suricata
detect-http-client-body.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup httplayer
20  *
21  * @{
22  */
23 
24 
25 /**
26  * \file
27  *
28  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
29  *
30  * Implements support for the http_client_body keyword
31  */
32 
33 #include "suricata-common.h"
34 #include "threads.h"
35 #include "decode.h"
36 
37 #include "detect.h"
38 #include "detect-parse.h"
39 #include "detect-engine.h"
40 #include "detect-engine-mpm.h"
41 #include "detect-engine-state.h"
44 #include "detect-content.h"
45 #include "detect-pcre.h"
46 // PrefilterMpmFiledata
47 #include "detect-file-data.h"
48 
49 #include "flow.h"
50 #include "flow-var.h"
51 #include "flow-util.h"
52 
53 #include "util-debug.h"
54 #include "util-unittest.h"
55 #include "util-unittest-helper.h"
56 #include "util-spm.h"
57 
58 #include "app-layer.h"
59 #include "app-layer-parser.h"
60 #include "app-layer-htp.h"
62 #include "stream-tcp.h"
63 #include "util-profiling.h"
64 
65 static int DetectHttpClientBodySetup(DetectEngineCtx *, Signature *, const char *);
66 static int DetectHttpClientBodySetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str);
67 #ifdef UNITTESTS
68 static void DetectHttpClientBodyRegisterTests(void);
69 #endif
70 static void DetectHttpClientBodySetupCallback(const DetectEngineCtx *de_ctx,
71  Signature *s);
72 static int g_http_client_body_buffer_id = 0;
73 
74 static uint8_t DetectEngineInspectBufferHttpBody(DetectEngineCtx *de_ctx,
76  const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id);
77 
78 static int PrefilterMpmHttpRequestBodyRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh,
79  MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id);
80 
81 /**
82  * \brief Registers the keyword handlers for the "http_client_body" keyword.
83  */
85 {
86  /* http_client_body content modifier */
87  sigmatch_table[DETECT_HTTP_CLIENT_BODY].name = "http_client_body";
89  "content modifier to match only on HTTP request-body";
90  sigmatch_table[DETECT_HTTP_CLIENT_BODY].url = "/rules/http-keywords.html#http-client-body";
91  sigmatch_table[DETECT_HTTP_CLIENT_BODY].Setup = DetectHttpClientBodySetup;
92 #ifdef UNITTESTS
94 #endif
98 
99  /* http.request_body sticky buffer */
100  sigmatch_table[DETECT_HTTP_REQUEST_BODY].name = "http.request_body";
101  sigmatch_table[DETECT_HTTP_REQUEST_BODY].desc = "sticky buffer to match the HTTP request body buffer";
102  sigmatch_table[DETECT_HTTP_REQUEST_BODY].url = "/rules/http-keywords.html#http-client-body";
103  sigmatch_table[DETECT_HTTP_REQUEST_BODY].Setup = DetectHttpClientBodySetupSticky;
106 
108  HTP_REQUEST_PROGRESS_BODY, DetectEngineInspectBufferHttpBody, NULL);
109 
110  DetectAppLayerMpmRegister("http_client_body", SIG_FLAG_TOSERVER, 2,
111  PrefilterMpmHttpRequestBodyRegister, NULL, ALPROTO_HTTP1, HTP_REQUEST_PROGRESS_BODY);
112 
114  HTTP2StateDataClient, DetectEngineInspectFiledata, NULL);
115  DetectAppLayerMpmRegister("http_client_body", SIG_FLAG_TOSERVER, 2,
116  PrefilterMpmFiledataRegister, NULL, ALPROTO_HTTP2, HTTP2StateDataClient);
117 
118  DetectBufferTypeSetDescriptionByName("http_client_body",
119  "http request body");
120 
121  DetectBufferTypeRegisterSetupCallback("http_client_body",
122  DetectHttpClientBodySetupCallback);
123 
124  g_http_client_body_buffer_id = DetectBufferTypeGetByName("http_client_body");
125 }
126 
127 static void DetectHttpClientBodySetupCallback(const DetectEngineCtx *de_ctx,
128  Signature *s)
129 {
130  SCLogDebug("callback invoked by %u", s->id);
132 
133  /* client body needs to be inspected in sync with stream if possible */
135 }
136 
137 /**
138  * \brief The setup function for the http_client_body keyword for a signature.
139  *
140  * \param de_ctx Pointer to the detection engine context.
141  * \param s Pointer to signature for the current Signature being parsed
142  * from the rules.
143  * \param m Pointer to the head of the SigMatchs for the current rule
144  * being parsed.
145  * \param arg Pointer to the string holding the keyword value.
146  *
147  * \retval 0 On success
148  * \retval -1 On failure
149  */
150 int DetectHttpClientBodySetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
151 {
153  de_ctx, s, arg, DETECT_HTTP_CLIENT_BODY, g_http_client_body_buffer_id, ALPROTO_HTTP1);
154 }
155 
156 /**
157  * \brief this function setup the http.request_body keyword used in the rule
158  *
159  * \param de_ctx Pointer to the Detection Engine Context
160  * \param s Pointer to the Signature to which the current keyword belongs
161  * \param str Should hold an empty string always
162  *
163  * \retval 0 On success
164  */
165 static int DetectHttpClientBodySetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str)
166 {
167  if (DetectBufferSetActiveList(de_ctx, s, g_http_client_body_buffer_id) < 0)
168  return -1;
170  return -1;
171  // we cannot use a transactional rule with a fast pattern to client and this
173  SCLogError("fast_pattern cannot be used on to_client keyword for "
174  "transactional rule with a streaming buffer to server %u",
175  s->id);
176  return -1;
177  }
179  return 0;
180 }
181 
182 static inline HtpBody *GetRequestBody(htp_tx_t *tx)
183 {
184  HtpTxUserData *htud = (HtpTxUserData *)htp_tx_get_user_data(tx);
185  if (htud == NULL) {
186  SCLogDebug("no htud");
187  return NULL;
188  }
189 
190  return &htud->request_body;
191 }
192 
194  int list_id;
196  const MpmCtx *mpm_ctx;
199 
200 static void PrefilterMpmHttpRequestBodyFree(void *ptr)
201 {
202  SCFree(ptr);
203 }
204 
205 static inline InspectionBuffer *HttpRequestBodyXformsGetDataCallback(DetectEngineThreadCtx *det_ctx,
206  const DetectEngineTransforms *transforms, const int list_id, InspectionBuffer *base_buffer)
207 {
208  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
209  if (buffer->inspect != NULL)
210  return buffer;
211 
212  InspectionBufferSetup(det_ctx, list_id, buffer, base_buffer->inspect, base_buffer->inspect_len);
213  buffer->inspect_offset = base_buffer->inspect_offset;
214  InspectionBufferApplyTransforms(det_ctx, buffer, transforms);
215  SCLogDebug("xformed buffer %p size %u", buffer, buffer->inspect_len);
216  SCReturnPtr(buffer, "InspectionBuffer");
217 }
218 
219 static InspectionBuffer *HttpRequestBodyGetDataCallback(DetectEngineThreadCtx *det_ctx,
220  const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv,
221  const int list_id, const int base_id)
222 {
223  SCEnter();
224 
225  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, base_id);
226  if (base_id != list_id && buffer->inspect != NULL)
227  return HttpRequestBodyXformsGetDataCallback(det_ctx, transforms, list_id, buffer);
228  else if (buffer->inspect != NULL)
229  return buffer;
230 
231  htp_tx_t *tx = txv;
232  HtpState *htp_state = f->alstate;
233  const uint8_t flags = flow_flags;
234 
235  HtpBody *body = GetRequestBody(tx);
236  if (body == NULL) {
237  return NULL;
238  }
239 
240  /* no new data */
241  if (body->body_inspected == body->content_len_so_far) {
242  SCLogDebug("no new data");
243  return NULL;
244  }
245 
246  HtpBodyChunk *cur = body->first;
247  if (cur == NULL) {
248  SCLogDebug("No http chunks to inspect for this transaction");
249  return NULL;
250  }
251 
252  SCLogDebug("request.body_limit %u request_body.content_len_so_far %" PRIu64
253  ", request.inspect_min_size %" PRIu32 ", EOF %s, progress > body? %s",
254  htp_state->cfg->request.body_limit, body->content_len_so_far,
255  htp_state->cfg->request.inspect_min_size, flags & STREAM_EOF ? "true" : "false",
257  HTP_REQUEST_PROGRESS_BODY)
258  ? "true"
259  : "false");
260 
261  if (!htp_state->cfg->http_body_inline) {
262  /* inspect the body if the transfer is complete or we have hit
263  * our body size limit */
264  if ((htp_state->cfg->request.body_limit == 0 ||
265  body->content_len_so_far < htp_state->cfg->request.body_limit) &&
266  body->content_len_so_far < htp_state->cfg->request.inspect_min_size &&
267  !(AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP1, tx, flags) >
268  HTP_REQUEST_PROGRESS_BODY) &&
269  !(flags & STREAM_EOF)) {
270  SCLogDebug("we still haven't seen the entire request body. "
271  "Let's defer body inspection till we see the "
272  "entire body.");
273  return NULL;
274  }
275  }
276 
277  /* get the inspect buffer
278  *
279  * make sure that we have at least the configured inspect_win size.
280  * If we have more, take at least 1/4 of the inspect win size before
281  * the new data.
282  */
283  uint64_t offset = 0;
284  if (body->body_inspected > htp_state->cfg->request.inspect_min_size) {
286  uint64_t inspect_win = body->content_len_so_far - body->body_inspected;
287  SCLogDebug("inspect_win %"PRIu64, inspect_win);
288  if (inspect_win < htp_state->cfg->request.inspect_window) {
289  uint64_t inspect_short = htp_state->cfg->request.inspect_window - inspect_win;
290  if (body->body_inspected < inspect_short)
291  offset = 0;
292  else
293  offset = body->body_inspected - inspect_short;
294  } else {
295  offset = body->body_inspected - (htp_state->cfg->request.inspect_window / 4);
296  }
297  }
298 
299  const uint8_t *data;
300  uint32_t data_len;
301 
303  &data, &data_len, offset);
304  InspectionBufferSetup(det_ctx, base_id, buffer, data, data_len);
305  buffer->inspect_offset = offset;
306  body->body_inspected = body->content_len_so_far;
307  SCLogDebug("body->body_inspected now: %" PRIu64, body->body_inspected);
308 
309  if (base_id != list_id) {
310  buffer = HttpRequestBodyXformsGetDataCallback(det_ctx, transforms, list_id, buffer);
311  }
312  SCReturnPtr(buffer, "InspectionBuffer");
313 }
314 
315 static uint8_t DetectEngineInspectBufferHttpBody(DetectEngineCtx *de_ctx,
317  const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
318 {
319  bool eof =
320  (AppLayerParserGetStateProgress(f->proto, f->alproto, txv, flags) > engine->progress);
321  const InspectionBuffer *buffer = HttpRequestBodyGetDataCallback(
322  det_ctx, engine->v2.transforms, f, flags, txv, engine->sm_list, engine->sm_list_base);
323  if (buffer == NULL || buffer->inspect == NULL) {
324  if (eof && engine->match_on_null) {
326  }
328  }
329 
330  const uint32_t data_len = buffer->inspect_len;
331  const uint8_t *data = buffer->inspect;
332  const uint64_t offset = buffer->inspect_offset;
333 
334  uint8_t ci_flags = eof ? DETECT_CI_FLAGS_END : 0;
335  ci_flags |= (offset == 0 ? DETECT_CI_FLAGS_START : 0);
336  ci_flags |= buffer->flags;
337 
338  /* Inspect all the uricontents fetched on each
339  * transaction at the app layer */
340  const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f, data,
342  if (match) {
344  }
345 
346  if (flags & STREAM_TOSERVER) {
347  if (AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP1, txv, flags) >
348  HTP_REQUEST_PROGRESS_BODY)
350  } else {
351  if (AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP1, txv, flags) >
352  HTP_RESPONSE_PROGRESS_BODY)
354  }
356 }
357 
358 /** \brief HTTP Request body callback
359  *
360  * \param det_ctx detection engine thread ctx
361  * \param pectx inspection context
362  * \param p packet to inspect
363  * \param f flow to inspect
364  * \param txv tx to inspect
365  * \param idx transaction id
366  * \param flags STREAM_* flags including direction
367  */
368 static void PrefilterTxHttpRequestBody(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p,
369  Flow *f, void *txv, const uint64_t idx, const AppLayerTxData *_txd, const uint8_t flags)
370 {
371  SCEnter();
372 
374  const MpmCtx *mpm_ctx = ctx->mpm_ctx;
375  const int list_id = ctx->list_id;
376 
377  InspectionBuffer *buffer = HttpRequestBodyGetDataCallback(
378  det_ctx, ctx->transforms, f, flags, txv, list_id, ctx->base_list_id);
379  if (buffer == NULL)
380  return;
381 
382  if (buffer->inspect_len >= mpm_ctx->minlen) {
383  (void)mpm_table[mpm_ctx->mpm_type].Search(
384  mpm_ctx, &det_ctx->mtc, &det_ctx->pmq, buffer->inspect, buffer->inspect_len);
385  PREFILTER_PROFILING_ADD_BYTES(det_ctx, buffer->inspect_len);
386  }
387 }
388 
389 static int PrefilterMpmHttpRequestBodyRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh,
390  MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
391 {
392  PrefilterMpmHttpRequestBody *pectx = SCCalloc(1, sizeof(*pectx));
393  if (pectx == NULL)
394  return -1;
395  pectx->list_id = list_id;
396  pectx->base_list_id = mpm_reg->sm_list_base;
397  SCLogDebug("list_id %d base_list_id %d", list_id, pectx->base_list_id);
398  pectx->mpm_ctx = mpm_ctx;
399  pectx->transforms = &mpm_reg->transforms;
400 
401  return PrefilterAppendTxEngine(de_ctx, sgh, PrefilterTxHttpRequestBody, mpm_reg->app_v2.alproto,
402  mpm_reg->app_v2.tx_min_progress, pectx, PrefilterMpmHttpRequestBodyFree,
403  mpm_reg->pname);
404 }
405 
406 #ifdef UNITTESTS
407 #include "detect-engine-alert.h"
409 #endif /* UNITTESTS */
410 
411 /**
412  * @}
413  */
HtpState_::cfg
const struct HTPCfgRec_ * cfg
Definition: app-layer-htp.h:188
DetectEngineAppInspectionEngine_
Definition: detect.h:436
SigTableElmt_::url
const char * url
Definition: detect.h:1405
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:2218
detect-content.h
MpmCtx_::mpm_type
uint8_t mpm_type
Definition: util-mpm.h:95
detect-engine.h
SIGMATCH_INFO_STICKY_BUFFER
#define SIGMATCH_INFO_STICKY_BUFFER
Definition: detect.h:1616
SigTableElmt_::desc
const char * desc
Definition: detect.h:1404
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:155
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
DETECT_CI_FLAGS_START
#define DETECT_CI_FLAGS_START
Definition: detect-engine-content-inspection.h:40
flow-util.h
SIGMATCH_INFO_CONTENT_MODIFIER
#define SIGMATCH_INFO_CONTENT_MODIFIER
Definition: detect.h:1614
SigTableElmt_::name
const char * name
Definition: detect.h:1402
stream-tcp.h
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1570
DetectHttpClientBodyRegisterTests
void DetectHttpClientBodyRegisterTests(void)
Definition: detect-http-client-body.c:2850
HtpBody_::sb
StreamingBuffer * sb
Definition: app-layer-htp.h:134
DetectEngineTransforms
Definition: detect.h:415
DetectBufferMpmRegistry_::sm_list_base
int16_t sm_list_base
Definition: detect.h:768
SIG_FLAG_INIT_NEED_FLUSH
#define SIG_FLAG_INIT_NEED_FLUSH
Definition: detect.h:296
PrefilterMpmHttpRequestBody::list_id
int list_id
Definition: detect-http-client-body.c:194
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
HTPCfgDir_::body_limit
uint32_t body_limit
Definition: app-layer-htp.h:95
SIG_FLAG_INIT_TXDIR_FAST_TOCLIENT
#define SIG_FLAG_INIT_TXDIR_FAST_TOCLIENT
Definition: detect.h:305
Flow_::proto
uint8_t proto
Definition: flow.h:378
DetectBufferSetActiveList
int DetectBufferSetActiveList(DetectEngineCtx *de_ctx, Signature *s, const int list)
Definition: detect-engine.c:1422
AppLayerParserGetStateProgress
int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto, void *alstate, uint8_t flags)
get the progress value for a tx/protocol
Definition: app-layer-parser.c:1096
InspectionBuffer
Definition: detect.h:380
threads.h
Flow_
Flow data structure.
Definition: flow.h:356
DetectBufferTypeRegisterSetupCallback
void DetectBufferTypeRegisterSetupCallback(const char *name, void(*SetupCallback)(const DetectEngineCtx *, Signature *))
Definition: detect-engine.c:1351
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1298
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1396
ctx
struct Thresholds ctx
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:920
PrefilterMpmFiledataRegister
int PrefilterMpmFiledataRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
Definition: detect-file-data.c:508
DetectEngineAppInspectionEngine_::v2
struct DetectEngineAppInspectionEngine_::@79 v2
HtpTxUserData_::request_body
HtpBody request_body
Definition: app-layer-htp.h:164
detect-http-client-body.h
DetectBufferMpmRegistry_
one time registration of keywords at start up
Definition: detect.h:763
detect-file-data.h
DetectEngineAppInspectionEngine_::sm_list_base
uint16_t sm_list_base
Definition: detect.h:445
InspectionBuffer::flags
uint8_t flags
Definition: detect.h:385
SignatureInitData_::init_flags
uint32_t init_flags
Definition: detect.h:609
StreamingBufferGetDataAtOffset
int StreamingBufferGetDataAtOffset(const StreamingBuffer *sb, const uint8_t **data, uint32_t *data_len, uint64_t offset)
Definition: util-streaming-buffer.c:1830
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1387
detect-pcre.h
DetectBufferMpmRegistry_::transforms
DetectEngineTransforms transforms
Definition: detect.h:776
detect-engine-prefilter.h
PrefilterMpmHttpRequestBody
struct PrefilterMpmHttpRequestBody PrefilterMpmHttpRequestBody
HTPCfgDir_::inspect_window
uint32_t inspect_window
Definition: app-layer-htp.h:97
util-unittest.h
InspectionBufferGet
InspectionBuffer * InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
Definition: detect-engine.c:1578
HtpBody_::first
HtpBodyChunk * first
Definition: app-layer-htp.h:131
DETECT_HTTP_REQUEST_BODY
@ DETECT_HTTP_REQUEST_BODY
Definition: detect-engine-register.h:156
HtpState_
Definition: app-layer-htp.h:181
util-unittest-helper.h
PrefilterMpmHttpRequestBody
Definition: detect-http-client-body.c:193
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1157
HtpBody_::content_len_so_far
uint64_t content_len_so_far
Definition: app-layer-htp.h:137
DetectEngineAppInspectionEngine_::sm_list
uint16_t sm_list
Definition: detect.h:444
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:270
app-layer-htp.h
decode.h
util-debug.h
HTPCfgRec_::http_body_inline
int http_body_inline
Definition: app-layer-htp.h:108
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
PrefilterMpmHttpRequestBody::transforms
const DetectEngineTransforms * transforms
Definition: detect-http-client-body.c:197
DetectEngineThreadCtx_
Definition: detect.h:1197
HTPCfgDir_::inspect_min_size
uint32_t inspect_min_size
Definition: app-layer-htp.h:96
AppLayerHtpEnableRequestBodyCallback
void AppLayerHtpEnableRequestBodyCallback(void)
Sets a flag that informs the HTP app layer that some module in the engine needs the http request body...
Definition: app-layer-htp.c:570
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
detect-engine-mpm.h
detect-http-client-body.c
Handle HTTP request body match corresponding to http_client_body keyword.
detect.h
DETECT_ENGINE_INSPECT_SIG_MATCH
#define DETECT_ENGINE_INSPECT_SIG_MATCH
Definition: detect-engine-state.h:38
DetectBufferMpmRegistry_::app_v2
struct DetectBufferMpmRegistry_::@87::@89 app_v2
InspectionBuffer::inspect_offset
uint64_t inspect_offset
Definition: detect.h:382
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
Definition: detect-engine-content-inspection.h:36
SigTableElmt_::alternative
uint16_t alternative
Definition: detect.h:1400
DetectAppLayerMpmRegister
void DetectAppLayerMpmRegister(const char *name, int direction, int priority, PrefilterRegisterFunc PrefilterRegister, InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register an app layer keyword for mpm
Definition: detect-engine-mpm.c:151
app-layer-parser.h
MpmCtx_::minlen
uint16_t minlen
Definition: util-mpm.h:104
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:309
util-profiling.h
DetectEngineContentModifierBufferSetup
int DetectEngineContentModifierBufferSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg, int sm_type, int sm_list, AppProto alproto)
Definition: detect-parse.c:222
Packet_
Definition: decode.h:484
DETECT_CI_FLAGS_END
#define DETECT_CI_FLAGS_END
Definition: detect-engine-content-inspection.h:42
detect-engine-alert.h
DetectEngineAppInspectionEngine_::match_on_null
bool match_on_null
Definition: detect.h:443
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:748
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:287
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
ALPROTO_HTTP2
@ ALPROTO_HTTP2
Definition: app-layer-protos.h:69
MpmTableElmt_::Search
uint32_t(* Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t)
Definition: util-mpm.h:177
DETECT_HTTP_CLIENT_BODY
@ DETECT_HTTP_CLIENT_BODY
Definition: detect-engine-register.h:155
DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
Definition: detect-engine-state.h:39
DetectEngineThreadCtx_::mtc
MpmThreadCtx mtc
Definition: detect.h:1294
detect-engine-content-inspection.h
DetectEngineAppInspectionEngine_::smd
SigMatchData * smd
Definition: detect.h:458
PrefilterMpmHttpRequestBody::base_list_id
int base_list_id
Definition: detect-http-client-body.c:195
AppLayerTxData
struct AppLayerTxData AppLayerTxData
Definition: detect.h:1466
PREFILTER_PROFILING_ADD_BYTES
#define PREFILTER_PROFILING_ADD_BYTES(det_ctx, bytes)
Definition: util-profiling.h:286
HtpBody_
Definition: app-layer-htp.h:130
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
PrefilterMpmHttpRequestBody::mpm_ctx
const MpmCtx * mpm_ctx
Definition: detect-http-client-body.c:196
HTPCfgRec_::request
HTPCfgDir request
Definition: app-layer-htp.h:115
HtpBodyChunk_
Definition: app-layer-htp.h:122
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:36
DetectHttpClientBodyRegister
void DetectHttpClientBodyRegister(void)
Registers the keyword handlers for the "http_client_body" keyword.
Definition: detect-http-client-body.c:84
util-spm.h
PrefilterAppendTxEngine
int PrefilterAppendTxEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, PrefilterTxFn PrefilterTxFunc, AppProto alproto, int tx_min_progress, void *pectx, void(*FreeFunc)(void *pectx), const char *name)
Definition: detect-engine-prefilter.c:352
HtpTxUserData_
Definition: app-layer-htp.h:151
InspectionBufferApplyTransforms
void InspectionBufferApplyTransforms(DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, const DetectEngineTransforms *transforms)
Definition: detect-engine.c:1650
DETECT_ENGINE_INSPECT_SIG_NO_MATCH
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
Definition: detect-engine-state.h:37
DetectEngineAppInspectionEngine_::progress
int16_t progress
Definition: detect.h:446
SIG_FLAG_INIT_TXDIR_STREAMING_TOSERVER
#define SIG_FLAG_INIT_TXDIR_STREAMING_TOSERVER
Definition: detect.h:303
InspectionBuffer::inspect_len
uint32_t inspect_len
Definition: detect.h:383
InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect.h:381
str
#define str(s)
Definition: suricata-common.h:300
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
InspectionBufferSetup
void InspectionBufferSetup(DetectEngineThreadCtx *det_ctx, const int list_id, InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine.c:1712
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Flow_::alstate
void * alstate
Definition: flow.h:479
Signature_::id
uint32_t id
Definition: detect.h:714
detect-parse.h
Signature_
Signature container.
Definition: detect.h:669
DetectEngineAppInspectionEngine_::transforms
const DetectEngineTransforms * transforms
Definition: detect.h:455
ALPROTO_HTTP
@ ALPROTO_HTTP
Definition: app-layer-protos.h:75
mpm_table
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
Definition: util-mpm.c:47
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1592
DetectAppLayerInspectEngineRegister
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback, InspectionBufferGetDataPtr GetData)
Registers an app inspection engine.
Definition: detect-engine.c:245
DetectBufferTypeSetDescriptionByName
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
Definition: detect-engine.c:1254
MpmCtx_
Definition: util-mpm.h:93
flow.h
DetectEngineContentInspection
bool DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer, const uint32_t buffer_len, const uint32_t stream_start_offset, const uint8_t flags, const enum DetectContentInspectionType inspection_mode)
wrapper around DetectEngineContentInspectionInternal to return true/false only
Definition: detect-engine-content-inspection.c:733
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:450
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
flow-var.h
DetectEngineInspectFiledata
uint8_t DetectEngineInspectFiledata(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Definition: detect-file-data.c:411
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1394
HtpBody_::body_inspected
uint64_t body_inspected
Definition: app-layer-htp.h:141
app-layer.h
DetectBufferMpmRegistry_::pname
char pname[32]
Definition: detect.h:765