suricata
detect-http-header.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup httplayer
20  *
21  * @{
22  */
23 
24 
25 /**
26  * \file
27  *
28  * \author Pablo Rincon <pablo.rincon.crespo@gmail.com>
29  *
30  * Implements support for http_header keyword.
31  */
32 
33 #include "suricata-common.h"
34 #include "threads.h"
35 #include "decode.h"
36 
37 #include "detect.h"
38 #include "detect-parse.h"
39 #include "detect-engine.h"
40 #include "detect-engine-mpm.h"
41 #include "detect-engine-state.h"
44 #include "detect-content.h"
45 #include "detect-pcre.h"
46 
47 #include "util-debug.h"
48 #include "util-print.h"
49 #include "util-memcmp.h"
50 #include "util-profiling.h"
51 
52 #include "app-layer.h"
53 #include "app-layer-parser.h"
54 
55 #include "app-layer-htp.h"
56 #include "detect-http-header.h"
58 
59 static int DetectHttpHeaderSetup(DetectEngineCtx *, Signature *, const char *);
60 #ifdef UNITTESTS
61 static void DetectHttpHeaderRegisterTests(void);
62 #endif
63 static int g_http_header_buffer_id = 0;
64 static int g_keyword_thread_id = 0;
65 
66 #define BUFFER_SIZE_STEP 1024
68 
69 static uint8_t *GetBufferForTX(
70  htp_tx_t *tx, DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags, uint32_t *buffer_len)
71 {
72  *buffer_len = 0;
73 
74  HttpHeaderThreadData *hdr_td = NULL;
75  HttpHeaderBuffer *buf =
76  HttpHeaderGetBufferSpace(det_ctx, f, flags, g_keyword_thread_id, &hdr_td);
77  if (unlikely(buf == NULL)) {
78  return NULL;
79  }
80 
81  htp_table_t *headers;
82  if (flags & STREAM_TOSERVER) {
83  if (AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP1, tx, flags) <=
84  HTP_REQUEST_HEADERS)
85  return NULL;
86  headers = tx->request_headers;
87  } else {
88  if (AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP1, tx, flags) <=
89  HTP_RESPONSE_HEADERS)
90  return NULL;
91  headers = tx->response_headers;
92  }
93  if (headers == NULL)
94  return NULL;
95 
96  size_t i = 0;
97  size_t no_of_headers = htp_table_size(headers);
98  for (; i < no_of_headers; i++) {
99  htp_header_t *h = htp_table_get_index(headers, i, NULL);
100  size_t size1 = bstr_size(h->name);
101  size_t size2 = bstr_size(h->value);
102 
103  if (flags & STREAM_TOSERVER) {
104  if (size1 == 6 &&
105  SCMemcmpLowercase("cookie", bstr_ptr(h->name), 6) == 0) {
106  continue;
107  }
108  } else {
109  if (size1 == 10 &&
110  SCMemcmpLowercase("set-cookie", bstr_ptr(h->name), 10) == 0) {
111  continue;
112  }
113  }
114 
115  size_t size = size1 + size2 + 4;
116 #if 0
117  if (i + 1 == no_of_headers)
118  size += 2;
119 #endif
120  if (size + buf->len > buf->size) {
121  if (HttpHeaderExpandBuffer(hdr_td, buf, size) != 0) {
122  return NULL;
123  }
124  }
125 
126  memcpy(buf->buffer + buf->len, bstr_ptr(h->name), bstr_size(h->name));
127  buf->len += bstr_size(h->name);
128  buf->buffer[buf->len++] = ':';
129  buf->buffer[buf->len++] = ' ';
130  memcpy(buf->buffer + buf->len, bstr_ptr(h->value), bstr_size(h->value));
131  buf->len += bstr_size(h->value);
132  buf->buffer[buf->len++] = '\r';
133  buf->buffer[buf->len++] = '\n';
134 #if 0 // looks like this breaks existing rules
135  if (i + 1 == no_of_headers) {
136  buf->buffer[buf->len++] = '\r';
137  buf->buffer[buf->len++] = '\n';
138  }
139 #endif
140  }
141 
142  *buffer_len = buf->len;
143  return buf->buffer;
144 }
145 
146 static InspectionBuffer *GetBuffer2ForTX(DetectEngineThreadCtx *det_ctx,
147  const DetectEngineTransforms *transforms, Flow *_f, const uint8_t flow_flags, void *txv,
148  const int list_id)
149 {
150  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
151  if (buffer->inspect == NULL) {
152  uint32_t b_len = 0;
153  const uint8_t *b = NULL;
154 
155  if (rs_http2_tx_get_headers(txv, flow_flags, &b, &b_len) != 1)
156  return NULL;
157  if (b == NULL || b_len == 0)
158  return NULL;
159 
160  InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len);
161  InspectionBufferApplyTransforms(buffer, transforms);
162  }
163 
164  return buffer;
165 }
166 
167 /** \internal
168  * \brief custom inspect function to utilize the cached headers
169  */
170 static uint8_t DetectEngineInspectBufferHttpHeader(DetectEngineCtx *de_ctx,
172  const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
173 {
174  SCEnter();
175 
176  const int list_id = engine->sm_list;
177  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
178  if (buffer->inspect == NULL) {
179  SCLogDebug("setting up inspect buffer %d", list_id);
180 
181  /* if prefilter didn't already run, we need to consider transformations */
182  const DetectEngineTransforms *transforms = NULL;
183  if (!engine->mpm) {
184  transforms = engine->v2.transforms;
185  }
186 
187  uint32_t rawdata_len = 0;
188  uint8_t *rawdata = GetBufferForTX(txv, det_ctx, f, flags, &rawdata_len);
189  if (rawdata_len == 0) {
190  SCLogDebug("no data");
191  goto end;
192  }
193  /* setup buffer and apply transforms */
194  InspectionBufferSetup(det_ctx, list_id, buffer, rawdata, rawdata_len);
195  InspectionBufferApplyTransforms(buffer, transforms);
196  }
197 
198  const uint32_t data_len = buffer->inspect_len;
199  const uint8_t *data = buffer->inspect;
200  const uint64_t offset = buffer->inspect_offset;
201 
202  det_ctx->discontinue_matching = 0;
203  det_ctx->buffer_offset = 0;
204  det_ctx->inspection_recursion_counter = 0;
205 
206  /* Inspect all the uricontents fetched on each
207  * transaction at the app layer */
208  int r = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd,
209  NULL, f, (uint8_t *)data, data_len, offset,
211  SCLogDebug("r = %d", r);
212  if (r == 1) {
214  }
215 end:
216  if (flags & STREAM_TOSERVER) {
217  if (AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP1, txv, flags) >
218  HTP_REQUEST_HEADERS)
220  } else {
221  if (AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP1, txv, flags) >
222  HTP_RESPONSE_HEADERS)
224  }
226 }
227 
229  int list_id;
230  const MpmCtx *mpm_ctx;
233 
234 /** \brief Generic Mpm prefilter callback
235  *
236  * \param det_ctx detection engine thread ctx
237  * \param p packet to inspect
238  * \param f flow to inspect
239  * \param txv tx to inspect
240  * \param pectx inspection context
241  */
242 static void PrefilterMpmHttpHeader(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p,
243  Flow *f, void *txv, const uint64_t idx, const AppLayerTxData *_txd, const uint8_t flags)
244 {
245  SCEnter();
246 
247  const PrefilterMpmHttpHeaderCtx *ctx = pectx;
248  const MpmCtx *mpm_ctx = ctx->mpm_ctx;
249  SCLogDebug("running on list %d", ctx->list_id);
250 
251  const int list_id = ctx->list_id;
252  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
253  if (buffer->inspect == NULL) {
254  uint32_t rawdata_len = 0;
255  uint8_t *rawdata = GetBufferForTX(txv, det_ctx, f, flags, &rawdata_len);
256  if (rawdata_len == 0)
257  return;
258 
259  /* setup buffer and apply transforms */
260  InspectionBufferSetup(det_ctx, list_id, buffer, rawdata, rawdata_len);
262  }
263 
264  const uint32_t data_len = buffer->inspect_len;
265  const uint8_t *data = buffer->inspect;
266 
267  SCLogDebug("mpm'ing buffer:");
268  //PrintRawDataFp(stdout, data, data_len);
269 
270  if (data != NULL && data_len >= mpm_ctx->minlen) {
271  (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
272  &det_ctx->mtcu, &det_ctx->pmq, data, data_len);
273  PREFILTER_PROFILING_ADD_BYTES(det_ctx, data_len);
274  }
275 }
276 
277 static void PrefilterMpmHttpTrailer(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p,
278  Flow *f, void *txv, const uint64_t idx, const AppLayerTxData *_txd, const uint8_t flags)
279 {
280  SCEnter();
281 
282  htp_tx_t *tx = txv;
283  const HtpTxUserData *htud = (const HtpTxUserData *)htp_tx_get_user_data(tx);
284  /* if the request wasn't flagged as having a trailer, we skip */
285  if (htud && (
286  ((flags & STREAM_TOSERVER) && !htud->request_has_trailers) ||
287  ((flags & STREAM_TOCLIENT) && !htud->response_has_trailers))) {
288  SCReturn;
289  }
290  PrefilterMpmHttpHeader(det_ctx, pectx, p, f, txv, idx, _txd, flags);
291  SCReturn;
292 }
293 
294 static void PrefilterMpmHttpHeaderFree(void *ptr)
295 {
296  SCFree(ptr);
297 }
298 
299 static int PrefilterMpmHttpHeaderRequestRegister(DetectEngineCtx *de_ctx,
300  SigGroupHead *sgh, MpmCtx *mpm_ctx,
301  const DetectBufferMpmRegistery *mpm_reg, int list_id)
302 {
303  SCEnter();
304 
305  /* header */
306  PrefilterMpmHttpHeaderCtx *pectx = SCCalloc(1, sizeof(*pectx));
307  if (pectx == NULL)
308  return -1;
309  pectx->list_id = list_id;
310  pectx->mpm_ctx = mpm_ctx;
311  pectx->transforms = &mpm_reg->transforms;
312 
313  int r = PrefilterAppendTxEngine(de_ctx, sgh, PrefilterMpmHttpHeader,
314  mpm_reg->app_v2.alproto, HTP_REQUEST_HEADERS,
315  pectx, PrefilterMpmHttpHeaderFree, mpm_reg->pname);
316  if (r != 0) {
317  SCFree(pectx);
318  return r;
319  }
320 
321  /* trailer */
322  pectx = SCCalloc(1, sizeof(*pectx));
323  if (pectx == NULL)
324  return -1;
325  pectx->list_id = list_id;
326  pectx->mpm_ctx = mpm_ctx;
327  pectx->transforms = &mpm_reg->transforms;
328 
329  r = PrefilterAppendTxEngine(de_ctx, sgh, PrefilterMpmHttpTrailer,
330  mpm_reg->app_v2.alproto, HTP_REQUEST_TRAILER,
331  pectx, PrefilterMpmHttpHeaderFree, mpm_reg->pname);
332  if (r != 0) {
333  SCFree(pectx);
334  }
335  return r;
336 }
337 
338 static int PrefilterMpmHttpHeaderResponseRegister(DetectEngineCtx *de_ctx,
339  SigGroupHead *sgh, MpmCtx *mpm_ctx,
340  const DetectBufferMpmRegistery *mpm_reg, int list_id)
341 {
342  SCEnter();
343 
344  /* header */
345  PrefilterMpmHttpHeaderCtx *pectx = SCCalloc(1, sizeof(*pectx));
346  if (pectx == NULL)
347  return -1;
348  pectx->list_id = list_id;
349  pectx->mpm_ctx = mpm_ctx;
350  pectx->transforms = &mpm_reg->transforms;
351 
352  int r = PrefilterAppendTxEngine(de_ctx, sgh, PrefilterMpmHttpHeader,
353  mpm_reg->app_v2.alproto, HTP_RESPONSE_HEADERS,
354  pectx, PrefilterMpmHttpHeaderFree, mpm_reg->pname);
355  if (r != 0) {
356  SCFree(pectx);
357  return r;
358  }
359 
360  /* trailer */
361  pectx = SCCalloc(1, sizeof(*pectx));
362  if (pectx == NULL)
363  return -1;
364  pectx->list_id = list_id;
365  pectx->mpm_ctx = mpm_ctx;
366  pectx->transforms = &mpm_reg->transforms;
367 
368  r = PrefilterAppendTxEngine(de_ctx, sgh, PrefilterMpmHttpTrailer,
369  mpm_reg->app_v2.alproto, HTP_RESPONSE_TRAILER,
370  pectx, PrefilterMpmHttpHeaderFree, mpm_reg->pname);
371  if (r != 0) {
372  SCFree(pectx);
373  }
374  return r;
375 }
376 
377 /**
378  * \brief The setup function for the http_header keyword for a signature.
379  *
380  * \param de_ctx Pointer to the detection engine context.
381  * \param s Pointer to signature for the current Signature being parsed
382  * from the rules.
383  * \param m Pointer to the head of the SigMatchs for the current rule
384  * being parsed.
385  * \param arg Pointer to the string holding the keyword value.
386  *
387  * \retval 0 On success.
388  * \retval -1 On failure.
389  */
390 static int DetectHttpHeaderSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
391 {
393  de_ctx, s, arg, DETECT_AL_HTTP_HEADER, g_http_header_buffer_id, ALPROTO_HTTP1);
394 }
395 
396 /**
397  * \brief this function setup the http.header keyword used in the rule
398  *
399  * \param de_ctx Pointer to the Detection Engine Context
400  * \param s Pointer to the Signature to which the current keyword belongs
401  * \param str Should hold an empty string always
402  *
403  * \retval 0 On success
404  */
405 static int DetectHttpHeaderSetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str)
406 {
407  if (DetectBufferSetActiveList(s, g_http_header_buffer_id) < 0)
408  return -1;
410  return -1;
411  return 0;
412 }
413 
414 /**
415  * \brief Registers the keyword handlers for the "http_header" keyword.
416  */
418 {
419  /* http_header content modifier */
420  sigmatch_table[DETECT_AL_HTTP_HEADER].name = "http_header";
421  sigmatch_table[DETECT_AL_HTTP_HEADER].desc = "content modifier to match only on the HTTP header-buffer";
422  sigmatch_table[DETECT_AL_HTTP_HEADER].url = "/rules/http-keywords.html#http-header-and-http-raw-header";
423  sigmatch_table[DETECT_AL_HTTP_HEADER].Setup = DetectHttpHeaderSetup;
424 #ifdef UNITTESTS
426 #endif
430 
431  /* http.header sticky buffer */
432  sigmatch_table[DETECT_HTTP_HEADER].name = "http.header";
433  sigmatch_table[DETECT_HTTP_HEADER].desc = "sticky buffer to match on the normalized HTTP header-buffer";
434  sigmatch_table[DETECT_HTTP_HEADER].url = "/rules/http-keywords.html#http-header-and-http-raw-header";
435  sigmatch_table[DETECT_HTTP_HEADER].Setup = DetectHttpHeaderSetupSticky;
438 
440  HTP_REQUEST_HEADERS, DetectEngineInspectBufferHttpHeader, NULL);
442  PrefilterMpmHttpHeaderRequestRegister, NULL, ALPROTO_HTTP1,
443  0); /* not used, registered twice: HEADERS/TRAILER */
444 
446  HTP_RESPONSE_HEADERS, DetectEngineInspectBufferHttpHeader, NULL);
448  PrefilterMpmHttpHeaderResponseRegister, NULL, ALPROTO_HTTP1,
449  0); /* not used, registered twice: HEADERS/TRAILER */
450 
452  HTTP2StateDataClient, DetectEngineInspectBufferGeneric, GetBuffer2ForTX);
454  GetBuffer2ForTX, ALPROTO_HTTP2, HTTP2StateDataClient);
455 
457  HTTP2StateDataServer, DetectEngineInspectBufferGeneric, GetBuffer2ForTX);
459  GetBuffer2ForTX, ALPROTO_HTTP2, HTTP2StateDataServer);
460 
462  "http headers");
463 
464  g_http_header_buffer_id = DetectBufferTypeGetByName("http_header");
465 
466  g_keyword_thread_id = DetectRegisterThreadCtxGlobalFuncs("http_header",
468 }
469 
470 /************************************Unittests*********************************/
471 
472 #ifdef UNITTESTS
474 #endif
475 
476 /**
477  * @}
478  */
DetectEngineAppInspectionEngine_
Definition: detect.h:390
SigTableElmt_::url
const char * url
Definition: detect.h:1241
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1498
BUFFER_SIZE_STEP
#define BUFFER_SIZE_STEP
Definition: detect-http-header.c:66
DetectEngineAppInspectionEngine_::mpm
bool mpm
Definition: detect.h:394
detect-content.h
MpmCtx_::mpm_type
uint8_t mpm_type
Definition: util-mpm.h:90
DetectEngineThreadCtx_::buffer_offset
uint32_t buffer_offset
Definition: detect.h:1053
detect-engine.h
SIGMATCH_INFO_STICKY_BUFFER
#define SIGMATCH_INFO_STICKY_BUFFER
Definition: detect.h:1447
SigTableElmt_::desc
const char * desc
Definition: detect.h:1240
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
Definition: detect-engine-content-inspection.h:36
DetectEngineInspectBufferGeneric
uint8_t DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1991
SIGMATCH_INFO_CONTENT_MODIFIER
#define SIGMATCH_INFO_CONTENT_MODIFIER
Definition: detect.h:1445
SigTableElmt_::name
const char * name
Definition: detect.h:1238
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1395
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
DetectEngineTransforms
Definition: detect.h:372
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
DetectBufferMpmRegistery_::transforms
DetectEngineTransforms transforms
Definition: detect.h:640
HttpHeaderBuffer_::len
uint32_t len
Definition: detect-http-header-common.h:30
AppLayerParserGetStateProgress
int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto, void *alstate, uint8_t flags)
get the progress value for a tx/protocol
Definition: app-layer-parser.c:1122
InspectionBuffer
Definition: detect.h:337
threads.h
Flow_
Flow data structure.
Definition: flow.h:357
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1134
PrefilterGenericMpmRegister
int PrefilterGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id)
Definition: detect-engine-prefilter.c:749
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1232
DetectBufferMpmRegistery_::app_v2
struct DetectBufferMpmRegistery_::@87::@89 app_v2
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:785
detect-http-header.h
DetectBufferMpmRegistery_
one time registration of keywords at start up
Definition: detect.h:626
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:229
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1223
detect-pcre.h
DetectEngineAppInspectionEngine_::v2
struct DetectEngineAppInspectionEngine_::@84 v2
detect-engine-prefilter.h
DetectEngineThreadCtx_::mtcu
MpmThreadCtx mtcu
Definition: detect.h:1132
InspectionBufferGet
InspectionBuffer * InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
Definition: detect-engine.c:1364
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1079
util-memcmp.h
DetectEngineAppInspectionEngine_::sm_list
uint16_t sm_list
Definition: detect.h:396
DETECT_AL_HTTP_HEADER
@ DETECT_AL_HTTP_HEADER
Definition: detect-engine-register.h:136
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:228
app-layer-htp.h
decode.h
util-debug.h
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1025
util-print.h
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
detect-engine-mpm.h
detect.h
HtpTxUserData_::response_has_trailers
uint8_t response_has_trailers
Definition: app-layer-htp.h:213
DETECT_ENGINE_INSPECT_SIG_MATCH
#define DETECT_ENGINE_INSPECT_SIG_MATCH
Definition: detect-engine-state.h:39
InspectionBuffer::inspect_offset
uint64_t inspect_offset
Definition: detect.h:339
SigTableElmt_::alternative
uint16_t alternative
Definition: detect.h:1236
app-layer-parser.h
MpmCtx_::minlen
uint16_t minlen
Definition: util-mpm.h:99
HtpTxUserData_::request_has_trailers
uint8_t request_has_trailers
Definition: app-layer-htp.h:212
util-profiling.h
SCReturn
#define SCReturn
Definition: util-debug.h:273
DetectEngineContentModifierBufferSetup
int DetectEngineContentModifierBufferSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg, int sm_type, int sm_list, AppProto alproto)
Definition: detect-parse.c:149
detect-http-header.c
Packet_
Definition: decode.h:428
detect-http-header-common.h
HttpHeaderThreadConfig_
Definition: detect-http-header-common.h:33
HttpHeaderBuffer_::buffer
uint8_t * buffer
Definition: detect-http-header-common.h:28
DetectAppLayerInspectEngineRegister2
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
Definition: detect-engine.c:224
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
ALPROTO_HTTP2
@ ALPROTO_HTTP2
Definition: app-layer-protos.h:61
MpmTableElmt_::Search
uint32_t(* Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t)
Definition: util-mpm.h:165
DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
Definition: detect-engine-state.h:40
detect-engine-content-inspection.h
DetectEngineThreadCtx_::discontinue_matching
uint16_t discontinue_matching
Definition: detect.h:1092
DetectEngineAppInspectionEngine_::smd
SigMatchData * smd
Definition: detect.h:407
DetectEngineContentInspection
uint8_t DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer, uint32_t buffer_len, uint32_t stream_start_offset, uint8_t flags, uint8_t inspection_mode)
Run the actual payload match functions.
Definition: detect-engine-content-inspection.c:106
HttpHeaderThreadDataInit
void * HttpHeaderThreadDataInit(void *data)
Definition: detect-http-header-common.c:57
DetectAppLayerMpmRegister2
void DetectAppLayerMpmRegister2(const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id), InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register a MPM engine
Definition: detect-engine-mpm.c:89
AppLayerTxData
struct AppLayerTxData AppLayerTxData
Definition: detect.h:1303
PREFILTER_PROFILING_ADD_BYTES
#define PREFILTER_PROFILING_ADD_BYTES(det_ctx, bytes)
Definition: util-profiling.h:307
DETECT_CI_FLAGS_SINGLE
#define DETECT_CI_FLAGS_SINGLE
Definition: detect-engine-content-inspection.h:47
DetectBufferMpmRegistery_::pname
char pname[32]
Definition: detect.h:628
flags
uint8_t flags
Definition: decode-gre.h:0
PrefilterMpmHttpHeaderCtx::list_id
int list_id
Definition: detect-http-header.c:229
PrefilterMpmHttpHeaderCtx
Definition: detect-http-header.c:228
DetectHttpHeaderRegister
void DetectHttpHeaderRegister(void)
Registers the keyword handlers for the "http_header" keyword.
Definition: detect-http-header.c:417
suricata-common.h
DETECT_HTTP_HEADER
@ DETECT_HTTP_HEADER
Definition: detect-engine-register.h:137
InspectionBufferApplyTransforms
void InspectionBufferApplyTransforms(InspectionBuffer *buffer, const DetectEngineTransforms *transforms)
Definition: detect-engine.c:1550
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:30
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:76
DetectEngineThreadCtx_::inspection_recursion_counter
int inspection_recursion_counter
Definition: detect.h:1111
HttpHeaderBuffer_::size
uint32_t size
Definition: detect-http-header-common.h:29
PrefilterAppendTxEngine
int PrefilterAppendTxEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, PrefilterTxFn PrefilterTxFunc, AppProto alproto, int tx_min_progress, void *pectx, void(*FreeFunc)(void *pectx), const char *name)
Definition: detect-engine-prefilter.c:270
HtpTxUserData_
Definition: app-layer-htp.h:207
DETECT_ENGINE_INSPECT_SIG_NO_MATCH
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
Definition: detect-engine-state.h:38
PrefilterMpmHttpHeaderCtx::transforms
const DetectEngineTransforms * transforms
Definition: detect-http-header.c:231
PrefilterMpmHttpHeaderCtx
struct PrefilterMpmHttpHeaderCtx PrefilterMpmHttpHeaderCtx
InspectionBuffer::inspect_len
uint32_t inspect_len
Definition: detect.h:340
InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect.h:338
PrefilterMpmHttpHeaderCtx::mpm_ctx
const MpmCtx * mpm_ctx
Definition: detect-http-header.c:230
str
#define str(s)
Definition: suricata-common.h:280
InspectionBufferSetup
void InspectionBufferSetup(DetectEngineThreadCtx *det_ctx, const int list_id, InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine.c:1446
SCFree
#define SCFree(p)
Definition: util-mem.h:61
detect-parse.h
Signature_
Signature container.
Definition: detect.h:540
DetectEngineAppInspectionEngine_::transforms
const DetectEngineTransforms * transforms
Definition: detect.h:404
ALPROTO_HTTP
@ ALPROTO_HTTP
Definition: app-layer-protos.h:66
mpm_table
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
Definition: util-mpm.c:48
HttpHeaderGetBufferSpace
HttpHeaderBuffer * HttpHeaderGetBufferSpace(DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags, const int keyword_id, HttpHeaderThreadData **ret_hdr_td)
Definition: detect-http-header-common.c:100
HttpHeaderExpandBuffer
int HttpHeaderExpandBuffer(HttpHeaderThreadData *td, HttpHeaderBuffer *buf, uint32_t size)
Definition: detect-http-header-common.c:81
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1423
DetectBufferSetActiveList
int DetectBufferSetActiveList(Signature *s, const int list)
Definition: detect-engine.c:1293
DetectBufferTypeSetDescriptionByName
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
Definition: detect-engine.c:1176
MpmCtx_
Definition: util-mpm.h:88
HttpHeaderBuffer_
Definition: detect-http-header-common.h:27
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
DetectHttpHeaderRegisterTests
void DetectHttpHeaderRegisterTests(void)
Definition: detect-http-header.c:4903
HttpHeaderThreadData_
Definition: detect-http-header-common.h:37
HttpHeaderThreadDataFree
void HttpHeaderThreadDataFree(void *data)
Definition: detect-http-header-common.c:74
DetectRegisterThreadCtxGlobalFuncs
int DetectRegisterThreadCtxGlobalFuncs(const char *name, void *(*InitFunc)(void *), void *data, void(*FreeFunc)(void *))
Register Thread keyword context Funcs (Global)
Definition: detect-engine.c:3521
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1230
app-layer.h