suricata
detect-http-host.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2019 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup httplayer
20  *
21  * @{
22  */
23 
24 
25 /**
26  * \file
27  *
28  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
29  *
30  * Implements support for the http_host keyword.
31  */
32 
33 #include "suricata-common.h"
34 #include "threads.h"
35 #include "decode.h"
36 
37 #include "detect.h"
38 #include "detect-parse.h"
39 #include "detect-engine.h"
40 #include "detect-engine-buffer.h"
41 #include "detect-engine-mpm.h"
42 #include "detect-engine-prefilter.h"
43 #include "detect-content.h"
44 #include "detect-pcre.h"
45 
46 #include "flow.h"
47 #include "flow-var.h"
48 #include "flow-util.h"
49 
50 #include "util-debug.h"
51 #include "util-unittest.h"
52 #include "util-unittest-helper.h"
53 #include "util-spm.h"
54 
55 #include "app-layer.h"
56 #include "app-layer-parser.h"
57 
58 #include "app-layer-htp.h"
59 #include "stream-tcp.h"
60 #include "detect-http-host.h"
61 
62 static int DetectHttpHHSetup(DetectEngineCtx *, Signature *, const char *);
63 #ifdef UNITTESTS
64 static void DetectHttpHHRegisterTests(void);
65 #endif
66 static bool DetectHttpHostValidateCallback(
67  const Signature *s, const char **sigerror, const DetectBufferType *dbt);
68 static int DetectHttpHostSetup(DetectEngineCtx *, Signature *, const char *);
69 static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
70  const DetectEngineTransforms *transforms,
71  Flow *_f, const uint8_t _flow_flags,
72  void *txv, const int list_id);
73 static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx,
74  const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
75  const int list_id);
76 static int DetectHttpHRHSetup(DetectEngineCtx *, Signature *, const char *);
77 static int g_http_raw_host_buffer_id = 0;
78 static int DetectHttpHostRawSetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str);
79 static InspectionBuffer *GetRawData(DetectEngineThreadCtx *det_ctx,
80  const DetectEngineTransforms *transforms, Flow *_f,
81  const uint8_t _flow_flags, void *txv, const int list_id);
82 static InspectionBuffer *GetRawData2(DetectEngineThreadCtx *det_ctx,
83  const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
84  const int list_id);
85 static int g_http_host_buffer_id = 0;
86 static int g_http2_thread_id = 0;
87 static int g_http2_raw_thread_id = 0;
88 
89 /**
90  * \brief Registers the keyword handlers for the "http_host" keyword.
91  */
92 void DetectHttpHHRegister(void)
93 {
94  /* http_host content modifier */
95  sigmatch_table[DETECT_HTTP_HOST_CM].name = "http_host";
96  sigmatch_table[DETECT_HTTP_HOST_CM].desc = "content modifier to match on the HTTP hostname";
97  // no doc url for this obsolete keyword, see http.host
98  sigmatch_table[DETECT_HTTP_HOST_CM].Setup = DetectHttpHHSetup;
99 #ifdef UNITTESTS
100  sigmatch_table[DETECT_HTTP_HOST_CM].RegisterTests = DetectHttpHHRegisterTests;
101 #endif
102  sigmatch_table[DETECT_HTTP_HOST_CM].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_CONTENT_MODIFIER;
103  sigmatch_table[DETECT_HTTP_HOST_CM].alternative = DETECT_HTTP_HOST;
104 
105  /* http.host sticky buffer */
106  sigmatch_table[DETECT_HTTP_HOST].name = "http.host";
107  sigmatch_table[DETECT_HTTP_HOST].desc = "sticky buffer to match on the HTTP Host buffer";
108  sigmatch_table[DETECT_HTTP_HOST].url = "/rules/http-keywords.html#http-host";
109  sigmatch_table[DETECT_HTTP_HOST].Setup = DetectHttpHostSetup;
110  sigmatch_table[DETECT_HTTP_HOST].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;
111 
112  DetectAppLayerInspectEngineRegister("http_host", ALPROTO_HTTP1, SIG_FLAG_TOSERVER,
113  HTP_REQUEST_PROGRESS_HEADERS, DetectEngineInspectBufferGeneric, GetData);
114 
115  DetectAppLayerMpmRegister("http_host", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
116  GetData, ALPROTO_HTTP1, HTP_REQUEST_PROGRESS_HEADERS);
117 
118  DetectAppLayerInspectEngineRegister("http_host", ALPROTO_HTTP2, SIG_FLAG_TOSERVER,
119  HTTP2StateOpen, DetectEngineInspectBufferGeneric, GetData2);
120 
121  DetectAppLayerMpmRegister("http_host", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
122  GetData2, ALPROTO_HTTP2, HTTP2StateOpen);
123 
124  DetectBufferTypeRegisterValidateCallback("http_host",
125  DetectHttpHostValidateCallback);
126 
127  DetectBufferTypeSetDescriptionByName("http_host",
128  "http host");
129 
130  g_http2_thread_id = DetectRegisterThreadCtxGlobalFuncs(
131  "http_host", SCHttp2ThreadBufDataInit, NULL, SCHttp2ThreadBufDataFree);
132 
133  g_http_host_buffer_id = DetectBufferTypeGetByName("http_host");
134 
135  /* http_raw_host content modifier */
136  sigmatch_table[DETECT_HTTP_RAW_HOST].name = "http_raw_host";
137  sigmatch_table[DETECT_HTTP_RAW_HOST].desc = "content modifier to match on the HTTP host header "
138  "or the raw hostname from the HTTP uri";
139  // no doc url for this obsolete keyword, see http.host.raw
140  sigmatch_table[DETECT_HTTP_RAW_HOST].Setup = DetectHttpHRHSetup;
141  sigmatch_table[DETECT_HTTP_RAW_HOST].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_CONTENT_MODIFIER;
142  sigmatch_table[DETECT_HTTP_RAW_HOST].alternative = DETECT_HTTP_HOST_RAW;
143 
144  /* http.host sticky buffer */
145  sigmatch_table[DETECT_HTTP_HOST_RAW].name = "http.host.raw";
146  sigmatch_table[DETECT_HTTP_HOST_RAW].desc = "sticky buffer to match on the HTTP host header or the raw hostname from the HTTP uri";
147  sigmatch_table[DETECT_HTTP_HOST_RAW].url = "/rules/http-keywords.html#http-host-raw";
148  sigmatch_table[DETECT_HTTP_HOST_RAW].Setup = DetectHttpHostRawSetupSticky;
149  sigmatch_table[DETECT_HTTP_HOST_RAW].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;
150 
151  DetectAppLayerInspectEngineRegister("http_raw_host", ALPROTO_HTTP1, SIG_FLAG_TOSERVER,
152  HTP_REQUEST_PROGRESS_HEADERS, DetectEngineInspectBufferGeneric, GetRawData);
153 
154  DetectAppLayerMpmRegister("http_raw_host", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
155  GetRawData, ALPROTO_HTTP1, HTP_REQUEST_PROGRESS_HEADERS);
156 
157  DetectAppLayerInspectEngineRegister("http_raw_host", ALPROTO_HTTP2, SIG_FLAG_TOSERVER,
158  HTTP2StateOpen, DetectEngineInspectBufferGeneric, GetRawData2);
159 
160  DetectAppLayerMpmRegister("http_raw_host", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
161  GetRawData2, ALPROTO_HTTP2, HTTP2StateOpen);
162 
163  DetectBufferTypeSetDescriptionByName("http_raw_host",
164  "http raw host header");
165 
166  g_http2_raw_thread_id = DetectRegisterThreadCtxGlobalFuncs(
167  "http_raw_host", SCHttp2ThreadBufDataInit, NULL, SCHttp2ThreadBufDataFree);
168 
169  g_http_raw_host_buffer_id = DetectBufferTypeGetByName("http_raw_host");
170 }
171 
172 /**
173  * \brief The setup function for the http_host keyword for a signature.
174  *
175  * \param de_ctx Pointer to the detection engine context.
176  * \param s Pointer to the signature for the current Signature being
177  * parsed from the rules.
178  * \param m Pointer to the head of the SigMatch for the current rule
179  * being parsed.
180  * \param arg Pointer to the string holding the keyword value.
181  *
182  * \retval 0 On success
183  * \retval -1 On failure
184  */
185 static int DetectHttpHHSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
186 {
187  return DetectEngineContentModifierBufferSetup(
188  de_ctx, s, arg, DETECT_HTTP_HOST_CM, g_http_host_buffer_id, ALPROTO_HTTP1);
189 }
190 
191 static bool DetectHttpHostValidateCallback(
192  const Signature *s, const char **sigerror, const DetectBufferType *dbt)
193 {
194  for (uint32_t x = 0; x < s->init_data->buffer_index; x++) {
195  if (s->init_data->buffers[x].id != (uint32_t)dbt->id)
196  continue;
197  const SigMatch *sm = s->init_data->buffers[x].head;
198  for (; sm != NULL; sm = sm->next) {
199  if (sm->type == DETECT_CONTENT) {
200  DetectContentData *cd = (DetectContentData *)sm->ctx;
201  if (cd->flags & DETECT_CONTENT_NOCASE) {
202  *sigerror = "http.host keyword "
203  "specified along with \"nocase\". "
204  "The hostname buffer is normalized "
205  "to lowercase, specifying "
206  "nocase is redundant.";
207  SCLogWarning("rule %u: %s", s->id, *sigerror);
208  return false;
209  } else {
210  uint32_t u;
211  for (u = 0; u < cd->content_len; u++) {
212  if (isupper(cd->content[u]))
213  break;
214  }
215  if (u != cd->content_len) {
216  *sigerror = "A pattern with "
217  "uppercase characters detected for http.host. "
218  "The hostname buffer is normalized to lowercase, "
219  "please specify a lowercase pattern.";
220  SCLogWarning("rule %u: %s", s->id, *sigerror);
221  return false;
222  }
223  }
224  }
225  }
226  }
227 
228  return true;
229 }
230 
231 /**
232  * \brief this function setup the http.host keyword used in the rule
233  *
234  * \param de_ctx Pointer to the Detection Engine Context
235  * \param s Pointer to the Signature to which the current keyword belongs
236  * \param str Should hold an empty string always
237  *
238  * \retval 0 On success
239  */
240 static int DetectHttpHostSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
241 {
242  if (SCDetectBufferSetActiveList(de_ctx, s, g_http_host_buffer_id) < 0)
243  return -1;
244  if (SCDetectSignatureSetAppProto(s, ALPROTO_HTTP) < 0)
245  return -1;
246  return 0;
247 }
248 
249 static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
250  const DetectEngineTransforms *transforms, Flow *_f,
251  const uint8_t _flow_flags, void *txv, const int list_id)
252 {
253  InspectionBuffer *buffer = SCInspectionBufferGet(det_ctx, list_id);
254  if (buffer->inspect == NULL) {
255  htp_tx_t *tx = (htp_tx_t *)txv;
256 
257  if (htp_tx_request_hostname(tx) == NULL)
258  return NULL;
259 
260  const uint32_t data_len = (uint32_t)bstr_len(htp_tx_request_hostname(tx));
261  const uint8_t *data = bstr_ptr(htp_tx_request_hostname(tx));
262 
263  SCInspectionBufferSetupAndApplyTransforms(
264  det_ctx, list_id, buffer, data, data_len, transforms);
265  }
266 
267  return buffer;
268 }
269 
270 static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx,
271  const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
272  const int list_id)
273 {
274  InspectionBuffer *buffer = SCInspectionBufferGet(det_ctx, list_id);
275  if (buffer->inspect == NULL) {
276  uint32_t b_len = 0;
277  const uint8_t *b = NULL;
278  void *thread_buf = DetectThreadCtxGetGlobalKeywordThreadCtx(det_ctx, g_http2_thread_id);
279  if (thread_buf == NULL)
280  return NULL;
281  if (SCHttp2TxGetHostNorm(txv, &b, &b_len, thread_buf) != 1)
282  return NULL;
283  if (b == NULL || b_len == 0)
284  return NULL;
285 
286  SCInspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms);
287  }
288 
289  return buffer;
290 }
291 
292 static InspectionBuffer *GetRawData2(DetectEngineThreadCtx *det_ctx,
293  const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
294  const int list_id)
295 {
296  InspectionBuffer *buffer = SCInspectionBufferGet(det_ctx, list_id);
297  if (buffer->inspect == NULL) {
298  uint32_t b_len = 0;
299  const uint8_t *b = NULL;
300  void *thread_buf = DetectThreadCtxGetGlobalKeywordThreadCtx(det_ctx, g_http2_raw_thread_id);
301  if (thread_buf == NULL)
302  return NULL;
303 
304  if (SCHttp2TxGetHost(txv, &b, &b_len, thread_buf) != 1)
305  return NULL;
306  if (b == NULL || b_len == 0)
307  return NULL;
308 
309  SCInspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms);
310  }
311 
312  return buffer;
313 }
314 
315 /**
316  * \brief The setup function for the http_raw_host keyword for a signature.
317  *
318  * \param de_ctx Pointer to the detection engine context.
319  * \param s Pointer to the signature for the current Signature being
320  * parsed from the rules.
321  * \param m Pointer to the head of the SigMatch for the current rule
322  * being parsed.
323  * \param arg Pointer to the string holding the keyword value.
324  *
325  * \retval 0 On success
326  * \retval -1 On failure
327  */
328 int DetectHttpHRHSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
329 {
330  return DetectEngineContentModifierBufferSetup(
331  de_ctx, s, arg, DETECT_HTTP_RAW_HOST, g_http_raw_host_buffer_id, ALPROTO_HTTP1);
332 }
333 
334 /**
335  * \brief this function setup the http.host keyword used in the rule
336  *
337  * \param de_ctx Pointer to the Detection Engine Context
338  * \param s Pointer to the Signature to which the current keyword belongs
339  * \param str Should hold an empty string always
340  *
341  * \retval 0 On success
342  */
343 static int DetectHttpHostRawSetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str)
344 {
345  if (SCDetectBufferSetActiveList(de_ctx, s, g_http_raw_host_buffer_id) < 0)
346  return -1;
347  if (SCDetectSignatureSetAppProto(s, ALPROTO_HTTP) < 0)
348  return -1;
349  return 0;
350 }
351 
352 static InspectionBuffer *GetRawData(DetectEngineThreadCtx *det_ctx,
353  const DetectEngineTransforms *transforms, Flow *_f,
354  const uint8_t _flow_flags, void *txv, const int list_id)
355 {
356  InspectionBuffer *buffer = SCInspectionBufferGet(det_ctx, list_id);
357  if (buffer->inspect == NULL) {
358  htp_tx_t *tx = (htp_tx_t *)txv;
359 
360  const uint8_t *data = NULL;
361  uint32_t data_len = 0;
362 
363  if (htp_uri_hostname(htp_tx_parsed_uri(tx)) == NULL) {
364  if (htp_tx_request_headers(tx) == NULL)
365  return NULL;
366 
367  const htp_header_t *h = htp_tx_request_header(tx, "Host");
368  if (h == NULL || htp_header_value(h) == NULL)
369  return NULL;
370 
371  data = htp_header_value_ptr(h);
372  data_len = (uint32_t)htp_header_value_len(h);
373  } else {
374  data = (const uint8_t *)bstr_ptr(htp_uri_hostname(htp_tx_parsed_uri(tx)));
375  data_len = (uint32_t)bstr_len(htp_uri_hostname(htp_tx_parsed_uri(tx)));
376  }
377 
378  SCInspectionBufferSetupAndApplyTransforms(
379  det_ctx, list_id, buffer, data, data_len, transforms);
380  }
381 
382  return buffer;
383 }
384 
385 /************************************Unittests*********************************/
386 
387 #ifdef UNITTESTS
388 #include "tests/detect-http-host.c"
389 #endif /* UNITTESTS */
390 
391 /**
392  * @}
393  */
DETECT_CONTENT_NOCASE
#define DETECT_CONTENT_NOCASE
Definition: detect-content.h:29
DetectHttpHHRegister
void DetectHttpHHRegister(void)
Registers the keyword handlers for the "http_host" keyword.
Definition: detect-http-host.c:92
SigTableElmt_::url
const char * url
Definition: detect.h:1503
SignatureInitDataBuffer_::head
SigMatch * head
Definition: detect.h:535
detect-content.h
detect-engine.h
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect-engine-register.h:306
SigTableElmt_::desc
const char * desc
Definition: detect.h:1502
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:79
DetectEngineInspectBufferGeneric
uint8_t DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:2049
flow-util.h
SCInspectionBufferGet
InspectionBuffer * SCInspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
Definition: detect-engine-inspect-buffer.c:56
DETECT_HTTP_HOST
@ DETECT_HTTP_HOST
Definition: detect-engine-register.h:189
SigTableElmt_::name
const char * name
Definition: detect.h:1500
stream-tcp.h
DetectEngineTransforms
Definition: detect.h:391
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:71
SigTableElmt_::flags
uint32_t flags
Definition: detect.h:1491
InspectionBuffer
Definition: detect-engine-inspect-buffer.h:34
threads.h
Flow_
Flow data structure.
Definition: flow.h:347
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:966
DetectBufferTypeRegisterValidateCallback
void DetectBufferTypeRegisterValidateCallback(const char *name, bool(*ValidateCallback)(const Signature *, const char **sigerror, const DetectBufferType *))
Definition: detect-engine.c:1481
DETECT_HTTP_RAW_HOST
@ DETECT_HTTP_RAW_HOST
Definition: detect-engine-register.h:190
SCInspectionBufferSetupAndApplyTransforms
void SCInspectionBufferSetupAndApplyTransforms(DetectEngineThreadCtx *det_ctx, const int list_id, InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len, const DetectEngineTransforms *transforms)
setup the buffer with our initial data
Definition: detect-engine-inspect-buffer.c:197
SCDetectBufferSetActiveList
int SCDetectBufferSetActiveList(DetectEngineCtx *de_ctx, Signature *s, const int list)
Definition: detect-engine-buffer.c:29
DetectBufferType_
Definition: detect.h:449
DetectContentData_
Definition: detect-content.h:93
SCDetectSignatureSetAppProto
int SCDetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:2277
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1482
detect-pcre.h
detect-http-host.c
Handle HTTP host header. HHHD - Http Host Header Data.
detect-engine-prefilter.h
util-unittest.h
util-unittest-helper.h
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1278
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:270
app-layer-htp.h
decode.h
util-debug.h
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:19
DetectEngineThreadCtx_
Definition: detect.h:1284
DetectHttpHHRegisterTests
void DetectHttpHHRegisterTests(void)
Definition: detect-http-host.c:2576
detect-engine-mpm.h
detect.h
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:360
DETECT_HTTP_HOST_RAW
@ DETECT_HTTP_HOST_RAW
Definition: detect-engine-register.h:191
PrefilterGenericMpmRegister
int PrefilterGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
Definition: detect-engine-prefilter.c:1580
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:262
SigTableElmt_::alternative
uint16_t alternative
Definition: detect.h:1498
DetectAppLayerMpmRegister
void DetectAppLayerMpmRegister(const char *name, int direction, int priority, PrefilterRegisterFunc PrefilterRegister, InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register an app layer keyword for mpm
Definition: detect-engine-mpm.c:152
app-layer-parser.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:359
SIGMATCH_INFO_CONTENT_MODIFIER
#define SIGMATCH_INFO_CONTENT_MODIFIER
Definition: detect-engine-register.h:326
DetectEngineContentModifierBufferSetup
int DetectEngineContentModifierBufferSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg, int sm_type, int sm_list, AppProto alproto)
Definition: detect-parse.c:146
DetectContentData_::flags
uint32_t flags
Definition: detect-content.h:104
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:751
ALPROTO_HTTP2
@ ALPROTO_HTTP2
Definition: app-layer-protos.h:69
detect-http-host.h
DetectBufferType_::id
int id
Definition: detect.h:452
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:357
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:36
util-spm.h
DetectContentData_::content
uint8_t * content
Definition: detect-content.h:94
detect-engine-buffer.h
SignatureInitData_::buffers
SignatureInitDataBuffer * buffers
Definition: detect.h:651
InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect-engine-inspect-buffer.h:35
str
#define str(s)
Definition: suricata-common.h:308
DETECT_HTTP_HOST_CM
@ DETECT_HTTP_HOST_CM
Definition: detect-engine-register.h:188
DetectThreadCtxGetGlobalKeywordThreadCtx
void * DetectThreadCtxGetGlobalKeywordThreadCtx(DetectEngineThreadCtx *det_ctx, int id)
Retrieve thread local keyword ctx by id.
Definition: detect-engine.c:3818
Signature_::id
uint32_t id
Definition: detect.h:717
detect-parse.h
SignatureInitDataBuffer_::id
uint32_t id
Definition: detect.h:526
Signature_
Signature container.
Definition: detect.h:672
SigMatch_
a single match condition for a signature
Definition: detect.h:356
ALPROTO_HTTP
@ ALPROTO_HTTP
Definition: app-layer-protos.h:76
SIGMATCH_INFO_STICKY_BUFFER
#define SIGMATCH_INFO_STICKY_BUFFER
Definition: detect-engine-register.h:328
DetectContentData_::content_len
uint16_t content_len
Definition: detect-content.h:95
DetectAppLayerInspectEngineRegister
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback, InspectionBufferGetDataPtr GetData)
Registers an app inspection engine.
Definition: detect-engine.c:273
DetectBufferTypeSetDescriptionByName
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
Definition: detect-engine.c:1375
flow.h
SignatureInitData_::buffer_index
uint32_t buffer_index
Definition: detect.h:652
flow-var.h
DetectRegisterThreadCtxGlobalFuncs
int DetectRegisterThreadCtxGlobalFuncs(const char *name, void *(*InitFunc)(void *), void *data, void(*FreeFunc)(void *))
Register Thread keyword context Funcs (Global)
Definition: detect-engine.c:3774
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1489
app-layer.h