suricata
detect-http-raw-header.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup httplayer
20  *
21  * @{
22  */
23 
24 
25 /**
26  * \file
27  *
28  * \author Pablo Rincon <pablo.rincon.crespo@gmail.com>
29  *
30  * Implements support for http_raw_header keyword.
31  */
32 
33 #include "suricata-common.h"
34 #include "threads.h"
35 #include "decode.h"
36 
37 #include "detect.h"
38 #include "detect-parse.h"
39 #include "detect-engine.h"
40 #include "detect-engine-mpm.h"
42 #include "detect-content.h"
43 
44 #include "flow.h"
45 #include "flow-var.h"
46 #include "flow-util.h"
47 
48 #include "util-debug.h"
49 #include "util-profiling.h"
50 
51 #include "app-layer.h"
52 #include "app-layer-parser.h"
53 #include "app-layer-htp.h"
54 #include "detect-http-raw-header.h"
55 
56 static int DetectHttpRawHeaderSetup(DetectEngineCtx *, Signature *, const char *);
57 static int DetectHttpRawHeaderSetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str);
58 #ifdef UNITTESTS
59 static void DetectHttpRawHeaderRegisterTests(void);
60 #endif
61 static bool DetectHttpRawHeaderValidateCallback(const Signature *s, const char **sigerror);
62 static int g_http_raw_header_buffer_id = 0;
63 static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
64  const DetectEngineTransforms *transforms, Flow *_f,
65  const uint8_t flow_flags, void *txv, const int list_id);
66 static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx,
67  const DetectEngineTransforms *transforms, Flow *_f, const uint8_t flow_flags, void *txv,
68  const int list_id);
69 
70 static int PrefilterMpmHttpHeaderRawRequestRegister(DetectEngineCtx *de_ctx,
71  SigGroupHead *sgh, MpmCtx *mpm_ctx,
72  const DetectBufferMpmRegistery *mpm_reg, int list_id);
73 static int PrefilterMpmHttpHeaderRawResponseRegister(DetectEngineCtx *de_ctx,
74  SigGroupHead *sgh, MpmCtx *mpm_ctx,
75  const DetectBufferMpmRegistery *mpm_reg, int list_id);
76 
77 /**
78  * \brief Registers the keyword handlers for the "http_raw_header" keyword.
79  */
81 {
82  /* http_raw_header content modifier */
83  sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].name = "http_raw_header";
84  sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].desc = "content modifier to match the raw HTTP header buffer";
85  sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].url = "/rules/http-keywords.html#http-header-and-http-raw-header";
86  sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].Setup = DetectHttpRawHeaderSetup;
87 #ifdef UNITTESTS
89 #endif
92 
93  /* http.header.raw sticky buffer */
94  sigmatch_table[DETECT_HTTP_RAW_HEADER].name = "http.header.raw";
95  sigmatch_table[DETECT_HTTP_RAW_HEADER].desc = "sticky buffer to match the raw HTTP header buffer";
96  sigmatch_table[DETECT_HTTP_RAW_HEADER].url = "/rules/http-keywords.html#http-header-and-http-raw-header";
97  sigmatch_table[DETECT_HTTP_RAW_HEADER].Setup = DetectHttpRawHeaderSetupSticky;
99 
101  HTP_REQUEST_HEADERS + 1, DetectEngineInspectBufferGeneric, GetData);
103  HTP_RESPONSE_HEADERS + 1, DetectEngineInspectBufferGeneric, GetData);
104 
105  DetectAppLayerMpmRegister2("http_raw_header", SIG_FLAG_TOSERVER, 2,
106  PrefilterMpmHttpHeaderRawRequestRegister, NULL, ALPROTO_HTTP1,
107  0); /* progress handled in register */
108  DetectAppLayerMpmRegister2("http_raw_header", SIG_FLAG_TOCLIENT, 2,
109  PrefilterMpmHttpHeaderRawResponseRegister, NULL, ALPROTO_HTTP1,
110  0); /* progress handled in register */
111 
113  HTTP2StateDataClient, DetectEngineInspectBufferGeneric, GetData2);
115  HTTP2StateDataServer, DetectEngineInspectBufferGeneric, GetData2);
116 
118  GetData2, ALPROTO_HTTP2, HTTP2StateDataClient);
120  GetData2, ALPROTO_HTTP2, HTTP2StateDataServer);
121 
122  DetectBufferTypeSetDescriptionByName("http_raw_header",
123  "raw http headers");
124 
126  DetectHttpRawHeaderValidateCallback);
127 
128  g_http_raw_header_buffer_id = DetectBufferTypeGetByName("http_raw_header");
129 }
130 
131 /**
132  * \brief The setup function for the http_raw_header keyword for a signature.
133  *
134  * \param de_ctx Pointer to the detection engine context.
135  * \param s Pointer to signature for the current Signature being parsed
136  * from the rules.
137  * \param m Pointer to the head of the SigMatchs for the current rule
138  * being parsed.
139  * \param arg Pointer to the string holding the keyword value.
140  *
141  * \retval 0 On success.
142  * \retval -1 On failure.
143  */
144 int DetectHttpRawHeaderSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
145 {
147  de_ctx, s, arg, DETECT_AL_HTTP_RAW_HEADER, g_http_raw_header_buffer_id, ALPROTO_HTTP1);
148 }
149 
150 /**
151  * \brief this function setup the http.header.raw keyword used in the rule
152  *
153  * \param de_ctx Pointer to the Detection Engine Context
154  * \param s Pointer to the Signature to which the current keyword belongs
155  * \param str Should hold an empty string always
156  *
157  * \retval 0 On success
158  */
159 static int DetectHttpRawHeaderSetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str)
160 {
161  if (DetectBufferSetActiveList(s, g_http_raw_header_buffer_id) < 0)
162  return -1;
164  return -1;
165  return 0;
166 }
167 
168 static bool DetectHttpRawHeaderValidateCallback(const Signature *s, const char **sigerror)
169 {
171  *sigerror = "http_raw_header signature "
172  "without a flow direction. Use flow:to_server for "
173  "inspecting request headers or flow:to_client for "
174  "inspecting response headers.";
175 
176  SCLogError(SC_ERR_INVALID_SIGNATURE, "%s", *sigerror);
177  SCReturnInt(false);
178  }
179  return true;
180 }
181 
182 static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
183  const DetectEngineTransforms *transforms, Flow *_f,
184  const uint8_t flow_flags, void *txv, const int list_id)
185 {
186  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
187  if (buffer->inspect == NULL) {
188  htp_tx_t *tx = (htp_tx_t *)txv;
189 
190  HtpTxUserData *tx_ud = htp_tx_get_user_data(tx);
191  if (tx_ud == NULL)
192  return NULL;
193 
194  const bool ts = ((flow_flags & STREAM_TOSERVER) != 0);
195  const uint8_t *data = ts ?
197  if (data == NULL)
198  return NULL;
199  const uint32_t data_len = ts ?
201 
202  InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len);
203  InspectionBufferApplyTransforms(buffer, transforms);
204  }
205 
206  return buffer;
207 }
208 
209 static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx,
210  const DetectEngineTransforms *transforms, Flow *_f, const uint8_t flow_flags, void *txv,
211  const int list_id)
212 {
213  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
214  if (buffer->inspect == NULL) {
215  uint32_t b_len = 0;
216  const uint8_t *b = NULL;
217 
218  if (rs_http2_tx_get_headers_raw(txv, flow_flags, &b, &b_len) != 1)
219  return NULL;
220  if (b == NULL || b_len == 0)
221  return NULL;
222 
223  InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len);
224  InspectionBufferApplyTransforms(buffer, transforms);
225  }
226 
227  return buffer;
228 }
229 
231  int list_id;
232  const MpmCtx *mpm_ctx;
235 
236 /** \brief Generic Mpm prefilter callback
237  *
238  * \param det_ctx detection engine thread ctx
239  * \param p packet to inspect
240  * \param f flow to inspect
241  * \param txv tx to inspect
242  * \param pectx inspection context
243  */
244 static void PrefilterMpmHttpHeaderRaw(DetectEngineThreadCtx *det_ctx,
245  const void *pectx,
246  Packet *p, Flow *f, void *txv,
247  const uint64_t idx, const uint8_t flags)
248 {
249  SCEnter();
250 
251  const PrefilterMpmHttpHeaderRawCtx *ctx = pectx;
252  const MpmCtx *mpm_ctx = ctx->mpm_ctx;
253  SCLogDebug("running on list %d", ctx->list_id);
254 
255  const int list_id = ctx->list_id;
256 
257  InspectionBuffer *buffer = GetData(det_ctx, ctx->transforms, f,
258  flags, txv, list_id);
259  if (buffer == NULL)
260  return;
261 
262  const uint32_t data_len = buffer->inspect_len;
263  const uint8_t *data = buffer->inspect;
264 
265  SCLogDebug("mpm'ing buffer:");
266  //PrintRawDataFp(stdout, data, data_len);
267 
268  if (data != NULL && data_len >= mpm_ctx->minlen) {
269  (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
270  &det_ctx->mtcu, &det_ctx->pmq, data, data_len);
271  PREFILTER_PROFILING_ADD_BYTES(det_ctx, data_len);
272  }
273 }
274 
275 static void PrefilterMpmHttpTrailerRaw(DetectEngineThreadCtx *det_ctx,
276  const void *pectx,
277  Packet *p, Flow *f, void *txv,
278  const uint64_t idx, const uint8_t flags)
279 {
280  SCEnter();
281 
282  htp_tx_t *tx = txv;
283  const HtpTxUserData *htud = (const HtpTxUserData *)htp_tx_get_user_data(tx);
284  /* if the request wasn't flagged as having a trailer, we skip */
285  if (htud && (
286  ((flags & STREAM_TOSERVER) && !htud->request_has_trailers) ||
287  ((flags & STREAM_TOCLIENT) && !htud->response_has_trailers))) {
288  SCReturn;
289  }
290  PrefilterMpmHttpHeaderRaw(det_ctx, pectx, p, f, txv, idx, flags);
291  SCReturn;
292 }
293 
294 static void PrefilterMpmHttpHeaderRawFree(void *ptr)
295 {
296  SCFree(ptr);
297 }
298 
299 static int PrefilterMpmHttpHeaderRawRequestRegister(DetectEngineCtx *de_ctx,
300  SigGroupHead *sgh, MpmCtx *mpm_ctx,
301  const DetectBufferMpmRegistery *mpm_reg, int list_id)
302 {
303  SCEnter();
304 
305  /* header */
306  PrefilterMpmHttpHeaderRawCtx *pectx = SCCalloc(1, sizeof(*pectx));
307  if (pectx == NULL)
308  return -1;
309  pectx->list_id = list_id;
310  pectx->mpm_ctx = mpm_ctx;
311  pectx->transforms = &mpm_reg->transforms;
312 
313  int r = PrefilterAppendTxEngine(de_ctx, sgh, PrefilterMpmHttpHeaderRaw,
314  mpm_reg->app_v2.alproto, HTP_REQUEST_HEADERS+1,
315  pectx, PrefilterMpmHttpHeaderRawFree, mpm_reg->pname);
316  if (r != 0) {
317  SCFree(pectx);
318  return r;
319  }
320 
321  /* trailer */
322  pectx = SCCalloc(1, sizeof(*pectx));
323  if (pectx == NULL)
324  return -1;
325  pectx->list_id = list_id;
326  pectx->mpm_ctx = mpm_ctx;
327  pectx->transforms = &mpm_reg->transforms;
328 
329  r = PrefilterAppendTxEngine(de_ctx, sgh, PrefilterMpmHttpTrailerRaw,
330  mpm_reg->app_v2.alproto, HTP_REQUEST_TRAILER+1,
331  pectx, PrefilterMpmHttpHeaderRawFree, mpm_reg->pname);
332  if (r != 0) {
333  SCFree(pectx);
334  }
335  return r;
336 }
337 
338 static int PrefilterMpmHttpHeaderRawResponseRegister(DetectEngineCtx *de_ctx,
339  SigGroupHead *sgh, MpmCtx *mpm_ctx,
340  const DetectBufferMpmRegistery *mpm_reg, int list_id)
341 {
342  SCEnter();
343 
344  /* header */
345  PrefilterMpmHttpHeaderRawCtx *pectx = SCCalloc(1, sizeof(*pectx));
346  if (pectx == NULL)
347  return -1;
348  pectx->list_id = list_id;
349  pectx->mpm_ctx = mpm_ctx;
350  pectx->transforms = &mpm_reg->transforms;
351 
352  int r = PrefilterAppendTxEngine(de_ctx, sgh, PrefilterMpmHttpHeaderRaw,
353  mpm_reg->app_v2.alproto, HTP_RESPONSE_HEADERS,
354  pectx, PrefilterMpmHttpHeaderRawFree, mpm_reg->pname);
355  if (r != 0) {
356  SCFree(pectx);
357  return r;
358  }
359 
360  /* trailer */
361  pectx = SCCalloc(1, sizeof(*pectx));
362  if (pectx == NULL)
363  return -1;
364  pectx->list_id = list_id;
365  pectx->mpm_ctx = mpm_ctx;
366  pectx->transforms = &mpm_reg->transforms;
367 
368  r = PrefilterAppendTxEngine(de_ctx, sgh, PrefilterMpmHttpTrailerRaw,
369  mpm_reg->app_v2.alproto, HTP_RESPONSE_TRAILER,
370  pectx, PrefilterMpmHttpHeaderRawFree, mpm_reg->pname);
371  if (r != 0) {
372  SCFree(pectx);
373  }
374  return r;
375 }
376 
377 /************************************Unittests*********************************/
378 
379 #ifdef UNITTESTS
381 #endif
382 
383 /**
384  * @}
385  */
SigTableElmt_::url
const char * url
Definition: detect.h:1248
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1490
detect-content.h
MpmCtx_::mpm_type
uint8_t mpm_type
Definition: util-mpm.h:90
ts
uint64_t ts
Definition: source-erf-file.c:55
detect-engine.h
SIGMATCH_INFO_STICKY_BUFFER
#define SIGMATCH_INFO_STICKY_BUFFER
Definition: detect.h:1455
PrefilterMpmHttpHeaderRawCtx::list_id
int list_id
Definition: detect-http-raw-header.c:231
SigTableElmt_::desc
const char * desc
Definition: detect.h:1247
DetectEngineInspectBufferGeneric
uint8_t DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1994
flow-util.h
SIGMATCH_INFO_CONTENT_MODIFIER
#define SIGMATCH_INFO_CONTENT_MODIFIER
Definition: detect.h:1453
HtpTxUserData_::request_headers_raw_len
uint32_t request_headers_raw_len
Definition: app-layer-htp.h:235
SigTableElmt_::name
const char * name
Definition: detect.h:1245
PrefilterMpmHttpHeaderRawCtx::transforms
const DetectEngineTransforms * transforms
Definition: detect-http-raw-header.c:233
DETECT_HTTP_RAW_HEADER
@ DETECT_HTTP_RAW_HEADER
Definition: detect-engine-register.h:147
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1403
DetectEngineTransforms
Definition: detect.h:372
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:296
DetectBufferMpmRegistery_::transforms
DetectEngineTransforms transforms
Definition: detect.h:640
InspectionBuffer
Definition: detect.h:338
DetectHttpRawHeaderRegister
void DetectHttpRawHeaderRegister(void)
Registers the keyword handlers for the "http_raw_header" keyword.
Definition: detect-http-raw-header.c:80
DetectHttpRawHeaderRegisterTests
void DetectHttpRawHeaderRegisterTests(void)
Definition: detect-http-raw-header.c:4367
threads.h
Flow_
Flow data structure.
Definition: flow.h:353
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1141
PrefilterGenericMpmRegister
int PrefilterGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id)
Definition: detect-engine-prefilter.c:755
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1239
DetectBufferMpmRegistery_::app_v2
struct DetectBufferMpmRegistery_::@87::@89 app_v2
DETECT_AL_HTTP_RAW_HEADER
@ DETECT_AL_HTTP_RAW_HEADER
Definition: detect-engine-register.h:146
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:785
SC_ERR_INVALID_SIGNATURE
@ SC_ERR_INVALID_SIGNATURE
Definition: util-error.h:69
PrefilterMpmHttpHeaderRawCtx::mpm_ctx
const MpmCtx * mpm_ctx
Definition: detect-http-raw-header.c:232
DetectBufferMpmRegistery_
one time registration of keywords at start up
Definition: detect.h:626
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:231
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1230
detect-http-raw-header.c
Handle HTTP raw header match.
detect-engine-prefilter.h
DetectEngineThreadCtx_::mtcu
MpmThreadCtx mtcu
Definition: detect.h:1139
InspectionBufferGet
InspectionBuffer * InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
Definition: detect-engine.c:1369
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1086
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:230
app-layer-htp.h
PrefilterMpmHttpHeaderRawCtx
struct PrefilterMpmHttpHeaderRawCtx PrefilterMpmHttpHeaderRawCtx
decode.h
util-debug.h
DetectBufferTypeRegisterValidateCallback
void DetectBufferTypeRegisterValidateCallback(const char *name, bool(*ValidateCallback)(const Signature *, const char **sigerror))
Definition: detect-engine.c:1280
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1034
PrefilterMpmHttpHeaderRawCtx
Definition: detect-http-raw-header.c:230
SCEnter
#define SCEnter(...)
Definition: util-debug.h:298
detect-engine-mpm.h
detect.h
HtpTxUserData_::response_has_trailers
uint8_t response_has_trailers
Definition: app-layer-htp.h:219
HtpTxUserData_::request_headers_raw
uint8_t * request_headers_raw
Definition: app-layer-htp.h:233
SigTableElmt_::alternative
uint16_t alternative
Definition: detect.h:1243
app-layer-parser.h
MpmCtx_::minlen
uint16_t minlen
Definition: util-mpm.h:99
HtpTxUserData_::request_has_trailers
uint8_t request_has_trailers
Definition: app-layer-htp.h:218
util-profiling.h
SCReturn
#define SCReturn
Definition: util-debug.h:300
Signature_::flags
uint32_t flags
Definition: detect.h:541
DetectEngineContentModifierBufferSetup
int DetectEngineContentModifierBufferSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg, int sm_type, int sm_list, AppProto alproto)
Definition: detect-parse.c:146
Packet_
Definition: decode.h:434
DetectAppLayerInspectEngineRegister2
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
Definition: detect-engine.c:227
ALPROTO_HTTP2
@ ALPROTO_HTTP2
Definition: app-layer-protos.h:62
MpmTableElmt_::Search
uint32_t(* Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t)
Definition: util-mpm.h:165
DetectAppLayerMpmRegister2
void DetectAppLayerMpmRegister2(const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id), InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register a MPM engine
Definition: detect-engine-mpm.c:89
PREFILTER_PROFILING_ADD_BYTES
#define PREFILTER_PROFILING_ADD_BYTES(det_ctx, bytes)
Definition: util-profiling.h:304
DetectBufferMpmRegistery_::pname
char pname[32]
Definition: detect.h:628
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
HtpTxUserData_::response_headers_raw
uint8_t * response_headers_raw
Definition: app-layer-htp.h:234
InspectionBufferApplyTransforms
void InspectionBufferApplyTransforms(InspectionBuffer *buffer, const DetectEngineTransforms *transforms)
Definition: detect-engine.c:1552
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:30
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:255
HtpTxUserData_
Definition: app-layer-htp.h:213
detect-http-raw-header.h
InspectionBuffer::inspect_len
uint32_t inspect_len
Definition: detect.h:341
InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect.h:339
str
#define str(s)
Definition: suricata-common.h:272
InspectionBufferSetup
void InspectionBufferSetup(DetectEngineThreadCtx *det_ctx, const int list_id, InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine.c:1450
SCFree
#define SCFree(p)
Definition: util-mem.h:61
detect-parse.h
Signature_
Signature container.
Definition: detect.h:540
PrefilterAppendTxEngine
int PrefilterAppendTxEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, void(*PrefilterTxFunc)(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, Flow *f, void *tx, const uint64_t idx, const uint8_t flags), AppProto alproto, int tx_min_progress, void *pectx, void(*FreeFunc)(void *pectx), const char *name)
Definition: detect-engine-prefilter.c:270
ALPROTO_HTTP
@ ALPROTO_HTTP
Definition: app-layer-protos.h:66
mpm_table
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
Definition: util-mpm.c:48
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1431
DetectBufferSetActiveList
int DetectBufferSetActiveList(Signature *s, const int list)
Definition: detect-engine.c:1300
DetectBufferTypeSetDescriptionByName
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
Definition: detect-engine.c:1183
MpmCtx_
Definition: util-mpm.h:88
HtpTxUserData_::response_headers_raw_len
uint32_t response_headers_raw_len
Definition: app-layer-htp.h:236
flow.h
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:302
flow-var.h
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1237
app-layer.h