suricata
detect-http2.c
Go to the documentation of this file.
1 /* Copyright (C) 2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Philippe Antoine <p.antoine@catenacyber.fr>
22  *
23  */
24 
25 #include "suricata-common.h"
26 
27 #include "detect.h"
28 #include "detect-parse.h"
29 #include "detect-engine.h"
30 #include "detect-engine-uint.h"
31 #include "detect-engine-mpm.h"
34 
35 #include "detect-http2.h"
36 #include "util-byte.h"
37 #include "rust.h"
38 
39 #ifdef UNITTESTS
46 #endif
47 
48 /* prototypes */
49 static int DetectHTTP2frametypeMatch(DetectEngineThreadCtx *det_ctx,
50  Flow *f, uint8_t flags, void *state, void *txv, const Signature *s,
51  const SigMatchCtx *ctx);
52 static int DetectHTTP2frametypeSetup (DetectEngineCtx *, Signature *, const char *);
54 
55 static int DetectHTTP2errorcodeMatch(DetectEngineThreadCtx *det_ctx,
56  Flow *f, uint8_t flags, void *state, void *txv, const Signature *s,
57  const SigMatchCtx *ctx);
58 static int DetectHTTP2errorcodeSetup (DetectEngineCtx *, Signature *, const char *);
60 
61 static int DetectHTTP2priorityMatch(DetectEngineThreadCtx *det_ctx,
62  Flow *f, uint8_t flags, void *state, void *txv, const Signature *s,
63  const SigMatchCtx *ctx);
64 static int DetectHTTP2prioritySetup (DetectEngineCtx *, Signature *, const char *);
66 
67 static int DetectHTTP2windowMatch(DetectEngineThreadCtx *det_ctx,
68  Flow *f, uint8_t flags, void *state, void *txv, const Signature *s,
69  const SigMatchCtx *ctx);
70 static int DetectHTTP2windowSetup (DetectEngineCtx *, Signature *, const char *);
71 void DetectHTTP2windowFree (DetectEngineCtx *, void *);
72 
73 static int DetectHTTP2sizeUpdateMatch(DetectEngineThreadCtx *det_ctx,
74  Flow *f, uint8_t flags, void *state, void *txv, const Signature *s,
75  const SigMatchCtx *ctx);
76 static int DetectHTTP2sizeUpdateSetup (DetectEngineCtx *, Signature *, const char *);
78 
79 static int DetectHTTP2settingsMatch(DetectEngineThreadCtx *det_ctx,
80  Flow *f, uint8_t flags, void *state, void *txv, const Signature *s,
81  const SigMatchCtx *ctx);
82 static int DetectHTTP2settingsSetup (DetectEngineCtx *, Signature *, const char *);
84 
85 static int DetectHTTP2headerNameSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg);
86 static int PrefilterMpmHttp2HeaderNameRegister(DetectEngineCtx *de_ctx,
87  SigGroupHead *sgh, MpmCtx *mpm_ctx,
88  const DetectBufferMpmRegistery *mpm_reg, int list_id);
89 static int DetectEngineInspectHttp2HeaderName(
91  const DetectEngineAppInspectionEngine *engine,
92  const Signature *s,
93  Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id);
94 
95 static int DetectHTTP2headerSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg);
96 static int PrefilterMpmHttp2HeaderRegister(DetectEngineCtx *de_ctx,
97  SigGroupHead *sgh, MpmCtx *mpm_ctx,
98  const DetectBufferMpmRegistery *mpm_reg, int list_id);
99 static int DetectEngineInspectHttp2Header(
101  const DetectEngineAppInspectionEngine *engine,
102  const Signature *s,
103  Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id);
104 static bool DetectHttp2HeaderValidateCallback(const Signature *s, const char **sigerror);
105 
106 #ifdef UNITTESTS
108 #endif
109 
110 static int g_http2_match_buffer_id = 0;
111 static int g_http2_header_name_buffer_id = 0;
112 static int g_http2_header_buffer_id = 0;
113 
114 static int DetectEngineInspectHTTP2(ThreadVars *tv, DetectEngineCtx *de_ctx,
115  DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd,
116  Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
117 {
118  return DetectEngineInspectGenericList(tv, de_ctx, det_ctx, s, smd,
119  f, flags, alstate, txv, tx_id);
120 }
121 
122 /**
123  * \brief Registration function for HTTP2 keywords
124  */
125 
127 {
128  sigmatch_table[DETECT_HTTP2_FRAMETYPE].name = "http2.frametype";
129  sigmatch_table[DETECT_HTTP2_FRAMETYPE].desc = "match on HTTP2 frame type field";
130  sigmatch_table[DETECT_HTTP2_FRAMETYPE].url = "/rules/http2-keywords.html#frametype";
132  sigmatch_table[DETECT_HTTP2_FRAMETYPE].AppLayerTxMatch = DetectHTTP2frametypeMatch;
133  sigmatch_table[DETECT_HTTP2_FRAMETYPE].Setup = DetectHTTP2frametypeSetup;
135 #ifdef UNITTESTS
137 #endif
138 
139  sigmatch_table[DETECT_HTTP2_ERRORCODE].name = "http2.errorcode";
140  sigmatch_table[DETECT_HTTP2_ERRORCODE].desc = "match on HTTP2 error code field";
141  sigmatch_table[DETECT_HTTP2_ERRORCODE].url = "/rules/http2-keywords.html#errorcode";
143  sigmatch_table[DETECT_HTTP2_ERRORCODE].AppLayerTxMatch = DetectHTTP2errorcodeMatch;
144  sigmatch_table[DETECT_HTTP2_ERRORCODE].Setup = DetectHTTP2errorcodeSetup;
146 #ifdef UNITTESTS
148 #endif
149 
150  sigmatch_table[DETECT_HTTP2_PRIORITY].name = "http2.priority";
151  sigmatch_table[DETECT_HTTP2_PRIORITY].desc = "match on HTTP2 priority weight field";
152  sigmatch_table[DETECT_HTTP2_PRIORITY].url = "/rules/http2-keywords.html#priority";
154  sigmatch_table[DETECT_HTTP2_PRIORITY].AppLayerTxMatch = DetectHTTP2priorityMatch;
155  sigmatch_table[DETECT_HTTP2_PRIORITY].Setup = DetectHTTP2prioritySetup;
157 #ifdef UNITTESTS
159 #endif
160 
161  sigmatch_table[DETECT_HTTP2_WINDOW].name = "http2.window";
162  sigmatch_table[DETECT_HTTP2_WINDOW].desc = "match on HTTP2 window update size increment field";
163  sigmatch_table[DETECT_HTTP2_WINDOW].url = "/rules/http2-keywords.html#window";
165  sigmatch_table[DETECT_HTTP2_WINDOW].AppLayerTxMatch = DetectHTTP2windowMatch;
166  sigmatch_table[DETECT_HTTP2_WINDOW].Setup = DetectHTTP2windowSetup;
168 #ifdef UNITTESTS
170 #endif
171 
172  sigmatch_table[DETECT_HTTP2_SIZEUPDATE].name = "http2.size_update";
173  sigmatch_table[DETECT_HTTP2_SIZEUPDATE].desc = "match on HTTP2 dynamic headers table size update";
174  sigmatch_table[DETECT_HTTP2_SIZEUPDATE].url = "/rules/http2-keywords.html#sizeupdate";
176  sigmatch_table[DETECT_HTTP2_SIZEUPDATE].AppLayerTxMatch = DetectHTTP2sizeUpdateMatch;
177  sigmatch_table[DETECT_HTTP2_SIZEUPDATE].Setup = DetectHTTP2sizeUpdateSetup;
179 #ifdef UNITTESTS
181 #endif
182 
183  sigmatch_table[DETECT_HTTP2_SETTINGS].name = "http2.settings";
184  sigmatch_table[DETECT_HTTP2_SETTINGS].desc = "match on HTTP2 settings identifier and value fields";
185  sigmatch_table[DETECT_HTTP2_SETTINGS].url = "/rules/http2-keywords.html#settings";
187  sigmatch_table[DETECT_HTTP2_SETTINGS].AppLayerTxMatch = DetectHTTP2settingsMatch;
188  sigmatch_table[DETECT_HTTP2_SETTINGS].Setup = DetectHTTP2settingsSetup;
190 #ifdef UNITTESTS
192 #endif
193 
194  sigmatch_table[DETECT_HTTP2_HEADERNAME].name = "http2.header_name";
195  sigmatch_table[DETECT_HTTP2_HEADERNAME].desc = "sticky buffer to match on one HTTP2 header name";
196  sigmatch_table[DETECT_HTTP2_HEADERNAME].url = "/rules/http2-keywords.html#header_name";
197  sigmatch_table[DETECT_HTTP2_HEADERNAME].Setup = DetectHTTP2headerNameSetup;
199 
200  DetectAppLayerMpmRegister2("http2_header_name", SIG_FLAG_TOCLIENT, 2,
201  PrefilterMpmHttp2HeaderNameRegister, NULL,
202  ALPROTO_HTTP2, HTTP2StateOpen);
203  DetectAppLayerInspectEngineRegister2("http2_header_name",
204  ALPROTO_HTTP2, SIG_FLAG_TOCLIENT, HTTP2StateOpen,
205  DetectEngineInspectHttp2HeaderName, NULL);
206  DetectAppLayerMpmRegister2("http2_header_name", SIG_FLAG_TOSERVER, 2,
207  PrefilterMpmHttp2HeaderNameRegister, NULL,
208  ALPROTO_HTTP2, HTTP2StateOpen);
209  DetectAppLayerInspectEngineRegister2("http2_header_name",
210  ALPROTO_HTTP2, SIG_FLAG_TOSERVER, HTTP2StateOpen,
211  DetectEngineInspectHttp2HeaderName, NULL);
212 
213  DetectBufferTypeSetDescriptionByName("http2_header_name",
214  "HTTP2 header name");
215  g_http2_header_name_buffer_id = DetectBufferTypeGetByName("http2_header_name");
216 
217  sigmatch_table[DETECT_HTTP2_HEADER].name = "http2.header";
218  sigmatch_table[DETECT_HTTP2_HEADER].desc = "sticky buffer to match on one HTTP2 header name and value";
219  sigmatch_table[DETECT_HTTP2_HEADER].url = "/rules/http2-keywords.html#header";
220  sigmatch_table[DETECT_HTTP2_HEADER].Setup = DetectHTTP2headerSetup;
222 
224  PrefilterMpmHttp2HeaderRegister, NULL,
225  ALPROTO_HTTP2, HTTP2StateOpen);
227  ALPROTO_HTTP2, SIG_FLAG_TOCLIENT, HTTP2StateOpen,
228  DetectEngineInspectHttp2Header, NULL);
230  PrefilterMpmHttp2HeaderRegister, NULL,
231  ALPROTO_HTTP2, HTTP2StateOpen);
233  ALPROTO_HTTP2, SIG_FLAG_TOSERVER, HTTP2StateOpen,
234  DetectEngineInspectHttp2Header, NULL);
235 
237  "HTTP2 header name and value");
238  DetectBufferTypeRegisterValidateCallback("http2_header", DetectHttp2HeaderValidateCallback);
239  g_http2_header_buffer_id = DetectBufferTypeGetByName("http2_header");
240 
243  DetectEngineInspectHTTP2);
246  DetectEngineInspectHTTP2);
247 
248  g_http2_match_buffer_id = DetectBufferTypeRegister("http2");
250 
251  return;
252 }
253 
254 /**
255  * \brief This function is used to match HTTP2 frame type rule option on a transaction with those passed via http2.frametype:
256  *
257  * \retval 0 no match
258  * \retval 1 match
259  */
260 static int DetectHTTP2frametypeMatch(DetectEngineThreadCtx *det_ctx,
261  Flow *f, uint8_t flags, void *state, void *txv, const Signature *s,
262  const SigMatchCtx *ctx)
263 
264 {
265  uint8_t *detect = (uint8_t *)ctx;
266 
267  return rs_http2_tx_has_frametype(txv, flags, *detect);
268 }
269 
270 static int DetectHTTP2FuncParseFrameType(const char *str, uint8_t *ft)
271 {
272  // first parse numeric value
273  if (ByteExtractStringUint8(ft, 10, strlen(str), str) >= 0) {
274  return 1;
275  }
276 
277  // it it failed so far, parse string value from enumeration
278  int r = rs_http2_parse_frametype(str);
279  if (r >= 0) {
280  *ft = r;
281  return 1;
282  }
283 
284  return 0;
285 }
286 
287 /**
288  * \brief this function is used to attach the parsed http2.frametype data into the current signature
289  *
290  * \param de_ctx pointer to the Detection Engine Context
291  * \param s pointer to the Current Signature
292  * \param str pointer to the user provided http2.frametype options
293  *
294  * \retval 0 on Success
295  * \retval -1 on Failure
296  */
297 static int DetectHTTP2frametypeSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
298 {
299  uint8_t frame_type;
300 
302  return -1;
303 
304  if (!DetectHTTP2FuncParseFrameType(str, &frame_type)) {
306  "Invalid argument \"%s\" supplied to http2.frametype keyword.", str);
307  return -1;
308  }
309 
310  uint8_t *http2ft = SCCalloc(1, sizeof(uint8_t));
311  if (http2ft == NULL)
312  return -1;
313  *http2ft = frame_type;
314 
315  SigMatch *sm = SigMatchAlloc();
316  if (sm == NULL) {
317  DetectHTTP2frametypeFree(NULL, http2ft);
318  return -1;
319  }
320 
322  sm->ctx = (SigMatchCtx *)http2ft;
323 
324  SigMatchAppendSMToList(s, sm, g_http2_match_buffer_id);
325 
326  return 0;
327 }
328 
329 /**
330  * \brief this function will free memory associated with uint8_t
331  *
332  * \param ptr pointer to uint8_t
333  */
335 {
336  SCFree(ptr);
337 }
338 
339 /**
340  * \brief This function is used to match HTTP2 error code rule option on a transaction with those passed via http2.errorcode:
341  *
342  * \retval 0 no match
343  * \retval 1 match
344  */
345 static int DetectHTTP2errorcodeMatch(DetectEngineThreadCtx *det_ctx,
346  Flow *f, uint8_t flags, void *state, void *txv, const Signature *s,
347  const SigMatchCtx *ctx)
348 
349 {
350  uint32_t *detect = (uint32_t *)ctx;
351 
352  return rs_http2_tx_has_errorcode(txv, flags, *detect);
353  //TODOask handle negation rules
354 }
355 
356 static int DetectHTTP2FuncParseErrorCode(const char *str, uint32_t *ec)
357 {
358  // first parse numeric value
359  if (ByteExtractStringUint32(ec, 10, strlen(str), str) >= 0) {
360  return 1;
361  }
362 
363  // it it failed so far, parse string value from enumeration
364  int r = rs_http2_parse_errorcode(str);
365  if (r >= 0) {
366  *ec = r;
367  return 1;
368  }
369 
370  return 0;
371 }
372 
373 /**
374  * \brief this function is used to attach the parsed http2.errorcode data into the current signature
375  *
376  * \param de_ctx pointer to the Detection Engine Context
377  * \param s pointer to the Current Signature
378  * \param str pointer to the user provided http2.errorcode options
379  *
380  * \retval 0 on Success
381  * \retval -1 on Failure
382  */
383 static int DetectHTTP2errorcodeSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
384 {
385  uint32_t error_code;
386 
388  return -1;
389 
390  if (!DetectHTTP2FuncParseErrorCode(str, &error_code)) {
392  "Invalid argument \"%s\" supplied to http2.errorcode keyword.", str);
393  return -1;
394  }
395 
396  uint32_t *http2ec = SCCalloc(1, sizeof(uint32_t));
397  if (http2ec == NULL)
398  return -1;
399  *http2ec = error_code;
400 
401  SigMatch *sm = SigMatchAlloc();
402  if (sm == NULL) {
403  DetectHTTP2errorcodeFree(NULL, http2ec);
404  return -1;
405  }
406 
408  sm->ctx = (SigMatchCtx *)http2ec;
409 
410  SigMatchAppendSMToList(s, sm, g_http2_match_buffer_id);
411 
412  return 0;
413 }
414 
415 /**
416  * \brief this function will free memory associated with uint32_t
417  *
418  * \param ptr pointer to uint32_t
419  */
421 {
422  SCFree(ptr);
423 }
424 
425 /**
426  * \brief This function is used to match HTTP2 error code rule option on a transaction with those passed via http2.priority:
427  *
428  * \retval 0 no match
429  * \retval 1 match
430  */
431 static int DetectHTTP2priorityMatch(DetectEngineThreadCtx *det_ctx,
432  Flow *f, uint8_t flags, void *state, void *txv, const Signature *s,
433  const SigMatchCtx *ctx)
434 
435 {
436  uint32_t nb = 0;
437  int value = rs_http2_tx_get_next_priority(txv, flags, nb);
438  const DetectU8Data *du8 = (const DetectU8Data *)ctx;
439  while (value >= 0) {
440  if (DetectU8Match(value, du8)) {
441  return 1;
442  }
443  nb++;
444  value = rs_http2_tx_get_next_priority(txv, flags, nb);
445  }
446  return 0;
447 }
448 
449 /**
450  * \brief this function is used to attach the parsed http2.priority data into the current signature
451  *
452  * \param de_ctx pointer to the Detection Engine Context
453  * \param s pointer to the Current Signature
454  * \param str pointer to the user provided http2.priority options
455  *
456  * \retval 0 on Success
457  * \retval -1 on Failure
458  */
459 static int DetectHTTP2prioritySetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
460 {
462  return -1;
463 
464  DetectU8Data *prio = DetectU8Parse(str);
465  if (prio == NULL)
466  return -1;
467 
468  SigMatch *sm = SigMatchAlloc();
469  if (sm == NULL) {
470  SCFree(prio);
471  return -1;
472  }
473 
475  sm->ctx = (SigMatchCtx *)prio;
476 
477  SigMatchAppendSMToList(s, sm, g_http2_match_buffer_id);
478 
479  return 0;
480 }
481 
482 /**
483  * \brief this function will free memory associated with uint32_t
484  *
485  * \param ptr pointer to DetectU8Data
486  */
488 {
489  SCFree(ptr);
490 }
491 
492 /**
493  * \brief This function is used to match HTTP2 window rule option on a transaction with those passed via http2.window:
494  *
495  * \retval 0 no match
496  * \retval 1 match
497  */
498 static int DetectHTTP2windowMatch(DetectEngineThreadCtx *det_ctx,
499  Flow *f, uint8_t flags, void *state, void *txv, const Signature *s,
500  const SigMatchCtx *ctx)
501 
502 {
503  uint32_t nb = 0;
504  int value = rs_http2_tx_get_next_window(txv, flags, nb);
505  const DetectU32Data *du32 = (const DetectU32Data *)ctx;
506  while (value >= 0) {
507  if (DetectU32Match(value, du32)) {
508  return 1;
509  }
510  nb++;
511  value = rs_http2_tx_get_next_window(txv, flags, nb);
512  }
513  return 0;
514 }
515 
516 /**
517  * \brief this function is used to attach the parsed http2.window data into the current signature
518  *
519  * \param de_ctx pointer to the Detection Engine Context
520  * \param s pointer to the Current Signature
521  * \param str pointer to the user provided http2.window options
522  *
523  * \retval 0 on Success
524  * \retval -1 on Failure
525  */
526 static int DetectHTTP2windowSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
527 {
529  return -1;
530 
532  if (wu == NULL)
533  return -1;
534 
535  SigMatch *sm = SigMatchAlloc();
536  if (sm == NULL) {
537  SCFree(wu);
538  return -1;
539  }
540 
542  sm->ctx = (SigMatchCtx *)wu;
543 
544  SigMatchAppendSMToList(s, sm, g_http2_match_buffer_id);
545 
546  return 0;
547 }
548 
549 /**
550  * \brief this function will free memory associated with uint32_t
551  *
552  * \param ptr pointer to DetectU8Data
553  */
555 {
556  SCFree(ptr);
557 }
558 
559 /**
560  * \brief This function is used to match HTTP2 size update rule option on a transaction with those passed via http2.size_update:
561  *
562  * \retval 0 no match
563  * \retval 1 match
564  */
565 static int DetectHTTP2sizeUpdateMatch(DetectEngineThreadCtx *det_ctx,
566  Flow *f, uint8_t flags, void *state, void *txv, const Signature *s,
567  const SigMatchCtx *ctx)
568 
569 {
570  return rs_http2_detect_sizeupdatectx_match(ctx, txv, flags);
571 }
572 
573 /**
574  * \brief this function is used to attach the parsed http2.size_update data into the current signature
575  *
576  * \param de_ctx pointer to the Detection Engine Context
577  * \param s pointer to the Current Signature
578  * \param str pointer to the user provided http2.size_update options
579  *
580  * \retval 0 on Success
581  * \retval -1 on Failure
582  */
583 static int DetectHTTP2sizeUpdateSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
584 {
586  return -1;
587 
588  void *su = rs_detect_u64_parse(str);
589  if (su == NULL)
590  return -1;
591 
592  SigMatch *sm = SigMatchAlloc();
593  if (sm == NULL) {
594  DetectHTTP2settingsFree(NULL, su);
595  return -1;
596  }
597 
599  sm->ctx = (SigMatchCtx *)su;
600 
601  SigMatchAppendSMToList(s, sm, g_http2_match_buffer_id);
602 
603  return 0;
604 }
605 
606 /**
607  * \brief this function will free memory associated with uint32_t
608  *
609  * \param ptr pointer to DetectU8Data
610  */
612 {
613  rs_detect_u64_free(ptr);
614 }
615 
616 /**
617  * \brief This function is used to match HTTP2 error code rule option on a transaction with those passed via http2.settings:
618  *
619  * \retval 0 no match
620  * \retval 1 match
621  */
622 static int DetectHTTP2settingsMatch(DetectEngineThreadCtx *det_ctx,
623  Flow *f, uint8_t flags, void *state, void *txv, const Signature *s,
624  const SigMatchCtx *ctx)
625 
626 {
627  return rs_http2_detect_settingsctx_match(ctx, txv, flags);
628 }
629 
630 /**
631  * \brief this function is used to attach the parsed http2.settings data into the current signature
632  *
633  * \param de_ctx pointer to the Detection Engine Context
634  * \param s pointer to the Current Signature
635  * \param str pointer to the user provided http2.settings options
636  *
637  * \retval 0 on Success
638  * \retval -1 on Failure
639  */
640 static int DetectHTTP2settingsSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
641 {
643  return -1;
644 
645  void *http2set = rs_http2_detect_settingsctx_parse(str);
646  if (http2set == NULL)
647  return -1;
648 
649  SigMatch *sm = SigMatchAlloc();
650  if (sm == NULL) {
651  DetectHTTP2settingsFree(NULL, http2set);
652  return -1;
653  }
654 
656  sm->ctx = (SigMatchCtx *)http2set;
657 
658  SigMatchAppendSMToList(s, sm, g_http2_match_buffer_id);
659 
660  return 0;
661 }
662 
663 /**
664  * \brief this function will free memory associated with rust signature context
665  *
666  * \param ptr pointer to rust signature context
667  */
669 {
670  rs_http2_detect_settingsctx_free(ptr);
671 }
672 
673 static int DetectHTTP2headerNameSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
674 {
675  if (DetectBufferSetActiveList(s, g_http2_header_name_buffer_id) < 0)
676  return -1;
677 
679  return -1;
680 
681  return 0;
682 }
683 
684 static void PrefilterMpmHttp2HNameFree(void *ptr)
685 {
686  SCFree(ptr);
687 }
688 
689 static InspectionBuffer *GetHttp2HNameData(DetectEngineThreadCtx *det_ctx,
690  const uint8_t flags, const DetectEngineTransforms *transforms,
691  Flow *_f, const struct MpmListIdDataArgs *cbdata,
692  int list_id, bool first)
693 {
694  SCEnter();
695 
698  if (buffer == NULL)
699  return NULL;
700  if (!first && buffer->inspect != NULL)
701  return buffer;
702 
703  uint32_t b_len = 0;
704  const uint8_t *b = NULL;
705 
706  if (rs_http2_tx_get_header_name(cbdata->txv, flags, (uint32_t)cbdata->local_id, &b, &b_len) != 1)
707  return NULL;
708  if (b == NULL || b_len == 0)
709  return NULL;
710 
711  InspectionBufferSetup(buffer, b, b_len);
712  InspectionBufferApplyTransforms(buffer, transforms);
713 
714  SCReturnPtr(buffer, "InspectionBuffer");
715 }
716 
717 static void PrefilterTxHttp2HName(DetectEngineThreadCtx *det_ctx,
718  const void *pectx,
719  Packet *p, Flow *f, void *txv,
720  const uint64_t idx, const uint8_t flags)
721 {
722  SCEnter();
723 
724  const PrefilterMpmListId *ctx = (const PrefilterMpmListId *)pectx;
725  const MpmCtx *mpm_ctx = ctx->mpm_ctx;
726  const int list_id = ctx->list_id;
727 
728  int local_id = 0;
729 
730  while(1) {
731  // loop until we get a NULL
732 
733  struct MpmListIdDataArgs cbdata = { local_id, txv };
734  InspectionBuffer *buffer = GetHttp2HNameData(det_ctx, flags, ctx->transforms,
735  f, &cbdata, list_id, true);
736  if (buffer == NULL)
737  break;
738 
739  if (buffer->inspect_len >= mpm_ctx->minlen) {
740  (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
741  &det_ctx->mtcu, &det_ctx->pmq,
742  buffer->inspect, buffer->inspect_len);
743  }
744 
745  local_id++;
746  }
747 }
748 
749 static int PrefilterMpmHttp2HeaderNameRegister(DetectEngineCtx *de_ctx,
750  SigGroupHead *sgh, MpmCtx *mpm_ctx,
751  const DetectBufferMpmRegistery *mpm_reg, int list_id)
752 {
753  //TODOask use PrefilterMpmListId elsewhere
754  PrefilterMpmListId *pectx = SCCalloc(1, sizeof(*pectx));
755  if (pectx == NULL)
756  return -1;
757  pectx->list_id = list_id;
758  pectx->mpm_ctx = mpm_ctx;
759  pectx->transforms = &mpm_reg->transforms;
760 
761  return PrefilterAppendTxEngine(de_ctx, sgh, PrefilterTxHttp2HName,
762  mpm_reg->app_v2.alproto, mpm_reg->app_v2.tx_min_progress,
763  pectx, PrefilterMpmHttp2HNameFree, mpm_reg->name);
764 }
765 
766 static int DetectEngineInspectHttp2HeaderName(
768  const DetectEngineAppInspectionEngine *engine,
769  const Signature *s,
770  Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
771 {
772  int local_id = 0;
773 
774  const DetectEngineTransforms *transforms = NULL;
775  if (!engine->mpm) {
776  transforms = engine->v2.transforms;
777  }
778 
779  while (1) {
780  //TODOask use MpmListIdDataArgs elsewhere
781  struct MpmListIdDataArgs cbdata = { local_id, txv, };
782  InspectionBuffer *buffer = GetHttp2HNameData(det_ctx, flags,
783  transforms, f, &cbdata, engine->sm_list, false);
784 
785  if (buffer == NULL || buffer->inspect == NULL)
786  break;
787 
788  det_ctx->buffer_offset = 0;
789  det_ctx->discontinue_matching = 0;
790  det_ctx->inspection_recursion_counter = 0;
791 
792  const int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd,
793  NULL, f,
794  (uint8_t *)buffer->inspect,
795  buffer->inspect_len,
798  if (match == 1) {
800  }
801  local_id++;
802  }
803 
805 }
806 
807 static int DetectHTTP2headerSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
808 {
809  if (DetectBufferSetActiveList(s, g_http2_header_buffer_id) < 0)
810  return -1;
811 
813  return -1;
814 
815  return 0;
816 }
817 
818 static void PrefilterMpmHttp2HeaderFree(void *ptr)
819 {
820  SCFree(ptr);
821 }
822 
823 static InspectionBuffer *GetHttp2HeaderData(DetectEngineThreadCtx *det_ctx,
824  const uint8_t flags, const DetectEngineTransforms *transforms,
825  Flow *_f, const struct MpmListIdDataArgs *cbdata,
826  int list_id, bool first)
827 {
828  SCEnter();
829 
832  if (buffer == NULL)
833  return NULL;
834  if (!first && buffer->inspect != NULL)
835  return buffer;
836 
837  uint32_t b_len = 0;
838  const uint8_t *b = NULL;
839 
840  if (rs_http2_tx_get_header(cbdata->txv, flags, (uint32_t)cbdata->local_id, &b, &b_len) != 1)
841  return NULL;
842  if (b == NULL || b_len == 0)
843  return NULL;
844 
845  InspectionBufferSetup(buffer, b, b_len);
846  InspectionBufferApplyTransforms(buffer, transforms);
847 
848  SCReturnPtr(buffer, "InspectionBuffer");
849 }
850 
851 static void PrefilterTxHttp2Header(DetectEngineThreadCtx *det_ctx,
852  const void *pectx,
853  Packet *p, Flow *f, void *txv,
854  const uint64_t idx, const uint8_t flags)
855 {
856  SCEnter();
857 
858  const PrefilterMpmListId *ctx = (const PrefilterMpmListId *)pectx;
859  const MpmCtx *mpm_ctx = ctx->mpm_ctx;
860  const int list_id = ctx->list_id;
861 
862  int local_id = 0;
863 
864  while(1) {
865  // loop until we get a NULL
866 
867  struct MpmListIdDataArgs cbdata = { local_id, txv };
868  InspectionBuffer *buffer = GetHttp2HeaderData(det_ctx, flags, ctx->transforms,
869  f, &cbdata, list_id, true);
870  if (buffer == NULL)
871  break;
872 
873  if (buffer->inspect_len >= mpm_ctx->minlen) {
874  (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
875  &det_ctx->mtcu, &det_ctx->pmq,
876  buffer->inspect, buffer->inspect_len);
877  }
878 
879  local_id++;
880  }
881 }
882 
883 static int PrefilterMpmHttp2HeaderRegister(DetectEngineCtx *de_ctx,
884  SigGroupHead *sgh, MpmCtx *mpm_ctx,
885  const DetectBufferMpmRegistery *mpm_reg, int list_id)
886 {
887  PrefilterMpmListId *pectx = SCCalloc(1, sizeof(*pectx));
888  if (pectx == NULL)
889  return -1;
890  pectx->list_id = list_id;
891  pectx->mpm_ctx = mpm_ctx;
892  pectx->transforms = &mpm_reg->transforms;
893 
894  return PrefilterAppendTxEngine(de_ctx, sgh, PrefilterTxHttp2Header,
895  mpm_reg->app_v2.alproto, mpm_reg->app_v2.tx_min_progress,
896  pectx, PrefilterMpmHttp2HeaderFree, mpm_reg->name);
897 }
898 
899 static int DetectEngineInspectHttp2Header(
901  const DetectEngineAppInspectionEngine *engine,
902  const Signature *s,
903  Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
904 {
905  int local_id = 0;
906 
907  const DetectEngineTransforms *transforms = NULL;
908  if (!engine->mpm) {
909  transforms = engine->v2.transforms;
910  }
911 
912  while (1) {
913  struct MpmListIdDataArgs cbdata = { local_id, txv, };
914  InspectionBuffer *buffer = GetHttp2HeaderData(det_ctx, flags,
915  transforms, f, &cbdata, engine->sm_list, false);
916 
917  if (buffer == NULL || buffer->inspect == NULL)
918  break;
919 
920  det_ctx->buffer_offset = 0;
921  det_ctx->discontinue_matching = 0;
922  det_ctx->inspection_recursion_counter = 0;
923 
924  const int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd,
925  NULL, f,
926  (uint8_t *)buffer->inspect,
927  buffer->inspect_len,
930  if (match == 1) {
932  }
933  local_id++;
934  }
935 
937 }
938 
939 static bool DetectHttp2HeaderValidateCallback(const Signature *s, const char **sigerror)
940 {
941  const SigMatch *sm = s->init_data->smlists[g_http2_header_buffer_id];
942  for ( ; sm != NULL; sm = sm->next) {
943  if (sm->type != DETECT_CONTENT)
944  continue;
945  const DetectContentData *cd = (DetectContentData *)sm->ctx;
946  bool escaped = false;
947  bool namevaluesep = false;
948  for (size_t i = 0; i < cd->content_len; ++i) {
949  if (escaped) {
950  if (cd->content[i] == ' ') {
951  if (namevaluesep) {
952  *sigerror = "Invalid http2.header string : "
953  "': ' is a special sequence for separation between name and value "
954  " and thus can only be present once";
955  SCLogWarning(SC_WARN_POOR_RULE, "rule %u: %s", s->id, *sigerror);
956  return false;
957  }
958  namevaluesep = true;
959  } else if (cd->content[i] != ':') {
960  *sigerror = "Invalid http2.header string : "
961  "':' is an escaping character for itself, "
962  "or space for the separation between name and value";
963  SCLogWarning(SC_WARN_POOR_RULE, "rule %u: %s", s->id, *sigerror);
964  return false;
965  }
966  escaped = false;
967  } else if(cd->content[i] == ':') {
968  escaped = true;
969  }
970  }
971  if (escaped) {
972  *sigerror = "Invalid http2.header string : "
973  "':' is an escaping character for itself, "
974  "or space for the separation between name and value";
975  SCLogWarning(SC_WARN_POOR_RULE, "rule %u: %s", s->id, *sigerror);
976  return false;
977  }
978  }
979  return true;
980 }
981 
982 #ifdef UNITTESTS
983 #include "tests/detect-http2.c"
984 #endif
util-byte.h
detect-engine-uint.h
DetectEngineAppInspectionEngine_
Definition: detect.h:402
SigTableElmt_::url
const char * url
Definition: detect.h:1214
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1480
MpmCtx_::mpm_type
uint8_t mpm_type
Definition: util-mpm.h:90
DetectEngineThreadCtx_::buffer_offset
uint32_t buffer_offset
Definition: detect.h:1041
detect-engine.h
SIGMATCH_INFO_STICKY_BUFFER
#define SIGMATCH_INFO_STICKY_BUFFER
Definition: detect.h:1404
DetectHTTP2priorityRegisterTests
void DetectHTTP2priorityRegisterTests(void)
Definition: detect-http2.c:90
SigTableElmt_::desc
const char * desc
Definition: detect.h:1213
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1201
SigTableElmt_::name
const char * name
Definition: detect.h:1211
MpmListIdDataArgs
Definition: detect-engine-mpm.h:129
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1347
DetectEngineTransforms
Definition: detect.h:376
DetectHTTP2RegisterTests
void DetectHTTP2RegisterTests(void)
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:59
DetectBufferMpmRegistery_::transforms
DetectEngineTransforms transforms
Definition: detect.h:624
InspectionBuffer
Definition: detect.h:344
Flow_
Flow data structure.
Definition: flow.h:347
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1111
DETECT_HTTP2_SETTINGS
@ DETECT_HTTP2_SETTINGS
Definition: detect-engine-register.h:180
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1205
DETECT_HTTP2_HEADER
@ DETECT_HTTP2_HEADER
Definition: detect-engine-register.h:182
DetectHTTP2priorityFree
void DetectHTTP2priorityFree(DetectEngineCtx *, void *)
this function will free memory associated with uint32_t
Definition: detect-http2.c:487
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:767
SC_ERR_INVALID_SIGNATURE
@ SC_ERR_INVALID_SIGNATURE
Definition: util-error.h:69
DETECT_HTTP2_SIZEUPDATE
@ DETECT_HTTP2_SIZEUPDATE
Definition: detect-engine-register.h:179
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1182
rust.h
MpmListIdDataArgs::txv
void * txv
Definition: detect-engine-mpm.h:131
DetectBufferMpmRegistery_
one time registration of keywords at start up
Definition: detect.h:611
DetectHTTP2sizeUpdateFree
void DetectHTTP2sizeUpdateFree(DetectEngineCtx *, void *)
this function will free memory associated with uint32_t
Definition: detect-http2.c:611
DETECT_HTTP2_HEADERNAME
@ DETECT_HTTP2_HEADERNAME
Definition: detect-engine-register.h:181
DetectU32Parse
DetectU32Data * DetectU32Parse(const char *u32str)
This function is used to parse u32 options passed via some u32 keyword.
Definition: detect-engine-uint.c:78
DetectContentData_
Definition: detect-content.h:86
DetectEngineContentInspection
int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer, uint32_t buffer_len, uint32_t stream_start_offset, uint8_t flags, uint8_t inspection_mode)
Run the actual payload match functions.
Definition: detect-engine-content-inspection.c:104
DetectU8Match
int DetectU8Match(const uint8_t parg, const DetectU8Data *du8)
Definition: detect-engine-uint.c:234
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:237
SigMatchData_
Data needed for Match()
Definition: detect.h:329
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1196
detect-engine-prefilter.h
DetectEngineThreadCtx_::mtcu
MpmThreadCtx mtcu
Definition: detect.h:1109
DetectEngineInspectGenericList
int DetectEngineInspectGenericList(ThreadVars *tv, const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, const uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1596
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:880
DetectU8Data_
Definition: detect-engine-uint.h:50
SC_WARN_POOR_RULE
@ SC_WARN_POOR_RULE
Definition: util-error.h:309
DetectEngineAppInspectionEngine_::sm_list
uint16_t sm_list
Definition: detect.h:408
InspectionBufferMultipleForList
Definition: detect.h:364
PrefilterMpmListId
Definition: detect-engine-mpm.h:123
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:236
DetectU32Match
int DetectU32Match(const uint32_t parg, const DetectU32Data *du32)
Definition: detect-engine-uint.c:39
DetectBufferTypeRegisterValidateCallback
void DetectBufferTypeRegisterValidateCallback(const char *name, bool(*ValidateCallback)(const Signature *, const char **sigerror))
Definition: detect-engine.c:972
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
detect-http2.h
DetectEngineThreadCtx_
Definition: detect.h:1010
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
detect-engine-mpm.h
MpmListIdDataArgs::local_id
int local_id
Definition: detect-engine-mpm.h:130
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectEngineAppInspectionEngine_::mpm
uint16_t mpm
Definition: detect.h:406
DetectHTTP2sizeUpdateRegisterTests
void DetectHTTP2sizeUpdateRegisterTests(void)
Definition: detect-http2.c:158
DETECT_ENGINE_INSPECT_SIG_MATCH
#define DETECT_ENGINE_INSPECT_SIG_MATCH
Definition: detect-engine-state.h:39
DetectHTTP2settingsFree
void DetectHTTP2settingsFree(DetectEngineCtx *, void *)
this function will free memory associated with rust signature context
Definition: detect-http2.c:668
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:324
InspectionBuffer::inspect_offset
uint64_t inspect_offset
Definition: detect.h:346
PrefilterMpmListId::transforms
const DetectEngineTransforms * transforms
Definition: detect-engine-mpm.h:126
MpmCtx_::minlen
uint16_t minlen
Definition: util-mpm.h:99
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:323
DetectHTTP2settingsRegisterTests
void DetectHTTP2settingsRegisterTests(void)
Definition: detect-http2.c:135
DetectBufferMpmRegistery_::name
const char * name
Definition: detect.h:612
PrefilterMpmListId::mpm_ctx
const MpmCtx * mpm_ctx
Definition: detect-engine-mpm.h:125
Packet_
Definition: decode.h:414
DetectAppLayerInspectEngineRegister2
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
Definition: detect-engine.c:232
ByteExtractStringUint32
int ByteExtractStringUint32(uint32_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:239
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:597
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:316
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1179
SignatureInitData_::smlists
struct SigMatch_ ** smlists
Definition: detect.h:522
ALPROTO_HTTP2
@ ALPROTO_HTTP2
Definition: app-layer-protos.h:59
DetectHTTP2windowRegisterTests
void DetectHTTP2windowRegisterTests(void)
Definition: detect-http2.c:112
MpmTableElmt_::Search
uint32_t(* Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t)
Definition: util-mpm.h:162
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
SigMatch_::type
uint8_t type
Definition: detect.h:321
detect-engine-content-inspection.h
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:315
DetectEngineThreadCtx_::discontinue_matching
uint16_t discontinue_matching
Definition: detect.h:1076
DetectEngineAppInspectionEngine_::smd
SigMatchData * smd
Definition: detect.h:426
DetectAppLayerMpmRegister2
void DetectAppLayerMpmRegister2(const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id), InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register a MPM engine
Definition: detect-engine-mpm.c:89
DETECT_CI_FLAGS_SINGLE
#define DETECT_CI_FLAGS_SINGLE
Definition: detect-engine-content-inspection.h:46
DetectBufferTypeRegister
int DetectBufferTypeRegister(const char *name)
Definition: detect-engine.c:836
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
DetectHTTP2windowFree
void DetectHTTP2windowFree(DetectEngineCtx *, void *)
this function will free memory associated with uint32_t
Definition: detect-http2.c:554
DETECT_HTTP2_ERRORCODE
@ DETECT_HTTP2_ERRORCODE
Definition: detect-engine-register.h:176
InspectionBufferSetup
void InspectionBufferSetup(InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine.c:1120
InspectionBufferApplyTransforms
void InspectionBufferApplyTransforms(InspectionBuffer *buffer, const DetectEngineTransforms *transforms)
Definition: detect-engine.c:1211
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectEngineThreadCtx_::inspection_recursion_counter
int inspection_recursion_counter
Definition: detect.h:1088
DetectContentData_::content
uint8_t * content
Definition: detect-content.h:87
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
DetectHttp2Register
void DetectHttp2Register(void)
Registration function for HTTP2 keywords.
Definition: detect-http2.c:126
DETECT_ENGINE_INSPECT_SIG_NO_MATCH
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
Definition: detect-engine-state.h:38
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
InspectionBuffer::inspect_len
uint32_t inspect_len
Definition: detect.h:347
DetectBufferMpmRegistery_::app_v2
struct DetectBufferMpmRegistery_::@93::@95 app_v2
ByteExtractStringUint8
int ByteExtractStringUint8(uint8_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:285
InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect.h:345
str
#define str(s)
Definition: suricata-common.h:273
DetectU32Data_
Definition: detect-engine-uint.h:36
DetectHTTP2errorCodeRegisterTests
void DetectHTTP2errorCodeRegisterTests(void)
Definition: detect-http2.c:68
SCLogWarning
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
Definition: util-debug.h:244
DetectU8Parse
DetectU8Data * DetectU8Parse(const char *u8str)
This function is used to parse u8 options passed via some u8 keyword.
Definition: detect-engine-uint.c:272
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Signature_::id
uint32_t id
Definition: detect.h:561
DETECT_HTTP2_WINDOW
@ DETECT_HTTP2_WINDOW
Definition: detect-engine-register.h:178
detect-parse.h
Signature_
Signature container.
Definition: detect.h:528
SigMatch_
a single match condition for a signature
Definition: detect.h:320
PrefilterAppendTxEngine
int PrefilterAppendTxEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, void(*PrefilterTxFunc)(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, Flow *f, void *tx, const uint64_t idx, const uint8_t flags), AppProto alproto, int tx_min_progress, void *pectx, void(*FreeFunc)(void *pectx), const char *name)
Definition: detect-engine-prefilter.c:257
DetectEngineAppInspectionEngine_::transforms
const DetectEngineTransforms * transforms
Definition: detect.h:423
PrefilterMpmListId::list_id
int list_id
Definition: detect-engine-mpm.h:124
mpm_table
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
Definition: util-mpm.c:48
DETECT_HTTP2_PRIORITY
@ DETECT_HTTP2_PRIORITY
Definition: detect-engine-register.h:177
detect-http2.c
InspectionBufferGetMulti
InspectionBufferMultipleForList * InspectionBufferGetMulti(DetectEngineThreadCtx *det_ctx, const int list_id)
Definition: detect-engine.c:1100
DetectContentData_::content_len
uint16_t content_len
Definition: detect-content.h:88
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1380
DetectBufferSetActiveList
int DetectBufferSetActiveList(Signature *s, const int list)
Definition: detect-engine.c:992
DetectBufferTypeSetDescriptionByName
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
Definition: detect-engine.c:908
DetectHTTP2frameTypeRegisterTests
void DetectHTTP2frameTypeRegisterTests(void)
this function registers unit tests for DetectHTTP2frameType
Definition: detect-http2.c:46
DetectHTTP2errorcodeFree
void DetectHTTP2errorcodeFree(DetectEngineCtx *, void *)
this function will free memory associated with uint32_t
Definition: detect-http2.c:420
MpmCtx_
Definition: util-mpm.h:88
DetectHTTP2frametypeFree
void DetectHTTP2frametypeFree(DetectEngineCtx *, void *)
this function will free memory associated with uint8_t
Definition: detect-http2.c:334
DetectUintRegister
void DetectUintRegister(void)
Definition: detect-engine-uint.c:224
DetectAppLayerInspectEngineRegister
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback)
register inspect engine at start up time
Definition: detect-engine.c:171
DetectEngineAppInspectionEngine_::v2
struct DetectEngineAppInspectionEngine_::@91 v2
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
Definition: detect-engine-content-inspection.h:35
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
InspectionBufferMultipleForListGet
InspectionBuffer * InspectionBufferMultipleForListGet(InspectionBufferMultipleForList *fb, uint32_t local_id)
for a InspectionBufferMultipleForList get a InspectionBuffer
Definition: detect-engine.c:1074
DETECT_HTTP2_FRAMETYPE
@ DETECT_HTTP2_FRAMETYPE
Definition: detect-engine-register.h:175
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1203