suricata
detect-http2.c
Go to the documentation of this file.
1 /* Copyright (C) 2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Philippe Antoine <p.antoine@catenacyber.fr>
22  *
23  */
24 
25 #include "suricata-common.h"
26 
27 #include "detect.h"
28 #include "detect-parse.h"
29 #include "detect-engine.h"
30 #include "detect-engine-uint.h"
31 #include "detect-engine-mpm.h"
34 
35 #include "detect-http2.h"
36 #include "util-byte.h"
37 #include "rust.h"
38 
39 #ifdef UNITTESTS
46 #endif
47 
48 /* prototypes */
49 static int DetectHTTP2frametypeMatch(DetectEngineThreadCtx *det_ctx,
50  Flow *f, uint8_t flags, void *state, void *txv, const Signature *s,
51  const SigMatchCtx *ctx);
52 static int DetectHTTP2frametypeSetup (DetectEngineCtx *, Signature *, const char *);
54 
55 static int DetectHTTP2errorcodeMatch(DetectEngineThreadCtx *det_ctx,
56  Flow *f, uint8_t flags, void *state, void *txv, const Signature *s,
57  const SigMatchCtx *ctx);
58 static int DetectHTTP2errorcodeSetup (DetectEngineCtx *, Signature *, const char *);
60 
61 static int DetectHTTP2priorityMatch(DetectEngineThreadCtx *det_ctx,
62  Flow *f, uint8_t flags, void *state, void *txv, const Signature *s,
63  const SigMatchCtx *ctx);
64 static int DetectHTTP2prioritySetup (DetectEngineCtx *, Signature *, const char *);
66 
67 static int DetectHTTP2windowMatch(DetectEngineThreadCtx *det_ctx,
68  Flow *f, uint8_t flags, void *state, void *txv, const Signature *s,
69  const SigMatchCtx *ctx);
70 static int DetectHTTP2windowSetup (DetectEngineCtx *, Signature *, const char *);
71 void DetectHTTP2windowFree (DetectEngineCtx *, void *);
72 
73 static int DetectHTTP2sizeUpdateMatch(DetectEngineThreadCtx *det_ctx,
74  Flow *f, uint8_t flags, void *state, void *txv, const Signature *s,
75  const SigMatchCtx *ctx);
76 static int DetectHTTP2sizeUpdateSetup (DetectEngineCtx *, Signature *, const char *);
78 
79 static int DetectHTTP2settingsMatch(DetectEngineThreadCtx *det_ctx,
80  Flow *f, uint8_t flags, void *state, void *txv, const Signature *s,
81  const SigMatchCtx *ctx);
82 static int DetectHTTP2settingsSetup (DetectEngineCtx *, Signature *, const char *);
84 
85 static int DetectHTTP2headerNameSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg);
86 static int PrefilterMpmHttp2HeaderNameRegister(DetectEngineCtx *de_ctx,
87  SigGroupHead *sgh, MpmCtx *mpm_ctx,
88  const DetectBufferMpmRegistery *mpm_reg, int list_id);
89 static int DetectEngineInspectHttp2HeaderName(
91  const DetectEngineAppInspectionEngine *engine,
92  const Signature *s,
93  Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id);
94 
95 static int DetectHTTP2headerSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg);
96 static int PrefilterMpmHttp2HeaderRegister(DetectEngineCtx *de_ctx,
97  SigGroupHead *sgh, MpmCtx *mpm_ctx,
98  const DetectBufferMpmRegistery *mpm_reg, int list_id);
99 static int DetectEngineInspectHttp2Header(
101  const DetectEngineAppInspectionEngine *engine,
102  const Signature *s,
103  Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id);
104 static bool DetectHttp2HeaderValidateCallback(const Signature *s, const char **sigerror);
105 
106 #ifdef UNITTESTS
108 #endif
109 
110 static int g_http2_match_buffer_id = 0;
111 static int g_http2_header_name_buffer_id = 0;
112 static int g_http2_header_buffer_id = 0;
113 
114 static int DetectEngineInspectHTTP2(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
115  const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f,
116  uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
117 {
119  de_ctx, det_ctx, s, engine->smd, f, flags, alstate, txv, tx_id);
120 }
121 
122 /**
123  * \brief Registration function for HTTP2 keywords
124  */
125 
127 {
128  sigmatch_table[DETECT_HTTP2_FRAMETYPE].name = "http2.frametype";
129  sigmatch_table[DETECT_HTTP2_FRAMETYPE].desc = "match on HTTP2 frame type field";
130  sigmatch_table[DETECT_HTTP2_FRAMETYPE].url = "/rules/http2-keywords.html#frametype";
132  sigmatch_table[DETECT_HTTP2_FRAMETYPE].AppLayerTxMatch = DetectHTTP2frametypeMatch;
133  sigmatch_table[DETECT_HTTP2_FRAMETYPE].Setup = DetectHTTP2frametypeSetup;
135 #ifdef UNITTESTS
137 #endif
138 
139  sigmatch_table[DETECT_HTTP2_ERRORCODE].name = "http2.errorcode";
140  sigmatch_table[DETECT_HTTP2_ERRORCODE].desc = "match on HTTP2 error code field";
141  sigmatch_table[DETECT_HTTP2_ERRORCODE].url = "/rules/http2-keywords.html#errorcode";
143  sigmatch_table[DETECT_HTTP2_ERRORCODE].AppLayerTxMatch = DetectHTTP2errorcodeMatch;
144  sigmatch_table[DETECT_HTTP2_ERRORCODE].Setup = DetectHTTP2errorcodeSetup;
146 #ifdef UNITTESTS
148 #endif
149 
150  sigmatch_table[DETECT_HTTP2_PRIORITY].name = "http2.priority";
151  sigmatch_table[DETECT_HTTP2_PRIORITY].desc = "match on HTTP2 priority weight field";
152  sigmatch_table[DETECT_HTTP2_PRIORITY].url = "/rules/http2-keywords.html#priority";
154  sigmatch_table[DETECT_HTTP2_PRIORITY].AppLayerTxMatch = DetectHTTP2priorityMatch;
155  sigmatch_table[DETECT_HTTP2_PRIORITY].Setup = DetectHTTP2prioritySetup;
157 #ifdef UNITTESTS
159 #endif
160 
161  sigmatch_table[DETECT_HTTP2_WINDOW].name = "http2.window";
162  sigmatch_table[DETECT_HTTP2_WINDOW].desc = "match on HTTP2 window update size increment field";
163  sigmatch_table[DETECT_HTTP2_WINDOW].url = "/rules/http2-keywords.html#window";
165  sigmatch_table[DETECT_HTTP2_WINDOW].AppLayerTxMatch = DetectHTTP2windowMatch;
166  sigmatch_table[DETECT_HTTP2_WINDOW].Setup = DetectHTTP2windowSetup;
168 #ifdef UNITTESTS
170 #endif
171 
172  sigmatch_table[DETECT_HTTP2_SIZEUPDATE].name = "http2.size_update";
173  sigmatch_table[DETECT_HTTP2_SIZEUPDATE].desc = "match on HTTP2 dynamic headers table size update";
174  sigmatch_table[DETECT_HTTP2_SIZEUPDATE].url = "/rules/http2-keywords.html#sizeupdate";
176  sigmatch_table[DETECT_HTTP2_SIZEUPDATE].AppLayerTxMatch = DetectHTTP2sizeUpdateMatch;
177  sigmatch_table[DETECT_HTTP2_SIZEUPDATE].Setup = DetectHTTP2sizeUpdateSetup;
179 #ifdef UNITTESTS
181 #endif
182 
183  sigmatch_table[DETECT_HTTP2_SETTINGS].name = "http2.settings";
184  sigmatch_table[DETECT_HTTP2_SETTINGS].desc = "match on HTTP2 settings identifier and value fields";
185  sigmatch_table[DETECT_HTTP2_SETTINGS].url = "/rules/http2-keywords.html#settings";
187  sigmatch_table[DETECT_HTTP2_SETTINGS].AppLayerTxMatch = DetectHTTP2settingsMatch;
188  sigmatch_table[DETECT_HTTP2_SETTINGS].Setup = DetectHTTP2settingsSetup;
190 #ifdef UNITTESTS
192 #endif
193 
194  sigmatch_table[DETECT_HTTP2_HEADERNAME].name = "http2.header_name";
195  sigmatch_table[DETECT_HTTP2_HEADERNAME].desc = "sticky buffer to match on one HTTP2 header name";
196  sigmatch_table[DETECT_HTTP2_HEADERNAME].url = "/rules/http2-keywords.html#header_name";
197  sigmatch_table[DETECT_HTTP2_HEADERNAME].Setup = DetectHTTP2headerNameSetup;
199 
200  DetectAppLayerMpmRegister2("http2_header_name", SIG_FLAG_TOCLIENT, 2,
201  PrefilterMpmHttp2HeaderNameRegister, NULL,
202  ALPROTO_HTTP2, HTTP2StateOpen);
203  DetectAppLayerInspectEngineRegister2("http2_header_name",
204  ALPROTO_HTTP2, SIG_FLAG_TOCLIENT, HTTP2StateOpen,
205  DetectEngineInspectHttp2HeaderName, NULL);
206  DetectAppLayerMpmRegister2("http2_header_name", SIG_FLAG_TOSERVER, 2,
207  PrefilterMpmHttp2HeaderNameRegister, NULL,
208  ALPROTO_HTTP2, HTTP2StateOpen);
209  DetectAppLayerInspectEngineRegister2("http2_header_name",
210  ALPROTO_HTTP2, SIG_FLAG_TOSERVER, HTTP2StateOpen,
211  DetectEngineInspectHttp2HeaderName, NULL);
212 
213  DetectBufferTypeSetDescriptionByName("http2_header_name",
214  "HTTP2 header name");
215  g_http2_header_name_buffer_id = DetectBufferTypeGetByName("http2_header_name");
216 
217  sigmatch_table[DETECT_HTTP2_HEADER].name = "http2.header";
218  sigmatch_table[DETECT_HTTP2_HEADER].desc = "sticky buffer to match on one HTTP2 header name and value";
219  sigmatch_table[DETECT_HTTP2_HEADER].url = "/rules/http2-keywords.html#header";
220  sigmatch_table[DETECT_HTTP2_HEADER].Setup = DetectHTTP2headerSetup;
222 
224  PrefilterMpmHttp2HeaderRegister, NULL,
225  ALPROTO_HTTP2, HTTP2StateOpen);
227  ALPROTO_HTTP2, SIG_FLAG_TOCLIENT, HTTP2StateOpen,
228  DetectEngineInspectHttp2Header, NULL);
230  PrefilterMpmHttp2HeaderRegister, NULL,
231  ALPROTO_HTTP2, HTTP2StateOpen);
233  ALPROTO_HTTP2, SIG_FLAG_TOSERVER, HTTP2StateOpen,
234  DetectEngineInspectHttp2Header, NULL);
235 
237  "HTTP2 header name and value");
238  DetectBufferTypeRegisterValidateCallback("http2_header", DetectHttp2HeaderValidateCallback);
239  g_http2_header_buffer_id = DetectBufferTypeGetByName("http2_header");
240 
242  "http2", ALPROTO_HTTP2, SIG_FLAG_TOSERVER, 0, DetectEngineInspectHTTP2, NULL);
244  "http2", ALPROTO_HTTP2, SIG_FLAG_TOCLIENT, 0, DetectEngineInspectHTTP2, NULL);
245 
246  g_http2_match_buffer_id = DetectBufferTypeRegister("http2");
248 
249  return;
250 }
251 
252 /**
253  * \brief This function is used to match HTTP2 frame type rule option on a transaction with those passed via http2.frametype:
254  *
255  * \retval 0 no match
256  * \retval 1 match
257  */
258 static int DetectHTTP2frametypeMatch(DetectEngineThreadCtx *det_ctx,
259  Flow *f, uint8_t flags, void *state, void *txv, const Signature *s,
260  const SigMatchCtx *ctx)
261 
262 {
263  uint8_t *detect = (uint8_t *)ctx;
264 
265  return rs_http2_tx_has_frametype(txv, flags, *detect);
266 }
267 
268 static int DetectHTTP2FuncParseFrameType(const char *str, uint8_t *ft)
269 {
270  // first parse numeric value
271  if (ByteExtractStringUint8(ft, 10, strlen(str), str) >= 0) {
272  return 1;
273  }
274 
275  // it it failed so far, parse string value from enumeration
276  int r = rs_http2_parse_frametype(str);
277  if (r >= 0) {
278  *ft = r;
279  return 1;
280  }
281 
282  return 0;
283 }
284 
285 /**
286  * \brief this function is used to attach the parsed http2.frametype data into the current signature
287  *
288  * \param de_ctx pointer to the Detection Engine Context
289  * \param s pointer to the Current Signature
290  * \param str pointer to the user provided http2.frametype options
291  *
292  * \retval 0 on Success
293  * \retval -1 on Failure
294  */
295 static int DetectHTTP2frametypeSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
296 {
297  uint8_t frame_type;
298 
300  return -1;
301 
302  if (!DetectHTTP2FuncParseFrameType(str, &frame_type)) {
304  "Invalid argument \"%s\" supplied to http2.frametype keyword.", str);
305  return -1;
306  }
307 
308  uint8_t *http2ft = SCCalloc(1, sizeof(uint8_t));
309  if (http2ft == NULL)
310  return -1;
311  *http2ft = frame_type;
312 
313  SigMatch *sm = SigMatchAlloc();
314  if (sm == NULL) {
315  DetectHTTP2frametypeFree(NULL, http2ft);
316  return -1;
317  }
318 
320  sm->ctx = (SigMatchCtx *)http2ft;
321 
322  SigMatchAppendSMToList(s, sm, g_http2_match_buffer_id);
323 
324  return 0;
325 }
326 
327 /**
328  * \brief this function will free memory associated with uint8_t
329  *
330  * \param ptr pointer to uint8_t
331  */
333 {
334  SCFree(ptr);
335 }
336 
337 /**
338  * \brief This function is used to match HTTP2 error code rule option on a transaction with those passed via http2.errorcode:
339  *
340  * \retval 0 no match
341  * \retval 1 match
342  */
343 static int DetectHTTP2errorcodeMatch(DetectEngineThreadCtx *det_ctx,
344  Flow *f, uint8_t flags, void *state, void *txv, const Signature *s,
345  const SigMatchCtx *ctx)
346 
347 {
348  uint32_t *detect = (uint32_t *)ctx;
349 
350  return rs_http2_tx_has_errorcode(txv, flags, *detect);
351  //TODOask handle negation rules
352 }
353 
354 static int DetectHTTP2FuncParseErrorCode(const char *str, uint32_t *ec)
355 {
356  // first parse numeric value
357  if (ByteExtractStringUint32(ec, 10, strlen(str), str) >= 0) {
358  return 1;
359  }
360 
361  // it it failed so far, parse string value from enumeration
362  int r = rs_http2_parse_errorcode(str);
363  if (r >= 0) {
364  *ec = r;
365  return 1;
366  }
367 
368  return 0;
369 }
370 
371 /**
372  * \brief this function is used to attach the parsed http2.errorcode data into the current signature
373  *
374  * \param de_ctx pointer to the Detection Engine Context
375  * \param s pointer to the Current Signature
376  * \param str pointer to the user provided http2.errorcode options
377  *
378  * \retval 0 on Success
379  * \retval -1 on Failure
380  */
381 static int DetectHTTP2errorcodeSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
382 {
383  uint32_t error_code;
384 
386  return -1;
387 
388  if (!DetectHTTP2FuncParseErrorCode(str, &error_code)) {
390  "Invalid argument \"%s\" supplied to http2.errorcode keyword.", str);
391  return -1;
392  }
393 
394  uint32_t *http2ec = SCCalloc(1, sizeof(uint32_t));
395  if (http2ec == NULL)
396  return -1;
397  *http2ec = error_code;
398 
399  SigMatch *sm = SigMatchAlloc();
400  if (sm == NULL) {
401  DetectHTTP2errorcodeFree(NULL, http2ec);
402  return -1;
403  }
404 
406  sm->ctx = (SigMatchCtx *)http2ec;
407 
408  SigMatchAppendSMToList(s, sm, g_http2_match_buffer_id);
409 
410  return 0;
411 }
412 
413 /**
414  * \brief this function will free memory associated with uint32_t
415  *
416  * \param ptr pointer to uint32_t
417  */
419 {
420  SCFree(ptr);
421 }
422 
423 /**
424  * \brief This function is used to match HTTP2 error code rule option on a transaction with those passed via http2.priority:
425  *
426  * \retval 0 no match
427  * \retval 1 match
428  */
429 static int DetectHTTP2priorityMatch(DetectEngineThreadCtx *det_ctx,
430  Flow *f, uint8_t flags, void *state, void *txv, const Signature *s,
431  const SigMatchCtx *ctx)
432 
433 {
434  uint32_t nb = 0;
435  int value = rs_http2_tx_get_next_priority(txv, flags, nb);
436  const DetectU8Data *du8 = (const DetectU8Data *)ctx;
437  while (value >= 0) {
438  if (DetectU8Match(value, du8)) {
439  return 1;
440  }
441  nb++;
442  value = rs_http2_tx_get_next_priority(txv, flags, nb);
443  }
444  return 0;
445 }
446 
447 /**
448  * \brief this function is used to attach the parsed http2.priority data into the current signature
449  *
450  * \param de_ctx pointer to the Detection Engine Context
451  * \param s pointer to the Current Signature
452  * \param str pointer to the user provided http2.priority options
453  *
454  * \retval 0 on Success
455  * \retval -1 on Failure
456  */
457 static int DetectHTTP2prioritySetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
458 {
460  return -1;
461 
462  DetectU8Data *prio = DetectU8Parse(str);
463  if (prio == NULL)
464  return -1;
465 
466  SigMatch *sm = SigMatchAlloc();
467  if (sm == NULL) {
468  SCFree(prio);
469  return -1;
470  }
471 
473  sm->ctx = (SigMatchCtx *)prio;
474 
475  SigMatchAppendSMToList(s, sm, g_http2_match_buffer_id);
476 
477  return 0;
478 }
479 
480 /**
481  * \brief this function will free memory associated with uint32_t
482  *
483  * \param ptr pointer to DetectU8Data
484  */
486 {
487  SCFree(ptr);
488 }
489 
490 /**
491  * \brief This function is used to match HTTP2 window rule option on a transaction with those passed via http2.window:
492  *
493  * \retval 0 no match
494  * \retval 1 match
495  */
496 static int DetectHTTP2windowMatch(DetectEngineThreadCtx *det_ctx,
497  Flow *f, uint8_t flags, void *state, void *txv, const Signature *s,
498  const SigMatchCtx *ctx)
499 
500 {
501  uint32_t nb = 0;
502  int value = rs_http2_tx_get_next_window(txv, flags, nb);
503  const DetectU32Data *du32 = (const DetectU32Data *)ctx;
504  while (value >= 0) {
505  if (DetectU32Match(value, du32)) {
506  return 1;
507  }
508  nb++;
509  value = rs_http2_tx_get_next_window(txv, flags, nb);
510  }
511  return 0;
512 }
513 
514 /**
515  * \brief this function is used to attach the parsed http2.window data into the current signature
516  *
517  * \param de_ctx pointer to the Detection Engine Context
518  * \param s pointer to the Current Signature
519  * \param str pointer to the user provided http2.window options
520  *
521  * \retval 0 on Success
522  * \retval -1 on Failure
523  */
524 static int DetectHTTP2windowSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
525 {
527  return -1;
528 
530  if (wu == NULL)
531  return -1;
532 
533  SigMatch *sm = SigMatchAlloc();
534  if (sm == NULL) {
535  SCFree(wu);
536  return -1;
537  }
538 
540  sm->ctx = (SigMatchCtx *)wu;
541 
542  SigMatchAppendSMToList(s, sm, g_http2_match_buffer_id);
543 
544  return 0;
545 }
546 
547 /**
548  * \brief this function will free memory associated with uint32_t
549  *
550  * \param ptr pointer to DetectU8Data
551  */
553 {
554  SCFree(ptr);
555 }
556 
557 /**
558  * \brief This function is used to match HTTP2 size update rule option on a transaction with those passed via http2.size_update:
559  *
560  * \retval 0 no match
561  * \retval 1 match
562  */
563 static int DetectHTTP2sizeUpdateMatch(DetectEngineThreadCtx *det_ctx,
564  Flow *f, uint8_t flags, void *state, void *txv, const Signature *s,
565  const SigMatchCtx *ctx)
566 
567 {
568  return rs_http2_detect_sizeupdatectx_match(ctx, txv, flags);
569 }
570 
571 /**
572  * \brief this function is used to attach the parsed http2.size_update data into the current signature
573  *
574  * \param de_ctx pointer to the Detection Engine Context
575  * \param s pointer to the Current Signature
576  * \param str pointer to the user provided http2.size_update options
577  *
578  * \retval 0 on Success
579  * \retval -1 on Failure
580  */
581 static int DetectHTTP2sizeUpdateSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
582 {
584  return -1;
585 
586  void *su = rs_detect_u64_parse(str);
587  if (su == NULL)
588  return -1;
589 
590  SigMatch *sm = SigMatchAlloc();
591  if (sm == NULL) {
592  DetectHTTP2settingsFree(NULL, su);
593  return -1;
594  }
595 
597  sm->ctx = (SigMatchCtx *)su;
598 
599  SigMatchAppendSMToList(s, sm, g_http2_match_buffer_id);
600 
601  return 0;
602 }
603 
604 /**
605  * \brief this function will free memory associated with uint32_t
606  *
607  * \param ptr pointer to DetectU8Data
608  */
610 {
611  rs_detect_u64_free(ptr);
612 }
613 
614 /**
615  * \brief This function is used to match HTTP2 error code rule option on a transaction with those passed via http2.settings:
616  *
617  * \retval 0 no match
618  * \retval 1 match
619  */
620 static int DetectHTTP2settingsMatch(DetectEngineThreadCtx *det_ctx,
621  Flow *f, uint8_t flags, void *state, void *txv, const Signature *s,
622  const SigMatchCtx *ctx)
623 
624 {
625  return rs_http2_detect_settingsctx_match(ctx, txv, flags);
626 }
627 
628 /**
629  * \brief this function is used to attach the parsed http2.settings data into the current signature
630  *
631  * \param de_ctx pointer to the Detection Engine Context
632  * \param s pointer to the Current Signature
633  * \param str pointer to the user provided http2.settings options
634  *
635  * \retval 0 on Success
636  * \retval -1 on Failure
637  */
638 static int DetectHTTP2settingsSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
639 {
641  return -1;
642 
643  void *http2set = rs_http2_detect_settingsctx_parse(str);
644  if (http2set == NULL)
645  return -1;
646 
647  SigMatch *sm = SigMatchAlloc();
648  if (sm == NULL) {
649  DetectHTTP2settingsFree(NULL, http2set);
650  return -1;
651  }
652 
654  sm->ctx = (SigMatchCtx *)http2set;
655 
656  SigMatchAppendSMToList(s, sm, g_http2_match_buffer_id);
657 
658  return 0;
659 }
660 
661 /**
662  * \brief this function will free memory associated with rust signature context
663  *
664  * \param ptr pointer to rust signature context
665  */
667 {
668  rs_http2_detect_settingsctx_free(ptr);
669 }
670 
671 static int DetectHTTP2headerNameSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
672 {
673  if (DetectBufferSetActiveList(s, g_http2_header_name_buffer_id) < 0)
674  return -1;
675 
677  return -1;
678 
679  return 0;
680 }
681 
682 static void PrefilterMpmHttp2HNameFree(void *ptr)
683 {
684  SCFree(ptr);
685 }
686 
687 static InspectionBuffer *GetHttp2HNameData(DetectEngineThreadCtx *det_ctx,
688  const uint8_t flags, const DetectEngineTransforms *transforms,
689  Flow *_f, const struct MpmListIdDataArgs *cbdata,
690  int list_id, bool first)
691 {
692  SCEnter();
693 
694  InspectionBuffer *buffer =
695  InspectionBufferMultipleForListGet(det_ctx, list_id, cbdata->local_id);
696  if (buffer == NULL)
697  return NULL;
698  if (!first && buffer->inspect != NULL)
699  return buffer;
700 
701  uint32_t b_len = 0;
702  const uint8_t *b = NULL;
703 
704  if (rs_http2_tx_get_header_name(cbdata->txv, flags, cbdata->local_id, &b, &b_len) != 1)
705  return NULL;
706  if (b == NULL || b_len == 0)
707  return NULL;
708 
709  InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len);
710  InspectionBufferApplyTransforms(buffer, transforms);
711 
712  SCReturnPtr(buffer, "InspectionBuffer");
713 }
714 
715 static void PrefilterTxHttp2HName(DetectEngineThreadCtx *det_ctx,
716  const void *pectx,
717  Packet *p, Flow *f, void *txv,
718  const uint64_t idx, const uint8_t flags)
719 {
720  SCEnter();
721 
722  const PrefilterMpmListId *ctx = (const PrefilterMpmListId *)pectx;
723  const MpmCtx *mpm_ctx = ctx->mpm_ctx;
724  const int list_id = ctx->list_id;
725 
726  uint32_t local_id = 0;
727 
728  while(1) {
729  // loop until we get a NULL
730 
731  struct MpmListIdDataArgs cbdata = { local_id, txv };
732  InspectionBuffer *buffer = GetHttp2HNameData(det_ctx, flags, ctx->transforms,
733  f, &cbdata, list_id, true);
734  if (buffer == NULL)
735  break;
736 
737  if (buffer->inspect_len >= mpm_ctx->minlen) {
738  (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
739  &det_ctx->mtcu, &det_ctx->pmq,
740  buffer->inspect, buffer->inspect_len);
741  }
742 
743  local_id++;
744  }
745 }
746 
747 static int PrefilterMpmHttp2HeaderNameRegister(DetectEngineCtx *de_ctx,
748  SigGroupHead *sgh, MpmCtx *mpm_ctx,
749  const DetectBufferMpmRegistery *mpm_reg, int list_id)
750 {
751  //TODOask use PrefilterMpmListId elsewhere
752  PrefilterMpmListId *pectx = SCCalloc(1, sizeof(*pectx));
753  if (pectx == NULL)
754  return -1;
755  pectx->list_id = list_id;
756  pectx->mpm_ctx = mpm_ctx;
757  pectx->transforms = &mpm_reg->transforms;
758 
759  return PrefilterAppendTxEngine(de_ctx, sgh, PrefilterTxHttp2HName,
760  mpm_reg->app_v2.alproto, mpm_reg->app_v2.tx_min_progress,
761  pectx, PrefilterMpmHttp2HNameFree, mpm_reg->name);
762 }
763 
764 static int DetectEngineInspectHttp2HeaderName(
766  const DetectEngineAppInspectionEngine *engine,
767  const Signature *s,
768  Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
769 {
770  uint32_t local_id = 0;
771 
772  const DetectEngineTransforms *transforms = NULL;
773  if (!engine->mpm) {
774  transforms = engine->v2.transforms;
775  }
776 
777  while (1) {
778  //TODOask use MpmListIdDataArgs elsewhere
779  struct MpmListIdDataArgs cbdata = { local_id, txv, };
780  InspectionBuffer *buffer = GetHttp2HNameData(det_ctx, flags,
781  transforms, f, &cbdata, engine->sm_list, false);
782 
783  if (buffer == NULL || buffer->inspect == NULL)
784  break;
785 
786  det_ctx->buffer_offset = 0;
787  det_ctx->discontinue_matching = 0;
788  det_ctx->inspection_recursion_counter = 0;
789 
790  const int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd,
791  NULL, f,
792  (uint8_t *)buffer->inspect,
793  buffer->inspect_len,
796  if (match == 1) {
798  }
799  local_id++;
800  }
801 
803 }
804 
805 static int DetectHTTP2headerSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
806 {
807  if (DetectBufferSetActiveList(s, g_http2_header_buffer_id) < 0)
808  return -1;
809 
811  return -1;
812 
813  return 0;
814 }
815 
816 static void PrefilterMpmHttp2HeaderFree(void *ptr)
817 {
818  SCFree(ptr);
819 }
820 
821 static InspectionBuffer *GetHttp2HeaderData(DetectEngineThreadCtx *det_ctx,
822  const uint8_t flags, const DetectEngineTransforms *transforms,
823  Flow *_f, const struct MpmListIdDataArgs *cbdata,
824  int list_id, bool first)
825 {
826  SCEnter();
827 
828  InspectionBuffer *buffer =
829  InspectionBufferMultipleForListGet(det_ctx, list_id, cbdata->local_id);
830  if (buffer == NULL)
831  return NULL;
832  if (!first && buffer->inspect != NULL)
833  return buffer;
834 
835  uint32_t b_len = 0;
836  const uint8_t *b = NULL;
837 
838  if (rs_http2_tx_get_header(cbdata->txv, flags, cbdata->local_id, &b, &b_len) != 1)
839  return NULL;
840  if (b == NULL || b_len == 0)
841  return NULL;
842 
843  InspectionBufferSetupMulti(buffer, transforms, b, b_len);
844 
845  SCReturnPtr(buffer, "InspectionBuffer");
846 }
847 
848 static void PrefilterTxHttp2Header(DetectEngineThreadCtx *det_ctx,
849  const void *pectx,
850  Packet *p, Flow *f, void *txv,
851  const uint64_t idx, const uint8_t flags)
852 {
853  SCEnter();
854 
855  const PrefilterMpmListId *ctx = (const PrefilterMpmListId *)pectx;
856  const MpmCtx *mpm_ctx = ctx->mpm_ctx;
857  const int list_id = ctx->list_id;
858 
859  uint32_t local_id = 0;
860 
861  while(1) {
862  // loop until we get a NULL
863 
864  struct MpmListIdDataArgs cbdata = { local_id, txv };
865  InspectionBuffer *buffer = GetHttp2HeaderData(det_ctx, flags, ctx->transforms,
866  f, &cbdata, list_id, true);
867  if (buffer == NULL)
868  break;
869 
870  if (buffer->inspect_len >= mpm_ctx->minlen) {
871  (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
872  &det_ctx->mtcu, &det_ctx->pmq,
873  buffer->inspect, buffer->inspect_len);
874  }
875 
876  local_id++;
877  }
878 }
879 
880 static int PrefilterMpmHttp2HeaderRegister(DetectEngineCtx *de_ctx,
881  SigGroupHead *sgh, MpmCtx *mpm_ctx,
882  const DetectBufferMpmRegistery *mpm_reg, int list_id)
883 {
884  PrefilterMpmListId *pectx = SCCalloc(1, sizeof(*pectx));
885  if (pectx == NULL)
886  return -1;
887  pectx->list_id = list_id;
888  pectx->mpm_ctx = mpm_ctx;
889  pectx->transforms = &mpm_reg->transforms;
890 
891  return PrefilterAppendTxEngine(de_ctx, sgh, PrefilterTxHttp2Header,
892  mpm_reg->app_v2.alproto, mpm_reg->app_v2.tx_min_progress,
893  pectx, PrefilterMpmHttp2HeaderFree, mpm_reg->name);
894 }
895 
896 static int DetectEngineInspectHttp2Header(
898  const DetectEngineAppInspectionEngine *engine,
899  const Signature *s,
900  Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
901 {
902  uint32_t local_id = 0;
903 
904  const DetectEngineTransforms *transforms = NULL;
905  if (!engine->mpm) {
906  transforms = engine->v2.transforms;
907  }
908 
909  while (1) {
910  struct MpmListIdDataArgs cbdata = { local_id, txv, };
911  InspectionBuffer *buffer = GetHttp2HeaderData(det_ctx, flags,
912  transforms, f, &cbdata, engine->sm_list, false);
913 
914  if (buffer == NULL || buffer->inspect == NULL)
915  break;
916 
917  det_ctx->buffer_offset = 0;
918  det_ctx->discontinue_matching = 0;
919  det_ctx->inspection_recursion_counter = 0;
920 
921  const int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd,
922  NULL, f,
923  (uint8_t *)buffer->inspect,
924  buffer->inspect_len,
927  if (match == 1) {
929  }
930  local_id++;
931  }
932 
934 }
935 
936 static bool DetectHttp2HeaderValidateCallback(const Signature *s, const char **sigerror)
937 {
938  const SigMatch *sm = s->init_data->smlists[g_http2_header_buffer_id];
939  for ( ; sm != NULL; sm = sm->next) {
940  if (sm->type != DETECT_CONTENT)
941  continue;
942  const DetectContentData *cd = (DetectContentData *)sm->ctx;
943  bool escaped = false;
944  bool namevaluesep = false;
945  for (size_t i = 0; i < cd->content_len; ++i) {
946  if (escaped) {
947  if (cd->content[i] == ' ') {
948  if (namevaluesep) {
949  *sigerror = "Invalid http2.header string : "
950  "': ' is a special sequence for separation between name and value "
951  " and thus can only be present once";
952  SCLogWarning(SC_WARN_POOR_RULE, "rule %u: %s", s->id, *sigerror);
953  return false;
954  }
955  namevaluesep = true;
956  } else if (cd->content[i] != ':') {
957  *sigerror = "Invalid http2.header string : "
958  "':' is an escaping character for itself, "
959  "or space for the separation between name and value";
960  SCLogWarning(SC_WARN_POOR_RULE, "rule %u: %s", s->id, *sigerror);
961  return false;
962  }
963  escaped = false;
964  } else if(cd->content[i] == ':') {
965  escaped = true;
966  }
967  }
968  if (escaped) {
969  *sigerror = "Invalid http2.header string : "
970  "':' is an escaping character for itself, "
971  "or space for the separation between name and value";
972  SCLogWarning(SC_WARN_POOR_RULE, "rule %u: %s", s->id, *sigerror);
973  return false;
974  }
975  }
976  return true;
977 }
978 
979 #ifdef UNITTESTS
980 #include "tests/detect-http2.c"
981 #endif
util-byte.h
detect-engine-uint.h
DetectEngineAppInspectionEngine_
Definition: detect.h:397
SigTableElmt_::url
const char * url
Definition: detect.h:1204
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1489
DetectEngineAppInspectionEngine_::mpm
bool mpm
Definition: detect.h:401
MpmCtx_::mpm_type
uint8_t mpm_type
Definition: util-mpm.h:90
DetectEngineThreadCtx_::buffer_offset
uint32_t buffer_offset
Definition: detect.h:1031
detect-engine.h
SIGMATCH_INFO_STICKY_BUFFER
#define SIGMATCH_INFO_STICKY_BUFFER
Definition: detect.h:1397
DetectHTTP2priorityRegisterTests
void DetectHTTP2priorityRegisterTests(void)
Definition: detect-http2.c:90
SigTableElmt_::desc
const char * desc
Definition: detect.h:1203
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1191
DetectEngineInspectGenericList
int DetectEngineInspectGenericList(const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, const uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1575
SigTableElmt_::name
const char * name
Definition: detect.h:1201
MpmListIdDataArgs
Definition: detect-engine-mpm.h:127
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1346
DetectEngineTransforms
Definition: detect.h:378
DetectHTTP2RegisterTests
void DetectHTTP2RegisterTests(void)
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:60
DetectBufferMpmRegistery_::transforms
DetectEngineTransforms transforms
Definition: detect.h:615
InspectionBuffer
Definition: detect.h:344
Flow_
Flow data structure.
Definition: flow.h:353
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1101
DETECT_HTTP2_SETTINGS
@ DETECT_HTTP2_SETTINGS
Definition: detect-engine-register.h:181
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1195
DETECT_HTTP2_HEADER
@ DETECT_HTTP2_HEADER
Definition: detect-engine-register.h:183
DetectHTTP2priorityFree
void DetectHTTP2priorityFree(DetectEngineCtx *, void *)
this function will free memory associated with uint32_t
Definition: detect-http2.c:485
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:758
MpmListIdDataArgs::local_id
uint32_t local_id
Definition: detect-engine-mpm.h:128
SC_ERR_INVALID_SIGNATURE
@ SC_ERR_INVALID_SIGNATURE
Definition: util-error.h:69
DETECT_HTTP2_SIZEUPDATE
@ DETECT_HTTP2_SIZEUPDATE
Definition: detect-engine-register.h:180
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1172
rust.h
MpmListIdDataArgs::txv
void * txv
Definition: detect-engine-mpm.h:129
DetectBufferMpmRegistery_
one time registration of keywords at start up
Definition: detect.h:601
DetectHTTP2sizeUpdateFree
void DetectHTTP2sizeUpdateFree(DetectEngineCtx *, void *)
this function will free memory associated with uint32_t
Definition: detect-http2.c:609
DETECT_HTTP2_HEADERNAME
@ DETECT_HTTP2_HEADERNAME
Definition: detect-engine-register.h:182
DetectU32Parse
DetectU32Data * DetectU32Parse(const char *u32str)
This function is used to parse u32 options passed via some u32 keyword.
Definition: detect-engine-uint.c:115
DetectContentData_
Definition: detect-content.h:86
DetectEngineContentInspection
int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer, uint32_t buffer_len, uint32_t stream_start_offset, uint8_t flags, uint8_t inspection_mode)
Run the actual payload match functions.
Definition: detect-engine-content-inspection.c:102
DetectU8Match
int DetectU8Match(const uint8_t parg, const DetectU8Data *du8)
Definition: detect-engine-uint.c:294
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:237
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1186
detect-engine-prefilter.h
DetectEngineThreadCtx_::mtcu
MpmThreadCtx mtcu
Definition: detect.h:1099
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:829
DetectU8Data_
Definition: detect-engine-uint.h:52
SC_WARN_POOR_RULE
@ SC_WARN_POOR_RULE
Definition: util-error.h:309
DetectEngineAppInspectionEngine_::sm_list
uint16_t sm_list
Definition: detect.h:403
PrefilterMpmListId
Definition: detect-engine-mpm.h:121
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:236
DetectU32Match
int DetectU32Match(const uint32_t parg, const DetectU32Data *du32)
Definition: detect-engine-uint.c:39
DetectBufferTypeRegisterValidateCallback
void DetectBufferTypeRegisterValidateCallback(const char *name, bool(*ValidateCallback)(const Signature *, const char **sigerror))
Definition: detect-engine.c:921
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
detect-http2.h
DetectEngineThreadCtx_
Definition: detect.h:1003
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
detect-engine-mpm.h
detect.h
DetectHTTP2sizeUpdateRegisterTests
void DetectHTTP2sizeUpdateRegisterTests(void)
Definition: detect-http2.c:158
DETECT_ENGINE_INSPECT_SIG_MATCH
#define DETECT_ENGINE_INSPECT_SIG_MATCH
Definition: detect-engine-state.h:39
DetectHTTP2settingsFree
void DetectHTTP2settingsFree(DetectEngineCtx *, void *)
this function will free memory associated with rust signature context
Definition: detect-http2.c:666
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:324
InspectionBuffer::inspect_offset
uint64_t inspect_offset
Definition: detect.h:346
PrefilterMpmListId::transforms
const DetectEngineTransforms * transforms
Definition: detect-engine-mpm.h:124
MpmCtx_::minlen
uint16_t minlen
Definition: util-mpm.h:99
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:323
DetectHTTP2settingsRegisterTests
void DetectHTTP2settingsRegisterTests(void)
Definition: detect-http2.c:135
DetectBufferMpmRegistery_::name
const char * name
Definition: detect.h:602
PrefilterMpmListId::mpm_ctx
const MpmCtx * mpm_ctx
Definition: detect-engine-mpm.h:123
Packet_
Definition: decode.h:414
DetectAppLayerInspectEngineRegister2
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
Definition: detect-engine.c:174
ByteExtractStringUint32
int ByteExtractStringUint32(uint32_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:239
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:587
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:316
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1169
SignatureInitData_::smlists
struct SigMatch_ ** smlists
Definition: detect.h:511
ALPROTO_HTTP2
@ ALPROTO_HTTP2
Definition: app-layer-protos.h:59
DetectHTTP2windowRegisterTests
void DetectHTTP2windowRegisterTests(void)
Definition: detect-http2.c:112
MpmTableElmt_::Search
uint32_t(* Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t)
Definition: util-mpm.h:165
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
DetectBufferMpmRegistery_::app_v2
struct DetectBufferMpmRegistery_::@85::@87 app_v2
SigMatch_::type
uint8_t type
Definition: detect.h:321
detect-engine-content-inspection.h
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:315
DetectEngineThreadCtx_::discontinue_matching
uint16_t discontinue_matching
Definition: detect.h:1066
DetectEngineAppInspectionEngine_::smd
SigMatchData * smd
Definition: detect.h:414
DetectAppLayerMpmRegister2
void DetectAppLayerMpmRegister2(const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id), InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register a MPM engine
Definition: detect-engine-mpm.c:89
DETECT_CI_FLAGS_SINGLE
#define DETECT_CI_FLAGS_SINGLE
Definition: detect-engine-content-inspection.h:46
DetectBufferTypeRegister
int DetectBufferTypeRegister(const char *name)
Definition: detect-engine.c:785
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
DetectHTTP2windowFree
void DetectHTTP2windowFree(DetectEngineCtx *, void *)
this function will free memory associated with uint32_t
Definition: detect-http2.c:552
DETECT_HTTP2_ERRORCODE
@ DETECT_HTTP2_ERRORCODE
Definition: detect-engine-register.h:177
InspectionBufferApplyTransforms
void InspectionBufferApplyTransforms(InspectionBuffer *buffer, const DetectEngineTransforms *transforms)
Definition: detect-engine.c:1193
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectEngineThreadCtx_::inspection_recursion_counter
int inspection_recursion_counter
Definition: detect.h:1078
DetectContentData_::content
uint8_t * content
Definition: detect-content.h:87
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
DetectHttp2Register
void DetectHttp2Register(void)
Registration function for HTTP2 keywords.
Definition: detect-http2.c:126
InspectionBufferSetupMulti
void InspectionBufferSetupMulti(InspectionBuffer *buffer, const DetectEngineTransforms *transforms, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine.c:1077
DETECT_ENGINE_INSPECT_SIG_NO_MATCH
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
Definition: detect-engine-state.h:38
InspectionBuffer::inspect_len
uint32_t inspect_len
Definition: detect.h:347
DetectEngineAppInspectionEngine_::v2
struct DetectEngineAppInspectionEngine_::@83 v2
ByteExtractStringUint8
int ByteExtractStringUint8(uint8_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:285
InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect.h:345
str
#define str(s)
Definition: suricata-common.h:272
DetectU32Data_
Definition: detect-engine-uint.h:38
DetectHTTP2errorCodeRegisterTests
void DetectHTTP2errorCodeRegisterTests(void)
Definition: detect-http2.c:68
SCLogWarning
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
Definition: util-debug.h:244
InspectionBufferSetup
void InspectionBufferSetup(DetectEngineThreadCtx *det_ctx, const int list_id, InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine.c:1091
DetectU8Parse
DetectU8Data * DetectU8Parse(const char *u8str)
This function is used to parse u8 options passed via some u8 keyword.
Definition: detect-engine-uint.c:370
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Signature_::id
uint32_t id
Definition: detect.h:551
DETECT_HTTP2_WINDOW
@ DETECT_HTTP2_WINDOW
Definition: detect-engine-register.h:179
detect-parse.h
Signature_
Signature container.
Definition: detect.h:517
SigMatch_
a single match condition for a signature
Definition: detect.h:320
PrefilterAppendTxEngine
int PrefilterAppendTxEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, void(*PrefilterTxFunc)(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, Flow *f, void *tx, const uint64_t idx, const uint8_t flags), AppProto alproto, int tx_min_progress, void *pectx, void(*FreeFunc)(void *pectx), const char *name)
Definition: detect-engine-prefilter.c:259
DetectEngineAppInspectionEngine_::transforms
const DetectEngineTransforms * transforms
Definition: detect.h:411
PrefilterMpmListId::list_id
int list_id
Definition: detect-engine-mpm.h:122
mpm_table
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
Definition: util-mpm.c:48
DETECT_HTTP2_PRIORITY
@ DETECT_HTTP2_PRIORITY
Definition: detect-engine-register.h:178
detect-http2.c
DetectContentData_::content_len
uint16_t content_len
Definition: detect-content.h:88
InspectionBufferMultipleForListGet
InspectionBuffer * InspectionBufferMultipleForListGet(DetectEngineThreadCtx *det_ctx, const int list_id, const uint32_t local_id)
for a InspectionBufferMultipleForList get a InspectionBuffer
Definition: detect-engine.c:1030
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
Definition: detect-engine-content-inspection.h:35
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1373
DetectBufferSetActiveList
int DetectBufferSetActiveList(Signature *s, const int list)
Definition: detect-engine.c:941
DetectBufferTypeSetDescriptionByName
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
Definition: detect-engine.c:857
DetectHTTP2frameTypeRegisterTests
void DetectHTTP2frameTypeRegisterTests(void)
this function registers unit tests for DetectHTTP2frameType
Definition: detect-http2.c:46
DetectHTTP2errorcodeFree
void DetectHTTP2errorcodeFree(DetectEngineCtx *, void *)
this function will free memory associated with uint32_t
Definition: detect-http2.c:418
MpmCtx_
Definition: util-mpm.h:88
DetectHTTP2frametypeFree
void DetectHTTP2frametypeFree(DetectEngineCtx *, void *)
this function will free memory associated with uint8_t
Definition: detect-http2.c:332
DetectUintRegister
void DetectUintRegister(void)
Definition: detect-engine-uint.c:284
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
DETECT_HTTP2_FRAMETYPE
@ DETECT_HTTP2_FRAMETYPE
Definition: detect-engine-register.h:176
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1193