suricata
detect-http2.c
Go to the documentation of this file.
1 /* Copyright (C) 2020-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Philippe Antoine <p.antoine@catenacyber.fr>
22  *
23  */
24 
25 #include "suricata-common.h"
26 
27 #include "detect.h"
28 #include "detect-parse.h"
29 #include "detect-content.h"
30 
31 #include "detect-engine.h"
32 #include "detect-engine-uint.h"
33 #include "detect-engine-mpm.h"
36 
37 #include "detect-http2.h"
38 #include "util-byte.h"
39 #include "rust.h"
40 #include "util-profiling.h"
41 
42 #ifdef UNITTESTS
49 #endif
50 
51 /* prototypes */
52 static int DetectHTTP2frametypeMatch(DetectEngineThreadCtx *det_ctx,
53  Flow *f, uint8_t flags, void *state, void *txv, const Signature *s,
54  const SigMatchCtx *ctx);
55 static int DetectHTTP2frametypeSetup (DetectEngineCtx *, Signature *, const char *);
57 
58 static int DetectHTTP2errorcodeMatch(DetectEngineThreadCtx *det_ctx,
59  Flow *f, uint8_t flags, void *state, void *txv, const Signature *s,
60  const SigMatchCtx *ctx);
61 static int DetectHTTP2errorcodeSetup (DetectEngineCtx *, Signature *, const char *);
63 
64 static int DetectHTTP2priorityMatch(DetectEngineThreadCtx *det_ctx,
65  Flow *f, uint8_t flags, void *state, void *txv, const Signature *s,
66  const SigMatchCtx *ctx);
67 static int DetectHTTP2prioritySetup (DetectEngineCtx *, Signature *, const char *);
69 
70 static int DetectHTTP2windowMatch(DetectEngineThreadCtx *det_ctx,
71  Flow *f, uint8_t flags, void *state, void *txv, const Signature *s,
72  const SigMatchCtx *ctx);
73 static int DetectHTTP2windowSetup (DetectEngineCtx *, Signature *, const char *);
74 void DetectHTTP2windowFree (DetectEngineCtx *, void *);
75 
76 static int DetectHTTP2sizeUpdateMatch(DetectEngineThreadCtx *det_ctx,
77  Flow *f, uint8_t flags, void *state, void *txv, const Signature *s,
78  const SigMatchCtx *ctx);
79 static int DetectHTTP2sizeUpdateSetup (DetectEngineCtx *, Signature *, const char *);
81 
82 static int DetectHTTP2settingsMatch(DetectEngineThreadCtx *det_ctx,
83  Flow *f, uint8_t flags, void *state, void *txv, const Signature *s,
84  const SigMatchCtx *ctx);
85 static int DetectHTTP2settingsSetup (DetectEngineCtx *, Signature *, const char *);
87 
88 static int DetectHTTP2headerNameSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg);
89 static int PrefilterMpmHttp2HeaderNameRegister(DetectEngineCtx *de_ctx,
90  SigGroupHead *sgh, MpmCtx *mpm_ctx,
91  const DetectBufferMpmRegistery *mpm_reg, int list_id);
92 static uint8_t DetectEngineInspectHttp2HeaderName(DetectEngineCtx *de_ctx,
94  const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id);
95 
96 static int DetectHTTP2headerSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg);
97 static int PrefilterMpmHttp2HeaderRegister(DetectEngineCtx *de_ctx,
98  SigGroupHead *sgh, MpmCtx *mpm_ctx,
99  const DetectBufferMpmRegistery *mpm_reg, int list_id);
100 static uint8_t DetectEngineInspectHttp2Header(DetectEngineCtx *de_ctx,
102  const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id);
103 static bool DetectHttp2HeaderValidateCallback(const Signature *s, const char **sigerror);
104 
105 #ifdef UNITTESTS
107 #endif
108 
109 static int g_http2_match_buffer_id = 0;
110 static int g_http2_header_name_buffer_id = 0;
111 static int g_http2_header_buffer_id = 0;
112 
113 
114 /**
115  * \brief Registration function for HTTP2 keywords
116  */
117 
119 {
120  sigmatch_table[DETECT_HTTP2_FRAMETYPE].name = "http2.frametype";
121  sigmatch_table[DETECT_HTTP2_FRAMETYPE].desc = "match on HTTP2 frame type field";
122  sigmatch_table[DETECT_HTTP2_FRAMETYPE].url = "/rules/http2-keywords.html#frametype";
124  sigmatch_table[DETECT_HTTP2_FRAMETYPE].AppLayerTxMatch = DetectHTTP2frametypeMatch;
125  sigmatch_table[DETECT_HTTP2_FRAMETYPE].Setup = DetectHTTP2frametypeSetup;
127 #ifdef UNITTESTS
129 #endif
130 
131  sigmatch_table[DETECT_HTTP2_ERRORCODE].name = "http2.errorcode";
132  sigmatch_table[DETECT_HTTP2_ERRORCODE].desc = "match on HTTP2 error code field";
133  sigmatch_table[DETECT_HTTP2_ERRORCODE].url = "/rules/http2-keywords.html#errorcode";
135  sigmatch_table[DETECT_HTTP2_ERRORCODE].AppLayerTxMatch = DetectHTTP2errorcodeMatch;
136  sigmatch_table[DETECT_HTTP2_ERRORCODE].Setup = DetectHTTP2errorcodeSetup;
138 #ifdef UNITTESTS
140 #endif
141 
142  sigmatch_table[DETECT_HTTP2_PRIORITY].name = "http2.priority";
143  sigmatch_table[DETECT_HTTP2_PRIORITY].desc = "match on HTTP2 priority weight field";
144  sigmatch_table[DETECT_HTTP2_PRIORITY].url = "/rules/http2-keywords.html#priority";
146  sigmatch_table[DETECT_HTTP2_PRIORITY].AppLayerTxMatch = DetectHTTP2priorityMatch;
147  sigmatch_table[DETECT_HTTP2_PRIORITY].Setup = DetectHTTP2prioritySetup;
149 #ifdef UNITTESTS
151 #endif
152 
153  sigmatch_table[DETECT_HTTP2_WINDOW].name = "http2.window";
154  sigmatch_table[DETECT_HTTP2_WINDOW].desc = "match on HTTP2 window update size increment field";
155  sigmatch_table[DETECT_HTTP2_WINDOW].url = "/rules/http2-keywords.html#window";
157  sigmatch_table[DETECT_HTTP2_WINDOW].AppLayerTxMatch = DetectHTTP2windowMatch;
158  sigmatch_table[DETECT_HTTP2_WINDOW].Setup = DetectHTTP2windowSetup;
160 #ifdef UNITTESTS
162 #endif
163 
164  sigmatch_table[DETECT_HTTP2_SIZEUPDATE].name = "http2.size_update";
165  sigmatch_table[DETECT_HTTP2_SIZEUPDATE].desc = "match on HTTP2 dynamic headers table size update";
166  sigmatch_table[DETECT_HTTP2_SIZEUPDATE].url = "/rules/http2-keywords.html#sizeupdate";
168  sigmatch_table[DETECT_HTTP2_SIZEUPDATE].AppLayerTxMatch = DetectHTTP2sizeUpdateMatch;
169  sigmatch_table[DETECT_HTTP2_SIZEUPDATE].Setup = DetectHTTP2sizeUpdateSetup;
171 #ifdef UNITTESTS
173 #endif
174 
175  sigmatch_table[DETECT_HTTP2_SETTINGS].name = "http2.settings";
176  sigmatch_table[DETECT_HTTP2_SETTINGS].desc = "match on HTTP2 settings identifier and value fields";
177  sigmatch_table[DETECT_HTTP2_SETTINGS].url = "/rules/http2-keywords.html#settings";
179  sigmatch_table[DETECT_HTTP2_SETTINGS].AppLayerTxMatch = DetectHTTP2settingsMatch;
180  sigmatch_table[DETECT_HTTP2_SETTINGS].Setup = DetectHTTP2settingsSetup;
182 #ifdef UNITTESTS
184 #endif
185 
186  sigmatch_table[DETECT_HTTP2_HEADERNAME].name = "http2.header_name";
187  sigmatch_table[DETECT_HTTP2_HEADERNAME].desc = "sticky buffer to match on one HTTP2 header name";
188  sigmatch_table[DETECT_HTTP2_HEADERNAME].url = "/rules/http2-keywords.html#header_name";
189  sigmatch_table[DETECT_HTTP2_HEADERNAME].Setup = DetectHTTP2headerNameSetup;
191 
192  DetectAppLayerMpmRegister2("http2_header_name", SIG_FLAG_TOCLIENT, 2,
193  PrefilterMpmHttp2HeaderNameRegister, NULL,
194  ALPROTO_HTTP2, HTTP2StateOpen);
195  DetectAppLayerInspectEngineRegister2("http2_header_name",
196  ALPROTO_HTTP2, SIG_FLAG_TOCLIENT, HTTP2StateOpen,
197  DetectEngineInspectHttp2HeaderName, NULL);
198  DetectAppLayerMpmRegister2("http2_header_name", SIG_FLAG_TOSERVER, 2,
199  PrefilterMpmHttp2HeaderNameRegister, NULL,
200  ALPROTO_HTTP2, HTTP2StateOpen);
201  DetectAppLayerInspectEngineRegister2("http2_header_name",
202  ALPROTO_HTTP2, SIG_FLAG_TOSERVER, HTTP2StateOpen,
203  DetectEngineInspectHttp2HeaderName, NULL);
204 
205  DetectBufferTypeSetDescriptionByName("http2_header_name",
206  "HTTP2 header name");
207  g_http2_header_name_buffer_id = DetectBufferTypeGetByName("http2_header_name");
208 
209  sigmatch_table[DETECT_HTTP2_HEADER].name = "http2.header";
210  sigmatch_table[DETECT_HTTP2_HEADER].desc = "sticky buffer to match on one HTTP2 header name and value";
211  sigmatch_table[DETECT_HTTP2_HEADER].url = "/rules/http2-keywords.html#header";
212  sigmatch_table[DETECT_HTTP2_HEADER].Setup = DetectHTTP2headerSetup;
214 
216  PrefilterMpmHttp2HeaderRegister, NULL,
217  ALPROTO_HTTP2, HTTP2StateOpen);
219  ALPROTO_HTTP2, SIG_FLAG_TOCLIENT, HTTP2StateOpen,
220  DetectEngineInspectHttp2Header, NULL);
222  PrefilterMpmHttp2HeaderRegister, NULL,
223  ALPROTO_HTTP2, HTTP2StateOpen);
225  ALPROTO_HTTP2, SIG_FLAG_TOSERVER, HTTP2StateOpen,
226  DetectEngineInspectHttp2Header, NULL);
227 
229  "HTTP2 header name and value");
230  DetectBufferTypeRegisterValidateCallback("http2_header", DetectHttp2HeaderValidateCallback);
231  g_http2_header_buffer_id = DetectBufferTypeGetByName("http2_header");
232 
237 
238  g_http2_match_buffer_id = DetectBufferTypeRegister("http2");
239  return;
240 }
241 
242 /**
243  * \brief This function is used to match HTTP2 frame type rule option on a transaction with those passed via http2.frametype:
244  *
245  * \retval 0 no match
246  * \retval 1 match
247  */
248 static int DetectHTTP2frametypeMatch(DetectEngineThreadCtx *det_ctx,
249  Flow *f, uint8_t flags, void *state, void *txv, const Signature *s,
250  const SigMatchCtx *ctx)
251 
252 {
253  uint8_t *detect = (uint8_t *)ctx;
254 
255  return rs_http2_tx_has_frametype(txv, flags, *detect);
256 }
257 
258 static int DetectHTTP2FuncParseFrameType(const char *str, uint8_t *ft)
259 {
260  // first parse numeric value
261  if (ByteExtractStringUint8(ft, 10, (uint16_t)strlen(str), str) >= 0) {
262  return 1;
263  }
264 
265  // it it failed so far, parse string value from enumeration
266  int r = rs_http2_parse_frametype(str);
267  if (r >= 0 && r <= UINT8_MAX) {
268  *ft = (uint8_t)r;
269  return 1;
270  }
271 
272  return 0;
273 }
274 
275 /**
276  * \brief this function is used to attach the parsed http2.frametype data into the current signature
277  *
278  * \param de_ctx pointer to the Detection Engine Context
279  * \param s pointer to the Current Signature
280  * \param str pointer to the user provided http2.frametype options
281  *
282  * \retval 0 on Success
283  * \retval -1 on Failure
284  */
285 static int DetectHTTP2frametypeSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
286 {
287  uint8_t frame_type;
288 
290  return -1;
291 
292  if (!DetectHTTP2FuncParseFrameType(str, &frame_type)) {
293  SCLogError("Invalid argument \"%s\" supplied to http2.frametype keyword.", str);
294  return -1;
295  }
296 
297  uint8_t *http2ft = SCCalloc(1, sizeof(uint8_t));
298  if (http2ft == NULL)
299  return -1;
300  *http2ft = frame_type;
301 
302  SigMatch *sm = SigMatchAlloc();
303  if (sm == NULL) {
304  DetectHTTP2frametypeFree(NULL, http2ft);
305  return -1;
306  }
307 
309  sm->ctx = (SigMatchCtx *)http2ft;
310 
311  SigMatchAppendSMToList(s, sm, g_http2_match_buffer_id);
312 
313  return 0;
314 }
315 
316 /**
317  * \brief this function will free memory associated with uint8_t
318  *
319  * \param ptr pointer to uint8_t
320  */
322 {
323  SCFree(ptr);
324 }
325 
326 /**
327  * \brief This function is used to match HTTP2 error code rule option on a transaction with those passed via http2.errorcode:
328  *
329  * \retval 0 no match
330  * \retval 1 match
331  */
332 static int DetectHTTP2errorcodeMatch(DetectEngineThreadCtx *det_ctx,
333  Flow *f, uint8_t flags, void *state, void *txv, const Signature *s,
334  const SigMatchCtx *ctx)
335 
336 {
337  uint32_t *detect = (uint32_t *)ctx;
338 
339  return rs_http2_tx_has_errorcode(txv, flags, *detect);
340  //TODOask handle negation rules
341 }
342 
343 static int DetectHTTP2FuncParseErrorCode(const char *str, uint32_t *ec)
344 {
345  // first parse numeric value
346  if (ByteExtractStringUint32(ec, 10, (uint16_t)strlen(str), str) >= 0) {
347  return 1;
348  }
349 
350  // it it failed so far, parse string value from enumeration
351  int r = rs_http2_parse_errorcode(str);
352  if (r >= 0) {
353  *ec = r;
354  return 1;
355  }
356 
357  return 0;
358 }
359 
360 /**
361  * \brief this function is used to attach the parsed http2.errorcode data into the current signature
362  *
363  * \param de_ctx pointer to the Detection Engine Context
364  * \param s pointer to the Current Signature
365  * \param str pointer to the user provided http2.errorcode options
366  *
367  * \retval 0 on Success
368  * \retval -1 on Failure
369  */
370 static int DetectHTTP2errorcodeSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
371 {
372  uint32_t error_code;
373 
375  return -1;
376 
377  if (!DetectHTTP2FuncParseErrorCode(str, &error_code)) {
378  SCLogError("Invalid argument \"%s\" supplied to http2.errorcode keyword.", str);
379  return -1;
380  }
381 
382  uint32_t *http2ec = SCCalloc(1, sizeof(uint32_t));
383  if (http2ec == NULL)
384  return -1;
385  *http2ec = error_code;
386 
387  SigMatch *sm = SigMatchAlloc();
388  if (sm == NULL) {
389  DetectHTTP2errorcodeFree(NULL, http2ec);
390  return -1;
391  }
392 
394  sm->ctx = (SigMatchCtx *)http2ec;
395 
396  SigMatchAppendSMToList(s, sm, g_http2_match_buffer_id);
397 
398  return 0;
399 }
400 
401 /**
402  * \brief this function will free memory associated with uint32_t
403  *
404  * \param ptr pointer to uint32_t
405  */
407 {
408  SCFree(ptr);
409 }
410 
411 /**
412  * \brief This function is used to match HTTP2 error code rule option on a transaction with those passed via http2.priority:
413  *
414  * \retval 0 no match
415  * \retval 1 match
416  */
417 static int DetectHTTP2priorityMatch(DetectEngineThreadCtx *det_ctx,
418  Flow *f, uint8_t flags, void *state, void *txv, const Signature *s,
419  const SigMatchCtx *ctx)
420 
421 {
422  uint32_t nb = 0;
423  int value = rs_http2_tx_get_next_priority(txv, flags, nb);
424  const DetectU8Data *du8 = (const DetectU8Data *)ctx;
425  while (value >= 0) {
426  if (DetectU8Match((uint8_t)value, du8)) {
427  return 1;
428  }
429  nb++;
430  value = rs_http2_tx_get_next_priority(txv, flags, nb);
431  }
432  return 0;
433 }
434 
435 /**
436  * \brief this function is used to attach the parsed http2.priority data into the current signature
437  *
438  * \param de_ctx pointer to the Detection Engine Context
439  * \param s pointer to the Current Signature
440  * \param str pointer to the user provided http2.priority options
441  *
442  * \retval 0 on Success
443  * \retval -1 on Failure
444  */
445 static int DetectHTTP2prioritySetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
446 {
448  return -1;
449 
450  DetectU8Data *prio = DetectU8Parse(str);
451  if (prio == NULL)
452  return -1;
453 
454  SigMatch *sm = SigMatchAlloc();
455  if (sm == NULL) {
456  rs_detect_u8_free(prio);
457  return -1;
458  }
459 
461  sm->ctx = (SigMatchCtx *)prio;
462 
463  SigMatchAppendSMToList(s, sm, g_http2_match_buffer_id);
464 
465  return 0;
466 }
467 
468 /**
469  * \brief this function will free memory associated with uint32_t
470  *
471  * \param ptr pointer to DetectU8Data
472  */
474 {
475  rs_detect_u8_free(ptr);
476 }
477 
478 /**
479  * \brief This function is used to match HTTP2 window rule option on a transaction with those passed via http2.window:
480  *
481  * \retval 0 no match
482  * \retval 1 match
483  */
484 static int DetectHTTP2windowMatch(DetectEngineThreadCtx *det_ctx,
485  Flow *f, uint8_t flags, void *state, void *txv, const Signature *s,
486  const SigMatchCtx *ctx)
487 
488 {
489  uint32_t nb = 0;
490  int value = rs_http2_tx_get_next_window(txv, flags, nb);
491  const DetectU32Data *du32 = (const DetectU32Data *)ctx;
492  while (value >= 0) {
493  if (DetectU32Match(value, du32)) {
494  return 1;
495  }
496  nb++;
497  value = rs_http2_tx_get_next_window(txv, flags, nb);
498  }
499  return 0;
500 }
501 
502 /**
503  * \brief this function is used to attach the parsed http2.window data into the current signature
504  *
505  * \param de_ctx pointer to the Detection Engine Context
506  * \param s pointer to the Current Signature
507  * \param str pointer to the user provided http2.window options
508  *
509  * \retval 0 on Success
510  * \retval -1 on Failure
511  */
512 static int DetectHTTP2windowSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
513 {
515  return -1;
516 
518  if (wu == NULL)
519  return -1;
520 
521  SigMatch *sm = SigMatchAlloc();
522  if (sm == NULL) {
523  rs_detect_u32_free(wu);
524  return -1;
525  }
526 
528  sm->ctx = (SigMatchCtx *)wu;
529 
530  SigMatchAppendSMToList(s, sm, g_http2_match_buffer_id);
531 
532  return 0;
533 }
534 
535 /**
536  * \brief this function will free memory associated with uint32_t
537  *
538  * \param ptr pointer to DetectU8Data
539  */
541 {
542  rs_detect_u32_free(ptr);
543 }
544 
545 /**
546  * \brief This function is used to match HTTP2 size update rule option on a transaction with those passed via http2.size_update:
547  *
548  * \retval 0 no match
549  * \retval 1 match
550  */
551 static int DetectHTTP2sizeUpdateMatch(DetectEngineThreadCtx *det_ctx,
552  Flow *f, uint8_t flags, void *state, void *txv, const Signature *s,
553  const SigMatchCtx *ctx)
554 
555 {
556  return rs_http2_detect_sizeupdatectx_match(ctx, txv, flags);
557 }
558 
559 /**
560  * \brief this function is used to attach the parsed http2.size_update data into the current signature
561  *
562  * \param de_ctx pointer to the Detection Engine Context
563  * \param s pointer to the Current Signature
564  * \param str pointer to the user provided http2.size_update options
565  *
566  * \retval 0 on Success
567  * \retval -1 on Failure
568  */
569 static int DetectHTTP2sizeUpdateSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
570 {
572  return -1;
573 
574  void *su = rs_detect_u64_parse(str);
575  if (su == NULL)
576  return -1;
577 
578  SigMatch *sm = SigMatchAlloc();
579  if (sm == NULL) {
580  DetectHTTP2settingsFree(NULL, su);
581  return -1;
582  }
583 
585  sm->ctx = (SigMatchCtx *)su;
586 
587  SigMatchAppendSMToList(s, sm, g_http2_match_buffer_id);
588 
589  return 0;
590 }
591 
592 /**
593  * \brief this function will free memory associated with uint32_t
594  *
595  * \param ptr pointer to DetectU8Data
596  */
598 {
599  rs_detect_u64_free(ptr);
600 }
601 
602 /**
603  * \brief This function is used to match HTTP2 error code rule option on a transaction with those passed via http2.settings:
604  *
605  * \retval 0 no match
606  * \retval 1 match
607  */
608 static int DetectHTTP2settingsMatch(DetectEngineThreadCtx *det_ctx,
609  Flow *f, uint8_t flags, void *state, void *txv, const Signature *s,
610  const SigMatchCtx *ctx)
611 
612 {
613  return rs_http2_detect_settingsctx_match(ctx, txv, flags);
614 }
615 
616 /**
617  * \brief this function is used to attach the parsed http2.settings data into the current signature
618  *
619  * \param de_ctx pointer to the Detection Engine Context
620  * \param s pointer to the Current Signature
621  * \param str pointer to the user provided http2.settings options
622  *
623  * \retval 0 on Success
624  * \retval -1 on Failure
625  */
626 static int DetectHTTP2settingsSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
627 {
629  return -1;
630 
631  void *http2set = rs_http2_detect_settingsctx_parse(str);
632  if (http2set == NULL)
633  return -1;
634 
635  SigMatch *sm = SigMatchAlloc();
636  if (sm == NULL) {
637  DetectHTTP2settingsFree(NULL, http2set);
638  return -1;
639  }
640 
642  sm->ctx = (SigMatchCtx *)http2set;
643 
644  SigMatchAppendSMToList(s, sm, g_http2_match_buffer_id);
645 
646  return 0;
647 }
648 
649 /**
650  * \brief this function will free memory associated with rust signature context
651  *
652  * \param ptr pointer to rust signature context
653  */
655 {
656  rs_http2_detect_settingsctx_free(ptr);
657 }
658 
659 static int DetectHTTP2headerNameSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
660 {
661  if (DetectBufferSetActiveList(s, g_http2_header_name_buffer_id) < 0)
662  return -1;
663 
665  return -1;
666 
667  return 0;
668 }
669 
670 static void PrefilterMpmHttp2HNameFree(void *ptr)
671 {
672  SCFree(ptr);
673 }
674 
675 static InspectionBuffer *GetHttp2HNameData(DetectEngineThreadCtx *det_ctx, const uint8_t flags,
676  const DetectEngineTransforms *transforms, Flow *_f, const struct MpmListIdDataArgs *cbdata,
677  int list_id)
678 {
679  SCEnter();
680 
681  InspectionBuffer *buffer =
682  InspectionBufferMultipleForListGet(det_ctx, list_id, cbdata->local_id);
683  if (buffer == NULL)
684  return NULL;
685  if (buffer->initialized)
686  return buffer;
687 
688  uint32_t b_len = 0;
689  const uint8_t *b = NULL;
690 
691  if (rs_http2_tx_get_header_name(cbdata->txv, flags, cbdata->local_id, &b, &b_len) != 1)
692  return NULL;
693  if (b == NULL || b_len == 0)
694  return NULL;
695 
696  InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len);
697  InspectionBufferApplyTransforms(buffer, transforms);
698 
699  SCReturnPtr(buffer, "InspectionBuffer");
700 }
701 
702 static void PrefilterTxHttp2HName(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p,
703  Flow *f, void *txv, const uint64_t idx, const AppLayerTxData *_txd, const uint8_t flags)
704 {
705  SCEnter();
706 
707  const PrefilterMpmListId *ctx = (const PrefilterMpmListId *)pectx;
708  const MpmCtx *mpm_ctx = ctx->mpm_ctx;
709  const int list_id = ctx->list_id;
710 
711  uint32_t local_id = 0;
712 
713  while(1) {
714  // loop until we get a NULL
715 
716  struct MpmListIdDataArgs cbdata = { local_id, txv };
717  InspectionBuffer *buffer =
718  GetHttp2HNameData(det_ctx, flags, ctx->transforms, f, &cbdata, list_id);
719  if (buffer == NULL)
720  break;
721 
722  if (buffer->inspect_len >= mpm_ctx->minlen) {
723  (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
724  &det_ctx->mtcu, &det_ctx->pmq,
725  buffer->inspect, buffer->inspect_len);
726  PREFILTER_PROFILING_ADD_BYTES(det_ctx, buffer->inspect_len);
727  }
728 
729  local_id++;
730  }
731 }
732 
733 static int PrefilterMpmHttp2HeaderNameRegister(DetectEngineCtx *de_ctx,
734  SigGroupHead *sgh, MpmCtx *mpm_ctx,
735  const DetectBufferMpmRegistery *mpm_reg, int list_id)
736 {
737  //TODOask use PrefilterMpmListId elsewhere
738  PrefilterMpmListId *pectx = SCCalloc(1, sizeof(*pectx));
739  if (pectx == NULL)
740  return -1;
741  pectx->list_id = list_id;
742  pectx->mpm_ctx = mpm_ctx;
743  pectx->transforms = &mpm_reg->transforms;
744 
745  return PrefilterAppendTxEngine(de_ctx, sgh, PrefilterTxHttp2HName,
746  mpm_reg->app_v2.alproto, mpm_reg->app_v2.tx_min_progress,
747  pectx, PrefilterMpmHttp2HNameFree, mpm_reg->name);
748 }
749 
750 static uint8_t DetectEngineInspectHttp2HeaderName(DetectEngineCtx *de_ctx,
752  const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
753 {
754  uint32_t local_id = 0;
755 
756  const DetectEngineTransforms *transforms = NULL;
757  if (!engine->mpm) {
758  transforms = engine->v2.transforms;
759  }
760 
761  while (1) {
762  //TODOask use MpmListIdDataArgs elsewhere
763  struct MpmListIdDataArgs cbdata = { local_id, txv, };
764  InspectionBuffer *buffer =
765  GetHttp2HNameData(det_ctx, flags, transforms, f, &cbdata, engine->sm_list);
766 
767  if (buffer == NULL || buffer->inspect == NULL)
768  break;
769 
770  det_ctx->buffer_offset = 0;
771  det_ctx->discontinue_matching = 0;
772  det_ctx->inspection_recursion_counter = 0;
773 
774  const int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd,
775  NULL, f,
776  (uint8_t *)buffer->inspect,
777  buffer->inspect_len,
780  if (match == 1) {
782  }
783  local_id++;
784  }
785 
787 }
788 
789 static int DetectHTTP2headerSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
790 {
791  if (DetectBufferSetActiveList(s, g_http2_header_buffer_id) < 0)
792  return -1;
793 
795  return -1;
796 
797  return 0;
798 }
799 
800 static void PrefilterMpmHttp2HeaderFree(void *ptr)
801 {
802  SCFree(ptr);
803 }
804 
805 static InspectionBuffer *GetHttp2HeaderData(DetectEngineThreadCtx *det_ctx, const uint8_t flags,
806  const DetectEngineTransforms *transforms, Flow *_f, const struct MpmListIdDataArgs *cbdata,
807  int list_id)
808 {
809  SCEnter();
810 
811  InspectionBuffer *buffer =
812  InspectionBufferMultipleForListGet(det_ctx, list_id, cbdata->local_id);
813  if (buffer == NULL)
814  return NULL;
815  if (buffer->initialized)
816  return buffer;
817 
818  uint32_t b_len = 0;
819  const uint8_t *b = NULL;
820 
821  if (rs_http2_tx_get_header(cbdata->txv, flags, cbdata->local_id, &b, &b_len) != 1)
822  return NULL;
823  if (b == NULL || b_len == 0)
824  return NULL;
825 
826  InspectionBufferSetupMulti(buffer, transforms, b, b_len);
827 
828  SCReturnPtr(buffer, "InspectionBuffer");
829 }
830 
831 static void PrefilterTxHttp2Header(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p,
832  Flow *f, void *txv, const uint64_t idx, const AppLayerTxData *_txd, const uint8_t flags)
833 {
834  SCEnter();
835 
836  const PrefilterMpmListId *ctx = (const PrefilterMpmListId *)pectx;
837  const MpmCtx *mpm_ctx = ctx->mpm_ctx;
838  const int list_id = ctx->list_id;
839 
840  uint32_t local_id = 0;
841 
842  while(1) {
843  // loop until we get a NULL
844 
845  struct MpmListIdDataArgs cbdata = { local_id, txv };
846  InspectionBuffer *buffer =
847  GetHttp2HeaderData(det_ctx, flags, ctx->transforms, f, &cbdata, list_id);
848  if (buffer == NULL)
849  break;
850 
851  if (buffer->inspect_len >= mpm_ctx->minlen) {
852  (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
853  &det_ctx->mtcu, &det_ctx->pmq,
854  buffer->inspect, buffer->inspect_len);
855  PREFILTER_PROFILING_ADD_BYTES(det_ctx, buffer->inspect_len);
856  }
857 
858  local_id++;
859  }
860 }
861 
862 static int PrefilterMpmHttp2HeaderRegister(DetectEngineCtx *de_ctx,
863  SigGroupHead *sgh, MpmCtx *mpm_ctx,
864  const DetectBufferMpmRegistery *mpm_reg, int list_id)
865 {
866  PrefilterMpmListId *pectx = SCCalloc(1, sizeof(*pectx));
867  if (pectx == NULL)
868  return -1;
869  pectx->list_id = list_id;
870  pectx->mpm_ctx = mpm_ctx;
871  pectx->transforms = &mpm_reg->transforms;
872 
873  return PrefilterAppendTxEngine(de_ctx, sgh, PrefilterTxHttp2Header,
874  mpm_reg->app_v2.alproto, mpm_reg->app_v2.tx_min_progress,
875  pectx, PrefilterMpmHttp2HeaderFree, mpm_reg->name);
876 }
877 
878 static uint8_t DetectEngineInspectHttp2Header(DetectEngineCtx *de_ctx,
880  const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
881 {
882  uint32_t local_id = 0;
883 
884  const DetectEngineTransforms *transforms = NULL;
885  if (!engine->mpm) {
886  transforms = engine->v2.transforms;
887  }
888 
889  while (1) {
890  struct MpmListIdDataArgs cbdata = { local_id, txv, };
891  InspectionBuffer *buffer =
892  GetHttp2HeaderData(det_ctx, flags, transforms, f, &cbdata, engine->sm_list);
893 
894  if (buffer == NULL || buffer->inspect == NULL)
895  break;
896 
897  det_ctx->buffer_offset = 0;
898  det_ctx->discontinue_matching = 0;
899  det_ctx->inspection_recursion_counter = 0;
900 
901  const int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd,
902  NULL, f,
903  (uint8_t *)buffer->inspect,
904  buffer->inspect_len,
907  if (match == 1) {
909  }
910  local_id++;
911  }
912 
914 }
915 
916 static bool DetectHttp2HeaderValidateCallback(const Signature *s, const char **sigerror)
917 {
918  const SigMatch *sm = s->init_data->smlists[g_http2_header_buffer_id];
919  for ( ; sm != NULL; sm = sm->next) {
920  if (sm->type != DETECT_CONTENT)
921  continue;
922  const DetectContentData *cd = (DetectContentData *)sm->ctx;
923  bool escaped = false;
924  bool namevaluesep = false;
925  for (size_t i = 0; i < cd->content_len; ++i) {
926  if (escaped) {
927  if (cd->content[i] == ' ') {
928  if (namevaluesep) {
929  *sigerror = "Invalid http2.header string : "
930  "': ' is a special sequence for separation between name and value "
931  " and thus can only be present once";
932  SCLogWarning("rule %u: %s", s->id, *sigerror);
933  return false;
934  }
935  namevaluesep = true;
936  } else if (cd->content[i] != ':') {
937  *sigerror = "Invalid http2.header string : "
938  "':' is an escaping character for itself, "
939  "or space for the separation between name and value";
940  SCLogWarning("rule %u: %s", s->id, *sigerror);
941  return false;
942  }
943  escaped = false;
944  } else if(cd->content[i] == ':') {
945  escaped = true;
946  }
947  }
948  if (escaped) {
949  *sigerror = "Invalid http2.header string : "
950  "':' is an escaping character for itself, "
951  "or space for the separation between name and value";
952  SCLogWarning("rule %u: %s", s->id, *sigerror);
953  return false;
954  }
955  }
956  return true;
957 }
958 
959 #ifdef UNITTESTS
960 #include "tests/detect-http2.c"
961 #endif
util-byte.h
detect-engine-uint.h
DetectEngineAppInspectionEngine_
Definition: detect.h:390
SigTableElmt_::url
const char * url
Definition: detect.h:1241
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1498
DetectEngineAppInspectionEngine_::mpm
bool mpm
Definition: detect.h:394
detect-content.h
MpmCtx_::mpm_type
uint8_t mpm_type
Definition: util-mpm.h:90
DetectEngineThreadCtx_::buffer_offset
uint32_t buffer_offset
Definition: detect.h:1053
detect-engine.h
SIGMATCH_INFO_STICKY_BUFFER
#define SIGMATCH_INFO_STICKY_BUFFER
Definition: detect.h:1447
DetectHTTP2priorityRegisterTests
void DetectHTTP2priorityRegisterTests(void)
Definition: detect-http2.c:90
DetectU32Match
int DetectU32Match(const uint32_t parg, const DetectUintData_u32 *du32)
Definition: detect-engine-uint.c:31
SigTableElmt_::desc
const char * desc
Definition: detect.h:1240
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
Definition: detect-engine-content-inspection.h:36
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1228
SigTableElmt_::name
const char * name
Definition: detect.h:1238
InspectionBuffer::initialized
bool initialized
Definition: detect.h:341
MpmListIdDataArgs
Definition: detect-engine-mpm.h:138
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1395
DetectEngineTransforms
Definition: detect.h:372
DetectHTTP2RegisterTests
void DetectHTTP2RegisterTests(void)
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:62
DetectU32Parse
DetectUintData_u32 * DetectU32Parse(const char *u32str)
This function is used to parse u32 options passed via some u32 keyword.
Definition: detect-engine-uint.c:45
DetectBufferMpmRegistery_::transforms
DetectEngineTransforms transforms
Definition: detect.h:640
InspectionBuffer
Definition: detect.h:337
Flow_
Flow data structure.
Definition: flow.h:357
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1134
DETECT_HTTP2_SETTINGS
@ DETECT_HTTP2_SETTINGS
Definition: detect-engine-register.h:188
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1232
DetectBufferMpmRegistery_::app_v2
struct DetectBufferMpmRegistery_::@87::@89 app_v2
DETECT_HTTP2_HEADER
@ DETECT_HTTP2_HEADER
Definition: detect-engine-register.h:190
DetectHTTP2priorityFree
void DetectHTTP2priorityFree(DetectEngineCtx *, void *)
this function will free memory associated with uint32_t
Definition: detect-http2.c:473
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:785
MpmListIdDataArgs::local_id
uint32_t local_id
Definition: detect-engine-mpm.h:139
DETECT_HTTP2_SIZEUPDATE
@ DETECT_HTTP2_SIZEUPDATE
Definition: detect-engine-register.h:187
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1209
rust.h
MpmListIdDataArgs::txv
void * txv
Definition: detect-engine-mpm.h:140
DetectBufferMpmRegistery_
one time registration of keywords at start up
Definition: detect.h:626
ByteExtractStringUint32
int ByteExtractStringUint32(uint32_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:239
DetectHTTP2sizeUpdateFree
void DetectHTTP2sizeUpdateFree(DetectEngineCtx *, void *)
this function will free memory associated with uint32_t
Definition: detect-http2.c:597
DETECT_HTTP2_HEADERNAME
@ DETECT_HTTP2_HEADERNAME
Definition: detect-engine-register.h:189
DetectContentData_
Definition: detect-content.h:86
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:229
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1223
DetectEngineAppInspectionEngine_::v2
struct DetectEngineAppInspectionEngine_::@84 v2
detect-engine-prefilter.h
DetectEngineThreadCtx_::mtcu
MpmThreadCtx mtcu
Definition: detect.h:1132
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1079
DetectEngineAppInspectionEngine_::sm_list
uint16_t sm_list
Definition: detect.h:396
DetectU8Parse
DetectUintData_u8 * DetectU8Parse(const char *u8str)
This function is used to parse u8 options passed via some u8 keyword.
Definition: detect-engine-uint.c:85
PrefilterMpmListId
Definition: detect-engine-mpm.h:132
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:228
DetectBufferTypeRegisterValidateCallback
void DetectBufferTypeRegisterValidateCallback(const char *name, bool(*ValidateCallback)(const Signature *, const char **sigerror))
Definition: detect-engine.c:1273
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
detect-http2.h
DetectEngineThreadCtx_
Definition: detect.h:1025
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
detect-engine-mpm.h
detect.h
DetectHTTP2sizeUpdateRegisterTests
void DetectHTTP2sizeUpdateRegisterTests(void)
Definition: detect-http2.c:158
DETECT_ENGINE_INSPECT_SIG_MATCH
#define DETECT_ENGINE_INSPECT_SIG_MATCH
Definition: detect-engine-state.h:39
DetectHTTP2settingsFree
void DetectHTTP2settingsFree(DetectEngineCtx *, void *)
this function will free memory associated with rust signature context
Definition: detect-http2.c:654
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:317
InspectionBuffer::inspect_offset
uint64_t inspect_offset
Definition: detect.h:339
DetectU8Data
DetectUintData_u8 DetectU8Data
Definition: detect-engine-uint.h:43
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:249
PrefilterMpmListId::transforms
const DetectEngineTransforms * transforms
Definition: detect-engine-mpm.h:135
MpmCtx_::minlen
uint16_t minlen
Definition: util-mpm.h:99
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:316
DetectHTTP2settingsRegisterTests
void DetectHTTP2settingsRegisterTests(void)
Definition: detect-http2.c:135
util-profiling.h
DetectBufferMpmRegistery_::name
const char * name
Definition: detect.h:627
PrefilterMpmListId::mpm_ctx
const MpmCtx * mpm_ctx
Definition: detect-engine-mpm.h:134
Packet_
Definition: decode.h:428
DetectAppLayerInspectEngineRegister2
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
Definition: detect-engine.c:224
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:611
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:287
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1206
SignatureInitData_::smlists
struct SigMatch_ ** smlists
Definition: detect.h:534
ALPROTO_HTTP2
@ ALPROTO_HTTP2
Definition: app-layer-protos.h:61
DetectHTTP2windowRegisterTests
void DetectHTTP2windowRegisterTests(void)
Definition: detect-http2.c:112
MpmTableElmt_::Search
uint32_t(* Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t)
Definition: util-mpm.h:165
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:239
detect-engine-content-inspection.h
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:308
DetectEngineThreadCtx_::discontinue_matching
uint16_t discontinue_matching
Definition: detect.h:1092
DetectEngineAppInspectionEngine_::smd
SigMatchData * smd
Definition: detect.h:407
DetectEngineContentInspection
uint8_t DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer, uint32_t buffer_len, uint32_t stream_start_offset, uint8_t flags, uint8_t inspection_mode)
Run the actual payload match functions.
Definition: detect-engine-content-inspection.c:106
DetectAppLayerMpmRegister2
void DetectAppLayerMpmRegister2(const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id), InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register a MPM engine
Definition: detect-engine-mpm.c:89
ByteExtractStringUint8
int ByteExtractStringUint8(uint8_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:285
AppLayerTxData
struct AppLayerTxData AppLayerTxData
Definition: detect.h:1303
PREFILTER_PROFILING_ADD_BYTES
#define PREFILTER_PROFILING_ADD_BYTES(det_ctx, bytes)
Definition: util-profiling.h:307
DetectU8Match
int DetectU8Match(const uint8_t parg, const DetectUintData_u8 *du8)
Definition: detect-engine-uint.c:71
DETECT_CI_FLAGS_SINGLE
#define DETECT_CI_FLAGS_SINGLE
Definition: detect-engine-content-inspection.h:47
DetectBufferTypeRegister
int DetectBufferTypeRegister(const char *name)
Definition: detect-engine.c:1025
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
DetectHTTP2windowFree
void DetectHTTP2windowFree(DetectEngineCtx *, void *)
this function will free memory associated with uint32_t
Definition: detect-http2.c:540
SigMatch_::type
uint16_t type
Definition: detect.h:314
DETECT_HTTP2_ERRORCODE
@ DETECT_HTTP2_ERRORCODE
Definition: detect-engine-register.h:184
InspectionBufferApplyTransforms
void InspectionBufferApplyTransforms(InspectionBuffer *buffer, const DetectEngineTransforms *transforms)
Definition: detect-engine.c:1550
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:76
DetectEngineThreadCtx_::inspection_recursion_counter
int inspection_recursion_counter
Definition: detect.h:1111
DetectU32Data
DetectUintData_u32 DetectU32Data
Definition: detect-engine-uint.h:41
DetectContentData_::content
uint8_t * content
Definition: detect-content.h:87
DetectHttp2Register
void DetectHttp2Register(void)
Registration function for HTTP2 keywords.
Definition: detect-http2.c:118
InspectionBufferSetupMulti
void InspectionBufferSetupMulti(InspectionBuffer *buffer, const DetectEngineTransforms *transforms, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine.c:1431
PrefilterAppendTxEngine
int PrefilterAppendTxEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, PrefilterTxFn PrefilterTxFunc, AppProto alproto, int tx_min_progress, void *pectx, void(*FreeFunc)(void *pectx), const char *name)
Definition: detect-engine-prefilter.c:270
DetectEngineInspectGenericList
uint8_t DetectEngineInspectGenericList(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1948
DETECT_ENGINE_INSPECT_SIG_NO_MATCH
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
Definition: detect-engine-state.h:38
InspectionBuffer::inspect_len
uint32_t inspect_len
Definition: detect.h:340
InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect.h:338
str
#define str(s)
Definition: suricata-common.h:280
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
DetectHTTP2errorCodeRegisterTests
void DetectHTTP2errorCodeRegisterTests(void)
Definition: detect-http2.c:68
InspectionBufferSetup
void InspectionBufferSetup(DetectEngineThreadCtx *det_ctx, const int list_id, InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine.c:1446
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Signature_::id
uint32_t id
Definition: detect.h:574
DETECT_HTTP2_WINDOW
@ DETECT_HTTP2_WINDOW
Definition: detect-engine-register.h:186
detect-parse.h
Signature_
Signature container.
Definition: detect.h:540
SigMatch_
a single match condition for a signature
Definition: detect.h:313
DetectEngineAppInspectionEngine_::transforms
const DetectEngineTransforms * transforms
Definition: detect.h:404
PrefilterMpmListId::list_id
int list_id
Definition: detect-engine-mpm.h:133
mpm_table
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
Definition: util-mpm.c:48
DETECT_HTTP2_PRIORITY
@ DETECT_HTTP2_PRIORITY
Definition: detect-engine-register.h:185
detect-http2.c
DetectContentData_::content_len
uint16_t content_len
Definition: detect-content.h:88
InspectionBufferMultipleForListGet
InspectionBuffer * InspectionBufferMultipleForListGet(DetectEngineThreadCtx *det_ctx, const int list_id, const uint32_t local_id)
for a InspectionBufferMultipleForList get a InspectionBuffer
Definition: detect-engine.c:1384
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1423
DetectBufferSetActiveList
int DetectBufferSetActiveList(Signature *s, const int list)
Definition: detect-engine.c:1293
DetectBufferTypeSetDescriptionByName
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
Definition: detect-engine.c:1176
DetectHTTP2frameTypeRegisterTests
void DetectHTTP2frameTypeRegisterTests(void)
this function registers unit tests for DetectHTTP2frameType
Definition: detect-http2.c:46
DetectHTTP2errorcodeFree
void DetectHTTP2errorcodeFree(DetectEngineCtx *, void *)
this function will free memory associated with uint32_t
Definition: detect-http2.c:406
MpmCtx_
Definition: util-mpm.h:88
DetectHTTP2frametypeFree
void DetectHTTP2frametypeFree(DetectEngineCtx *, void *)
this function will free memory associated with uint8_t
Definition: detect-http2.c:321
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:354
DETECT_HTTP2_FRAMETYPE
@ DETECT_HTTP2_FRAMETYPE
Definition: detect-engine-register.h:183
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1230