suricata
detect-lua.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2024 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  */
24 
25 #include "suricata-common.h"
26 #include "conf.h"
27 
28 #include "decode.h"
29 
30 #include "detect.h"
31 #include "detect-parse.h"
32 
33 #include "detect-engine.h"
34 #include "detect-engine-buffer.h"
35 #include "detect-engine-mpm.h"
36 #include "detect-engine-build.h"
37 
38 #include "detect-byte.h"
39 
40 #include "flow.h"
41 #include "flow-var.h"
42 #include "flow-util.h"
43 
44 #include "util-byte.h"
45 
46 #include "util-unittest.h"
47 #include "util-unittest-helper.h"
48 
49 #include "app-layer.h"
50 #include "app-layer-parser.h"
51 #include "app-layer-htp.h"
52 #include "app-layer-ssl.h"
53 
54 #include "stream-tcp.h"
55 
56 #include "detect-lua.h"
57 #include "detect-lua-extensions.h"
58 
59 #include "util-var-name.h"
60 
61 #include "util-lua.h"
62 #include "util-lua-builtins.h"
63 #include "util-lua-common.h"
64 #include "util-lua-sandbox.h"
65 
66 static int DetectLuaMatch (DetectEngineThreadCtx *,
67  Packet *, const Signature *, const SigMatchCtx *);
68 static int DetectLuaAppTxMatch (DetectEngineThreadCtx *det_ctx,
69  Flow *f, uint8_t flags,
70  void *state, void *txv, const Signature *s,
71  const SigMatchCtx *ctx);
72 static int DetectLuaSetup (DetectEngineCtx *, Signature *, const char *);
73 #ifdef UNITTESTS
74 static void DetectLuaRegisterTests(void);
75 #endif
76 static void DetectLuaFree(DetectEngineCtx *, void *);
77 static int g_lua_ja3_list_id = 0;
78 static int g_lua_ja3s_list_id = 0;
79 
80 /**
81  * \brief Registration function for keyword: lua
82  */
84 {
86  sigmatch_table[DETECT_LUA].desc = "match via a lua script";
87  sigmatch_table[DETECT_LUA].url = "/rules/rule-lua-scripting.html";
88  sigmatch_table[DETECT_LUA].Match = DetectLuaMatch;
89  sigmatch_table[DETECT_LUA].AppLayerTxMatch = DetectLuaAppTxMatch;
90  sigmatch_table[DETECT_LUA].Setup = DetectLuaSetup;
91  sigmatch_table[DETECT_LUA].Free = DetectLuaFree;
92 #ifdef UNITTESTS
93  sigmatch_table[DETECT_LUA].RegisterTests = DetectLuaRegisterTests;
94 #endif
95 
96  g_lua_ja3_list_id = DetectBufferTypeRegister("ja3.lua");
101 
102  g_lua_ja3s_list_id = DetectBufferTypeRegister("ja3s.lua");
107 
108  SCLogDebug("registering lua rule option");
109 }
110 
111 /* Flags for DetectLuaThreadData. */
112 #define FLAG_DATATYPE_PACKET BIT_U32(0)
113 #define FLAG_DATATYPE_PAYLOAD BIT_U32(1)
114 #define FLAG_DATATYPE_STREAM BIT_U32(2)
115 #define FLAG_LIST_JA3 BIT_U32(3)
116 #define FLAG_LIST_JA3S BIT_U32(4)
117 #define FLAG_DATATYPE_BUFFER BIT_U32(22)
118 #define FLAG_ERROR_LOGGED BIT_U32(23)
119 #define FLAG_BLOCKED_FUNCTION_LOGGED BIT_U32(24)
120 #define FLAG_INSTRUCTION_LIMIT_LOGGED BIT_U32(25)
121 #define FLAG_MEMORY_LIMIT_LOGGED BIT_U32(26)
122 
123 #define DEFAULT_LUA_ALLOC_LIMIT 500000
124 #define DEFAULT_LUA_INSTRUCTION_LIMIT 500000
125 
126 /** \brief dump stack from lua state to screen */
127 void LuaDumpStack(lua_State *state, const char *prefix)
128 {
129  int size = lua_gettop(state);
130  printf("%s: size %d\n", prefix, size);
131 
132  for (int i = 1; i <= size; i++) {
133  int type = lua_type(state, i);
134  printf("- %s: Stack size=%d, level=%d, type=%d, ", prefix, size, i, type);
135 
136  switch (type) {
137  case LUA_TFUNCTION:
138  printf("function %s", lua_tostring(state, i));
139  break;
140  case LUA_TBOOLEAN:
141  printf("bool %s", lua_toboolean(state, i) ? "true" : "false");
142  break;
143  case LUA_TNUMBER:
144  printf("number %g", lua_tonumber(state, i));
145  break;
146  case LUA_TSTRING:
147  printf("string `%s'", lua_tostring(state, i));
148  break;
149  case LUA_TTABLE:
150  printf("table `%s'", lua_tostring(state, i));
151  break;
152  default:
153  printf("other %s", lua_typename(state, type));
154  break;
155 
156  }
157  printf("\n");
158  }
159 }
160 
161 static void LuaStateSetDetectLuaData(lua_State *state, DetectLuaData *data)
162 {
163  lua_pushlightuserdata(state, (void *)&luaext_key_ld);
164  lua_pushlightuserdata(state, (void *)data);
165  lua_settable(state, LUA_REGISTRYINDEX);
166 }
167 
168 /**
169  * \brief Common function to run the Lua match function and process
170  * the return value.
171  */
172 static int DetectLuaRunMatch(
173  DetectEngineThreadCtx *det_ctx, const DetectLuaData *lua, DetectLuaThreadData *tlua)
174 {
175  /* Reset instruction count. */
177 
178  if (lua_pcall(tlua->luastate, 1, 1, 0) != 0) {
179  const char *reason = lua_tostring(tlua->luastate, -1);
180  SCLuaSbState *context = SCLuaSbGetContext(tlua->luastate);
181  uint32_t flag = 0;
182  if (context->blocked_function_error) {
183  StatsIncr(det_ctx->tv, det_ctx->lua_blocked_function_errors);
185  } else if (context->instruction_count_error) {
186  StatsIncr(det_ctx->tv, det_ctx->lua_instruction_limit_errors);
188  } else if (context->memory_limit_error) {
189  StatsIncr(det_ctx->tv, det_ctx->lua_memory_limit_errors);
190  reason = "memory limit exceeded";
192  } else {
193  flag = FLAG_ERROR_LOGGED;
194  }
195 
196  /* Log once per thread per error type, the message from Lua
197  * will include the filename. */
198  if (!(tlua->flags & flag)) {
199  SCLogWarning("Lua script failed to run successfully: %s", reason);
200  tlua->flags |= flag;
201  }
202 
203  StatsIncr(det_ctx->tv, det_ctx->lua_rule_errors);
204  while (lua_gettop(tlua->luastate) > 0) {
205  lua_pop(tlua->luastate, 1);
206  }
207  SCReturnInt(0);
208  }
209 
210  int match = 0;
211 
212  /* process returns from script */
213  if (lua_gettop(tlua->luastate) > 0) {
214  /* script returns a number (return 1 or return 0) */
215  if (lua_type(tlua->luastate, 1) == LUA_TNUMBER) {
216  lua_Integer script_ret = lua_tointeger(tlua->luastate, 1);
217  SCLogDebug("script_ret %lld", script_ret);
218  lua_pop(tlua->luastate, 1);
219  if (script_ret == 1)
220  match = 1;
221  } else {
222  SCLogDebug("Unsupported datatype returned from Lua script");
223  }
224  }
225 
226  if (lua->negated) {
227  if (match == 1)
228  match = 0;
229  else
230  match = 1;
231  }
232 
233  while (lua_gettop(tlua->luastate) > 0) {
234  lua_pop(tlua->luastate, 1);
235  }
236 
237  SCReturnInt(match);
238 }
239 
241  const SigMatchData *smd, const uint8_t *buffer, uint32_t buffer_len, uint32_t offset,
242  Flow *f)
243 {
244  SCEnter();
245 
246  if (buffer == NULL || buffer_len == 0)
247  SCReturnInt(0);
248 
249  DetectLuaData *lua = (DetectLuaData *)smd->ctx;
250  if (lua == NULL)
251  SCReturnInt(0);
252 
253  DetectLuaThreadData *tlua =
255  if (tlua == NULL)
256  SCReturnInt(0);
257 
258  LuaExtensionsMatchSetup(tlua->luastate, lua, det_ctx, f, /* no packet in the ctx */ NULL, s, 0);
259 
260  /* prepare data to pass to script */
261  lua_getglobal(tlua->luastate, "match");
262  lua_newtable(tlua->luastate); /* stack at -1 */
263 
264  lua_pushliteral(tlua->luastate, "offset"); /* stack at -2 */
265  lua_pushnumber(tlua->luastate, (int)(offset + 1));
266  lua_settable(tlua->luastate, -3);
267 
268  lua_pushstring(tlua->luastate, lua->buffername); /* stack at -2 */
269  LuaPushStringBuffer(tlua->luastate, (const uint8_t *)buffer, (size_t)buffer_len);
270  lua_settable(tlua->luastate, -3);
271 
272  SCReturnInt(DetectLuaRunMatch(det_ctx, lua, tlua));
273 }
274 
275 /**
276  * \brief match the specified lua script
277  *
278  * \param t thread local vars
279  * \param det_ctx pattern matcher thread local data
280  * \param p packet
281  * \param s signature being inspected
282  * \param m sigmatch that we will cast into DetectLuaData
283  *
284  * \retval 0 no match
285  * \retval 1 match
286  */
287 static int DetectLuaMatch (DetectEngineThreadCtx *det_ctx,
288  Packet *p, const Signature *s, const SigMatchCtx *ctx)
289 {
290  SCEnter();
291  DetectLuaData *lua = (DetectLuaData *)ctx;
292  if (lua == NULL)
293  SCReturnInt(0);
294 
296  if (tlua == NULL)
297  SCReturnInt(0);
298 
299  /* setup extension data for use in lua c functions */
300  uint8_t flags = 0;
301  if (p->flowflags & FLOW_PKT_TOSERVER)
302  flags = STREAM_TOSERVER;
303  else if (p->flowflags & FLOW_PKT_TOCLIENT)
304  flags = STREAM_TOCLIENT;
305 
306  LuaStateSetThreadVars(tlua->luastate, det_ctx->tv);
307 
308  LuaExtensionsMatchSetup(tlua->luastate, lua, det_ctx, p->flow, p, s, flags);
309 
310  if ((tlua->flags & FLAG_DATATYPE_PAYLOAD) && p->payload_len == 0)
311  SCReturnInt(0);
312  if ((tlua->flags & FLAG_DATATYPE_PACKET) && GET_PKT_LEN(p) == 0)
313  SCReturnInt(0);
314 
315  lua_getglobal(tlua->luastate, "match");
316  lua_newtable(tlua->luastate); /* stack at -1 */
317 
318  SCReturnInt(DetectLuaRunMatch(det_ctx, lua, tlua));
319 }
320 
321 static int DetectLuaAppMatchCommon (DetectEngineThreadCtx *det_ctx,
322  Flow *f, uint8_t flags, void *state,
323  const Signature *s, const SigMatchCtx *ctx)
324 {
325  SCEnter();
326  DetectLuaData *lua = (DetectLuaData *)ctx;
327  if (lua == NULL)
328  SCReturnInt(0);
329 
331  if (tlua == NULL)
332  SCReturnInt(0);
333 
334  /* setup extension data for use in lua c functions */
335  LuaExtensionsMatchSetup(tlua->luastate, lua, det_ctx, f, NULL, s, flags);
336 
337  lua_getglobal(tlua->luastate, "match");
338  lua_newtable(tlua->luastate); /* stack at -1 */
339 
340  SCReturnInt(DetectLuaRunMatch(det_ctx, lua, tlua));
341 }
342 
343 /**
344  * \brief match the specified lua script in a list with a tx
345  *
346  * \param t thread local vars
347  * \param det_ctx pattern matcher thread local data
348  * \param s signature being inspected
349  * \param m sigmatch that we will cast into DetectLuaData
350  *
351  * \retval 0 no match
352  * \retval 1 match
353  */
354 static int DetectLuaAppTxMatch (DetectEngineThreadCtx *det_ctx,
355  Flow *f, uint8_t flags,
356  void *state, void *txv, const Signature *s,
357  const SigMatchCtx *ctx)
358 {
359  return DetectLuaAppMatchCommon(det_ctx, f, flags, state, s, ctx);
360 }
361 
362 #ifdef UNITTESTS
363 /* if this ptr is set the lua setup functions will use this buffer as the
364  * lua script instead of calling luaL_loadfile on the filename supplied. */
365 static const char *ut_script = NULL;
366 #endif
367 
368 static void *DetectLuaThreadInit(void *data)
369 {
370  int status;
371  DetectLuaData *lua = (DetectLuaData *)data;
372  BUG_ON(lua == NULL);
373 
375  if (unlikely(t == NULL)) {
376  SCLogError("couldn't alloc ctx memory");
377  return NULL;
378  }
379 
380  t->flags = lua->flags;
381 
383  if (t->luastate == NULL) {
384  SCLogError("luastate pool depleted");
385  goto error;
386  }
387 
388  if (lua->allow_restricted_functions) {
389  luaL_openlibs(t->luastate);
391  } else {
393  }
394 
395  LuaStateSetDetectLuaData(t->luastate, lua);
396 
397  /* hackish, needed to allow unittests to pass buffers as scripts instead of files */
398 #ifdef UNITTESTS
399  if (ut_script != NULL) {
400  status = luaL_loadbuffer(t->luastate, ut_script, strlen(ut_script), "unittest");
401  if (status) {
402  SCLogError("couldn't load file: %s", lua_tostring(t->luastate, -1));
403  goto error;
404  }
405  } else {
406 #endif
407  status = luaL_loadfile(t->luastate, lua->filename);
408  if (status) {
409  SCLogError("couldn't load file: %s", lua_tostring(t->luastate, -1));
410  goto error;
411  }
412 #ifdef UNITTESTS
413  }
414 #endif
415 
416  /* prime the script (or something) */
417  if (lua_pcall(t->luastate, 0, 0, 0) != 0) {
418  SCLogError("couldn't prime file: %s", lua_tostring(t->luastate, -1));
419  goto error;
420  }
421 
422  /* thread_init call */
423  lua_getglobal(t->luastate, "thread_init");
424  if (lua_isfunction(t->luastate, -1)) {
425  if (lua_pcall(t->luastate, 0, 0, 0) != 0) {
426  SCLogError("couldn't run script 'thread_init' function: %s",
427  lua_tostring(t->luastate, -1));
428  goto error;
429  }
430  } else {
431  lua_pop(t->luastate, 1);
432  }
433 
434  return (void *)t;
435 
436 error:
437  if (t->luastate != NULL)
439  SCFree(t);
440  return NULL;
441 }
442 
443 static void DetectLuaThreadFree(void *ctx)
444 {
445  if (ctx != NULL) {
447  if (t->luastate != NULL)
449  SCFree(t);
450  }
451 }
452 
453 /**
454  * \brief Parse the lua keyword
455  *
456  * \param de_ctx Pointer to the detection engine context
457  * \param str Pointer to the user provided option
458  *
459  * \retval lua pointer to DetectLuaData on success
460  * \retval NULL on failure
461  */
462 static DetectLuaData *DetectLuaParse (DetectEngineCtx *de_ctx, const char *str)
463 {
464  DetectLuaData *lua = NULL;
465 
466  /* We have a correct lua option */
467  lua = SCCalloc(1, sizeof(DetectLuaData));
468  if (unlikely(lua == NULL))
469  goto error;
470 
471  if (strlen(str) && str[0] == '!') {
472  lua->negated = 1;
473  str++;
474  }
475 
476  /* get full filename */
478  if (lua->filename == NULL) {
479  goto error;
480  }
481 
482  return lua;
483 
484 error:
485  if (lua != NULL)
486  DetectLuaFree(de_ctx, lua);
487  return NULL;
488 }
489 
490 static int DetectLuaSetupPrime(DetectEngineCtx *de_ctx, DetectLuaData *ld, const Signature *s)
491 {
492  int status;
493 
495  if (luastate == NULL)
496  return -1;
497  if (ld->allow_restricted_functions) {
498  luaL_openlibs(luastate);
499  SCLuaRequirefBuiltIns(luastate);
500  } else {
501  SCLuaSbLoadLibs(luastate);
502  }
503  LuaStateSetDetectLuaData(luastate, ld);
504 
505  /* hackish, needed to allow unittests to pass buffers as scripts instead of files */
506 #ifdef UNITTESTS
507  if (ut_script != NULL) {
508  status = luaL_loadbuffer(luastate, ut_script, strlen(ut_script), "unittest");
509  if (status) {
510  SCLogError("couldn't load file: %s", lua_tostring(luastate, -1));
511  goto error;
512  }
513  } else {
514 #endif
515  status = luaL_loadfile(luastate, ld->filename);
516  if (status) {
517  SCLogError("couldn't load file: %s", lua_tostring(luastate, -1));
518  goto error;
519  }
520 #ifdef UNITTESTS
521  }
522 #endif
523 
524  /* prime the script (or something) */
525  if (lua_pcall(luastate, 0, 0, 0) != 0) {
526  SCLogError("couldn't prime file: %s", lua_tostring(luastate, -1));
527  goto error;
528  }
529 
530  lua_getglobal(luastate, "init");
531  if (lua_type(luastate, -1) != LUA_TFUNCTION) {
532  SCLogError("no init function in script");
533  goto error;
534  }
535 
536  /* Pass the signature as the first argument, setting up bytevars depends on
537  * access to the signature. */
538  lua_pushlightuserdata(luastate, (void *)s);
539 
540  if (lua_pcall(luastate, 1, 1, 0) != 0) {
541  SCLogError("couldn't run script 'init' function: %s", lua_tostring(luastate, -1));
542  goto error;
543  }
544 
545  /* process returns from script */
546  if (lua_gettop(luastate) == 0) {
547  SCLogError("init function in script should return table, nothing returned");
548  goto error;
549  }
550  if (lua_type(luastate, 1) != LUA_TTABLE) {
551  SCLogError("init function in script should return table, returned is not table");
552  goto error;
553  }
554 
555  lua_pushnil(luastate);
556  const char *k;
557  while (lua_next(luastate, -2)) {
558  k = lua_tostring(luastate, -2);
559  if (k == NULL)
560  continue;
561 
562  /* handle flowvar and bytes separately as they have a table as value */
563  if (strcmp(k, "flowvar") == 0) {
564  if (lua_istable(luastate, -1)) {
565  lua_pushnil(luastate);
566  while (lua_next(luastate, -2) != 0) {
567  /* value at -1, key is at -2 which we ignore */
568  const char *value = lua_tostring(luastate, -1);
569  SCLogDebug("value %s", value);
570  /* removes 'value'; keeps 'key' for next iteration */
571  lua_pop(luastate, 1);
572 
573  if (ld->flowvars == DETECT_LUA_MAX_FLOWVARS) {
574  SCLogError("too many flowvars registered");
575  goto error;
576  }
577 
578  uint32_t idx = VarNameStoreRegister(value, VAR_TYPE_FLOW_VAR);
579  ld->flowvar[ld->flowvars++] = idx;
580  SCLogDebug("script uses flowvar %u with script id %u", idx, ld->flowvars - 1);
581  }
582  }
583  lua_pop(luastate, 1);
584  continue;
585  } else if (strcmp(k, "flowint") == 0) {
586  if (lua_istable(luastate, -1)) {
587  lua_pushnil(luastate);
588  while (lua_next(luastate, -2) != 0) {
589  /* value at -1, key is at -2 which we ignore */
590  const char *value = lua_tostring(luastate, -1);
591  SCLogDebug("value %s", value);
592  /* removes 'value'; keeps 'key' for next iteration */
593  lua_pop(luastate, 1);
594 
595  if (ld->flowints == DETECT_LUA_MAX_FLOWINTS) {
596  SCLogError("too many flowints registered");
597  goto error;
598  }
599 
600  uint32_t idx = VarNameStoreRegister(value, VAR_TYPE_FLOW_INT);
601  ld->flowint[ld->flowints++] = idx;
602  SCLogDebug("script uses flowint %u with script id %u", idx, ld->flowints - 1);
603  }
604  }
605  lua_pop(luastate, 1);
606  continue;
607  }
608 
609  bool required = lua_toboolean(luastate, -1);
610  lua_pop(luastate, 1);
611  if (!required) {
612  continue;
613  }
614 
615  if (strcmp(k, "ja3") == 0) {
616  ld->flags |= FLAG_LIST_JA3;
617  } else if (strcmp(k, "ja3s") == 0) {
618  ld->flags |= FLAG_LIST_JA3S;
619  } else if (strcmp(k, "packet") == 0) {
621  } else if (strcmp(k, "payload") == 0) {
623  } else if (strcmp(k, "buffer") == 0) {
625 
626  ld->buffername = SCStrdup("buffer");
627  if (ld->buffername == NULL) {
628  SCLogError("alloc error");
629  goto error;
630  }
631  } else if (strcmp(k, "stream") == 0) {
633 
634  ld->buffername = SCStrdup("stream");
635  if (ld->buffername == NULL) {
636  SCLogError("alloc error");
637  goto error;
638  }
639  /* old options no longer supported */
640  } else if (strncmp(k, "http", 4) == 0 || strncmp(k, "dns", 3) == 0 ||
641  strncmp(k, "tls", 3) == 0 || strncmp(k, "ssh", 3) == 0 ||
642  strncmp(k, "smtp", 4) == 0 || strncmp(k, "dnp3", 4) == 0) {
643  SCLogError("data type %s no longer supported, use rule hooks", k);
644  goto error;
645 
646  } else {
647  SCLogError("unsupported data type %s", k);
648  goto error;
649  }
650  }
651 
652  /* pop the table */
653  lua_pop(luastate, 1);
654  SCLuaSbStateClose(luastate);
655  return 0;
656 error:
657  SCLuaSbStateClose(luastate);
658  return -1;
659 }
660 
661 /**
662  * \brief this function is used to parse lua options
663  * \brief into the current signature
664  *
665  * \param de_ctx pointer to the Detection Engine Context
666  * \param s pointer to the Current Signature
667  * \param str pointer to the user provided "lua" option
668  *
669  * \retval 0 on Success
670  * \retval -1 on Failure
671  */
672 static int DetectLuaSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
673 {
674  /* First check if Lua rules are enabled, by default Lua in rules
675  * is disabled. */
676  int enabled = 0;
677  if (SCConfGetBool("security.lua.allow-rules", &enabled) == 1 && !enabled) {
678  SCLogError("Lua rules disabled by security configuration: security.lua.allow-rules");
679  return -1;
680  }
681 
682  DetectLuaData *lua = DetectLuaParse(de_ctx, str);
683  if (lua == NULL)
684  return -1;
685 
686  /* Load lua sandbox configurations */
687  intmax_t lua_alloc_limit = DEFAULT_LUA_ALLOC_LIMIT;
688  intmax_t lua_instruction_limit = DEFAULT_LUA_INSTRUCTION_LIMIT;
689  (void)SCConfGetInt("security.lua.max-bytes", &lua_alloc_limit);
690  (void)SCConfGetInt("security.lua.max-instructions", &lua_instruction_limit);
691  lua->alloc_limit = lua_alloc_limit;
692  lua->instruction_limit = lua_instruction_limit;
693 
694  int allow_restricted_functions = 0;
695  (void)SCConfGetBool("security.lua.allow-restricted-functions", &allow_restricted_functions);
696  lua->allow_restricted_functions = allow_restricted_functions;
697 
698  if (DetectLuaSetupPrime(de_ctx, lua, s) == -1) {
699  goto error;
700  }
701 
703  DetectLuaThreadInit, (void *)lua,
704  DetectLuaThreadFree, 0);
705  if (lua->thread_ctx_id == -1)
706  goto error;
707 
708  int list = DetectBufferGetActiveList(de_ctx, s);
709  SCLogDebug("buffer list %d -> %d", list, s->init_data->list);
710  if (list == -1 || (list == 0 && s->init_data->list == INT_MAX)) {
711  /* what needs to happen here is: we register to the rule hook, so e.g.
712  * http1.request_complete. This means we need a list.
713  *
714  * This includes each pkt, payload, stream, etc. */
715 
717  list = s->init_data->hook.sm_list;
718  SCLogDebug("setting list %d", list);
719  }
720  }
721 
722  if (list == -1) {
723  SCLogError("lua failed to set up");
724  goto error;
725  }
726  if (list == 0) {
727  if (lua->flags & FLAG_LIST_JA3) {
728  list = g_lua_ja3_list_id;
729  } else if (lua->flags & FLAG_LIST_JA3S) {
730  list = g_lua_ja3s_list_id;
731  }
732  }
733 
734  if (SCSigMatchAppendSMToList(de_ctx, s, DETECT_LUA, (SigMatchCtx *)lua, list) == NULL) {
735  goto error;
736  }
737 
738  return 0;
739 
740 error:
741  if (lua != NULL)
742  DetectLuaFree(de_ctx, lua);
743  return -1;
744 }
745 
746 /**
747  * \brief this function will free memory associated with DetectLuaData
748  *
749  * \param ptr pointer to DetectLuaData
750  */
751 static void DetectLuaFree(DetectEngineCtx *de_ctx, void *ptr)
752 {
753  if (ptr != NULL) {
754  DetectLuaData *lua = (DetectLuaData *)ptr;
755 
756  if (lua->buffername)
757  SCFree(lua->buffername);
758  if (lua->filename)
759  SCFree(lua->filename);
760 
761  for (uint16_t i = 0; i < lua->flowints; i++) {
763  }
764  for (uint16_t i = 0; i < lua->flowvars; i++) {
766  }
767  for (uint16_t i = 0; i < lua->bytevars; i++) {
768  SCFree(lua->bytevar[i].name);
769  }
770 
772 
773  SCFree(lua);
774  }
775 }
776 
777 #ifdef UNITTESTS
778 #include "detect-engine-alert.h"
779 
780 /** \test http buffer */
781 static int LuaMatchTest01(void)
782 {
783  SCConfSetFinal("security.lua.allow-rules", "true");
784 
785  const char script[] = "local flowvarlib = require(\"suricata.flowvar\")\n"
786  "function init (args)\n"
787  " flowvarlib.register(\"cnt\")\n"
788  " return {}\n"
789  "end\n"
790  "function thread_init (args)\n"
791  " cnt = flowvarlib.get(\"cnt\")\n"
792  "end\n"
793  "\n"
794  "function match(args)\n"
795  " a = cnt:value()\n"
796  " if a then\n"
797  " a = tostring(tonumber(a)+1)\n"
798  " print (a)\n"
799  " cnt:set(a, #a)\n"
800  " else\n"
801  " a = tostring(1)\n"
802  " print (a)\n"
803  " cnt:set(a, #a)\n"
804  " end\n"
805  " \n"
806  " print (\"pre check: \" .. (a))\n"
807  " if tonumber(a) == 2 then\n"
808  " print \"match\"\n"
809  " return 1\n"
810  " end\n"
811  " return 0\n"
812  "end\n"
813  "return 0\n";
814  char sig[] = "alert http1:request_complete any any -> any any (flow:to_server; lua:unittest; "
815  "sid:1;)";
816  uint8_t httpbuf1[] =
817  "POST / HTTP/1.1\r\n"
818  "Host: www.emergingthreats.net\r\n\r\n";
819  uint8_t httpbuf2[] =
820  "POST / HTTP/1.1\r\n"
821  "Host: www.openinfosecfoundation.org\r\n\r\n";
822  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
823  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
824  TcpSession ssn;
825  Flow f;
826  ThreadVars th_v;
827  DetectEngineThreadCtx *det_ctx;
828 
830 
831  ut_script = script;
832 
833  memset(&th_v, 0, sizeof(th_v));
834  memset(&f, 0, sizeof(f));
835  memset(&ssn, 0, sizeof(ssn));
836 
837  Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
838  Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
839 
840  FLOW_INITIALIZE(&f);
841  f.protoctx = (void *)&ssn;
842  f.proto = IPPROTO_TCP;
843  f.flags |= FLOW_IPV4;
845 
846  p1->flow = &f;
850  p2->flow = &f;
854 
855  StreamTcpInitConfig(true);
856 
859  de_ctx->flags |= DE_QUIET;
860 
862  FAIL_IF_NULL(s);
863 
865  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
866 
867  int r = AppLayerParserParse(
868  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
869  FAIL_IF(r != 0);
870  HtpState *http_state = f.alstate;
871  FAIL_IF_NULL(http_state);
872 
873  /* do detect for p1 */
874  SCLogDebug("inspecting p1");
875  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
876  FAIL_IF(PacketAlertCheck(p1, 1));
877 
878  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
879  FAIL_IF(r != 0);
880 
881  /* do detect for p2 */
882  SCLogDebug("inspecting p2");
883  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
885 
886  uint32_t id = VarNameStoreLookupByName("cnt", VAR_TYPE_FLOW_VAR);
887  FAIL_IF(id == 0);
888 
889  FlowVar *fv = FlowVarGet(&f, id);
890  FAIL_IF_NULL(fv);
891  FAIL_IF(fv->data.fv_str.value_len != 1);
892  FAIL_IF(memcmp(fv->data.fv_str.value, "2", 1) != 0);
893 
894  UTHFreePackets(&p1, 1);
895  UTHFreePackets(&p2, 1);
896  FLOW_DESTROY(&f);
897 
899  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
901  StreamTcpFreeConfig(true);
902  StatsThreadCleanup(&th_v);
903  PASS;
904 }
905 
906 static int LuaMatchTest01a(void)
907 {
908  const char script[] = "local flowvarlib = require(\"suricata.flowvar\")\n"
909  "function init (args)\n"
910  " flowvarlib.register(\"cnt\")\n"
911  " return {}\n"
912  "end\n"
913  "function thread_init (args)\n"
914  " cnt = flowvarlib.get(\"cnt\")\n"
915  "end\n"
916  "\n"
917  "function match(args)\n"
918  " a = cnt:value(0)\n"
919  " if a then\n"
920  " a = tostring(tonumber(a)+1)\n"
921  " print (a)\n"
922  " cnt:set(a, #a)\n"
923  " else\n"
924  " a = tostring(1)\n"
925  " print (a)\n"
926  " cnt:set(a, #a)\n"
927  " end\n"
928  " \n"
929  " print (\"pre check: \" .. (a))\n"
930  " if tonumber(a) == 2 then\n"
931  " print \"match\"\n"
932  " return 1\n"
933  " end\n"
934  " return 0\n"
935  "end\n"
936  "return 0\n";
937  char sig[] = "alert http1:request_complete any any -> any any (flow:to_server; lua:unittest; "
938  "sid:1;)";
939  uint8_t httpbuf1[] = "POST / HTTP/1.1\r\n"
940  "Host: www.emergingthreats.net\r\n\r\n";
941  uint8_t httpbuf2[] = "POST / HTTP/1.1\r\n"
942  "Host: www.openinfosecfoundation.org\r\n\r\n";
943  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
944  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
945  TcpSession ssn;
946  Flow f;
947  ThreadVars th_v;
948  DetectEngineThreadCtx *det_ctx;
949 
951 
952  ut_script = script;
953 
954  memset(&th_v, 0, sizeof(th_v));
955  memset(&f, 0, sizeof(f));
956  memset(&ssn, 0, sizeof(ssn));
957 
958  Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
959  Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
960 
961  FLOW_INITIALIZE(&f);
962  f.protoctx = (void *)&ssn;
963  f.proto = IPPROTO_TCP;
964  f.flags |= FLOW_IPV4;
966 
967  p1->flow = &f;
971  p2->flow = &f;
975 
976  StreamTcpInitConfig(true);
977 
980  de_ctx->flags |= DE_QUIET;
981 
983  FAIL_IF_NULL(s);
984 
986  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
987 
988  int r = AppLayerParserParse(
989  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
990  FAIL_IF(r != 0);
991 
992  HtpState *http_state = f.alstate;
993  FAIL_IF_NULL(http_state);
994 
995  /* do detect for p1 */
996  SCLogDebug("inspecting p1");
997  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
998  FAIL_IF(PacketAlertCheck(p1, 1));
999 
1000  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
1001  FAIL_IF(r != 0);
1002  /* do detect for p2 */
1003  SCLogDebug("inspecting p2");
1004  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1005  FAIL_IF_NOT(PacketAlertCheck(p2, 1));
1006 
1007  uint32_t id = VarNameStoreLookupByName("cnt", VAR_TYPE_FLOW_VAR);
1008  FAIL_IF(id == 0);
1009 
1010  FlowVar *fv = FlowVarGet(&f, id);
1011  FAIL_IF_NULL(fv);
1012  FAIL_IF(fv->data.fv_str.value_len != 1);
1013  FAIL_IF(memcmp(fv->data.fv_str.value, "2", 1) != 0);
1014 
1015  UTHFreePackets(&p1, 1);
1016  UTHFreePackets(&p2, 1);
1017  FLOW_DESTROY(&f);
1018 
1020  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1022  StreamTcpFreeConfig(true);
1023  StatsThreadCleanup(&th_v);
1024  PASS;
1025 }
1026 
1027 /** \test payload buffer */
1028 static int LuaMatchTest02(void)
1029 {
1030  const char script[] = "local flowvarlib = require(\"suricata.flowvar\")\n"
1031  "function init (args)\n"
1032  " flowvarlib.register(\"cnt\")\n"
1033  " local needs = {}\n"
1034  " needs[\"payload\"] = tostring(true)\n"
1035  " return needs\n"
1036  "end\n"
1037  "function thread_init (args)\n"
1038  " cnt = flowvarlib.get(\"cnt\")\n"
1039  "end\n"
1040  "\n"
1041  "function match(args)\n"
1042  " a = cnt:value()\n"
1043  " if a then\n"
1044  " a = tostring(tonumber(a)+1)\n"
1045  " print (a)\n"
1046  " cnt:set(a, #a)\n"
1047  " else\n"
1048  " a = tostring(1)\n"
1049  " print (a)\n"
1050  " cnt:set(a, #a)\n"
1051  " end\n"
1052  " \n"
1053  " print (\"pre check: \" .. (a))\n"
1054  " if tonumber(a) == 2 then\n"
1055  " print \"match\"\n"
1056  " return 1\n"
1057  " end\n"
1058  " return 0\n"
1059  "end\n"
1060  "return 0\n";
1061  char sig[] = "alert tcp any any -> any any (flow:to_server; lua:unittest; sid:1;)";
1062  uint8_t httpbuf1[] = "POST / HTTP/1.1\r\n"
1063  "Host: www.emergingthreats.net\r\n\r\n";
1064  uint8_t httpbuf2[] = "POST / HTTP/1.1\r\n"
1065  "Host: www.openinfosecfoundation.org\r\n\r\n";
1066  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1067  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
1068  TcpSession ssn;
1069  Flow f;
1070  ThreadVars th_v;
1071  DetectEngineThreadCtx *det_ctx;
1072 
1073  ut_script = script;
1074 
1075  memset(&th_v, 0, sizeof(th_v));
1076  memset(&f, 0, sizeof(f));
1077  memset(&ssn, 0, sizeof(ssn));
1078 
1079  Packet *p1 = UTHBuildPacket(httpbuf1, httplen1, IPPROTO_TCP);
1080  Packet *p2 = UTHBuildPacket(httpbuf2, httplen2, IPPROTO_TCP);
1081 
1082  FLOW_INITIALIZE(&f);
1083  f.protoctx = (void *)&ssn;
1084  f.proto = IPPROTO_TCP;
1085  f.flags |= FLOW_IPV4;
1086  f.alproto = ALPROTO_HTTP1;
1087 
1088  p1->flow = &f;
1092  p2->flow = &f;
1096 
1097  StreamTcpInitConfig(true);
1098 
1101  de_ctx->flags |= DE_QUIET;
1102 
1104  FAIL_IF_NULL(s);
1105 
1107  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1108 
1109  /* do detect for p1 */
1110  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1111 
1112  FAIL_IF(PacketAlertCheck(p1, 1));
1113 
1114  /* do detect for p2 */
1115  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1116 
1117  FAIL_IF_NOT(PacketAlertCheck(p2, 1));
1118 
1119  uint32_t id = VarNameStoreLookupByName("cnt", VAR_TYPE_FLOW_VAR);
1120  FAIL_IF(id == 0);
1121 
1122  FlowVar *fv = FlowVarGet(&f, id);
1123  FAIL_IF_NULL(fv);
1124  FAIL_IF(fv->data.fv_str.value_len != 1);
1125  FAIL_IF(memcmp(fv->data.fv_str.value, "2", 1) != 0);
1126 
1127  UTHFreePackets(&p1, 1);
1128  UTHFreePackets(&p2, 1);
1129  FLOW_DESTROY(&f);
1130 
1131  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1133  StreamTcpFreeConfig(true);
1134  StatsThreadCleanup(&th_v);
1135  PASS;
1136 }
1137 
1138 /** \test payload buffer */
1139 static int LuaMatchTest02a(void)
1140 {
1141  const char script[] = "local flowvarlib = require(\"suricata.flowvar\")\n"
1142  "function init (args)\n"
1143  " flowvarlib.register(\"cnt\")"
1144  " local needs = {}\n"
1145  " needs[\"payload\"] = tostring(true)\n"
1146  " return needs\n"
1147  "end\n"
1148  "function thread_init (args)\n"
1149  " cnt = flowvarlib.get(\"cnt\")"
1150  "end\n"
1151  "\n"
1152  "function match(args)\n"
1153  " a = cnt:value()\n"
1154  " if a then\n"
1155  " a = tostring(tonumber(a)+1)\n"
1156  " print (a)\n"
1157  " cnt:set(a, #a)\n"
1158  " else\n"
1159  " a = tostring(1)\n"
1160  " print (a)\n"
1161  " cnt:set(a, #a)\n"
1162  " end\n"
1163  " \n"
1164  " print (\"pre check: \" .. (a))\n"
1165  " if tonumber(a) == 2 then\n"
1166  " print \"match\"\n"
1167  " return 1\n"
1168  " end\n"
1169  " return 0\n"
1170  "end\n"
1171  "return 0\n";
1172  char sig[] = "alert tcp any any -> any any (flow:to_server; lua:unittest; sid:1;)";
1173  uint8_t httpbuf1[] = "POST / HTTP/1.1\r\n"
1174  "Host: www.emergingthreats.net\r\n\r\n";
1175  uint8_t httpbuf2[] = "POST / HTTP/1.1\r\n"
1176  "Host: www.openinfosecfoundation.org\r\n\r\n";
1177  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1178  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
1179  TcpSession ssn;
1180  Flow f;
1181  ThreadVars th_v;
1182  DetectEngineThreadCtx *det_ctx;
1183 
1184  ut_script = script;
1185 
1186  memset(&th_v, 0, sizeof(th_v));
1187  memset(&f, 0, sizeof(f));
1188  memset(&ssn, 0, sizeof(ssn));
1189 
1190  Packet *p1 = UTHBuildPacket(httpbuf1, httplen1, IPPROTO_TCP);
1191  Packet *p2 = UTHBuildPacket(httpbuf2, httplen2, IPPROTO_TCP);
1192 
1193  FLOW_INITIALIZE(&f);
1194  f.protoctx = (void *)&ssn;
1195  f.proto = IPPROTO_TCP;
1196  f.flags |= FLOW_IPV4;
1197  f.alproto = ALPROTO_HTTP1;
1198 
1199  p1->flow = &f;
1203  p2->flow = &f;
1207 
1208  StreamTcpInitConfig(true);
1209 
1212  de_ctx->flags |= DE_QUIET;
1213 
1215  FAIL_IF_NULL(s);
1216 
1218  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1219 
1220  /* do detect for p1 */
1221  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1222  FAIL_IF(PacketAlertCheck(p1, 1));
1223 
1224  /* do detect for p2 */
1225  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1226  FAIL_IF_NOT(PacketAlertCheck(p2, 1));
1227 
1228  uint32_t id = VarNameStoreLookupByName("cnt", VAR_TYPE_FLOW_VAR);
1229  FAIL_IF(id == 0);
1230 
1231  FlowVar *fv = FlowVarGet(&f, id);
1232  FAIL_IF_NULL(fv);
1233  FAIL_IF(fv->data.fv_str.value_len != 1);
1234  FAIL_IF(memcmp(fv->data.fv_str.value, "2", 1) != 0);
1235 
1236  UTHFreePackets(&p1, 1);
1237  UTHFreePackets(&p2, 1);
1238  FLOW_DESTROY(&f);
1239 
1240  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1242  StreamTcpFreeConfig(true);
1243  StatsThreadCleanup(&th_v);
1244  PASS;
1245 }
1246 
1247 /** \test packet buffer */
1248 static int LuaMatchTest03(void)
1249 {
1250  const char script[] = "local flowvarlib = require(\"suricata.flowvar\")\n"
1251  "function init (args)\n"
1252  " flowvarlib.register(\"cnt\")\n"
1253  " local needs = {}\n"
1254  " needs[\"packet\"] = tostring(true)\n"
1255  " return needs\n"
1256  "end\n"
1257  "\n"
1258  "function thread_init (args)\n"
1259  " cnt = flowvarlib.get(\"cnt\")\n"
1260  "end\n"
1261  "\n"
1262  "function match(args)\n"
1263  " a = cnt:value()\n"
1264  " if a then\n"
1265  " a = tostring(tonumber(a)+1)\n"
1266  " print (a)\n"
1267  " cnt:set(a, #a)\n"
1268  " else\n"
1269  " a = tostring(1)\n"
1270  " print (a)\n"
1271  " cnt:set(a, #a)\n"
1272  " end\n"
1273  " \n"
1274  " print (\"pre check: \" .. (a))\n"
1275  " if tonumber(a) == 2 then\n"
1276  " print \"match\"\n"
1277  " return 1\n"
1278  " end\n"
1279  " return 0\n"
1280  "end\n"
1281  "return 0\n";
1282  char sig[] = "alert tcp any any -> any any (flow:to_server; lua:unittest; sid:1;)";
1283  uint8_t httpbuf1[] = "POST / HTTP/1.1\r\n"
1284  "Host: www.emergingthreats.net\r\n\r\n";
1285  uint8_t httpbuf2[] = "POST / HTTP/1.1\r\n"
1286  "Host: www.openinfosecfoundation.org\r\n\r\n";
1287  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1288  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
1289  TcpSession ssn;
1290  Flow f;
1291  ThreadVars th_v;
1292  DetectEngineThreadCtx *det_ctx;
1293 
1294  ut_script = script;
1295 
1296  memset(&th_v, 0, sizeof(th_v));
1297  memset(&f, 0, sizeof(f));
1298  memset(&ssn, 0, sizeof(ssn));
1299 
1300  Packet *p1 = UTHBuildPacket(httpbuf1, httplen1, IPPROTO_TCP);
1301  Packet *p2 = UTHBuildPacket(httpbuf2, httplen2, IPPROTO_TCP);
1302 
1303  FLOW_INITIALIZE(&f);
1304  f.protoctx = (void *)&ssn;
1305  f.proto = IPPROTO_TCP;
1306  f.flags |= FLOW_IPV4;
1307  f.alproto = ALPROTO_HTTP1;
1308 
1309  p1->flow = &f;
1313  p2->flow = &f;
1317 
1318  StreamTcpInitConfig(true);
1319 
1322  de_ctx->flags |= DE_QUIET;
1323 
1325  FAIL_IF_NULL(s);
1326 
1328  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1329 
1330  /* do detect for p1 */
1331  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1332  FAIL_IF(PacketAlertCheck(p1, 1));
1333 
1334  /* do detect for p2 */
1335  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1336  FAIL_IF_NOT(PacketAlertCheck(p2, 1));
1337 
1338  uint32_t id = VarNameStoreLookupByName("cnt", VAR_TYPE_FLOW_VAR);
1339  FAIL_IF(id == 0);
1340  FlowVar *fv = FlowVarGet(&f, id);
1341  FAIL_IF_NULL(fv);
1342  FAIL_IF(fv->data.fv_str.value_len != 1);
1343  FAIL_IF(memcmp(fv->data.fv_str.value, "2", 1) != 0);
1344 
1345  UTHFreePackets(&p1, 1);
1346  UTHFreePackets(&p2, 1);
1347  FLOW_DESTROY(&f);
1348 
1349  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1351  StreamTcpFreeConfig(true);
1352  StatsThreadCleanup(&th_v);
1353  PASS;
1354 }
1355 
1356 /** \test packet buffer */
1357 static int LuaMatchTest03a(void)
1358 {
1359  const char script[] = "local flowvarlib = require(\"suricata.flowvar\")\n"
1360  "function init (args)\n"
1361  " flowvarlib.register(\"cnt\")\n"
1362  " local needs = {}\n"
1363  " needs[\"packet\"] = tostring(true)\n"
1364  " return needs\n"
1365  "end\n"
1366  "\n"
1367  "function thread_init (args)\n"
1368  " cnt = flowvarlib.get(\"cnt\")\n"
1369  "end\n"
1370  "\n"
1371  "function match(args)\n"
1372  " a = cnt:value()\n"
1373  " if a then\n"
1374  " a = tostring(tonumber(a)+1)\n"
1375  " print (a)\n"
1376  " cnt:set(a, #a)\n"
1377  " else\n"
1378  " a = tostring(1)\n"
1379  " print (a)\n"
1380  " cnt:set(a, #a)\n"
1381  " end\n"
1382  " \n"
1383  " print (\"pre check: \" .. (a))\n"
1384  " if tonumber(a) == 2 then\n"
1385  " print \"match\"\n"
1386  " return 1\n"
1387  " end\n"
1388  " return 0\n"
1389  "end\n"
1390  "return 0\n";
1391  char sig[] = "alert tcp any any -> any any (flow:to_server; lua:unittest; sid:1;)";
1392  uint8_t httpbuf1[] = "POST / HTTP/1.1\r\n"
1393  "Host: www.emergingthreats.net\r\n\r\n";
1394  uint8_t httpbuf2[] = "POST / HTTP/1.1\r\n"
1395  "Host: www.openinfosecfoundation.org\r\n\r\n";
1396  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1397  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
1398  TcpSession ssn;
1399  Flow f;
1400  ThreadVars th_v;
1401  DetectEngineThreadCtx *det_ctx;
1402 
1403  ut_script = script;
1404 
1405  memset(&th_v, 0, sizeof(th_v));
1406  memset(&f, 0, sizeof(f));
1407  memset(&ssn, 0, sizeof(ssn));
1408 
1409  Packet *p1 = UTHBuildPacket(httpbuf1, httplen1, IPPROTO_TCP);
1410  Packet *p2 = UTHBuildPacket(httpbuf2, httplen2, IPPROTO_TCP);
1411 
1412  FLOW_INITIALIZE(&f);
1413  f.protoctx = (void *)&ssn;
1414  f.proto = IPPROTO_TCP;
1415  f.flags |= FLOW_IPV4;
1416  f.alproto = ALPROTO_HTTP1;
1417 
1418  p1->flow = &f;
1422  p2->flow = &f;
1426 
1427  StreamTcpInitConfig(true);
1428 
1431  de_ctx->flags |= DE_QUIET;
1432 
1434  FAIL_IF_NULL(s);
1435 
1437  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1438 
1439  /* do detect for p1 */
1440  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1441  FAIL_IF(PacketAlertCheck(p1, 1));
1442 
1443  /* do detect for p2 */
1444  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1445  FAIL_IF_NOT(PacketAlertCheck(p2, 1));
1446 
1447  uint32_t id = VarNameStoreLookupByName("cnt", VAR_TYPE_FLOW_VAR);
1448  FAIL_IF(id == 0);
1449  FlowVar *fv = FlowVarGet(&f, id);
1450  FAIL_IF_NULL(fv);
1451  FAIL_IF(fv->data.fv_str.value_len != 1);
1452  FAIL_IF(memcmp(fv->data.fv_str.value, "2", 1) != 0);
1453 
1454  UTHFreePackets(&p1, 1);
1455  UTHFreePackets(&p2, 1);
1456  FLOW_DESTROY(&f);
1457 
1458  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1460  StreamTcpFreeConfig(true);
1461  StatsThreadCleanup(&th_v);
1462  PASS;
1463 }
1464 
1465 /** \test http buffer, flowints */
1466 static int LuaMatchTest04(void)
1467 {
1468  const char script[] = "local flowintlib = require(\"suricata.flowint\")\n"
1469  "function init (args)\n"
1470  " flowintlib.register(\"cnt\")\n"
1471  " return {}\n"
1472  "end\n"
1473  "\n"
1474  "function thread_init (args)\n"
1475  " cnt = flowintlib.get(\"cnt\")\n"
1476  "end\n"
1477  "\n"
1478  "function match(args)\n"
1479  " print \"inspecting\""
1480  " a = cnt:value()\n"
1481  " if a then\n"
1482  " cnt:set(a + 1)\n"
1483  " else\n"
1484  " cnt:set(1)\n"
1485  " end\n"
1486  " \n"
1487  " a = cnt:value()\n"
1488  " if a == 2 then\n"
1489  " print \"match\"\n"
1490  " return 1\n"
1491  " end\n"
1492  " return 0\n"
1493  "end\n"
1494  "return 0\n";
1495  char sig[] = "alert http1:request_complete any any -> any any (flow:to_server; lua:unittest; "
1496  "sid:1;)";
1497  uint8_t httpbuf1[] = "POST / HTTP/1.1\r\n"
1498  "Host: www.emergingthreats.net\r\n\r\n";
1499  uint8_t httpbuf2[] = "POST / HTTP/1.1\r\n"
1500  "Host: www.openinfosecfoundation.org\r\n\r\n";
1501  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1502  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
1503  TcpSession ssn;
1504  Flow f;
1505  ThreadVars th_v;
1506  DetectEngineThreadCtx *det_ctx;
1507 
1509 
1510  ut_script = script;
1511 
1512  memset(&th_v, 0, sizeof(th_v));
1513  memset(&f, 0, sizeof(f));
1514  memset(&ssn, 0, sizeof(ssn));
1515 
1516  Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1517  Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1518 
1519  FLOW_INITIALIZE(&f);
1520  f.protoctx = (void *)&ssn;
1521  f.proto = IPPROTO_TCP;
1522  f.flags |= FLOW_IPV4;
1523  f.alproto = ALPROTO_HTTP1;
1524 
1525  p1->flow = &f;
1529 
1530  p2->flow = &f;
1534 
1535  StreamTcpInitConfig(true);
1536 
1539  de_ctx->flags |= DE_QUIET;
1540 
1542  FAIL_IF_NULL(s);
1543 
1545  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1546 
1547  int r = AppLayerParserParse(
1548  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1549  FAIL_IF(r != 0);
1550  HtpState *http_state = f.alstate;
1551  FAIL_IF_NULL(http_state);
1552 
1553  /* do detect for p1 */
1554  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1555  FAIL_IF(PacketAlertCheck(p1, 1));
1556 
1557  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
1558  FAIL_IF(r != 0);
1559 
1560  /* do detect for p2 */
1561  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1562  FAIL_IF_NOT(PacketAlertCheck(p2, 1));
1563 
1564  uint32_t id = VarNameStoreLookupByName("cnt", VAR_TYPE_FLOW_INT);
1565  FAIL_IF(id == 0);
1566  FlowVar *fv = FlowVarGet(&f, id);
1567  FAIL_IF_NULL(fv);
1568  FAIL_IF(fv->data.fv_int.value != 2);
1569 
1570  UTHFreePackets(&p1, 1);
1571  UTHFreePackets(&p2, 1);
1572  FLOW_DESTROY(&f);
1573 
1575  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1577  StreamTcpFreeConfig(true);
1578  StatsThreadCleanup(&th_v);
1579  PASS;
1580 }
1581 
1582 /** \test http buffer, flowints */
1583 static int LuaMatchTest04a(void)
1584 {
1585  const char script[] = "local flowintlib = require(\"suricata.flowint\")\n"
1586  "function init (args)\n"
1587  " flowintlib.register(\"cnt\")\n"
1588  " return {}\n"
1589  "end\n"
1590  "\n"
1591  "function thread_init (args)\n"
1592  " cnt = flowintlib.get(\"cnt\")\n"
1593  "end\n"
1594  "\n"
1595  "function match(args)\n"
1596  " print \"inspecting\""
1597  " a = cnt:value()\n"
1598  " if a then\n"
1599  " cnt:set(a + 1)\n"
1600  " else\n"
1601  " cnt:set(1)\n"
1602  " end\n"
1603  " \n"
1604  " a = cnt:value()\n"
1605  " if a == 2 then\n"
1606  " print \"match\"\n"
1607  " return 1\n"
1608  " end\n"
1609  " return 0\n"
1610  "end\n"
1611  "return 0\n";
1612  char sig[] = "alert http1:request_complete any any -> any any (flow:to_server; lua:unittest; "
1613  "sid:1;)";
1614  uint8_t httpbuf1[] =
1615  "POST / HTTP/1.1\r\n"
1616  "Host: www.emergingthreats.net\r\n\r\n";
1617  uint8_t httpbuf2[] =
1618  "POST / HTTP/1.1\r\n"
1619  "Host: www.openinfosecfoundation.org\r\n\r\n";
1620  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1621  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
1622  TcpSession ssn;
1623  Flow f;
1624  ThreadVars th_v;
1625  DetectEngineThreadCtx *det_ctx;
1626 
1628 
1629  ut_script = script;
1630 
1631  memset(&th_v, 0, sizeof(th_v));
1632  memset(&f, 0, sizeof(f));
1633  memset(&ssn, 0, sizeof(ssn));
1634 
1635  Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1636  Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1637 
1638  FLOW_INITIALIZE(&f);
1639  f.protoctx = (void *)&ssn;
1640  f.proto = IPPROTO_TCP;
1641  f.flags |= FLOW_IPV4;
1642  f.alproto = ALPROTO_HTTP1;
1643 
1644  p1->flow = &f;
1648 
1649  p2->flow = &f;
1653 
1654  StreamTcpInitConfig(true);
1655 
1658  de_ctx->flags |= DE_QUIET;
1659 
1661  FAIL_IF_NULL(s);
1662 
1664  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1665 
1666  int r = AppLayerParserParse(
1667  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1668  FAIL_IF(r != 0);
1669  HtpState *http_state = f.alstate;
1670  FAIL_IF_NULL(http_state);
1671 
1672  /* do detect for p1 */
1673  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1674  FAIL_IF(PacketAlertCheck(p1, 1));
1675 
1676  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
1677  FAIL_IF(r != 0);
1678 
1679  /* do detect for p2 */
1680  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1681  FAIL_IF_NOT(PacketAlertCheck(p2, 1));
1682 
1683  uint32_t id = VarNameStoreLookupByName("cnt", VAR_TYPE_FLOW_INT);
1684  FAIL_IF(id == 0);
1685  FlowVar *fv = FlowVarGet(&f, id);
1686  FAIL_IF_NULL(fv);
1687  FAIL_IF(fv->data.fv_int.value != 2);
1688 
1689  UTHFreePackets(&p1, 1);
1690  UTHFreePackets(&p2, 1);
1691  FLOW_DESTROY(&f);
1692 
1694  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1696  StreamTcpFreeConfig(true);
1697  StatsThreadCleanup(&th_v);
1698  PASS;
1699 }
1700 
1701 /** \test http buffer, flowints */
1702 static int LuaMatchTest05(void)
1703 {
1704  const char script[] = "local flowintlib = require(\"suricata.flowint\")\n"
1705  "function init (args)\n"
1706  " flowintlib.register(\"cnt\")\n"
1707  " return {}\n"
1708  "end\n"
1709  "\n"
1710  "function thread_init (args)\n"
1711  " cnt = flowintlib.get(\"cnt\")\n"
1712  "end\n"
1713  "\n"
1714  "function match(args)\n"
1715  " print \"inspecting\""
1716  " a = cnt:incr()\n"
1717  " if a == 2 then\n"
1718  " print \"match\"\n"
1719  " return 1\n"
1720  " end\n"
1721  " return 0\n"
1722  "end\n"
1723  "return 0\n";
1724  char sig[] = "alert http1:request_complete any any -> any any (flow:to_server; lua:unittest; "
1725  "sid:1;)";
1726  uint8_t httpbuf1[] =
1727  "POST / HTTP/1.1\r\n"
1728  "Host: www.emergingthreats.net\r\n\r\n";
1729  uint8_t httpbuf2[] =
1730  "POST / HTTP/1.1\r\n"
1731  "Host: www.openinfosecfoundation.org\r\n\r\n";
1732  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1733  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
1734  TcpSession ssn;
1735  Flow f;
1736  ThreadVars th_v;
1737  DetectEngineThreadCtx *det_ctx;
1738 
1740 
1741  ut_script = script;
1742 
1743  memset(&th_v, 0, sizeof(th_v));
1744  memset(&f, 0, sizeof(f));
1745  memset(&ssn, 0, sizeof(ssn));
1746 
1747  Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1748  Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1749 
1750  FLOW_INITIALIZE(&f);
1751  f.protoctx = (void *)&ssn;
1752  f.proto = IPPROTO_TCP;
1753  f.flags |= FLOW_IPV4;
1754  f.alproto = ALPROTO_HTTP1;
1755 
1756  p1->flow = &f;
1760 
1761  p2->flow = &f;
1765 
1766  StreamTcpInitConfig(true);
1767 
1770  de_ctx->flags |= DE_QUIET;
1771 
1773  FAIL_IF_NULL(s);
1774 
1776  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1777 
1778  int r = AppLayerParserParse(
1779  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1780  FAIL_IF(r != 0);
1781  HtpState *http_state = f.alstate;
1782  FAIL_IF_NULL(http_state);
1783 
1784  /* do detect for p1 */
1785  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1786  FAIL_IF(PacketAlertCheck(p1, 1));
1787 
1788  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
1789  FAIL_IF(r != 0);
1790 
1791  /* do detect for p2 */
1792  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1793  FAIL_IF_NOT(PacketAlertCheck(p2, 1));
1794 
1795  uint32_t id = VarNameStoreLookupByName("cnt", VAR_TYPE_FLOW_INT);
1796  FAIL_IF(id == 0);
1797  FlowVar *fv = FlowVarGet(&f, id);
1798  FAIL_IF_NULL(fv);
1799  FAIL_IF(fv->data.fv_int.value != 2);
1800 
1801  UTHFreePackets(&p1, 1);
1802  UTHFreePackets(&p2, 1);
1803  FLOW_DESTROY(&f);
1804 
1806  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1808  StreamTcpFreeConfig(true);
1809  StatsThreadCleanup(&th_v);
1810  PASS;
1811 }
1812 
1813 /** \test http buffer, flowints */
1814 static int LuaMatchTest05a(void)
1815 {
1816  const char script[] = "local flowintlib = require(\"suricata.flowint\")\n"
1817  "function init (args)\n"
1818  " flowintlib.register(\"cnt\")\n"
1819  " return {}\n"
1820  "end\n"
1821  "\n"
1822  "function thread_init (args)\n"
1823  " cnt = flowintlib.get(\"cnt\")\n"
1824  "end\n"
1825  "\n"
1826  "function match(args)\n"
1827  " print \"inspecting\""
1828  " a = cnt:incr()\n"
1829  " if a == 2 then\n"
1830  " print \"match\"\n"
1831  " return 1\n"
1832  " end\n"
1833  " return 0\n"
1834  "end\n"
1835  "return 0\n";
1836  char sig[] = "alert http1:request_complete any any -> any any (flow:to_server; lua:unittest; "
1837  "sid:1;)";
1838  uint8_t httpbuf1[] =
1839  "POST / HTTP/1.1\r\n"
1840  "Host: www.emergingthreats.net\r\n\r\n";
1841  uint8_t httpbuf2[] =
1842  "POST / HTTP/1.1\r\n"
1843  "Host: www.openinfosecfoundation.org\r\n\r\n";
1844  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1845  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
1846  TcpSession ssn;
1847  Flow f;
1848  ThreadVars th_v;
1849  DetectEngineThreadCtx *det_ctx;
1850 
1852 
1853  ut_script = script;
1854 
1855  memset(&th_v, 0, sizeof(th_v));
1856  memset(&f, 0, sizeof(f));
1857  memset(&ssn, 0, sizeof(ssn));
1858 
1859  Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1860  Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1861 
1862  FLOW_INITIALIZE(&f);
1863  f.protoctx = (void *)&ssn;
1864  f.proto = IPPROTO_TCP;
1865  f.flags |= FLOW_IPV4;
1866  f.alproto = ALPROTO_HTTP1;
1867 
1868  p1->flow = &f;
1872 
1873  p2->flow = &f;
1877 
1878  StreamTcpInitConfig(true);
1879 
1882  de_ctx->flags |= DE_QUIET;
1883 
1885  FAIL_IF_NULL(s);
1886 
1888  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1889 
1890  int r = AppLayerParserParse(
1891  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1892  FAIL_IF(r != 0);
1893  HtpState *http_state = f.alstate;
1894  FAIL_IF_NULL(http_state);
1895 
1896  /* do detect for p1 */
1897  SCLogInfo("p1");
1898  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1899  FAIL_IF(PacketAlertCheck(p1, 1));
1900 
1901  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
1902  FAIL_IF(r != 0);
1903  /* do detect for p2 */
1904  SCLogInfo("p2");
1905  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1906 
1907  FAIL_IF_NOT(PacketAlertCheck(p2, 1));
1908 
1909  uint32_t id = VarNameStoreLookupByName("cnt", VAR_TYPE_FLOW_INT);
1910  FAIL_IF(id == 0);
1911  FlowVar *fv = FlowVarGet(&f, id);
1912  FAIL_IF_NULL(fv);
1913  FAIL_IF(fv->data.fv_int.value != 2);
1914 
1915  UTHFreePackets(&p1, 1);
1916  UTHFreePackets(&p2, 1);
1917  FLOW_DESTROY(&f);
1918 
1920  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1922  StreamTcpFreeConfig(true);
1923  StatsThreadCleanup(&th_v);
1924  PASS;
1925 }
1926 
1927 /** \test http buffer, flowints */
1928 static int LuaMatchTest06(void)
1929 {
1930  const char script[] = "local flowintlib = require(\"suricata.flowint\")\n"
1931  "function init (args)\n"
1932  " flowintlib.register(\"cnt\")\n"
1933  " return {}\n"
1934  "end\n"
1935  "\n"
1936  "function thread_init (args)\n"
1937  " cnt = flowintlib.get(\"cnt\")\n"
1938  "end\n"
1939  "\n"
1940  "function match(args)\n"
1941  " print \"inspecting\""
1942  " a = cnt:value()\n"
1943  " if a == nil then\n"
1944  " print \"new var set to 2\""
1945  " cnt:set(2)\n"
1946  " end\n"
1947  " a = cnt:decr()\n"
1948  " if a == 0 then\n"
1949  " print \"match\"\n"
1950  " return 1\n"
1951  " end\n"
1952  " return 0\n"
1953  "end\n"
1954  "return 0\n";
1955  char sig[] = "alert http1:request_complete any any -> any any (flow:to_server; lua:unittest; "
1956  "sid:1;)";
1957  uint8_t httpbuf1[] =
1958  "POST / HTTP/1.1\r\n"
1959  "Host: www.emergingthreats.net\r\n\r\n";
1960  uint8_t httpbuf2[] =
1961  "POST / HTTP/1.1\r\n"
1962  "Host: www.openinfosecfoundation.org\r\n\r\n";
1963  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1964  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
1965  TcpSession ssn;
1966  Flow f;
1967  ThreadVars th_v;
1968  DetectEngineThreadCtx *det_ctx;
1969 
1971 
1972  ut_script = script;
1973 
1974  memset(&th_v, 0, sizeof(th_v));
1975  memset(&f, 0, sizeof(f));
1976  memset(&ssn, 0, sizeof(ssn));
1977 
1978  Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1979  Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1980 
1981  FLOW_INITIALIZE(&f);
1982  f.protoctx = (void *)&ssn;
1983  f.proto = IPPROTO_TCP;
1984  f.flags |= FLOW_IPV4;
1985  f.alproto = ALPROTO_HTTP1;
1986 
1987  p1->flow = &f;
1991 
1992  p2->flow = &f;
1996 
1997  StreamTcpInitConfig(true);
1998 
2001  de_ctx->flags |= DE_QUIET;
2002 
2004  FAIL_IF_NULL(s);
2005 
2007  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2008 
2009  int r = AppLayerParserParse(
2010  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
2011  FAIL_IF(r != 0);
2012  HtpState *http_state = f.alstate;
2013  FAIL_IF_NULL(http_state);
2014 
2015  /* do detect for p1 */
2016  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2017  FAIL_IF(PacketAlertCheck(p1, 1));
2018 
2019  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
2020  FAIL_IF(r != 0);
2021 
2022  /* do detect for p2 */
2023  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2024  FAIL_IF_NOT(PacketAlertCheck(p2, 1));
2025 
2026  uint32_t id = VarNameStoreLookupByName("cnt", VAR_TYPE_FLOW_INT);
2027  FAIL_IF(id == 0);
2028  FlowVar *fv = FlowVarGet(&f, id);
2029  FAIL_IF_NULL(fv);
2030  FAIL_IF(fv->data.fv_int.value != 0);
2031 
2032  UTHFreePackets(&p1, 1);
2033  UTHFreePackets(&p2, 1);
2034  FLOW_DESTROY(&f);
2035 
2037  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2039  StreamTcpFreeConfig(true);
2040  StatsThreadCleanup(&th_v);
2041  PASS;
2042 }
2043 
2044 /** \test http buffer, flowints */
2045 static int LuaMatchTest06a(void)
2046 {
2047  const char script[] = "local flowintlib = require(\"suricata.flowint\")\n"
2048  "function init (args)\n"
2049  " flowintlib.register(\"cnt\")\n"
2050  " return {}\n"
2051  "end\n"
2052  "\n"
2053  "function thread_init (args)\n"
2054  " cnt = flowintlib.get(\"cnt\")\n"
2055  "end\n"
2056  "\n"
2057  "function match(args)\n"
2058  " print \"inspecting\""
2059  " a = cnt:value()\n"
2060  " if a == nil then\n"
2061  " print \"new var set to 2\""
2062  " cnt:set(2)\n"
2063  " end\n"
2064  " a = cnt:decr()\n"
2065  " if a == 0 then\n"
2066  " print \"match\"\n"
2067  " return 1\n"
2068  " end\n"
2069  " return 0\n"
2070  "end\n"
2071  "return 0\n";
2072  char sig[] = "alert http1:request_complete any any -> any any (flow:to_server; lua:unittest; "
2073  "sid:1;)";
2074  uint8_t httpbuf1[] =
2075  "POST / HTTP/1.1\r\n"
2076  "Host: www.emergingthreats.net\r\n\r\n";
2077  uint8_t httpbuf2[] =
2078  "POST / HTTP/1.1\r\n"
2079  "Host: www.openinfosecfoundation.org\r\n\r\n";
2080  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
2081  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
2082  TcpSession ssn;
2083  Flow f;
2084  ThreadVars th_v;
2085  DetectEngineThreadCtx *det_ctx;
2086 
2088 
2089  ut_script = script;
2090 
2091  memset(&th_v, 0, sizeof(th_v));
2092  memset(&f, 0, sizeof(f));
2093  memset(&ssn, 0, sizeof(ssn));
2094 
2095  Packet *p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2096  Packet *p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
2097 
2098  FLOW_INITIALIZE(&f);
2099  f.protoctx = (void *)&ssn;
2100  f.proto = IPPROTO_TCP;
2101  f.flags |= FLOW_IPV4;
2102  f.alproto = ALPROTO_HTTP1;
2103 
2104  p1->flow = &f;
2108 
2109  p2->flow = &f;
2113 
2114  StreamTcpInitConfig(true);
2115 
2118  de_ctx->flags |= DE_QUIET;
2119 
2121  FAIL_IF_NULL(s);
2122 
2124  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2125 
2126  int r = AppLayerParserParse(
2127  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
2128  FAIL_IF(r != 0);
2129  HtpState *http_state = f.alstate;
2130  FAIL_IF_NULL(http_state);
2131 
2132  /* do detect for p1 */
2133  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2134  FAIL_IF(PacketAlertCheck(p1, 1));
2135 
2136  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
2137  FAIL_IF(r != 0);
2138 
2139  /* do detect for p2 */
2140  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2141  FAIL_IF_NOT(PacketAlertCheck(p2, 1));
2142 
2143  uint32_t id = VarNameStoreLookupByName("cnt", VAR_TYPE_FLOW_INT);
2144  FAIL_IF(id == 0);
2145  FlowVar *fv = FlowVarGet(&f, id);
2146  FAIL_IF_NULL(fv);
2147  FAIL_IF(fv->data.fv_int.value != 0);
2148 
2149  UTHFreePackets(&p1, 1);
2150  UTHFreePackets(&p2, 1);
2151  FLOW_DESTROY(&f);
2152 
2154  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2156  StreamTcpFreeConfig(true);
2157  StatsThreadCleanup(&th_v);
2158  PASS;
2159 }
2160 
2161 void DetectLuaRegisterTests(void)
2162 {
2163  UtRegisterTest("LuaMatchTest01", LuaMatchTest01);
2164  UtRegisterTest("LuaMatchTest01a", LuaMatchTest01a);
2165  UtRegisterTest("LuaMatchTest02", LuaMatchTest02);
2166  UtRegisterTest("LuaMatchTest02a", LuaMatchTest02a);
2167  UtRegisterTest("LuaMatchTest03", LuaMatchTest03);
2168  UtRegisterTest("LuaMatchTest03a", LuaMatchTest03a);
2169  UtRegisterTest("LuaMatchTest04", LuaMatchTest04);
2170  UtRegisterTest("LuaMatchTest04a", LuaMatchTest04a);
2171  UtRegisterTest("LuaMatchTest05", LuaMatchTest05);
2172  UtRegisterTest("LuaMatchTest05a", LuaMatchTest05a);
2173  UtRegisterTest("LuaMatchTest06", LuaMatchTest06);
2174  UtRegisterTest("LuaMatchTest06a", LuaMatchTest06a);
2175 }
2176 #endif
FLAG_MEMORY_LIMIT_LOGGED
#define FLAG_MEMORY_LIMIT_LOGGED
Definition: detect-lua.c:121
util-byte.h
DetectLuaData::bytevars
uint16_t bytevars
Definition: detect-lua.h:54
DetectLuaData
Definition: detect-lua.h:44
SigTableElmt_::url
const char * url
Definition: detect.h:1460
SCLuaSbState::memory_limit_error
bool memory_limit_error
Definition: util-lua-sandbox.h:56
detect-engine.h
LuaStateSetThreadVars
void LuaStateSetThreadVars(lua_State *luastate, ThreadVars *tv)
Definition: util-lua.c:110
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
StatsIncr
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:166
SigTableElmt_::desc
const char * desc
Definition: detect.h:1459
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:79
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1268
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
util-lua-common.h
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1444
SignatureHook_::sm_list
int sm_list
Definition: detect.h:573
FLAG_BLOCKED_FUNCTION_LOGGED
#define FLAG_BLOCKED_FUNCTION_LOGGED
Definition: detect-lua.c:119
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1457
stream-tcp.h
DetectThreadCtxGetKeywordThreadCtx
void * DetectThreadCtxGetKeywordThreadCtx(DetectEngineThreadCtx *det_ctx, int id)
Retrieve thread local keyword ctx by id.
Definition: detect-engine.c:3724
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
ALPROTO_TLS
@ ALPROTO_TLS
Definition: app-layer-protos.h:39
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:279
DetectLuaDataBytevarEntry_::name
char * name
Definition: detect-lua.h:40
DetectLuaData::flags
uint32_t flags
Definition: detect-lua.h:48
SCLuaSbGetContext
SCLuaSbState * SCLuaSbGetContext(lua_State *L)
Definition: util-lua-sandbox.c:352
Flow_::proto
uint8_t proto
Definition: flow.h:370
util-lua.h
ALPROTO_QUIC
@ ALPROTO_QUIC
Definition: app-layer-protos.h:57
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:142
FlowVarTypeStr::value_len
uint16_t value_len
Definition: flow-var.h:41
SigMatchData_::ctx
SigMatchCtx * ctx
Definition: detect.h:368
Packet_::flags
uint32_t flags
Definition: decode.h:544
SCLuaSbState
Definition: util-lua-sandbox.h:40
Flow_
Flow data structure.
Definition: flow.h:348
DetectLuaData::allow_restricted_functions
int allow_restricted_functions
Definition: detect-lua.h:58
FLAG_INSTRUCTION_LIMIT_LOGGED
#define FLAG_INSTRUCTION_LIMIT_LOGGED
Definition: detect-lua.c:120
ctx
struct Thresholds ctx
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:932
DetectEngineThreadCtx_::lua_blocked_function_errors
uint16_t lua_blocked_function_errors
Definition: detect.h:1377
DEFAULT_LUA_INSTRUCTION_LIMIT
#define DEFAULT_LUA_INSTRUCTION_LIMIT
Definition: detect-lua.c:124
FlowVar_::fv_str
FlowVarTypeStr fv_str
Definition: flow-var.h:64
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2634
detect-lua.h
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1422
DETECT_LUA_MAX_FLOWVARS
#define DETECT_LUA_MAX_FLOWVARS
Definition: detect-lua.h:35
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:324
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:225
util-var-name.h
TLS_STATE_SERVER_HELLO_DONE
@ TLS_STATE_SERVER_HELLO_DONE
Definition: app-layer-ssl.h:89
SCConfGetBool
int SCConfGetBool(const char *name, int *val)
Retrieve a configuration value as a boolean.
Definition: conf.c:497
DE_QUIET
#define DE_QUIET
Definition: detect.h:330
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:365
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:2416
DetectLuaData::flowvar
uint32_t flowvar[DETECT_LUA_MAX_FLOWVARS]
Definition: detect-lua.h:53
util-lua-builtins.h
VarNameStoreRegister
uint32_t VarNameStoreRegister(const char *name, const enum VarTypes type)
Definition: util-var-name.c:155
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:3439
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:532
DetectEngineThreadCtx_::lua_instruction_limit_errors
uint16_t lua_instruction_limit_errors
Definition: detect.h:1380
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:272
Flow_::protoctx
void * protoctx
Definition: flow.h:433
SigMatchData_
Data needed for Match()
Definition: detect.h:365
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1439
FLAG_DATATYPE_PACKET
#define FLAG_DATATYPE_PACKET
Definition: detect-lua.c:112
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:100
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:606
util-unittest.h
HtpState_
Definition: app-layer-htp.h:181
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
DetectLuaThreadData::flags
uint32_t flags
Definition: detect-lua.h:32
DetectLuaThreadData::luastate
lua_State * luastate
Definition: detect-lua.h:31
lua_State
struct lua_State lua_State
Definition: suricata-common.h:523
DetectEngineThreadCtx_::lua_rule_errors
uint16_t lua_rule_errors
Definition: detect.h:1374
FlowVar_::fv_int
FlowVarTypeInt fv_int
Definition: flow-var.h:65
DetectLuaData::buffername
char * buffername
Definition: detect-lua.h:49
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:488
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
DetectLuaData::negated
int negated
Definition: detect-lua.h:46
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:271
app-layer-htp.h
FLAG_LIST_JA3S
#define FLAG_LIST_JA3S
Definition: detect-lua.c:116
VarNameStoreLookupByName
uint32_t VarNameStoreLookupByName(const char *name, const enum VarTypes type)
find name for id+type at packet time. As the active store won't be modified, we don't need locks.
Definition: util-var-name.c:319
decode.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
DetectEngineThreadCtx_
Definition: detect.h:1244
DetectLuaData::thread_ctx_id
int thread_ctx_id
Definition: detect-lua.h:45
DetectLuaData::instruction_limit
uint64_t instruction_limit
Definition: detect-lua.h:57
TLS_STATE_CLIENT_HELLO_DONE
@ TLS_STATE_CLIENT_HELLO_DONE
Definition: app-layer-ssl.h:79
SCConfGetInt
int SCConfGetInt(const char *name, intmax_t *val)
Retrieve a configuration value as an integer.
Definition: conf.c:414
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:23
DETECT_LUA
@ DETECT_LUA
Definition: detect-engine-register.h:92
SignatureInitData_::list
int list
Definition: detect.h:628
SCEnter
#define SCEnter(...)
Definition: util-debug.h:281
detect-engine-mpm.h
SCSigMatchAppendSMToList
SigMatch * SCSigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:388
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectLuaRegister
void DetectLuaRegister(void)
Registration function for keyword: lua.
Definition: detect-lua.c:83
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3364
VarNameStoreUnregister
void VarNameStoreUnregister(const uint32_t id, const enum VarTypes type)
Definition: util-var-name.c:201
DETECT_LUA_MAX_FLOWINTS
#define DETECT_LUA_MAX_FLOWINTS
Definition: detect-lua.h:36
FLAG_DATATYPE_PAYLOAD
#define FLAG_DATATYPE_PAYLOAD
Definition: detect-lua.c:113
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:259
app-layer-parser.h
DetectLuaMatchBuffer
int DetectLuaMatchBuffer(DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, const uint8_t *buffer, uint32_t buffer_len, uint32_t offset, Flow *f)
Definition: detect-lua.c:240
SignatureInitData_::hook
SignatureHook hook
Definition: detect.h:590
SIGNATURE_HOOK_TYPE_NOT_SET
@ SIGNATURE_HOOK_TYPE_NOT_SET
Definition: detect.h:547
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:317
DetectEngineThreadCtx_::lua_memory_limit_errors
uint16_t lua_memory_limit_errors
Definition: detect.h:1383
DetectLuaData::bytevar
DetectLuaDataBytevarEntry bytevar[DETECT_LUA_MAX_BYTEVARS]
Definition: detect-lua.h:55
DetectLuaData::alloc_limit
uint64_t alloc_limit
Definition: detect-lua.h:56
DetectLuaData::flowints
uint16_t flowints
Definition: detect-lua.h:51
Packet_
Definition: decode.h:501
detect-engine-build.h
type
uint16_t type
Definition: decode-vlan.c:106
GET_PKT_LEN
#define GET_PKT_LEN(p)
Definition: decode.h:208
FLAG_DATATYPE_STREAM
#define FLAG_DATATYPE_STREAM
Definition: detect-lua.c:114
SCLuaSbStateClose
void SCLuaSbStateClose(lua_State *L)
Definition: util-lua-sandbox.c:361
DetectLuaData::flowint
uint32_t flowint[DETECT_LUA_MAX_FLOWINTS]
Definition: detect-lua.h:50
FlowVar_::data
union FlowVar_::@122 data
detect-engine-alert.h
conf.h
FLAG_ERROR_LOGGED
#define FLAG_ERROR_LOGGED
Definition: detect-lua.c:118
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:747
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1419
detect-byte.h
SCLuaRequirefBuiltIns
void SCLuaRequirefBuiltIns(lua_State *L)
Register Suricata built-in modules for loading in a non-sandboxed environment.
Definition: util-lua-builtins.c:85
SCLuaSbState::blocked_function_error
bool blocked_function_error
Definition: util-lua-sandbox.h:54
DetectLuaThreadData
Definition: detect-lua.h:30
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:226
LuaExtensionsMatchSetup
void LuaExtensionsMatchSetup(lua_State *lua_state, DetectLuaData *ld, DetectEngineThreadCtx *det_ctx, Flow *f, Packet *p, const Signature *s, uint8_t flags)
Definition: detect-lua-extensions.c:47
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:229
LuaDumpStack
void LuaDumpStack(lua_State *state, const char *prefix)
dump stack from lua state to screen
Definition: detect-lua.c:127
FlowVarTypeInt_::value
uint32_t value
Definition: flow-var.h:46
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2194
SCConfSetFinal
int SCConfSetFinal(const char *name, const char *val)
Set a final configuration value.
Definition: conf.c:318
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:297
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:351
util-lua-sandbox.h
SCLuaSbLoadLibs
void SCLuaSbLoadLibs(lua_State *L)
Definition: util-lua-sandbox.c:280
FlowVarTypeStr::value
uint8_t * value
Definition: flow-var.h:40
Packet_::flow
struct Flow_ * flow
Definition: decode.h:546
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
DetectBufferTypeRegister
int DetectBufferTypeRegister(const char *name)
Definition: detect-engine.c:1214
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:859
flags
uint8_t flags
Definition: decode-gre.h:0
DetectRegisterThreadCtxFuncs
int DetectRegisterThreadCtxFuncs(DetectEngineCtx *de_ctx, const char *name, void *(*InitFunc)(void *), void *data, void(*FreeFunc)(void *), int mode)
Register Thread keyword context Funcs.
Definition: detect-engine.c:3654
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1291
detect-lua-extensions.h
suricata-common.h
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:36
DEFAULT_LUA_ALLOC_LIMIT
#define DEFAULT_LUA_ALLOC_LIMIT
Definition: detect-lua.c:123
SignatureHook_::type
enum SignatureHookType type
Definition: detect.h:572
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3596
detect-engine-buffer.h
SCLuaSbResetInstructionCounter
void SCLuaSbResetInstructionCounter(lua_State *L)
Definition: util-lua-sandbox.c:388
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
DetectEngineInspectGenericList
uint8_t DetectEngineInspectGenericList(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1946
DetectLuaData::flowvars
uint16_t flowvars
Definition: detect-lua.h:52
luaext_key_ld
const char luaext_key_ld[]
Definition: detect-lua-extensions.c:45
str
#define str(s)
Definition: suricata-common.h:308
DetectEngineThreadCtx_::tv
ThreadVars * tv
Definition: detect.h:1252
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:271
FLAG_DATATYPE_BUFFER
#define FLAG_DATATYPE_BUFFER
Definition: detect-lua.c:117
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Flow_::alstate
void * alstate
Definition: flow.h:471
Flow_::flags
uint32_t flags
Definition: flow.h:413
detect-parse.h
Signature_
Signature container.
Definition: detect.h:668
VAR_TYPE_FLOW_VAR
@ VAR_TYPE_FLOW_VAR
Definition: util-var.h:39
VAR_TYPE_FLOW_INT
@ VAR_TYPE_FLOW_INT
Definition: util-var.h:37
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:227
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2595
SCLuaSbState::instruction_count_error
bool instruction_count_error
Definition: util-lua-sandbox.h:55
DetectLoadCompleteSigPath
char * DetectLoadCompleteSigPath(const DetectEngineCtx *de_ctx, const char *sig_file)
Create the path if default-rule-path was specified.
Definition: detect-engine-loader.c:106
DetectAppLayerInspectEngineRegister
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback, InspectionBufferGetDataPtr GetData)
Registers an app inspection engine.
Definition: detect-engine.c:273
SCLuaSbStateNew
lua_State * SCLuaSbStateNew(uint64_t alloclimit, uint64_t instructionlimit)
Allocate a new Lua sandbox.
Definition: util-lua-sandbox.c:320
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:934
FlowVarGet
FlowVar * FlowVarGet(Flow *f, uint32_t idx)
get the flowvar with index 'idx' from the flow
Definition: flow-var.c:84
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:60
DetectUnregisterThreadCtxFuncs
int DetectUnregisterThreadCtxFuncs(DetectEngineCtx *de_ctx, void *data, const char *name)
Remove Thread keyword context registration.
Definition: detect-engine.c:3706
TcpSession_
Definition: stream-tcp-private.h:283
flow.h
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:442
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:285
DetectBufferGetActiveList
int DetectBufferGetActiveList(DetectEngineCtx *de_ctx, Signature *s)
Definition: detect-engine-buffer.c:109
StatsThreadCleanup
void StatsThreadCleanup(ThreadVars *tv)
Definition: counters.c:1324
flow-var.h
DetectLuaData::filename
char * filename
Definition: detect-lua.h:47
FlowVar_
Definition: flow-var.h:55
app-layer-ssl.h
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:119
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1264
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1446
LuaPushStringBuffer
int LuaPushStringBuffer(lua_State *luastate, const uint8_t *input, size_t input_len)
Definition: util-lua.c:319
app-layer.h
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:456
FLAG_LIST_JA3
#define FLAG_LIST_JA3
Definition: detect-lua.c:115