suricata
detect-nfs-procedure.c
Go to the documentation of this file.
1 /* Copyright (C) 2017-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  */
23 
24 #include "suricata-common.h"
25 #include "threads.h"
26 #include "debug.h"
27 #include "decode.h"
28 #include "detect.h"
29 
30 #include "detect-parse.h"
31 #include "detect-engine.h"
32 #include "detect-engine-mpm.h"
33 #include "detect-content.h"
34 #include "detect-pcre.h"
35 #include "detect-nfs-procedure.h"
36 
37 #include "app-layer-parser.h"
38 
39 #include "flow.h"
40 #include "flow-util.h"
41 #include "flow-var.h"
42 
43 #include "util-unittest.h"
44 #include "util-unittest-helper.h"
45 
46 #include "app-layer-nfs-tcp.h"
47 #include "rust.h"
48 
49 /**
50  * [nfs_procedure]:[<|>]<proc>[<><proc>];
51  */
52 #define PARSE_REGEX "^\\s*(<=|>=|<|>)?\\s*([0-9]+)\\s*(?:(<>)\\s*([0-9]+))?\\s*$"
53 static DetectParseRegex parse_regex;
54 
56  PROCEDURE_EQ = 1, /* equal */
57  PROCEDURE_LT, /* less than */
58  PROCEDURE_LE, /* less than */
59  PROCEDURE_GT, /* greater than */
60  PROCEDURE_GE, /* greater than */
61  PROCEDURE_RA, /* range */
62 };
63 
64 typedef struct DetectNfsProcedureData_ {
65  uint32_t lo;
66  uint32_t hi;
69 
70 static DetectNfsProcedureData *DetectNfsProcedureParse (const char *);
71 static int DetectNfsProcedureSetup (DetectEngineCtx *, Signature *s, const char *str);
72 static void DetectNfsProcedureFree(DetectEngineCtx *, void *);
73 static void DetectNfsProcedureRegisterTests(void);
74 static int g_nfs_request_buffer_id = 0;
75 
76 static int DetectEngineInspectNfsRequestGeneric(ThreadVars *tv,
78  const Signature *s, const SigMatchData *smd,
79  Flow *f, uint8_t flags, void *alstate,
80  void *txv, uint64_t tx_id);
81 
82 static int DetectNfsProcedureMatch (DetectEngineThreadCtx *, Flow *,
83  uint8_t, void *, void *, const Signature *,
84  const SigMatchCtx *);
85 
86 /**
87  * \brief Registration function for nfs_procedure keyword.
88  */
90 {
91  sigmatch_table[DETECT_AL_NFS_PROCEDURE].name = "nfs_procedure";
92  sigmatch_table[DETECT_AL_NFS_PROCEDURE].desc = "match NFS procedure";
93  sigmatch_table[DETECT_AL_NFS_PROCEDURE].url = "/rules/nfs-keywords.html#procedure";
95  sigmatch_table[DETECT_AL_NFS_PROCEDURE].AppLayerTxMatch = DetectNfsProcedureMatch;
96  sigmatch_table[DETECT_AL_NFS_PROCEDURE].Setup = DetectNfsProcedureSetup;
97  sigmatch_table[DETECT_AL_NFS_PROCEDURE].Free = DetectNfsProcedureFree;
98  sigmatch_table[DETECT_AL_NFS_PROCEDURE].RegisterTests = DetectNfsProcedureRegisterTests;
99 
100 
101  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
102 
105  DetectEngineInspectNfsRequestGeneric);
106 
107  g_nfs_request_buffer_id = DetectBufferTypeGetByName("nfs_request");
108 
109  SCLogDebug("g_nfs_request_buffer_id %d", g_nfs_request_buffer_id);
110 }
111 
112 static int DetectEngineInspectNfsRequestGeneric(ThreadVars *tv,
114  const Signature *s, const SigMatchData *smd,
115  Flow *f, uint8_t flags, void *alstate,
116  void *txv, uint64_t tx_id)
117 {
118  return DetectEngineInspectGenericList(tv, de_ctx, det_ctx, s, smd,
119  f, flags, alstate, txv, tx_id);
120 }
121 
122 static inline int
123 ProcedureMatch(const uint32_t procedure,
124  enum DetectNfsProcedureMode mode, uint32_t lo, uint32_t hi)
125 {
126  switch (mode) {
127  case PROCEDURE_EQ:
128  if (procedure == lo)
129  SCReturnInt(1);
130  break;
131  case PROCEDURE_LT:
132  if (procedure < lo)
133  SCReturnInt(1);
134  break;
135  case PROCEDURE_LE:
136  if (procedure <= lo)
137  SCReturnInt(1);
138  break;
139  case PROCEDURE_GT:
140  if (procedure > lo)
141  SCReturnInt(1);
142  break;
143  case PROCEDURE_GE:
144  if (procedure >= lo)
145  SCReturnInt(1);
146  break;
147  case PROCEDURE_RA:
148  if (procedure >= lo && procedure <= hi)
149  SCReturnInt(1);
150  break;
151  }
152  SCReturnInt(0);
153 }
154 
155 /**
156  * \internal
157  * \brief Function to match procedure of a TX
158  *
159  * For 'file txs'
160  *
161  * \param t Pointer to thread vars.
162  * \param det_ctx Pointer to the pattern matcher thread.
163  * \param f Pointer to the current flow.
164  * \param flags Flags.
165  * \param state App layer state.
166  * \param s Pointer to the Signature.
167  * \param m Pointer to the sigmatch that we will cast into
168  * DetectNfsProcedureData.
169  *
170  * \retval 0 no match.
171  * \retval 1 match.
172  */
173 static int DetectNfsProcedureMatch (DetectEngineThreadCtx *det_ctx,
174  Flow *f, uint8_t flags, void *state,
175  void *txv, const Signature *s,
176  const SigMatchCtx *ctx)
177 {
178  SCEnter();
179 
180  const DetectNfsProcedureData *dd = (const DetectNfsProcedureData *)ctx;
181  uint16_t i;
182  for (i = 0; i < 256; i++) {
183  uint32_t procedure;
184  if (rs_nfs_tx_get_procedures(txv, i, &procedure) == 1) {
185  SCLogDebug("proc %u mode %u lo %u hi %u",
186  procedure, dd->mode, dd->lo, dd->hi);
187  if (ProcedureMatch(procedure, dd->mode, dd->lo, dd->hi))
188  SCReturnInt(1);
189  continue;
190  }
191  break;
192  }
193  SCReturnInt(0);
194 }
195 
196 /**
197  * \internal
198  * \brief Function to parse options passed via tls validity keywords.
199  *
200  * \param rawstr Pointer to the user provided options.
201  *
202  * \retval dd pointer to DetectNfsProcedureData on success.
203  * \retval NULL on failure.
204  */
205 static DetectNfsProcedureData *DetectNfsProcedureParse (const char *rawstr)
206 {
207  DetectNfsProcedureData *dd = NULL;
208  int ret = 0, res = 0;
209  int ov[MAX_SUBSTRINGS];
210  char mode[2] = "";
211  char value1[20] = "";
212  char value2[20] = "";
213  char range[3] = "";
214 
215  ret = DetectParsePcreExec(&parse_regex, rawstr, 0, 0, ov, MAX_SUBSTRINGS);
216  if (ret < 3 || ret > 5) {
217  SCLogError(SC_ERR_PCRE_MATCH, "Parse error %s", rawstr);
218  goto error;
219  }
220 
221  res = pcre_copy_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 1, mode,
222  sizeof(mode));
223  if (res < 0) {
224  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
225  goto error;
226  }
227  SCLogDebug("mode \"%s\"", mode);
228 
229  res = pcre_copy_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 2, value1,
230  sizeof(value1));
231  if (res < 0) {
232  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
233  goto error;
234  }
235  SCLogDebug("value1 \"%s\"", value1);
236 
237  if (ret > 3) {
238  res = pcre_copy_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 3,
239  range, sizeof(range));
240  if (res < 0) {
241  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
242  goto error;
243  }
244  SCLogDebug("range \"%s\"", range);
245 
246  if (ret > 4) {
247  res = pcre_copy_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 4,
248  value2, sizeof(value2));
249  if (res < 0) {
251  "pcre_copy_substring failed");
252  goto error;
253  }
254  SCLogDebug("value2 \"%s\"", value2);
255  }
256  }
257 
258  dd = SCCalloc(1, sizeof(DetectNfsProcedureData));
259  if (unlikely(dd == NULL))
260  goto error;
261 
262  if (strlen(mode) == 1) {
263  if (mode[0] == '<')
264  dd->mode = PROCEDURE_LT;
265  else if (mode[0] == '>')
266  dd->mode = PROCEDURE_GT;
267  } else if (strlen(mode) == 2) {
268  if (strcmp(mode, "<=") == 0)
269  dd->mode = PROCEDURE_LE;
270  if (strcmp(mode, ">=") == 0)
271  dd->mode = PROCEDURE_GE;
272  }
273 
274  if (strlen(range) > 0) {
275  if (strcmp("<>", range) == 0)
276  dd->mode = PROCEDURE_RA;
277  }
278 
279  if (strlen(range) != 0 && strlen(mode) != 0) {
281  "Range specified but mode also set");
282  goto error;
283  }
284 
285  if (dd->mode == 0) {
286  dd->mode = PROCEDURE_EQ;
287  }
288 
289  /* set the first value */
290  dd->lo = atoi(value1); //TODO
291 
292  /* set the second value if specified */
293  if (strlen(value2) > 0) {
294  if (!(dd->mode == PROCEDURE_RA)) {
296  "Multiple tls validity values specified but mode is not range");
297  goto error;
298  }
299 
300  //
301  dd->hi = atoi(value2); // TODO
302 
303  if (dd->hi <= dd->lo) {
305  "Second value in range must not be smaller than the first");
306  goto error;
307  }
308  }
309  return dd;
310 
311 error:
312  if (dd)
313  SCFree(dd);
314  return NULL;
315 }
316 
317 
318 
319 /**
320  * \brief Function to add the parsed tls validity field into the current signature.
321  *
322  * \param de_ctx Pointer to the Detection Engine Context.
323  * \param s Pointer to the Current Signature.
324  * \param rawstr Pointer to the user provided flags options.
325  * \param type Defines if this is notBefore or notAfter.
326  *
327  * \retval 0 on Success.
328  * \retval -1 on Failure.
329  */
330 static int DetectNfsProcedureSetup (DetectEngineCtx *de_ctx, Signature *s,
331  const char *rawstr)
332 {
333  DetectNfsProcedureData *dd = NULL;
334  SigMatch *sm = NULL;
335 
336  SCLogDebug("\'%s\'", rawstr);
337 
339  return -1;
340 
341  dd = DetectNfsProcedureParse(rawstr);
342  if (dd == NULL) {
343  SCLogError(SC_ERR_INVALID_ARGUMENT,"Parsing \'%s\' failed", rawstr);
344  goto error;
345  }
346 
347  /* okay so far so good, lets get this into a SigMatch
348  * and put it in the Signature. */
349  sm = SigMatchAlloc();
350  if (sm == NULL)
351  goto error;
352 
354  sm->ctx = (void *)dd;
355 
356  SCLogDebug("low %u hi %u", dd->lo, dd->hi);
357  SigMatchAppendSMToList(s, sm, g_nfs_request_buffer_id);
358  return 0;
359 
360 error:
361  DetectNfsProcedureFree(de_ctx, dd);
362  return -1;
363 }
364 
365 /**
366  * \internal
367  * \brief Function to free memory associated with DetectNfsProcedureData.
368  *
369  * \param de_ptr Pointer to DetectNfsProcedureData.
370  */
371 void DetectNfsProcedureFree(DetectEngineCtx *de_ctx, void *ptr)
372 {
373  SCFree(ptr);
374 }
375 
376 #ifdef UNITTESTS
377 
378 /**
379  * \test This is a test for a valid value 1430000000.
380  *
381  * \retval 1 on success.
382  * \retval 0 on failure.
383  */
384 static int ValidityTestParse01 (void)
385 {
386  DetectNfsProcedureData *dd = NULL;
387  dd = DetectNfsProcedureParse("1430000000");
388  FAIL_IF_NULL(dd);
389  FAIL_IF_NOT(dd->lo == 1430000000 && dd->mode == PROCEDURE_EQ);
390  DetectNfsProcedureFree(NULL, dd);
391  PASS;
392 }
393 
394 /**
395  * \test This is a test for a valid value >1430000000.
396  *
397  * \retval 1 on success.
398  * \retval 0 on failure.
399  */
400 static int ValidityTestParse02 (void)
401 {
402  DetectNfsProcedureData *dd = NULL;
403  dd = DetectNfsProcedureParse(">1430000000");
404  FAIL_IF_NULL(dd);
405  FAIL_IF_NOT(dd->lo == 1430000000 && dd->mode == PROCEDURE_GT);
406  DetectNfsProcedureFree(NULL, dd);
407  PASS;
408 }
409 
410 /**
411  * \test This is a test for a valid value <1430000000.
412  *
413  * \retval 1 on success.
414  * \retval 0 on failure.
415  */
416 static int ValidityTestParse03 (void)
417 {
418  DetectNfsProcedureData *dd = NULL;
419  dd = DetectNfsProcedureParse("<1430000000");
420  FAIL_IF_NULL(dd);
421  FAIL_IF_NOT(dd->lo == 1430000000 && dd->mode == PROCEDURE_LT);
422  DetectNfsProcedureFree(NULL, dd);
423  PASS;
424 }
425 
426 /**
427  * \test This is a test for a valid value 1430000000<>1470000000.
428  *
429  * \retval 1 on success.
430  * \retval 0 on failure.
431  */
432 static int ValidityTestParse04 (void)
433 {
434  DetectNfsProcedureData *dd = NULL;
435  dd = DetectNfsProcedureParse("1430000000<>1470000000");
436  FAIL_IF_NULL(dd);
437  FAIL_IF_NOT(dd->lo == 1430000000 && dd->hi == 1470000000 &&
438  dd->mode == PROCEDURE_RA);
439  DetectNfsProcedureFree(NULL, dd);
440  PASS;
441 }
442 
443 /**
444  * \test This is a test for a invalid value A.
445  *
446  * \retval 1 on success.
447  * \retval 0 on failure.
448  */
449 static int ValidityTestParse05 (void)
450 {
451  DetectNfsProcedureData *dd = NULL;
452  dd = DetectNfsProcedureParse("A");
453  FAIL_IF_NOT_NULL(dd);
454  PASS;
455 }
456 
457 /**
458  * \test This is a test for a invalid value >1430000000<>1470000000.
459  *
460  * \retval 1 on success.
461  * \retval 0 on failure.
462  */
463 static int ValidityTestParse06 (void)
464 {
465  DetectNfsProcedureData *dd = NULL;
466  dd = DetectNfsProcedureParse(">1430000000<>1470000000");
467  FAIL_IF_NOT_NULL(dd);
468  PASS;
469 }
470 
471 /**
472  * \test This is a test for a invalid value 1430000000<>.
473  *
474  * \retval 1 on success.
475  * \retval 0 on failure.
476  */
477 static int ValidityTestParse07 (void)
478 {
479  DetectNfsProcedureData *dd = NULL;
480  dd = DetectNfsProcedureParse("1430000000<>");
481  FAIL_IF_NOT_NULL(dd);
482  PASS;
483 }
484 
485 /**
486  * \test This is a test for a invalid value <>1430000000.
487  *
488  * \retval 1 on success.
489  * \retval 0 on failure.
490  */
491 static int ValidityTestParse08 (void)
492 {
493  DetectNfsProcedureData *dd = NULL;
494  dd = DetectNfsProcedureParse("<>1430000000");
495  FAIL_IF_NOT_NULL(dd);
496  PASS;
497 }
498 
499 /**
500  * \test This is a test for a invalid value "".
501  *
502  * \retval 1 on success.
503  * \retval 0 on failure.
504  */
505 static int ValidityTestParse09 (void)
506 {
507  DetectNfsProcedureData *dd = NULL;
508  dd = DetectNfsProcedureParse("");
509  FAIL_IF_NOT_NULL(dd);
510  PASS;
511 }
512 
513 /**
514  * \test This is a test for a invalid value " ".
515  *
516  * \retval 1 on success.
517  * \retval 0 on failure.
518  */
519 static int ValidityTestParse10 (void)
520 {
521  DetectNfsProcedureData *dd = NULL;
522  dd = DetectNfsProcedureParse(" ");
523  FAIL_IF_NOT_NULL(dd);
524  PASS;
525 }
526 
527 /**
528  * \test This is a test for a invalid value 1490000000<>1430000000.
529  *
530  * \retval 1 on success.
531  * \retval 0 on failure.
532  */
533 static int ValidityTestParse11 (void)
534 {
535  DetectNfsProcedureData *dd = NULL;
536  dd = DetectNfsProcedureParse("1490000000<>1430000000");
537  FAIL_IF_NOT_NULL(dd);
538  PASS;
539 }
540 
541 /**
542  * \test This is a test for a valid value 1430000000 <> 1490000000.
543  *
544  * \retval 1 on success.
545  * \retval 0 on failure.
546  */
547 static int ValidityTestParse12 (void)
548 {
549  DetectNfsProcedureData *dd = NULL;
550  dd = DetectNfsProcedureParse("1430000000 <> 1490000000");
551  FAIL_IF_NULL(dd);
552  FAIL_IF_NOT(dd->lo == 1430000000 && dd->hi == 1490000000 &&
553  dd->mode == PROCEDURE_RA);
554  DetectNfsProcedureFree(NULL, dd);
555  PASS;
556 }
557 
558 /**
559  * \test This is a test for a valid value > 1430000000.
560  *
561  * \retval 1 on success.
562  * \retval 0 on failure.
563  */
564 static int ValidityTestParse13 (void)
565 {
566  DetectNfsProcedureData *dd = NULL;
567  dd = DetectNfsProcedureParse("> 1430000000 ");
568  FAIL_IF_NULL(dd);
569  FAIL_IF_NOT(dd->lo == 1430000000 && dd->mode == PROCEDURE_GT);
570  DetectNfsProcedureFree(NULL, dd);
571  PASS;
572 }
573 
574 /**
575  * \test This is a test for a valid value < 1490000000.
576  *
577  * \retval 1 on success.
578  * \retval 0 on failure.
579  */
580 static int ValidityTestParse14 (void)
581 {
582  DetectNfsProcedureData *dd = NULL;
583  dd = DetectNfsProcedureParse("< 1490000000 ");
584  FAIL_IF_NULL(dd);
585  FAIL_IF_NOT(dd->lo == 1490000000 && dd->mode == PROCEDURE_LT);
586  DetectNfsProcedureFree(NULL, dd);
587  PASS;
588 }
589 
590 /**
591  * \test This is a test for a valid value 1490000000.
592  *
593  * \retval 1 on success.
594  * \retval 0 on failure.
595  */
596 static int ValidityTestParse15 (void)
597 {
598  DetectNfsProcedureData *dd = NULL;
599  dd = DetectNfsProcedureParse(" 1490000000 ");
600  FAIL_IF_NULL(dd);
601  FAIL_IF_NOT(dd->lo == 1490000000 && dd->mode == PROCEDURE_EQ);
602  DetectNfsProcedureFree(NULL, dd);
603  PASS;
604 }
605 
606 #endif /* UNITTESTS */
607 
608 /**
609  * \brief Register unit tests for nfs_procedure.
610  */
611 void DetectNfsProcedureRegisterTests(void)
612 {
613 #ifdef UNITTESTS /* UNITTESTS */
614  UtRegisterTest("ValidityTestParse01", ValidityTestParse01);
615  UtRegisterTest("ValidityTestParse02", ValidityTestParse02);
616  UtRegisterTest("ValidityTestParse03", ValidityTestParse03);
617  UtRegisterTest("ValidityTestParse04", ValidityTestParse04);
618  UtRegisterTest("ValidityTestParse05", ValidityTestParse05);
619  UtRegisterTest("ValidityTestParse06", ValidityTestParse06);
620  UtRegisterTest("ValidityTestParse07", ValidityTestParse07);
621  UtRegisterTest("ValidityTestParse08", ValidityTestParse08);
622  UtRegisterTest("ValidityTestParse09", ValidityTestParse09);
623  UtRegisterTest("ValidityTestParse10", ValidityTestParse10);
624  UtRegisterTest("ValidityTestParse11", ValidityTestParse11);
625  UtRegisterTest("ValidityTestParse12", ValidityTestParse12);
626  UtRegisterTest("ValidityTestParse13", ValidityTestParse13);
627  UtRegisterTest("ValidityTestParse14", ValidityTestParse14);
628  UtRegisterTest("ValidityTestParse15", ValidityTestParse15);
629 #endif /* UNITTESTS */
630 }
SigTableElmt_::url
const char * url
Definition: detect.h:1212
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1468
detect-content.h
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SigTableElmt_::desc
const char * desc
Definition: detect.h:1211
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1200
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1209
PROCEDURE_RA
@ PROCEDURE_RA
Definition: detect-nfs-procedure.c:61
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
PROCEDURE_GT
@ PROCEDURE_GT
Definition: detect-nfs-procedure.c:59
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
DETECT_AL_NFS_PROCEDURE
@ DETECT_AL_NFS_PROCEDURE
Definition: detect-engine-register.h:157
threads.h
Flow_
Flow data structure.
Definition: flow.h:343
DetectNfsProcedureData
struct DetectNfsProcedureData_ DetectNfsProcedureData
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:766
PROCEDURE_LT
@ PROCEDURE_LT
Definition: detect-nfs-procedure.c:57
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1181
rust.h
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
DetectNfsProcedureMode
DetectNfsProcedureMode
Definition: detect-nfs-procedure.c:55
SigMatchData_
Data needed for Match()
Definition: detect.h:328
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1195
detect-pcre.h
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
Definition: util-unittest.h:82
DetectEngineInspectGenericList
int DetectEngineInspectGenericList(ThreadVars *tv, const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, const uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1592
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:876
DetectNfsProcedureData_
Definition: detect-nfs-procedure.c:64
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:236
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-nfs-procedure.c:52
DetectEngineThreadCtx_
Definition: detect.h:1009
res
PoolThreadReserved res
Definition: stream-tcp-private.h:0
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2456
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
SC_ERR_INVALID_ARGUMENT
@ SC_ERR_INVALID_ARGUMENT
Definition: util-error.h:43
app-layer-parser.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:322
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options, int *ovector, int ovector_size)
Definition: detect-parse.c:2388
DetectNfsProcedureData_::lo
uint32_t lo
Definition: detect-nfs-procedure.c:65
detect-nfs-procedure.h
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1178
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
PROCEDURE_GE
@ PROCEDURE_GE
Definition: detect-nfs-procedure.c:60
SigMatch_::type
uint8_t type
Definition: detect.h:320
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:314
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectParseRegex_
Definition: detect-parse.h:42
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
DetectNfsProcedureRegister
void DetectNfsProcedureRegister(void)
Registration function for nfs_procedure keyword.
Definition: detect-nfs-procedure.c:89
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
str
#define str(s)
Definition: suricata-common.h:273
SCFree
#define SCFree(p)
Definition: util-mem.h:61
PROCEDURE_EQ
@ PROCEDURE_EQ
Definition: detect-nfs-procedure.c:56
detect-parse.h
Signature_
Signature container.
Definition: detect.h:527
SigMatch_
a single match condition for a signature
Definition: detect.h:319
PROCEDURE_LE
@ PROCEDURE_LE
Definition: detect-nfs-procedure.c:58
DetectNfsProcedureData_::mode
enum DetectNfsProcedureMode mode
Definition: detect-nfs-procedure.c:67
flow.h
DetectAppLayerInspectEngineRegister
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback)
register inspect engine at start up time
Definition: detect-engine.c:170
DetectNfsProcedureData_::hi
uint32_t hi
Definition: detect-nfs-procedure.c:66
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
flow-var.h
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
ALPROTO_NFS
@ ALPROTO_NFS
Definition: app-layer-protos.h:45
debug.h
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1201
app-layer-nfs-tcp.h