suricata
detect-nfs-procedure.c
Go to the documentation of this file.
1 /* Copyright (C) 2017 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  */
23 
24 #include "suricata-common.h"
25 #include "threads.h"
26 #include "debug.h"
27 #include "decode.h"
28 #include "detect.h"
29 
30 #include "detect-parse.h"
31 #include "detect-engine.h"
32 #include "detect-engine-mpm.h"
33 #include "detect-content.h"
34 #include "detect-pcre.h"
35 #include "detect-nfs-procedure.h"
36 
37 #include "app-layer-parser.h"
38 
39 #include "flow.h"
40 #include "flow-util.h"
41 #include "flow-var.h"
42 
43 #include "util-unittest.h"
44 #include "util-unittest-helper.h"
45 
46 #ifndef HAVE_RUST
48 {
49 }
50 
51 #else
52 
53 #include "app-layer-nfs-tcp.h"
54 #include "rust.h"
55 #include "rust-nfs-nfs-gen.h"
56 
57 /**
58  * [nfs_procedure]:[<|>]<proc>[<><proc>];
59  */
60 #define PARSE_REGEX "^\\s*(<=|>=|<|>)?\\s*([0-9]+)\\s*(?:(<>)\\s*([0-9]+))?\\s*$"
61 static pcre *parse_regex;
62 static pcre_extra *parse_regex_study;
63 
64 enum DetectNfsProcedureMode {
65  PROCEDURE_EQ = 1, /* equal */
66  PROCEDURE_LT, /* less than */
67  PROCEDURE_LE, /* less than */
68  PROCEDURE_GT, /* greater than */
69  PROCEDURE_GE, /* greater than */
70  PROCEDURE_RA, /* range */
71 };
72 
73 typedef struct DetectNfsProcedureData_ {
74  uint32_t lo;
75  uint32_t hi;
76  enum DetectNfsProcedureMode mode;
77 } DetectNfsProcedureData;
78 
79 static DetectNfsProcedureData *DetectNfsProcedureParse (const char *);
80 static int DetectNfsProcedureSetup (DetectEngineCtx *, Signature *s, const char *str);
81 static void DetectNfsProcedureFree(void *);
82 static void DetectNfsProcedureRegisterTests(void);
83 static int g_nfs_request_buffer_id = 0;
84 
85 static int DetectEngineInspectNfsRequestGeneric(ThreadVars *tv,
86  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
87  const Signature *s, const SigMatchData *smd,
88  Flow *f, uint8_t flags, void *alstate,
89  void *txv, uint64_t tx_id);
90 
91 static int DetectNfsProcedureMatch (ThreadVars *, DetectEngineThreadCtx *, Flow *,
92  uint8_t, void *, void *, const Signature *,
93  const SigMatchCtx *);
94 
95 /**
96  * \brief Registration function for nfs_procedure keyword.
97  */
99 {
100  sigmatch_table[DETECT_AL_NFS_PROCEDURE].name = "nfs_procedure";
101  sigmatch_table[DETECT_AL_NFS_PROCEDURE].desc = "match NFS procedure";
102  sigmatch_table[DETECT_AL_NFS_PROCEDURE].url = DOC_URL DOC_VERSION "/rules/nfs-keywords.html#procedure";
104  sigmatch_table[DETECT_AL_NFS_PROCEDURE].AppLayerTxMatch = DetectNfsProcedureMatch;
105  sigmatch_table[DETECT_AL_NFS_PROCEDURE].Setup = DetectNfsProcedureSetup;
106  sigmatch_table[DETECT_AL_NFS_PROCEDURE].Free = DetectNfsProcedureFree;
107  sigmatch_table[DETECT_AL_NFS_PROCEDURE].RegisterTests = DetectNfsProcedureRegisterTests;
108 
109 
110  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
111 
114  DetectEngineInspectNfsRequestGeneric);
115 
116  g_nfs_request_buffer_id = DetectBufferTypeGetByName("nfs_request");
117 
118  SCLogDebug("g_nfs_request_buffer_id %d", g_nfs_request_buffer_id);
119 }
120 
121 static int DetectEngineInspectNfsRequestGeneric(ThreadVars *tv,
122  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
123  const Signature *s, const SigMatchData *smd,
124  Flow *f, uint8_t flags, void *alstate,
125  void *txv, uint64_t tx_id)
126 {
127  return DetectEngineInspectGenericList(tv, de_ctx, det_ctx, s, smd,
128  f, flags, alstate, txv, tx_id);
129 }
130 
131 static inline int
132 ProcedureMatch(const uint32_t procedure,
133  enum DetectNfsProcedureMode mode, uint32_t lo, uint32_t hi)
134 {
135  switch (mode) {
136  case PROCEDURE_EQ:
137  if (procedure == lo)
138  SCReturnInt(1);
139  break;
140  case PROCEDURE_LT:
141  if (procedure < lo)
142  SCReturnInt(1);
143  break;
144  case PROCEDURE_LE:
145  if (procedure <= lo)
146  SCReturnInt(1);
147  break;
148  case PROCEDURE_GT:
149  if (procedure > lo)
150  SCReturnInt(1);
151  break;
152  case PROCEDURE_GE:
153  if (procedure >= lo)
154  SCReturnInt(1);
155  break;
156  case PROCEDURE_RA:
157  if (procedure >= lo && procedure <= hi)
158  SCReturnInt(1);
159  break;
160  }
161  SCReturnInt(0);
162 }
163 
164 /**
165  * \internal
166  * \brief Function to match procedure of a TX
167  *
168  * For 'file txs'
169  *
170  * \param t Pointer to thread vars.
171  * \param det_ctx Pointer to the pattern matcher thread.
172  * \param f Pointer to the current flow.
173  * \param flags Flags.
174  * \param state App layer state.
175  * \param s Pointer to the Signature.
176  * \param m Pointer to the sigmatch that we will cast into
177  * DetectNfsProcedureData.
178  *
179  * \retval 0 no match.
180  * \retval 1 match.
181  */
182 static int DetectNfsProcedureMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
183  Flow *f, uint8_t flags, void *state,
184  void *txv, const Signature *s,
185  const SigMatchCtx *ctx)
186 {
187  SCEnter();
188 
189  const DetectNfsProcedureData *dd = (const DetectNfsProcedureData *)ctx;
190  uint16_t i;
191  for (i = 0; i < 256; i++) {
192  uint32_t procedure;
193  if (rs_nfs_tx_get_procedures(txv, i, &procedure) == 1) {
194  SCLogDebug("proc %u mode %u lo %u hi %u",
195  procedure, dd->mode, dd->lo, dd->hi);
196  if (ProcedureMatch(procedure, dd->mode, dd->lo, dd->hi))
197  SCReturnInt(1);
198  continue;
199  }
200  break;
201  }
202  SCReturnInt(0);
203 }
204 
205 /**
206  * \internal
207  * \brief Function to parse options passed via tls validity keywords.
208  *
209  * \param rawstr Pointer to the user provided options.
210  *
211  * \retval dd pointer to DetectNfsProcedureData on success.
212  * \retval NULL on failure.
213  */
214 static DetectNfsProcedureData *DetectNfsProcedureParse (const char *rawstr)
215 {
216  DetectNfsProcedureData *dd = NULL;
217 #define MAX_SUBSTRINGS 30
218  int ret = 0, res = 0;
219  int ov[MAX_SUBSTRINGS];
220  char mode[2] = "";
221  char value1[20] = "";
222  char value2[20] = "";
223  char range[3] = "";
224 
225  ret = pcre_exec(parse_regex, parse_regex_study, rawstr, strlen(rawstr), 0,
226  0, ov, MAX_SUBSTRINGS);
227  if (ret < 3 || ret > 5) {
228  SCLogError(SC_ERR_PCRE_MATCH, "Parse error %s", rawstr);
229  goto error;
230  }
231 
232  res = pcre_copy_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 1, mode,
233  sizeof(mode));
234  if (res < 0) {
235  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
236  goto error;
237  }
238  SCLogDebug("mode \"%s\"", mode);
239 
240  res = pcre_copy_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 2, value1,
241  sizeof(value1));
242  if (res < 0) {
243  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
244  goto error;
245  }
246  SCLogDebug("value1 \"%s\"", value1);
247 
248  if (ret > 3) {
249  res = pcre_copy_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 3,
250  range, sizeof(range));
251  if (res < 0) {
252  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
253  goto error;
254  }
255  SCLogDebug("range \"%s\"", range);
256 
257  if (ret > 4) {
258  res = pcre_copy_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 4,
259  value2, sizeof(value2));
260  if (res < 0) {
262  "pcre_copy_substring failed");
263  goto error;
264  }
265  SCLogDebug("value2 \"%s\"", value2);
266  }
267  }
268 
269  dd = SCCalloc(1, sizeof(DetectNfsProcedureData));
270  if (unlikely(dd == NULL))
271  goto error;
272 
273  if (strlen(mode) == 1) {
274  if (mode[0] == '<')
275  dd->mode = PROCEDURE_LT;
276  else if (mode[0] == '>')
277  dd->mode = PROCEDURE_GT;
278  } else if (strlen(mode) == 2) {
279  if (strcmp(mode, "<=") == 0)
280  dd->mode = PROCEDURE_LE;
281  if (strcmp(mode, ">=") == 0)
282  dd->mode = PROCEDURE_GE;
283  }
284 
285  if (strlen(range) > 0) {
286  if (strcmp("<>", range) == 0)
287  dd->mode = PROCEDURE_RA;
288  }
289 
290  if (strlen(range) != 0 && strlen(mode) != 0) {
292  "Range specified but mode also set");
293  goto error;
294  }
295 
296  if (dd->mode == 0) {
297  dd->mode = PROCEDURE_EQ;
298  }
299 
300  /* set the first value */
301  dd->lo = atoi(value1); //TODO
302 
303  /* set the second value if specified */
304  if (strlen(value2) > 0) {
305  if (!(dd->mode == PROCEDURE_RA)) {
307  "Multiple tls validity values specified but mode is not range");
308  goto error;
309  }
310 
311  //
312  dd->hi = atoi(value2); // TODO
313 
314  if (dd->hi <= dd->lo) {
316  "Second value in range must not be smaller than the first");
317  goto error;
318  }
319  }
320  return dd;
321 
322 error:
323  if (dd)
324  SCFree(dd);
325  return NULL;
326 }
327 
328 
329 
330 /**
331  * \brief Function to add the parsed tls validity field into the current signature.
332  *
333  * \param de_ctx Pointer to the Detection Engine Context.
334  * \param s Pointer to the Current Signature.
335  * \param rawstr Pointer to the user provided flags options.
336  * \param type Defines if this is notBefore or notAfter.
337  *
338  * \retval 0 on Success.
339  * \retval -1 on Failure.
340  */
341 static int DetectNfsProcedureSetup (DetectEngineCtx *de_ctx, Signature *s,
342  const char *rawstr)
343 {
344  DetectNfsProcedureData *dd = NULL;
345  SigMatch *sm = NULL;
346 
347  SCLogDebug("\'%s\'", rawstr);
348 
350  return -1;
351 
352  dd = DetectNfsProcedureParse(rawstr);
353  if (dd == NULL) {
354  SCLogError(SC_ERR_INVALID_ARGUMENT,"Parsing \'%s\' failed", rawstr);
355  goto error;
356  }
357 
358  /* okay so far so good, lets get this into a SigMatch
359  * and put it in the Signature. */
360  sm = SigMatchAlloc();
361  if (sm == NULL)
362  goto error;
363 
365  sm->ctx = (void *)dd;
366 
367  SCLogDebug("low %u hi %u", dd->lo, dd->hi);
368  SigMatchAppendSMToList(s, sm, g_nfs_request_buffer_id);
369  return 0;
370 
371 error:
372  DetectNfsProcedureFree(dd);
373  return -1;
374 }
375 
376 /**
377  * \internal
378  * \brief Function to free memory associated with DetectNfsProcedureData.
379  *
380  * \param de_ptr Pointer to DetectNfsProcedureData.
381  */
382 void DetectNfsProcedureFree(void *ptr)
383 {
384  SCFree(ptr);
385 }
386 
387 #ifdef UNITTESTS
388 
389 /**
390  * \test This is a test for a valid value 1430000000.
391  *
392  * \retval 1 on success.
393  * \retval 0 on failure.
394  */
395 static int ValidityTestParse01 (void)
396 {
397  DetectNfsProcedureData *dd = NULL;
398  dd = DetectNfsProcedureParse("1430000000");
399  FAIL_IF_NULL(dd);
400  FAIL_IF_NOT(dd->lo == 1430000000 && dd->mode == PROCEDURE_EQ);
401  DetectNfsProcedureFree(dd);
402  PASS;
403 }
404 
405 /**
406  * \test This is a test for a valid value >1430000000.
407  *
408  * \retval 1 on success.
409  * \retval 0 on failure.
410  */
411 static int ValidityTestParse02 (void)
412 {
413  DetectNfsProcedureData *dd = NULL;
414  dd = DetectNfsProcedureParse(">1430000000");
415  FAIL_IF_NULL(dd);
416  FAIL_IF_NOT(dd->lo == 1430000000 && dd->mode == PROCEDURE_GT);
417  DetectNfsProcedureFree(dd);
418  PASS;
419 }
420 
421 /**
422  * \test This is a test for a valid value <1430000000.
423  *
424  * \retval 1 on success.
425  * \retval 0 on failure.
426  */
427 static int ValidityTestParse03 (void)
428 {
429  DetectNfsProcedureData *dd = NULL;
430  dd = DetectNfsProcedureParse("<1430000000");
431  FAIL_IF_NULL(dd);
432  FAIL_IF_NOT(dd->lo == 1430000000 && dd->mode == PROCEDURE_LT);
433  DetectNfsProcedureFree(dd);
434  PASS;
435 }
436 
437 /**
438  * \test This is a test for a valid value 1430000000<>1470000000.
439  *
440  * \retval 1 on success.
441  * \retval 0 on failure.
442  */
443 static int ValidityTestParse04 (void)
444 {
445  DetectNfsProcedureData *dd = NULL;
446  dd = DetectNfsProcedureParse("1430000000<>1470000000");
447  FAIL_IF_NULL(dd);
448  FAIL_IF_NOT(dd->lo == 1430000000 && dd->hi == 1470000000 &&
449  dd->mode == PROCEDURE_RA);
450  DetectNfsProcedureFree(dd);
451  PASS;
452 }
453 
454 /**
455  * \test This is a test for a invalid value A.
456  *
457  * \retval 1 on success.
458  * \retval 0 on failure.
459  */
460 static int ValidityTestParse05 (void)
461 {
462  DetectNfsProcedureData *dd = NULL;
463  dd = DetectNfsProcedureParse("A");
464  FAIL_IF_NOT_NULL(dd);
465  PASS;
466 }
467 
468 /**
469  * \test This is a test for a invalid value >1430000000<>1470000000.
470  *
471  * \retval 1 on success.
472  * \retval 0 on failure.
473  */
474 static int ValidityTestParse06 (void)
475 {
476  DetectNfsProcedureData *dd = NULL;
477  dd = DetectNfsProcedureParse(">1430000000<>1470000000");
478  FAIL_IF_NOT_NULL(dd);
479  PASS;
480 }
481 
482 /**
483  * \test This is a test for a invalid value 1430000000<>.
484  *
485  * \retval 1 on success.
486  * \retval 0 on failure.
487  */
488 static int ValidityTestParse07 (void)
489 {
490  DetectNfsProcedureData *dd = NULL;
491  dd = DetectNfsProcedureParse("1430000000<>");
492  FAIL_IF_NOT_NULL(dd);
493  PASS;
494 }
495 
496 /**
497  * \test This is a test for a invalid value <>1430000000.
498  *
499  * \retval 1 on success.
500  * \retval 0 on failure.
501  */
502 static int ValidityTestParse08 (void)
503 {
504  DetectNfsProcedureData *dd = NULL;
505  dd = DetectNfsProcedureParse("<>1430000000");
506  FAIL_IF_NOT_NULL(dd);
507  PASS;
508 }
509 
510 /**
511  * \test This is a test for a invalid value "".
512  *
513  * \retval 1 on success.
514  * \retval 0 on failure.
515  */
516 static int ValidityTestParse09 (void)
517 {
518  DetectNfsProcedureData *dd = NULL;
519  dd = DetectNfsProcedureParse("");
520  FAIL_IF_NOT_NULL(dd);
521  PASS;
522 }
523 
524 /**
525  * \test This is a test for a invalid value " ".
526  *
527  * \retval 1 on success.
528  * \retval 0 on failure.
529  */
530 static int ValidityTestParse10 (void)
531 {
532  DetectNfsProcedureData *dd = NULL;
533  dd = DetectNfsProcedureParse(" ");
534  FAIL_IF_NOT_NULL(dd);
535  PASS;
536 }
537 
538 /**
539  * \test This is a test for a invalid value 1490000000<>1430000000.
540  *
541  * \retval 1 on success.
542  * \retval 0 on failure.
543  */
544 static int ValidityTestParse11 (void)
545 {
546  DetectNfsProcedureData *dd = NULL;
547  dd = DetectNfsProcedureParse("1490000000<>1430000000");
548  FAIL_IF_NOT_NULL(dd);
549  PASS;
550 }
551 
552 /**
553  * \test This is a test for a valid value 1430000000 <> 1490000000.
554  *
555  * \retval 1 on success.
556  * \retval 0 on failure.
557  */
558 static int ValidityTestParse12 (void)
559 {
560  DetectNfsProcedureData *dd = NULL;
561  dd = DetectNfsProcedureParse("1430000000 <> 1490000000");
562  FAIL_IF_NULL(dd);
563  FAIL_IF_NOT(dd->lo == 1430000000 && dd->hi == 1490000000 &&
564  dd->mode == PROCEDURE_RA);
565  DetectNfsProcedureFree(dd);
566  PASS;
567 }
568 
569 /**
570  * \test This is a test for a valid value > 1430000000.
571  *
572  * \retval 1 on success.
573  * \retval 0 on failure.
574  */
575 static int ValidityTestParse13 (void)
576 {
577  DetectNfsProcedureData *dd = NULL;
578  dd = DetectNfsProcedureParse("> 1430000000 ");
579  FAIL_IF_NULL(dd);
580  FAIL_IF_NOT(dd->lo == 1430000000 && dd->mode == PROCEDURE_GT);
581  DetectNfsProcedureFree(dd);
582  PASS;
583 }
584 
585 /**
586  * \test This is a test for a valid value < 1490000000.
587  *
588  * \retval 1 on success.
589  * \retval 0 on failure.
590  */
591 static int ValidityTestParse14 (void)
592 {
593  DetectNfsProcedureData *dd = NULL;
594  dd = DetectNfsProcedureParse("< 1490000000 ");
595  FAIL_IF_NULL(dd);
596  FAIL_IF_NOT(dd->lo == 1490000000 && dd->mode == PROCEDURE_LT);
597  DetectNfsProcedureFree(dd);
598  PASS;
599 }
600 
601 /**
602  * \test This is a test for a valid value 1490000000.
603  *
604  * \retval 1 on success.
605  * \retval 0 on failure.
606  */
607 static int ValidityTestParse15 (void)
608 {
609  DetectNfsProcedureData *dd = NULL;
610  dd = DetectNfsProcedureParse(" 1490000000 ");
611  FAIL_IF_NULL(dd);
612  FAIL_IF_NOT(dd->lo == 1490000000 && dd->mode == PROCEDURE_EQ);
613  DetectNfsProcedureFree(dd);
614  PASS;
615 }
616 
617 #endif /* UNITTESTS */
618 
619 /**
620  * \brief Register unit tests for nfs_procedure.
621  */
622 void DetectNfsProcedureRegisterTests(void)
623 {
624 #ifdef UNITTESTS /* UNITTESTS */
625  UtRegisterTest("ValidityTestParse01", ValidityTestParse01);
626  UtRegisterTest("ValidityTestParse02", ValidityTestParse02);
627  UtRegisterTest("ValidityTestParse03", ValidityTestParse03);
628  UtRegisterTest("ValidityTestParse04", ValidityTestParse04);
629  UtRegisterTest("ValidityTestParse05", ValidityTestParse05);
630  UtRegisterTest("ValidityTestParse06", ValidityTestParse06);
631  UtRegisterTest("ValidityTestParse07", ValidityTestParse07);
632  UtRegisterTest("ValidityTestParse08", ValidityTestParse08);
633  UtRegisterTest("ValidityTestParse09", ValidityTestParse09);
634  UtRegisterTest("ValidityTestParse10", ValidityTestParse10);
635  UtRegisterTest("ValidityTestParse11", ValidityTestParse11);
636  UtRegisterTest("ValidityTestParse12", ValidityTestParse12);
637  UtRegisterTest("ValidityTestParse13", ValidityTestParse13);
638  UtRegisterTest("ValidityTestParse14", ValidityTestParse14);
639  UtRegisterTest("ValidityTestParse15", ValidityTestParse15);
640 #endif /* UNITTESTS */
641 }
642 #endif /* HAVE_RUST */
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1403
uint16_t flags
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1146
int(* AppLayerTxMatch)(ThreadVars *, DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1132
#define SCLogDebug(...)
Definition: util-debug.h:335
#define MAX_SUBSTRINGS
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
#define PASS
Pass the test.
#define unlikely(expr)
Definition: util-optimize.h:35
Data needed for Match()
Definition: detect.h:333
const char * name
Definition: detect.h:1160
int DetectEngineInspectGenericList(ThreadVars *tv, const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, const uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Signature container.
Definition: detect.h:492
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:319
main detection engine ctx
Definition: detect.h:720
int DetectBufferTypeGetByName(const char *name)
#define str(s)
#define SCCalloc(nm, a)
Definition: util-mem.h:205
void(* Free)(void *)
Definition: detect.h:1151
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
void DetectSetupParseRegexes(const char *parse_str, pcre **parse_regex, pcre_extra **parse_regex_study)
#define SIG_FLAG_TOSERVER
Definition: detect.h:243
#define SCEnter(...)
Definition: util-debug.h:337
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
uint8_t type
Definition: detect.h:325
#define SCReturnInt(x)
Definition: util-debug.h:341
const char * desc
Definition: detect.h:1162
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:282
SigMatchCtx * ctx
Definition: detect.h:327
#define SCFree(a)
Definition: util-mem.h:236
PoolThreadReserved res
uint16_t tx_id
int(* Match)(ThreadVars *, DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1129
const char * url
Definition: detect.h:1163
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
#define DOC_URL
Definition: suricata.h:86
void DetectNfsProcedureRegister(void)
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:226
Per thread variable structure.
Definition: threadvars.h:57
#define PARSE_REGEX
#define DOC_VERSION
Definition: suricata.h:91
Flow data structure.
Definition: flow.h:327
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback)
register inspect engine at start up time
void(* RegisterTests)(void)
Definition: detect.h:1152
a single match condition for a signature
Definition: detect.h:324
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
Definition: util-unittest.h:82