suricata
detect-nfs-procedure.c
Go to the documentation of this file.
1 /* Copyright (C) 2017-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  */
23 
24 #include "suricata-common.h"
25 #include "threads.h"
26 #include "debug.h"
27 #include "decode.h"
28 #include "detect.h"
29 
30 #include "detect-parse.h"
31 #include "detect-engine.h"
32 #include "detect-engine-mpm.h"
33 #include "detect-content.h"
34 #include "detect-pcre.h"
35 #include "detect-nfs-procedure.h"
36 
37 #include "app-layer-parser.h"
38 
39 #include "flow.h"
40 #include "flow-util.h"
41 #include "flow-var.h"
42 
43 #include "util-unittest.h"
44 #include "util-unittest-helper.h"
45 #include "util-byte.h"
46 
47 #include "app-layer-nfs-tcp.h"
48 #include "rust.h"
49 
50 /**
51  * [nfs_procedure]:[<|>]<proc>[<><proc>];
52  */
53 #define PARSE_REGEX "^\\s*(<=|>=|<|>)?\\s*([0-9]+)\\s*(?:(<>)\\s*([0-9]+))?\\s*$"
54 static DetectParseRegex parse_regex;
55 
57  PROCEDURE_EQ = 1, /* equal */
58  PROCEDURE_LT, /* less than */
59  PROCEDURE_LE, /* less than */
60  PROCEDURE_GT, /* greater than */
61  PROCEDURE_GE, /* greater than */
62  PROCEDURE_RA, /* range */
63 };
64 
65 typedef struct DetectNfsProcedureData_ {
66  uint32_t lo;
67  uint32_t hi;
70 
71 static DetectNfsProcedureData *DetectNfsProcedureParse (const char *);
72 static int DetectNfsProcedureSetup (DetectEngineCtx *, Signature *s, const char *str);
73 static void DetectNfsProcedureFree(DetectEngineCtx *, void *);
74 #ifdef UNITTESTS
75 static void DetectNfsProcedureRegisterTests(void);
76 #endif
77 static int g_nfs_request_buffer_id = 0;
78 
79 static int DetectEngineInspectNfsRequestGeneric(DetectEngineCtx *de_ctx,
80  DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine,
81  const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id);
82 
83 static int DetectNfsProcedureMatch (DetectEngineThreadCtx *, Flow *,
84  uint8_t, void *, void *, const Signature *,
85  const SigMatchCtx *);
86 
87 /**
88  * \brief Registration function for nfs_procedure keyword.
89  */
91 {
92  sigmatch_table[DETECT_AL_NFS_PROCEDURE].name = "nfs_procedure";
93  sigmatch_table[DETECT_AL_NFS_PROCEDURE].desc = "match NFS procedure";
94  sigmatch_table[DETECT_AL_NFS_PROCEDURE].url = "/rules/nfs-keywords.html#procedure";
96  sigmatch_table[DETECT_AL_NFS_PROCEDURE].AppLayerTxMatch = DetectNfsProcedureMatch;
97  sigmatch_table[DETECT_AL_NFS_PROCEDURE].Setup = DetectNfsProcedureSetup;
98  sigmatch_table[DETECT_AL_NFS_PROCEDURE].Free = DetectNfsProcedureFree;
99 #ifdef UNITTESTS
100  sigmatch_table[DETECT_AL_NFS_PROCEDURE].RegisterTests = DetectNfsProcedureRegisterTests;
101 #endif
102 
103  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
104 
106  DetectEngineInspectNfsRequestGeneric, NULL);
107 
108  g_nfs_request_buffer_id = DetectBufferTypeGetByName("nfs_request");
109 
110  SCLogDebug("g_nfs_request_buffer_id %d", g_nfs_request_buffer_id);
111 }
112 
113 static int DetectEngineInspectNfsRequestGeneric(DetectEngineCtx *de_ctx,
114  DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine,
115  const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
116 {
118  de_ctx, det_ctx, s, engine->smd, f, flags, alstate, txv, tx_id);
119 }
120 
121 static inline int
122 ProcedureMatch(const uint32_t procedure,
123  enum DetectNfsProcedureMode mode, uint32_t lo, uint32_t hi)
124 {
125  switch (mode) {
126  case PROCEDURE_EQ:
127  if (procedure == lo)
128  SCReturnInt(1);
129  break;
130  case PROCEDURE_LT:
131  if (procedure < lo)
132  SCReturnInt(1);
133  break;
134  case PROCEDURE_LE:
135  if (procedure <= lo)
136  SCReturnInt(1);
137  break;
138  case PROCEDURE_GT:
139  if (procedure > lo)
140  SCReturnInt(1);
141  break;
142  case PROCEDURE_GE:
143  if (procedure >= lo)
144  SCReturnInt(1);
145  break;
146  case PROCEDURE_RA:
147  if (procedure >= lo && procedure <= hi)
148  SCReturnInt(1);
149  break;
150  }
151  SCReturnInt(0);
152 }
153 
154 /**
155  * \internal
156  * \brief Function to match procedure of a TX
157  *
158  * For 'file txs'
159  *
160  * \param t Pointer to thread vars.
161  * \param det_ctx Pointer to the pattern matcher thread.
162  * \param f Pointer to the current flow.
163  * \param flags Flags.
164  * \param state App layer state.
165  * \param s Pointer to the Signature.
166  * \param m Pointer to the sigmatch that we will cast into
167  * DetectNfsProcedureData.
168  *
169  * \retval 0 no match.
170  * \retval 1 match.
171  */
172 static int DetectNfsProcedureMatch (DetectEngineThreadCtx *det_ctx,
173  Flow *f, uint8_t flags, void *state,
174  void *txv, const Signature *s,
175  const SigMatchCtx *ctx)
176 {
177  SCEnter();
178 
179  const DetectNfsProcedureData *dd = (const DetectNfsProcedureData *)ctx;
180  uint16_t i;
181  for (i = 0; i < 256; i++) {
182  uint32_t procedure;
183  if (rs_nfs_tx_get_procedures(txv, i, &procedure) == 1) {
184  SCLogDebug("proc %u mode %u lo %u hi %u",
185  procedure, dd->mode, dd->lo, dd->hi);
186  if (ProcedureMatch(procedure, dd->mode, dd->lo, dd->hi))
187  SCReturnInt(1);
188  continue;
189  }
190  break;
191  }
192  SCReturnInt(0);
193 }
194 
195 /**
196  * \internal
197  * \brief Function to parse options passed via tls validity keywords.
198  *
199  * \param rawstr Pointer to the user provided options.
200  *
201  * \retval dd pointer to DetectNfsProcedureData on success.
202  * \retval NULL on failure.
203  */
204 static DetectNfsProcedureData *DetectNfsProcedureParse (const char *rawstr)
205 {
206  DetectNfsProcedureData *dd = NULL;
207  int ret = 0, res = 0;
208  size_t pcre2len;
209  char mode[2] = "";
210  char value1[20] = "";
211  char value2[20] = "";
212  char range[3] = "";
213 
214  ret = DetectParsePcreExec(&parse_regex, rawstr, 0, 0);
215  if (ret < 3 || ret > 5) {
216  SCLogError(SC_ERR_PCRE_MATCH, "Parse error %s", rawstr);
217  goto error;
218  }
219 
220  pcre2len = sizeof(mode);
221  res = SC_Pcre2SubstringCopy(parse_regex.match, 1, (PCRE2_UCHAR8 *)mode, &pcre2len);
222  if (res < 0) {
223  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre2_substring_copy_bynumber failed");
224  goto error;
225  }
226  SCLogDebug("mode \"%s\"", mode);
227 
228  pcre2len = sizeof(value1);
229  res = pcre2_substring_copy_bynumber(parse_regex.match, 2, (PCRE2_UCHAR8 *)value1, &pcre2len);
230  if (res < 0) {
231  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre2_substring_copy_bynumber failed");
232  goto error;
233  }
234  SCLogDebug("value1 \"%s\"", value1);
235 
236  if (ret > 3) {
237  pcre2len = sizeof(range);
238  res = pcre2_substring_copy_bynumber(parse_regex.match, 3, (PCRE2_UCHAR8 *)range, &pcre2len);
239  if (res < 0) {
240  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre2_substring_copy_bynumber failed");
241  goto error;
242  }
243  SCLogDebug("range \"%s\"", range);
244 
245  if (ret > 4) {
246  pcre2len = sizeof(value2);
247  res = pcre2_substring_copy_bynumber(
248  parse_regex.match, 4, (PCRE2_UCHAR8 *)value2, &pcre2len);
249  if (res < 0) {
250  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre2_substring_copy_bynumber failed");
251  goto error;
252  }
253  SCLogDebug("value2 \"%s\"", value2);
254  }
255  }
256 
257  dd = SCCalloc(1, sizeof(DetectNfsProcedureData));
258  if (unlikely(dd == NULL))
259  goto error;
260 
261  if (strlen(mode) == 1) {
262  if (mode[0] == '<')
263  dd->mode = PROCEDURE_LT;
264  else if (mode[0] == '>')
265  dd->mode = PROCEDURE_GT;
266  } else if (strlen(mode) == 2) {
267  if (strcmp(mode, "<=") == 0)
268  dd->mode = PROCEDURE_LE;
269  if (strcmp(mode, ">=") == 0)
270  dd->mode = PROCEDURE_GE;
271  }
272 
273  if (strlen(range) > 0) {
274  if (strcmp("<>", range) == 0)
275  dd->mode = PROCEDURE_RA;
276  }
277 
278  if (strlen(range) != 0 && strlen(mode) != 0) {
280  "Range specified but mode also set");
281  goto error;
282  }
283 
284  if (dd->mode == 0) {
285  dd->mode = PROCEDURE_EQ;
286  }
287 
288  /* set the first value */
289  if (StringParseUint32(&dd->lo, 10, 0, (const char *)value1) < 0) {
290  SCLogError(SC_ERR_INVALID_ARGUMENT, "Invalid first value: \"%s\"", value1);
291  goto error;
292  }
293  /* set the second value if specified */
294  if (strlen(value2) > 0) {
295  if (!(dd->mode == PROCEDURE_RA)) {
297  "Multiple tls validity values specified but mode is not range");
298  goto error;
299  }
300 
301  if (StringParseUint32(&dd->hi, 10, 0, (const char *)value2) < 0) {
302  SCLogError(SC_ERR_INVALID_ARGUMENT, "Invalid second value: \"%s\"", value2);
303  goto error;
304  }
305 
306  if (dd->hi <= dd->lo) {
308  "Second value in range must not be smaller than the first");
309  goto error;
310  }
311  }
312  return dd;
313 
314 error:
315  if (dd)
316  SCFree(dd);
317  return NULL;
318 }
319 
320 
321 
322 /**
323  * \brief Function to add the parsed tls validity field into the current signature.
324  *
325  * \param de_ctx Pointer to the Detection Engine Context.
326  * \param s Pointer to the Current Signature.
327  * \param rawstr Pointer to the user provided flags options.
328  * \param type Defines if this is notBefore or notAfter.
329  *
330  * \retval 0 on Success.
331  * \retval -1 on Failure.
332  */
333 static int DetectNfsProcedureSetup (DetectEngineCtx *de_ctx, Signature *s,
334  const char *rawstr)
335 {
336  DetectNfsProcedureData *dd = NULL;
337  SigMatch *sm = NULL;
338 
339  SCLogDebug("\'%s\'", rawstr);
340 
342  return -1;
343 
344  dd = DetectNfsProcedureParse(rawstr);
345  if (dd == NULL) {
346  SCLogError(SC_ERR_INVALID_ARGUMENT,"Parsing \'%s\' failed", rawstr);
347  goto error;
348  }
349 
350  /* okay so far so good, lets get this into a SigMatch
351  * and put it in the Signature. */
352  sm = SigMatchAlloc();
353  if (sm == NULL)
354  goto error;
355 
357  sm->ctx = (void *)dd;
358 
359  SCLogDebug("low %u hi %u", dd->lo, dd->hi);
360  SigMatchAppendSMToList(s, sm, g_nfs_request_buffer_id);
361  return 0;
362 
363 error:
364  DetectNfsProcedureFree(de_ctx, dd);
365  return -1;
366 }
367 
368 /**
369  * \internal
370  * \brief Function to free memory associated with DetectNfsProcedureData.
371  *
372  * \param de_ptr Pointer to DetectNfsProcedureData.
373  */
374 void DetectNfsProcedureFree(DetectEngineCtx *de_ctx, void *ptr)
375 {
376  SCFree(ptr);
377 }
378 
379 #ifdef UNITTESTS
380 
381 /**
382  * \test This is a test for a valid value 1430000000.
383  *
384  * \retval 1 on success.
385  * \retval 0 on failure.
386  */
387 static int ValidityTestParse01 (void)
388 {
389  DetectNfsProcedureData *dd = NULL;
390  dd = DetectNfsProcedureParse("1430000000");
391  FAIL_IF_NULL(dd);
392  FAIL_IF_NOT(dd->lo == 1430000000 && dd->mode == PROCEDURE_EQ);
393  DetectNfsProcedureFree(NULL, dd);
394  PASS;
395 }
396 
397 /**
398  * \test This is a test for a valid value >1430000000.
399  *
400  * \retval 1 on success.
401  * \retval 0 on failure.
402  */
403 static int ValidityTestParse02 (void)
404 {
405  DetectNfsProcedureData *dd = NULL;
406  dd = DetectNfsProcedureParse(">1430000000");
407  FAIL_IF_NULL(dd);
408  FAIL_IF_NOT(dd->lo == 1430000000 && dd->mode == PROCEDURE_GT);
409  DetectNfsProcedureFree(NULL, dd);
410  PASS;
411 }
412 
413 /**
414  * \test This is a test for a valid value <1430000000.
415  *
416  * \retval 1 on success.
417  * \retval 0 on failure.
418  */
419 static int ValidityTestParse03 (void)
420 {
421  DetectNfsProcedureData *dd = NULL;
422  dd = DetectNfsProcedureParse("<1430000000");
423  FAIL_IF_NULL(dd);
424  FAIL_IF_NOT(dd->lo == 1430000000 && dd->mode == PROCEDURE_LT);
425  DetectNfsProcedureFree(NULL, dd);
426  PASS;
427 }
428 
429 /**
430  * \test This is a test for a valid value 1430000000<>1470000000.
431  *
432  * \retval 1 on success.
433  * \retval 0 on failure.
434  */
435 static int ValidityTestParse04 (void)
436 {
437  DetectNfsProcedureData *dd = NULL;
438  dd = DetectNfsProcedureParse("1430000000<>1470000000");
439  FAIL_IF_NULL(dd);
440  FAIL_IF_NOT(dd->lo == 1430000000 && dd->hi == 1470000000 &&
441  dd->mode == PROCEDURE_RA);
442  DetectNfsProcedureFree(NULL, dd);
443  PASS;
444 }
445 
446 /**
447  * \test This is a test for a invalid value A.
448  *
449  * \retval 1 on success.
450  * \retval 0 on failure.
451  */
452 static int ValidityTestParse05 (void)
453 {
454  DetectNfsProcedureData *dd = NULL;
455  dd = DetectNfsProcedureParse("A");
456  FAIL_IF_NOT_NULL(dd);
457  PASS;
458 }
459 
460 /**
461  * \test This is a test for a invalid value >1430000000<>1470000000.
462  *
463  * \retval 1 on success.
464  * \retval 0 on failure.
465  */
466 static int ValidityTestParse06 (void)
467 {
468  DetectNfsProcedureData *dd = NULL;
469  dd = DetectNfsProcedureParse(">1430000000<>1470000000");
470  FAIL_IF_NOT_NULL(dd);
471  PASS;
472 }
473 
474 /**
475  * \test This is a test for a invalid value 1430000000<>.
476  *
477  * \retval 1 on success.
478  * \retval 0 on failure.
479  */
480 static int ValidityTestParse07 (void)
481 {
482  DetectNfsProcedureData *dd = NULL;
483  dd = DetectNfsProcedureParse("1430000000<>");
484  FAIL_IF_NOT_NULL(dd);
485  PASS;
486 }
487 
488 /**
489  * \test This is a test for a invalid value <>1430000000.
490  *
491  * \retval 1 on success.
492  * \retval 0 on failure.
493  */
494 static int ValidityTestParse08 (void)
495 {
496  DetectNfsProcedureData *dd = NULL;
497  dd = DetectNfsProcedureParse("<>1430000000");
498  FAIL_IF_NOT_NULL(dd);
499  PASS;
500 }
501 
502 /**
503  * \test This is a test for a invalid value "".
504  *
505  * \retval 1 on success.
506  * \retval 0 on failure.
507  */
508 static int ValidityTestParse09 (void)
509 {
510  DetectNfsProcedureData *dd = NULL;
511  dd = DetectNfsProcedureParse("");
512  FAIL_IF_NOT_NULL(dd);
513  PASS;
514 }
515 
516 /**
517  * \test This is a test for a invalid value " ".
518  *
519  * \retval 1 on success.
520  * \retval 0 on failure.
521  */
522 static int ValidityTestParse10 (void)
523 {
524  DetectNfsProcedureData *dd = NULL;
525  dd = DetectNfsProcedureParse(" ");
526  FAIL_IF_NOT_NULL(dd);
527  PASS;
528 }
529 
530 /**
531  * \test This is a test for a invalid value 1490000000<>1430000000.
532  *
533  * \retval 1 on success.
534  * \retval 0 on failure.
535  */
536 static int ValidityTestParse11 (void)
537 {
538  DetectNfsProcedureData *dd = NULL;
539  dd = DetectNfsProcedureParse("1490000000<>1430000000");
540  FAIL_IF_NOT_NULL(dd);
541  PASS;
542 }
543 
544 /**
545  * \test This is a test for a valid value 1430000000 <> 1490000000.
546  *
547  * \retval 1 on success.
548  * \retval 0 on failure.
549  */
550 static int ValidityTestParse12 (void)
551 {
552  DetectNfsProcedureData *dd = NULL;
553  dd = DetectNfsProcedureParse("1430000000 <> 1490000000");
554  FAIL_IF_NULL(dd);
555  FAIL_IF_NOT(dd->lo == 1430000000 && dd->hi == 1490000000 &&
556  dd->mode == PROCEDURE_RA);
557  DetectNfsProcedureFree(NULL, dd);
558  PASS;
559 }
560 
561 /**
562  * \test This is a test for a valid value > 1430000000.
563  *
564  * \retval 1 on success.
565  * \retval 0 on failure.
566  */
567 static int ValidityTestParse13 (void)
568 {
569  DetectNfsProcedureData *dd = NULL;
570  dd = DetectNfsProcedureParse("> 1430000000 ");
571  FAIL_IF_NULL(dd);
572  FAIL_IF_NOT(dd->lo == 1430000000 && dd->mode == PROCEDURE_GT);
573  DetectNfsProcedureFree(NULL, dd);
574  PASS;
575 }
576 
577 /**
578  * \test This is a test for a valid value < 1490000000.
579  *
580  * \retval 1 on success.
581  * \retval 0 on failure.
582  */
583 static int ValidityTestParse14 (void)
584 {
585  DetectNfsProcedureData *dd = NULL;
586  dd = DetectNfsProcedureParse("< 1490000000 ");
587  FAIL_IF_NULL(dd);
588  FAIL_IF_NOT(dd->lo == 1490000000 && dd->mode == PROCEDURE_LT);
589  DetectNfsProcedureFree(NULL, dd);
590  PASS;
591 }
592 
593 /**
594  * \test This is a test for a valid value 1490000000.
595  *
596  * \retval 1 on success.
597  * \retval 0 on failure.
598  */
599 static int ValidityTestParse15 (void)
600 {
601  DetectNfsProcedureData *dd = NULL;
602  dd = DetectNfsProcedureParse(" 1490000000 ");
603  FAIL_IF_NULL(dd);
604  FAIL_IF_NOT(dd->lo == 1490000000 && dd->mode == PROCEDURE_EQ);
605  DetectNfsProcedureFree(NULL, dd);
606  PASS;
607 }
608 
609 /**
610  * \brief Register unit tests for nfs_procedure.
611  */
612 void DetectNfsProcedureRegisterTests(void)
613 {
614  UtRegisterTest("ValidityTestParse01", ValidityTestParse01);
615  UtRegisterTest("ValidityTestParse02", ValidityTestParse02);
616  UtRegisterTest("ValidityTestParse03", ValidityTestParse03);
617  UtRegisterTest("ValidityTestParse04", ValidityTestParse04);
618  UtRegisterTest("ValidityTestParse05", ValidityTestParse05);
619  UtRegisterTest("ValidityTestParse06", ValidityTestParse06);
620  UtRegisterTest("ValidityTestParse07", ValidityTestParse07);
621  UtRegisterTest("ValidityTestParse08", ValidityTestParse08);
622  UtRegisterTest("ValidityTestParse09", ValidityTestParse09);
623  UtRegisterTest("ValidityTestParse10", ValidityTestParse10);
624  UtRegisterTest("ValidityTestParse11", ValidityTestParse11);
625  UtRegisterTest("ValidityTestParse12", ValidityTestParse12);
626  UtRegisterTest("ValidityTestParse13", ValidityTestParse13);
627  UtRegisterTest("ValidityTestParse14", ValidityTestParse14);
628  UtRegisterTest("ValidityTestParse15", ValidityTestParse15);
629 }
630 #endif /* UNITTESTS */
util-byte.h
DetectParseRegex::match
pcre2_match_data * match
Definition: detect-parse.h:45
DetectEngineAppInspectionEngine_
Definition: detect.h:398
SigTableElmt_::url
const char * url
Definition: detect.h:1252
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1489
detect-content.h
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SigTableElmt_::desc
const char * desc
Definition: detect.h:1251
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options)
Definition: detect-parse.c:2467
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1239
flow-util.h
DetectEngineInspectGenericList
int DetectEngineInspectGenericList(const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, const uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1947
DetectParseRegex
Definition: detect-parse.h:42
SigTableElmt_::name
const char * name
Definition: detect.h:1249
PROCEDURE_RA
@ PROCEDURE_RA
Definition: detect-nfs-procedure.c:62
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
PROCEDURE_GT
@ PROCEDURE_GT
Definition: detect-nfs-procedure.c:60
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
DETECT_AL_NFS_PROCEDURE
@ DETECT_AL_NFS_PROCEDURE
Definition: detect-engine-register.h:161
threads.h
Flow_
Flow data structure.
Definition: flow.h:353
DetectNfsProcedureData
struct DetectNfsProcedureData_ DetectNfsProcedureData
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:801
PROCEDURE_LT
@ PROCEDURE_LT
Definition: detect-nfs-procedure.c:58
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1220
rust.h
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
DetectNfsProcedureMode
DetectNfsProcedureMode
Definition: detect-nfs-procedure.c:56
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1234
detect-pcre.h
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1083
DetectNfsProcedureData_
Definition: detect-nfs-procedure.c:65
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:236
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-nfs-procedure.c:53
DetectEngineThreadCtx_
Definition: detect.h:1050
res
PoolThreadReserved res
Definition: stream-tcp-private.h:0
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2590
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
detect-engine-mpm.h
detect.h
SC_ERR_INVALID_ARGUMENT
@ SC_ERR_INVALID_ARGUMENT
Definition: util-error.h:43
app-layer-parser.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:324
DetectNfsProcedureData_::lo
uint32_t lo
Definition: detect-nfs-procedure.c:66
DetectAppLayerInspectEngineRegister2
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
Definition: detect-engine.c:224
detect-nfs-procedure.h
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1217
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
PROCEDURE_GE
@ PROCEDURE_GE
Definition: detect-nfs-procedure.c:61
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:316
DetectEngineAppInspectionEngine_::smd
SigMatchData * smd
Definition: detect.h:415
StringParseUint32
int StringParseUint32(uint32_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:313
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:322
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
DetectNfsProcedureRegister
void DetectNfsProcedureRegister(void)
Registration function for nfs_procedure keyword.
Definition: detect-nfs-procedure.c:90
str
#define str(s)
Definition: suricata-common.h:272
SCFree
#define SCFree(p)
Definition: util-mem.h:61
PROCEDURE_EQ
@ PROCEDURE_EQ
Definition: detect-nfs-procedure.c:57
detect-parse.h
Signature_
Signature container.
Definition: detect.h:546
SigMatch_
a single match condition for a signature
Definition: detect.h:321
SC_Pcre2SubstringCopy
int SC_Pcre2SubstringCopy(pcre2_match_data *match_data, uint32_t number, PCRE2_UCHAR *buffer, PCRE2_SIZE *bufflen)
Definition: detect-parse.c:2566
PROCEDURE_LE
@ PROCEDURE_LE
Definition: detect-nfs-procedure.c:59
DetectNfsProcedureData_::mode
enum DetectNfsProcedureMode mode
Definition: detect-nfs-procedure.c:68
flow.h
DetectNfsProcedureData_::hi
uint32_t hi
Definition: detect-nfs-procedure.c:67
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
flow-var.h
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
ALPROTO_NFS
@ ALPROTO_NFS
Definition: app-layer-protos.h:45
debug.h
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1241
app-layer-nfs-tcp.h