suricata
detect-nfs-procedure.c
Go to the documentation of this file.
1 /* Copyright (C) 2017-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  */
23 
24 #include "suricata-common.h"
25 #include "threads.h"
26 #include "debug.h"
27 #include "decode.h"
28 #include "detect.h"
29 
30 #include "detect-parse.h"
31 #include "detect-engine.h"
32 #include "detect-engine-mpm.h"
33 #include "detect-content.h"
34 #include "detect-pcre.h"
35 #include "detect-nfs-procedure.h"
36 
37 #include "app-layer-parser.h"
38 
39 #include "flow.h"
40 #include "flow-util.h"
41 #include "flow-var.h"
42 
43 #include "util-unittest.h"
44 #include "util-unittest-helper.h"
45 #include "util-byte.h"
46 
47 #include "app-layer-nfs-tcp.h"
48 #include "rust.h"
49 
50 /**
51  * [nfs_procedure]:[<|>]<proc>[<><proc>];
52  */
53 #define PARSE_REGEX "^\\s*(<=|>=|<|>)?\\s*([0-9]+)\\s*(?:(<>)\\s*([0-9]+))?\\s*$"
54 static DetectParseRegex parse_regex;
55 
57  PROCEDURE_EQ = 1, /* equal */
58  PROCEDURE_LT, /* less than */
59  PROCEDURE_LE, /* less than */
60  PROCEDURE_GT, /* greater than */
61  PROCEDURE_GE, /* greater than */
62  PROCEDURE_RA, /* range */
63 };
64 
65 typedef struct DetectNfsProcedureData_ {
66  uint32_t lo;
67  uint32_t hi;
70 
71 static DetectNfsProcedureData *DetectNfsProcedureParse (const char *);
72 static int DetectNfsProcedureSetup (DetectEngineCtx *, Signature *s, const char *str);
73 static void DetectNfsProcedureFree(DetectEngineCtx *, void *);
74 #ifdef UNITTESTS
75 static void DetectNfsProcedureRegisterTests(void);
76 #endif
77 static int g_nfs_request_buffer_id = 0;
78 
79 static int DetectEngineInspectNfsRequestGeneric(ThreadVars *tv,
81  const Signature *s, const SigMatchData *smd,
82  Flow *f, uint8_t flags, void *alstate,
83  void *txv, uint64_t tx_id);
84 
85 static int DetectNfsProcedureMatch (DetectEngineThreadCtx *, Flow *,
86  uint8_t, void *, void *, const Signature *,
87  const SigMatchCtx *);
88 
89 /**
90  * \brief Registration function for nfs_procedure keyword.
91  */
93 {
94  sigmatch_table[DETECT_AL_NFS_PROCEDURE].name = "nfs_procedure";
95  sigmatch_table[DETECT_AL_NFS_PROCEDURE].desc = "match NFS procedure";
96  sigmatch_table[DETECT_AL_NFS_PROCEDURE].url = "/rules/nfs-keywords.html#procedure";
98  sigmatch_table[DETECT_AL_NFS_PROCEDURE].AppLayerTxMatch = DetectNfsProcedureMatch;
99  sigmatch_table[DETECT_AL_NFS_PROCEDURE].Setup = DetectNfsProcedureSetup;
100  sigmatch_table[DETECT_AL_NFS_PROCEDURE].Free = DetectNfsProcedureFree;
101 #ifdef UNITTESTS
102  sigmatch_table[DETECT_AL_NFS_PROCEDURE].RegisterTests = DetectNfsProcedureRegisterTests;
103 #endif
104 
105  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
106 
109  DetectEngineInspectNfsRequestGeneric);
110 
111  g_nfs_request_buffer_id = DetectBufferTypeGetByName("nfs_request");
112 
113  SCLogDebug("g_nfs_request_buffer_id %d", g_nfs_request_buffer_id);
114 }
115 
116 static int DetectEngineInspectNfsRequestGeneric(ThreadVars *tv,
118  const Signature *s, const SigMatchData *smd,
119  Flow *f, uint8_t flags, void *alstate,
120  void *txv, uint64_t tx_id)
121 {
122  return DetectEngineInspectGenericList(tv, de_ctx, det_ctx, s, smd,
123  f, flags, alstate, txv, tx_id);
124 }
125 
126 static inline int
127 ProcedureMatch(const uint32_t procedure,
128  enum DetectNfsProcedureMode mode, uint32_t lo, uint32_t hi)
129 {
130  switch (mode) {
131  case PROCEDURE_EQ:
132  if (procedure == lo)
133  SCReturnInt(1);
134  break;
135  case PROCEDURE_LT:
136  if (procedure < lo)
137  SCReturnInt(1);
138  break;
139  case PROCEDURE_LE:
140  if (procedure <= lo)
141  SCReturnInt(1);
142  break;
143  case PROCEDURE_GT:
144  if (procedure > lo)
145  SCReturnInt(1);
146  break;
147  case PROCEDURE_GE:
148  if (procedure >= lo)
149  SCReturnInt(1);
150  break;
151  case PROCEDURE_RA:
152  if (procedure >= lo && procedure <= hi)
153  SCReturnInt(1);
154  break;
155  }
156  SCReturnInt(0);
157 }
158 
159 /**
160  * \internal
161  * \brief Function to match procedure of a TX
162  *
163  * For 'file txs'
164  *
165  * \param t Pointer to thread vars.
166  * \param det_ctx Pointer to the pattern matcher thread.
167  * \param f Pointer to the current flow.
168  * \param flags Flags.
169  * \param state App layer state.
170  * \param s Pointer to the Signature.
171  * \param m Pointer to the sigmatch that we will cast into
172  * DetectNfsProcedureData.
173  *
174  * \retval 0 no match.
175  * \retval 1 match.
176  */
177 static int DetectNfsProcedureMatch (DetectEngineThreadCtx *det_ctx,
178  Flow *f, uint8_t flags, void *state,
179  void *txv, const Signature *s,
180  const SigMatchCtx *ctx)
181 {
182  SCEnter();
183 
184  const DetectNfsProcedureData *dd = (const DetectNfsProcedureData *)ctx;
185  uint16_t i;
186  for (i = 0; i < 256; i++) {
187  uint32_t procedure;
188  if (rs_nfs_tx_get_procedures(txv, i, &procedure) == 1) {
189  SCLogDebug("proc %u mode %u lo %u hi %u",
190  procedure, dd->mode, dd->lo, dd->hi);
191  if (ProcedureMatch(procedure, dd->mode, dd->lo, dd->hi))
192  SCReturnInt(1);
193  continue;
194  }
195  break;
196  }
197  SCReturnInt(0);
198 }
199 
200 /**
201  * \internal
202  * \brief Function to parse options passed via tls validity keywords.
203  *
204  * \param rawstr Pointer to the user provided options.
205  *
206  * \retval dd pointer to DetectNfsProcedureData on success.
207  * \retval NULL on failure.
208  */
209 static DetectNfsProcedureData *DetectNfsProcedureParse (const char *rawstr)
210 {
211  DetectNfsProcedureData *dd = NULL;
212  int ret = 0, res = 0;
213  int ov[MAX_SUBSTRINGS];
214  char mode[2] = "";
215  char value1[20] = "";
216  char value2[20] = "";
217  char range[3] = "";
218 
219  ret = DetectParsePcreExec(&parse_regex, rawstr, 0, 0, ov, MAX_SUBSTRINGS);
220  if (ret < 3 || ret > 5) {
221  SCLogError(SC_ERR_PCRE_MATCH, "Parse error %s", rawstr);
222  goto error;
223  }
224 
225  res = pcre_copy_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 1, mode,
226  sizeof(mode));
227  if (res < 0) {
228  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
229  goto error;
230  }
231  SCLogDebug("mode \"%s\"", mode);
232 
233  res = pcre_copy_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 2, value1,
234  sizeof(value1));
235  if (res < 0) {
236  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
237  goto error;
238  }
239  SCLogDebug("value1 \"%s\"", value1);
240 
241  if (ret > 3) {
242  res = pcre_copy_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 3,
243  range, sizeof(range));
244  if (res < 0) {
245  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
246  goto error;
247  }
248  SCLogDebug("range \"%s\"", range);
249 
250  if (ret > 4) {
251  res = pcre_copy_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 4,
252  value2, sizeof(value2));
253  if (res < 0) {
255  "pcre_copy_substring failed");
256  goto error;
257  }
258  SCLogDebug("value2 \"%s\"", value2);
259  }
260  }
261 
262  dd = SCCalloc(1, sizeof(DetectNfsProcedureData));
263  if (unlikely(dd == NULL))
264  goto error;
265 
266  if (strlen(mode) == 1) {
267  if (mode[0] == '<')
268  dd->mode = PROCEDURE_LT;
269  else if (mode[0] == '>')
270  dd->mode = PROCEDURE_GT;
271  } else if (strlen(mode) == 2) {
272  if (strcmp(mode, "<=") == 0)
273  dd->mode = PROCEDURE_LE;
274  if (strcmp(mode, ">=") == 0)
275  dd->mode = PROCEDURE_GE;
276  }
277 
278  if (strlen(range) > 0) {
279  if (strcmp("<>", range) == 0)
280  dd->mode = PROCEDURE_RA;
281  }
282 
283  if (strlen(range) != 0 && strlen(mode) != 0) {
285  "Range specified but mode also set");
286  goto error;
287  }
288 
289  if (dd->mode == 0) {
290  dd->mode = PROCEDURE_EQ;
291  }
292 
293  /* set the first value */
294  if (StringParseUint32(&dd->lo, 10, 0, (const char *)value1) < 0) {
295  SCLogError(SC_ERR_INVALID_ARGUMENT, "Invalid first value: \"%s\"", value1);
296  goto error;
297  }
298  /* set the second value if specified */
299  if (strlen(value2) > 0) {
300  if (!(dd->mode == PROCEDURE_RA)) {
302  "Multiple tls validity values specified but mode is not range");
303  goto error;
304  }
305 
306  if (StringParseUint32(&dd->hi, 10, 0, (const char *)value2) < 0) {
307  SCLogError(SC_ERR_INVALID_ARGUMENT, "Invalid second value: \"%s\"", value2);
308  goto error;
309  }
310 
311  if (dd->hi <= dd->lo) {
313  "Second value in range must not be smaller than the first");
314  goto error;
315  }
316  }
317  return dd;
318 
319 error:
320  if (dd)
321  SCFree(dd);
322  return NULL;
323 }
324 
325 
326 
327 /**
328  * \brief Function to add the parsed tls validity field into the current signature.
329  *
330  * \param de_ctx Pointer to the Detection Engine Context.
331  * \param s Pointer to the Current Signature.
332  * \param rawstr Pointer to the user provided flags options.
333  * \param type Defines if this is notBefore or notAfter.
334  *
335  * \retval 0 on Success.
336  * \retval -1 on Failure.
337  */
338 static int DetectNfsProcedureSetup (DetectEngineCtx *de_ctx, Signature *s,
339  const char *rawstr)
340 {
341  DetectNfsProcedureData *dd = NULL;
342  SigMatch *sm = NULL;
343 
344  SCLogDebug("\'%s\'", rawstr);
345 
347  return -1;
348 
349  dd = DetectNfsProcedureParse(rawstr);
350  if (dd == NULL) {
351  SCLogError(SC_ERR_INVALID_ARGUMENT,"Parsing \'%s\' failed", rawstr);
352  goto error;
353  }
354 
355  /* okay so far so good, lets get this into a SigMatch
356  * and put it in the Signature. */
357  sm = SigMatchAlloc();
358  if (sm == NULL)
359  goto error;
360 
362  sm->ctx = (void *)dd;
363 
364  SCLogDebug("low %u hi %u", dd->lo, dd->hi);
365  SigMatchAppendSMToList(s, sm, g_nfs_request_buffer_id);
366  return 0;
367 
368 error:
369  DetectNfsProcedureFree(de_ctx, dd);
370  return -1;
371 }
372 
373 /**
374  * \internal
375  * \brief Function to free memory associated with DetectNfsProcedureData.
376  *
377  * \param de_ptr Pointer to DetectNfsProcedureData.
378  */
379 void DetectNfsProcedureFree(DetectEngineCtx *de_ctx, void *ptr)
380 {
381  SCFree(ptr);
382 }
383 
384 #ifdef UNITTESTS
385 
386 /**
387  * \test This is a test for a valid value 1430000000.
388  *
389  * \retval 1 on success.
390  * \retval 0 on failure.
391  */
392 static int ValidityTestParse01 (void)
393 {
394  DetectNfsProcedureData *dd = NULL;
395  dd = DetectNfsProcedureParse("1430000000");
396  FAIL_IF_NULL(dd);
397  FAIL_IF_NOT(dd->lo == 1430000000 && dd->mode == PROCEDURE_EQ);
398  DetectNfsProcedureFree(NULL, dd);
399  PASS;
400 }
401 
402 /**
403  * \test This is a test for a valid value >1430000000.
404  *
405  * \retval 1 on success.
406  * \retval 0 on failure.
407  */
408 static int ValidityTestParse02 (void)
409 {
410  DetectNfsProcedureData *dd = NULL;
411  dd = DetectNfsProcedureParse(">1430000000");
412  FAIL_IF_NULL(dd);
413  FAIL_IF_NOT(dd->lo == 1430000000 && dd->mode == PROCEDURE_GT);
414  DetectNfsProcedureFree(NULL, dd);
415  PASS;
416 }
417 
418 /**
419  * \test This is a test for a valid value <1430000000.
420  *
421  * \retval 1 on success.
422  * \retval 0 on failure.
423  */
424 static int ValidityTestParse03 (void)
425 {
426  DetectNfsProcedureData *dd = NULL;
427  dd = DetectNfsProcedureParse("<1430000000");
428  FAIL_IF_NULL(dd);
429  FAIL_IF_NOT(dd->lo == 1430000000 && dd->mode == PROCEDURE_LT);
430  DetectNfsProcedureFree(NULL, dd);
431  PASS;
432 }
433 
434 /**
435  * \test This is a test for a valid value 1430000000<>1470000000.
436  *
437  * \retval 1 on success.
438  * \retval 0 on failure.
439  */
440 static int ValidityTestParse04 (void)
441 {
442  DetectNfsProcedureData *dd = NULL;
443  dd = DetectNfsProcedureParse("1430000000<>1470000000");
444  FAIL_IF_NULL(dd);
445  FAIL_IF_NOT(dd->lo == 1430000000 && dd->hi == 1470000000 &&
446  dd->mode == PROCEDURE_RA);
447  DetectNfsProcedureFree(NULL, dd);
448  PASS;
449 }
450 
451 /**
452  * \test This is a test for a invalid value A.
453  *
454  * \retval 1 on success.
455  * \retval 0 on failure.
456  */
457 static int ValidityTestParse05 (void)
458 {
459  DetectNfsProcedureData *dd = NULL;
460  dd = DetectNfsProcedureParse("A");
461  FAIL_IF_NOT_NULL(dd);
462  PASS;
463 }
464 
465 /**
466  * \test This is a test for a invalid value >1430000000<>1470000000.
467  *
468  * \retval 1 on success.
469  * \retval 0 on failure.
470  */
471 static int ValidityTestParse06 (void)
472 {
473  DetectNfsProcedureData *dd = NULL;
474  dd = DetectNfsProcedureParse(">1430000000<>1470000000");
475  FAIL_IF_NOT_NULL(dd);
476  PASS;
477 }
478 
479 /**
480  * \test This is a test for a invalid value 1430000000<>.
481  *
482  * \retval 1 on success.
483  * \retval 0 on failure.
484  */
485 static int ValidityTestParse07 (void)
486 {
487  DetectNfsProcedureData *dd = NULL;
488  dd = DetectNfsProcedureParse("1430000000<>");
489  FAIL_IF_NOT_NULL(dd);
490  PASS;
491 }
492 
493 /**
494  * \test This is a test for a invalid value <>1430000000.
495  *
496  * \retval 1 on success.
497  * \retval 0 on failure.
498  */
499 static int ValidityTestParse08 (void)
500 {
501  DetectNfsProcedureData *dd = NULL;
502  dd = DetectNfsProcedureParse("<>1430000000");
503  FAIL_IF_NOT_NULL(dd);
504  PASS;
505 }
506 
507 /**
508  * \test This is a test for a invalid value "".
509  *
510  * \retval 1 on success.
511  * \retval 0 on failure.
512  */
513 static int ValidityTestParse09 (void)
514 {
515  DetectNfsProcedureData *dd = NULL;
516  dd = DetectNfsProcedureParse("");
517  FAIL_IF_NOT_NULL(dd);
518  PASS;
519 }
520 
521 /**
522  * \test This is a test for a invalid value " ".
523  *
524  * \retval 1 on success.
525  * \retval 0 on failure.
526  */
527 static int ValidityTestParse10 (void)
528 {
529  DetectNfsProcedureData *dd = NULL;
530  dd = DetectNfsProcedureParse(" ");
531  FAIL_IF_NOT_NULL(dd);
532  PASS;
533 }
534 
535 /**
536  * \test This is a test for a invalid value 1490000000<>1430000000.
537  *
538  * \retval 1 on success.
539  * \retval 0 on failure.
540  */
541 static int ValidityTestParse11 (void)
542 {
543  DetectNfsProcedureData *dd = NULL;
544  dd = DetectNfsProcedureParse("1490000000<>1430000000");
545  FAIL_IF_NOT_NULL(dd);
546  PASS;
547 }
548 
549 /**
550  * \test This is a test for a valid value 1430000000 <> 1490000000.
551  *
552  * \retval 1 on success.
553  * \retval 0 on failure.
554  */
555 static int ValidityTestParse12 (void)
556 {
557  DetectNfsProcedureData *dd = NULL;
558  dd = DetectNfsProcedureParse("1430000000 <> 1490000000");
559  FAIL_IF_NULL(dd);
560  FAIL_IF_NOT(dd->lo == 1430000000 && dd->hi == 1490000000 &&
561  dd->mode == PROCEDURE_RA);
562  DetectNfsProcedureFree(NULL, dd);
563  PASS;
564 }
565 
566 /**
567  * \test This is a test for a valid value > 1430000000.
568  *
569  * \retval 1 on success.
570  * \retval 0 on failure.
571  */
572 static int ValidityTestParse13 (void)
573 {
574  DetectNfsProcedureData *dd = NULL;
575  dd = DetectNfsProcedureParse("> 1430000000 ");
576  FAIL_IF_NULL(dd);
577  FAIL_IF_NOT(dd->lo == 1430000000 && dd->mode == PROCEDURE_GT);
578  DetectNfsProcedureFree(NULL, dd);
579  PASS;
580 }
581 
582 /**
583  * \test This is a test for a valid value < 1490000000.
584  *
585  * \retval 1 on success.
586  * \retval 0 on failure.
587  */
588 static int ValidityTestParse14 (void)
589 {
590  DetectNfsProcedureData *dd = NULL;
591  dd = DetectNfsProcedureParse("< 1490000000 ");
592  FAIL_IF_NULL(dd);
593  FAIL_IF_NOT(dd->lo == 1490000000 && dd->mode == PROCEDURE_LT);
594  DetectNfsProcedureFree(NULL, dd);
595  PASS;
596 }
597 
598 /**
599  * \test This is a test for a valid value 1490000000.
600  *
601  * \retval 1 on success.
602  * \retval 0 on failure.
603  */
604 static int ValidityTestParse15 (void)
605 {
606  DetectNfsProcedureData *dd = NULL;
607  dd = DetectNfsProcedureParse(" 1490000000 ");
608  FAIL_IF_NULL(dd);
609  FAIL_IF_NOT(dd->lo == 1490000000 && dd->mode == PROCEDURE_EQ);
610  DetectNfsProcedureFree(NULL, dd);
611  PASS;
612 }
613 
614 /**
615  * \brief Register unit tests for nfs_procedure.
616  */
617 void DetectNfsProcedureRegisterTests(void)
618 {
619  UtRegisterTest("ValidityTestParse01", ValidityTestParse01);
620  UtRegisterTest("ValidityTestParse02", ValidityTestParse02);
621  UtRegisterTest("ValidityTestParse03", ValidityTestParse03);
622  UtRegisterTest("ValidityTestParse04", ValidityTestParse04);
623  UtRegisterTest("ValidityTestParse05", ValidityTestParse05);
624  UtRegisterTest("ValidityTestParse06", ValidityTestParse06);
625  UtRegisterTest("ValidityTestParse07", ValidityTestParse07);
626  UtRegisterTest("ValidityTestParse08", ValidityTestParse08);
627  UtRegisterTest("ValidityTestParse09", ValidityTestParse09);
628  UtRegisterTest("ValidityTestParse10", ValidityTestParse10);
629  UtRegisterTest("ValidityTestParse11", ValidityTestParse11);
630  UtRegisterTest("ValidityTestParse12", ValidityTestParse12);
631  UtRegisterTest("ValidityTestParse13", ValidityTestParse13);
632  UtRegisterTest("ValidityTestParse14", ValidityTestParse14);
633  UtRegisterTest("ValidityTestParse15", ValidityTestParse15);
634 }
635 #endif /* UNITTESTS */
util-byte.h
SigTableElmt_::url
const char * url
Definition: detect.h:1214
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1480
detect-content.h
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SigTableElmt_::desc
const char * desc
Definition: detect.h:1213
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1201
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1211
PROCEDURE_RA
@ PROCEDURE_RA
Definition: detect-nfs-procedure.c:62
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
PROCEDURE_GT
@ PROCEDURE_GT
Definition: detect-nfs-procedure.c:60
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
DETECT_AL_NFS_PROCEDURE
@ DETECT_AL_NFS_PROCEDURE
Definition: detect-engine-register.h:158
threads.h
Flow_
Flow data structure.
Definition: flow.h:347
DetectNfsProcedureData
struct DetectNfsProcedureData_ DetectNfsProcedureData
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:767
PROCEDURE_LT
@ PROCEDURE_LT
Definition: detect-nfs-procedure.c:58
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1182
rust.h
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
DetectNfsProcedureMode
DetectNfsProcedureMode
Definition: detect-nfs-procedure.c:56
SigMatchData_
Data needed for Match()
Definition: detect.h:329
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1196
detect-pcre.h
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
Definition: util-unittest.h:82
DetectEngineInspectGenericList
int DetectEngineInspectGenericList(ThreadVars *tv, const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, const uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1596
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:880
DetectNfsProcedureData_
Definition: detect-nfs-procedure.c:65
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:236
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-nfs-procedure.c:53
DetectEngineThreadCtx_
Definition: detect.h:1010
res
PoolThreadReserved res
Definition: stream-tcp-private.h:0
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2493
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
SC_ERR_INVALID_ARGUMENT
@ SC_ERR_INVALID_ARGUMENT
Definition: util-error.h:43
app-layer-parser.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:323
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options, int *ovector, int ovector_size)
Definition: detect-parse.c:2423
DetectNfsProcedureData_::lo
uint32_t lo
Definition: detect-nfs-procedure.c:66
detect-nfs-procedure.h
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1179
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
PROCEDURE_GE
@ PROCEDURE_GE
Definition: detect-nfs-procedure.c:61
SigMatch_::type
uint8_t type
Definition: detect.h:321
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:315
StringParseUint32
int StringParseUint32(uint32_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:313
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectParseRegex_
Definition: detect-parse.h:42
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
DetectNfsProcedureRegister
void DetectNfsProcedureRegister(void)
Registration function for nfs_procedure keyword.
Definition: detect-nfs-procedure.c:92
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
str
#define str(s)
Definition: suricata-common.h:273
SCFree
#define SCFree(p)
Definition: util-mem.h:61
PROCEDURE_EQ
@ PROCEDURE_EQ
Definition: detect-nfs-procedure.c:57
detect-parse.h
Signature_
Signature container.
Definition: detect.h:528
SigMatch_
a single match condition for a signature
Definition: detect.h:320
PROCEDURE_LE
@ PROCEDURE_LE
Definition: detect-nfs-procedure.c:59
DetectNfsProcedureData_::mode
enum DetectNfsProcedureMode mode
Definition: detect-nfs-procedure.c:68
flow.h
DetectAppLayerInspectEngineRegister
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback)
register inspect engine at start up time
Definition: detect-engine.c:171
DetectNfsProcedureData_::hi
uint32_t hi
Definition: detect-nfs-procedure.c:67
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
flow-var.h
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
ALPROTO_NFS
@ ALPROTO_NFS
Definition: app-layer-protos.h:45
debug.h
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1203
app-layer-nfs-tcp.h