suricata
detect-nfs-version.c
Go to the documentation of this file.
1 /* Copyright (C) 2017-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  */
23 
24 #include "suricata-common.h"
25 #include "threads.h"
26 #include "debug.h"
27 #include "decode.h"
28 #include "detect.h"
29 
30 #include "detect-parse.h"
31 #include "detect-engine.h"
32 #include "detect-engine-mpm.h"
33 #include "detect-content.h"
34 #include "detect-pcre.h"
35 #include "detect-nfs-version.h"
36 
37 #include "app-layer-parser.h"
38 
39 #include "flow.h"
40 #include "flow-util.h"
41 #include "flow-var.h"
42 
43 #include "util-unittest.h"
44 #include "util-unittest-helper.h"
45 #include "util-byte.h"
46 
47 #include "app-layer-nfs-tcp.h"
48 #include "rust.h"
49 
50 /**
51  * [nfs_procedure]:[<|>]<proc>[<><proc>];
52  */
53 #define PARSE_REGEX "^\\s*(<=|>=|<|>)?\\s*([0-9]+)\\s*(?:(<>)\\s*([0-9]+))?\\s*$"
54 static DetectParseRegex parse_regex;
55 
57  PROCEDURE_EQ = 1, /* equal */
58  PROCEDURE_LT, /* less than */
59  PROCEDURE_LE, /* less than */
60  PROCEDURE_GT, /* greater than */
61  PROCEDURE_GE, /* greater than */
62  PROCEDURE_RA, /* range */
63 };
64 
65 typedef struct DetectNfsVersionData_ {
66  uint32_t lo;
67  uint32_t hi;
70 
71 static DetectNfsVersionData *DetectNfsVersionParse (const char *);
72 static int DetectNfsVersionSetup (DetectEngineCtx *, Signature *s, const char *str);
73 static void DetectNfsVersionFree(DetectEngineCtx *de_ctx, void *);
74 #ifdef UNITTESTS
75 static void DetectNfsVersionRegisterTests(void);
76 #endif
77 static int g_nfs_request_buffer_id = 0;
78 
79 static int DetectEngineInspectNfsRequestGeneric(DetectEngineCtx *de_ctx,
80  DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine,
81  const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id);
82 
83 static int DetectNfsVersionMatch (DetectEngineThreadCtx *, Flow *,
84  uint8_t, void *, void *, const Signature *,
85  const SigMatchCtx *);
86 
87 /**
88  * \brief Registration function for nfs_procedure keyword.
89  */
91 {
92  sigmatch_table[DETECT_AL_NFS_VERSION].name = "nfs.version";
94  sigmatch_table[DETECT_AL_NFS_VERSION].desc = "match NFS version";
95  sigmatch_table[DETECT_AL_NFS_VERSION].url = "/rules/nfs-keywords.html#version";
96  sigmatch_table[DETECT_AL_NFS_VERSION].AppLayerTxMatch = DetectNfsVersionMatch;
97  sigmatch_table[DETECT_AL_NFS_VERSION].Setup = DetectNfsVersionSetup;
98  sigmatch_table[DETECT_AL_NFS_VERSION].Free = DetectNfsVersionFree;
99 #ifdef UNITTESTS
100  sigmatch_table[DETECT_AL_NFS_VERSION].RegisterTests = DetectNfsVersionRegisterTests;
101 #endif
102  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
103 
105  DetectEngineInspectNfsRequestGeneric, NULL);
106 
107  g_nfs_request_buffer_id = DetectBufferTypeGetByName("nfs_request");
108 
109  SCLogDebug("g_nfs_request_buffer_id %d", g_nfs_request_buffer_id);
110 }
111 
112 static int DetectEngineInspectNfsRequestGeneric(DetectEngineCtx *de_ctx,
113  DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine,
114  const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
115 {
117  de_ctx, det_ctx, s, engine->smd, f, flags, alstate, txv, tx_id);
118 }
119 
120 static inline int
121 VersionMatch(const uint32_t version,
122  enum DetectNfsVersionMode mode, uint32_t lo, uint32_t hi)
123 {
124  switch (mode) {
125  case PROCEDURE_EQ:
126  if (version == lo)
127  SCReturnInt(1);
128  break;
129  case PROCEDURE_LT:
130  if (version < lo)
131  SCReturnInt(1);
132  break;
133  case PROCEDURE_LE:
134  if (version <= lo)
135  SCReturnInt(1);
136  break;
137  case PROCEDURE_GT:
138  if (version > lo)
139  SCReturnInt(1);
140  break;
141  case PROCEDURE_GE:
142  if (version >= lo)
143  SCReturnInt(1);
144  break;
145  case PROCEDURE_RA:
146  if (version >= lo && version <= hi)
147  SCReturnInt(1);
148  break;
149  }
150  SCReturnInt(0);
151 }
152 
153 /**
154  * \internal
155  * \brief Function to match version of a TX
156  *
157  * \param t Pointer to thread vars.
158  * \param det_ctx Pointer to the pattern matcher thread.
159  * \param f Pointer to the current flow.
160  * \param flags Flags.
161  * \param state App layer state.
162  * \param s Pointer to the Signature.
163  * \param m Pointer to the sigmatch that we will cast into
164  * DetectNfsVersionData.
165  *
166  * \retval 0 no match.
167  * \retval 1 match.
168  */
169 static int DetectNfsVersionMatch (DetectEngineThreadCtx *det_ctx,
170  Flow *f, uint8_t flags, void *state,
171  void *txv, const Signature *s,
172  const SigMatchCtx *ctx)
173 {
174  SCEnter();
175 
176  const DetectNfsVersionData *dd = (const DetectNfsVersionData *)ctx;
177  uint32_t version;
178  rs_nfs_tx_get_version(txv, &version);
179  SCLogDebug("version %u mode %u lo %u hi %u",
180  version, dd->mode, dd->lo, dd->hi);
181  if (VersionMatch(version, dd->mode, dd->lo, dd->hi))
182  SCReturnInt(1);
183  SCReturnInt(0);
184 }
185 
186 /**
187  * \internal
188  * \brief Function to parse options passed via tls validity keywords.
189  *
190  * \param rawstr Pointer to the user provided options.
191  *
192  * \retval dd pointer to DetectNfsVersionData on success.
193  * \retval NULL on failure.
194  */
195 static DetectNfsVersionData *DetectNfsVersionParse (const char *rawstr)
196 {
197  DetectNfsVersionData *dd = NULL;
198  int ret = 0, res = 0;
199  size_t pcre2len;
200  char mode[2] = "";
201  char value1[20] = "";
202  char value2[20] = "";
203  char range[3] = "";
204 
205  ret = DetectParsePcreExec(&parse_regex, rawstr, 0, 0);
206  if (ret < 3 || ret > 5) {
207  SCLogError(SC_ERR_PCRE_MATCH, "Parse error %s", rawstr);
208  goto error;
209  }
210 
211  pcre2len = sizeof(mode);
212  res = SC_Pcre2SubstringCopy(parse_regex.match, 1, (PCRE2_UCHAR8 *)mode, &pcre2len);
213  if (res < 0) {
214  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre2_substring_copy_bynumber failed");
215  goto error;
216  }
217  SCLogDebug("mode \"%s\"", mode);
218 
219  pcre2len = sizeof(value1);
220  res = pcre2_substring_copy_bynumber(parse_regex.match, 2, (PCRE2_UCHAR8 *)value1, &pcre2len);
221  if (res < 0) {
222  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre2_substring_copy_bynumber failed");
223  goto error;
224  }
225  SCLogDebug("value1 \"%s\"", value1);
226 
227  if (ret > 3) {
228  pcre2len = sizeof(range);
229  res = pcre2_substring_copy_bynumber(parse_regex.match, 3, (PCRE2_UCHAR8 *)range, &pcre2len);
230  if (res < 0) {
231  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre2_substring_copy_bynumber failed");
232  goto error;
233  }
234  SCLogDebug("range \"%s\"", range);
235 
236  if (ret > 4) {
237  pcre2len = sizeof(value2);
238  res = pcre2_substring_copy_bynumber(
239  parse_regex.match, 4, (PCRE2_UCHAR8 *)value2, &pcre2len);
240  if (res < 0) {
241  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre2_substring_copy_bynumber failed");
242  goto error;
243  }
244  SCLogDebug("value2 \"%s\"", value2);
245  }
246  }
247 
248  dd = SCCalloc(1, sizeof(DetectNfsVersionData));
249  if (unlikely(dd == NULL))
250  goto error;
251 
252  if (strlen(mode) == 1) {
253  if (mode[0] == '<')
254  dd->mode = PROCEDURE_LT;
255  else if (mode[0] == '>')
256  dd->mode = PROCEDURE_GT;
257  } else if (strlen(mode) == 2) {
258  if (strcmp(mode, "<=") == 0)
259  dd->mode = PROCEDURE_LE;
260  if (strcmp(mode, ">=") == 0)
261  dd->mode = PROCEDURE_GE;
262  }
263 
264  if (strlen(range) > 0) {
265  if (strcmp("<>", range) == 0)
266  dd->mode = PROCEDURE_RA;
267  }
268 
269  if (strlen(range) != 0 && strlen(mode) != 0) {
271  "Range specified but mode also set");
272  goto error;
273  }
274 
275  if (dd->mode == 0) {
276  dd->mode = PROCEDURE_EQ;
277  }
278 
279  /* set the first value */
280  if (StringParseUint32(&dd->lo, 10, 0, (const char *)value1) < 0) {
281  SCLogError(SC_ERR_INVALID_ARGUMENT, "Invalid first value: \"%s\"", value1);
282  goto error;
283  }
284  /* set the second value if specified */
285  if (strlen(value2) > 0) {
286  if (!(dd->mode == PROCEDURE_RA)) {
288  "Multiple tls validity values specified but mode is not range");
289  goto error;
290  }
291 
292  if (StringParseUint32(&dd->hi, 10, 0, (const char *)value2) < 0) {
293  SCLogError(SC_ERR_INVALID_ARGUMENT, "Invalid second value: \"%s\"", value2);
294  goto error;
295  }
296  if (dd->hi <= dd->lo) {
298  "Second value in range must not be smaller than the first");
299  goto error;
300  }
301  }
302  return dd;
303 
304 error:
305  if (dd)
306  SCFree(dd);
307  return NULL;
308 }
309 
310 
311 
312 /**
313  * \brief Function to add the parsed tls validity field into the current signature.
314  *
315  * \param de_ctx Pointer to the Detection Engine Context.
316  * \param s Pointer to the Current Signature.
317  * \param rawstr Pointer to the user provided flags options.
318  * \param type Defines if this is notBefore or notAfter.
319  *
320  * \retval 0 on Success.
321  * \retval -1 on Failure.
322  */
323 static int DetectNfsVersionSetup (DetectEngineCtx *de_ctx, Signature *s,
324  const char *rawstr)
325 {
326  SCLogDebug("\'%s\'", rawstr);
327 
329  return -1;
330 
331  DetectNfsVersionData *dd = DetectNfsVersionParse(rawstr);
332  if (dd == NULL) {
333  SCLogError(SC_ERR_INVALID_ARGUMENT,"Parsing \'%s\' failed", rawstr);
334  return -1;
335  }
336 
337  /* okay so far so good, lets get this into a SigMatch
338  * and put it in the Signature. */
339  SigMatch *sm = SigMatchAlloc();
340  if (sm == NULL)
341  goto error;
342 
344  sm->ctx = (void *)dd;
345 
346  SCLogDebug("low %u hi %u", dd->lo, dd->hi);
347  SigMatchAppendSMToList(s, sm, g_nfs_request_buffer_id);
348  return 0;
349 
350 error:
351  DetectNfsVersionFree(de_ctx, dd);
352  return -1;
353 }
354 
355 /**
356  * \internal
357  * \brief Function to free memory associated with DetectNfsVersionData.
358  *
359  * \param de_ptr Pointer to DetectNfsVersionData.
360  */
361 void DetectNfsVersionFree(DetectEngineCtx *de_ctx, void *ptr)
362 {
363  SCFree(ptr);
364 }
365 
366 #ifdef UNITTESTS
367 
368 /**
369  * \test This is a test for a valid value 1430000000.
370  *
371  * \retval 1 on success.
372  * \retval 0 on failure.
373  */
374 static int ValidityTestParse01 (void)
375 {
376  DetectNfsVersionData *dd = NULL;
377  dd = DetectNfsVersionParse("1430000000");
378  FAIL_IF_NULL(dd);
379  FAIL_IF_NOT(dd->lo == 1430000000 && dd->mode == PROCEDURE_EQ);
380  DetectNfsVersionFree(NULL, dd);
381  PASS;
382 }
383 
384 /**
385  * \test This is a test for a valid value >1430000000.
386  *
387  * \retval 1 on success.
388  * \retval 0 on failure.
389  */
390 static int ValidityTestParse02 (void)
391 {
392  DetectNfsVersionData *dd = NULL;
393  dd = DetectNfsVersionParse(">1430000000");
394  FAIL_IF_NULL(dd);
395  FAIL_IF_NOT(dd->lo == 1430000000 && dd->mode == PROCEDURE_GT);
396  DetectNfsVersionFree(NULL, dd);
397  PASS;
398 }
399 
400 /**
401  * \test This is a test for a valid value <1430000000.
402  *
403  * \retval 1 on success.
404  * \retval 0 on failure.
405  */
406 static int ValidityTestParse03 (void)
407 {
408  DetectNfsVersionData *dd = NULL;
409  dd = DetectNfsVersionParse("<1430000000");
410  FAIL_IF_NULL(dd);
411  FAIL_IF_NOT(dd->lo == 1430000000 && dd->mode == PROCEDURE_LT);
412  DetectNfsVersionFree(NULL, dd);
413  PASS;
414 }
415 
416 /**
417  * \test This is a test for a valid value 1430000000<>1470000000.
418  *
419  * \retval 1 on success.
420  * \retval 0 on failure.
421  */
422 static int ValidityTestParse04 (void)
423 {
424  DetectNfsVersionData *dd = NULL;
425  dd = DetectNfsVersionParse("1430000000<>1470000000");
426  FAIL_IF_NULL(dd);
427  FAIL_IF_NOT(dd->lo == 1430000000 && dd->hi == 1470000000 &&
428  dd->mode == PROCEDURE_RA);
429  DetectNfsVersionFree(NULL, dd);
430  PASS;
431 }
432 
433 /**
434  * \test This is a test for a invalid value A.
435  *
436  * \retval 1 on success.
437  * \retval 0 on failure.
438  */
439 static int ValidityTestParse05 (void)
440 {
441  DetectNfsVersionData *dd = NULL;
442  dd = DetectNfsVersionParse("A");
443  FAIL_IF_NOT_NULL(dd);
444  PASS;
445 }
446 
447 /**
448  * \test This is a test for a invalid value >1430000000<>1470000000.
449  *
450  * \retval 1 on success.
451  * \retval 0 on failure.
452  */
453 static int ValidityTestParse06 (void)
454 {
455  DetectNfsVersionData *dd = NULL;
456  dd = DetectNfsVersionParse(">1430000000<>1470000000");
457  FAIL_IF_NOT_NULL(dd);
458  PASS;
459 }
460 
461 /**
462  * \test This is a test for a invalid value 1430000000<>.
463  *
464  * \retval 1 on success.
465  * \retval 0 on failure.
466  */
467 static int ValidityTestParse07 (void)
468 {
469  DetectNfsVersionData *dd = NULL;
470  dd = DetectNfsVersionParse("1430000000<>");
471  FAIL_IF_NOT_NULL(dd);
472  PASS;
473 }
474 
475 /**
476  * \test This is a test for a invalid value <>1430000000.
477  *
478  * \retval 1 on success.
479  * \retval 0 on failure.
480  */
481 static int ValidityTestParse08 (void)
482 {
483  DetectNfsVersionData *dd = NULL;
484  dd = DetectNfsVersionParse("<>1430000000");
485  FAIL_IF_NOT_NULL(dd);
486  PASS;
487 }
488 
489 /**
490  * \test This is a test for a invalid value "".
491  *
492  * \retval 1 on success.
493  * \retval 0 on failure.
494  */
495 static int ValidityTestParse09 (void)
496 {
497  DetectNfsVersionData *dd = NULL;
498  dd = DetectNfsVersionParse("");
499  FAIL_IF_NOT_NULL(dd);
500  PASS;
501 }
502 
503 /**
504  * \test This is a test for a invalid value " ".
505  *
506  * \retval 1 on success.
507  * \retval 0 on failure.
508  */
509 static int ValidityTestParse10 (void)
510 {
511  DetectNfsVersionData *dd = NULL;
512  dd = DetectNfsVersionParse(" ");
513  FAIL_IF_NOT_NULL(dd);
514  PASS;
515 }
516 
517 /**
518  * \test This is a test for a invalid value 1490000000<>1430000000.
519  *
520  * \retval 1 on success.
521  * \retval 0 on failure.
522  */
523 static int ValidityTestParse11 (void)
524 {
525  DetectNfsVersionData *dd = NULL;
526  dd = DetectNfsVersionParse("1490000000<>1430000000");
527  FAIL_IF_NOT_NULL(dd);
528  PASS;
529 }
530 
531 /**
532  * \test This is a test for a valid value 1430000000 <> 1490000000.
533  *
534  * \retval 1 on success.
535  * \retval 0 on failure.
536  */
537 static int ValidityTestParse12 (void)
538 {
539  DetectNfsVersionData *dd = NULL;
540  dd = DetectNfsVersionParse("1430000000 <> 1490000000");
541  FAIL_IF_NULL(dd);
542  FAIL_IF_NOT(dd->lo == 1430000000 && dd->hi == 1490000000 &&
543  dd->mode == PROCEDURE_RA);
544  DetectNfsVersionFree(NULL, dd);
545  PASS;
546 }
547 
548 /**
549  * \test This is a test for a valid value > 1430000000.
550  *
551  * \retval 1 on success.
552  * \retval 0 on failure.
553  */
554 static int ValidityTestParse13 (void)
555 {
556  DetectNfsVersionData *dd = NULL;
557  dd = DetectNfsVersionParse("> 1430000000 ");
558  FAIL_IF_NULL(dd);
559  FAIL_IF_NOT(dd->lo == 1430000000 && dd->mode == PROCEDURE_GT);
560  DetectNfsVersionFree(NULL, dd);
561  PASS;
562 }
563 
564 /**
565  * \test This is a test for a valid value < 1490000000.
566  *
567  * \retval 1 on success.
568  * \retval 0 on failure.
569  */
570 static int ValidityTestParse14 (void)
571 {
572  DetectNfsVersionData *dd = NULL;
573  dd = DetectNfsVersionParse("< 1490000000 ");
574  FAIL_IF_NULL(dd);
575  FAIL_IF_NOT(dd->lo == 1490000000 && dd->mode == PROCEDURE_LT);
576  DetectNfsVersionFree(NULL, dd);
577  PASS;
578 }
579 
580 /**
581  * \test This is a test for a valid value 1490000000.
582  *
583  * \retval 1 on success.
584  * \retval 0 on failure.
585  */
586 static int ValidityTestParse15 (void)
587 {
588  DetectNfsVersionData *dd = NULL;
589  dd = DetectNfsVersionParse(" 1490000000 ");
590  FAIL_IF_NULL(dd);
591  FAIL_IF_NOT(dd->lo == 1490000000 && dd->mode == PROCEDURE_EQ);
592  DetectNfsVersionFree(NULL, dd);
593  PASS;
594 }
595 
596 /**
597  * \brief Register unit tests for nfs_procedure.
598  */
599 void DetectNfsVersionRegisterTests(void)
600 {
601  UtRegisterTest("ValidityTestParse01", ValidityTestParse01);
602  UtRegisterTest("ValidityTestParse02", ValidityTestParse02);
603  UtRegisterTest("ValidityTestParse03", ValidityTestParse03);
604  UtRegisterTest("ValidityTestParse04", ValidityTestParse04);
605  UtRegisterTest("ValidityTestParse05", ValidityTestParse05);
606  UtRegisterTest("ValidityTestParse06", ValidityTestParse06);
607  UtRegisterTest("ValidityTestParse07", ValidityTestParse07);
608  UtRegisterTest("ValidityTestParse08", ValidityTestParse08);
609  UtRegisterTest("ValidityTestParse09", ValidityTestParse09);
610  UtRegisterTest("ValidityTestParse10", ValidityTestParse10);
611  UtRegisterTest("ValidityTestParse11", ValidityTestParse11);
612  UtRegisterTest("ValidityTestParse12", ValidityTestParse12);
613  UtRegisterTest("ValidityTestParse13", ValidityTestParse13);
614  UtRegisterTest("ValidityTestParse14", ValidityTestParse14);
615  UtRegisterTest("ValidityTestParse15", ValidityTestParse15);
616 }
617 #endif /* UNITTESTS */
util-byte.h
DetectParseRegex::match
pcre2_match_data * match
Definition: detect-parse.h:45
DetectEngineAppInspectionEngine_
Definition: detect.h:398
SigTableElmt_::url
const char * url
Definition: detect.h:1252
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1489
detect-content.h
PROCEDURE_GT
@ PROCEDURE_GT
Definition: detect-nfs-version.c:60
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
DetectNfsVersionMode
DetectNfsVersionMode
Definition: detect-nfs-version.c:56
PROCEDURE_LE
@ PROCEDURE_LE
Definition: detect-nfs-version.c:59
DetectNfsVersionRegister
void DetectNfsVersionRegister(void)
Registration function for nfs_procedure keyword.
Definition: detect-nfs-version.c:90
SigTableElmt_::desc
const char * desc
Definition: detect.h:1251
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options)
Definition: detect-parse.c:2467
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1239
flow-util.h
DetectEngineInspectGenericList
int DetectEngineInspectGenericList(const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, const uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1947
DetectParseRegex
Definition: detect-parse.h:42
SigTableElmt_::name
const char * name
Definition: detect.h:1249
PROCEDURE_EQ
@ PROCEDURE_EQ
Definition: detect-nfs-version.c:57
DetectNfsVersionData_::hi
uint32_t hi
Definition: detect-nfs-version.c:67
detect-nfs-version.h
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
threads.h
Flow_
Flow data structure.
Definition: flow.h:353
DetectNfsVersionData_
Definition: detect-nfs-version.c:65
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:801
DETECT_AL_NFS_VERSION
@ DETECT_AL_NFS_VERSION
Definition: detect-engine-register.h:162
PROCEDURE_GE
@ PROCEDURE_GE
Definition: detect-nfs-version.c:61
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1220
rust.h
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1234
detect-pcre.h
util-unittest.h
PROCEDURE_LT
@ PROCEDURE_LT
Definition: detect-nfs-version.c:58
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1083
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:236
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1050
res
PoolThreadReserved res
Definition: stream-tcp-private.h:0
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2590
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
detect-engine-mpm.h
detect.h
SC_ERR_INVALID_ARGUMENT
@ SC_ERR_INVALID_ARGUMENT
Definition: util-error.h:43
app-layer-parser.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:324
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-nfs-version.c:53
DetectAppLayerInspectEngineRegister2
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
Definition: detect-engine.c:224
DetectNfsVersionData
struct DetectNfsVersionData_ DetectNfsVersionData
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:316
DetectEngineAppInspectionEngine_::smd
SigMatchData * smd
Definition: detect.h:415
StringParseUint32
int StringParseUint32(uint32_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:313
flags
uint8_t flags
Definition: decode-gre.h:0
SigTableElmt_::alias
const char * alias
Definition: detect.h:1250
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:322
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
version
uint8_t version
Definition: decode-gre.h:1
PROCEDURE_RA
@ PROCEDURE_RA
Definition: detect-nfs-version.c:62
str
#define str(s)
Definition: suricata-common.h:272
SCFree
#define SCFree(p)
Definition: util-mem.h:61
detect-parse.h
Signature_
Signature container.
Definition: detect.h:546
SigMatch_
a single match condition for a signature
Definition: detect.h:321
SC_Pcre2SubstringCopy
int SC_Pcre2SubstringCopy(pcre2_match_data *match_data, uint32_t number, PCRE2_UCHAR *buffer, PCRE2_SIZE *bufflen)
Definition: detect-parse.c:2566
DetectNfsVersionData_::mode
enum DetectNfsVersionMode mode
Definition: detect-nfs-version.c:68
flow.h
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
flow-var.h
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
ALPROTO_NFS
@ ALPROTO_NFS
Definition: app-layer-protos.h:45
debug.h
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1241
app-layer-nfs-tcp.h
DetectNfsVersionData_::lo
uint32_t lo
Definition: detect-nfs-version.c:66