suricata
detect-nfs-version.c
Go to the documentation of this file.
1 /* Copyright (C) 2017-2019 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  */
23 
24 #include "suricata-common.h"
25 #include "threads.h"
26 #include "debug.h"
27 #include "decode.h"
28 #include "detect.h"
29 
30 #include "detect-parse.h"
31 #include "detect-engine.h"
32 #include "detect-engine-mpm.h"
33 #include "detect-content.h"
34 #include "detect-pcre.h"
35 #include "detect-nfs-version.h"
36 
37 #include "app-layer-parser.h"
38 
39 #include "flow.h"
40 #include "flow-util.h"
41 #include "flow-var.h"
42 
43 #include "util-unittest.h"
44 #include "util-unittest-helper.h"
45 
46 #include "app-layer-nfs-tcp.h"
47 #include "rust.h"
48 #include "rust-nfs-nfs-gen.h"
49 
50 /**
51  * [nfs_procedure]:[<|>]<proc>[<><proc>];
52  */
53 #define PARSE_REGEX "^\\s*(<=|>=|<|>)?\\s*([0-9]+)\\s*(?:(<>)\\s*([0-9]+))?\\s*$"
54 static pcre *parse_regex;
55 static pcre_extra *parse_regex_study;
56 
58  PROCEDURE_EQ = 1, /* equal */
59  PROCEDURE_LT, /* less than */
60  PROCEDURE_LE, /* less than */
61  PROCEDURE_GT, /* greater than */
62  PROCEDURE_GE, /* greater than */
63  PROCEDURE_RA, /* range */
64 };
65 
66 typedef struct DetectNfsVersionData_ {
67  uint32_t lo;
68  uint32_t hi;
71 
72 static DetectNfsVersionData *DetectNfsVersionParse (const char *);
73 static int DetectNfsVersionSetup (DetectEngineCtx *, Signature *s, const char *str);
74 static void DetectNfsVersionFree(void *);
75 static void DetectNfsVersionRegisterTests(void);
76 static int g_nfs_request_buffer_id = 0;
77 
78 static int DetectEngineInspectNfsRequestGeneric(ThreadVars *tv,
79  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
80  const Signature *s, const SigMatchData *smd,
81  Flow *f, uint8_t flags, void *alstate,
82  void *txv, uint64_t tx_id);
83 
84 static int DetectNfsVersionMatch (DetectEngineThreadCtx *, Flow *,
85  uint8_t, void *, void *, const Signature *,
86  const SigMatchCtx *);
87 
88 /**
89  * \brief Registration function for nfs_procedure keyword.
90  */
92 {
93  sigmatch_table[DETECT_AL_NFS_VERSION].name = "nfs.version";
95  sigmatch_table[DETECT_AL_NFS_VERSION].desc = "match NFS version";
96  sigmatch_table[DETECT_AL_NFS_VERSION].url = DOC_URL DOC_VERSION "/rules/nfs-keywords.html#version";
97  sigmatch_table[DETECT_AL_NFS_VERSION].AppLayerTxMatch = DetectNfsVersionMatch;
98  sigmatch_table[DETECT_AL_NFS_VERSION].Setup = DetectNfsVersionSetup;
99  sigmatch_table[DETECT_AL_NFS_VERSION].Free = DetectNfsVersionFree;
100  sigmatch_table[DETECT_AL_NFS_VERSION].RegisterTests = DetectNfsVersionRegisterTests;
101 
102  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
103 
106  DetectEngineInspectNfsRequestGeneric);
107 
108  g_nfs_request_buffer_id = DetectBufferTypeGetByName("nfs_request");
109 
110  SCLogDebug("g_nfs_request_buffer_id %d", g_nfs_request_buffer_id);
111 }
112 
113 static int DetectEngineInspectNfsRequestGeneric(ThreadVars *tv,
114  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
115  const Signature *s, const SigMatchData *smd,
116  Flow *f, uint8_t flags, void *alstate,
117  void *txv, uint64_t tx_id)
118 {
119  return DetectEngineInspectGenericList(tv, de_ctx, det_ctx, s, smd,
120  f, flags, alstate, txv, tx_id);
121 }
122 
123 static inline int
124 VersionMatch(const uint32_t version,
125  enum DetectNfsVersionMode mode, uint32_t lo, uint32_t hi)
126 {
127  switch (mode) {
128  case PROCEDURE_EQ:
129  if (version == lo)
130  SCReturnInt(1);
131  break;
132  case PROCEDURE_LT:
133  if (version < lo)
134  SCReturnInt(1);
135  break;
136  case PROCEDURE_LE:
137  if (version <= lo)
138  SCReturnInt(1);
139  break;
140  case PROCEDURE_GT:
141  if (version > lo)
142  SCReturnInt(1);
143  break;
144  case PROCEDURE_GE:
145  if (version >= lo)
146  SCReturnInt(1);
147  break;
148  case PROCEDURE_RA:
149  if (version >= lo && version <= hi)
150  SCReturnInt(1);
151  break;
152  }
153  SCReturnInt(0);
154 }
155 
156 /**
157  * \internal
158  * \brief Function to match version of a TX
159  *
160  * \param t Pointer to thread vars.
161  * \param det_ctx Pointer to the pattern matcher thread.
162  * \param f Pointer to the current flow.
163  * \param flags Flags.
164  * \param state App layer state.
165  * \param s Pointer to the Signature.
166  * \param m Pointer to the sigmatch that we will cast into
167  * DetectNfsVersionData.
168  *
169  * \retval 0 no match.
170  * \retval 1 match.
171  */
172 static int DetectNfsVersionMatch (DetectEngineThreadCtx *det_ctx,
173  Flow *f, uint8_t flags, void *state,
174  void *txv, const Signature *s,
175  const SigMatchCtx *ctx)
176 {
177  SCEnter();
178 
179  const DetectNfsVersionData *dd = (const DetectNfsVersionData *)ctx;
180  uint32_t version;
181  rs_nfs_tx_get_version(txv, &version);
182  SCLogDebug("version %u mode %u lo %u hi %u",
183  version, dd->mode, dd->lo, dd->hi);
184  if (VersionMatch(version, dd->mode, dd->lo, dd->hi))
185  SCReturnInt(1);
186  SCReturnInt(0);
187 }
188 
189 /**
190  * \internal
191  * \brief Function to parse options passed via tls validity keywords.
192  *
193  * \param rawstr Pointer to the user provided options.
194  *
195  * \retval dd pointer to DetectNfsVersionData on success.
196  * \retval NULL on failure.
197  */
198 static DetectNfsVersionData *DetectNfsVersionParse (const char *rawstr)
199 {
200  DetectNfsVersionData *dd = NULL;
201 #define MAX_SUBSTRINGS 30
202  int ret = 0, res = 0;
203  int ov[MAX_SUBSTRINGS];
204  char mode[2] = "";
205  char value1[20] = "";
206  char value2[20] = "";
207  char range[3] = "";
208 
209  ret = pcre_exec(parse_regex, parse_regex_study, rawstr, strlen(rawstr), 0,
210  0, ov, MAX_SUBSTRINGS);
211  if (ret < 3 || ret > 5) {
212  SCLogError(SC_ERR_PCRE_MATCH, "Parse error %s", rawstr);
213  goto error;
214  }
215 
216  res = pcre_copy_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 1, mode,
217  sizeof(mode));
218  if (res < 0) {
219  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
220  goto error;
221  }
222  SCLogDebug("mode \"%s\"", mode);
223 
224  res = pcre_copy_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 2, value1,
225  sizeof(value1));
226  if (res < 0) {
227  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
228  goto error;
229  }
230  SCLogDebug("value1 \"%s\"", value1);
231 
232  if (ret > 3) {
233  res = pcre_copy_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 3,
234  range, sizeof(range));
235  if (res < 0) {
236  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
237  goto error;
238  }
239  SCLogDebug("range \"%s\"", range);
240 
241  if (ret > 4) {
242  res = pcre_copy_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 4,
243  value2, sizeof(value2));
244  if (res < 0) {
246  "pcre_copy_substring failed");
247  goto error;
248  }
249  SCLogDebug("value2 \"%s\"", value2);
250  }
251  }
252 
253  dd = SCCalloc(1, sizeof(DetectNfsVersionData));
254  if (unlikely(dd == NULL))
255  goto error;
256 
257  if (strlen(mode) == 1) {
258  if (mode[0] == '<')
259  dd->mode = PROCEDURE_LT;
260  else if (mode[0] == '>')
261  dd->mode = PROCEDURE_GT;
262  } else if (strlen(mode) == 2) {
263  if (strcmp(mode, "<=") == 0)
264  dd->mode = PROCEDURE_LE;
265  if (strcmp(mode, ">=") == 0)
266  dd->mode = PROCEDURE_GE;
267  }
268 
269  if (strlen(range) > 0) {
270  if (strcmp("<>", range) == 0)
271  dd->mode = PROCEDURE_RA;
272  }
273 
274  if (strlen(range) != 0 && strlen(mode) != 0) {
276  "Range specified but mode also set");
277  goto error;
278  }
279 
280  if (dd->mode == 0) {
281  dd->mode = PROCEDURE_EQ;
282  }
283 
284  /* set the first value */
285  dd->lo = atoi(value1); //TODO
286 
287  /* set the second value if specified */
288  if (strlen(value2) > 0) {
289  if (!(dd->mode == PROCEDURE_RA)) {
291  "Multiple tls validity values specified but mode is not range");
292  goto error;
293  }
294 
295  //
296  dd->hi = atoi(value2); // TODO
297 
298  if (dd->hi <= dd->lo) {
300  "Second value in range must not be smaller than the first");
301  goto error;
302  }
303  }
304  return dd;
305 
306 error:
307  if (dd)
308  SCFree(dd);
309  return NULL;
310 }
311 
312 
313 
314 /**
315  * \brief Function to add the parsed tls validity field into the current signature.
316  *
317  * \param de_ctx Pointer to the Detection Engine Context.
318  * \param s Pointer to the Current Signature.
319  * \param rawstr Pointer to the user provided flags options.
320  * \param type Defines if this is notBefore or notAfter.
321  *
322  * \retval 0 on Success.
323  * \retval -1 on Failure.
324  */
325 static int DetectNfsVersionSetup (DetectEngineCtx *de_ctx, Signature *s,
326  const char *rawstr)
327 {
328  SCLogDebug("\'%s\'", rawstr);
329 
331  return -1;
332 
333  DetectNfsVersionData *dd = DetectNfsVersionParse(rawstr);
334  if (dd == NULL) {
335  SCLogError(SC_ERR_INVALID_ARGUMENT,"Parsing \'%s\' failed", rawstr);
336  return -1;
337  }
338 
339  /* okay so far so good, lets get this into a SigMatch
340  * and put it in the Signature. */
341  SigMatch *sm = SigMatchAlloc();
342  if (sm == NULL)
343  goto error;
344 
346  sm->ctx = (void *)dd;
347 
348  SCLogDebug("low %u hi %u", dd->lo, dd->hi);
349  SigMatchAppendSMToList(s, sm, g_nfs_request_buffer_id);
350  return 0;
351 
352 error:
353  DetectNfsVersionFree(dd);
354  return -1;
355 }
356 
357 /**
358  * \internal
359  * \brief Function to free memory associated with DetectNfsVersionData.
360  *
361  * \param de_ptr Pointer to DetectNfsVersionData.
362  */
363 void DetectNfsVersionFree(void *ptr)
364 {
365  SCFree(ptr);
366 }
367 
368 #ifdef UNITTESTS
369 
370 /**
371  * \test This is a test for a valid value 1430000000.
372  *
373  * \retval 1 on success.
374  * \retval 0 on failure.
375  */
376 static int ValidityTestParse01 (void)
377 {
378  DetectNfsVersionData *dd = NULL;
379  dd = DetectNfsVersionParse("1430000000");
380  FAIL_IF_NULL(dd);
381  FAIL_IF_NOT(dd->lo == 1430000000 && dd->mode == PROCEDURE_EQ);
382  DetectNfsVersionFree(dd);
383  PASS;
384 }
385 
386 /**
387  * \test This is a test for a valid value >1430000000.
388  *
389  * \retval 1 on success.
390  * \retval 0 on failure.
391  */
392 static int ValidityTestParse02 (void)
393 {
394  DetectNfsVersionData *dd = NULL;
395  dd = DetectNfsVersionParse(">1430000000");
396  FAIL_IF_NULL(dd);
397  FAIL_IF_NOT(dd->lo == 1430000000 && dd->mode == PROCEDURE_GT);
398  DetectNfsVersionFree(dd);
399  PASS;
400 }
401 
402 /**
403  * \test This is a test for a valid value <1430000000.
404  *
405  * \retval 1 on success.
406  * \retval 0 on failure.
407  */
408 static int ValidityTestParse03 (void)
409 {
410  DetectNfsVersionData *dd = NULL;
411  dd = DetectNfsVersionParse("<1430000000");
412  FAIL_IF_NULL(dd);
413  FAIL_IF_NOT(dd->lo == 1430000000 && dd->mode == PROCEDURE_LT);
414  DetectNfsVersionFree(dd);
415  PASS;
416 }
417 
418 /**
419  * \test This is a test for a valid value 1430000000<>1470000000.
420  *
421  * \retval 1 on success.
422  * \retval 0 on failure.
423  */
424 static int ValidityTestParse04 (void)
425 {
426  DetectNfsVersionData *dd = NULL;
427  dd = DetectNfsVersionParse("1430000000<>1470000000");
428  FAIL_IF_NULL(dd);
429  FAIL_IF_NOT(dd->lo == 1430000000 && dd->hi == 1470000000 &&
430  dd->mode == PROCEDURE_RA);
431  DetectNfsVersionFree(dd);
432  PASS;
433 }
434 
435 /**
436  * \test This is a test for a invalid value A.
437  *
438  * \retval 1 on success.
439  * \retval 0 on failure.
440  */
441 static int ValidityTestParse05 (void)
442 {
443  DetectNfsVersionData *dd = NULL;
444  dd = DetectNfsVersionParse("A");
445  FAIL_IF_NOT_NULL(dd);
446  PASS;
447 }
448 
449 /**
450  * \test This is a test for a invalid value >1430000000<>1470000000.
451  *
452  * \retval 1 on success.
453  * \retval 0 on failure.
454  */
455 static int ValidityTestParse06 (void)
456 {
457  DetectNfsVersionData *dd = NULL;
458  dd = DetectNfsVersionParse(">1430000000<>1470000000");
459  FAIL_IF_NOT_NULL(dd);
460  PASS;
461 }
462 
463 /**
464  * \test This is a test for a invalid value 1430000000<>.
465  *
466  * \retval 1 on success.
467  * \retval 0 on failure.
468  */
469 static int ValidityTestParse07 (void)
470 {
471  DetectNfsVersionData *dd = NULL;
472  dd = DetectNfsVersionParse("1430000000<>");
473  FAIL_IF_NOT_NULL(dd);
474  PASS;
475 }
476 
477 /**
478  * \test This is a test for a invalid value <>1430000000.
479  *
480  * \retval 1 on success.
481  * \retval 0 on failure.
482  */
483 static int ValidityTestParse08 (void)
484 {
485  DetectNfsVersionData *dd = NULL;
486  dd = DetectNfsVersionParse("<>1430000000");
487  FAIL_IF_NOT_NULL(dd);
488  PASS;
489 }
490 
491 /**
492  * \test This is a test for a invalid value "".
493  *
494  * \retval 1 on success.
495  * \retval 0 on failure.
496  */
497 static int ValidityTestParse09 (void)
498 {
499  DetectNfsVersionData *dd = NULL;
500  dd = DetectNfsVersionParse("");
501  FAIL_IF_NOT_NULL(dd);
502  PASS;
503 }
504 
505 /**
506  * \test This is a test for a invalid value " ".
507  *
508  * \retval 1 on success.
509  * \retval 0 on failure.
510  */
511 static int ValidityTestParse10 (void)
512 {
513  DetectNfsVersionData *dd = NULL;
514  dd = DetectNfsVersionParse(" ");
515  FAIL_IF_NOT_NULL(dd);
516  PASS;
517 }
518 
519 /**
520  * \test This is a test for a invalid value 1490000000<>1430000000.
521  *
522  * \retval 1 on success.
523  * \retval 0 on failure.
524  */
525 static int ValidityTestParse11 (void)
526 {
527  DetectNfsVersionData *dd = NULL;
528  dd = DetectNfsVersionParse("1490000000<>1430000000");
529  FAIL_IF_NOT_NULL(dd);
530  PASS;
531 }
532 
533 /**
534  * \test This is a test for a valid value 1430000000 <> 1490000000.
535  *
536  * \retval 1 on success.
537  * \retval 0 on failure.
538  */
539 static int ValidityTestParse12 (void)
540 {
541  DetectNfsVersionData *dd = NULL;
542  dd = DetectNfsVersionParse("1430000000 <> 1490000000");
543  FAIL_IF_NULL(dd);
544  FAIL_IF_NOT(dd->lo == 1430000000 && dd->hi == 1490000000 &&
545  dd->mode == PROCEDURE_RA);
546  DetectNfsVersionFree(dd);
547  PASS;
548 }
549 
550 /**
551  * \test This is a test for a valid value > 1430000000.
552  *
553  * \retval 1 on success.
554  * \retval 0 on failure.
555  */
556 static int ValidityTestParse13 (void)
557 {
558  DetectNfsVersionData *dd = NULL;
559  dd = DetectNfsVersionParse("> 1430000000 ");
560  FAIL_IF_NULL(dd);
561  FAIL_IF_NOT(dd->lo == 1430000000 && dd->mode == PROCEDURE_GT);
562  DetectNfsVersionFree(dd);
563  PASS;
564 }
565 
566 /**
567  * \test This is a test for a valid value < 1490000000.
568  *
569  * \retval 1 on success.
570  * \retval 0 on failure.
571  */
572 static int ValidityTestParse14 (void)
573 {
574  DetectNfsVersionData *dd = NULL;
575  dd = DetectNfsVersionParse("< 1490000000 ");
576  FAIL_IF_NULL(dd);
577  FAIL_IF_NOT(dd->lo == 1490000000 && dd->mode == PROCEDURE_LT);
578  DetectNfsVersionFree(dd);
579  PASS;
580 }
581 
582 /**
583  * \test This is a test for a valid value 1490000000.
584  *
585  * \retval 1 on success.
586  * \retval 0 on failure.
587  */
588 static int ValidityTestParse15 (void)
589 {
590  DetectNfsVersionData *dd = NULL;
591  dd = DetectNfsVersionParse(" 1490000000 ");
592  FAIL_IF_NULL(dd);
593  FAIL_IF_NOT(dd->lo == 1490000000 && dd->mode == PROCEDURE_EQ);
594  DetectNfsVersionFree(dd);
595  PASS;
596 }
597 
598 #endif /* UNITTESTS */
599 
600 /**
601  * \brief Register unit tests for nfs_procedure.
602  */
603 void DetectNfsVersionRegisterTests(void)
604 {
605 #ifdef UNITTESTS /* UNITTESTS */
606  UtRegisterTest("ValidityTestParse01", ValidityTestParse01);
607  UtRegisterTest("ValidityTestParse02", ValidityTestParse02);
608  UtRegisterTest("ValidityTestParse03", ValidityTestParse03);
609  UtRegisterTest("ValidityTestParse04", ValidityTestParse04);
610  UtRegisterTest("ValidityTestParse05", ValidityTestParse05);
611  UtRegisterTest("ValidityTestParse06", ValidityTestParse06);
612  UtRegisterTest("ValidityTestParse07", ValidityTestParse07);
613  UtRegisterTest("ValidityTestParse08", ValidityTestParse08);
614  UtRegisterTest("ValidityTestParse09", ValidityTestParse09);
615  UtRegisterTest("ValidityTestParse10", ValidityTestParse10);
616  UtRegisterTest("ValidityTestParse11", ValidityTestParse11);
617  UtRegisterTest("ValidityTestParse12", ValidityTestParse12);
618  UtRegisterTest("ValidityTestParse13", ValidityTestParse13);
619  UtRegisterTest("ValidityTestParse14", ValidityTestParse14);
620  UtRegisterTest("ValidityTestParse15", ValidityTestParse15);
621 #endif /* UNITTESTS */
622 }
enum DetectNfsVersionMode mode
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1448
uint16_t flags
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1186
#define SCLogDebug(...)
Definition: util-debug.h:335
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
#define PASS
Pass the test.
#define unlikely(expr)
Definition: util-optimize.h:35
#define PARSE_REGEX
Data needed for Match()
Definition: detect.h:327
const char * name
Definition: detect.h:1200
int DetectEngineInspectGenericList(ThreadVars *tv, const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, const uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Signature container.
Definition: detect.h:522
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:313
main detection engine ctx
Definition: detect.h:761
int DetectBufferTypeGetByName(const char *name)
#define str(s)
#define SCCalloc(nm, a)
Definition: util-mem.h:253
void(* Free)(void *)
Definition: detect.h:1191
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
void DetectSetupParseRegexes(const char *parse_str, pcre **parse_regex, pcre_extra **parse_regex_study)
#define SIG_FLAG_TOSERVER
Definition: detect.h:236
#define SCEnter(...)
Definition: util-debug.h:337
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
uint8_t type
Definition: detect.h:319
#define SCReturnInt(x)
Definition: util-debug.h:341
void DetectNfsVersionRegister(void)
Registration function for nfs_procedure keyword.
const char * desc
Definition: detect.h:1202
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:346
SigMatchCtx * ctx
Definition: detect.h:321
const char * alias
Definition: detect.h:1201
uint8_t version
Definition: decode-gre.h:405
#define SCFree(a)
Definition: util-mem.h:322
DetectNfsVersionMode
PoolThreadReserved res
uint16_t tx_id
const char * url
Definition: detect.h:1203
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1173
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
#define DOC_URL
Definition: suricata.h:86
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:232
Per thread variable structure.
Definition: threadvars.h:57
#define DOC_VERSION
Definition: suricata.h:91
#define MAX_SUBSTRINGS
struct DetectNfsVersionData_ DetectNfsVersionData
Flow data structure.
Definition: flow.h:325
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback)
register inspect engine at start up time
void(* RegisterTests)(void)
Definition: detect.h:1192
a single match condition for a signature
Definition: detect.h:318
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
Definition: util-unittest.h:82