suricata
detect-parse.c File Reference
#include "suricata-common.h"
#include "debug.h"
#include "detect.h"
#include "detect-engine.h"
#include "detect-engine-address.h"
#include "detect-engine-port.h"
#include "detect-engine-mpm.h"
#include "detect-engine-state.h"
#include "detect-content.h"
#include "detect-pcre.h"
#include "detect-uricontent.h"
#include "detect-reference.h"
#include "detect-ipproto.h"
#include "detect-flow.h"
#include "detect-app-layer-protocol.h"
#include "detect-lua.h"
#include "detect-app-layer-event.h"
#include "detect-http-method.h"
#include "pkt-var.h"
#include "host.h"
#include "util-profiling.h"
#include "decode.h"
#include "flow.h"
#include "util-rule-vars.h"
#include "conf.h"
#include "conf-yaml-loader.h"
#include "app-layer.h"
#include "app-layer-protos.h"
#include "app-layer-parser.h"
#include "app-layer-htp.h"
#include "util-classification-config.h"
#include "util-unittest.h"
#include "util-unittest-helper.h"
#include "util-debug.h"
#include "string.h"
#include "detect-parse.h"
#include "detect-engine-iponly.h"
#include "app-layer-detect-proto.h"


Data Structures

struct  SigDuplWrapper_
 We use this as data to the hash table DetectEngineCtx->dup_sig_hash_table. More...
 
struct  SignatureParser_
 
struct  DetectParseRegex_
 

Macros

#define CONFIG_PARTS   8
 
#define CONFIG_ACTION   0
 
#define CONFIG_PROTO   1
 
#define CONFIG_SRC   2
 
#define CONFIG_SP   3
 
#define CONFIG_DIREC   4
 
#define CONFIG_DST   5
 
#define CONFIG_DP   6
 
#define CONFIG_OPTS   7
 
#define CASE_CODE_STRING(E, S)   case E: return S; break
 
#define CASE_CODE(E)   case E: return #E
 

Typedefs

typedef struct SigDuplWrapper_ SigDuplWrapper
 We use this as data to the hash table DetectEngineCtx->dup_sig_hash_table. More...
 
typedef struct SignatureParser_ SignatureParser
 
typedef struct DetectParseRegex_ DetectParseRegex
 

Functions

const char * DetectListToHumanString (int list)
 
const char * DetectListToString (int list)
 
int DetectEngineContentModifierBufferSetup (DetectEngineCtx *de_ctx, Signature *s, const char *arg, int sm_type, int sm_list, AppProto alproto)
 
SigMatch * SigMatchAlloc (void)
 
void SigMatchFree (SigMatch *sm)
 free a SigMatch More...
 
void SigMatchAppendSMToList (Signature *s, SigMatch *new, int list)
 Append a SigMatch to the list type. More...
 
void SigMatchRemoveSMFromList (Signature *s, SigMatch *sm, int sm_list)
 
SigMatch * DetectGetLastSMFromMpmLists (const DetectEngineCtx *de_ctx, const Signature *s)
 get the last SigMatch from lists that support MPM. More...
 
SigMatch * DetectGetLastSMFromLists (const Signature *s,...)
 Returns the sm with the largest index (added latest) from the lists passed to us. More...
 
SigMatch * DetectGetLastSMByListPtr (const Signature *s, SigMatch *sm_list,...)
 Returns the sm with the largest index (added last) from the list passed to us as a pointer. More...
 
SigMatch * DetectGetLastSMByListId (const Signature *s, int list_id,...)
 Returns the sm with the largest index (added last) from the list passed to us as an id. More...
 
SigMatch * DetectGetLastSM (const Signature *s)
 Returns the sm with the largest index (added latest) from this sig. More...
 
int SigMatchListSMBelongsTo (const Signature *s, const SigMatch *key_sm)
 
int SigParse (DetectEngineCtx *de_ctx, Signature *s, const char *sigstr, uint8_t addrs_direction)
 parse a signature More...
 
Signature * SigAlloc (void)
 
void SigFree (Signature *s)
 
int DetectSignatureAddTransform (Signature *s, int transform)
 
int DetectSignatureSetAppProto (Signature *s, AppProto alproto)
 
SigMatchData * SigMatchList2DataArray (SigMatch *head)
 convert SigMatch list to SigMatchData array More...
 
Signature * SigInit (DetectEngineCtx *de_ctx, const char *sigstr)
 Parses a signature and adds it to the Detection Engine Context. More...
 
int DetectParseDupSigHashInit (DetectEngineCtx *de_ctx)
 Initializes the hash table that is used to cull duplicate sigs. More...
 
void DetectParseDupSigHashFree (DetectEngineCtx *de_ctx)
 Frees the hash table that is used to cull duplicate sigs. More...
 
Signature * DetectEngineAppendSig (DetectEngineCtx *de_ctx, const char *sigstr)
 Parse and append a Signature into the Detection Engine Context signature list. More...
 
void DetectParseFreeRegexes (void)
 
void DetectParseRegexAddToFreeList (pcre *regex, pcre_extra *study)
 add regex and/or study to at exit free list More...
 
void DetectSetupParseRegexes (const char *parse_str, pcre **parse_regex, pcre_extra **parse_regex_study)
 
void SigParseRegisterTests (void)
 

Variables

int sc_set_caps
 

Detailed Description

Author
Victor Julien <victor@inliniac.net>

signature parser

Definition in file detect-parse.c.

Macro Definition Documentation

#define CASE_CODE (   E)    case E: return #E

Definition at line 127 of file detect-parse.c.

Referenced by DetectListToString().

#define CASE_CODE_STRING (   E,
 
)    case E: return S; break

Referenced by DetectListToHumanString().

#define CONFIG_ACTION   0

Definition at line 90 of file detect-parse.c.

#define CONFIG_DIREC   4

Definition at line 94 of file detect-parse.c.

#define CONFIG_DP   6

Definition at line 96 of file detect-parse.c.

#define CONFIG_DST   5

Definition at line 95 of file detect-parse.c.

#define CONFIG_OPTS   7

Definition at line 97 of file detect-parse.c.

#define CONFIG_PARTS   8

Definition at line 88 of file detect-parse.c.

#define CONFIG_PROTO   1

Definition at line 91 of file detect-parse.c.

#define CONFIG_SP   3

Definition at line 93 of file detect-parse.c.

#define CONFIG_SRC   2

Definition at line 92 of file detect-parse.c.

Typedef Documentation

We use this as data to the hash table DetectEngineCtx->dup_sig_hash_table.

helper structure for sig parsing

Function Documentation

Signature* DetectEngineAppendSig ( DetectEngineCtx de_ctx,
const char *  sigstr 
)

Parse and append a Signature into the Detection Engine Context signature list.

If the signature is bidirectional it should append two signatures (with the addresses switched) into the list. It also handles duplicate signatures: in case of duplicate sigs, the one with the latest revision is kept. We use the sid and the msg to identify duplicate sigs. If 2 sigs have the same sid and gid, they are duplicates.

Parameters
de_ctx Pointer to the Detection Engine Context.
sigstr Pointer to a character string containing the signature to be parsed.
sig_file Pointer to a character string containing the filename from which the signature is read
lineno Line number from which the signature is read
Return values
Pointer to the head Signature in the detection engine ctx sig_list on success; NULL on failure.

In DetectEngineAppendSig(), the signatures are prepended and we always return the first one, so if the signature is bidirectional, the returned sig will point through its "next" pointer to the cloned signature with the switched addresses.

Definition at line 2190 of file detect-parse.c.

References Signature_::init_data, SignatureInitData_::init_flags, Signature_::next, SC_ERR_DUPLICATE_SIG, SCLogError, SCLogWarning, SIG_FLAG_INIT_BIDIREC, DetectEngineCtx_::sig_list, SigFree(), and SigInit().

Referenced by DetectAppLayerProtocolRegister(), DetectCipServiceRegister(), DetectDceGetState(), DetectDceOpnumRegister(), DetectDceStubDataRegister(), DetectDNP3Register(), DetectDnsQueryRegister(), DetectEngineInspectModbus(), DetectEngineStateResetTxs(), DetectEnipCommandRegister(), DetectFastPatternRegister(), DetectFtpdataRegister(), DetectGidRegister(), DetectHostbitFree(), DetectIsdataatFree(), DetectLoadCompleteSigPath(), DetectLuaRegister(), DetectMetadataHashFree(), DetectPcrePayloadMatch(), DetectSetupParseRegexes(), DetectSidRegister(), DetectSslStateRegister(), DetectTargetRegister(), DetectTemplateRustBufferRegister(), DetectTlsFingerprintRegister(), DetectTlsIssuerRegister(), DetectTlsJa3HashRegister(), DetectTlsJa3StringRegister(), DetectTlsSerialRegister(), DetectTlsSniRegister(), DetectTlsSubjectRegister(), DetectTlsValidityRegister(), DetectTransformCompressWhitespaceRegister(), DetectTransformStripWhitespaceRegister(), DetectUricontentRegister(), DetectWithinRegister(), DetectXbitFree(), RegisterModbusParsers(), SCSigSignatureOrderingModuleCleanup(), SCThresholdConfParseFile(), SigGroupHeadContainsSigId(), SMTPParserCleanup(), UTHAppendSigs(), and UTHParseSignature().



SigMatch* DetectGetLastSM ( const Signature s)

Returns the sm with the largest index (added latest) from this sig.

Return values
sm_last Pointer to the last sm

Definition at line 505 of file detect-parse.c.

References SigMatch_::idx, Signature_::init_data, SigMatch_::next, SigMatch_::prev, SignatureInitData_::smlists_array_size, and SignatureInitData_::smlists_tail.

Referenced by DetectPrefilterRegister().


SigMatch* DetectGetLastSMByListId ( const Signature s,
int  list_id,
  ... 
)

Returns the sm with the largest index (added last) from the list passed to us as an id.

Parameters
list_id id of the list to be searched
va_args list of keyword types terminated by -1
Return values
sm_last Pointer to the last sm.

Definition at line 473 of file detect-parse.c.

References SigMatch_::idx, Signature_::init_data, and SignatureInitData_::smlists_tail.

Referenced by DetectByteExtractDoMatch(), DetectEngineContentModifierBufferSetup(), DetectRawbytesRegister(), DetectReplaceRegister(), SCThresholdConfInitContext(), and SCThresholdConfParseFile().


SigMatch* DetectGetLastSMByListPtr ( const Signature s,
SigMatch sm_list,
  ... 
)

Returns the sm with the largest index (added last) from the list passed to us as a pointer.

Parameters
sm_list pointer to the SigMatch we should look before
va_args list of keyword types terminated by -1
Return values
sm_last Pointer to the last sm.

Definition at line 441 of file detect-parse.c.

References SigMatch_::idx.

Referenced by DetectDistanceRegister(), DetectEngineContentModifierBufferSetup(), DetectGetLastSMFromMpmLists(), DetectPcrePayloadMatch(), and DetectWithinRegister().


SigMatch* DetectGetLastSMFromMpmLists ( const DetectEngineCtx de_ctx,
const Signature s 
)

get the last SigMatch from lists that support MPM.

Note
only supports the lists that are registered through DetectBufferTypeSupportsMpm().

Definition at line 362 of file detect-parse.c.

References DETECT_CONTENT, DETECT_SM_LIST_NOTSET, DetectBufferTypeSupportsMpmGetById(), DetectGetLastSMByListPtr(), SigMatch_::idx, Signature_::init_data, SignatureInitData_::list, SignatureInitData_::smlists_array_size, and SignatureInitData_::smlists_tail.

Referenced by DetectFastPatternRegister().



const char* DetectListToHumanString ( int  list)
const char* DetectListToString ( int  list)
void DetectParseDupSigHashFree ( DetectEngineCtx de_ctx)

Frees the hash table that is used to cull duplicate sigs.

Parameters
de_ctx Pointer to the detection engine context that holds this table.

Definition at line 2033 of file detect-parse.c.

References DetectEngineCtx_::dup_sig_hash_table, HashListTableAdd(), HashListTableFree(), HashListTableLookup(), Signature_::init_data, SignatureInitData_::init_flags, Signature_::next, Signature_::rev, SigDuplWrapper_::s, SigDuplWrapper_::s_prev, SCFree, SCMalloc, SIG_FLAG_INIT_BIDIREC, DetectEngineCtx_::sig_list, SigFree(), and unlikely.

Referenced by DetectEngineCtxFree(), and SigLoadSignatures().



int DetectParseDupSigHashInit ( DetectEngineCtx de_ctx)

Initializes the hash table that is used to cull duplicate sigs.

Parameters
de_ctx Pointer to the detection engine context.
Return values
0 On success.
-1 On failure.

Definition at line 2016 of file detect-parse.c.

References DetectEngineCtx_::dup_sig_hash_table, and HashListTableInit().

Referenced by DetectEngineInspectBufferGeneric().



void DetectParseFreeRegexes ( void  )

Definition at line 2244 of file detect-parse.c.

References next, DetectParseRegex_::next, pcre_free_study, DetectParseRegex_::regex, SCFree, and DetectParseRegex_::study.

Referenced by GlobalsInitPreConfig().


void DetectParseRegexAddToFreeList ( pcre *  regex,
pcre_extra *  study 
)

add regex and/or study to the at-exit free list

Definition at line 2264 of file detect-parse.c.

References FatalError, DetectParseRegex_::next, DetectParseRegex_::regex, SC_ERR_MEM_ALLOC, SCCalloc, and DetectParseRegex_::study.

Referenced by DetectPcreRegister(), and DetectSetupParseRegexes().


void DetectSetupParseRegexes ( const char *  parse_str,
pcre **  parse_regex,
pcre_extra **  parse_regex_study 
)

Definition at line 2276 of file detect-parse.c.

References Signature_::alproto, BUG_ON, DE_QUIET, DecodeEthernet(), DETECT_SM_LIST_PMATCH, DetectEngineAppendSig(), DetectEngineCtxFree(), DetectEngineCtxInit(), DetectEngineThreadCtxDeinit(), DetectEngineThreadCtxInit(), DetectParseRegexAddToFreeList(), DetectPortCleanupList(), DetectPortCmp(), DetectPortParse(), DetectPortPrint(), FAIL_IF, FAIL_IF_NOT, FAIL_IF_NOT_NULL, FAIL_IF_NULL, FatalError, Signature_::flags, DetectEngineCtx_::flags, FLOW_QUIET, FlowInitConfig(), FlowShutdown(), Signature_::id, Signature_::init_data, SignatureInitData_::init_flags, Signature_::next, PACKET_RECYCLE, PacketAlertCheck(), PASS, PORT_EQ, Signature_::rev, SigDuplWrapper_::s, SC_ERR_PCRE_COMPILE, SC_ERR_PCRE_STUDY, SCClassConfDeinit(), SCClassConfGenerateValidDummyClassConfigFD01(), SCClassConfInit(), SCClassConfLoadClassficationConfigFile(), SCFree, SCLogDebug, SCMalloc, SCReferenceConfDeinit(), SCReferenceConfInit(), SIG_FLAG_INIT_BIDIREC, SIG_FLAG_REQUIRE_PACKET, SIG_FLAG_REQUIRE_STREAM, DetectEngineCtx_::sig_list, SigCleanSignatures(), SigFree(), SigGroupBuild(), SigGroupCleanup(), SigInit(), SigMatchSignatures(), DetectEngineCtx_::signum, SigTableSetup(), SIZE_OF_PACKET, SignatureInitData_::smlists, Signature_::sp, unlikely, UTHAppendSigs(), UTHBuildPacketFromEth(), UTHCheckPacketMatchResults(), and UTHMatchPackets().

Referenced by DetectBase64DecodeRegister(), DetectByteExtractRegister(), DetectBytejumpRegister(), DetectBytetestRegister(), DetectClasstypeRegister(), DetectDceIfaceRegister(), DetectDceOpnumRegister(), DetectDetectionFilterRegister(), DetectDsizeRegister(), DetectEngineEventRegister(), DetectFastPatternRegister(), DetectFilesizeRegister(), DetectFilestoreRegister(), DetectFlagsRegister(), DetectFlowbitsRegister(), DetectFlowintRegister(), DetectFlowRegister(), DetectFlowvarRegister(), DetectFragBitsRegister(), DetectFragOffsetRegister(), DetectFtpdataRegister(), DetectHostbitsRegister(), DetectIcmpIdRegister(), DetectIcmpSeqRegister(), DetectICodeRegister(), DetectIdRegister(), DetectIpOptsRegister(), DetectIPProtoRegister(), DetectIPRepRegister(), DetectIsdataatRegister(), DetectITypeRegister(), DetectMarkRegister(), DetectModbusRegister(), DetectNfsProcedureRegister(), DetectNfsVersionRegister(), DetectPcreRegister(), DetectPktvarRegister(), DetectPriorityRegister(), DetectReferenceRegister(), DetectRpcRegister(), DetectSshSoftwareVersionRegister(), DetectSshVersionRegister(), DetectSslStateRegister(), DetectSslVersionRegister(), DetectStreamSizeRegister(), DetectTagRegister(), DetectTargetRegister(), DetectTemplate2Register(), DetectTemplateRegister(), DetectThresholdRegister(), DetectTlsRegister(), DetectTlsValidityRegister(), DetectTlsVersionRegister(), DetectTosRegister(), DetectTtlRegister(), DetectUrilenRegister(), DetectWindowRegister(), and DetectXbitsRegister().


int DetectSignatureSetAppProto ( Signature s,
AppProto  alproto 
)

Definition at line 1373 of file detect-parse.c.

References Signature_::addr_dst_match4, Signature_::addr_dst_match4_cnt, Signature_::addr_dst_match6, Signature_::addr_dst_match6_cnt, Signature_::addr_src_match4, Signature_::addr_src_match4_cnt, Signature_::addr_src_match6, Signature_::addr_src_match6_cnt, Signature_::alproto, ALPROTO_FAILED, ALPROTO_UNKNOWN, AppProtoToString(), SignatureInitData_::dst, Signature_::flags, Signature_::init_data, DetectAddress_::ip, DetectMatchAddressIPv4_::ip, DetectMatchAddressIPv6_::ip, DetectAddress_::ip2, DetectMatchAddressIPv4_::ip2, DetectMatchAddressIPv6_::ip2, DetectAddressHead_::ipv4_head, DetectAddressHead_::ipv6_head, len, DetectAddress_::next, SigMatch_::next, SC_ERR_CONFLICTING_RULE_KEYWORDS, SC_ERR_INVALID_ARGUMENT, SCLogError, SCMalloc, SCNtohl, SIG_FLAG_APPLAYER, and SignatureInitData_::src.

Referenced by DetectAppLayerEventRegister(), DetectByteExtractDoMatch(), DetectBytejumpDoMatch(), DetectBytetestDoMatch(), DetectCipServiceRegister(), DetectEnipCommandRegister(), DetectFtpbounceRegister(), DetectFtpdataRegister(), DetectHttpClientBodyRegister(), DetectHttpRawHeaderRegister(), DetectHttpServerBodyRegister(), DetectHttpUARegister(), DetectNfsProcedureRegister(), DetectNfsVersionRegister(), DetectSshSoftwareVersionRegister(), DetectSshVersionRegister(), DetectSslStateRegister(), DetectSslVersionRegister(), DetectTemplateBufferRegister(), DetectTemplateRustBufferRegister(), DetectTlsFingerprintRegister(), DetectTlsRegister(), DetectTlsSerialRegister(), DetectTlsValidityRegister(), DetectTlsVersionRegister(), and DetectUrilenRegister().



Signature* SigInit ( DetectEngineCtx de_ctx,
const char *  sigstr 
)

Parses a signature and adds it to the Detection Engine Context.

Parameters
de_ctx Pointer to the Detection Engine Context.
sigstr Pointer to a character string containing the signature to be parsed.
Return values
Pointer to the Signature instance on success; NULL on failure.

Definition at line 1910 of file detect-parse.c.

References HashListTable_::array_size, Signature_::gid, Signature_::id, Signature_::init_data, SignatureInitData_::init_flags, Signature_::next, SigDuplWrapper_::s, SCEnter, SCFree, SCLogInfo, SCReturnPtr, SIG_DIREC_NORMAL, SIG_DIREC_SWITCHED, SIG_FLAG_INIT_BIDIREC, SigFree(), and DetectEngineCtx_::signum.

Referenced by AlertFastLogInitCtx(), DetectAckRegister(), DetectBase64DataDoMatch(), DetectBase64DecodeDoMatch(), DetectByteExtractRetrieveSMVar(), DetectBytejumpDoMatch(), DetectBytetestDoMatch(), DetectClasstypeRegister(), DetectDceOpnumRegister(), DetectDceStubDataRegister(), DetectDetectionFilterRegister(), DetectDistanceRegister(), DetectDNP3Register(), DetectEngineAppendSig(), DetectEngineInspectENIP(), DetectEngineInspectModbus(), DetectEngineInspectStream(), DetectEngineStateResetTxs(), DetectFastPatternRegister(), DetectFilesizeRegister(), DetectFilestorePostMatch(), DetectFlowbitsAnalyze(), DetectFlowFree(), DetectFragOffsetFree(), DetectFtpbounceRegister(), DetectGeoipRegister(), DetectHostbitFree(), DetectHttpRequestLineRegister(), DetectHttpResponseLineRegister(), DetectIcmpIdFree(), DetectIcmpSeqFree(), DetectICodeFree(), DetectIPProtoRemoveAllSMs(), DetectIPRepFree(), DetectIsdataatFree(), DetectITypeFree(), DetectL3ProtoRegister(), DetectModbusRegister(), DetectMsgRegister(), DetectPcrePayloadMatch(), DetectPktDataRegister(), DetectPriorityRegister(), DetectProtoContainsProto(), DetectReferenceFree(), DetectReplaceFreeInternal(), DetectRpcFree(), DetectSameipRegister(), DetectSeqRegister(), DetectSetupParseRegexes(), DetectSshSoftwareVersionRegister(), DetectSshVersionRegister(), DetectSslVersionRegister(), DetectThresholdRegister(), DetectTlsFingerprintRegister(), DetectTlsIssuerRegister(), DetectTlsSerialRegister(), DetectTlsSubjectRegister(), DetectTlsVersionRegister(), DetectUricontentRegister(), DetectUrilenValidateContent(), IPOnlyAddSignature(), MpmACRegister(), MpmACTileRegister(), SCACBSPrintInfo(), SCRuleVarsGetConfVar(), SCSigSignatureOrderingModuleCleanup(), SigGroupHeadContainsSigId(), SigParseApplyDsizeToContent(), UTHPacketMatchSig(), and UTHPacketMatchSigMpm().


SigMatch* SigMatchAlloc ( void  )

Definition at line 226 of file detect-parse.c.

References SigMatch_::next, SigMatch_::prev, SCMalloc, and unlikely.

Referenced by DetectAckRegister(), DetectAppLayerEventRegister(), DetectAsn1Register(), DetectBase64DecodeDoMatch(), DetectBypassRegister(), DetectByteExtractDoMatch(), DetectBytejumpDoMatch(), DetectBytetestDoMatch(), DetectCipServiceRegister(), DetectContentSetup(), DetectCsumRegister(), DetectDceGetState(), DetectDceOpnumRegister(), DetectDetectionFilterRegister(), DetectDsizeRegister(), DetectEngineEventRegister(), DetectEnipCommandRegister(), DetectFileextRegister(), DetectFilemagicRegister(), DetectFilenameRegister(), DetectFilesizeRegister(), DetectFilestorePostMatch(), DetectFlagsRegister(), DetectFlagsSignatureNeedsSynOnlyPackets(), DetectFlowbitMatch(), DetectFlowintMatch(), DetectFlowSetupImplicit(), DetectFlowvarMatch(), DetectFlowvarPostMatchSetup(), DetectFragBitsRegister(), DetectFragOffsetRegister(), DetectFtpbounceRegister(), DetectFtpdataRegister(), DetectGeoipRegister(), DetectIcmpIdRegister(), DetectIcmpSeqRegister(), DetectIdRegister(), DetectIpOptsFree(), DetectIPProtoRegister(), DetectIPRepRegister(), DetectIsdataatSetup(), DetectLuaRegister(), DetectMarkRegister(), DetectNfsProcedureRegister(), DetectNfsVersionRegister(), DetectPcrePayloadMatch(), DetectPktvarRegister(), DetectRpcRegister(), DetectSameipRegister(), DetectSeqRegister(), DetectSshSoftwareVersionRegister(), DetectSshVersionRegister(), DetectSslStateRegister(), DetectSslVersionRegister(), DetectStreamSizeRegister(), DetectTagRegister(), DetectTemplate2Register(), DetectTemplateRegister(), DetectThresholdRegister(), DetectTlsRegister(), DetectTlsValidityRegister(), DetectTlsVersionRegister(), DetectTosRegister(), DetectTtlRegister(), DetectUrilenRegister(), DetectWindowRegister(), DetectXbitMatchHost(), DetectXbitsRegister(), and SCThresholdConfInitContext().

void SigMatchAppendSMToList ( Signature s,
SigMatch new,
int  list 
)

Append a SigMatch to the list type.

Parameters
s Signature.
new The sig match to append.
list The list to append to.

Definition at line 282 of file detect-parse.c.

References SigMatch_::idx, Signature_::init_data, SigMatch_::next, SigMatch_::prev, SCRealloc, SignatureInitData_::sm_cnt, SignatureInitData_::smlists, SignatureInitData_::smlists_array_size, and SignatureInitData_::smlists_tail.

Referenced by DetectAckRegister(), DetectAppLayerEventRegister(), DetectAsn1Register(), DetectBase64DecodeDoMatch(), DetectBypassRegister(), DetectByteExtractDoMatch(), DetectBytejumpDoMatch(), DetectBytetestDoMatch(), DetectCipServiceRegister(), DetectContentSetup(), DetectCsumRegister(), DetectDceGetState(), DetectDceOpnumRegister(), DetectDetectionFilterRegister(), DetectDsizeRegister(), DetectEngineEventRegister(), DetectEnipCommandRegister(), DetectFileextRegister(), DetectFilemagicRegister(), DetectFilenameRegister(), DetectFilesizeRegister(), DetectFilestorePostMatch(), DetectFlagsRegister(), DetectFlowbitMatch(), DetectFlowintMatch(), DetectFlowSetupImplicit(), DetectFlowvarMatch(), DetectFlowvarPostMatchSetup(), DetectFragBitsRegister(), DetectFragOffsetRegister(), DetectFtpbounceRegister(), DetectFtpdataRegister(), DetectGeoipRegister(), DetectIcmpIdRegister(), DetectIcmpSeqRegister(), DetectIdRegister(), DetectIPProtoRegister(), DetectIPRepRegister(), DetectIsdataatSetup(), DetectLuaRegister(), DetectMarkRegister(), DetectNfsProcedureRegister(), DetectNfsVersionRegister(), DetectPcrePayloadMatch(), DetectPktvarRegister(), DetectRpcRegister(), DetectSameipRegister(), DetectSeqRegister(), DetectSshSoftwareVersionRegister(), DetectSshVersionRegister(), DetectSslStateRegister(), DetectSslVersionRegister(), DetectStreamSizeRegister(), DetectTagRegister(), DetectTemplate2Register(), DetectTemplateRegister(), DetectThresholdRegister(), DetectTlsRegister(), DetectTlsValidityRegister(), DetectTlsVersionRegister(), DetectTosRegister(), DetectTtlRegister(), DetectUrilenRegister(), DetectWindowRegister(), DetectXbitMatchHost(), DetectXbitsRegister(), and SCThresholdConfInitContext().

void SigMatchFree ( SigMatch sm)

free a SigMatch

Parameters
sm SigMatch to free.

Frees the ctx as well; for that it calls the keyword's Free func.

Definition at line 241 of file detect-parse.c.

References SigTableElmt_::alias, SigMatch_::ctx, DETECT_TBLSIZE, SigTableElmt_::Free, SigTableElmt_::name, SCFree, sigmatch_table, and SigMatch_::type.

Referenced by DetectAckRegister(), DetectAppLayerEventRegister(), DetectIPProtoRemoveAllSMs(), DetectSeqRegister(), SCThresholdConfInitContext(), SigAddressPrepareStage4(), and SigFree().


SigMatchData* SigMatchList2DataArray ( SigMatch head)

convert SigMatch list to SigMatchData array

Note
ownership of sm->ctx is transferred to smd->ctx

Definition at line 1510 of file detect-parse.c.

References DetectEngineAppInspectionEngine_::alproto, Signature_::alproto, ALPROTO_HTTP, ALPROTO_SMTP, ALPROTO_UNKNOWN, DetectEngineCtx_::app_inspect_engines, AppLayerHtpNeedFileInspection(), AppLayerParserSupportsFiles(), AppLayerProtoDetectSupportedIpprotos(), AppProtoToString(), BUG_ON, SigMatch_::ctx, SigMatchData_::ctx, DETECT_CONTENT, DETECT_CONTENT_DEPTH, DETECT_CONTENT_OFFSET, DETECT_PROTO_ANY, DETECT_REPLACE, DETECT_SM_LIST_BASE64_DATA, DETECT_SM_LIST_MATCH, DETECT_SM_LIST_NOTSET, DETECT_SM_LIST_PMATCH, DETECT_SM_LIST_POSTMATCH, DETECT_SM_LIST_SUPPRESS, DETECT_SM_LIST_THRESHOLD, DETECT_SM_LIST_TMATCH, DETECT_STREAM_SIZE, DetectAddressListsAreEqual(), DetectAppLayerEventPrepare(), DetectBufferRunSetupCallback(), DetectBufferRunValidateCallback(), DetectBufferTypeGetNameById(), DetectBufferTypeSupportsPacketGetById(), DetectContentPMATCHValidateCallback(), DetectFlowSetupImplicit(), DetectGetLastSMFromLists(), DetectLuaPostSetup(), DetectPortListsAreEqual(), DetectEngineAppInspectionEngine_::dir, Signature_::dp, SignatureInitData_::dst, dst, FALSE, Signature_::file_flags, DetectProto_::flags, Signature_::flags, Signature_::gid, head, Signature_::id, SigMatch_::idx, Signature_::init_data, SignatureInitData_::init_flags, DetectAddressHead_::ipv4_head, DetectAddressHead_::ipv6_head, SigMatchData_::is_last, len, SignatureInitData_::list, SigTableElmt_::Match, SigMatch_::next, DetectEngineAppInspectionEngine_::next, Signature_::num, SigMatch_::prev, Signature_::prio, DetectProto_::proto, Signature_::proto, SC_ERR_DETECT_PREPARE, SC_ERR_INVALID_SIGNATURE, SC_ERR_NO_FILES_FOR_PROTOCOL, SCCalloc, SCEnter, SCLogDebug, SCLogError, SCReturnInt, SIG_FLAG_APPLAYER, SIG_FLAG_DP_ANY, SIG_FLAG_DST_ANY, SIG_FLAG_FILESTORE, SIG_FLAG_INIT_FLOW, SIG_FLAG_INIT_PACKET, SIG_FLAG_REQUIRE_PACKET, SIG_FLAG_REQUIRE_STREAM, SIG_FLAG_SP_ANY, SIG_FLAG_SRC_ANY, SIG_FLAG_TOCLIENT, SIG_FLAG_TOSERVER, SigAlloc(), DetectEngineCtx_::sigerror, SigFree(), sigmatch_table, 
SigMatchListSMBelongsTo(), DetectEngineCtx_::signum, SigParse(), DetectEngineAppInspectionEngine_::sm_list, SignatureInitData_::smlists, SignatureInitData_::smlists_array_size, Signature_::sp, SignatureInitData_::src, src, ts, SigMatch_::type, and SigMatchData_::type.

Referenced by DetectEngineAppInspectionEngine2Signature(), and SigAddressPrepareStage4().



int SigMatchListSMBelongsTo ( const Signature s,
const SigMatch key_sm 
)

Definition at line 555 of file detect-parse.c.

References SignatureParser_::action, Signature_::action, ACTION_ALERT, ACTION_DROP, ACTION_PASS, ACTION_REJECT, ACTION_REJECT_BOTH, ACTION_REJECT_DST, Signature_::alproto, ALPROTO_UNKNOWN, AppLayerGetProtoByName(), AppLayerProtoDetectSupportedIpprotos(), DETECT_MAX_RULE_SIZE, DETECT_PROTO_ONLY_PKT, DETECT_PROTO_ONLY_STREAM, DetectParseAddress(), DetectPortParse(), DetectProtoParse(), SignatureParser_::direction, SignatureParser_::dp, Signature_::dp, SignatureParser_::dst, SignatureInitData_::dst, DetectProto_::flags, Signature_::flags, SigTableElmt_::flags, index, Signature_::init_data, SignatureInitData_::init_flags, IPOnlySigParseAddress(), len, SigTableElmt_::name, SignatureInitData_::negated, SigMatch_::next, SignatureParser_::opts, DetectProto_::proto, Signature_::proto, SignatureParser_::protocol, SigDuplWrapper_::s, SC_ERR_INVALID_ACTION, SC_ERR_INVALID_DIRECTION, SC_ERR_INVALID_SIGNATURE, SC_ERR_LIBNET11_INCOMPATIBLE_WITH_LIBCAP_NG, SC_ERR_LIBNET_REQUIRED_FOR_ACTION, SC_ERR_RULE_KEYWORD_UNKNOWN, SC_ERR_UNKNOWN_PROTOCOL, sc_set_caps, SCEnter, SCLogDebug, SCLogError, SCReturnInt, SigTableElmt_::Setup, SIG_DIREC_DST, SIG_DIREC_SRC, SIG_FLAG_APPLAYER, SIG_FLAG_DP_ANY, SIG_FLAG_DST_ANY, SIG_FLAG_INIT_BIDIREC, SIG_FLAG_REQUIRE_PACKET, SIG_FLAG_REQUIRE_STREAM, SIG_FLAG_SP_ANY, SIG_FLAG_SRC_ANY, SIGMATCH_HANDLE_NEGATION, SIGMATCH_NOOPT, SIGMATCH_OPTIONAL_OPT, SIGMATCH_QUOTES_MANDATORY, SIGMATCH_QUOTES_OPTIONAL, SignatureInitData_::smlists, SignatureInitData_::smlists_array_size, SignatureParser_::sp, Signature_::sp, SignatureParser_::src, SignatureInitData_::src, strlcpy(), and TRUE.

Referenced by DetectAppLayerInspectEngineRegister2(), DetectBase64DecodeDoMatch(), DetectByteExtractDoMatch(), DetectBytejumpDoMatch(), DetectBytetestDoMatch(), DetectEngineAppInspectionEngine2Signature(), DetectIsdataatSetup(), DetectSetFastPatternAndItsId(), EngineAnalysisFP(), EngineAnalysisRules(), MpmStoreFree(), MpmStorePrepareBuffer(), PacketCreateMask(), PerCentEncodingMatch(), and SigMatchList2DataArray().



void SigMatchRemoveSMFromList ( Signature s,
SigMatch sm,
int  sm_list 
)
int SigParse ( DetectEngineCtx de_ctx,
Signature s,
const char *  sigstr,
uint8_t  addrs_direction 
)

parse a signature

Parameters
de_ctx detection engine ctx to add it to
s memory structure to store the signature in
sigstr the raw signature as a null-terminated string
addrs_direction direction (for bi-directional sigs)
Return values
-1 parse error
0 ok

Definition at line 1124 of file detect-parse.c.

References DetectIPProtoRemoveAllSMs(), SignatureParser_::opts, SCEnter, SCLogDebug, SCReturnInt, SCStrdup, Signature_::sig_str, and unlikely.

Referenced by SigMatchList2DataArray().



void SigParseRegisterTests ( void  )

Definition at line 3987 of file detect-parse.c.

References UtRegisterTest().

Referenced by SigRegisterTests().



Variable Documentation

int sc_set_caps

whether to drop capabilities (set caps) or not

Definition at line 221 of file suricata.c.

Referenced by RegisterAllModules(), and SigMatchListSMBelongsTo().