74 static void SigMatchTransferSigMatchAcrossLists(
SigMatch *sm,
88 #define CONFIG_PARTS 8 90 #define CONFIG_ACTION 0 91 #define CONFIG_PROTO 1 94 #define CONFIG_DIREC 4 113 #define CASE_CODE_STRING(E, S) case E: return S; break 123 #undef CASE_CODE_STRING 127 #define CASE_CODE(E) case E: return #E 144 Signature *
s,
const char *arg,
int sm_type,
int sm_list,
150 if (arg != NULL && strcmp(arg,
"") != 0) {
158 "with a sticky buffer still set. Reset sticky buffer " 159 "with pkt_data before using the modifier.",
173 "found inside the rule without a content context. " 174 "Please use a \"content\" keyword before using the " 182 "be used with the rawbytes rule keyword",
188 "be used with the replace rule keyword",
221 SigMatchTransferSigMatchAcrossLists(sm,
253 if (sm->
ctx != NULL) {
264 ptrdiff_t
offset = e - table;
278 if (st->
name != NULL) {
279 if (strcasecmp(name,st->
name) == 0)
281 if (st->
alias != NULL && strcasecmp(name,st->
alias) == 0)
311 if (strcmp(str,
"all") == 0) {
323 char *xsaveptr = NULL;
324 char *key = strtok_r(copy,
",", &xsaveptr);
325 while (key != NULL) {
331 "argument '%s' not found", key);
333 key = strtok_r(NULL,
",", &xsaveptr);
351 uint32_t new_size = (uint32_t)list + 1;
360 for (uint32_t i = old_size; i < new_size; i++) {
392 if (sm->
prev != NULL)
394 if (sm->
next != NULL)
412 if (sm->
type == type) {
452 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
482 for (sm_type = va_arg(ap,
int); sm_type != -1; sm_type = va_arg(ap,
int))
487 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
512 va_start(ap, sm_list);
514 for (sm_type = va_arg(ap,
int); sm_type != -1; sm_type = va_arg(ap,
int))
516 sm_new = SigMatchGetLastSMByType(sm_list, sm_type);
519 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
548 va_start(ap, list_id);
550 for (sm_type = va_arg(ap,
int); sm_type != -1; sm_type = va_arg(ap,
int))
552 sm_new = SigMatchGetLastSMByType(sm_list, sm_type);
555 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
576 for (i = 0; i < nlists; i ++) {
580 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
587 static void SigMatchTransferSigMatchAcrossLists(
SigMatch *sm,
593 if (sm->
prev != NULL)
595 if (sm->
next != NULL)
598 if (sm == *src_sm_list)
599 *src_sm_list = sm->
next;
600 if (sm == *src_sm_list_tail)
601 *src_sm_list_tail = sm->
prev;
603 if (*dst_sm_list == NULL) {
605 *dst_sm_list_tail = sm;
613 *dst_sm_list_tail = sm;
624 for (list = 0; list < nlists; list++) {
641 char *optname = NULL;
642 char *optvalue = NULL;
645 while (isblank(*optstr)) {
650 char *optend = optstr;
652 optend = strchr(optend,
';');
653 if (optend == NULL) {
657 else if (optend > optstr && *(optend -1 ) ==
'\\') {
666 char *optvalptr = strchr(optstr,
':');
668 *(optvalptr++) =
'\0';
671 for (
size_t i = strlen(optvalptr); i > 0; i--) {
672 if (isblank(optvalptr[i - 1])) {
673 optvalptr[i - 1] =
'\0';
679 optvalue = optvalptr;
683 for (
size_t i = strlen(optstr); i > 0; i--) {
684 if (isblank(optstr[i - 1])) {
685 optstr[i - 1] =
'\0';
693 st = SigTableGet(optname);
700 if (optvalue == NULL || strlen(optvalue) == 0) {
709 #define URL "https://suricata-ids.org/about/deprecation-policy/" 712 "and will be removed soon. See %s", st->
name,
URL);
715 "and will be removed soon. Use '%s' instead. " 723 if (optvalue != NULL && strlen(optvalue) > 0) {
724 size_t ovlen = strlen(optvalue);
725 char *ptr = optvalue;
761 "value must be double quoted \'%s\'", optname, optstr);
766 && ovlen && *ptr ==
'"')
768 for (; ovlen > 0; ovlen--) {
769 if (isblank(ptr[ovlen - 1])) {
770 ptr[ovlen - 1] =
'\0';
775 if (ovlen && ptr[ovlen - 1] !=
'"') {
777 "bad option value formatting (possible missing semicolon) " 778 "for keyword %s: \'%s\'", optname, optvalue);
785 ptr[ovlen - 1] =
'\0';
791 "for keyword %s: \'%s\'", optname, optvalue);
802 setup_ret = st->
Setup(de_ctx, s, ptr);
805 setup_ret = st->
Setup(de_ctx, s, NULL);
811 if (setup_ret == -2) {
823 if (strlen(optend) > 0) {
824 strlcpy(output, optend, output_size);
839 Signature *s,
const char *addrstr,
char flag)
841 SCLogDebug(
"Address Group \"%s\" to be parsed now", addrstr);
845 if (strcasecmp(addrstr,
"any") == 0)
853 if (strcasecmp(addrstr,
"any") == 0)
880 static int SigParseProto(
Signature *s,
const char *protostr)
895 "in a signature. Either detection for this protocol " 896 "is not yet supported OR detection has been disabled for " 897 "protocol through the yaml option " 898 "app-layer.protocols.%s.detection-enabled", protostr,
928 Signature *s,
const char *portstr,
char flag)
934 SCLogDebug(
"Port group \"%s\" to be parsed", portstr);
937 if (strcasecmp(portstr,
"any") == 0)
941 }
else if (flag == 1) {
942 if (strcasecmp(portstr,
"any") == 0)
957 static int SigParseActionRejectValidate(
const char *action)
960 #if defined HAVE_LIBCAP_NG && !defined HAVE_LIBNET_CAPABILITIES 963 "incompatible with POSIX based capabilities with privs dropping. " 964 "For rejects to work, run as root/super user.");
970 "required for action \"%s\" but is not compiled into Suricata",
988 static int SigParseAction(
Signature *s,
const char *action)
990 if (strcasecmp(action,
"alert") == 0) {
993 }
else if (strcasecmp(action,
"drop") == 0) {
996 }
else if (strcasecmp(action,
"pass") == 0) {
999 }
else if (strcasecmp(action,
"reject") == 0) {
1000 if (!(SigParseActionRejectValidate(action)))
1004 }
else if (strcasecmp(action,
"rejectsrc") == 0) {
1005 if (!(SigParseActionRejectValidate(action)))
1009 }
else if (strcasecmp(action,
"rejectdst") == 0) {
1010 if (!(SigParseActionRejectValidate(action)))
1014 }
else if (strcasecmp(action,
"rejectboth") == 0) {
1015 if (!(SigParseActionRejectValidate(action)))
1036 static inline int SigParseToken(
char **input,
char *output,
1037 const size_t output_size)
1039 size_t len = *input == NULL ? 0 : strlen(*input);
1045 while (len && isblank(**input)) {
1050 char *endptr = strpbrk(*input,
" \t\n\r");
1051 if (endptr != NULL) {
1054 strlcpy(output, *input, output_size);
1071 static inline int SigParseList(
char **input,
char *output,
1072 const size_t output_size)
1075 size_t len = *input != NULL ? strlen(*input) : 0;
1081 while (len && isblank(**input)) {
1087 for (i = 0; i <
len; i++) {
1088 char c = (*input)[i];
1091 }
else if (c ==
']') {
1093 }
else if (c ==
' ') {
1104 strlcpy(output, *input, output_size);
1105 *input = *input + i + 1;
1123 SigParseToken(&index, parser->
action,
sizeof(parser->
action));
1129 SigParseList(&index, parser->
src,
sizeof(parser->
src));
1132 SigParseList(&index, parser->
sp,
sizeof(parser->
sp));
1138 SigParseList(&index, parser->
dst,
sizeof(parser->
dst));
1141 SigParseList(&index, parser->
dp,
sizeof(parser->
dp));
1144 if (index == NULL) {
1148 while (isspace(*index) || *index ==
'(') {
1151 for (
size_t i = strlen(index); i > 0; i--) {
1152 if (isspace(index[i - 1]) || index[i - 1] ==
')') {
1153 index[i - 1] =
'\0';
1161 if (SigParseAction(s, parser->
action) < 0)
1164 if (SigParseProto(s, parser->
protocol) < 0)
1167 if (strcmp(parser->
direction,
"<>") == 0) {
1169 }
else if (strcmp(parser->
direction,
"->") != 0) {
1171 "\"%s\" is not a valid direction modifier, " 1172 "\"->\" and \"<>\" are supported.", parser->
direction);
1177 if (SigParseAddress(de_ctx, s, parser->
src,
SIG_DIREC_SRC ^ addrs_direction) < 0)
1180 if (SigParseAddress(de_ctx, s, parser->
dst,
SIG_DIREC_DST ^ addrs_direction) < 0)
1187 if (SigParsePort(de_ctx, s, parser->
sp,
SIG_DIREC_SRC ^ addrs_direction) < 0)
1189 if (SigParsePort(de_ctx, s, parser->
dp,
SIG_DIREC_DST ^ addrs_direction) < 0)
1219 int ret = SigParseBasics(de_ctx, s, sigstr, parser, addrs_direction);
1226 if (strlen(parser->
opts) > 0) {
1227 size_t buffer_size = strlen(parser->
opts) + 1;
1228 char input[buffer_size];
1229 char output[buffer_size];
1230 memset(input, 0x00, buffer_size);
1231 memcpy(input, parser->
opts, strlen(parser->
opts)+1);
1237 memset(output, 0x00, buffer_size);
1238 ret = SigParseOptions(de_ctx, s, input, output, buffer_size);
1240 memcpy(input, output, buffer_size);
1296 static void SigMetadataFree(
Signature *s)
1309 for (mdata = s->
metadata; mdata != NULL;) {
1310 next_mdata = mdata->
next;
1340 next_ref = ref->
next;
1350 static void SigMatchFreeArrays(
Signature *s,
int ctxs)
1388 for (i = 0; i < nlists; i++) {
1390 while (sm != NULL) {
1397 SigMatchFreeArrays(s, (s->
init_data == NULL));
1405 if (s->
sp != NULL) {
1408 if (s->
dp != NULL) {
1466 "can't set rule app proto to %s: already set to %s",
1482 static void SigBuildAddressMatchArray(
Signature *s)
1488 for ( ; da != NULL; da = da->
next) {
1509 for ( ; da != NULL; da = da->
next) {
1530 for ( ; da != NULL; da = da->
next) {
1557 for ( ; da != NULL; da = da->
next) {
1581 static int SigMatchListLen(
SigMatch *sm)
1584 for (; sm != NULL; sm = sm->
next)
1595 int len = SigMatchListLen(head);
1608 for (; sm != NULL; sm = sm->
next, smd++) {
1628 uint32_t sig_flags = 0;
1650 struct BufferVsDir {
1654 memset(&bufdir, 0, nlists *
sizeof(
struct BufferVsDir));
1657 for (x = 0; x < nlists; x++) {
1660 for ( ; app != NULL; app = app->
next) {
1666 bufdir[x].ts += (app->
dir == 0);
1667 bufdir[x].tc += (app->
dir == 1);
1680 for (x = 0; x < nlists; x++) {
1681 if (bufdir[x].
ts == 0 && bufdir[x].tc == 0)
1683 ts_excl += (bufdir[x].ts > 0 && bufdir[x].tc == 0);
1684 tc_excl += (bufdir[x].ts == 0 && bufdir[x].tc > 0);
1685 dir_amb += (bufdir[x].ts > 0 && bufdir[x].tc > 0);
1688 x, bufdir[x].
ts, bufdir[x].tc);
1690 if (ts_excl && tc_excl) {
1693 }
else if (ts_excl) {
1694 SCLogDebug(
"%u: implied rule direction is toserver", s->
id);
1699 }
else if (tc_excl) {
1700 SCLogDebug(
"%u: implied rule direction is toclient", s->
id);
1705 }
else if (dir_amb) {
1706 SCLogDebug(
"%u: rule direction cannot be deduced from keywords", s->
id);
1712 "tcp-stream or flow:only_stream. Invalidating signature.");
1716 #if 0 // TODO figure out why this is even necessary 1736 "that require inspection in both directions. Atm we only " 1737 "support keywords in one direction within a rule.");
1742 for (
int i = 0; i < nlists; i++) {
1750 "specific matches (like dsize, flags, ttl) with stream / " 1751 "state matching by matching on app layer proto (like using " 1752 "http_* keywords).");
1762 if (s->
proto.
proto[IPPROTO_TCP / 8] & (1 << (IPPROTO_TCP % 8))) {
1767 while (sm != NULL) {
1778 while (sm != NULL) {
1792 for (list = 0; list < nlists; list++) {
1805 "cannot be reset after base64_data.");
1818 for (i = 0; i < nlists; i++) {
1853 memset(&parser, 0x00,
sizeof(parser));
1862 int ret = SigParse(de_ctx, sig, sigstr, dir, &parser);
1866 }
else if (ret < 0) {
1871 if (sig->
prio == -1)
1878 int override_needed = 0;
1882 override_needed = 1;
1884 override_needed = 1;
1886 for (s = 0; s <
sizeof(sig->
proto.
proto); s++) {
1888 override_needed = 0;
1897 if (override_needed)
1910 for ( ; sm != NULL; sm = sm->
next) {
1926 SCLogDebug(
"sig %"PRIu32
" SIG_FLAG_APPLAYER: %s, SIG_FLAG_PACKET: %s",
1930 SigBuildAddressMatchArray(sig);
1939 if (SigValidate(de_ctx, sig) == 0) {
1969 static bool SigHasSameSourceAndDestination(
const Signature *s)
2009 uint32_t oldsignum = de_ctx->
signum;
2019 if (SigHasSameSourceAndDestination(sig)) {
2020 SCLogInfo(
"Rule with ID %u is bidirectional, but source and destination are the same, " 2021 "treating the rule as unidirectional", sig->
id);
2026 if (sig->
next == NULL) {
2040 de_ctx->
signum = oldsignum;
2051 static void DetectParseDupSigFreeFunc(
void *data)
2069 static uint32_t DetectParseDupSigHashFunc(
HashListTable *ht,
void *data, uint16_t datalen)
2088 static char DetectParseDupSigCompareFunc(
void *data1, uint16_t len1,
void *data2,
2094 if (sw1 == NULL || sw2 == NULL ||
2095 sw1->
s == NULL || sw2->
s == NULL)
2099 if (sw1->
s->
id == sw2->
s->
id && sw1->
s->
gid == sw2->
s->
gid)
return 1;
2115 DetectParseDupSigHashFunc,
2116 DetectParseDupSigCompareFunc,
2117 DetectParseDupSigFreeFunc);
2159 static inline int DetectEngineSignatureIsDuplicate(
DetectEngineCtx *de_ctx,
2181 if (sw_dup == NULL) {
2194 (
void *)&sw_tmp, 0);
2206 if (sw->
s->
rev <= sw_dup->
s->
rev) {
2215 if (sw_dup->
s_prev == NULL) {
2223 sw_temp.
s = sw_dup->
s->
next;
2227 if (sw_temp.
s != NULL) {
2229 (
void *)&sw_temp, 0);
2241 sw_temp.
s = sw_dup->
s->
next;
2245 if (sw_temp.
s != NULL) {
2247 (
void *)&sw_temp, 0);
2262 (
void *)&sw_tmp, 0);
2263 if (sw_old->
s != sw_dup->
s) {
2306 int dup_sig = DetectEngineSignatureIsDuplicate(de_ctx, sig);
2312 }
else if (dup_sig == 2) {
2314 " so the older sig replaced by this new signature \"%s\"",
2319 if (sig->
next != NULL) {
2336 return (dup_sig == 0 || dup_sig == 2) ? sig : NULL;
2359 pcre_free(r->
regex);
2367 g_detect_parse_regex_list = NULL;
2380 r->
next = g_detect_parse_regex_list;
2381 g_detect_parse_regex_list = r;
2386 pcre_extra **parse_regex_study)
2392 *parse_regex = pcre_compile(parse_str, opts, &eb, &eo, NULL);
2393 if (*parse_regex == NULL) {
2395 "offset %" PRId32
": %s", parse_str, eo, eb);
2398 *parse_regex_study = pcre_study(*parse_regex, 0, &eb);
2407 #ifdef AFLFUZZ_RULES 2409 int RuleParseDataFromFile(
char *filename)
2421 #ifdef AFLFUZZ_PERSISTANT_MODE 2422 while (__AFL_LOOP(10000)) {
2424 memset(buffer, 0,
sizeof(buffer));
2427 FILE *fp = fopen(filename,
"r");
2430 size_t result = fread(&buffer, 1,
sizeof(buffer), fp);
2431 if (result <
sizeof(buffer)) {
2432 buffer[result] =
'\0';
2440 #ifdef AFLFUZZ_PERSISTANT_MODE 2456 static int SigParseTest01 (
void)
2465 sig =
SigInit(de_ctx,
"alert tcp 1.2.3.4 any -> !1.2.3.4 any (msg:\"SigParseTest01\"; sid:1;)");
2470 if (sig != NULL)
SigFree(sig);
2475 static int SigParseTest02 (
void)
2489 sig =
SigInit(de_ctx,
"alert tcp any !21:902 -> any any (msg:\"ET MALWARE Suspicious 220 Banner on Local Port\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:2003055; rev:4;)");
2517 static int SigParseTest03 (
void)
2526 sig =
SigInit(de_ctx,
"alert tcp 1.2.3.4 any <- !1.2.3.4 any (msg:\"SigParseTest03\"; sid:1;)");
2529 printf(
"expected NULL got sig ptr %p: ",sig);
2533 if (sig != NULL)
SigFree(sig);
2538 static int SigParseTest04 (
void)
2547 sig =
SigInit(de_ctx,
"alert tcp 1.2.3.4 1024: -> !1.2.3.4 1024: (msg:\"SigParseTest04\"; sid:1;)");
2552 if (sig != NULL)
SigFree(sig);
2558 static int SigParseTest05 (
void)
2567 sig =
SigInit(de_ctx,
"alert tcp 1.2.3.4 1024:65536 -> !1.2.3.4 any (msg:\"SigParseTest05\"; sid:1;)");
2571 printf(
"signature didn't fail to parse as we expected: ");
2575 if (sig != NULL)
SigFree(sig);
2581 static int SigParseTest06 (
void)
2590 sig =
SigInit(de_ctx,
"alert tcp any any -> any any (flow:to_server; content:\"GET\"; nocase; http_method; uricontent:\"/uri/\"; nocase; content:\"Host|3A| abc\"; nocase; sid:1; rev:1;)");
2594 printf(
"signature failed to parse: ");
2608 static int SigParseTest07(
void)
2630 static int SigParseTest08(
void)
2653 static int SigParseTest09(
void)
2704 static int SigParseTest10(
void)
2736 static int SigParseTest11(
void)
2746 s =
DetectEngineAppendSig(de_ctx,
"drop tcp any any -> any 80 (msg:\"Snort_Inline is blocking the http link\";) ");
2748 printf(
"sig 1 didn't parse: ");
2752 s =
DetectEngineAppendSig(de_ctx,
"drop tcp any any -> any 80 (msg:\"Snort_Inline is blocking the http link\"; sid:1;) ");
2754 printf(
"sig 2 didn't parse: ");
2768 static int SigParseTest12(
void)
2778 s =
DetectEngineAppendSig(de_ctx,
"alert tcp any any -> any any (file_data; content:\"abc\"; rawbytes; sid:1;)");
2780 printf(
"sig 1 should have given an error: ");
2794 static int SigParseTest13(
void)
2806 printf(
"sig 1 invalidated: failure");
2811 printf(
"sig doesn't have stream flag set\n");
2816 printf(
"sig has packet flag set\n");
2831 static int SigParseTest14(
void)
2841 s =
DetectEngineAppendSig(de_ctx,
"alert tcp any any -> any any (content:\"abc\"; dsize:>0; sid:1;)");
2843 printf(
"sig 1 invalidated: failure");
2848 printf(
"sig doesn't have packet flag set\n");
2853 printf(
"sig has stream flag set\n");
2868 static int SigParseTest15(
void)
2878 s =
DetectEngineAppendSig(de_ctx,
"alert tcp any any -> any any (content:\"abc\"; offset:5; sid:1;)");
2880 printf(
"sig 1 invalidated: failure");
2885 printf(
"sig doesn't have packet flag set\n");
2890 printf(
"sig doesn't have stream flag set\n");
2905 static int SigParseTest16(
void)
2915 s =
DetectEngineAppendSig(de_ctx,
"alert tcp any any -> any any (content:\"abc\"; depth:5; sid:1;)");
2917 printf(
"sig 1 invalidated: failure");
2922 printf(
"sig doesn't have packet flag set\n");
2927 printf(
"sig doesn't have stream flag set\n");
2942 static int SigParseTest17(
void)
2952 s =
DetectEngineAppendSig(de_ctx,
"alert tcp any any -> any any (content:\"abc\"; offset:1; depth:5; sid:1;)");
2954 printf(
"sig 1 invalidated: failure");
2959 printf(
"sig doesn't have packet flag set\n");
2964 printf(
"sig doesn't have stream flag set\n");
2977 static int SigParseTest18 (
void)
2985 if (
DetectEngineAppendSig(de_ctx,
"alert tcp 1.2.3.4 any -> !1.2.3.4 any (msg:\"SigParseTest01\"; sid:99999999999999999999;)") != NULL)
2996 static int SigParseTest19 (
void)
3004 if (
DetectEngineAppendSig(de_ctx,
"alert tcp 1.2.3.4 any -> !1.2.3.4 any (msg:\"SigParseTest01\"; sid:1; gid:99999999999999999999;)") != NULL)
3015 static int SigParseTest20 (
void)
3023 if (
DetectEngineAppendSig(de_ctx,
"alert tcp 1.2.3.4 any -> !1.2.3.4 any (msg:\"SigParseTest01\"; sid:1; rev:99999999999999999999;)") != NULL)
3034 static int SigParseTest21 (
void)
3042 if (
DetectEngineAppendSig(de_ctx,
"alert tcp [1.2.3.4, 1.2.3.5] any -> !1.2.3.4 any (sid:1;)") == NULL)
3053 static int SigParseTest22 (
void)
3061 if (
DetectEngineAppendSig(de_ctx,
"alert tcp [10.10.10.0/24, !10.10.10.247] any -> [10.10.10.0/24, !10.10.10.247] any (sid:1;)") == NULL)
3074 static int SigParseTest23(
void)
3081 s =
DetectEngineAppendSig(de_ctx,
"alert tcp any any -> any any (content:\"abc\"; offset:1; depth:5; sid:1;)\r");
3089 static int SigParseBidirecTest06 (
void)
3098 sig =
DetectEngineAppendSig(de_ctx,
"alert tcp 192.168.1.1 any - 192.168.1.5 any (msg:\"SigParseBidirecTest05\"; sid:1;)");
3103 if (sig != NULL)
SigFree(sig);
3109 static int SigParseBidirecTest07 (
void)
3118 sig =
DetectEngineAppendSig(de_ctx,
"alert tcp 192.168.1.1 any <- 192.168.1.5 any (msg:\"SigParseBidirecTest05\"; sid:1;)");
3123 if (sig != NULL)
SigFree(sig);
3129 static int SigParseBidirecTest08 (
void)
3138 sig =
DetectEngineAppendSig(de_ctx,
"alert tcp 192.168.1.1 any < 192.168.1.5 any (msg:\"SigParseBidirecTest05\"; sid:1;)");
3143 if (sig != NULL)
SigFree(sig);
3149 static int SigParseBidirecTest09 (
void)
3158 sig =
DetectEngineAppendSig(de_ctx,
"alert tcp 192.168.1.1 any > 192.168.1.5 any (msg:\"SigParseBidirecTest05\"; sid:1;)");
3163 if (sig != NULL)
SigFree(sig);
3169 static int SigParseBidirecTest10 (
void)
3178 sig =
DetectEngineAppendSig(de_ctx,
"alert tcp 192.168.1.1 any -< 192.168.1.5 any (msg:\"SigParseBidirecTest05\"; sid:1;)");
3183 if (sig != NULL)
SigFree(sig);
3189 static int SigParseBidirecTest11 (
void)
3198 sig =
DetectEngineAppendSig(de_ctx,
"alert tcp 192.168.1.1 any >- 192.168.1.5 any (msg:\"SigParseBidirecTest05\"; sid:1;)");
3203 if (sig != NULL)
SigFree(sig);
3209 static int SigParseBidirecTest12 (
void)
3218 sig =
DetectEngineAppendSig(de_ctx,
"alert tcp 192.168.1.1 any >< 192.168.1.5 any (msg:\"SigParseBidirecTest05\"; sid:1;)");
3223 if (sig != NULL)
SigFree(sig);
3229 static int SigParseBidirecTest13 (
void)
3238 sig =
DetectEngineAppendSig(de_ctx,
"alert tcp 192.168.1.1 any <> 192.168.1.5 any (msg:\"SigParseBidirecTest05\"; sid:1;)");
3248 static int SigParseBidirecTest14 (
void)
3257 sig =
DetectEngineAppendSig(de_ctx,
"alert tcp 192.168.1.1 any -> 192.168.1.5 any (msg:\"SigParseBidirecTest05\"; sid:1;)");
3269 static int SigTestBidirec01 (
void)
3278 sig =
DetectEngineAppendSig(de_ctx,
"alert tcp 1.2.3.4 1024:65535 -> !1.2.3.4 any (msg:\"SigTestBidirec01\"; sid:1;)");
3281 if (sig->
next != NULL)
3291 if (de_ctx != NULL) {
3300 static int SigTestBidirec02 (
void)
3312 sig =
DetectEngineAppendSig(de_ctx,
"alert tcp 1.2.3.4 1024:65535 <> !1.2.3.4 any (msg:\"SigTestBidirec02\"; sid:1;)");
3319 if (sig->
next == NULL)
3324 if (copy->
next != NULL)
3332 if (de_ctx != NULL) {
3345 static int SigTestBidirec03 (
void)
3357 const char *sigs[3];
3358 sigs[0] =
"alert tcp any any -> 192.168.1.1 any (msg:\"SigTestBidirec03 sid 1\"; sid:1;)";
3359 sigs[1] =
"alert tcp any any <> 192.168.1.1 any (msg:\"SigTestBidirec03 sid 2 bidirectional\"; sid:2;)";
3360 sigs[2] =
"alert tcp any any -> 192.168.1.1 any (msg:\"SigTestBidirec03 sid 3\"; sid:3;)";
3367 if (sig->
next == NULL)
3378 uint8_t rawpkt1_ether[] = {
3379 0x00,0x50,0x56,0xea,0x00,0xbd,0x00,0x0c,
3380 0x29,0x40,0xc8,0xb5,0x08,0x00,0x45,0x00,
3381 0x01,0xa8,0xb9,0xbb,0x40,0x00,0x40,0x06,
3382 0xe0,0xbf,0xc0,0xa8,0x1c,0x83,0xc0,0xa8,
3383 0x01,0x01,0xb9,0x0a,0x00,0x50,0x6f,0xa2,
3384 0x92,0xed,0x7b,0xc1,0xd3,0x4d,0x50,0x18,
3385 0x16,0xd0,0xa0,0x6f,0x00,0x00,0x47,0x45,
3386 0x54,0x20,0x2f,0x20,0x48,0x54,0x54,0x50,
3387 0x2f,0x31,0x2e,0x31,0x0d,0x0a,0x48,0x6f,
3388 0x73,0x74,0x3a,0x20,0x31,0x39,0x32,0x2e,
3389 0x31,0x36,0x38,0x2e,0x31,0x2e,0x31,0x0d,
3390 0x0a,0x55,0x73,0x65,0x72,0x2d,0x41,0x67,
3391 0x65,0x6e,0x74,0x3a,0x20,0x4d,0x6f,0x7a,
3392 0x69,0x6c,0x6c,0x61,0x2f,0x35,0x2e,0x30,
3393 0x20,0x28,0x58,0x31,0x31,0x3b,0x20,0x55,
3394 0x3b,0x20,0x4c,0x69,0x6e,0x75,0x78,0x20,
3395 0x78,0x38,0x36,0x5f,0x36,0x34,0x3b,0x20,
3396 0x65,0x6e,0x2d,0x55,0x53,0x3b,0x20,0x72,
3397 0x76,0x3a,0x31,0x2e,0x39,0x2e,0x30,0x2e,
3398 0x31,0x34,0x29,0x20,0x47,0x65,0x63,0x6b,
3399 0x6f,0x2f,0x32,0x30,0x30,0x39,0x30,0x39,
3400 0x30,0x32,0x31,0x37,0x20,0x55,0x62,0x75,
3401 0x6e,0x74,0x75,0x2f,0x39,0x2e,0x30,0x34,
3402 0x20,0x28,0x6a,0x61,0x75,0x6e,0x74,0x79,
3403 0x29,0x20,0x46,0x69,0x72,0x65,0x66,0x6f,
3404 0x78,0x2f,0x33,0x2e,0x30,0x2e,0x31,0x34,
3405 0x0d,0x0a,0x41,0x63,0x63,0x65,0x70,0x74,
3406 0x3a,0x20,0x74,0x65,0x78,0x74,0x2f,0x68,
3407 0x74,0x6d,0x6c,0x2c,0x61,0x70,0x70,0x6c,
3408 0x69,0x63,0x61,0x74,0x69,0x6f,0x6e,0x2f,
3409 0x78,0x68,0x74,0x6d,0x6c,0x2b,0x78,0x6d,
3410 0x6c,0x2c,0x61,0x70,0x70,0x6c,0x69,0x63,
3411 0x61,0x74,0x69,0x6f,0x6e,0x2f,0x78,0x6d,
3412 0x6c,0x3b,0x71,0x3d,0x30,0x2e,0x39,0x2c,
3413 0x2a,0x2f,0x2a,0x3b,0x71,0x3d,0x30,0x2e,
3414 0x38,0x0d,0x0a,0x41,0x63,0x63,0x65,0x70,
3415 0x74,0x2d,0x4c,0x61,0x6e,0x67,0x75,0x61,
3416 0x67,0x65,0x3a,0x20,0x65,0x6e,0x2d,0x75,
3417 0x73,0x2c,0x65,0x6e,0x3b,0x71,0x3d,0x30,
3418 0x2e,0x35,0x0d,0x0a,0x41,0x63,0x63,0x65,
3419 0x70,0x74,0x2d,0x45,0x6e,0x63,0x6f,0x64,
3420 0x69,0x6e,0x67,0x3a,0x20,0x67,0x7a,0x69,
3421 0x70,0x2c,0x64,0x65,0x66,0x6c,0x61,0x74,
3422 0x65,0x0d,0x0a,0x41,0x63,0x63,0x65,0x70,
3423 0x74,0x2d,0x43,0x68,0x61,0x72,0x73,0x65,
3424 0x74,0x3a,0x20,0x49,0x53,0x4f,0x2d,0x38,
3425 0x38,0x35,0x39,0x2d,0x31,0x2c,0x75,0x74,
3426 0x66,0x2d,0x38,0x3b,0x71,0x3d,0x30,0x2e,
3427 0x37,0x2c,0x2a,0x3b,0x71,0x3d,0x30,0x2e,
3428 0x37,0x0d,0x0a,0x4b,0x65,0x65,0x70,0x2d,
3429 0x41,0x6c,0x69,0x76,0x65,0x3a,0x20,0x33,
3430 0x30,0x30,0x0d,0x0a,0x43,0x6f,0x6e,0x6e,
3431 0x65,0x63,0x74,0x69,0x6f,0x6e,0x3a,0x20,
3432 0x6b,0x65,0x65,0x70,0x2d,0x61,0x6c,0x69,
3433 0x76,0x65,0x0d,0x0a,0x0d,0x0a };
3443 uint32_t sids[3] = {1, 2, 3};
3444 uint32_t results[3] = {1, 1, 1};
3452 if (de_ctx != NULL) {
3466 static int SigTestBidirec04 (
void)
3478 sig =
DetectEngineAppendSig(de_ctx,
"alert tcp 192.168.1.1 any -> any any (msg:\"SigTestBidirec03 sid 1\"; sid:1;)");
3481 sig =
DetectEngineAppendSig(de_ctx,
"alert tcp 192.168.1.1 any <> any any (msg:\"SigTestBidirec03 sid 2 bidirectional\"; sid:2;)");
3486 if (sig->
next == NULL)
3495 sig =
DetectEngineAppendSig(de_ctx,
"alert tcp 192.168.1.1 any -> any any (msg:\"SigTestBidirec03 sid 3\"; sid:3;)");
3498 if (sig->
next == NULL)
3509 uint8_t rawpkt1_ether[] = {
3510 0x00,0x50,0x56,0xea,0x00,0xbd,0x00,0x0c,
3511 0x29,0x40,0xc8,0xb5,0x08,0x00,0x45,0x00,
3512 0x01,0xa8,0xb9,0xbb,0x40,0x00,0x40,0x06,
3513 0xe0,0xbf,0xc0,0xa8,0x1c,0x83,0xc0,0xa8,
3514 0x01,0x01,0xb9,0x0a,0x00,0x50,0x6f,0xa2,
3515 0x92,0xed,0x7b,0xc1,0xd3,0x4d,0x50,0x18,
3516 0x16,0xd0,0xa0,0x6f,0x00,0x00,0x47,0x45,
3517 0x54,0x20,0x2f,0x20,0x48,0x54,0x54,0x50,
3518 0x2f,0x31,0x2e,0x31,0x0d,0x0a,0x48,0x6f,
3519 0x73,0x74,0x3a,0x20,0x31,0x39,0x32,0x2e,
3520 0x31,0x36,0x38,0x2e,0x31,0x2e,0x31,0x0d,
3521 0x0a,0x55,0x73,0x65,0x72,0x2d,0x41,0x67,
3522 0x65,0x6e,0x74,0x3a,0x20,0x4d,0x6f,0x7a,
3523 0x69,0x6c,0x6c,0x61,0x2f,0x35,0x2e,0x30,
3524 0x20,0x28,0x58,0x31,0x31,0x3b,0x20,0x55,
3525 0x3b,0x20,0x4c,0x69,0x6e,0x75,0x78,0x20,
3526 0x78,0x38,0x36,0x5f,0x36,0x34,0x3b,0x20,
3527 0x65,0x6e,0x2d,0x55,0x53,0x3b,0x20,0x72,
3528 0x76,0x3a,0x31,0x2e,0x39,0x2e,0x30,0x2e,
3529 0x31,0x34,0x29,0x20,0x47,0x65,0x63,0x6b,
3530 0x6f,0x2f,0x32,0x30,0x30,0x39,0x30,0x39,
3531 0x30,0x32,0x31,0x37,0x20,0x55,0x62,0x75,
3532 0x6e,0x74,0x75,0x2f,0x39,0x2e,0x30,0x34,
3533 0x20,0x28,0x6a,0x61,0x75,0x6e,0x74,0x79,
3534 0x29,0x20,0x46,0x69,0x72,0x65,0x66,0x6f,
3535 0x78,0x2f,0x33,0x2e,0x30,0x2e,0x31,0x34,
3536 0x0d,0x0a,0x41,0x63,0x63,0x65,0x70,0x74,
3537 0x3a,0x20,0x74,0x65,0x78,0x74,0x2f,0x68,
3538 0x74,0x6d,0x6c,0x2c,0x61,0x70,0x70,0x6c,
3539 0x69,0x63,0x61,0x74,0x69,0x6f,0x6e,0x2f,
3540 0x78,0x68,0x74,0x6d,0x6c,0x2b,0x78,0x6d,
3541 0x6c,0x2c,0x61,0x70,0x70,0x6c,0x69,0x63,
3542 0x61,0x74,0x69,0x6f,0x6e,0x2f,0x78,0x6d,
3543 0x6c,0x3b,0x71,0x3d,0x30,0x2e,0x39,0x2c,
3544 0x2a,0x2f,0x2a,0x3b,0x71,0x3d,0x30,0x2e,
3545 0x38,0x0d,0x0a,0x41,0x63,0x63,0x65,0x70,
3546 0x74,0x2d,0x4c,0x61,0x6e,0x67,0x75,0x61,
3547 0x67,0x65,0x3a,0x20,0x65,0x6e,0x2d,0x75,
3548 0x73,0x2c,0x65,0x6e,0x3b,0x71,0x3d,0x30,
3549 0x2e,0x35,0x0d,0x0a,0x41,0x63,0x63,0x65,
3550 0x70,0x74,0x2d,0x45,0x6e,0x63,0x6f,0x64,
3551 0x69,0x6e,0x67,0x3a,0x20,0x67,0x7a,0x69,
3552 0x70,0x2c,0x64,0x65,0x66,0x6c,0x61,0x74,
3553 0x65,0x0d,0x0a,0x41,0x63,0x63,0x65,0x70,
3554 0x74,0x2d,0x43,0x68,0x61,0x72,0x73,0x65,
3555 0x74,0x3a,0x20,0x49,0x53,0x4f,0x2d,0x38,
3556 0x38,0x35,0x39,0x2d,0x31,0x2c,0x75,0x74,
3557 0x66,0x2d,0x38,0x3b,0x71,0x3d,0x30,0x2e,
3558 0x37,0x2c,0x2a,0x3b,0x71,0x3d,0x30,0x2e,
3559 0x37,0x0d,0x0a,0x4b,0x65,0x65,0x70,0x2d,
3560 0x41,0x6c,0x69,0x76,0x65,0x3a,0x20,0x33,
3561 0x30,0x30,0x0d,0x0a,0x43,0x6f,0x6e,0x6e,
3562 0x65,0x63,0x74,0x69,0x6f,0x6e,0x3a,0x20,
3563 0x6b,0x65,0x65,0x70,0x2d,0x61,0x6c,0x69,
3564 0x76,0x65,0x0d,0x0a,0x0d,0x0a };
3573 memset(&th_v, 0,
sizeof(th_v));
3577 DecodeEthernet(&th_v, &dtv, p, rawpkt1_ether,
sizeof(rawpkt1_ether), NULL);
3600 if (de_ctx != NULL) {
3614 static int SigParseTestNegation01 (
void)
3625 s =
SigInit(de_ctx,
"alert tcp !any any -> any any (msg:\"SigTest41-01 src address is !any \"; classtype:misc-activity; sid:410001; rev:1;)");
3640 static int SigParseTestNegation02 (
void)
3651 s =
SigInit(de_ctx,
"alert tcp any !any -> any any (msg:\"SigTest41-02 src ip is !any \"; classtype:misc-activity; sid:410002; rev:1;)");
3666 static int SigParseTestNegation03 (
void)
3677 s =
SigInit(de_ctx,
"alert tcp any any -> any [80:!80] (msg:\"SigTest41-03 dst port [80:!80] \"; classtype:misc-activity; sid:410003; rev:1;)");
3692 static int SigParseTestNegation04 (
void)
3703 s =
SigInit(de_ctx,
"alert tcp any any -> any [80,!80] (msg:\"SigTest41-03 dst port [80:!80] \"; classtype:misc-activity; sid:410003; rev:1;)");
3718 static int SigParseTestNegation05 (
void)
3729 s =
SigInit(de_ctx,
"alert tcp any any -> [192.168.0.2,!192.168.0.2] any (msg:\"SigTest41-04 dst ip [192.168.0.2,!192.168.0.2] \"; classtype:misc-activity; sid:410004; rev:1;)");
3744 static int SigParseTestNegation06 (
void)
3755 s =
SigInit(de_ctx,
"alert tcp any any -> any [100:1000,!1:20000] (msg:\"SigTest41-05 dst port [100:1000,!1:20000] \"; classtype:misc-activity; sid:410005; rev:1;)");
3771 static int SigParseTestNegation07 (
void)
3782 s =
SigInit(de_ctx,
"alert tcp any any -> [192.168.0.2,!192.168.0.0/24] any (msg:\"SigTest41-06 dst ip [192.168.0.2,!192.168.0.0/24] \"; classtype:misc-activity; sid:410006; rev:1;)");
3798 static int SigParseTestNegation08 (
void)
3809 s =
SigInit(de_ctx,
"alert tcp any any -> [192.168.0.0/16,!192.168.0.0/24] any (sid:410006; rev:1;)");
3824 static int SigParseTestMpm01 (
void)
3833 sig =
SigInit(de_ctx,
"alert tcp any any -> any any (msg:\"mpm test\"; content:\"abcd\"; sid:1;)");
3835 printf(
"sig failed to init: ");
3840 printf(
"sig doesn't have content list: ");
3855 static int SigParseTestMpm02 (
void)
3864 sig =
SigInit(de_ctx,
"alert tcp any any -> any any (msg:\"mpm test\"; content:\"abcd\"; content:\"abcdef\"; sid:1;)");
3866 printf(
"sig failed to init: ");
3871 printf(
"sig doesn't have content list: ");
3886 static int SigParseTestAppLayerTLS01(
void)
3897 s =
SigInit(de_ctx,
"alert tls any any -> any any (msg:\"SigParseTestAppLayerTLS01 \"; sid:410006; rev:1;)");
3899 printf(
"parsing sig failed: ");
3904 printf(
"alproto not set: ");
3921 static int SigParseTestAppLayerTLS02(
void)
3932 s =
SigInit(de_ctx,
"alert tls any any -> any any (msg:\"SigParseTestAppLayerTLS02 \"; tls.version:1.0; sid:410006; rev:1;)");
3934 printf(
"parsing sig failed: ");
3939 printf(
"alproto not set: ");
3955 static int SigParseTestAppLayerTLS03(
void)
3966 s =
SigInit(de_ctx,
"alert tls any any -> any any (msg:\"SigParseTestAppLayerTLS03 \"; tls.version:2.5; sid:410006; rev:1;)");
3979 static int SigParseTestUnblanacedQuotes01(
void)
3988 s =
SigInit(de_ctx,
"alert http any any -> any any (msg:\"SigParseTestUnblanacedQuotes01\"; pcre:\"/\\/[a-z]+\\.php\\?[a-z]+?=\\d{7}&[a-z]+?=\\d{7,8}$/U\" flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017078; rev:5;)");
3994 static int SigParseTestContentGtDsize01(
void)
4001 "alert http any any -> any any (" 4002 "dsize:21; content:\"0123456789001234567890|00 00|\"; " 4009 static int SigParseTestContentGtDsize02(
void)
4016 "alert http any any -> any any (" 4017 "dsize:21; content:\"0123456789|00 00|\"; offset:10; " 4024 static int SigParseBidirWithSameSrcAndDest01(
void)
4031 "alert tcp any any <> any any (sid:1; rev:1;)");
4039 "alert tcp any [80, 81] <> any [81, 80] (sid:1; rev:1;)");
4047 "alert tcp [1.2.3.4, 5.6.7.8] [80, 81] <> [5.6.7.8, 1.2.3.4] [81, 80] (sid:1; rev:1;)");
4057 static int SigParseBidirWithSameSrcAndDest02(
void)
4065 "alert tcp 1.2.3.4 any <> [1.2.3.4, 5.6.7.8, ::1] any (sid:1; rev:1;)");
4074 "alert tcp [1.2.3.4, ::1] [80, 81, 82] <> [1.2.3.4, ::1] [80, 81] (sid:1; rev:1;)");
4083 "alert tcp [1.2.3.4, ::1, ABCD:AAAA::1] [80] <> [1.2.3.4, ::1] [80, 81] (sid:1; rev:1;)");
4125 UtRegisterTest(
"SigParseTest21 -- address with space", SigParseTest21);
4126 UtRegisterTest(
"SigParseTest22 -- address with space", SigParseTest22);
4127 UtRegisterTest(
"SigParseTest23 -- carriage return", SigParseTest23);
4142 UtRegisterTest(
"SigParseTestNegation01", SigParseTestNegation01);
4143 UtRegisterTest(
"SigParseTestNegation02", SigParseTestNegation02);
4144 UtRegisterTest(
"SigParseTestNegation03", SigParseTestNegation03);
4145 UtRegisterTest(
"SigParseTestNegation04", SigParseTestNegation04);
4146 UtRegisterTest(
"SigParseTestNegation05", SigParseTestNegation05);
4147 UtRegisterTest(
"SigParseTestNegation06", SigParseTestNegation06);
4148 UtRegisterTest(
"SigParseTestNegation07", SigParseTestNegation07);
4149 UtRegisterTest(
"SigParseTestNegation08", SigParseTestNegation08);
4152 UtRegisterTest(
"SigParseTestAppLayerTLS01", SigParseTestAppLayerTLS01);
4153 UtRegisterTest(
"SigParseTestAppLayerTLS02", SigParseTestAppLayerTLS02);
4154 UtRegisterTest(
"SigParseTestAppLayerTLS03", SigParseTestAppLayerTLS03);
4156 SigParseTestUnblanacedQuotes01);
4159 SigParseTestContentGtDsize01);
4161 SigParseTestContentGtDsize02);
4164 SigParseBidirWithSameSrcAndDest01);
4166 SigParseBidirWithSameSrcAndDest02);
#define SIG_FLAG_FILESTORE
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
#define DETECT_DEFAULT_PRIO
char dst[DETECT_MAX_RULE_SIZE]
DetectReference * references
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
SignatureInitData * init_data
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
#define SIGMATCH_INFO_DEPRECATED
void SCReferenceConfInit(void)
DetectMetadata * metadata
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
SigMatch * DetectGetLastSMByListId(const Signature *s, int list_id,...)
Returns the sm with the largest index (added last) from the list passed to us as an id...
struct HtpBodyChunk_ * next
void SigFree(Signature *s)
size_t strlcpy(char *dst, const char *src, size_t siz)
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
int UTHAppendSigs(DetectEngineCtx *de_ctx, const char *sigs[], int numsigs)
UTHAppendSigs: Add sigs to the detection_engine checking for errors.
int DetectAppLayerEventPrepare(Signature *s)
#define ACTION_REJECT_DST
void DetectParseFreeRegexes(void)
#define PASS
Pass the test.
void SigMatchRemoveSMFromList(Signature *s, SigMatch *sm, int sm_list)
int UTHMatchPackets(DetectEngineCtx *de_ctx, Packet **p, int num_packets)
#define CASE_CODE_STRING(E, S)
address structure for use in the detection engine.
bool DetectBufferRunValidateCallback(const DetectEngineCtx *de_ctx, const int id, const Signature *s, const char **sigerror)
int AppLayerParserSupportsFiles(uint8_t ipproto, AppProto alproto)
void DetectIPProtoRemoveAllSMs(Signature *s)
#define SIG_FLAG_REQUIRE_STREAM
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
void SigCleanSignatures(DetectEngineCtx *de_ctx)
#define PACKET_RECYCLE(p)
void SigTableApplyStrictCommandlineOption(const char *str)
void * HashListTableLookup(HashListTable *ht, void *data, uint16_t datalen)
SigMatch * DetectGetLastSM(const Signature *s)
Returns the sm with the largest index (added latest) from this sig.
#define DETECT_CONTENT_DISTANCE
element in sigmatch type table.
#define SIG_FLAG_REQUIRE_PACKET
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
AppProto AppLayerGetProtoByName(char *alproto_name)
Given a protocol string, returns the corresponding internal protocol id.
#define DETECT_TRANSFORMS_MAX
#define DETECT_CONTENT_DEPTH
int IPOnlySigParseAddress(const DetectEngineCtx *de_ctx, Signature *s, const char *addrstr, char flag)
Parses an address group sent as a character string and updates the IPOnlyCIDRItem lists src and dst o...
uint16_t addr_src_match6_cnt
SigMatch * DetectGetLastSMFromMpmLists(const DetectEngineCtx *de_ctx, const Signature *s)
get the last SigMatch from lists that support MPM.
#define SIG_FLAG_APPLAYER
int DetectSignatureAddTransform(Signature *s, int transform)
int UTHCheckPacketMatchResults(Packet *p, uint32_t sids[], uint32_t results[], int numsids)
UTHCheckPacketMatches: function to check if a packet match some sids.
bool DetectAddressListsAreEqual(DetectAddress *list1, DetectAddress *list2)
Checks if two address group lists are equal.
void DetectReferenceFree(DetectReference *ref)
Free a Reference object.
DetectMatchAddressIPv6 * addr_dst_match6
main detection engine ctx
uint16_t addr_src_match4_cnt
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
int DetectProtoParse(DetectProto *dp, const char *str)
Parses a protocol sent as a string.
#define DETECT_CONTENT_RAWBYTES
void AppLayerHtpNeedFileInspection(void)
Sets a flag that informs the HTP app layer that some module in the engine needs the http request file...
bool src_contains_negation
void DetectLuaPostSetup(Signature *s)
int HashListTableAdd(HashListTable *ht, void *data, uint16_t datalen)
char action[DETECT_MAX_RULE_SIZE]
DetectMatchAddressIPv4 * addr_dst_match4
const DetectAddressHead * DetectParseAddress(DetectEngineCtx *de_ctx, const char *string, bool *contains_negation)
#define SIG_FLAG_INIT_BIDIREC
struct DetectAddress_ * next
void DetectEngineAppInspectionEngineSignatureFree(Signature *s)
free app inspect engines for a signature
SigMatch * DetectGetLastSMByListPtr(const Signature *s, SigMatch *sm_list,...)
Returns the sm with the largest index (added last) from the list passed to us as a pointer...
DetectMatchAddressIPv6 * addr_src_match6
int transforms[DETECT_TRANSFORMS_MAX]
#define SIG_FLAG_TOCLIENT
#define ACTION_REJECT_BOTH
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
void SCClassConfInit(void)
Data structures and function prototypes for keeping state for the detection engine.
bool DetectPortListsAreEqual(DetectPort *list1, DetectPort *list2)
Checks if two port group lists are equal.
struct DetectEngineAppInspectionEngine_ * next
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
void IPOnlyCIDRListFree(IPOnlyCIDRItem *tmphead)
This function free a IPOnlyCIDRItem list.
DetectMatchAddressIPv4 * addr_src_match4
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
char opts[DETECT_MAX_RULE_SIZE]
#define SIG_FLAG_INIT_FLOW
bool dst_contains_negation
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Structure to hold thread specific data for all decode modules.
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
void DetectSetupParseRegexes(const char *parse_str, pcre **parse_regex, pcre_extra **parse_regex_study)
#define SIGMATCH_QUOTES_OPTIONAL
#define SIG_FLAG_TOSERVER
#define SIGMATCH_QUOTES_MANDATORY
struct DetectReference_ * next
int DetectBufferTypeMaxId(void)
#define DETECT_SM_LIST_NOTSET
void SCClassConfLoadClassficationConfigFile(DetectEngineCtx *de_ctx, FILE *fd)
Loads the Classtype info from the classification.config file.
void DetectParseDupSigHashFree(DetectEngineCtx *de_ctx)
Frees the hash table that is used to cull duplicate sigs.
Packet * UTHBuildPacketFromEth(uint8_t *raw_eth, uint16_t pktsize)
UTHBuildPacketFromEth is a wrapper that build a packet for the rawbytes.
SigMatchData * sm_arrays[DETECT_SM_LIST_MAX]
uint16_t addr_dst_match6_cnt
_Bool DetectContentPMATCHValidateCallback(const Signature *s)
DetectEngineAppInspectionEngine * app_inspect_engines
char dp[DETECT_MAX_RULE_SIZE]
HashListTable * HashListTableInit(uint32_t size, uint32_t(*Hash)(struct HashListTable_ *, void *, uint16_t), char(*Compare)(void *, uint16_t, void *, uint16_t), void(*Free)(void *))
struct SigMatch_ ** smlists_tail
DetectAddress * ipv4_head
bool SigMatchSilentErrorEnabled(const DetectEngineCtx *de_ctx, const enum DetectKeywordId id)
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
char direction[DETECT_MAX_RULE_SIZE]
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
int DetectEngineContentModifierBufferSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg, int sm_type, int sm_list, AppProto alproto)
int SigGroupCleanup(DetectEngineCtx *de_ctx)
struct SigDuplWrapper_ SigDuplWrapper
We use this as data to the hash table DetectEngineCtx->dup_sig_hash_table.
struct DetectParseRegex_ DetectParseRegex
const char * DetectListToString(int list)
bool sm_types_silent_error[DETECT_TBLSIZE]
struct SignatureParser_ SignatureParser
void DetectPortCleanupList(const DetectEngineCtx *de_ctx, DetectPort *head)
Free a DetectPort list and each of its members.
bool SigMatchStrictEnabled(const enum DetectKeywordId id)
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
struct SigMatch_ ** smlists
HashListTable * dup_sig_hash_table
const DetectAddressHead * dst
Signature * SigAlloc(void)
void AppLayerProtoDetectSupportedIpprotos(AppProto alproto, uint8_t *ipprotos)
uint32_t smlists_array_size
char src[DETECT_MAX_RULE_SIZE]
void DetectParseRegexAddToFreeList(pcre *regex, pcre_extra *study)
add regex and/or study to at exit free list
char sp[DETECT_MAX_RULE_SIZE]
int DetectPortCmp(DetectPort *a, DetectPort *b)
Function that compare port groups.
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
#define DETECT_MAX_RULE_SIZE
void DetectParseRegisterTests(void)
this function registers unit tests for DetectParse
#define DETECT_CONTENT_REPLACE
uint16_t addr_dst_match4_cnt
SigMatchData * SigMatchList2DataArray(SigMatch *head)
convert SigMatch list to SigMatchData array
void SigParseRegisterTests(void)
bool DetectBufferTypeSupportsMpmGetById(const DetectEngineCtx *de_ctx, const int id)
void FlowShutdown(void)
shutdown the flow engine
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
#define DETECT_PROTO_ONLY_STREAM
void SigMatchFree(SigMatch *sm)
free a SigMatch
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us. ...
We use this as data to the hash table DetectEngineCtx->dup_sig_hash_table.
#define FatalError(x,...)
#define SIGMATCH_OPTIONAL_OPT
#define SCReturnPtr(x, type)
void SignatureSetType(DetectEngineCtx *de_ctx, Signature *s)
int DetectParseDupSigHashInit(DetectEngineCtx *de_ctx)
Initializes the hash table that is used to cull duplicate sigs.
struct DetectParseRegex_ * next
#define DETECT_CONTENT_WITHIN
Signature reference list.
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
void DetectBufferRunSetupCallback(const DetectEngineCtx *de_ctx, const int id, Signature *s)
#define SIG_FLAG_INIT_PACKET
const char * DetectListToHumanString(int list)
void HashListTableFree(HashListTable *ht)
int DetectFlowSetupImplicit(Signature *s, uint32_t flags)
#define DETECT_PROTO_ONLY_PKT
#define DETECT_PCRE_RELATIVE_NEXT
int DecodeEthernet(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len, PacketQueue *pq)
#define DETECT_CONTENT_RELATIVE_NEXT
SigMatch * SigMatchAlloc(void)
Per thread variable structure.
#define SIGMATCH_HANDLE_NEGATION
int SigMatchListSMBelongsTo(const Signature *s, const SigMatch *key_sm)
bool DetectBufferTypeSupportsPacketGetById(const DetectEngineCtx *de_ctx, const int id)
int DetectPortParse(const DetectEngineCtx *de_ctx, DetectPort **head, const char *str)
Function for parsing port strings.
void SCClassConfDeinit(void)
const char * DetectBufferTypeGetNameById(const DetectEngineCtx *de_ctx, const int id)
void SCReferenceConfDeinit(void)
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
const DetectAddressHead * src
char protocol[DETECT_MAX_RULE_SIZE]
#define DETECT_CONTENT_OFFSET
FILE * SCClassConfGenerateValidDummyClassConfigFD01(void)
Creates a dummy classification file, with all valid Classtypes, for testing purposes.
DetectAddress * ipv6_head
Port structure for detection engine.
a single match condition for a signature
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
void DetectPortPrint(DetectPort *dp)
Helper function that print the DetectPort info.
#define SIGMATCH_STRICT_PARSING
DetectEngineCtx * DetectEngineCtxInit(void)
void FlowInitConfig(char quiet)
initialize the configuration