74 static void SigMatchTransferSigMatchAcrossLists(
SigMatch *sm,
88 #define CONFIG_PARTS 8 90 #define CONFIG_ACTION 0 91 #define CONFIG_PROTO 1 94 #define CONFIG_DIREC 4 113 #define CASE_CODE_STRING(E, S) case E: return S; break 123 #undef CASE_CODE_STRING 127 #define CASE_CODE(E) case E: return #E 144 Signature *
s,
const char *arg,
int sm_type,
int sm_list,
150 if (arg != NULL && strcmp(arg,
"") != 0) {
158 "with a sticky buffer still set. Reset sticky buffer " 159 "with pkt_data before using the modifier.",
173 "found inside the rule without a content context. " 174 "Please use a \"content\" keyword before using the " 182 "be used with the rawbytes rule keyword",
188 "be used with the replace rule keyword",
221 SigMatchTransferSigMatchAcrossLists(sm,
253 if (sm->
ctx != NULL) {
264 ptrdiff_t
offset = e - table;
278 if (st->
name != NULL) {
279 if (strcasecmp(name,st->
name) == 0)
281 if (st->
alias != NULL && strcasecmp(name,st->
alias) == 0)
311 if (strcmp(str,
"all") == 0) {
323 char *xsaveptr = NULL;
324 char *key = strtok_r(copy,
",", &xsaveptr);
325 while (key != NULL) {
331 "argument '%s' not found", key);
333 key = strtok_r(NULL,
",", &xsaveptr);
351 uint32_t new_size = (uint32_t)list + 1;
360 for (uint32_t i = old_size; i < new_size; i++) {
392 if (sm->
prev != NULL)
394 if (sm->
next != NULL)
412 if (sm->
type == type) {
452 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
482 for (sm_type = va_arg(ap,
int); sm_type != -1; sm_type = va_arg(ap,
int))
487 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
512 va_start(ap, sm_list);
514 for (sm_type = va_arg(ap,
int); sm_type != -1; sm_type = va_arg(ap,
int))
516 sm_new = SigMatchGetLastSMByType(sm_list, sm_type);
519 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
548 va_start(ap, list_id);
550 for (sm_type = va_arg(ap,
int); sm_type != -1; sm_type = va_arg(ap,
int))
552 sm_new = SigMatchGetLastSMByType(sm_list, sm_type);
555 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
576 for (i = 0; i < nlists; i ++) {
580 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
587 static void SigMatchTransferSigMatchAcrossLists(
SigMatch *sm,
593 if (sm->
prev != NULL)
595 if (sm->
next != NULL)
598 if (sm == *src_sm_list)
599 *src_sm_list = sm->
next;
600 if (sm == *src_sm_list_tail)
601 *src_sm_list_tail = sm->
prev;
603 if (*dst_sm_list == NULL) {
605 *dst_sm_list_tail = sm;
613 *dst_sm_list_tail = sm;
624 for (list = 0; list < nlists; list++) {
641 char *optname = NULL;
642 char *optvalue = NULL;
645 while (isblank(*optstr)) {
650 char *optend = optstr;
652 optend = strchr(optend,
';');
653 if (optend == NULL) {
657 else if (optend > optstr && *(optend -1 ) ==
'\\') {
666 char *optvalptr = strchr(optstr,
':');
668 *(optvalptr++) =
'\0';
671 for (
size_t i = strlen(optvalptr); i > 0; i--) {
672 if (isblank(optvalptr[i - 1])) {
673 optvalptr[i - 1] =
'\0';
679 optvalue = optvalptr;
683 for (
size_t i = strlen(optstr); i > 0; i--) {
684 if (isblank(optstr[i - 1])) {
685 optstr[i - 1] =
'\0';
693 st = SigTableGet(optname);
700 if (optvalue == NULL || strlen(optvalue) == 0) {
709 #define URL "https://suricata-ids.org/about/deprecation-policy/" 712 "and will be removed soon. See %s", st->
name,
URL);
715 "and will be removed soon. Use '%s' instead. " 723 if (optvalue != NULL && strlen(optvalue) > 0) {
724 size_t ovlen = strlen(optvalue);
725 char *ptr = optvalue;
761 "value must be double quoted \'%s\'", optname, optstr);
766 && ovlen && *ptr ==
'"')
768 for (; ovlen > 0; ovlen--) {
769 if (isblank(ptr[ovlen - 1])) {
770 ptr[ovlen - 1] =
'\0';
775 if (ovlen && ptr[ovlen - 1] !=
'"') {
777 "bad option value formatting (possible missing semicolon) " 778 "for keyword %s: \'%s\'", optname, optvalue);
785 ptr[ovlen - 1] =
'\0';
791 "for keyword %s: \'%s\'", optname, optvalue);
802 setup_ret = st->
Setup(de_ctx, s, ptr);
805 setup_ret = st->
Setup(de_ctx, s, NULL);
811 if (setup_ret == -2) {
823 if (strlen(optend) > 0) {
824 strlcpy(output, optend, output_size);
839 Signature *s,
const char *addrstr,
char flag)
841 SCLogDebug(
"Address Group \"%s\" to be parsed now", addrstr);
845 if (strcasecmp(addrstr,
"any") == 0)
849 (strchr(addrstr,
'!') != NULL);
855 if (strcasecmp(addrstr,
"any") == 0)
859 (strchr(addrstr,
'!') != NULL);
884 static int SigParseProto(
Signature *s,
const char *protostr)
899 "in a signature. Either detection for this protocol " 900 "is not yet supported OR detection has been disabled for " 901 "protocol through the yaml option " 902 "app-layer.protocols.%s.detection-enabled", protostr,
932 Signature *s,
const char *portstr,
char flag)
938 SCLogDebug(
"Port group \"%s\" to be parsed", portstr);
941 if (strcasecmp(portstr,
"any") == 0)
945 }
else if (flag == 1) {
946 if (strcasecmp(portstr,
"any") == 0)
961 static int SigParseActionRejectValidate(
const char *action)
964 #if defined HAVE_LIBCAP_NG && !defined HAVE_LIBNET_CAPABILITIES 967 "incompatible with POSIX based capabilities with privs dropping. " 968 "For rejects to work, run as root/super user.");
974 "required for action \"%s\" but is not compiled into Suricata",
992 static int SigParseAction(
Signature *s,
const char *action)
994 if (strcasecmp(action,
"alert") == 0) {
997 }
else if (strcasecmp(action,
"drop") == 0) {
1000 }
else if (strcasecmp(action,
"pass") == 0) {
1003 }
else if (strcasecmp(action,
"reject") == 0) {
1004 if (!(SigParseActionRejectValidate(action)))
1008 }
else if (strcasecmp(action,
"rejectsrc") == 0) {
1009 if (!(SigParseActionRejectValidate(action)))
1013 }
else if (strcasecmp(action,
"rejectdst") == 0) {
1014 if (!(SigParseActionRejectValidate(action)))
1018 }
else if (strcasecmp(action,
"rejectboth") == 0) {
1019 if (!(SigParseActionRejectValidate(action)))
1040 static inline int SigParseToken(
char **input,
char *output,
1041 const size_t output_size)
1043 size_t len = *input == NULL ? 0 : strlen(*input);
1049 while (len && isblank(**input)) {
1054 char *endptr = strpbrk(*input,
" \t\n\r");
1055 if (endptr != NULL) {
1058 strlcpy(output, *input, output_size);
1075 static inline int SigParseList(
char **input,
char *output,
1076 const size_t output_size)
1079 size_t len = *input != NULL ? strlen(*input) : 0;
1085 while (len && isblank(**input)) {
1091 for (i = 0; i <
len; i++) {
1092 char c = (*input)[i];
1095 }
else if (c ==
']') {
1097 }
else if (c ==
' ') {
1108 strlcpy(output, *input, output_size);
1109 *input = *input + i + 1;
1127 SigParseToken(&index, parser->
action,
sizeof(parser->
action));
1133 SigParseList(&index, parser->
src,
sizeof(parser->
src));
1136 SigParseList(&index, parser->
sp,
sizeof(parser->
sp));
1142 SigParseList(&index, parser->
dst,
sizeof(parser->
dst));
1145 SigParseList(&index, parser->
dp,
sizeof(parser->
dp));
1148 if (index == NULL) {
1152 while (isspace(*index) || *index ==
'(') {
1155 for (
size_t i = strlen(index); i > 0; i--) {
1156 if (isspace(index[i - 1]) || index[i - 1] ==
')') {
1157 index[i - 1] =
'\0';
1165 if (SigParseAction(s, parser->
action) < 0)
1168 if (SigParseProto(s, parser->
protocol) < 0)
1171 if (strcmp(parser->
direction,
"<>") == 0) {
1173 }
else if (strcmp(parser->
direction,
"->") != 0) {
1175 "\"%s\" is not a valid direction modifier, " 1176 "\"->\" and \"<>\" are supported.", parser->
direction);
1181 if (SigParseAddress(de_ctx, s, parser->
src,
SIG_DIREC_SRC ^ addrs_direction) < 0)
1184 if (SigParseAddress(de_ctx, s, parser->
dst,
SIG_DIREC_DST ^ addrs_direction) < 0)
1191 if (SigParsePort(de_ctx, s, parser->
sp,
SIG_DIREC_SRC ^ addrs_direction) < 0)
1193 if (SigParsePort(de_ctx, s, parser->
dp,
SIG_DIREC_DST ^ addrs_direction) < 0)
1223 int ret = SigParseBasics(de_ctx, s, sigstr, parser, addrs_direction);
1230 if (strlen(parser->
opts) > 0) {
1231 size_t buffer_size = strlen(parser->
opts) + 1;
1232 char input[buffer_size];
1233 char output[buffer_size];
1234 memset(input, 0x00, buffer_size);
1235 memcpy(input, parser->
opts, strlen(parser->
opts)+1);
1241 memset(output, 0x00, buffer_size);
1242 ret = SigParseOptions(de_ctx, s, input, output, buffer_size);
1244 memcpy(input, output, buffer_size);
1300 static void SigMetadataFree(
Signature *s)
1313 for (mdata = s->
metadata; mdata != NULL;) {
1314 next_mdata = mdata->
next;
1344 next_ref = ref->
next;
1354 static void SigMatchFreeArrays(
Signature *s,
int ctxs)
1392 for (i = 0; i < nlists; i++) {
1394 while (sm != NULL) {
1401 SigMatchFreeArrays(s, (s->
init_data == NULL));
1409 if (s->
sp != NULL) {
1412 if (s->
dp != NULL) {
1470 "can't set rule app proto to %s: already set to %s",
1486 static void SigBuildAddressMatchArray(
Signature *s)
1492 for ( ; da != NULL; da = da->
next) {
1513 for ( ; da != NULL; da = da->
next) {
1534 for ( ; da != NULL; da = da->
next) {
1561 for ( ; da != NULL; da = da->
next) {
1585 static int SigMatchListLen(
SigMatch *sm)
1588 for (; sm != NULL; sm = sm->
next)
1599 int len = SigMatchListLen(head);
1612 for (; sm != NULL; sm = sm->
next, smd++) {
1632 uint32_t sig_flags = 0;
1654 struct BufferVsDir {
1658 memset(&bufdir, 0, nlists *
sizeof(
struct BufferVsDir));
1661 for (x = 0; x < nlists; x++) {
1664 for ( ; app != NULL; app = app->
next) {
1670 bufdir[x].ts += (app->
dir == 0);
1671 bufdir[x].tc += (app->
dir == 1);
1684 for (x = 0; x < nlists; x++) {
1685 if (bufdir[x].
ts == 0 && bufdir[x].tc == 0)
1687 ts_excl += (bufdir[x].ts > 0 && bufdir[x].tc == 0);
1688 tc_excl += (bufdir[x].ts == 0 && bufdir[x].tc > 0);
1689 dir_amb += (bufdir[x].ts > 0 && bufdir[x].tc > 0);
1692 x, bufdir[x].
ts, bufdir[x].tc);
1694 if (ts_excl && tc_excl) {
1697 }
else if (ts_excl) {
1698 SCLogDebug(
"%u: implied rule direction is toserver", s->
id);
1703 }
else if (tc_excl) {
1704 SCLogDebug(
"%u: implied rule direction is toclient", s->
id);
1709 }
else if (dir_amb) {
1710 SCLogDebug(
"%u: rule direction cannot be deduced from keywords", s->
id);
1716 "tcp-stream or flow:only_stream. Invalidating signature.");
1720 #if 0 // TODO figure out why this is even necessary 1740 "that require inspection in both directions. Atm we only " 1741 "support keywords in one direction within a rule.");
1746 for (
int i = 0; i < nlists; i++) {
1754 "specific matches (like dsize, flags, ttl) with stream / " 1755 "state matching by matching on app layer proto (like using " 1756 "http_* keywords).");
1766 if (s->
proto.
proto[IPPROTO_TCP / 8] & (1 << (IPPROTO_TCP % 8))) {
1771 while (sm != NULL) {
1782 while (sm != NULL) {
1796 for (list = 0; list < nlists; list++) {
1809 "cannot be reset after base64_data.");
1822 for (i = 0; i < nlists; i++) {
1857 memset(&parser, 0x00,
sizeof(parser));
1866 int ret = SigParse(de_ctx, sig, sigstr, dir, &parser);
1870 }
else if (ret < 0) {
1875 if (sig->
prio == -1)
1882 int override_needed = 0;
1886 override_needed = 1;
1888 override_needed = 1;
1890 for (s = 0; s <
sizeof(sig->
proto.
proto); s++) {
1892 override_needed = 0;
1901 if (override_needed)
1914 for ( ; sm != NULL; sm = sm->
next) {
1930 SCLogDebug(
"sig %"PRIu32
" SIG_FLAG_APPLAYER: %s, SIG_FLAG_PACKET: %s",
1934 SigBuildAddressMatchArray(sig);
1943 if (SigValidate(de_ctx, sig) == 0) {
1973 static bool SigHasSameSourceAndDestination(
const Signature *s)
2013 uint32_t oldsignum = de_ctx->
signum;
2023 if (SigHasSameSourceAndDestination(sig)) {
2024 SCLogInfo(
"Rule with ID %u is bidirectional, but source and destination are the same, " 2025 "treating the rule as unidirectional", sig->
id);
2030 if (sig->
next == NULL) {
2044 de_ctx->
signum = oldsignum;
2055 static void DetectParseDupSigFreeFunc(
void *data)
2073 static uint32_t DetectParseDupSigHashFunc(
HashListTable *ht,
void *data, uint16_t datalen)
2092 static char DetectParseDupSigCompareFunc(
void *data1, uint16_t len1,
void *data2,
2098 if (sw1 == NULL || sw2 == NULL ||
2099 sw1->
s == NULL || sw2->
s == NULL)
2103 if (sw1->
s->
id == sw2->
s->
id && sw1->
s->
gid == sw2->
s->
gid)
return 1;
2119 DetectParseDupSigHashFunc,
2120 DetectParseDupSigCompareFunc,
2121 DetectParseDupSigFreeFunc);
2163 static inline int DetectEngineSignatureIsDuplicate(
DetectEngineCtx *de_ctx,
2185 if (sw_dup == NULL) {
2198 (
void *)&sw_tmp, 0);
2210 if (sw->
s->
rev <= sw_dup->
s->
rev) {
2219 if (sw_dup->
s_prev == NULL) {
2227 sw_temp.
s = sw_dup->
s->
next;
2231 if (sw_temp.
s != NULL) {
2233 (
void *)&sw_temp, 0);
2245 sw_temp.
s = sw_dup->
s->
next;
2249 if (sw_temp.
s != NULL) {
2251 (
void *)&sw_temp, 0);
2266 (
void *)&sw_tmp, 0);
2267 if (sw_old->
s != sw_dup->
s) {
2310 int dup_sig = DetectEngineSignatureIsDuplicate(de_ctx, sig);
2316 }
else if (dup_sig == 2) {
2318 " so the older sig replaced by this new signature \"%s\"",
2323 if (sig->
next != NULL) {
2340 return (dup_sig == 0 || dup_sig == 2) ? sig : NULL;
2363 pcre_free(r->
regex);
2371 g_detect_parse_regex_list = NULL;
2384 r->
next = g_detect_parse_regex_list;
2385 g_detect_parse_regex_list = r;
2390 pcre_extra **parse_regex_study)
2396 *parse_regex = pcre_compile(parse_str, opts, &eb, &eo, NULL);
2397 if (*parse_regex == NULL) {
2399 "offset %" PRId32
": %s", parse_str, eo, eb);
2402 *parse_regex_study = pcre_study(*parse_regex, 0, &eb);
2411 #ifdef AFLFUZZ_RULES 2413 int RuleParseDataFromFile(
char *filename)
2425 #ifdef AFLFUZZ_PERSISTANT_MODE 2426 while (__AFL_LOOP(10000)) {
2428 memset(buffer, 0,
sizeof(buffer));
2431 FILE *fp = fopen(filename,
"r");
2434 size_t result = fread(&buffer, 1,
sizeof(buffer), fp);
2435 if (result <
sizeof(buffer)) {
2436 buffer[result] =
'\0';
2444 #ifdef AFLFUZZ_PERSISTANT_MODE 2460 static int SigParseTest01 (
void)
2469 sig =
SigInit(de_ctx,
"alert tcp 1.2.3.4 any -> !1.2.3.4 any (msg:\"SigParseTest01\"; sid:1;)");
2474 if (sig != NULL)
SigFree(sig);
2479 static int SigParseTest02 (
void)
2493 sig =
SigInit(de_ctx,
"alert tcp any !21:902 -> any any (msg:\"ET MALWARE Suspicious 220 Banner on Local Port\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:2003055; rev:4;)");
2521 static int SigParseTest03 (
void)
2530 sig =
SigInit(de_ctx,
"alert tcp 1.2.3.4 any <- !1.2.3.4 any (msg:\"SigParseTest03\"; sid:1;)");
2533 printf(
"expected NULL got sig ptr %p: ",sig);
2537 if (sig != NULL)
SigFree(sig);
2542 static int SigParseTest04 (
void)
2551 sig =
SigInit(de_ctx,
"alert tcp 1.2.3.4 1024: -> !1.2.3.4 1024: (msg:\"SigParseTest04\"; sid:1;)");
2556 if (sig != NULL)
SigFree(sig);
2562 static int SigParseTest05 (
void)
2571 sig =
SigInit(de_ctx,
"alert tcp 1.2.3.4 1024:65536 -> !1.2.3.4 any (msg:\"SigParseTest05\"; sid:1;)");
2575 printf(
"signature didn't fail to parse as we expected: ");
2579 if (sig != NULL)
SigFree(sig);
2585 static int SigParseTest06 (
void)
2594 sig =
SigInit(de_ctx,
"alert tcp any any -> any any (flow:to_server; content:\"GET\"; nocase; http_method; uricontent:\"/uri/\"; nocase; content:\"Host|3A| abc\"; nocase; sid:1; rev:1;)");
2598 printf(
"signature failed to parse: ");
2612 static int SigParseTest07(
void)
2634 static int SigParseTest08(
void)
2657 static int SigParseTest09(
void)
2708 static int SigParseTest10(
void)
2740 static int SigParseTest11(
void)
2750 s =
DetectEngineAppendSig(de_ctx,
"drop tcp any any -> any 80 (msg:\"Snort_Inline is blocking the http link\";) ");
2752 printf(
"sig 1 didn't parse: ");
2756 s =
DetectEngineAppendSig(de_ctx,
"drop tcp any any -> any 80 (msg:\"Snort_Inline is blocking the http link\"; sid:1;) ");
2758 printf(
"sig 2 didn't parse: ");
2772 static int SigParseTest12(
void)
2782 s =
DetectEngineAppendSig(de_ctx,
"alert tcp any any -> any any (file_data; content:\"abc\"; rawbytes; sid:1;)");
2784 printf(
"sig 1 should have given an error: ");
2798 static int SigParseTest13(
void)
2810 printf(
"sig 1 invalidated: failure");
2815 printf(
"sig doesn't have stream flag set\n");
2820 printf(
"sig has packet flag set\n");
2835 static int SigParseTest14(
void)
2845 s =
DetectEngineAppendSig(de_ctx,
"alert tcp any any -> any any (content:\"abc\"; dsize:>0; sid:1;)");
2847 printf(
"sig 1 invalidated: failure");
2852 printf(
"sig doesn't have packet flag set\n");
2857 printf(
"sig has stream flag set\n");
2872 static int SigParseTest15(
void)
2882 s =
DetectEngineAppendSig(de_ctx,
"alert tcp any any -> any any (content:\"abc\"; offset:5; sid:1;)");
2884 printf(
"sig 1 invalidated: failure");
2889 printf(
"sig doesn't have packet flag set\n");
2894 printf(
"sig doesn't have stream flag set\n");
2909 static int SigParseTest16(
void)
2919 s =
DetectEngineAppendSig(de_ctx,
"alert tcp any any -> any any (content:\"abc\"; depth:5; sid:1;)");
2921 printf(
"sig 1 invalidated: failure");
2926 printf(
"sig doesn't have packet flag set\n");
2931 printf(
"sig doesn't have stream flag set\n");
2946 static int SigParseTest17(
void)
2956 s =
DetectEngineAppendSig(de_ctx,
"alert tcp any any -> any any (content:\"abc\"; offset:1; depth:5; sid:1;)");
2958 printf(
"sig 1 invalidated: failure");
2963 printf(
"sig doesn't have packet flag set\n");
2968 printf(
"sig doesn't have stream flag set\n");
2981 static int SigParseTest18 (
void)
2989 if (
DetectEngineAppendSig(de_ctx,
"alert tcp 1.2.3.4 any -> !1.2.3.4 any (msg:\"SigParseTest01\"; sid:99999999999999999999;)") != NULL)
3000 static int SigParseTest19 (
void)
3008 if (
DetectEngineAppendSig(de_ctx,
"alert tcp 1.2.3.4 any -> !1.2.3.4 any (msg:\"SigParseTest01\"; sid:1; gid:99999999999999999999;)") != NULL)
3019 static int SigParseTest20 (
void)
3027 if (
DetectEngineAppendSig(de_ctx,
"alert tcp 1.2.3.4 any -> !1.2.3.4 any (msg:\"SigParseTest01\"; sid:1; rev:99999999999999999999;)") != NULL)
3038 static int SigParseTest21 (
void)
3046 if (
DetectEngineAppendSig(de_ctx,
"alert tcp [1.2.3.4, 1.2.3.5] any -> !1.2.3.4 any (sid:1;)") == NULL)
3057 static int SigParseTest22 (
void)
3065 if (
DetectEngineAppendSig(de_ctx,
"alert tcp [10.10.10.0/24, !10.10.10.247] any -> [10.10.10.0/24, !10.10.10.247] any (sid:1;)") == NULL)
3078 static int SigParseTest23(
void)
3085 s =
DetectEngineAppendSig(de_ctx,
"alert tcp any any -> any any (content:\"abc\"; offset:1; depth:5; sid:1;)\r");
3093 static int SigParseBidirecTest06 (
void)
3102 sig =
DetectEngineAppendSig(de_ctx,
"alert tcp 192.168.1.1 any - 192.168.1.5 any (msg:\"SigParseBidirecTest05\"; sid:1;)");
3107 if (sig != NULL)
SigFree(sig);
3113 static int SigParseBidirecTest07 (
void)
3122 sig =
DetectEngineAppendSig(de_ctx,
"alert tcp 192.168.1.1 any <- 192.168.1.5 any (msg:\"SigParseBidirecTest05\"; sid:1;)");
3127 if (sig != NULL)
SigFree(sig);
3133 static int SigParseBidirecTest08 (
void)
3142 sig =
DetectEngineAppendSig(de_ctx,
"alert tcp 192.168.1.1 any < 192.168.1.5 any (msg:\"SigParseBidirecTest05\"; sid:1;)");
3147 if (sig != NULL)
SigFree(sig);
3153 static int SigParseBidirecTest09 (
void)
3162 sig =
DetectEngineAppendSig(de_ctx,
"alert tcp 192.168.1.1 any > 192.168.1.5 any (msg:\"SigParseBidirecTest05\"; sid:1;)");
3167 if (sig != NULL)
SigFree(sig);
3173 static int SigParseBidirecTest10 (
void)
3182 sig =
DetectEngineAppendSig(de_ctx,
"alert tcp 192.168.1.1 any -< 192.168.1.5 any (msg:\"SigParseBidirecTest05\"; sid:1;)");
3187 if (sig != NULL)
SigFree(sig);
3193 static int SigParseBidirecTest11 (
void)
3202 sig =
DetectEngineAppendSig(de_ctx,
"alert tcp 192.168.1.1 any >- 192.168.1.5 any (msg:\"SigParseBidirecTest05\"; sid:1;)");
3207 if (sig != NULL)
SigFree(sig);
3213 static int SigParseBidirecTest12 (
void)
3222 sig =
DetectEngineAppendSig(de_ctx,
"alert tcp 192.168.1.1 any >< 192.168.1.5 any (msg:\"SigParseBidirecTest05\"; sid:1;)");
3227 if (sig != NULL)
SigFree(sig);
3233 static int SigParseBidirecTest13 (
void)
3242 sig =
DetectEngineAppendSig(de_ctx,
"alert tcp 192.168.1.1 any <> 192.168.1.5 any (msg:\"SigParseBidirecTest05\"; sid:1;)");
3252 static int SigParseBidirecTest14 (
void)
3261 sig =
DetectEngineAppendSig(de_ctx,
"alert tcp 192.168.1.1 any -> 192.168.1.5 any (msg:\"SigParseBidirecTest05\"; sid:1;)");
3273 static int SigTestBidirec01 (
void)
3282 sig =
DetectEngineAppendSig(de_ctx,
"alert tcp 1.2.3.4 1024:65535 -> !1.2.3.4 any (msg:\"SigTestBidirec01\"; sid:1;)");
3285 if (sig->
next != NULL)
3295 if (de_ctx != NULL) {
3304 static int SigTestBidirec02 (
void)
3316 sig =
DetectEngineAppendSig(de_ctx,
"alert tcp 1.2.3.4 1024:65535 <> !1.2.3.4 any (msg:\"SigTestBidirec02\"; sid:1;)");
3323 if (sig->
next == NULL)
3328 if (copy->
next != NULL)
3336 if (de_ctx != NULL) {
3349 static int SigTestBidirec03 (
void)
3361 const char *sigs[3];
3362 sigs[0] =
"alert tcp any any -> 192.168.1.1 any (msg:\"SigTestBidirec03 sid 1\"; sid:1;)";
3363 sigs[1] =
"alert tcp any any <> 192.168.1.1 any (msg:\"SigTestBidirec03 sid 2 bidirectional\"; sid:2;)";
3364 sigs[2] =
"alert tcp any any -> 192.168.1.1 any (msg:\"SigTestBidirec03 sid 3\"; sid:3;)";
3371 if (sig->
next == NULL)
3382 uint8_t rawpkt1_ether[] = {
3383 0x00,0x50,0x56,0xea,0x00,0xbd,0x00,0x0c,
3384 0x29,0x40,0xc8,0xb5,0x08,0x00,0x45,0x00,
3385 0x01,0xa8,0xb9,0xbb,0x40,0x00,0x40,0x06,
3386 0xe0,0xbf,0xc0,0xa8,0x1c,0x83,0xc0,0xa8,
3387 0x01,0x01,0xb9,0x0a,0x00,0x50,0x6f,0xa2,
3388 0x92,0xed,0x7b,0xc1,0xd3,0x4d,0x50,0x18,
3389 0x16,0xd0,0xa0,0x6f,0x00,0x00,0x47,0x45,
3390 0x54,0x20,0x2f,0x20,0x48,0x54,0x54,0x50,
3391 0x2f,0x31,0x2e,0x31,0x0d,0x0a,0x48,0x6f,
3392 0x73,0x74,0x3a,0x20,0x31,0x39,0x32,0x2e,
3393 0x31,0x36,0x38,0x2e,0x31,0x2e,0x31,0x0d,
3394 0x0a,0x55,0x73,0x65,0x72,0x2d,0x41,0x67,
3395 0x65,0x6e,0x74,0x3a,0x20,0x4d,0x6f,0x7a,
3396 0x69,0x6c,0x6c,0x61,0x2f,0x35,0x2e,0x30,
3397 0x20,0x28,0x58,0x31,0x31,0x3b,0x20,0x55,
3398 0x3b,0x20,0x4c,0x69,0x6e,0x75,0x78,0x20,
3399 0x78,0x38,0x36,0x5f,0x36,0x34,0x3b,0x20,
3400 0x65,0x6e,0x2d,0x55,0x53,0x3b,0x20,0x72,
3401 0x76,0x3a,0x31,0x2e,0x39,0x2e,0x30,0x2e,
3402 0x31,0x34,0x29,0x20,0x47,0x65,0x63,0x6b,
3403 0x6f,0x2f,0x32,0x30,0x30,0x39,0x30,0x39,
3404 0x30,0x32,0x31,0x37,0x20,0x55,0x62,0x75,
3405 0x6e,0x74,0x75,0x2f,0x39,0x2e,0x30,0x34,
3406 0x20,0x28,0x6a,0x61,0x75,0x6e,0x74,0x79,
3407 0x29,0x20,0x46,0x69,0x72,0x65,0x66,0x6f,
3408 0x78,0x2f,0x33,0x2e,0x30,0x2e,0x31,0x34,
3409 0x0d,0x0a,0x41,0x63,0x63,0x65,0x70,0x74,
3410 0x3a,0x20,0x74,0x65,0x78,0x74,0x2f,0x68,
3411 0x74,0x6d,0x6c,0x2c,0x61,0x70,0x70,0x6c,
3412 0x69,0x63,0x61,0x74,0x69,0x6f,0x6e,0x2f,
3413 0x78,0x68,0x74,0x6d,0x6c,0x2b,0x78,0x6d,
3414 0x6c,0x2c,0x61,0x70,0x70,0x6c,0x69,0x63,
3415 0x61,0x74,0x69,0x6f,0x6e,0x2f,0x78,0x6d,
3416 0x6c,0x3b,0x71,0x3d,0x30,0x2e,0x39,0x2c,
3417 0x2a,0x2f,0x2a,0x3b,0x71,0x3d,0x30,0x2e,
3418 0x38,0x0d,0x0a,0x41,0x63,0x63,0x65,0x70,
3419 0x74,0x2d,0x4c,0x61,0x6e,0x67,0x75,0x61,
3420 0x67,0x65,0x3a,0x20,0x65,0x6e,0x2d,0x75,
3421 0x73,0x2c,0x65,0x6e,0x3b,0x71,0x3d,0x30,
3422 0x2e,0x35,0x0d,0x0a,0x41,0x63,0x63,0x65,
3423 0x70,0x74,0x2d,0x45,0x6e,0x63,0x6f,0x64,
3424 0x69,0x6e,0x67,0x3a,0x20,0x67,0x7a,0x69,
3425 0x70,0x2c,0x64,0x65,0x66,0x6c,0x61,0x74,
3426 0x65,0x0d,0x0a,0x41,0x63,0x63,0x65,0x70,
3427 0x74,0x2d,0x43,0x68,0x61,0x72,0x73,0x65,
3428 0x74,0x3a,0x20,0x49,0x53,0x4f,0x2d,0x38,
3429 0x38,0x35,0x39,0x2d,0x31,0x2c,0x75,0x74,
3430 0x66,0x2d,0x38,0x3b,0x71,0x3d,0x30,0x2e,
3431 0x37,0x2c,0x2a,0x3b,0x71,0x3d,0x30,0x2e,
3432 0x37,0x0d,0x0a,0x4b,0x65,0x65,0x70,0x2d,
3433 0x41,0x6c,0x69,0x76,0x65,0x3a,0x20,0x33,
3434 0x30,0x30,0x0d,0x0a,0x43,0x6f,0x6e,0x6e,
3435 0x65,0x63,0x74,0x69,0x6f,0x6e,0x3a,0x20,
3436 0x6b,0x65,0x65,0x70,0x2d,0x61,0x6c,0x69,
3437 0x76,0x65,0x0d,0x0a,0x0d,0x0a };
3447 uint32_t sids[3] = {1, 2, 3};
3448 uint32_t results[3] = {1, 1, 1};
3456 if (de_ctx != NULL) {
3470 static int SigTestBidirec04 (
void)
3482 sig =
DetectEngineAppendSig(de_ctx,
"alert tcp 192.168.1.1 any -> any any (msg:\"SigTestBidirec03 sid 1\"; sid:1;)");
3485 sig =
DetectEngineAppendSig(de_ctx,
"alert tcp 192.168.1.1 any <> any any (msg:\"SigTestBidirec03 sid 2 bidirectional\"; sid:2;)");
3490 if (sig->
next == NULL)
3499 sig =
DetectEngineAppendSig(de_ctx,
"alert tcp 192.168.1.1 any -> any any (msg:\"SigTestBidirec03 sid 3\"; sid:3;)");
3502 if (sig->
next == NULL)
3513 uint8_t rawpkt1_ether[] = {
3514 0x00,0x50,0x56,0xea,0x00,0xbd,0x00,0x0c,
3515 0x29,0x40,0xc8,0xb5,0x08,0x00,0x45,0x00,
3516 0x01,0xa8,0xb9,0xbb,0x40,0x00,0x40,0x06,
3517 0xe0,0xbf,0xc0,0xa8,0x1c,0x83,0xc0,0xa8,
3518 0x01,0x01,0xb9,0x0a,0x00,0x50,0x6f,0xa2,
3519 0x92,0xed,0x7b,0xc1,0xd3,0x4d,0x50,0x18,
3520 0x16,0xd0,0xa0,0x6f,0x00,0x00,0x47,0x45,
3521 0x54,0x20,0x2f,0x20,0x48,0x54,0x54,0x50,
3522 0x2f,0x31,0x2e,0x31,0x0d,0x0a,0x48,0x6f,
3523 0x73,0x74,0x3a,0x20,0x31,0x39,0x32,0x2e,
3524 0x31,0x36,0x38,0x2e,0x31,0x2e,0x31,0x0d,
3525 0x0a,0x55,0x73,0x65,0x72,0x2d,0x41,0x67,
3526 0x65,0x6e,0x74,0x3a,0x20,0x4d,0x6f,0x7a,
3527 0x69,0x6c,0x6c,0x61,0x2f,0x35,0x2e,0x30,
3528 0x20,0x28,0x58,0x31,0x31,0x3b,0x20,0x55,
3529 0x3b,0x20,0x4c,0x69,0x6e,0x75,0x78,0x20,
3530 0x78,0x38,0x36,0x5f,0x36,0x34,0x3b,0x20,
3531 0x65,0x6e,0x2d,0x55,0x53,0x3b,0x20,0x72,
3532 0x76,0x3a,0x31,0x2e,0x39,0x2e,0x30,0x2e,
3533 0x31,0x34,0x29,0x20,0x47,0x65,0x63,0x6b,
3534 0x6f,0x2f,0x32,0x30,0x30,0x39,0x30,0x39,
3535 0x30,0x32,0x31,0x37,0x20,0x55,0x62,0x75,
3536 0x6e,0x74,0x75,0x2f,0x39,0x2e,0x30,0x34,
3537 0x20,0x28,0x6a,0x61,0x75,0x6e,0x74,0x79,
3538 0x29,0x20,0x46,0x69,0x72,0x65,0x66,0x6f,
3539 0x78,0x2f,0x33,0x2e,0x30,0x2e,0x31,0x34,
3540 0x0d,0x0a,0x41,0x63,0x63,0x65,0x70,0x74,
3541 0x3a,0x20,0x74,0x65,0x78,0x74,0x2f,0x68,
3542 0x74,0x6d,0x6c,0x2c,0x61,0x70,0x70,0x6c,
3543 0x69,0x63,0x61,0x74,0x69,0x6f,0x6e,0x2f,
3544 0x78,0x68,0x74,0x6d,0x6c,0x2b,0x78,0x6d,
3545 0x6c,0x2c,0x61,0x70,0x70,0x6c,0x69,0x63,
3546 0x61,0x74,0x69,0x6f,0x6e,0x2f,0x78,0x6d,
3547 0x6c,0x3b,0x71,0x3d,0x30,0x2e,0x39,0x2c,
3548 0x2a,0x2f,0x2a,0x3b,0x71,0x3d,0x30,0x2e,
3549 0x38,0x0d,0x0a,0x41,0x63,0x63,0x65,0x70,
3550 0x74,0x2d,0x4c,0x61,0x6e,0x67,0x75,0x61,
3551 0x67,0x65,0x3a,0x20,0x65,0x6e,0x2d,0x75,
3552 0x73,0x2c,0x65,0x6e,0x3b,0x71,0x3d,0x30,
3553 0x2e,0x35,0x0d,0x0a,0x41,0x63,0x63,0x65,
3554 0x70,0x74,0x2d,0x45,0x6e,0x63,0x6f,0x64,
3555 0x69,0x6e,0x67,0x3a,0x20,0x67,0x7a,0x69,
3556 0x70,0x2c,0x64,0x65,0x66,0x6c,0x61,0x74,
3557 0x65,0x0d,0x0a,0x41,0x63,0x63,0x65,0x70,
3558 0x74,0x2d,0x43,0x68,0x61,0x72,0x73,0x65,
3559 0x74,0x3a,0x20,0x49,0x53,0x4f,0x2d,0x38,
3560 0x38,0x35,0x39,0x2d,0x31,0x2c,0x75,0x74,
3561 0x66,0x2d,0x38,0x3b,0x71,0x3d,0x30,0x2e,
3562 0x37,0x2c,0x2a,0x3b,0x71,0x3d,0x30,0x2e,
3563 0x37,0x0d,0x0a,0x4b,0x65,0x65,0x70,0x2d,
3564 0x41,0x6c,0x69,0x76,0x65,0x3a,0x20,0x33,
3565 0x30,0x30,0x0d,0x0a,0x43,0x6f,0x6e,0x6e,
3566 0x65,0x63,0x74,0x69,0x6f,0x6e,0x3a,0x20,
3567 0x6b,0x65,0x65,0x70,0x2d,0x61,0x6c,0x69,
3568 0x76,0x65,0x0d,0x0a,0x0d,0x0a };
3577 memset(&th_v, 0,
sizeof(th_v));
3581 DecodeEthernet(&th_v, &dtv, p, rawpkt1_ether,
sizeof(rawpkt1_ether), NULL);
3604 if (de_ctx != NULL) {
3618 static int SigParseTestNegation01 (
void)
3629 s =
SigInit(de_ctx,
"alert tcp !any any -> any any (msg:\"SigTest41-01 src address is !any \"; classtype:misc-activity; sid:410001; rev:1;)");
3644 static int SigParseTestNegation02 (
void)
3655 s =
SigInit(de_ctx,
"alert tcp any !any -> any any (msg:\"SigTest41-02 src ip is !any \"; classtype:misc-activity; sid:410002; rev:1;)");
3670 static int SigParseTestNegation03 (
void)
3681 s =
SigInit(de_ctx,
"alert tcp any any -> any [80:!80] (msg:\"SigTest41-03 dst port [80:!80] \"; classtype:misc-activity; sid:410003; rev:1;)");
3696 static int SigParseTestNegation04 (
void)
3707 s =
SigInit(de_ctx,
"alert tcp any any -> any [80,!80] (msg:\"SigTest41-03 dst port [80:!80] \"; classtype:misc-activity; sid:410003; rev:1;)");
3722 static int SigParseTestNegation05 (
void)
3733 s =
SigInit(de_ctx,
"alert tcp any any -> [192.168.0.2,!192.168.0.2] any (msg:\"SigTest41-04 dst ip [192.168.0.2,!192.168.0.2] \"; classtype:misc-activity; sid:410004; rev:1;)");
3748 static int SigParseTestNegation06 (
void)
3759 s =
SigInit(de_ctx,
"alert tcp any any -> any [100:1000,!1:20000] (msg:\"SigTest41-05 dst port [100:1000,!1:20000] \"; classtype:misc-activity; sid:410005; rev:1;)");
3775 static int SigParseTestNegation07 (
void)
3786 s =
SigInit(de_ctx,
"alert tcp any any -> [192.168.0.2,!192.168.0.0/24] any (msg:\"SigTest41-06 dst ip [192.168.0.2,!192.168.0.0/24] \"; classtype:misc-activity; sid:410006; rev:1;)");
3802 static int SigParseTestNegation08 (
void)
3813 s =
SigInit(de_ctx,
"alert tcp any any -> [192.168.0.0/16,!192.168.0.0/24] any (sid:410006; rev:1;)");
3828 static int SigParseTestMpm01 (
void)
3837 sig =
SigInit(de_ctx,
"alert tcp any any -> any any (msg:\"mpm test\"; content:\"abcd\"; sid:1;)");
3839 printf(
"sig failed to init: ");
3844 printf(
"sig doesn't have content list: ");
3859 static int SigParseTestMpm02 (
void)
3868 sig =
SigInit(de_ctx,
"alert tcp any any -> any any (msg:\"mpm test\"; content:\"abcd\"; content:\"abcdef\"; sid:1;)");
3870 printf(
"sig failed to init: ");
3875 printf(
"sig doesn't have content list: ");
3890 static int SigParseTestAppLayerTLS01(
void)
3901 s =
SigInit(de_ctx,
"alert tls any any -> any any (msg:\"SigParseTestAppLayerTLS01 \"; sid:410006; rev:1;)");
3903 printf(
"parsing sig failed: ");
3908 printf(
"alproto not set: ");
3925 static int SigParseTestAppLayerTLS02(
void)
3936 s =
SigInit(de_ctx,
"alert tls any any -> any any (msg:\"SigParseTestAppLayerTLS02 \"; tls.version:1.0; sid:410006; rev:1;)");
3938 printf(
"parsing sig failed: ");
3943 printf(
"alproto not set: ");
3959 static int SigParseTestAppLayerTLS03(
void)
3970 s =
SigInit(de_ctx,
"alert tls any any -> any any (msg:\"SigParseTestAppLayerTLS03 \"; tls.version:2.5; sid:410006; rev:1;)");
3983 static int SigParseTestUnblanacedQuotes01(
void)
3992 s =
SigInit(de_ctx,
"alert http any any -> any any (msg:\"SigParseTestUnblanacedQuotes01\"; pcre:\"/\\/[a-z]+\\.php\\?[a-z]+?=\\d{7}&[a-z]+?=\\d{7,8}$/U\" flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017078; rev:5;)");
3998 static int SigParseTestContentGtDsize01(
void)
4005 "alert http any any -> any any (" 4006 "dsize:21; content:\"0123456789001234567890|00 00|\"; " 4013 static int SigParseTestContentGtDsize02(
void)
4020 "alert http any any -> any any (" 4021 "dsize:21; content:\"0123456789|00 00|\"; offset:10; " 4028 static int SigParseBidirWithSameSrcAndDest01(
void)
4035 "alert tcp any any <> any any (sid:1; rev:1;)");
4043 "alert tcp any [80, 81] <> any [81, 80] (sid:1; rev:1;)");
4051 "alert tcp [1.2.3.4, 5.6.7.8] [80, 81] <> [5.6.7.8, 1.2.3.4] [81, 80] (sid:1; rev:1;)");
4061 static int SigParseBidirWithSameSrcAndDest02(
void)
4069 "alert tcp 1.2.3.4 any <> [1.2.3.4, 5.6.7.8, ::1] any (sid:1; rev:1;)");
4078 "alert tcp [1.2.3.4, ::1] [80, 81, 82] <> [1.2.3.4, ::1] [80, 81] (sid:1; rev:1;)");
4087 "alert tcp [1.2.3.4, ::1, ABCD:AAAA::1] [80] <> [1.2.3.4, ::1] [80, 81] (sid:1; rev:1;)");
4129 UtRegisterTest(
"SigParseTest21 -- address with space", SigParseTest21);
4130 UtRegisterTest(
"SigParseTest22 -- address with space", SigParseTest22);
4131 UtRegisterTest(
"SigParseTest23 -- carriage return", SigParseTest23);
4146 UtRegisterTest(
"SigParseTestNegation01", SigParseTestNegation01);
4147 UtRegisterTest(
"SigParseTestNegation02", SigParseTestNegation02);
4148 UtRegisterTest(
"SigParseTestNegation03", SigParseTestNegation03);
4149 UtRegisterTest(
"SigParseTestNegation04", SigParseTestNegation04);
4150 UtRegisterTest(
"SigParseTestNegation05", SigParseTestNegation05);
4151 UtRegisterTest(
"SigParseTestNegation06", SigParseTestNegation06);
4152 UtRegisterTest(
"SigParseTestNegation07", SigParseTestNegation07);
4153 UtRegisterTest(
"SigParseTestNegation08", SigParseTestNegation08);
4156 UtRegisterTest(
"SigParseTestAppLayerTLS01", SigParseTestAppLayerTLS01);
4157 UtRegisterTest(
"SigParseTestAppLayerTLS02", SigParseTestAppLayerTLS02);
4158 UtRegisterTest(
"SigParseTestAppLayerTLS03", SigParseTestAppLayerTLS03);
4160 SigParseTestUnblanacedQuotes01);
4163 SigParseTestContentGtDsize01);
4165 SigParseTestContentGtDsize02);
4168 SigParseBidirWithSameSrcAndDest01);
4170 SigParseBidirWithSameSrcAndDest02);
#define SIG_FLAG_FILESTORE
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
#define DETECT_DEFAULT_PRIO
char dst[DETECT_MAX_RULE_SIZE]
DetectReference * references
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
SignatureInitData * init_data
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
#define SIGMATCH_INFO_DEPRECATED
void SCReferenceConfInit(void)
DetectMetadata * metadata
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
SigMatch * DetectGetLastSMByListId(const Signature *s, int list_id,...)
Returns the sm with the largest index (added last) from the list passed to us as an id...
struct HtpBodyChunk_ * next
void SigFree(Signature *s)
size_t strlcpy(char *dst, const char *src, size_t siz)
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
int UTHAppendSigs(DetectEngineCtx *de_ctx, const char *sigs[], int numsigs)
UTHAppendSigs: Add sigs to the detection_engine checking for errors.
int DetectAppLayerEventPrepare(Signature *s)
#define ACTION_REJECT_DST
void DetectParseFreeRegexes(void)
const DetectAddressHead * DetectParseAddress(DetectEngineCtx *de_ctx, const char *string)
#define PASS
Pass the test.
void SigMatchRemoveSMFromList(Signature *s, SigMatch *sm, int sm_list)
int UTHMatchPackets(DetectEngineCtx *de_ctx, Packet **p, int num_packets)
#define CASE_CODE_STRING(E, S)
address structure for use in the detection engine.
bool DetectBufferRunValidateCallback(const DetectEngineCtx *de_ctx, const int id, const Signature *s, const char **sigerror)
int AppLayerParserSupportsFiles(uint8_t ipproto, AppProto alproto)
void DetectIPProtoRemoveAllSMs(Signature *s)
#define SIG_FLAG_REQUIRE_STREAM
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
void SigCleanSignatures(DetectEngineCtx *de_ctx)
#define PACKET_RECYCLE(p)
void SigTableApplyStrictCommandlineOption(const char *str)
void * HashListTableLookup(HashListTable *ht, void *data, uint16_t datalen)
SigMatch * DetectGetLastSM(const Signature *s)
Returns the sm with the largest index (added latest) from this sig.
#define DETECT_CONTENT_DISTANCE
element in sigmatch type table.
#define SIG_FLAG_REQUIRE_PACKET
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
AppProto AppLayerGetProtoByName(char *alproto_name)
Given a protocol string, returns the corresponding internal protocol id.
#define DETECT_TRANSFORMS_MAX
#define DETECT_CONTENT_DEPTH
int IPOnlySigParseAddress(const DetectEngineCtx *de_ctx, Signature *s, const char *addrstr, char flag)
Parses an address group sent as a character string and updates the IPOnlyCIDRItem lists src and dst o...
uint16_t addr_src_match6_cnt
SigMatch * DetectGetLastSMFromMpmLists(const DetectEngineCtx *de_ctx, const Signature *s)
get the last SigMatch from lists that support MPM.
#define SIG_FLAG_APPLAYER
int DetectSignatureAddTransform(Signature *s, int transform)
int UTHCheckPacketMatchResults(Packet *p, uint32_t sids[], uint32_t results[], int numsids)
UTHCheckPacketMatches: function to check if a packet match some sids.
bool DetectAddressListsAreEqual(DetectAddress *list1, DetectAddress *list2)
Checks if two address group lists are equal.
void DetectReferenceFree(DetectReference *ref)
Free a Reference object.
DetectMatchAddressIPv6 * addr_dst_match6
main detection engine ctx
uint16_t addr_src_match4_cnt
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
int DetectProtoParse(DetectProto *dp, const char *str)
Parses a protocol sent as a string.
#define DETECT_CONTENT_RAWBYTES
void AppLayerHtpNeedFileInspection(void)
Sets a flag that informs the HTP app layer that some module in the engine needs the http request file...
bool src_contains_negation
void DetectLuaPostSetup(Signature *s)
int HashListTableAdd(HashListTable *ht, void *data, uint16_t datalen)
char action[DETECT_MAX_RULE_SIZE]
DetectMatchAddressIPv4 * addr_dst_match4
#define SIG_FLAG_INIT_BIDIREC
struct DetectAddress_ * next
void DetectEngineAppInspectionEngineSignatureFree(Signature *s)
free app inspect engines for a signature
SigMatch * DetectGetLastSMByListPtr(const Signature *s, SigMatch *sm_list,...)
Returns the sm with the largest index (added last) from the list passed to us as a pointer...
DetectMatchAddressIPv6 * addr_src_match6
int transforms[DETECT_TRANSFORMS_MAX]
#define SIG_FLAG_TOCLIENT
#define ACTION_REJECT_BOTH
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
void SCClassConfInit(void)
Data structures and function prototypes for keeping state for the detection engine.
bool DetectPortListsAreEqual(DetectPort *list1, DetectPort *list2)
Checks if two port group lists are equal.
struct DetectEngineAppInspectionEngine_ * next
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
void IPOnlyCIDRListFree(IPOnlyCIDRItem *tmphead)
This function free a IPOnlyCIDRItem list.
DetectMatchAddressIPv4 * addr_src_match4
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
char opts[DETECT_MAX_RULE_SIZE]
#define SIG_FLAG_INIT_FLOW
bool dst_contains_negation
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Structure to hold thread specific data for all decode modules.
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
void DetectSetupParseRegexes(const char *parse_str, pcre **parse_regex, pcre_extra **parse_regex_study)
#define SIGMATCH_QUOTES_OPTIONAL
#define SIG_FLAG_TOSERVER
#define SIGMATCH_QUOTES_MANDATORY
struct DetectReference_ * next
int DetectBufferTypeMaxId(void)
#define DETECT_SM_LIST_NOTSET
void SCClassConfLoadClassficationConfigFile(DetectEngineCtx *de_ctx, FILE *fd)
Loads the Classtype info from the classification.config file.
void DetectParseDupSigHashFree(DetectEngineCtx *de_ctx)
Frees the hash table that is used to cull duplicate sigs.
Packet * UTHBuildPacketFromEth(uint8_t *raw_eth, uint16_t pktsize)
UTHBuildPacketFromEth is a wrapper that build a packet for the rawbytes.
SigMatchData * sm_arrays[DETECT_SM_LIST_MAX]
uint16_t addr_dst_match6_cnt
_Bool DetectContentPMATCHValidateCallback(const Signature *s)
DetectEngineAppInspectionEngine * app_inspect_engines
char dp[DETECT_MAX_RULE_SIZE]
HashListTable * HashListTableInit(uint32_t size, uint32_t(*Hash)(struct HashListTable_ *, void *, uint16_t), char(*Compare)(void *, uint16_t, void *, uint16_t), void(*Free)(void *))
struct SigMatch_ ** smlists_tail
DetectAddress * ipv4_head
bool SigMatchSilentErrorEnabled(const DetectEngineCtx *de_ctx, const enum DetectKeywordId id)
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
char direction[DETECT_MAX_RULE_SIZE]
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
int DetectEngineContentModifierBufferSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg, int sm_type, int sm_list, AppProto alproto)
int SigGroupCleanup(DetectEngineCtx *de_ctx)
struct SigDuplWrapper_ SigDuplWrapper
We use this as data to the hash table DetectEngineCtx->dup_sig_hash_table.
struct DetectParseRegex_ DetectParseRegex
const char * DetectListToString(int list)
bool sm_types_silent_error[DETECT_TBLSIZE]
struct SignatureParser_ SignatureParser
void DetectPortCleanupList(const DetectEngineCtx *de_ctx, DetectPort *head)
Free a DetectPort list and each of its members.
bool SigMatchStrictEnabled(const enum DetectKeywordId id)
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
struct SigMatch_ ** smlists
HashListTable * dup_sig_hash_table
const DetectAddressHead * dst
Signature * SigAlloc(void)
void AppLayerProtoDetectSupportedIpprotos(AppProto alproto, uint8_t *ipprotos)
uint32_t smlists_array_size
char src[DETECT_MAX_RULE_SIZE]
void DetectParseRegexAddToFreeList(pcre *regex, pcre_extra *study)
add regex and/or study to at exit free list
char sp[DETECT_MAX_RULE_SIZE]
int DetectPortCmp(DetectPort *a, DetectPort *b)
Function that compare port groups.
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
#define DETECT_MAX_RULE_SIZE
void DetectParseRegisterTests(void)
this function registers unit tests for DetectParse
#define DETECT_CONTENT_REPLACE
uint16_t addr_dst_match4_cnt
SigMatchData * SigMatchList2DataArray(SigMatch *head)
convert SigMatch list to SigMatchData array
void SigParseRegisterTests(void)
bool DetectBufferTypeSupportsMpmGetById(const DetectEngineCtx *de_ctx, const int id)
void FlowShutdown(void)
shutdown the flow engine
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
#define DETECT_PROTO_ONLY_STREAM
void SigMatchFree(SigMatch *sm)
free a SigMatch
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us. ...
We use this as data to the hash table DetectEngineCtx->dup_sig_hash_table.
#define FatalError(x,...)
#define SIGMATCH_OPTIONAL_OPT
#define SCReturnPtr(x, type)
void SignatureSetType(DetectEngineCtx *de_ctx, Signature *s)
int DetectParseDupSigHashInit(DetectEngineCtx *de_ctx)
Initializes the hash table that is used to cull duplicate sigs.
struct DetectParseRegex_ * next
#define DETECT_CONTENT_WITHIN
Signature reference list.
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
void DetectBufferRunSetupCallback(const DetectEngineCtx *de_ctx, const int id, Signature *s)
#define SIG_FLAG_INIT_PACKET
const char * DetectListToHumanString(int list)
void HashListTableFree(HashListTable *ht)
int DetectFlowSetupImplicit(Signature *s, uint32_t flags)
#define DETECT_PROTO_ONLY_PKT
#define DETECT_PCRE_RELATIVE_NEXT
int DecodeEthernet(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len, PacketQueue *pq)
#define DETECT_CONTENT_RELATIVE_NEXT
SigMatch * SigMatchAlloc(void)
Per thread variable structure.
#define SIGMATCH_HANDLE_NEGATION
int SigMatchListSMBelongsTo(const Signature *s, const SigMatch *key_sm)
bool DetectBufferTypeSupportsPacketGetById(const DetectEngineCtx *de_ctx, const int id)
int DetectPortParse(const DetectEngineCtx *de_ctx, DetectPort **head, const char *str)
Function for parsing port strings.
void SCClassConfDeinit(void)
const char * DetectBufferTypeGetNameById(const DetectEngineCtx *de_ctx, const int id)
void SCReferenceConfDeinit(void)
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
const DetectAddressHead * src
char protocol[DETECT_MAX_RULE_SIZE]
#define DETECT_CONTENT_OFFSET
FILE * SCClassConfGenerateValidDummyClassConfigFD01(void)
Creates a dummy classification file, with all valid Classtypes, for testing purposes.
DetectAddress * ipv6_head
Port structure for detection engine.
a single match condition for a signature
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
void DetectPortPrint(DetectPort *dp)
Helper function that print the DetectPort info.
#define SIGMATCH_STRICT_PARSING
DetectEngineCtx * DetectEngineCtxInit(void)
void FlowInitConfig(char quiet)
initialize the configuration
1.8.11 
