suricata
detect-rpc.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Pablo Rincon <pablo.rincon.crespo@gmail.com>
22  *
23  * Implements RPC keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "debug.h"
28 #include "decode.h"
29 
30 #include "detect.h"
31 #include "detect-rpc.h"
32 #include "detect-parse.h"
33 #include "detect-engine.h"
34 #include "detect-engine-mpm.h"
35 #include "detect-engine-siggroup.h"
36 #include "detect-engine-address.h"
37 
38 #include "util-unittest.h"
39 #include "util-unittest-helper.h"
40 #include "util-debug.h"
41 #include "util-byte.h"
42 
43 /**
44  * \brief Regex for parsing our rpc options
45  */
46 #define PARSE_REGEX "^\\s*([0-9]{0,10})\\s*(?:,\\s*([0-9]{0,10}|[*])\\s*(?:,\\s*([0-9]{0,10}|[*]))?)?\\s*$"
47 
48 static DetectParseRegex parse_regex;
49 
50 static int DetectRpcMatch (DetectEngineThreadCtx *, Packet *,
51  const Signature *, const SigMatchCtx *);
52 static int DetectRpcSetup (DetectEngineCtx *, Signature *, const char *);
53 void DetectRpcRegisterTests(void);
54 void DetectRpcFree(DetectEngineCtx *, void *);
55 
56 /**
57  * \brief Registration function for rpc keyword
58  */
59 void DetectRpcRegister (void)
60 {
62  sigmatch_table[DETECT_RPC].desc = "match RPC procedure numbers and RPC version";
63  sigmatch_table[DETECT_RPC].url = "/rules/payload-keywords.html#rpc";
64  sigmatch_table[DETECT_RPC].Match = DetectRpcMatch;
65  sigmatch_table[DETECT_RPC].Setup = DetectRpcSetup;
68 
69  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
70 }
71 
72 /*
73  * returns 0: no match
74  * 1: match
75  * -1: error
76  */
77 
78 /**
79  * \brief This function is used to match rpc request set on a packet with those passed via rpc
80  *
81  * \param t pointer to thread vars
82  * \param det_ctx pointer to the pattern matcher thread
83  * \param p pointer to the current packet
84  * \param m pointer to the sigmatch that we will cast into DetectRpcData
85  *
86  * \retval 0 no match
87  * \retval 1 match
88  */
89 static int DetectRpcMatch (DetectEngineThreadCtx *det_ctx, Packet *p,
90  const Signature *s, const SigMatchCtx *ctx)
91 {
92  /* PrintRawDataFp(stdout, p->payload, p->payload_len); */
93  const DetectRpcData *rd = (const DetectRpcData *)ctx;
94  char *rpcmsg = (char *)p->payload;
95 
96  if (PKT_IS_TCP(p)) {
97  /* if Rpc msg too small */
98  if (p->payload_len < 28) {
99  SCLogDebug("TCP packet to small for the rpc msg (%u)", p->payload_len);
100  return 0;
101  }
102  rpcmsg += 4;
103  } else if (PKT_IS_UDP(p)) {
104  /* if Rpc msg too small */
105  if (p->payload_len < 24) {
106  SCLogDebug("UDP packet to small for the rpc msg (%u)", p->payload_len);
107  return 0;
108  }
109  } else {
110  SCLogDebug("No valid proto for the rpc message");
111  return 0;
112  }
113 
114  /* Point through the rpc msg structure. Use SCNtohl() to compare values */
115  RpcMsg *msg = (RpcMsg *)rpcmsg;
116 
117  /* If its not a call, no match */
118  if (SCNtohl(msg->type) != 0) {
119  SCLogDebug("RPC message type is not a call");
120  return 0;
121  }
122 
123  if (SCNtohl(msg->prog) != rd->program)
124  return 0;
125 
126  if ((rd->flags & DETECT_RPC_CHECK_VERSION) && SCNtohl(msg->vers) != rd->program_version)
127  return 0;
128 
129  if ((rd->flags & DETECT_RPC_CHECK_PROCEDURE) && SCNtohl(msg->proc) != rd->procedure)
130  return 0;
131 
132  SCLogDebug("prog:%u pver:%u proc:%u matched", SCNtohl(msg->prog), SCNtohl(msg->vers), SCNtohl(msg->proc));
133  return 1;
134 }
135 
136 /**
137  * \brief This function is used to parse rpc options passed via rpc keyword
138  *
139  * \param de_ctx Pointer to the detection engine context
140  * \param rpcstr Pointer to the user provided rpc options
141  *
142  * \retval rd pointer to DetectRpcData on success
143  * \retval NULL on failure
144  */
145 static DetectRpcData *DetectRpcParse (DetectEngineCtx *de_ctx, const char *rpcstr)
146 {
147  DetectRpcData *rd = NULL;
148  char *args[3] = {NULL,NULL,NULL};
149  int ret = 0, res = 0;
150  int ov[MAX_SUBSTRINGS];
151 
152  ret = DetectParsePcreExec(&parse_regex, rpcstr, 0, 0, ov, MAX_SUBSTRINGS);
153  if (ret < 1 || ret > 4) {
154  SCLogError(SC_ERR_PCRE_MATCH, "parse error, ret %" PRId32 ", string %s", ret, rpcstr);
155  goto error;
156  }
157 
158  if (ret > 1) {
159  const char *str_ptr;
160  res = pcre_get_substring((char *)rpcstr, ov, MAX_SUBSTRINGS, 1, &str_ptr);
161  if (res < 0) {
162  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
163  goto error;
164  }
165  args[0] = (char *)str_ptr;
166 
167  if (ret > 2) {
168  res = pcre_get_substring((char *)rpcstr, ov, MAX_SUBSTRINGS, 2, &str_ptr);
169  if (res < 0) {
170  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
171  goto error;
172  }
173  args[1] = (char *)str_ptr;
174  }
175  if (ret > 3) {
176  res = pcre_get_substring((char *)rpcstr, ov, MAX_SUBSTRINGS, 3, &str_ptr);
177  if (res < 0) {
178  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
179  goto error;
180  }
181  args[2] = (char *)str_ptr;
182  }
183  }
184 
185  rd = SCMalloc(sizeof(DetectRpcData));
186  if (unlikely(rd == NULL))
187  goto error;
188  rd->flags = 0;
189  rd->program = 0;
190  rd->program_version = 0;
191  rd->procedure = 0;
192 
193  int i;
194  for (i = 0; i < (ret - 1); i++) {
195  if (args[i]) {
196  switch (i) {
197  case 0:
198  if (StringParseUint32(&rd->program, 10, strlen(args[i]), args[i]) <= 0) {
199  SCLogError(SC_ERR_INVALID_ARGUMENT, "Invalid size specified for the rpc program:\"%s\"", args[i]);
200  goto error;
201  }
203  break;
204  case 1:
205  if (args[i][0] != '*') {
206  if (StringParseUint32(&rd->program_version, 10, strlen(args[i]), args[i]) <= 0) {
207  SCLogError(SC_ERR_INVALID_ARGUMENT, "Invalid size specified for the rpc version:\"%s\"", args[i]);
208  goto error;
209  }
211  }
212  break;
213  case 2:
214  if (args[i][0] != '*') {
215  if (StringParseUint32(&rd->procedure, 10, strlen(args[i]), args[i]) <= 0) {
216  SCLogError(SC_ERR_INVALID_ARGUMENT, "Invalid size specified for the rpc procedure:\"%s\"", args[i]);
217  goto error;
218  }
220  }
221  break;
222  }
223  } else {
224  SCLogError(SC_ERR_INVALID_VALUE, "invalid rpc option %s",rpcstr);
225  goto error;
226  }
227  }
228  for (i = 0; i < (ret -1); i++){
229  if (args[i] != NULL)
230  SCFree(args[i]);
231  }
232  return rd;
233 
234 error:
235  for (i = 0; i < (ret -1) && i < 3; i++){
236  if (args[i] != NULL)
237  SCFree(args[i]);
238  }
239  if (rd != NULL)
240  DetectRpcFree(de_ctx, rd);
241  return NULL;
242 
243 }
244 
245 /**
246  * \brief this function is used to add the parsed rpcdata into the current signature
247  *
248  * \param de_ctx pointer to the Detection Engine Context
249  * \param s pointer to the Current Signature
250  * \param m pointer to the Current SigMatch
251  * \param rpcstr pointer to the user provided rpc options
252  *
253  * \retval 0 on Success
254  * \retval -1 on Failure
255  */
256 int DetectRpcSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rpcstr)
257 {
258  DetectRpcData *rd = NULL;
259  SigMatch *sm = NULL;
260 
261  rd = DetectRpcParse(de_ctx, rpcstr);
262  if (rd == NULL) goto error;
263 
264  sm = SigMatchAlloc();
265  if (sm == NULL)
266  goto error;
267 
268  sm->type = DETECT_RPC;
269  sm->ctx = (SigMatchCtx *)rd;
270 
273 
274  return 0;
275 
276 error:
277  if (rd != NULL) DetectRpcFree(de_ctx, rd);
278  if (sm != NULL) SCFree(sm);
279  return -1;
280 
281 }
282 
283 /**
284  * \brief this function will free memory associated with DetectRpcData
285  *
286  * \param rd pointer to DetectRpcData
287  */
289 {
290  SCEnter();
291 
292  if (ptr == NULL) {
293  SCReturn;
294  }
295 
296  DetectRpcData *rd = (DetectRpcData *)ptr;
297  SCFree(rd);
298 
299  SCReturn;
300 }
301 
302 #ifdef UNITTESTS
303 /**
304  * \test DetectRpcTestParse01 is a test to make sure that we return "something"
305  * when given valid rpc opt
306  */
307 static int DetectRpcTestParse01 (void)
308 {
309  int result = 0;
310  DetectRpcData *rd = NULL;
311  rd = DetectRpcParse(NULL, "123,444,555");
312  if (rd != NULL) {
313  DetectRpcFree(NULL, rd);
314  result = 1;
315  }
316 
317  return result;
318 }
319 
320 /**
321  * \test DetectRpcTestParse02 is a test for setting the established rpc opt
322  */
323 static int DetectRpcTestParse02 (void)
324 {
325  int result = 0;
326  DetectRpcData *rd = NULL;
327  rd = DetectRpcParse(NULL, "111,222,333");
328  if (rd != NULL) {
329  if (rd->flags & DETECT_RPC_CHECK_PROGRAM &&
332  rd->program == 111 && rd->program_version == 222 &&
333  rd->procedure == 333) {
334  result = 1;
335  } else {
336  SCLogDebug("Error: Flags: %d; program: %u, version: %u, procedure: %u", rd->flags, rd->program, rd->program_version, rd->procedure);
337  }
338  DetectRpcFree(NULL, rd);
339  }
340 
341  return result;
342 }
343 
344 /**
345  * \test DetectRpcTestParse03 is a test for checking the wildcards
346  * and not specified fields
347  */
348 static int DetectRpcTestParse03 (void)
349 {
350  int result = 1;
351  DetectRpcData *rd = NULL;
352  rd = DetectRpcParse(NULL, "111,*,333");
353  if (rd == NULL)
354  return 0;
355 
356  if ( !(rd->flags & DETECT_RPC_CHECK_PROGRAM &&
357  !(rd->flags & DETECT_RPC_CHECK_VERSION) &&
359  rd->program == 111 && rd->program_version == 0 &&
360  rd->procedure == 333))
361  result = 0;
362  SCLogDebug("rd1 Flags: %d; program: %u, version: %u, procedure: %u", rd->flags, rd->program, rd->program_version, rd->procedure);
363 
364  DetectRpcFree(NULL, rd);
365 
366  rd = DetectRpcParse(NULL, "111,222,*");
367  if (rd == NULL)
368  return 0;
369 
370  if ( !(rd->flags & DETECT_RPC_CHECK_PROGRAM &&
373  rd->program == 111 && rd->program_version == 222 &&
374  rd->procedure == 0))
375  result = 0;
376  SCLogDebug("rd2 Flags: %d; program: %u, version: %u, procedure: %u", rd->flags, rd->program, rd->program_version, rd->procedure);
377 
378  DetectRpcFree(NULL, rd);
379 
380  rd = DetectRpcParse(NULL, "111,*,*");
381  if (rd == NULL)
382  return 0;
383 
384  if ( !(rd->flags & DETECT_RPC_CHECK_PROGRAM &&
385  !(rd->flags & DETECT_RPC_CHECK_VERSION) &&
387  rd->program == 111 && rd->program_version == 0 &&
388  rd->procedure == 0))
389  result = 0;
390  SCLogDebug("rd2 Flags: %d; program: %u, version: %u, procedure: %u", rd->flags, rd->program, rd->program_version, rd->procedure);
391 
392  DetectRpcFree(NULL, rd);
393 
394  rd = DetectRpcParse(NULL, "111,222");
395  if (rd == NULL)
396  return 0;
397 
398  if ( !(rd->flags & DETECT_RPC_CHECK_PROGRAM &&
401  rd->program == 111 && rd->program_version == 222 &&
402  rd->procedure == 0))
403  result = 0;
404  SCLogDebug("rd2 Flags: %d; program: %u, version: %u, procedure: %u", rd->flags, rd->program, rd->program_version, rd->procedure);
405 
406  DetectRpcFree(NULL, rd);
407 
408  rd = DetectRpcParse(NULL, "111");
409  if (rd == NULL)
410  return 0;
411 
412  if ( !(rd->flags & DETECT_RPC_CHECK_PROGRAM &&
413  !(rd->flags & DETECT_RPC_CHECK_VERSION) &&
415  rd->program == 111 && rd->program_version == 0 &&
416  rd->procedure == 0))
417  result = 0;
418  SCLogDebug("rd2 Flags: %d; program: %u, version: %u, procedure: %u", rd->flags, rd->program, rd->program_version, rd->procedure);
419 
420  DetectRpcFree(NULL, rd);
421  return result;
422 }
423 
424 /**
425  * \test DetectRpcTestParse04 is a test for check the discarding of empty options
426  */
427 static int DetectRpcTestParse04 (void)
428 {
429  int result = 0;
430  DetectRpcData *rd = NULL;
431  rd = DetectRpcParse(NULL, "");
432  if (rd == NULL) {
433  result = 1;
434  } else {
435  SCLogDebug("Error: Flags: %d; program: %u, version: %u, procedure: %u", rd->flags, rd->program, rd->program_version, rd->procedure);
436  DetectRpcFree(NULL, rd);
437  }
438 
439  return result;
440 }
441 
442 /**
443  * \test DetectRpcTestParse05 is a test for check invalid values
444  */
445 static int DetectRpcTestParse05 (void)
446 {
447  int result = 0;
448  DetectRpcData *rd = NULL;
449  rd = DetectRpcParse(NULL, "111,aaa,*");
450  if (rd == NULL) {
451  result = 1;
452  } else {
453  SCLogDebug("Error: Flags: %d; program: %u, version: %u, procedure: %u", rd->flags, rd->program, rd->program_version, rd->procedure);
454  DetectRpcFree(NULL, rd);
455  }
456 
457  return result;
458 }
459 
460 /**
461  * \test DetectRpcTestParse05 is a test to check the match function
462  */
463 static int DetectRpcTestSig01(void)
464 {
465  /* RPC Call */
466  uint8_t buf[] = {
467  /* XID */
468  0x64,0xb2,0xb3,0x75,
469  /* Message type: Call (0) */
470  0x00,0x00,0x00,0x00,
471  /* RPC Version (2) */
472  0x00,0x00,0x00,0x02,
473  /* Program portmap (100000) */
474  0x00,0x01,0x86,0xa0,
475  /* Program version (2) */
476  0x00,0x00,0x00,0x02,
477  /* Program procedure (3) = GETPORT */
478  0x00,0x00,0x00,0x03,
479  /* AUTH_NULL */
480  0x00,0x00,0x00,0x00,
481  /* Length 0 */
482  0x00,0x00,0x00,0x00,
483  /* VERIFIER NULL */
484  0x00,0x00,0x00,0x00,
485  /* Length 0 */
486  0x00,0x00,0x00,0x00,
487  /* Program portmap */
488  0x00,0x01,0x86,0xa2,
489  /* Version 2 */
490  0x00,0x00,0x00,0x02,
491  /* Proto UDP */
492  0x00,0x00,0x00,0x11,
493  /* Port 0 */
494  0x00,0x00,0x00,0x00 };
495  uint16_t buflen = sizeof(buf);
496  Packet *p = NULL;
497  Signature *s = NULL;
498  ThreadVars th_v;
499  DetectEngineThreadCtx *det_ctx;
500  int result = 0;
501 
502  memset(&th_v, 0, sizeof(th_v));
503 
504  p = UTHBuildPacket(buf, buflen, IPPROTO_UDP);
505 
507  if (de_ctx == NULL) {
508  goto end;
509  }
510 
511  de_ctx->flags |= DE_QUIET;
512 
513  s = de_ctx->sig_list = SigInit(de_ctx,"alert udp any any -> any any (msg:\"RPC Get Port Call\"; rpc:100000, 2, 3; sid:1;)");
514  if (s == NULL) {
515  goto end;
516  }
517 
518  s = s->next = SigInit(de_ctx,"alert udp any any -> any any (msg:\"RPC Get Port Call\"; rpc:100000, 2, *; sid:2;)");
519  if (s == NULL) {
520  goto end;
521  }
522 
523  s = s->next = SigInit(de_ctx,"alert udp any any -> any any (msg:\"RPC Get Port Call\"; rpc:100000, *, 3; sid:3;)");
524  if (s == NULL) {
525  goto end;
526  }
527 
528  s = s->next = SigInit(de_ctx,"alert udp any any -> any any (msg:\"RPC Get Port Call\"; rpc:100000, *, *; sid:4;)");
529  if (s == NULL) {
530  goto end;
531  }
532 
533  s = s->next = SigInit(de_ctx,"alert udp any any -> any any (msg:\"RPC Get XXX Call.. no match\"; rpc:123456, *, 3; sid:5;)");
534  if (s == NULL) {
535  goto end;
536  }
537 
539  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
540 
541  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
542  if (PacketAlertCheck(p, 1) == 0) {
543  printf("sid 1 didnt alert, but it should have: ");
544  goto cleanup;
545  } else if (PacketAlertCheck(p, 2) == 0) {
546  printf("sid 2 didnt alert, but it should have: ");
547  goto cleanup;
548  } else if (PacketAlertCheck(p, 3) == 0) {
549  printf("sid 3 didnt alert, but it should have: ");
550  goto cleanup;
551  } else if (PacketAlertCheck(p, 4) == 0) {
552  printf("sid 4 didnt alert, but it should have: ");
553  goto cleanup;
554  } else if (PacketAlertCheck(p, 5) > 0) {
555  printf("sid 5 did alert, but should not: ");
556  goto cleanup;
557  }
558 
559  result = 1;
560 
561 cleanup:
564 
565  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
567 
568  UTHFreePackets(&p, 1);
569 end:
570  return result;
571 }
572 #endif /* UNITTESTS */
573 
574 /**
575  * \brief this function registers unit tests for DetectRpc
576  */
578 {
579 #ifdef UNITTESTS
580  UtRegisterTest("DetectRpcTestParse01", DetectRpcTestParse01);
581  UtRegisterTest("DetectRpcTestParse02", DetectRpcTestParse02);
582  UtRegisterTest("DetectRpcTestParse03", DetectRpcTestParse03);
583  UtRegisterTest("DetectRpcTestParse04", DetectRpcTestParse04);
584  UtRegisterTest("DetectRpcTestParse05", DetectRpcTestParse05);
585  UtRegisterTest("DetectRpcTestSig01", DetectRpcTestSig01);
586 #endif /* UNITTESTS */
587 }
PKT_IS_UDP
#define PKT_IS_UDP(p)
Definition: decode.h:257
util-byte.h
SigTableElmt_::url
const char * url
Definition: detect.h:1212
detect-engine.h
SigTableElmt_::desc
const char * desc
Definition: detect.h:1211
SC_ERR_INVALID_VALUE
@ SC_ERR_INVALID_VALUE
Definition: util-error.h:160
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1200
detect-engine-siggroup.h
SigTableElmt_::name
const char * name
Definition: detect.h:1209
PARSE_REGEX
#define PARSE_REGEX
Regex for parsing our rpc options.
Definition: detect-rpc.c:46
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
DetectRpcData_
Definition: detect-rpc.h:47
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DetectRpcData_::flags
uint8_t flags
Definition: detect-rpc.h:51
DetectRpcData_::procedure
uint32_t procedure
Definition: detect-rpc.h:50
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
RpcMsg_
Definition: detect-rpc.h:35
Packet_::payload
uint8_t * payload
Definition: decode.h:543
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2035
DetectRpcRegister
void DetectRpcRegister(void)
Registration function for rpc keyword.
Definition: detect-rpc.c:59
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:766
DetectRpcData_::program_version
uint32_t program_version
Definition: detect-rpc.h:49
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2092
DETECT_RPC_CHECK_PROCEDURE
#define DETECT_RPC_CHECK_PROCEDURE
Definition: detect-rpc.h:32
DE_QUIET
#define DE_QUIET
Definition: detect.h:293
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:336
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:39
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1195
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:544
DETECT_RPC
@ DETECT_RPC
Definition: detect-engine-register.h:81
util-unittest.h
util-unittest-helper.h
detect-rpc.h
Signature_::next
struct Signature_ * next
Definition: detect.h:599
PKT_IS_TCP
#define PKT_IS_TCP(p)
Definition: decode.h:256
decode.h
util-debug.h
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1009
DetectRpcData_::program
uint32_t program
Definition: detect-rpc.h:48
res
PoolThreadReserved res
Definition: stream-tcp-private.h:0
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2472
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectRpcRegisterTests
void DetectRpcRegisterTests(void)
this function registers unit tests for DetectRpc
Definition: detect-rpc.c:577
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:89
SC_ERR_INVALID_ARGUMENT
@ SC_ERR_INVALID_ARGUMENT
Definition: util-error.h:43
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:322
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1688
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1943
SCReturn
#define SCReturn
Definition: util-debug.h:302
Signature_::flags
uint32_t flags
Definition: detect.h:528
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options, int *ovector, int ovector_size)
Definition: detect-parse.c:2402
Packet_
Definition: decode.h:411
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1178
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1878
SigMatch_::type
uint8_t type
Definition: detect.h:320
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:314
StringParseUint32
int StringParseUint32(uint32_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:313
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2796
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3004
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectParseRegex_
Definition: detect-parse.h:42
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:772
DetectRpcFree
void DetectRpcFree(DetectEngineCtx *, void *)
this function will free memory associated with DetectRpcData
Definition: detect-rpc.c:288
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
SCFree
#define SCFree(p)
Definition: util-mem.h:61
SCNtohl
#define SCNtohl(x)
Definition: suricata-common.h:397
detect-parse.h
Signature_
Signature container.
Definition: detect.h:527
SigMatch_
a single match condition for a signature
Definition: detect.h:319
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2047
DETECT_RPC_CHECK_PROGRAM
#define DETECT_RPC_CHECK_PROGRAM
Definition: detect-rpc.h:30
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:767
msg
const char * msg
Definition: app-layer-htp.c:571
DETECT_RPC_CHECK_VERSION
#define DETECT_RPC_CHECK_VERSION
Definition: detect-rpc.h:31
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
detect-engine-address.h
debug.h
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1201
SIG_FLAG_REQUIRE_PACKET
#define SIG_FLAG_REQUIRE_PACKET
Definition: detect.h:223
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:467