suricata
detect-rpc.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Pablo Rincon <pablo.rincon.crespo@gmail.com>
22  *
23  * Implements RPC keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "debug.h"
28 #include "decode.h"
29 
30 #include "detect.h"
31 #include "detect-rpc.h"
32 #include "detect-parse.h"
33 #include "detect-engine.h"
34 #include "detect-engine-mpm.h"
35 #include "detect-engine-siggroup.h"
36 #include "detect-engine-address.h"
37 
38 #include "util-unittest.h"
39 #include "util-unittest-helper.h"
40 #include "util-debug.h"
41 #include "util-byte.h"
42 
43 /**
44  * \brief Regex for parsing our rpc options
45  */
46 #define PARSE_REGEX "^\\s*([0-9]{0,10})\\s*(?:,\\s*([0-9]{0,10}|[*])\\s*(?:,\\s*([0-9]{0,10}|[*]))?)?\\s*$"
47 
48 static DetectParseRegex parse_regex;
49 
50 static int DetectRpcMatch (DetectEngineThreadCtx *, Packet *,
51  const Signature *, const SigMatchCtx *);
52 static int DetectRpcSetup (DetectEngineCtx *, Signature *, const char *);
53 #ifdef UNITTESTS
54 static void DetectRpcRegisterTests(void);
55 #endif
56 void DetectRpcFree(DetectEngineCtx *, void *);
57 
58 /**
59  * \brief Registration function for rpc keyword
60  */
61 void DetectRpcRegister (void)
62 {
64  sigmatch_table[DETECT_RPC].desc = "match RPC procedure numbers and RPC version";
65  sigmatch_table[DETECT_RPC].url = "/rules/payload-keywords.html#rpc";
66  sigmatch_table[DETECT_RPC].Match = DetectRpcMatch;
67  sigmatch_table[DETECT_RPC].Setup = DetectRpcSetup;
69 #ifdef UNITTESTS
70  sigmatch_table[DETECT_RPC].RegisterTests = DetectRpcRegisterTests;
71 #endif
72  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
73 }
74 
75 /*
76  * returns 0: no match
77  * 1: match
78  * -1: error
79  */
80 
81 /**
82  * \brief This function is used to match rpc request set on a packet with those passed via rpc
83  *
84  * \param t pointer to thread vars
85  * \param det_ctx pointer to the pattern matcher thread
86  * \param p pointer to the current packet
87  * \param m pointer to the sigmatch that we will cast into DetectRpcData
88  *
89  * \retval 0 no match
90  * \retval 1 match
91  */
92 static int DetectRpcMatch (DetectEngineThreadCtx *det_ctx, Packet *p,
93  const Signature *s, const SigMatchCtx *ctx)
94 {
95  /* PrintRawDataFp(stdout, p->payload, p->payload_len); */
96  const DetectRpcData *rd = (const DetectRpcData *)ctx;
97  char *rpcmsg = (char *)p->payload;
98 
99  if (PKT_IS_TCP(p)) {
100  /* if Rpc msg too small */
101  if (p->payload_len < 28) {
102  SCLogDebug("TCP packet to small for the rpc msg (%u)", p->payload_len);
103  return 0;
104  }
105  rpcmsg += 4;
106  } else if (PKT_IS_UDP(p)) {
107  /* if Rpc msg too small */
108  if (p->payload_len < 24) {
109  SCLogDebug("UDP packet to small for the rpc msg (%u)", p->payload_len);
110  return 0;
111  }
112  } else {
113  SCLogDebug("No valid proto for the rpc message");
114  return 0;
115  }
116 
117  /* Point through the rpc msg structure. Use SCNtohl() to compare values */
118  RpcMsg *msg = (RpcMsg *)rpcmsg;
119 
120  /* If its not a call, no match */
121  if (SCNtohl(msg->type) != 0) {
122  SCLogDebug("RPC message type is not a call");
123  return 0;
124  }
125 
126  if (SCNtohl(msg->prog) != rd->program)
127  return 0;
128 
129  if ((rd->flags & DETECT_RPC_CHECK_VERSION) && SCNtohl(msg->vers) != rd->program_version)
130  return 0;
131 
132  if ((rd->flags & DETECT_RPC_CHECK_PROCEDURE) && SCNtohl(msg->proc) != rd->procedure)
133  return 0;
134 
135  SCLogDebug("prog:%u pver:%u proc:%u matched", SCNtohl(msg->prog), SCNtohl(msg->vers), SCNtohl(msg->proc));
136  return 1;
137 }
138 
139 /**
140  * \brief This function is used to parse rpc options passed via rpc keyword
141  *
142  * \param de_ctx Pointer to the detection engine context
143  * \param rpcstr Pointer to the user provided rpc options
144  *
145  * \retval rd pointer to DetectRpcData on success
146  * \retval NULL on failure
147  */
148 static DetectRpcData *DetectRpcParse (DetectEngineCtx *de_ctx, const char *rpcstr)
149 {
150  DetectRpcData *rd = NULL;
151  char *args[3] = {NULL,NULL,NULL};
152  int ret = 0, res = 0;
153  int ov[MAX_SUBSTRINGS];
154 
155  ret = DetectParsePcreExec(&parse_regex, rpcstr, 0, 0, ov, MAX_SUBSTRINGS);
156  if (ret < 1 || ret > 4) {
157  SCLogError(SC_ERR_PCRE_MATCH, "parse error, ret %" PRId32 ", string %s", ret, rpcstr);
158  goto error;
159  }
160 
161  if (ret > 1) {
162  const char *str_ptr;
163  res = pcre_get_substring((char *)rpcstr, ov, MAX_SUBSTRINGS, 1, &str_ptr);
164  if (res < 0) {
165  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
166  goto error;
167  }
168  args[0] = (char *)str_ptr;
169 
170  if (ret > 2) {
171  res = pcre_get_substring((char *)rpcstr, ov, MAX_SUBSTRINGS, 2, &str_ptr);
172  if (res < 0) {
173  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
174  goto error;
175  }
176  args[1] = (char *)str_ptr;
177  }
178  if (ret > 3) {
179  res = pcre_get_substring((char *)rpcstr, ov, MAX_SUBSTRINGS, 3, &str_ptr);
180  if (res < 0) {
181  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
182  goto error;
183  }
184  args[2] = (char *)str_ptr;
185  }
186  }
187 
188  rd = SCMalloc(sizeof(DetectRpcData));
189  if (unlikely(rd == NULL))
190  goto error;
191  rd->flags = 0;
192  rd->program = 0;
193  rd->program_version = 0;
194  rd->procedure = 0;
195 
196  int i;
197  for (i = 0; i < (ret - 1); i++) {
198  if (args[i]) {
199  switch (i) {
200  case 0:
201  if (StringParseUint32(&rd->program, 10, strlen(args[i]), args[i]) <= 0) {
202  SCLogError(SC_ERR_INVALID_ARGUMENT, "Invalid size specified for the rpc program:\"%s\"", args[i]);
203  goto error;
204  }
206  break;
207  case 1:
208  if (args[i][0] != '*') {
209  if (StringParseUint32(&rd->program_version, 10, strlen(args[i]), args[i]) <= 0) {
210  SCLogError(SC_ERR_INVALID_ARGUMENT, "Invalid size specified for the rpc version:\"%s\"", args[i]);
211  goto error;
212  }
214  }
215  break;
216  case 2:
217  if (args[i][0] != '*') {
218  if (StringParseUint32(&rd->procedure, 10, strlen(args[i]), args[i]) <= 0) {
219  SCLogError(SC_ERR_INVALID_ARGUMENT, "Invalid size specified for the rpc procedure:\"%s\"", args[i]);
220  goto error;
221  }
223  }
224  break;
225  }
226  } else {
227  SCLogError(SC_ERR_INVALID_VALUE, "invalid rpc option %s",rpcstr);
228  goto error;
229  }
230  }
231  for (i = 0; i < (ret -1); i++){
232  if (args[i] != NULL)
233  SCFree(args[i]);
234  }
235  return rd;
236 
237 error:
238  for (i = 0; i < (ret -1) && i < 3; i++){
239  if (args[i] != NULL)
240  SCFree(args[i]);
241  }
242  if (rd != NULL)
243  DetectRpcFree(de_ctx, rd);
244  return NULL;
245 
246 }
247 
248 /**
249  * \brief this function is used to add the parsed rpcdata into the current signature
250  *
251  * \param de_ctx pointer to the Detection Engine Context
252  * \param s pointer to the Current Signature
253  * \param m pointer to the Current SigMatch
254  * \param rpcstr pointer to the user provided rpc options
255  *
256  * \retval 0 on Success
257  * \retval -1 on Failure
258  */
259 int DetectRpcSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rpcstr)
260 {
261  DetectRpcData *rd = NULL;
262  SigMatch *sm = NULL;
263 
264  rd = DetectRpcParse(de_ctx, rpcstr);
265  if (rd == NULL) goto error;
266 
267  sm = SigMatchAlloc();
268  if (sm == NULL)
269  goto error;
270 
271  sm->type = DETECT_RPC;
272  sm->ctx = (SigMatchCtx *)rd;
273 
276 
277  return 0;
278 
279 error:
280  if (rd != NULL) DetectRpcFree(de_ctx, rd);
281  if (sm != NULL) SCFree(sm);
282  return -1;
283 
284 }
285 
286 /**
287  * \brief this function will free memory associated with DetectRpcData
288  *
289  * \param rd pointer to DetectRpcData
290  */
292 {
293  SCEnter();
294 
295  if (ptr == NULL) {
296  SCReturn;
297  }
298 
299  DetectRpcData *rd = (DetectRpcData *)ptr;
300  SCFree(rd);
301 
302  SCReturn;
303 }
304 
305 #ifdef UNITTESTS
306 /**
307  * \test DetectRpcTestParse01 is a test to make sure that we return "something"
308  * when given valid rpc opt
309  */
310 static int DetectRpcTestParse01 (void)
311 {
312  int result = 0;
313  DetectRpcData *rd = NULL;
314  rd = DetectRpcParse(NULL, "123,444,555");
315  if (rd != NULL) {
316  DetectRpcFree(NULL, rd);
317  result = 1;
318  }
319 
320  return result;
321 }
322 
323 /**
324  * \test DetectRpcTestParse02 is a test for setting the established rpc opt
325  */
326 static int DetectRpcTestParse02 (void)
327 {
328  int result = 0;
329  DetectRpcData *rd = NULL;
330  rd = DetectRpcParse(NULL, "111,222,333");
331  if (rd != NULL) {
332  if (rd->flags & DETECT_RPC_CHECK_PROGRAM &&
335  rd->program == 111 && rd->program_version == 222 &&
336  rd->procedure == 333) {
337  result = 1;
338  } else {
339  SCLogDebug("Error: Flags: %d; program: %u, version: %u, procedure: %u", rd->flags, rd->program, rd->program_version, rd->procedure);
340  }
341  DetectRpcFree(NULL, rd);
342  }
343 
344  return result;
345 }
346 
347 /**
348  * \test DetectRpcTestParse03 is a test for checking the wildcards
349  * and not specified fields
350  */
351 static int DetectRpcTestParse03 (void)
352 {
353  int result = 1;
354  DetectRpcData *rd = NULL;
355  rd = DetectRpcParse(NULL, "111,*,333");
356  if (rd == NULL)
357  return 0;
358 
359  if ( !(rd->flags & DETECT_RPC_CHECK_PROGRAM &&
360  !(rd->flags & DETECT_RPC_CHECK_VERSION) &&
362  rd->program == 111 && rd->program_version == 0 &&
363  rd->procedure == 333))
364  result = 0;
365  SCLogDebug("rd1 Flags: %d; program: %u, version: %u, procedure: %u", rd->flags, rd->program, rd->program_version, rd->procedure);
366 
367  DetectRpcFree(NULL, rd);
368 
369  rd = DetectRpcParse(NULL, "111,222,*");
370  if (rd == NULL)
371  return 0;
372 
373  if ( !(rd->flags & DETECT_RPC_CHECK_PROGRAM &&
376  rd->program == 111 && rd->program_version == 222 &&
377  rd->procedure == 0))
378  result = 0;
379  SCLogDebug("rd2 Flags: %d; program: %u, version: %u, procedure: %u", rd->flags, rd->program, rd->program_version, rd->procedure);
380 
381  DetectRpcFree(NULL, rd);
382 
383  rd = DetectRpcParse(NULL, "111,*,*");
384  if (rd == NULL)
385  return 0;
386 
387  if ( !(rd->flags & DETECT_RPC_CHECK_PROGRAM &&
388  !(rd->flags & DETECT_RPC_CHECK_VERSION) &&
390  rd->program == 111 && rd->program_version == 0 &&
391  rd->procedure == 0))
392  result = 0;
393  SCLogDebug("rd2 Flags: %d; program: %u, version: %u, procedure: %u", rd->flags, rd->program, rd->program_version, rd->procedure);
394 
395  DetectRpcFree(NULL, rd);
396 
397  rd = DetectRpcParse(NULL, "111,222");
398  if (rd == NULL)
399  return 0;
400 
401  if ( !(rd->flags & DETECT_RPC_CHECK_PROGRAM &&
404  rd->program == 111 && rd->program_version == 222 &&
405  rd->procedure == 0))
406  result = 0;
407  SCLogDebug("rd2 Flags: %d; program: %u, version: %u, procedure: %u", rd->flags, rd->program, rd->program_version, rd->procedure);
408 
409  DetectRpcFree(NULL, rd);
410 
411  rd = DetectRpcParse(NULL, "111");
412  if (rd == NULL)
413  return 0;
414 
415  if ( !(rd->flags & DETECT_RPC_CHECK_PROGRAM &&
416  !(rd->flags & DETECT_RPC_CHECK_VERSION) &&
418  rd->program == 111 && rd->program_version == 0 &&
419  rd->procedure == 0))
420  result = 0;
421  SCLogDebug("rd2 Flags: %d; program: %u, version: %u, procedure: %u", rd->flags, rd->program, rd->program_version, rd->procedure);
422 
423  DetectRpcFree(NULL, rd);
424  return result;
425 }
426 
427 /**
428  * \test DetectRpcTestParse04 is a test for check the discarding of empty options
429  */
430 static int DetectRpcTestParse04 (void)
431 {
432  int result = 0;
433  DetectRpcData *rd = NULL;
434  rd = DetectRpcParse(NULL, "");
435  if (rd == NULL) {
436  result = 1;
437  } else {
438  SCLogDebug("Error: Flags: %d; program: %u, version: %u, procedure: %u", rd->flags, rd->program, rd->program_version, rd->procedure);
439  DetectRpcFree(NULL, rd);
440  }
441 
442  return result;
443 }
444 
445 /**
446  * \test DetectRpcTestParse05 is a test for check invalid values
447  */
448 static int DetectRpcTestParse05 (void)
449 {
450  int result = 0;
451  DetectRpcData *rd = NULL;
452  rd = DetectRpcParse(NULL, "111,aaa,*");
453  if (rd == NULL) {
454  result = 1;
455  } else {
456  SCLogDebug("Error: Flags: %d; program: %u, version: %u, procedure: %u", rd->flags, rd->program, rd->program_version, rd->procedure);
457  DetectRpcFree(NULL, rd);
458  }
459 
460  return result;
461 }
462 
463 /**
464  * \test DetectRpcTestParse05 is a test to check the match function
465  */
466 static int DetectRpcTestSig01(void)
467 {
468  /* RPC Call */
469  uint8_t buf[] = {
470  /* XID */
471  0x64,0xb2,0xb3,0x75,
472  /* Message type: Call (0) */
473  0x00,0x00,0x00,0x00,
474  /* RPC Version (2) */
475  0x00,0x00,0x00,0x02,
476  /* Program portmap (100000) */
477  0x00,0x01,0x86,0xa0,
478  /* Program version (2) */
479  0x00,0x00,0x00,0x02,
480  /* Program procedure (3) = GETPORT */
481  0x00,0x00,0x00,0x03,
482  /* AUTH_NULL */
483  0x00,0x00,0x00,0x00,
484  /* Length 0 */
485  0x00,0x00,0x00,0x00,
486  /* VERIFIER NULL */
487  0x00,0x00,0x00,0x00,
488  /* Length 0 */
489  0x00,0x00,0x00,0x00,
490  /* Program portmap */
491  0x00,0x01,0x86,0xa2,
492  /* Version 2 */
493  0x00,0x00,0x00,0x02,
494  /* Proto UDP */
495  0x00,0x00,0x00,0x11,
496  /* Port 0 */
497  0x00,0x00,0x00,0x00 };
498  uint16_t buflen = sizeof(buf);
499  Packet *p = NULL;
500  Signature *s = NULL;
501  ThreadVars th_v;
502  DetectEngineThreadCtx *det_ctx;
503  int result = 0;
504 
505  memset(&th_v, 0, sizeof(th_v));
506 
507  p = UTHBuildPacket(buf, buflen, IPPROTO_UDP);
508 
510  if (de_ctx == NULL) {
511  goto end;
512  }
513 
514  de_ctx->flags |= DE_QUIET;
515 
516  s = de_ctx->sig_list = SigInit(de_ctx,"alert udp any any -> any any (msg:\"RPC Get Port Call\"; rpc:100000, 2, 3; sid:1;)");
517  if (s == NULL) {
518  goto end;
519  }
520 
521  s = s->next = SigInit(de_ctx,"alert udp any any -> any any (msg:\"RPC Get Port Call\"; rpc:100000, 2, *; sid:2;)");
522  if (s == NULL) {
523  goto end;
524  }
525 
526  s = s->next = SigInit(de_ctx,"alert udp any any -> any any (msg:\"RPC Get Port Call\"; rpc:100000, *, 3; sid:3;)");
527  if (s == NULL) {
528  goto end;
529  }
530 
531  s = s->next = SigInit(de_ctx,"alert udp any any -> any any (msg:\"RPC Get Port Call\"; rpc:100000, *, *; sid:4;)");
532  if (s == NULL) {
533  goto end;
534  }
535 
536  s = s->next = SigInit(de_ctx,"alert udp any any -> any any (msg:\"RPC Get XXX Call.. no match\"; rpc:123456, *, 3; sid:5;)");
537  if (s == NULL) {
538  goto end;
539  }
540 
542  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
543 
544  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
545  if (PacketAlertCheck(p, 1) == 0) {
546  printf("sid 1 didnt alert, but it should have: ");
547  goto cleanup;
548  } else if (PacketAlertCheck(p, 2) == 0) {
549  printf("sid 2 didnt alert, but it should have: ");
550  goto cleanup;
551  } else if (PacketAlertCheck(p, 3) == 0) {
552  printf("sid 3 didnt alert, but it should have: ");
553  goto cleanup;
554  } else if (PacketAlertCheck(p, 4) == 0) {
555  printf("sid 4 didnt alert, but it should have: ");
556  goto cleanup;
557  } else if (PacketAlertCheck(p, 5) > 0) {
558  printf("sid 5 did alert, but should not: ");
559  goto cleanup;
560  }
561 
562  result = 1;
563 
564 cleanup:
567 
568  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
570 
571  UTHFreePackets(&p, 1);
572 end:
573  return result;
574 }
575 
576 /**
577  * \brief this function registers unit tests for DetectRpc
578  */
579 static void DetectRpcRegisterTests(void)
580 {
581  UtRegisterTest("DetectRpcTestParse01", DetectRpcTestParse01);
582  UtRegisterTest("DetectRpcTestParse02", DetectRpcTestParse02);
583  UtRegisterTest("DetectRpcTestParse03", DetectRpcTestParse03);
584  UtRegisterTest("DetectRpcTestParse04", DetectRpcTestParse04);
585  UtRegisterTest("DetectRpcTestParse05", DetectRpcTestParse05);
586  UtRegisterTest("DetectRpcTestSig01", DetectRpcTestSig01);
587 }
588 #endif /* UNITTESTS */
PKT_IS_UDP
#define PKT_IS_UDP(p)
Definition: decode.h:260
util-byte.h
SigTableElmt_::url
const char * url
Definition: detect.h:1214
detect-engine.h
SigTableElmt_::desc
const char * desc
Definition: detect.h:1213
SC_ERR_INVALID_VALUE
@ SC_ERR_INVALID_VALUE
Definition: util-error.h:160
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1201
detect-engine-siggroup.h
SigTableElmt_::name
const char * name
Definition: detect.h:1211
PARSE_REGEX
#define PARSE_REGEX
Regex for parsing our rpc options.
Definition: detect-rpc.c:46
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
DetectRpcData_
Definition: detect-rpc.h:47
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DetectRpcData_::flags
uint8_t flags
Definition: detect-rpc.h:51
DetectRpcData_::procedure
uint32_t procedure
Definition: detect-rpc.h:50
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
RpcMsg_
Definition: detect-rpc.h:35
Packet_::payload
uint8_t * payload
Definition: decode.h:549
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2056
DetectRpcRegister
void DetectRpcRegister(void)
Registration function for rpc keyword.
Definition: detect-rpc.c:61
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:767
DetectRpcData_::program_version
uint32_t program_version
Definition: detect-rpc.h:49
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2093
DETECT_RPC_CHECK_PROCEDURE
#define DETECT_RPC_CHECK_PROCEDURE
Definition: detect-rpc.h:32
DE_QUIET
#define DE_QUIET
Definition: detect.h:294
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:337
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:39
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1196
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:550
DETECT_RPC
@ DETECT_RPC
Definition: detect-engine-register.h:81
util-unittest.h
util-unittest-helper.h
detect-rpc.h
Signature_::next
struct Signature_ * next
Definition: detect.h:600
PKT_IS_TCP
#define PKT_IS_TCP(p)
Definition: decode.h:259
decode.h
util-debug.h
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1010
DetectRpcData_::program
uint32_t program
Definition: detect-rpc.h:48
res
PoolThreadReserved res
Definition: stream-tcp-private.h:0
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2493
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:89
SC_ERR_INVALID_ARGUMENT
@ SC_ERR_INVALID_ARGUMENT
Definition: util-error.h:43
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:323
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1688
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1953
SCReturn
#define SCReturn
Definition: util-debug.h:302
Signature_::flags
uint32_t flags
Definition: detect.h:529
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options, int *ovector, int ovector_size)
Definition: detect-parse.c:2423
Packet_
Definition: decode.h:414
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1179
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1888
SigMatch_::type
uint8_t type
Definition: detect.h:321
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:315
StringParseUint32
int StringParseUint32(uint32_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:313
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2797
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3005
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectParseRegex_
Definition: detect-parse.h:42
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:773
DetectRpcFree
void DetectRpcFree(DetectEngineCtx *, void *)
this function will free memory associated with DetectRpcData
Definition: detect-rpc.c:291
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
SCFree
#define SCFree(p)
Definition: util-mem.h:61
SCNtohl
#define SCNtohl(x)
Definition: suricata-common.h:397
detect-parse.h
Signature_
Signature container.
Definition: detect.h:528
SigMatch_
a single match condition for a signature
Definition: detect.h:320
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2048
DETECT_RPC_CHECK_PROGRAM
#define DETECT_RPC_CHECK_PROGRAM
Definition: detect-rpc.h:30
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:768
msg
const char * msg
Definition: app-layer-htp.c:574
DETECT_RPC_CHECK_VERSION
#define DETECT_RPC_CHECK_VERSION
Definition: detect-rpc.h:31
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
detect-engine-address.h
debug.h
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1203
SIG_FLAG_REQUIRE_PACKET
#define SIG_FLAG_REQUIRE_PACKET
Definition: detect.h:223
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:468