suricata
detect-rpc.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2010 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Pablo Rincon <pablo.rincon.crespo@gmail.com>
22  *
23  * Implements RPC keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "debug.h"
28 #include "decode.h"
29 
30 #include "detect.h"
31 #include "detect-rpc.h"
32 #include "detect-parse.h"
33 #include "detect-engine.h"
34 #include "detect-engine-mpm.h"
35 #include "detect-engine-siggroup.h"
36 #include "detect-engine-address.h"
37 
38 #include "util-unittest.h"
39 #include "util-unittest-helper.h"
40 #include "util-debug.h"
41 #include "util-byte.h"
42 
43 /**
44  * \brief Regex for parsing our rpc options
45  */
46 #define PARSE_REGEX "^\\s*([0-9]{0,10})\\s*(?:,\\s*([0-9]{0,10}|[*])\\s*(?:,\\s*([0-9]{0,10}|[*]))?)?\\s*$"
47 
48 static pcre *parse_regex;
49 static pcre_extra *parse_regex_study;
50 
51 static int DetectRpcMatch (ThreadVars *, DetectEngineThreadCtx *, Packet *,
52  const Signature *, const SigMatchCtx *);
53 static int DetectRpcSetup (DetectEngineCtx *, Signature *, const char *);
54 void DetectRpcRegisterTests(void);
55 void DetectRpcFree(void *);
56 
57 /**
58  * \brief Registration function for rpc keyword
59  */
60 void DetectRpcRegister (void)
61 {
63  sigmatch_table[DETECT_RPC].desc = "match RPC procedure numbers and RPC version";
64  sigmatch_table[DETECT_RPC].url = DOC_URL DOC_VERSION "/rules/payload-keywords.html#rpc";
65  sigmatch_table[DETECT_RPC].Match = DetectRpcMatch;
66  sigmatch_table[DETECT_RPC].Setup = DetectRpcSetup;
69 
70  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
71 }
72 
73 /*
74  * returns 0: no match
75  * 1: match
76  * -1: error
77  */
78 
79 /**
80  * \brief This function is used to match rpc request set on a packet with those passed via rpc
81  *
82  * \param t pointer to thread vars
83  * \param det_ctx pointer to the pattern matcher thread
84  * \param p pointer to the current packet
85  * \param m pointer to the sigmatch that we will cast into DetectRpcData
86  *
87  * \retval 0 no match
88  * \retval 1 match
89  */
90 static int DetectRpcMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p,
91  const Signature *s, const SigMatchCtx *ctx)
92 {
93  /* PrintRawDataFp(stdout, p->payload, p->payload_len); */
94  const DetectRpcData *rd = (const DetectRpcData *)ctx;
95  char *rpcmsg = (char *)p->payload;
96 
97  if (PKT_IS_TCP(p)) {
98  /* if Rpc msg too small */
99  if (p->payload_len < 28) {
100  SCLogDebug("TCP packet to small for the rpc msg (%u)", p->payload_len);
101  return 0;
102  }
103  rpcmsg += 4;
104  } else if (PKT_IS_UDP(p)) {
105  /* if Rpc msg too small */
106  if (p->payload_len < 24) {
107  SCLogDebug("UDP packet to small for the rpc msg (%u)", p->payload_len);
108  return 0;
109  }
110  } else {
111  SCLogDebug("No valid proto for the rpc message");
112  return 0;
113  }
114 
115  /* Point through the rpc msg structure. Use SCNtohl() to compare values */
116  RpcMsg *msg = (RpcMsg *)rpcmsg;
117 
118  /* If its not a call, no match */
119  if (SCNtohl(msg->type) != 0) {
120  SCLogDebug("RPC message type is not a call");
121  return 0;
122  }
123 
124  if (SCNtohl(msg->prog) != rd->program)
125  return 0;
126 
127  if ((rd->flags & DETECT_RPC_CHECK_VERSION) && SCNtohl(msg->vers) != rd->program_version)
128  return 0;
129 
130  if ((rd->flags & DETECT_RPC_CHECK_PROCEDURE) && SCNtohl(msg->proc) != rd->procedure)
131  return 0;
132 
133  SCLogDebug("prog:%u pver:%u proc:%u matched", SCNtohl(msg->prog), SCNtohl(msg->vers), SCNtohl(msg->proc));
134  return 1;
135 }
136 
137 /**
138  * \brief This function is used to parse rpc options passed via rpc keyword
139  *
140  * \param rpcstr Pointer to the user provided rpc options
141  *
142  * \retval rd pointer to DetectRpcData on success
143  * \retval NULL on failure
144  */
145 static DetectRpcData *DetectRpcParse (const char *rpcstr)
146 {
147  DetectRpcData *rd = NULL;
148  char *args[3] = {NULL,NULL,NULL};
149 #define MAX_SUBSTRINGS 30
150  int ret = 0, res = 0;
151  int ov[MAX_SUBSTRINGS];
152 
153  ret = pcre_exec(parse_regex, parse_regex_study, rpcstr, strlen(rpcstr), 0, 0, ov, MAX_SUBSTRINGS);
154  if (ret < 1 || ret > 4) {
155  SCLogError(SC_ERR_PCRE_MATCH, "parse error, ret %" PRId32 ", string %s", ret, rpcstr);
156  goto error;
157  }
158 
159  if (ret > 1) {
160  const char *str_ptr;
161  res = pcre_get_substring((char *)rpcstr, ov, MAX_SUBSTRINGS, 1, &str_ptr);
162  if (res < 0) {
163  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
164  goto error;
165  }
166  args[0] = (char *)str_ptr;
167 
168  if (ret > 2) {
169  res = pcre_get_substring((char *)rpcstr, ov, MAX_SUBSTRINGS, 2, &str_ptr);
170  if (res < 0) {
171  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
172  goto error;
173  }
174  args[1] = (char *)str_ptr;
175  }
176  if (ret > 3) {
177  res = pcre_get_substring((char *)rpcstr, ov, MAX_SUBSTRINGS, 3, &str_ptr);
178  if (res < 0) {
179  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
180  goto error;
181  }
182  args[2] = (char *)str_ptr;
183  }
184  }
185 
186  rd = SCMalloc(sizeof(DetectRpcData));
187  if (unlikely(rd == NULL))
188  goto error;
189  rd->flags = 0;
190  rd->program = 0;
191  rd->program_version = 0;
192  rd->procedure = 0;
193 
194  int i;
195  for (i = 0; i < (ret - 1); i++) {
196  if (args[i]) {
197  switch (i) {
198  case 0:
199  if (ByteExtractStringUint32(&rd->program, 10, strlen(args[i]), args[i]) <= 0) {
200  SCLogError(SC_ERR_INVALID_ARGUMENT, "Invalid size specified for the rpc program:\"%s\"", args[i]);
201  goto error;
202  }
204  break;
205  case 1:
206  if (args[i][0] != '*') {
207  if (ByteExtractStringUint32(&rd->program_version, 10, strlen(args[i]), args[i]) <= 0) {
208  SCLogError(SC_ERR_INVALID_ARGUMENT, "Invalid size specified for the rpc version:\"%s\"", args[i]);
209  goto error;
210  }
212  }
213  break;
214  case 2:
215  if (args[i][0] != '*') {
216  if (ByteExtractStringUint32(&rd->procedure, 10, strlen(args[i]), args[i]) <= 0) {
217  SCLogError(SC_ERR_INVALID_ARGUMENT, "Invalid size specified for the rpc procedure:\"%s\"", args[i]);
218  goto error;
219  }
221  }
222  break;
223  }
224  } else {
225  SCLogError(SC_ERR_INVALID_VALUE, "invalid rpc option %s",rpcstr);
226  goto error;
227  }
228  }
229  for (i = 0; i < (ret -1); i++){
230  if (args[i] != NULL)
231  SCFree(args[i]);
232  }
233  return rd;
234 
235 error:
236  for (i = 0; i < (ret -1) && i < 3; i++){
237  if (args[i] != NULL)
238  SCFree(args[i]);
239  }
240  if (rd != NULL)
241  DetectRpcFree(rd);
242  return NULL;
243 
244 }
245 
246 /**
247  * \brief this function is used to add the parsed rpcdata into the current signature
248  *
249  * \param de_ctx pointer to the Detection Engine Context
250  * \param s pointer to the Current Signature
251  * \param m pointer to the Current SigMatch
252  * \param rpcstr pointer to the user provided rpc options
253  *
254  * \retval 0 on Success
255  * \retval -1 on Failure
256  */
257 int DetectRpcSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rpcstr)
258 {
259  DetectRpcData *rd = NULL;
260  SigMatch *sm = NULL;
261 
262  rd = DetectRpcParse(rpcstr);
263  if (rd == NULL) goto error;
264 
265  sm = SigMatchAlloc();
266  if (sm == NULL)
267  goto error;
268 
269  sm->type = DETECT_RPC;
270  sm->ctx = (SigMatchCtx *)rd;
271 
274 
275  return 0;
276 
277 error:
278  if (rd != NULL) DetectRpcFree(rd);
279  if (sm != NULL) SCFree(sm);
280  return -1;
281 
282 }
283 
284 /**
285  * \brief this function will free memory associated with DetectRpcData
286  *
287  * \param rd pointer to DetectRpcData
288  */
289 void DetectRpcFree(void *ptr)
290 {
291  SCEnter();
292 
293  if (ptr == NULL) {
294  SCReturn;
295  }
296 
297  DetectRpcData *rd = (DetectRpcData *)ptr;
298  SCFree(rd);
299 
300  SCReturn;
301 }
302 
303 #ifdef UNITTESTS
304 /**
305  * \test DetectRpcTestParse01 is a test to make sure that we return "something"
306  * when given valid rpc opt
307  */
308 static int DetectRpcTestParse01 (void)
309 {
310  int result = 0;
311  DetectRpcData *rd = NULL;
312  rd = DetectRpcParse("123,444,555");
313  if (rd != NULL) {
314  DetectRpcFree(rd);
315  result = 1;
316  }
317 
318  return result;
319 }
320 
321 /**
322  * \test DetectRpcTestParse02 is a test for setting the established rpc opt
323  */
324 static int DetectRpcTestParse02 (void)
325 {
326  int result = 0;
327  DetectRpcData *rd = NULL;
328  rd = DetectRpcParse("111,222,333");
329  if (rd != NULL) {
330  if (rd->flags & DETECT_RPC_CHECK_PROGRAM &&
333  rd->program == 111 && rd->program_version == 222 &&
334  rd->procedure == 333) {
335  result = 1;
336  } else {
337  SCLogDebug("Error: Flags: %d; program: %u, version: %u, procedure: %u", rd->flags, rd->program, rd->program_version, rd->procedure);
338  }
339  DetectRpcFree(rd);
340  }
341 
342  return result;
343 }
344 
345 /**
346  * \test DetectRpcTestParse03 is a test for checking the wildcards
347  * and not specified fields
348  */
349 static int DetectRpcTestParse03 (void)
350 {
351  int result = 1;
352  DetectRpcData *rd = NULL;
353  rd = DetectRpcParse("111,*,333");
354  if (rd == NULL)
355  return 0;
356 
357  if ( !(rd->flags & DETECT_RPC_CHECK_PROGRAM &&
358  !(rd->flags & DETECT_RPC_CHECK_VERSION) &&
360  rd->program == 111 && rd->program_version == 0 &&
361  rd->procedure == 333))
362  result = 0;
363  SCLogDebug("rd1 Flags: %d; program: %u, version: %u, procedure: %u", rd->flags, rd->program, rd->program_version, rd->procedure);
364 
365  DetectRpcFree(rd);
366 
367  rd = DetectRpcParse("111,222,*");
368  if (rd == NULL)
369  return 0;
370 
371  if ( !(rd->flags & DETECT_RPC_CHECK_PROGRAM &&
374  rd->program == 111 && rd->program_version == 222 &&
375  rd->procedure == 0))
376  result = 0;
377  SCLogDebug("rd2 Flags: %d; program: %u, version: %u, procedure: %u", rd->flags, rd->program, rd->program_version, rd->procedure);
378 
379  DetectRpcFree(rd);
380 
381  rd = DetectRpcParse("111,*,*");
382  if (rd == NULL)
383  return 0;
384 
385  if ( !(rd->flags & DETECT_RPC_CHECK_PROGRAM &&
386  !(rd->flags & DETECT_RPC_CHECK_VERSION) &&
388  rd->program == 111 && rd->program_version == 0 &&
389  rd->procedure == 0))
390  result = 0;
391  SCLogDebug("rd2 Flags: %d; program: %u, version: %u, procedure: %u", rd->flags, rd->program, rd->program_version, rd->procedure);
392 
393  DetectRpcFree(rd);
394 
395  rd = DetectRpcParse("111,222");
396  if (rd == NULL)
397  return 0;
398 
399  if ( !(rd->flags & DETECT_RPC_CHECK_PROGRAM &&
402  rd->program == 111 && rd->program_version == 222 &&
403  rd->procedure == 0))
404  result = 0;
405  SCLogDebug("rd2 Flags: %d; program: %u, version: %u, procedure: %u", rd->flags, rd->program, rd->program_version, rd->procedure);
406 
407  DetectRpcFree(rd);
408 
409  rd = DetectRpcParse("111");
410  if (rd == NULL)
411  return 0;
412 
413  if ( !(rd->flags & DETECT_RPC_CHECK_PROGRAM &&
414  !(rd->flags & DETECT_RPC_CHECK_VERSION) &&
416  rd->program == 111 && rd->program_version == 0 &&
417  rd->procedure == 0))
418  result = 0;
419  SCLogDebug("rd2 Flags: %d; program: %u, version: %u, procedure: %u", rd->flags, rd->program, rd->program_version, rd->procedure);
420 
421  DetectRpcFree(rd);
422  return result;
423 }
424 
425 /**
426  * \test DetectRpcTestParse04 is a test for check the discarding of empty options
427  */
428 static int DetectRpcTestParse04 (void)
429 {
430  int result = 0;
431  DetectRpcData *rd = NULL;
432  rd = DetectRpcParse("");
433  if (rd == NULL) {
434  result = 1;
435  } else {
436  SCLogDebug("Error: Flags: %d; program: %u, version: %u, procedure: %u", rd->flags, rd->program, rd->program_version, rd->procedure);
437  DetectRpcFree(rd);
438  }
439 
440  return result;
441 }
442 
443 /**
444  * \test DetectRpcTestParse05 is a test for check invalid values
445  */
446 static int DetectRpcTestParse05 (void)
447 {
448  int result = 0;
449  DetectRpcData *rd = NULL;
450  rd = DetectRpcParse("111,aaa,*");
451  if (rd == NULL) {
452  result = 1;
453  } else {
454  SCLogDebug("Error: Flags: %d; program: %u, version: %u, procedure: %u", rd->flags, rd->program, rd->program_version, rd->procedure);
455  DetectRpcFree(rd);
456  }
457 
458  return result;
459 }
460 
461 /**
462  * \test DetectRpcTestParse05 is a test to check the match function
463  */
464 static int DetectRpcTestSig01(void)
465 {
466  /* RPC Call */
467  uint8_t buf[] = {
468  /* XID */
469  0x64,0xb2,0xb3,0x75,
470  /* Message type: Call (0) */
471  0x00,0x00,0x00,0x00,
472  /* RPC Version (2) */
473  0x00,0x00,0x00,0x02,
474  /* Program portmap (100000) */
475  0x00,0x01,0x86,0xa0,
476  /* Program version (2) */
477  0x00,0x00,0x00,0x02,
478  /* Program procedure (3) = GETPORT */
479  0x00,0x00,0x00,0x03,
480  /* AUTH_NULL */
481  0x00,0x00,0x00,0x00,
482  /* Length 0 */
483  0x00,0x00,0x00,0x00,
484  /* VERIFIER NULL */
485  0x00,0x00,0x00,0x00,
486  /* Length 0 */
487  0x00,0x00,0x00,0x00,
488  /* Program portmap */
489  0x00,0x01,0x86,0xa2,
490  /* Version 2 */
491  0x00,0x00,0x00,0x02,
492  /* Proto UDP */
493  0x00,0x00,0x00,0x11,
494  /* Port 0 */
495  0x00,0x00,0x00,0x00 };
496  uint16_t buflen = sizeof(buf);
497  Packet *p = NULL;
498  Signature *s = NULL;
499  ThreadVars th_v;
500  DetectEngineThreadCtx *det_ctx;
501  int result = 0;
502 
503  memset(&th_v, 0, sizeof(th_v));
504 
505  p = UTHBuildPacket(buf, buflen, IPPROTO_UDP);
506 
508  if (de_ctx == NULL) {
509  goto end;
510  }
511 
512  de_ctx->flags |= DE_QUIET;
513 
514  s = de_ctx->sig_list = SigInit(de_ctx,"alert udp any any -> any any (msg:\"RPC Get Port Call\"; rpc:100000, 2, 3; sid:1;)");
515  if (s == NULL) {
516  goto end;
517  }
518 
519  s = s->next = SigInit(de_ctx,"alert udp any any -> any any (msg:\"RPC Get Port Call\"; rpc:100000, 2, *; sid:2;)");
520  if (s == NULL) {
521  goto end;
522  }
523 
524  s = s->next = SigInit(de_ctx,"alert udp any any -> any any (msg:\"RPC Get Port Call\"; rpc:100000, *, 3; sid:3;)");
525  if (s == NULL) {
526  goto end;
527  }
528 
529  s = s->next = SigInit(de_ctx,"alert udp any any -> any any (msg:\"RPC Get Port Call\"; rpc:100000, *, *; sid:4;)");
530  if (s == NULL) {
531  goto end;
532  }
533 
534  s = s->next = SigInit(de_ctx,"alert udp any any -> any any (msg:\"RPC Get XXX Call.. no match\"; rpc:123456, *, 3; sid:5;)");
535  if (s == NULL) {
536  goto end;
537  }
538 
539  SigGroupBuild(de_ctx);
540  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
541 
542  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
543  if (PacketAlertCheck(p, 1) == 0) {
544  printf("sid 1 didnt alert, but it should have: ");
545  goto cleanup;
546  } else if (PacketAlertCheck(p, 2) == 0) {
547  printf("sid 2 didnt alert, but it should have: ");
548  goto cleanup;
549  } else if (PacketAlertCheck(p, 3) == 0) {
550  printf("sid 3 didnt alert, but it should have: ");
551  goto cleanup;
552  } else if (PacketAlertCheck(p, 4) == 0) {
553  printf("sid 4 didnt alert, but it should have: ");
554  goto cleanup;
555  } else if (PacketAlertCheck(p, 5) > 0) {
556  printf("sid 5 did alert, but should not: ");
557  goto cleanup;
558  }
559 
560  result = 1;
561 
562 cleanup:
563  SigGroupCleanup(de_ctx);
564  SigCleanSignatures(de_ctx);
565 
566  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
567  DetectEngineCtxFree(de_ctx);
568 
569  UTHFreePackets(&p, 1);
570 end:
571  return result;
572 }
573 #endif /* UNITTESTS */
574 
575 /**
576  * \brief this function registers unit tests for DetectRpc
577  */
579 {
580 #ifdef UNITTESTS
581  UtRegisterTest("DetectRpcTestParse01", DetectRpcTestParse01);
582  UtRegisterTest("DetectRpcTestParse02", DetectRpcTestParse02);
583  UtRegisterTest("DetectRpcTestParse03", DetectRpcTestParse03);
584  UtRegisterTest("DetectRpcTestParse04", DetectRpcTestParse04);
585  UtRegisterTest("DetectRpcTestParse05", DetectRpcTestParse05);
586  UtRegisterTest("DetectRpcTestSig01", DetectRpcTestSig01);
587 #endif /* UNITTESTS */
588 }
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1409
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1150
uint32_t prog
Definition: detect-rpc.h:39
#define SCLogDebug(...)
Definition: util-debug.h:335
#define MAX_SUBSTRINGS
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
#define DETECT_RPC_CHECK_PROCEDURE
Definition: detect-rpc.h:32
uint32_t flags
Definition: detect.h:497
#define unlikely(expr)
Definition: util-optimize.h:35
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
void DetectRpcRegister(void)
Registration function for rpc keyword.
Definition: detect-rpc.c:60
uint32_t vers
Definition: detect-rpc.h:40
Signature * sig_list
Definition: detect.h:730
void SigCleanSignatures(DetectEngineCtx *de_ctx)
int ByteExtractStringUint32(uint32_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:244
#define SIG_FLAG_REQUIRE_PACKET
Definition: detect.h:228
void DetectRpcFree(void *)
this function will free memory associated with DetectRpcData
Definition: detect-rpc.c:289
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
const char * name
Definition: detect.h:1164
Signature container.
Definition: detect.h:496
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:317
main detection engine ctx
Definition: detect.h:724
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
#define DE_QUIET
Definition: detect.h:296
uint8_t flags
Definition: detect-rpc.h:51
uint8_t flags
Definition: detect.h:725
void(* Free)(void *)
Definition: detect.h:1155
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
uint32_t type
Definition: detect-rpc.h:37
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1742
void DetectSetupParseRegexes(const char *parse_str, pcre **parse_regex, pcre_extra **parse_regex_study)
void DetectRpcRegisterTests(void)
this function registers unit tests for DetectRpc
Definition: detect-rpc.c:578
#define SCEnter(...)
Definition: util-debug.h:337
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
uint32_t program_version
Definition: detect-rpc.h:49
int SigGroupCleanup(DetectEngineCtx *de_ctx)
struct Signature_ * next
Definition: detect.h:567
uint8_t type
Definition: detect.h:323
#define SCNtohl(x)
const char * desc
Definition: detect.h:1166
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:288
SigMatchCtx * ctx
Definition: detect.h:325
#define SCMalloc(a)
Definition: util-mem.h:166
uint32_t proc
Definition: detect-rpc.h:41
uint32_t procedure
Definition: detect-rpc.h:50
#define SCFree(a)
Definition: util-mem.h:228
PoolThreadReserved res
#define PKT_IS_TCP(p)
Definition: decode.h:251
int(* Match)(ThreadVars *, DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1133
const char * url
Definition: detect.h:1167
#define DETECT_RPC_CHECK_VERSION
Definition: detect-rpc.h:31
#define DOC_URL
Definition: suricata.h:86
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:232
const char * msg
#define SCReturn
Definition: util-debug.h:339
#define PKT_IS_UDP(p)
Definition: decode.h:252
Per thread variable structure.
Definition: threadvars.h:57
#define DETECT_RPC_CHECK_PROGRAM
Definition: detect-rpc.h:30
uint16_t payload_len
Definition: decode.h:541
#define DOC_VERSION
Definition: suricata.h:91
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself...
uint8_t * payload
Definition: decode.h:540
uint32_t program
Definition: detect-rpc.h:48
void(* RegisterTests)(void)
Definition: detect.h:1156
a single match condition for a signature
Definition: detect.h:322
#define PARSE_REGEX
Regex for parsing our rpc options.
Definition: detect-rpc.c:46
DetectEngineCtx * DetectEngineCtxInit(void)