suricata
detect-ssh-proto-version.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Pablo Rincon <pablo.rincon.crespo@gmail.com>
22  *
23  * Implements the ssh.protoversion keyword
24  * You can specify a concrete version like ssh.protoversion: 1.66
25  * or search for protoversion 2 compat (1.99 is considered as 2) like
26  * ssh.protoversion:2_compat
27  * or just the beginning of the string like ssh.protoversion:"1."
28  */
29 
30 #include "suricata-common.h"
31 #include "threads.h"
32 #include "decode.h"
33 
34 #include "detect.h"
35 #include "detect-parse.h"
36 
37 #include "detect-engine.h"
38 #include "detect-engine-mpm.h"
39 #include "detect-engine-state.h"
40 #include "detect-engine-build.h"
41 
42 #include "flow.h"
43 #include "flow-var.h"
44 #include "flow-util.h"
45 
46 #include "util-debug.h"
47 #include "util-unittest.h"
48 #include "util-unittest-helper.h"
49 
50 #include "app-layer.h"
51 #include "app-layer-parser.h"
52 #include "app-layer-ssh.h"
54 #include "rust.h"
55 
56 #include "stream-tcp.h"
57 
58 /**
59  * \brief Regex for parsing the protoversion string
60  */
61 #define PARSE_REGEX "^\\s*\"?\\s*([0-9]+([\\.\\-0-9]+)?|2_compat)\\s*\"?\\s*$"
62 
63 static DetectParseRegex parse_regex;
64 
65 static int DetectSshVersionMatch (DetectEngineThreadCtx *,
66  Flow *, uint8_t, void *, void *,
67  const Signature *, const SigMatchCtx *);
68 static int DetectSshVersionSetup (DetectEngineCtx *, Signature *, const char *);
69 #ifdef UNITTESTS
70 static void DetectSshVersionRegisterTests(void);
71 #endif
72 static void DetectSshVersionFree(DetectEngineCtx *, void *);
73 static int g_ssh_banner_list_id = 0;
74 
75 /**
76  * \brief Registration function for keyword: ssh.protoversion
77  */
79 {
80  sigmatch_table[DETECT_AL_SSH_PROTOVERSION].name = "ssh.protoversion";
81  sigmatch_table[DETECT_AL_SSH_PROTOVERSION].desc = "match SSH protocol version";
82  sigmatch_table[DETECT_AL_SSH_PROTOVERSION].url = "/rules/ssh-keywords.html#ssh-protoversion";
84  sigmatch_table[DETECT_AL_SSH_PROTOVERSION].Setup = DetectSshVersionSetup;
85  sigmatch_table[DETECT_AL_SSH_PROTOVERSION].Free = DetectSshVersionFree;
86 #ifdef UNITTESTS
87  sigmatch_table[DETECT_AL_SSH_PROTOVERSION].RegisterTests = DetectSshVersionRegisterTests;
88 #endif
91 
92  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
93 
94  g_ssh_banner_list_id = DetectBufferTypeRegister("ssh_banner");
95 }
96 
97 /**
98  * \brief match the specified version on a ssh session
99  *
100  * \param t pointer to thread vars
101  * \param det_ctx pointer to the pattern matcher thread
102  * \param p pointer to the current packet
103  * \param m pointer to the sigmatch that we will cast into DetectSshVersionData
104  *
105  * \retval 0 no match
106  * \retval 1 match
107  */
108 static int DetectSshVersionMatch (DetectEngineThreadCtx *det_ctx,
109  Flow *f, uint8_t flags, void *state, void *txv,
110  const Signature *s, const SigMatchCtx *m)
111 {
112  SCEnter();
113 
114  SCLogDebug("lets see");
115 
117  if (state == NULL) {
118  SCLogDebug("no ssh state, no match");
119  SCReturnInt(0);
120  }
121 
122  int ret = 0;
123  const uint8_t *protocol = NULL;
124  uint32_t b_len = 0;
125 
126  if (rs_ssh_tx_get_protocol(txv, &protocol, &b_len, flags) != 1)
127  SCReturnInt(0);
128  if (protocol == NULL || b_len == 0)
129  SCReturnInt(0);
130 
132  SCLogDebug("looking for ssh protoversion 2 compat");
133  if (protocol[0] == '2') {
134  ret = 1;
135  } else if (b_len >= 4) {
136  if (memcmp(protocol, "1.99", 4) == 0) {
137  ret = 1;
138  }
139  }
140  } else {
141  SCLogDebug("looking for ssh protoversion %s length %"PRIu16"", ssh->ver, ssh->len);
142  if (b_len == ssh->len) {
143  if (memcmp(protocol, ssh->ver, ssh->len) == 0) {
144  ret = 1;
145  }
146  }
147  }
148  SCReturnInt(ret);
149 }
150 
151 /**
152  * \brief This function is used to parse IPV4 ip_id passed via keyword: "id"
153  *
154  * \param de_ctx Pointer to the detection engine context
155  * \param idstr Pointer to the user provided id option
156  *
157  * \retval id_d pointer to DetectSshVersionData on success
158  * \retval NULL on failure
159  */
160 static DetectSshVersionData *DetectSshVersionParse (DetectEngineCtx *de_ctx, const char *str)
161 {
162  DetectSshVersionData *ssh = NULL;
163  int res = 0;
164  size_t pcre2_len;
165 
166  pcre2_match_data *match = NULL;
167  int ret = DetectParsePcreExec(&parse_regex, &match, str, 0, 0);
168  if (ret < 1 || ret > 3) {
169  SCLogError("invalid ssh.protoversion option");
170  goto error;
171  }
172 
173  if (ret > 1) {
174  const char *str_ptr;
175  res = pcre2_substring_get_bynumber(match, 1, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
176  if (res < 0) {
177  SCLogError("pcre2_substring_get_bynumber failed");
178  goto error;
179  }
180 
181  /* We have a correct id option */
182  ssh = SCCalloc(1, sizeof(DetectSshVersionData));
183  if (unlikely(ssh == NULL)) {
184  pcre2_substring_free((PCRE2_UCHAR *)str_ptr);
185  goto error;
186  }
187 
188  /* If we expect a protocol version 2 or 1.99 (considered 2, we
189  * will compare it with both strings) */
190  if (strcmp("2_compat", str_ptr) == 0) {
192  SCLogDebug("will look for ssh protocol version 2 (2, 2.0, 1.99 that's considered as 2");
193  pcre2_substring_free((PCRE2_UCHAR *)str_ptr);
194  return ssh;
195  }
196 
197  ssh->ver = (uint8_t *)SCStrdup((char*)str_ptr);
198  if (ssh->ver == NULL) {
199  pcre2_substring_free((PCRE2_UCHAR *)str_ptr);
200  goto error;
201  }
202  ssh->len = (uint16_t)strlen((char *)ssh->ver);
203  pcre2_substring_free((PCRE2_UCHAR *)str_ptr);
204 
205  SCLogDebug("will look for ssh %s", ssh->ver);
206  }
207 
208  pcre2_match_data_free(match);
209  return ssh;
210 
211 error:
212  if (match) {
213  pcre2_match_data_free(match);
214  }
215  if (ssh != NULL)
216  DetectSshVersionFree(de_ctx, ssh);
217  return NULL;
218 
219 }
220 
221 /**
222  * \brief this function is used to add the parsed "id" option
223  * \brief into the current signature
224  *
225  * \param de_ctx pointer to the Detection Engine Context
226  * \param s pointer to the Current Signature
227  * \param idstr pointer to the user provided "id" option
228  *
229  * \retval 0 on Success
230  * \retval -1 on Failure
231  */
232 static int DetectSshVersionSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
233 {
234  DetectSshVersionData *ssh = NULL;
235 
237  return -1;
238 
239  ssh = DetectSshVersionParse(de_ctx, str);
240  if (ssh == NULL)
241  goto error;
242 
243  /* Okay so far so good, lets get this into a SigMatch
244  * and put it in the Signature. */
245 
247  g_ssh_banner_list_id) == NULL) {
248  goto error;
249  }
250  return 0;
251 
252 error:
253  if (ssh != NULL)
254  DetectSshVersionFree(de_ctx, ssh);
255  return -1;
256 
257 }
258 
259 /**
260  * \brief this function will free memory associated with DetectSshVersionData
261  *
262  * \param id_d pointer to DetectSshVersionData
263  */
264 void DetectSshVersionFree(DetectEngineCtx *de_ctx, void *ptr)
265 {
267  SCFree(sshd->ver);
268  SCFree(sshd);
269 }
270 
271 #ifdef UNITTESTS /* UNITTESTS */
272 #include "detect-engine-alert.h"
273 
274 /**
275  * \test DetectSshVersionTestParse01 is a test to make sure that we parse
276  * a proto version correctly
277  */
278 static int DetectSshVersionTestParse01 (void)
279 {
280  DetectSshVersionData *ssh = NULL;
281  ssh = DetectSshVersionParse(NULL, "1.0");
282  FAIL_IF_NULL(ssh);
283  FAIL_IF_NOT(strncmp((char *)ssh->ver, "1.0", 3) == 0);
284  DetectSshVersionFree(NULL, ssh);
285 
286  PASS;
287 }
288 
289 /**
290  * \test DetectSshVersionTestParse02 is a test to make sure that we parse
291  * the proto version (compatible with proto version 2) correctly
292  */
293 static int DetectSshVersionTestParse02 (void)
294 {
295  DetectSshVersionData *ssh = NULL;
296  ssh = DetectSshVersionParse(NULL, "2_compat");
298  DetectSshVersionFree(NULL, ssh);
299 
300  PASS;
301 }
302 
303 /**
304  * \test DetectSshVersionTestParse03 is a test to make sure that we
305  * don't return a ssh_data with an invalid value specified
306  */
307 static int DetectSshVersionTestParse03 (void)
308 {
309  DetectSshVersionData *ssh = NULL;
310  ssh = DetectSshVersionParse(NULL, "2_com");
311  FAIL_IF_NOT_NULL(ssh);
312  ssh = DetectSshVersionParse(NULL, "");
313  FAIL_IF_NOT_NULL(ssh);
314  ssh = DetectSshVersionParse(NULL, ".1");
315  FAIL_IF_NOT_NULL(ssh);
316  ssh = DetectSshVersionParse(NULL, "lalala");
317  FAIL_IF_NOT_NULL(ssh);
318 
319  PASS;
320 }
321 
322 
323 #include "stream-tcp-reassemble.h"
324 #include "stream-tcp-util.h"
325 
326 /** \test Send a get request in three chunks + more data. */
327 static int DetectSshVersionTestDetect01(void)
328 {
329  TcpReassemblyThreadCtx *ra_ctx = NULL;
330  ThreadVars tv;
331  TcpSession ssn;
332  Flow *f = NULL;
333  Packet *p = NULL;
334 
335  uint8_t sshbuf1[] = "SSH-1.";
336  uint8_t sshbuf2[] = "10-PuTTY_2.123" ;
337  uint8_t sshbuf3[] = "\n";
338  uint8_t sshbuf4[] = "whatever...";
339 
340  uint8_t* sshbufs[4] = {sshbuf1, sshbuf2, sshbuf3, sshbuf4};
341  uint32_t sshlens[4] = {sizeof(sshbuf1) - 1, sizeof(sshbuf2) - 1, sizeof(sshbuf3) - 1, sizeof(sshbuf4) - 1};
342 
343  memset(&tv, 0x00, sizeof(tv));
344 
345  StreamTcpUTInit(&ra_ctx);
350 
351  f = UTHBuildFlow(AF_INET, "1.1.1.1", "2.2.2.2", 1234, 2222);
352  FAIL_IF_NULL(f);
353  f->protoctx = &ssn;
354  f->proto = IPPROTO_TCP;
355  f->alproto = ALPROTO_SSH;
356 
357  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
358  FAIL_IF(unlikely(p == NULL));
359  p->flow = f;
360 
361  Signature *s = NULL;
362  ThreadVars th_v;
363  DetectEngineThreadCtx *det_ctx = NULL;
364 
365  memset(&th_v, 0, sizeof(th_v));
366 
369 
370  de_ctx->flags |= DE_QUIET;
371 
372  s = de_ctx->sig_list = SigInit(de_ctx,"alert ssh any any -> any any (msg:\"SSH\"; ssh.protoversion:1.10; sid:1;)");
373  FAIL_IF_NULL(s);
374 
376  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
377 
378  uint32_t seq = 2;
379  for (int i=0; i<4; i++) {
380  FAIL_IF(StreamTcpUTAddSegmentWithPayload(&tv, ra_ctx, &ssn.server, seq, sshbufs[i], sshlens[i]) == -1);
381  seq += sshlens[i];
382  FAIL_IF(StreamTcpReassembleAppLayer(&tv, ra_ctx, &ssn, &ssn.server, p, UPDATE_DIR_PACKET) < 0);
383  }
384 
385  void *ssh_state = f->alstate;
386  FAIL_IF_NULL(ssh_state);
387 
388  /* do detect */
389  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
390 
391  FAIL_IF(PacketAlertCheck(p, 1));
392 
393  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
395 
396  UTHFreePacket(p);
398  StreamTcpUTDeinit(ra_ctx);
399  UTHFreeFlow(f);
400  PASS;
401 }
402 
403 /** \test Send a get request in three chunks + more data. */
404 static int DetectSshVersionTestDetect02(void)
405 {
406  TcpReassemblyThreadCtx *ra_ctx = NULL;
407  ThreadVars tv;
408  TcpSession ssn;
409  Flow *f = NULL;
410  Packet *p = NULL;
411 
412  uint8_t sshbuf1[] = "SSH-1.99-Pu";
413  uint8_t sshbuf2[] = "TTY_2.123" ;
414  uint8_t sshbuf3[] = "\n";
415  uint8_t sshbuf4[] = "whatever...";
416 
417  uint8_t* sshbufs[4] = {sshbuf1, sshbuf2, sshbuf3, sshbuf4};
418  uint32_t sshlens[4] = {sizeof(sshbuf1) - 1, sizeof(sshbuf2) - 1, sizeof(sshbuf3) - 1, sizeof(sshbuf4) - 1};
419 
420  memset(&tv, 0x00, sizeof(tv));
421 
422  StreamTcpUTInit(&ra_ctx);
427 
428  f = UTHBuildFlow(AF_INET, "1.1.1.1", "2.2.2.2", 1234, 2222);
429  FAIL_IF_NULL(f);
430  f->protoctx = &ssn;
431  f->proto = IPPROTO_TCP;
432  f->alproto = ALPROTO_SSH;
433 
434  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
435  FAIL_IF(unlikely(p == NULL));
436  p->flow = f;
437 
438  Signature *s = NULL;
439  ThreadVars th_v;
440  DetectEngineThreadCtx *det_ctx = NULL;
441 
442  memset(&th_v, 0, sizeof(th_v));
443 
446 
447  de_ctx->flags |= DE_QUIET;
448 
449  s = de_ctx->sig_list = SigInit(de_ctx,"alert ssh any any -> any any (msg:\"SSH\"; ssh.protoversion:2_compat; sid:1;)");
450  FAIL_IF_NULL(s);
451 
453  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
454 
455  uint32_t seq = 2;
456  for (int i=0; i<4; i++) {
457  FAIL_IF(StreamTcpUTAddSegmentWithPayload(&tv, ra_ctx, &ssn.server, seq, sshbufs[i], sshlens[i]) == -1);
458  seq += sshlens[i];
459  FAIL_IF(StreamTcpReassembleAppLayer(&tv, ra_ctx, &ssn, &ssn.server, p, UPDATE_DIR_PACKET) < 0);
460  }
461 
462  void *ssh_state = f->alstate;
463  FAIL_IF_NULL(ssh_state);
464 
465  /* do detect */
466  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
467 
468  FAIL_IF(PacketAlertCheck(p, 1));
469 
470  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
472 
473  UTHFreePacket(p);
475  StreamTcpUTDeinit(ra_ctx);
476  UTHFreeFlow(f);
477  PASS;
478 }
479 
480 /** \test Send a get request in three chunks + more data. */
481 static int DetectSshVersionTestDetect03(void)
482 {
483  TcpReassemblyThreadCtx *ra_ctx = NULL;
484  ThreadVars tv;
485  TcpSession ssn;
486  Flow *f = NULL;
487  Packet *p = NULL;
488 
489  uint8_t sshbuf1[] = "SSH-1.";
490  uint8_t sshbuf2[] = "7-PuTTY_2.123" ;
491  uint8_t sshbuf3[] = "\n";
492  uint8_t sshbuf4[] = "whatever...";
493 
494  uint8_t* sshbufs[4] = {sshbuf1, sshbuf2, sshbuf3, sshbuf4};
495  uint32_t sshlens[4] = {sizeof(sshbuf1) - 1, sizeof(sshbuf2) - 1, sizeof(sshbuf3) - 1, sizeof(sshbuf4) - 1};
496 
497  memset(&tv, 0x00, sizeof(tv));
498 
499  StreamTcpUTInit(&ra_ctx);
504 
505  f = UTHBuildFlow(AF_INET, "1.1.1.1", "2.2.2.2", 1234, 2222);
506  FAIL_IF_NULL(f);
507  f->protoctx = &ssn;
508  f->proto = IPPROTO_TCP;
509  f->alproto = ALPROTO_SSH;
510 
511  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
512  FAIL_IF(unlikely(p == NULL));
513  p->flow = f;
514 
515  Signature *s = NULL;
516  ThreadVars th_v;
517  DetectEngineThreadCtx *det_ctx = NULL;
518 
519  memset(&th_v, 0, sizeof(th_v));
520 
523 
524  de_ctx->flags |= DE_QUIET;
525 
526  s = de_ctx->sig_list = SigInit(de_ctx,"alert ssh any any -> any any (msg:\"SSH\"; ssh.protoversion:2_compat; sid:1;)");
527  FAIL_IF_NULL(s);
528 
530  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
531 
532  uint32_t seq = 2;
533  for (int i=0; i<4; i++) {
534  FAIL_IF(StreamTcpUTAddSegmentWithPayload(&tv, ra_ctx, &ssn.server, seq, sshbufs[i], sshlens[i]) == -1);
535  seq += sshlens[i];
536  FAIL_IF(StreamTcpReassembleAppLayer(&tv, ra_ctx, &ssn, &ssn.server, p, UPDATE_DIR_PACKET) < 0);
537  }
538 
539  void *ssh_state = f->alstate;
540  FAIL_IF_NULL(ssh_state);
541 
542  /* do detect */
543  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
544 
545  FAIL_IF(PacketAlertCheck(p, 1));
546 
547  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
549 
550  UTHFreePacket(p);
552  StreamTcpUTDeinit(ra_ctx);
553  UTHFreeFlow(f);
554  PASS;
555 }
556 
557 /**
558  * \brief this function registers unit tests for DetectSshVersion
559  */
560 static void DetectSshVersionRegisterTests(void)
561 {
562  UtRegisterTest("DetectSshVersionTestParse01", DetectSshVersionTestParse01);
563  UtRegisterTest("DetectSshVersionTestParse02", DetectSshVersionTestParse02);
564  UtRegisterTest("DetectSshVersionTestParse03", DetectSshVersionTestParse03);
565  UtRegisterTest("DetectSshVersionTestDetect01",
566  DetectSshVersionTestDetect01);
567  UtRegisterTest("DetectSshVersionTestDetect02",
568  DetectSshVersionTestDetect02);
569  UtRegisterTest("DetectSshVersionTestDetect03",
570  DetectSshVersionTestDetect03);
571 }
572 #endif /* UNITTESTS */
DetectSshVersionRegister
void DetectSshVersionRegister(void)
Registration function for keyword: ssh.protoversion.
Definition: detect-ssh-proto-version.c:78
UPDATE_DIR_PACKET
@ UPDATE_DIR_PACKET
Definition: stream-tcp-reassemble.h:56
SigTableElmt_::url
const char * url
Definition: detect.h:1296
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1753
SSH_FLAG_PROTOVERSION_2_COMPAT
#define SSH_FLAG_PROTOVERSION_2_COMPAT
Definition: detect-ssh-proto-version.h:28
detect-engine.h
StreamTcpUTDeinit
void StreamTcpUTDeinit(TcpReassemblyThreadCtx *ra_ctx)
Definition: stream-tcp-util.c:51
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
app-layer-ssh.h
SigTableElmt_::desc
const char * desc
Definition: detect.h:1295
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1283
flow-util.h
DetectParseRegex
Definition: detect-parse.h:62
SigTableElmt_::name
const char * name
Definition: detect.h:1293
stream-tcp.h
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
DetectSshVersionData_::len
uint16_t len
Definition: detect-ssh-proto-version.h:32
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
SIGMATCH_QUOTES_OPTIONAL
#define SIGMATCH_QUOTES_OPTIONAL
Definition: detect.h:1485
seq
uint32_t seq
Definition: stream-tcp-private.h:2
Flow_::proto
uint8_t proto
Definition: flow.h:373
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
DETECT_AL_SSH_PROTOVERSION
@ DETECT_AL_SSH_PROTOVERSION
Definition: detect-engine-register.h:175
threads.h
Flow_
Flow data structure.
Definition: flow.h:351
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1287
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:836
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2533
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1264
rust.h
DE_QUIET
#define DE_QUIET
Definition: detect.h:321
stream-tcp-reassemble.h
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:340
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1884
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
Definition: detect-parse.c:2674
m
SCMutex m
Definition: flow-hash.h:6
ALPROTO_SSH
@ ALPROTO_SSH
Definition: app-layer-protos.h:34
DetectSshVersionData_
Definition: detect-ssh-proto-version.h:30
Flow_::protoctx
void * protoctx
Definition: flow.h:441
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1278
StreamTcpUTInitInline
void StreamTcpUTInitInline(void)
Definition: stream-tcp-util.c:58
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
StreamTcpUTInit
void StreamTcpUTInit(TcpReassemblyThreadCtx **ra_ctx)
Definition: stream-tcp-util.c:44
UTHBuildFlow
Flow * UTHBuildFlow(int family, const char *src, const char *dst, Port sp, Port dp)
Definition: util-unittest-helper.c:463
StreamTcpReassembleAppLayer
int StreamTcpReassembleAppLayer(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, TcpSession *ssn, TcpStream *stream, Packet *p, enum StreamUpdateDir dir)
Update the stream reassembly upon receiving a packet.
Definition: stream-tcp-reassemble.c:1348
protocol
uint16_t protocol
Definition: decode-ppp.h:2
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1092
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2791
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
StreamTcpUTSetupStream
void StreamTcpUTSetupStream(TcpStream *s, uint32_t isn)
Definition: stream-tcp-util.c:79
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2314
SigTableElmt_::alternative
uint16_t alternative
Definition: detect.h:1291
app-layer-parser.h
Packet_
Definition: decode.h:437
detect-engine-build.h
detect-engine-alert.h
DetectSshVersionData_::flags
uint8_t flags
Definition: detect-ssh-proto-version.h:33
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2149
DETECT_AL_SSH_PROTOCOL
@ DETECT_AL_SSH_PROTOCOL
Definition: detect-engine-register.h:174
UTHFreeFlow
void UTHFreeFlow(Flow *flow)
Definition: util-unittest-helper.c:468
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:342
StreamTcpUTClearSession
void StreamTcpUTClearSession(TcpSession *ssn)
Definition: stream-tcp-util.c:71
Packet_::flow
struct Flow_ * flow
Definition: decode.h:476
detect-ssh-proto-version.h
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3244
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
DetectBufferTypeRegister
int DetectBufferTypeRegister(const char *name)
Definition: detect-engine.c:1008
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3454
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:127
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:844
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:295
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
StreamTcpUTAddSegmentWithPayload
int StreamTcpUTAddSegmentWithPayload(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, TcpStream *stream, uint32_t seq, uint8_t *payload, uint16_t len)
Definition: stream-tcp-util.c:113
StreamTcpUTSetupSession
void StreamTcpUTSetupSession(TcpSession *ssn)
Definition: stream-tcp-util.c:62
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:294
str
#define str(s)
Definition: suricata-common.h:291
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SCFree
#define SCFree(p)
Definition: util-mem.h:61
SIGMATCH_INFO_DEPRECATED
#define SIGMATCH_INFO_DEPRECATED
Definition: detect.h:1499
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:448
Flow_::alstate
void * alstate
Definition: flow.h:476
detect-parse.h
Signature_
Signature container.
Definition: detect.h:593
stream-tcp-util.h
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2494
PARSE_REGEX
#define PARSE_REGEX
Regex for parsing the protoversion string.
Definition: detect-ssh-proto-version.c:61
TcpReassemblyThreadCtx_
Definition: stream-tcp-reassemble.h:61
SigMatchAppendSMToList
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:447
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:838
TcpSession_
Definition: stream-tcp-private.h:283
flow.h
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:450
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
flow-var.h
DetectSshVersionData_::ver
uint8_t * ver
Definition: detect-ssh-proto-version.h:31
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1285
app-layer.h