suricata
detect-ssh-proto-version.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Pablo Rincon <pablo.rincon.crespo@gmail.com>
22  *
23  * Implements the ssh.protoversion keyword
24  * You can specify a concrete version like ssh.protoversion: 1.66
25  * or search for protoversion 2 compat (1.99 is considered as 2) like
26  * ssh.protoversion:2_compat
27  * or just the beginning of the string like ssh.protoversion:"1."
28  */
29 
30 #include "suricata-common.h"
31 #include "threads.h"
32 #include "debug.h"
33 #include "decode.h"
34 
35 #include "detect.h"
36 #include "detect-parse.h"
37 
38 #include "detect-engine.h"
39 #include "detect-engine-mpm.h"
40 #include "detect-engine-state.h"
41 
42 #include "flow.h"
43 #include "flow-var.h"
44 #include "flow-util.h"
45 
46 #include "util-debug.h"
47 #include "util-unittest.h"
48 #include "util-unittest-helper.h"
49 
50 #include "app-layer.h"
51 #include "app-layer-parser.h"
52 #include "app-layer-ssh.h"
54 #include "rust.h"
55 
56 #include "stream-tcp.h"
57 
58 /**
59  * \brief Regex for parsing the protoversion string
60  */
61 #define PARSE_REGEX "^\\s*\"?\\s*([0-9]+([\\.\\-0-9]+)?|2_compat)\\s*\"?\\s*$"
62 
63 static DetectParseRegex parse_regex;
64 
65 static int DetectSshVersionMatch (DetectEngineThreadCtx *,
66  Flow *, uint8_t, void *, void *,
67  const Signature *, const SigMatchCtx *);
68 static int DetectSshVersionSetup (DetectEngineCtx *, Signature *, const char *);
69 static void DetectSshVersionRegisterTests(void);
70 static void DetectSshVersionFree(DetectEngineCtx *, void *);
71 static int g_ssh_banner_list_id = 0;
72 
73 /**
74  * \brief Registration function for keyword: ssh.protoversion
75  */
77 {
78  sigmatch_table[DETECT_AL_SSH_PROTOVERSION].name = "ssh.protoversion";
79  sigmatch_table[DETECT_AL_SSH_PROTOVERSION].desc = "match SSH protocol version";
80  sigmatch_table[DETECT_AL_SSH_PROTOVERSION].url = "/rules/ssh-keywords.html#ssh-protoversion";
82  sigmatch_table[DETECT_AL_SSH_PROTOVERSION].Setup = DetectSshVersionSetup;
83  sigmatch_table[DETECT_AL_SSH_PROTOVERSION].Free = DetectSshVersionFree;
84  sigmatch_table[DETECT_AL_SSH_PROTOVERSION].RegisterTests = DetectSshVersionRegisterTests;
87 
88  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
89 
90  g_ssh_banner_list_id = DetectBufferTypeRegister("ssh_banner");
91 }
92 
93 /**
94  * \brief match the specified version on a ssh session
95  *
96  * \param t pointer to thread vars
97  * \param det_ctx pointer to the pattern matcher thread
98  * \param p pointer to the current packet
99  * \param m pointer to the sigmatch that we will cast into DetectSshVersionData
100  *
101  * \retval 0 no match
102  * \retval 1 match
103  */
104 static int DetectSshVersionMatch (DetectEngineThreadCtx *det_ctx,
105  Flow *f, uint8_t flags, void *state, void *txv,
106  const Signature *s, const SigMatchCtx *m)
107 {
108  SCEnter();
109 
110  SCLogDebug("lets see");
111 
113  if (state == NULL) {
114  SCLogDebug("no ssh state, no match");
115  SCReturnInt(0);
116  }
117 
118  int ret = 0;
119  const uint8_t *protocol = NULL;
120  uint32_t b_len = 0;
121 
122  if (rs_ssh_tx_get_protocol(txv, &protocol, &b_len, flags) != 1)
123  SCReturnInt(0);
124  if (protocol == NULL || b_len == 0)
125  SCReturnInt(0);
126 
128  SCLogDebug("looking for ssh protoversion 2 compat");
129  if (protocol[0] == '2') {
130  ret = 1;
131  } else if (b_len >= 4) {
132  if (memcmp(protocol, "1.99", 4) == 0) {
133  ret = 1;
134  }
135  }
136  } else {
137  SCLogDebug("looking for ssh protoversion %s length %"PRIu16"", ssh->ver, ssh->len);
138  if (b_len == ssh->len) {
139  if (memcmp(protocol, ssh->ver, ssh->len) == 0) {
140  ret = 1;
141  }
142  }
143  }
144  SCReturnInt(ret);
145 }
146 
147 /**
148  * \brief This function is used to parse IPV4 ip_id passed via keyword: "id"
149  *
150  * \param de_ctx Pointer to the detection engine context
151  * \param idstr Pointer to the user provided id option
152  *
153  * \retval id_d pointer to DetectSshVersionData on success
154  * \retval NULL on failure
155  */
156 static DetectSshVersionData *DetectSshVersionParse (DetectEngineCtx *de_ctx, const char *str)
157 {
158  DetectSshVersionData *ssh = NULL;
159  int ret = 0, res = 0;
160  int ov[MAX_SUBSTRINGS];
161 
162  ret = DetectParsePcreExec(&parse_regex, str, 0, 0, ov, MAX_SUBSTRINGS);
163  if (ret < 1 || ret > 3) {
164  SCLogError(SC_ERR_PCRE_MATCH, "invalid ssh.protoversion option");
165  goto error;
166  }
167 
168  if (ret > 1) {
169  const char *str_ptr;
170  res = pcre_get_substring((char *)str, ov, MAX_SUBSTRINGS, 1, &str_ptr);
171  if (res < 0) {
172  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
173  goto error;
174  }
175 
176  /* We have a correct id option */
177  ssh = SCMalloc(sizeof(DetectSshVersionData));
178  if (unlikely(ssh == NULL)) {
179  pcre_free_substring(str_ptr);
180  goto error;
181  }
182  memset(ssh, 0x00, sizeof(DetectSshVersionData));
183 
184  /* If we expect a protocol version 2 or 1.99 (considered 2, we
185  * will compare it with both strings) */
186  if (strcmp("2_compat", str_ptr) == 0) {
188  SCLogDebug("will look for ssh protocol version 2 (2, 2.0, 1.99 that's considered as 2");
189  pcre_free_substring(str_ptr);
190  return ssh;
191  }
192 
193  ssh->ver = (uint8_t *)SCStrdup((char*)str_ptr);
194  if (ssh->ver == NULL) {
195  pcre_free_substring(str_ptr);
196  goto error;
197  }
198  ssh->len = strlen((char *) ssh->ver);
199  pcre_free_substring(str_ptr);
200 
201  SCLogDebug("will look for ssh %s", ssh->ver);
202  }
203 
204  return ssh;
205 
206 error:
207  if (ssh != NULL)
208  DetectSshVersionFree(de_ctx, ssh);
209  return NULL;
210 
211 }
212 
213 /**
214  * \brief this function is used to add the parsed "id" option
215  * \brief into the current signature
216  *
217  * \param de_ctx pointer to the Detection Engine Context
218  * \param s pointer to the Current Signature
219  * \param idstr pointer to the user provided "id" option
220  *
221  * \retval 0 on Success
222  * \retval -1 on Failure
223  */
224 static int DetectSshVersionSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
225 {
226  DetectSshVersionData *ssh = NULL;
227  SigMatch *sm = NULL;
228 
230  return -1;
231 
232  ssh = DetectSshVersionParse(de_ctx, str);
233  if (ssh == NULL)
234  goto error;
235 
236  /* Okay so far so good, lets get this into a SigMatch
237  * and put it in the Signature. */
238  sm = SigMatchAlloc();
239  if (sm == NULL)
240  goto error;
241 
243  sm->ctx = (void *)ssh;
244 
245  SigMatchAppendSMToList(s, sm, g_ssh_banner_list_id);
246  return 0;
247 
248 error:
249  if (ssh != NULL)
250  DetectSshVersionFree(de_ctx, ssh);
251  if (sm != NULL)
252  SCFree(sm);
253  return -1;
254 
255 }
256 
257 /**
258  * \brief this function will free memory associated with DetectSshVersionData
259  *
260  * \param id_d pointer to DetectSshVersionData
261  */
262 void DetectSshVersionFree(DetectEngineCtx *de_ctx, void *ptr)
263 {
265  SCFree(sshd->ver);
266  SCFree(sshd);
267 }
268 
269 #ifdef UNITTESTS /* UNITTESTS */
270 
271 /**
272  * \test DetectSshVersionTestParse01 is a test to make sure that we parse
273  * a proto version correctly
274  */
275 static int DetectSshVersionTestParse01 (void)
276 {
277  DetectSshVersionData *ssh = NULL;
278  ssh = DetectSshVersionParse(NULL, "1.0");
279  if (ssh != NULL && strncmp((char *) ssh->ver, "1.0", 3) == 0) {
280  DetectSshVersionFree(NULL, ssh);
281  return 1;
282  }
283 
284  return 0;
285 }
286 
287 /**
288  * \test DetectSshVersionTestParse02 is a test to make sure that we parse
289  * the proto version (compatible with proto version 2) correctly
290  */
291 static int DetectSshVersionTestParse02 (void)
292 {
293  DetectSshVersionData *ssh = NULL;
294  ssh = DetectSshVersionParse(NULL, "2_compat");
296  DetectSshVersionFree(NULL, ssh);
297  return 1;
298  }
299 
300  return 0;
301 }
302 
303 /**
304  * \test DetectSshVersionTestParse03 is a test to make sure that we
305  * don't return a ssh_data with an invalid value specified
306  */
307 static int DetectSshVersionTestParse03 (void)
308 {
309  DetectSshVersionData *ssh = NULL;
310  ssh = DetectSshVersionParse(NULL, "2_com");
311  if (ssh != NULL) {
312  DetectSshVersionFree(NULL, ssh);
313  return 0;
314  }
315  ssh = DetectSshVersionParse(NULL, "");
316  if (ssh != NULL) {
317  DetectSshVersionFree(NULL, ssh);
318  return 0;
319  }
320  ssh = DetectSshVersionParse(NULL, ".1");
321  if (ssh != NULL) {
322  DetectSshVersionFree(NULL, ssh);
323  return 0;
324  }
325  ssh = DetectSshVersionParse(NULL, "lalala");
326  if (ssh != NULL) {
327  DetectSshVersionFree(NULL, ssh);
328  return 0;
329  }
330 
331  return 1;
332 }
333 
334 
335 #include "stream-tcp-reassemble.h"
336 #include "stream-tcp-util.h"
337 
338 /** \test Send a get request in three chunks + more data. */
339 static int DetectSshVersionTestDetect01(void)
340 {
341  TcpReassemblyThreadCtx *ra_ctx = NULL;
342  ThreadVars tv;
343  TcpSession ssn;
344  Flow *f = NULL;
345  Packet *p = NULL;
346 
347  uint8_t sshbuf1[] = "SSH-1.";
348  uint8_t sshbuf2[] = "10-PuTTY_2.123" ;
349  uint8_t sshbuf3[] = "\n";
350  uint8_t sshbuf4[] = "whatever...";
351 
352  uint8_t* sshbufs[4] = {sshbuf1, sshbuf2, sshbuf3, sshbuf4};
353  uint32_t sshlens[4] = {sizeof(sshbuf1) - 1, sizeof(sshbuf2) - 1, sizeof(sshbuf3) - 1, sizeof(sshbuf4) - 1};
354 
355  memset(&tv, 0x00, sizeof(tv));
356 
357  StreamTcpUTInit(&ra_ctx);
362 
363  f = UTHBuildFlow(AF_INET, "1.1.1.1", "2.2.2.2", 1234, 2222);
364  FAIL_IF_NULL(f);
365  f->protoctx = &ssn;
366  f->proto = IPPROTO_TCP;
367  f->alproto = ALPROTO_SSH;
368 
369  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
370  FAIL_IF(unlikely(p == NULL));
371  p->flow = f;
372 
373  Signature *s = NULL;
374  ThreadVars th_v;
375  DetectEngineThreadCtx *det_ctx = NULL;
376 
377  memset(&th_v, 0, sizeof(th_v));
378 
381 
382  de_ctx->flags |= DE_QUIET;
383 
384  s = de_ctx->sig_list = SigInit(de_ctx,"alert ssh any any -> any any (msg:\"SSH\"; ssh.protoversion:1.10; sid:1;)");
385  FAIL_IF_NULL(s);
386 
388  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
389 
390  uint32_t seq = 2;
391  for (int i=0; i<4; i++) {
392  FAIL_IF(StreamTcpUTAddSegmentWithPayload(&tv, ra_ctx, &ssn.server, seq, sshbufs[i], sshlens[i]) == -1);
393  seq += sshlens[i];
394  FAIL_IF(StreamTcpReassembleAppLayer(&tv, ra_ctx, &ssn, &ssn.server, p, UPDATE_DIR_PACKET) < 0);
395  }
396 
397  void *ssh_state = f->alstate;
398  FAIL_IF_NULL(ssh_state);
399 
400  /* do detect */
401  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
402 
403  FAIL_IF(PacketAlertCheck(p, 1));
404 
405  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
407 
408  UTHFreePacket(p);
410  StreamTcpUTDeinit(ra_ctx);
411  UTHFreeFlow(f);
412  PASS;
413 }
414 
415 /** \test Send a get request in three chunks + more data. */
416 static int DetectSshVersionTestDetect02(void)
417 {
418  TcpReassemblyThreadCtx *ra_ctx = NULL;
419  ThreadVars tv;
420  TcpSession ssn;
421  Flow *f = NULL;
422  Packet *p = NULL;
423 
424  uint8_t sshbuf1[] = "SSH-1.99-Pu";
425  uint8_t sshbuf2[] = "TTY_2.123" ;
426  uint8_t sshbuf3[] = "\n";
427  uint8_t sshbuf4[] = "whatever...";
428 
429  uint8_t* sshbufs[4] = {sshbuf1, sshbuf2, sshbuf3, sshbuf4};
430  uint32_t sshlens[4] = {sizeof(sshbuf1) - 1, sizeof(sshbuf2) - 1, sizeof(sshbuf3) - 1, sizeof(sshbuf4) - 1};
431 
432  memset(&tv, 0x00, sizeof(tv));
433 
434  StreamTcpUTInit(&ra_ctx);
439 
440  f = UTHBuildFlow(AF_INET, "1.1.1.1", "2.2.2.2", 1234, 2222);
441  FAIL_IF_NULL(f);
442  f->protoctx = &ssn;
443  f->proto = IPPROTO_TCP;
444  f->alproto = ALPROTO_SSH;
445 
446  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
447  FAIL_IF(unlikely(p == NULL));
448  p->flow = f;
449 
450  Signature *s = NULL;
451  ThreadVars th_v;
452  DetectEngineThreadCtx *det_ctx = NULL;
453 
454  memset(&th_v, 0, sizeof(th_v));
455 
458 
459  de_ctx->flags |= DE_QUIET;
460 
461  s = de_ctx->sig_list = SigInit(de_ctx,"alert ssh any any -> any any (msg:\"SSH\"; ssh.protoversion:2_compat; sid:1;)");
462  FAIL_IF_NULL(s);
463 
465  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
466 
467  uint32_t seq = 2;
468  for (int i=0; i<4; i++) {
469  FAIL_IF(StreamTcpUTAddSegmentWithPayload(&tv, ra_ctx, &ssn.server, seq, sshbufs[i], sshlens[i]) == -1);
470  seq += sshlens[i];
471  FAIL_IF(StreamTcpReassembleAppLayer(&tv, ra_ctx, &ssn, &ssn.server, p, UPDATE_DIR_PACKET) < 0);
472  }
473 
474  void *ssh_state = f->alstate;
475  FAIL_IF_NULL(ssh_state);
476 
477  /* do detect */
478  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
479 
480  FAIL_IF(PacketAlertCheck(p, 1));
481 
482  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
484 
485  UTHFreePacket(p);
487  StreamTcpUTDeinit(ra_ctx);
488  UTHFreeFlow(f);
489  PASS;
490 }
491 
492 /** \test Send a get request in three chunks + more data. */
493 static int DetectSshVersionTestDetect03(void)
494 {
495  TcpReassemblyThreadCtx *ra_ctx = NULL;
496  ThreadVars tv;
497  TcpSession ssn;
498  Flow *f = NULL;
499  Packet *p = NULL;
500 
501  uint8_t sshbuf1[] = "SSH-1.";
502  uint8_t sshbuf2[] = "7-PuTTY_2.123" ;
503  uint8_t sshbuf3[] = "\n";
504  uint8_t sshbuf4[] = "whatever...";
505 
506  uint8_t* sshbufs[4] = {sshbuf1, sshbuf2, sshbuf3, sshbuf4};
507  uint32_t sshlens[4] = {sizeof(sshbuf1) - 1, sizeof(sshbuf2) - 1, sizeof(sshbuf3) - 1, sizeof(sshbuf4) - 1};
508 
509  memset(&tv, 0x00, sizeof(tv));
510 
511  StreamTcpUTInit(&ra_ctx);
516 
517  f = UTHBuildFlow(AF_INET, "1.1.1.1", "2.2.2.2", 1234, 2222);
518  FAIL_IF_NULL(f);
519  f->protoctx = &ssn;
520  f->proto = IPPROTO_TCP;
521  f->alproto = ALPROTO_SSH;
522 
523  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
524  FAIL_IF(unlikely(p == NULL));
525  p->flow = f;
526 
527  Signature *s = NULL;
528  ThreadVars th_v;
529  DetectEngineThreadCtx *det_ctx = NULL;
530 
531  memset(&th_v, 0, sizeof(th_v));
532 
535 
536  de_ctx->flags |= DE_QUIET;
537 
538  s = de_ctx->sig_list = SigInit(de_ctx,"alert ssh any any -> any any (msg:\"SSH\"; ssh.protoversion:2_compat; sid:1;)");
539  FAIL_IF_NULL(s);
540 
542  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
543 
544  uint32_t seq = 2;
545  for (int i=0; i<4; i++) {
546  FAIL_IF(StreamTcpUTAddSegmentWithPayload(&tv, ra_ctx, &ssn.server, seq, sshbufs[i], sshlens[i]) == -1);
547  seq += sshlens[i];
548  FAIL_IF(StreamTcpReassembleAppLayer(&tv, ra_ctx, &ssn, &ssn.server, p, UPDATE_DIR_PACKET) < 0);
549  }
550 
551  void *ssh_state = f->alstate;
552  FAIL_IF_NULL(ssh_state);
553 
554  /* do detect */
555  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
556 
557  FAIL_IF(PacketAlertCheck(p, 1));
558 
559  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
561 
562  UTHFreePacket(p);
564  StreamTcpUTDeinit(ra_ctx);
565  UTHFreeFlow(f);
566  PASS;
567 }
568 
569 #endif /* UNITTESTS */
570 
571 /**
572  * \brief this function registers unit tests for DetectSshVersion
573  */
574 void DetectSshVersionRegisterTests(void)
575 {
576 #ifdef UNITTESTS /* UNITTESTS */
577  UtRegisterTest("DetectSshVersionTestParse01", DetectSshVersionTestParse01);
578  UtRegisterTest("DetectSshVersionTestParse02", DetectSshVersionTestParse02);
579  UtRegisterTest("DetectSshVersionTestParse03", DetectSshVersionTestParse03);
580  UtRegisterTest("DetectSshVersionTestDetect01",
581  DetectSshVersionTestDetect01);
582  UtRegisterTest("DetectSshVersionTestDetect02",
583  DetectSshVersionTestDetect02);
584  UtRegisterTest("DetectSshVersionTestDetect03",
585  DetectSshVersionTestDetect03);
586 #endif /* UNITTESTS */
587 }
588 
DetectSshVersionRegister
void DetectSshVersionRegister(void)
Registration function for keyword: ssh.protoversion.
Definition: detect-ssh-proto-version.c:76
UPDATE_DIR_PACKET
@ UPDATE_DIR_PACKET
Definition: stream-tcp-reassemble.h:55
SigTableElmt_::url
const char * url
Definition: detect.h:1212
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1468
SSH_FLAG_PROTOVERSION_2_COMPAT
#define SSH_FLAG_PROTOVERSION_2_COMPAT
Definition: detect-ssh-proto-version.h:28
detect-engine.h
StreamTcpUTDeinit
void StreamTcpUTDeinit(TcpReassemblyThreadCtx *ra_ctx)
Definition: stream-tcp-util.c:51
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
app-layer-ssh.h
SigTableElmt_::desc
const char * desc
Definition: detect.h:1211
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1200
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1209
stream-tcp.h
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
DetectSshVersionData_::len
uint16_t len
Definition: detect-ssh-proto-version.h:32
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
SIGMATCH_QUOTES_OPTIONAL
#define SIGMATCH_QUOTES_OPTIONAL
Definition: detect.h:1390
seq
uint32_t seq
Definition: stream-tcp-private.h:2
Flow_::proto
uint8_t proto
Definition: flow.h:361
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
DETECT_AL_SSH_PROTOVERSION
@ DETECT_AL_SSH_PROTOVERSION
Definition: detect-engine-register.h:160
threads.h
Flow_
Flow data structure.
Definition: flow.h:343
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2033
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1203
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:766
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2089
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1181
rust.h
DE_QUIET
#define DE_QUIET
Definition: detect.h:293
stream-tcp-reassemble.h
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:336
m
SCMutex m
Definition: flow-hash.h:3
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
ALPROTO_SSH
@ ALPROTO_SSH
Definition: app-layer-protos.h:34
DetectSshVersionData_
Definition: detect-ssh-proto-version.h:30
Flow_::protoctx
void * protoctx
Definition: flow.h:416
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1195
StreamTcpUTInitInline
void StreamTcpUTInitInline(void)
Definition: stream-tcp-util.c:58
util-unittest.h
util-unittest-helper.h
StreamTcpUTInit
void StreamTcpUTInit(TcpReassemblyThreadCtx **ra_ctx)
Definition: stream-tcp-util.c:44
UTHBuildFlow
Flow * UTHBuildFlow(int family, const char *src, const char *dst, Port sp, Port dp)
Definition: util-unittest-helper.c:520
StreamTcpReassembleAppLayer
int StreamTcpReassembleAppLayer(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, TcpSession *ssn, TcpStream *stream, Packet *p, enum StreamUpdateDir dir)
Update the stream reassembly upon receiving a packet.
Definition: stream-tcp-reassemble.c:1118
protocol
uint16_t protocol
Definition: decode-ppp.h:2
decode.h
util-debug.h
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1009
res
PoolThreadReserved res
Definition: stream-tcp-private.h:0
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2456
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
StreamTcpUTSetupStream
void StreamTcpUTSetupStream(TcpStream *s, uint32_t isn)
Definition: stream-tcp-util.c:79
SigTableElmt_::alternative
uint16_t alternative
Definition: detect.h:1207
app-layer-parser.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:322
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1668
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options, int *ovector, int ovector_size)
Definition: detect-parse.c:2388
Packet_
Definition: decode.h:411
DetectSshVersionData_::flags
uint8_t flags
Definition: detect-ssh-proto-version.h:33
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1876
SigMatch_::type
uint8_t type
Definition: detect.h:320
DETECT_AL_SSH_PROTOCOL
@ DETECT_AL_SSH_PROTOCOL
Definition: detect-engine-register.h:159
UTHFreeFlow
void UTHFreeFlow(Flow *flow)
Definition: util-unittest-helper.c:525
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:314
StreamTcpUTClearSession
void StreamTcpUTClearSession(TcpSession *ssn)
Definition: stream-tcp-util.c:71
Packet_::flow
struct Flow_ * flow
Definition: decode.h:448
detect-ssh-proto-version.h
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2793
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
DetectBufferTypeRegister
int DetectBufferTypeRegister(const char *name)
Definition: detect-engine.c:832
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3001
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectParseRegex_
Definition: detect-parse.h:42
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:772
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:272
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
StreamTcpUTAddSegmentWithPayload
int StreamTcpUTAddSegmentWithPayload(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, TcpStream *stream, uint32_t seq, uint8_t *payload, uint16_t len)
Definition: stream-tcp-util.c:113
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
StreamTcpUTSetupSession
void StreamTcpUTSetupSession(TcpSession *ssn)
Definition: stream-tcp-util.c:62
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:271
str
#define str(s)
Definition: suricata-common.h:273
SCFree
#define SCFree(p)
Definition: util-mem.h:61
SIGMATCH_INFO_DEPRECATED
#define SIGMATCH_INFO_DEPRECATED
Definition: detect.h:1404
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:484
Flow_::alstate
void * alstate
Definition: flow.h:454
detect-parse.h
Signature_
Signature container.
Definition: detect.h:527
SigMatch_
a single match condition for a signature
Definition: detect.h:319
stream-tcp-util.h
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2044
PARSE_REGEX
#define PARSE_REGEX
Regex for parsing the protoversion string.
Definition: detect-ssh-proto-version.c:61
TcpReassemblyThreadCtx_
Definition: stream-tcp-reassemble.h:60
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:767
TcpSession_
Definition: stream-tcp-private.h:260
flow.h
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:425
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
flow-var.h
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
DetectSshVersionData_::ver
uint8_t * ver
Definition: detect-ssh-proto-version.h:31
debug.h
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1201
app-layer.h