suricata
detect-ssh-software-version.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Pablo Rincon <pablo.rincon.crespo@gmail.com>
22  *
23  * Implements the ssh.softwareversion keyword
24  * You can match over the software version string of ssh, and it will
25  * be compared from the beginning of the string so you can say for
26  * example ssh.softwareversion:"PuTTY" and it can match, or you can
27  * also specify the version, something like
28  * ssh.softwareversion:"PuTTY-Release-0.55"
29  * I find this useful to match over a known vulnerable server/client
30  * software version in combination to other checks, so you can know
31  * that the risk is higher
32  */
33 
34 #include "suricata-common.h"
35 #include "threads.h"
36 #include "decode.h"
37 
38 #include "detect.h"
39 #include "detect-parse.h"
40 
41 #include "detect-engine.h"
42 #include "detect-engine-mpm.h"
43 #include "detect-engine-state.h"
44 #include "detect-engine-build.h"
45 
46 #include "flow.h"
47 #include "flow-var.h"
48 #include "flow-util.h"
49 
50 #include "util-debug.h"
51 #include "util-unittest.h"
52 #include "util-unittest-helper.h"
53 
54 #include "app-layer.h"
55 #include "app-layer-parser.h"
56 #include "app-layer-ssh.h"
58 #include "rust.h"
59 
60 #include "stream-tcp.h"
61 
62 /**
63  * \brief Regex for parsing the softwareversion string
64  */
65 #define PARSE_REGEX "^\\s*\"?\\s*?([0-9a-zA-Z\\:\\.\\-\\_\\+\\s+]+)\\s*\"?\\s*$"
66 
67 static DetectParseRegex parse_regex;
68 
69 static int DetectSshSoftwareVersionMatch (DetectEngineThreadCtx *,
70  Flow *, uint8_t, void *, void *,
71  const Signature *, const SigMatchCtx *);
72 static int DetectSshSoftwareVersionSetup (DetectEngineCtx *, Signature *, const char *);
73 #ifdef UNITTESTS
74 static void DetectSshSoftwareVersionRegisterTests(void);
75 #endif
76 static void DetectSshSoftwareVersionFree(DetectEngineCtx *de_ctx, void *);
77 static int g_ssh_banner_list_id = 0;
78 
79 
80 /**
81  * \brief Registration function for keyword: ssh.softwareversion
82  */
84 {
85  sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].name = "ssh.softwareversion";
86  sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].desc = "match SSH software string";
87  sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].url = "/rules/ssh-keywords.html#ssh-softwareversion";
88  sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].AppLayerTxMatch = DetectSshSoftwareVersionMatch;
89  sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].Setup = DetectSshSoftwareVersionSetup;
90  sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].Free = DetectSshSoftwareVersionFree;
91 #ifdef UNITTESTS
92  sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].RegisterTests = DetectSshSoftwareVersionRegisterTests;
93 #endif
96 
97  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
98 
99  g_ssh_banner_list_id = DetectBufferTypeRegister("ssh_banner");
100 
102  SshStateBannerDone, DetectEngineInspectGenericList, NULL);
104  SshStateBannerDone, DetectEngineInspectGenericList, NULL);
105 }
106 
107 /**
108  * \brief match the specified version on a ssh session
109  *
110  * \param t pointer to thread vars
111  * \param det_ctx pointer to the pattern matcher thread
112  * \param p pointer to the current packet
113  * \param m pointer to the sigmatch that we will cast into DetectSshSoftwareVersionData
114  *
115  * \retval 0 no match
116  * \retval 1 match
117  */
118 static int DetectSshSoftwareVersionMatch (DetectEngineThreadCtx *det_ctx,
119  Flow *f, uint8_t flags, void *state, void *txv,
120  const Signature *s, const SigMatchCtx *m)
121 {
122  SCEnter();
123 
125  if (state == NULL) {
126  SCLogDebug("no ssh state, no match");
127  SCReturnInt(0);
128  }
129 
130  int ret = 0;
131  const uint8_t *software = NULL;
132  uint32_t b_len = 0;
133 
134  if (rs_ssh_tx_get_software(txv, &software, &b_len, flags) != 1)
135  SCReturnInt(0);
136  if (software == NULL || b_len == 0)
137  SCReturnInt(0);
138  if (b_len == ssh->len) {
139  if (memcmp(software, ssh->software_ver, ssh->len) == 0) {
140  ret = 1;
141  }
142  }
143 
144  SCReturnInt(ret);
145 }
146 
147 /**
148  * \brief This function is used to parse IPV4 ip_id passed via keyword: "id"
149  *
150  * \param de_ctx Pointer to the detection engine context
151  * \param idstr Pointer to the user provided id option
152  *
153  * \retval id_d pointer to DetectSshSoftwareVersionData on success
154  * \retval NULL on failure
155  */
156 static DetectSshSoftwareVersionData *DetectSshSoftwareVersionParse (DetectEngineCtx *de_ctx, const char *str)
157 {
158  DetectSshSoftwareVersionData *ssh = NULL;
159  int res = 0;
160  size_t pcre2_len;
161 
162  pcre2_match_data *match = NULL;
163  int ret = DetectParsePcreExec(&parse_regex, &match, str, 0, 0);
164 
165  if (ret < 1 || ret > 3) {
166  SCLogError("invalid ssh.softwareversion option");
167  goto error;
168  }
169 
170  if (ret > 1) {
171  const char *str_ptr = NULL;
172  res = pcre2_substring_get_bynumber(match, 1, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
173  if (res < 0) {
174  SCLogError("pcre2_substring_get_bynumber failed");
175  goto error;
176  }
177 
178  /* We have a correct id option */
179  ssh = SCMalloc(sizeof(DetectSshSoftwareVersionData));
180  if (unlikely(ssh == NULL)) {
181  pcre2_substring_free((PCRE2_UCHAR *)str_ptr);
182  goto error;
183  }
184  ssh->software_ver = (uint8_t *)SCStrdup((char *)str_ptr);
185  if (ssh->software_ver == NULL) {
186  pcre2_substring_free((PCRE2_UCHAR *)str_ptr);
187  goto error;
188  }
189  pcre2_substring_free((PCRE2_UCHAR *)str_ptr);
190 
191  ssh->len = (uint16_t)strlen((char *)ssh->software_ver);
192 
193  SCLogDebug("will look for ssh %s", ssh->software_ver);
194  }
195 
196  pcre2_match_data_free(match);
197  return ssh;
198 
199 error:
200  if (match) {
201  pcre2_match_data_free(match);
202  }
203  if (ssh != NULL)
204  DetectSshSoftwareVersionFree(de_ctx, ssh);
205  return NULL;
206 
207 }
208 
209 /**
210  * \brief this function is used to add the parsed "id" option
211  * \brief into the current signature
212  *
213  * \param de_ctx pointer to the Detection Engine Context
214  * \param s pointer to the Current Signature
215  * \param idstr pointer to the user provided "id" option
216  *
217  * \retval 0 on Success
218  * \retval -1 on Failure
219  */
220 static int DetectSshSoftwareVersionSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
221 {
222  DetectSshSoftwareVersionData *ssh = NULL;
223 
225  return -1;
226 
227  ssh = DetectSshSoftwareVersionParse(NULL, str);
228  if (ssh == NULL)
229  goto error;
230 
231  /* Okay so far so good, lets get this into a SigMatch
232  * and put it in the Signature. */
233 
235  g_ssh_banner_list_id) == NULL) {
236  goto error;
237  }
238  return 0;
239 
240 error:
241  if (ssh != NULL)
242  DetectSshSoftwareVersionFree(de_ctx, ssh);
243  return -1;
244 
245 }
246 
247 /**
248  * \brief this function will free memory associated with DetectSshSoftwareVersionData
249  *
250  * \param id_d pointer to DetectSshSoftwareVersionData
251  */
252 static void DetectSshSoftwareVersionFree(DetectEngineCtx *de_ctx, void *ptr)
253 {
254  if (ptr == NULL)
255  return;
256 
258  if (ssh->software_ver != NULL)
259  SCFree(ssh->software_ver);
260  SCFree(ssh);
261 }
262 
263 #ifdef UNITTESTS /* UNITTESTS */
264 #include "detect-engine-alert.h"
265 
266 /**
267  * \test DetectSshSoftwareVersionTestParse01 is a test to make sure that we parse
268  * a software version correctly
269  */
270 static int DetectSshSoftwareVersionTestParse01 (void)
271 {
272  DetectSshSoftwareVersionData *ssh = NULL;
273  ssh = DetectSshSoftwareVersionParse(NULL, "PuTTY_1.0");
274  if (ssh != NULL && strncmp((char *) ssh->software_ver, "PuTTY_1.0", 9) == 0) {
275  DetectSshSoftwareVersionFree(NULL, ssh);
276  return 1;
277  }
278 
279  return 0;
280 }
281 
282 /**
283  * \test DetectSshSoftwareVersionTestParse02 is a test to make sure that we parse
284  * the software version correctly
285  */
286 static int DetectSshSoftwareVersionTestParse02 (void)
287 {
288  DetectSshSoftwareVersionData *ssh = NULL;
289  ssh = DetectSshSoftwareVersionParse(NULL, "\"SecureCRT-4.0\"");
290  if (ssh != NULL && strncmp((char *) ssh->software_ver, "SecureCRT-4.0", 13) == 0) {
291  DetectSshSoftwareVersionFree(NULL, ssh);
292  return 1;
293  }
294 
295  return 0;
296 }
297 
298 /**
299  * \test DetectSshSoftwareVersionTestParse03 is a test to make sure that we
300  * don't return a ssh_data with an empty value specified
301  */
302 static int DetectSshSoftwareVersionTestParse03 (void)
303 {
304  DetectSshSoftwareVersionData *ssh = NULL;
305  ssh = DetectSshSoftwareVersionParse(NULL, "");
306  if (ssh != NULL) {
307  DetectSshSoftwareVersionFree(NULL, ssh);
308  return 0;
309  }
310 
311  return 1;
312 }
313 
314 
315 #include "stream-tcp-reassemble.h"
316 #include "stream-tcp-util.h"
317 
318 /** \test Send a get request in three chunks + more data. */
319 static int DetectSshSoftwareVersionTestDetect01(void)
320 {
321  TcpReassemblyThreadCtx *ra_ctx = NULL;
322  ThreadVars tv;
323  TcpSession ssn;
324  Flow *f = NULL;
325  Packet *p = NULL;
326 
327  uint8_t sshbuf1[] = "SSH-1.";
328  uint8_t sshbuf2[] = "10-PuTTY_2.123" ;
329  uint8_t sshbuf3[] = "\n";
330  uint8_t sshbuf4[] = "whatever...";
331 
332  uint8_t* sshbufs[4] = {sshbuf1, sshbuf2, sshbuf3, sshbuf4};
333  uint32_t sshlens[4] = {sizeof(sshbuf1) - 1, sizeof(sshbuf2) - 1, sizeof(sshbuf3) - 1, sizeof(sshbuf4) - 1};
334 
335  memset(&tv, 0x00, sizeof(tv));
336 
337  StreamTcpUTInit(&ra_ctx);
342 
343  f = UTHBuildFlow(AF_INET, "1.1.1.1", "2.2.2.2", 1234, 2222);
344  FAIL_IF_NULL(f);
345  f->protoctx = &ssn;
346  f->proto = IPPROTO_TCP;
347  f->alproto = ALPROTO_SSH;
348 
349  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
350  FAIL_IF(unlikely(p == NULL));
351  p->flow = f;
352 
353  Signature *s = NULL;
354  ThreadVars th_v;
355  DetectEngineThreadCtx *det_ctx = NULL;
356 
357  memset(&th_v, 0, sizeof(th_v));
358 
361 
362  de_ctx->flags |= DE_QUIET;
363 
364  s = de_ctx->sig_list = SigInit(de_ctx,"alert ssh any any -> any any (msg:\"SSH\"; ssh.softwareversion:PuTTY_2.123; sid:1;)");
365  FAIL_IF_NULL(s);
366 
368  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
369 
370  uint32_t seq = 2;
371  for (int i=0; i<4; i++) {
372  FAIL_IF(StreamTcpUTAddSegmentWithPayload(&tv, ra_ctx, &ssn.server, seq, sshbufs[i], sshlens[i]) == -1);
373  seq += sshlens[i];
374  FAIL_IF(StreamTcpReassembleAppLayer(&tv, ra_ctx, &ssn, &ssn.server, p, UPDATE_DIR_PACKET) < 0);
375  }
376 
377  void *ssh_state = f->alstate;
378  FAIL_IF_NULL(ssh_state);
379 
380  /* do detect */
381  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
382 
383  FAIL_IF(PacketAlertCheck(p, 1));
384 
385  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
387 
388  UTHFreePacket(p);
390  StreamTcpUTDeinit(ra_ctx);
391  UTHFreeFlow(f);
392  PASS;
393 }
394 
395 /** \test Send a get request in three chunks + more data. */
396 static int DetectSshSoftwareVersionTestDetect02(void)
397 {
398  TcpReassemblyThreadCtx *ra_ctx = NULL;
399  ThreadVars tv;
400  TcpSession ssn;
401  Flow *f = NULL;
402  Packet *p = NULL;
403 
404  uint8_t sshbuf1[] = "SSH-1.99-Pu";
405  uint8_t sshbuf2[] = "TTY_2.123" ;
406  uint8_t sshbuf3[] = "\n";
407  uint8_t sshbuf4[] = "whatever...";
408 
409  uint8_t* sshbufs[4] = {sshbuf1, sshbuf2, sshbuf3, sshbuf4};
410  uint32_t sshlens[4] = {sizeof(sshbuf1) - 1, sizeof(sshbuf2) - 1, sizeof(sshbuf3) - 1, sizeof(sshbuf4) - 1};
411 
412  memset(&tv, 0x00, sizeof(tv));
413 
414  StreamTcpUTInit(&ra_ctx);
419 
420  f = UTHBuildFlow(AF_INET, "1.1.1.1", "2.2.2.2", 1234, 2222);
421  FAIL_IF_NULL(f);
422  f->protoctx = &ssn;
423  f->proto = IPPROTO_TCP;
424  f->alproto = ALPROTO_SSH;
425 
426  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
427  FAIL_IF(unlikely(p == NULL));
428  p->flow = f;
429 
430  Signature *s = NULL;
431  ThreadVars th_v;
432  DetectEngineThreadCtx *det_ctx = NULL;
433 
434  memset(&th_v, 0, sizeof(th_v));
435 
438 
439  de_ctx->flags |= DE_QUIET;
440 
441  s = de_ctx->sig_list = SigInit(de_ctx,"alert ssh any any -> any any (msg:\"SSH\"; ssh.softwareversion:PuTTY_2.123; sid:1;)");
442  FAIL_IF_NULL(s);
443 
445  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
446 
447  uint32_t seq = 2;
448  for (int i=0; i<4; i++) {
449  FAIL_IF(StreamTcpUTAddSegmentWithPayload(&tv, ra_ctx, &ssn.server, seq, sshbufs[i], sshlens[i]) == -1);
450  seq += sshlens[i];
451  FAIL_IF(StreamTcpReassembleAppLayer(&tv, ra_ctx, &ssn, &ssn.server, p, UPDATE_DIR_PACKET) < 0);
452  }
453 
454  void *ssh_state = f->alstate;
455  FAIL_IF_NULL(ssh_state);
456 
457  /* do detect */
458  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
459 
460  FAIL_IF(PacketAlertCheck(p, 1));
461 
462  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
464 
465  UTHFreePacket(p);
467  StreamTcpUTDeinit(ra_ctx);
468  UTHFreeFlow(f);
469  PASS;
470 }
471 
472 /** \test Send a get request in three chunks + more data. */
473 static int DetectSshSoftwareVersionTestDetect03(void)
474 {
475  TcpReassemblyThreadCtx *ra_ctx = NULL;
476  ThreadVars tv;
477  TcpSession ssn;
478  Flow *f = NULL;
479  Packet *p = NULL;
480 
481  uint8_t sshbuf1[] = "SSH-1.";
482  uint8_t sshbuf2[] = "7-PuTTY_2.123" ;
483  uint8_t sshbuf3[] = "\n";
484  uint8_t sshbuf4[] = "whatever...";
485 
486  uint8_t* sshbufs[4] = {sshbuf1, sshbuf2, sshbuf3, sshbuf4};
487  uint32_t sshlens[4] = {sizeof(sshbuf1) - 1, sizeof(sshbuf2) - 1, sizeof(sshbuf3) - 1, sizeof(sshbuf4) - 1};
488 
489  memset(&tv, 0x00, sizeof(tv));
490 
491  StreamTcpUTInit(&ra_ctx);
496 
497  f = UTHBuildFlow(AF_INET, "1.1.1.1", "2.2.2.2", 1234, 2222);
498  FAIL_IF_NULL(f);
499  f->protoctx = &ssn;
500  f->proto = IPPROTO_TCP;
501  f->alproto = ALPROTO_SSH;
502 
503  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
504  FAIL_IF(unlikely(p == NULL));
505  p->flow = f;
506 
507  Signature *s = NULL;
508  ThreadVars th_v;
509  DetectEngineThreadCtx *det_ctx = NULL;
510 
511  memset(&th_v, 0, sizeof(th_v));
512 
515 
516  de_ctx->flags |= DE_QUIET;
517 
518  s = de_ctx->sig_list = SigInit(de_ctx,"alert ssh any any -> any any (msg:\"SSH\"; ssh.softwareversion:lalala-3.1.4; sid:1;)");
519  FAIL_IF_NULL(s);
520 
522  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
523 
524  uint32_t seq = 2;
525  for (int i=0; i<4; i++) {
526  FAIL_IF(StreamTcpUTAddSegmentWithPayload(&tv, ra_ctx, &ssn.server, seq, sshbufs[i], sshlens[i]) == -1);
527  seq += sshlens[i];
528  FAIL_IF(StreamTcpReassembleAppLayer(&tv, ra_ctx, &ssn, &ssn.server, p, UPDATE_DIR_PACKET) < 0);
529  }
530 
531  void *ssh_state = f->alstate;
532  FAIL_IF_NULL(ssh_state);
533 
534  /* do detect */
535  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
536 
537  FAIL_IF(PacketAlertCheck(p, 1));
538 
539  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
541 
542  UTHFreePacket(p);
544  StreamTcpUTDeinit(ra_ctx);
545  UTHFreeFlow(f);
546  PASS;
547 }
548 
549 /**
550  * \brief this function registers unit tests for DetectSshSoftwareVersion
551  */
552 static void DetectSshSoftwareVersionRegisterTests(void)
553 {
554  UtRegisterTest("DetectSshSoftwareVersionTestParse01",
555  DetectSshSoftwareVersionTestParse01);
556  UtRegisterTest("DetectSshSoftwareVersionTestParse02",
557  DetectSshSoftwareVersionTestParse02);
558  UtRegisterTest("DetectSshSoftwareVersionTestParse03",
559  DetectSshSoftwareVersionTestParse03);
560  UtRegisterTest("DetectSshSoftwareVersionTestDetect01",
561  DetectSshSoftwareVersionTestDetect01);
562  UtRegisterTest("DetectSshSoftwareVersionTestDetect02",
563  DetectSshSoftwareVersionTestDetect02);
564  UtRegisterTest("DetectSshSoftwareVersionTestDetect03",
565  DetectSshSoftwareVersionTestDetect03);
566 }
567 #endif /* UNITTESTS */
UPDATE_DIR_PACKET
@ UPDATE_DIR_PACKET
Definition: stream-tcp-reassemble.h:55
SigTableElmt_::url
const char * url
Definition: detect.h:1296
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1753
detect-engine.h
StreamTcpUTDeinit
void StreamTcpUTDeinit(TcpReassemblyThreadCtx *ra_ctx)
Definition: stream-tcp-util.c:51
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
app-layer-ssh.h
SigTableElmt_::desc
const char * desc
Definition: detect.h:1295
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1283
flow-util.h
DetectParseRegex
Definition: detect-parse.h:62
DetectSshSoftwareVersionData_
Definition: detect-ssh-software-version.h:27
SigTableElmt_::name
const char * name
Definition: detect.h:1293
DetectSshSoftwareVersionRegister
void DetectSshSoftwareVersionRegister(void)
Registration function for keyword: ssh.softwareversion.
Definition: detect-ssh-software-version.c:83
stream-tcp.h
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
SIGMATCH_QUOTES_OPTIONAL
#define SIGMATCH_QUOTES_OPTIONAL
Definition: detect.h:1485
seq
uint32_t seq
Definition: stream-tcp-private.h:2
Flow_::proto
uint8_t proto
Definition: flow.h:372
DetectSshSoftwareVersionData_::len
uint16_t len
Definition: detect-ssh-software-version.h:29
DETECT_AL_SSH_SOFTWAREVERSION
@ DETECT_AL_SSH_SOFTWAREVERSION
Definition: detect-engine-register.h:177
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
threads.h
Flow_
Flow data structure.
Definition: flow.h:350
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1287
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:836
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2580
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1264
rust.h
DE_QUIET
#define DE_QUIET
Definition: detect.h:321
stream-tcp-reassemble.h
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:338
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1884
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
Definition: detect-parse.c:2674
m
SCMutex m
Definition: flow-hash.h:6
ALPROTO_SSH
@ ALPROTO_SSH
Definition: app-layer-protos.h:34
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:264
Flow_::protoctx
void * protoctx
Definition: flow.h:440
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1278
StreamTcpUTInitInline
void StreamTcpUTInitInline(void)
Definition: stream-tcp-util.c:58
util-unittest.h
util-unittest-helper.h
DetectSshSoftwareVersionData_::software_ver
uint8_t * software_ver
Definition: detect-ssh-software-version.h:28
StreamTcpUTInit
void StreamTcpUTInit(TcpReassemblyThreadCtx **ra_ctx)
Definition: stream-tcp-util.c:44
UTHBuildFlow
Flow * UTHBuildFlow(int family, const char *src, const char *dst, Port sp, Port dp)
Definition: util-unittest-helper.c:501
StreamTcpReassembleAppLayer
int StreamTcpReassembleAppLayer(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, TcpSession *ssn, TcpStream *stream, Packet *p, enum StreamUpdateDir dir)
Update the stream reassembly upon receiving a packet.
Definition: stream-tcp-reassemble.c:1353
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:263
decode.h
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1092
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2791
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
DETECT_AL_SSH_SOFTWARE
@ DETECT_AL_SSH_SOFTWARE
Definition: detect-engine-register.h:176
StreamTcpUTSetupStream
void StreamTcpUTSetupStream(TcpStream *s, uint32_t isn)
Definition: stream-tcp-util.c:79
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2314
SigTableElmt_::alternative
uint16_t alternative
Definition: detect.h:1291
PARSE_REGEX
#define PARSE_REGEX
Regex for parsing the softwareversion string.
Definition: detect-ssh-software-version.c:65
app-layer-parser.h
Packet_
Definition: decode.h:436
detect-engine-build.h
detect-engine-alert.h
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2149
UTHFreeFlow
void UTHFreeFlow(Flow *flow)
Definition: util-unittest-helper.c:506
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:342
StreamTcpUTClearSession
void StreamTcpUTClearSession(TcpSession *ssn)
Definition: stream-tcp-util.c:71
detect-ssh-software-version.h
Packet_::flow
struct Flow_ * flow
Definition: decode.h:475
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3291
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
DetectBufferTypeRegister
int DetectBufferTypeRegister(const char *name)
Definition: detect-engine.c:1055
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3501
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:127
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:844
DetectEngineInspectGenericList
uint8_t DetectEngineInspectGenericList(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:2126
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:295
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
StreamTcpUTAddSegmentWithPayload
int StreamTcpUTAddSegmentWithPayload(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, TcpStream *stream, uint32_t seq, uint8_t *payload, uint16_t len)
Definition: stream-tcp-util.c:113
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
StreamTcpUTSetupSession
void StreamTcpUTSetupSession(TcpSession *ssn)
Definition: stream-tcp-util.c:62
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:294
str
#define str(s)
Definition: suricata-common.h:291
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SCFree
#define SCFree(p)
Definition: util-mem.h:61
SIGMATCH_INFO_DEPRECATED
#define SIGMATCH_INFO_DEPRECATED
Definition: detect.h:1499
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:486
Flow_::alstate
void * alstate
Definition: flow.h:475
detect-parse.h
Signature_
Signature container.
Definition: detect.h:593
stream-tcp-util.h
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2541
TcpReassemblyThreadCtx_
Definition: stream-tcp-reassemble.h:60
DetectAppLayerInspectEngineRegister
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
Definition: detect-engine.c:216
SigMatchAppendSMToList
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:447
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:838
TcpSession_
Definition: stream-tcp-private.h:283
flow.h
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:449
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
flow-var.h
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1285
app-layer.h