suricata
detect-ssh-software-version.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Pablo Rincon <pablo.rincon.crespo@gmail.com>
22  *
23  * Implements the ssh.softwareversion keyword
24  * You can match over the software version string of ssh, and it will
25  * be compared from the beginning of the string so you can say for
26  * example ssh.softwareversion:"PuTTY" and it can match, or you can
27  * also specify the version, something like
28  * ssh.softwareversion:"PuTTY-Release-0.55"
29  * I find this useful to match over a known vulnerable server/client
30  * software version incombination to other checks, so you can know
31  * that the risk is higher
32  */
33 
34 #include "suricata-common.h"
35 #include "threads.h"
36 #include "debug.h"
37 #include "decode.h"
38 
39 #include "detect.h"
40 #include "detect-parse.h"
41 
42 #include "detect-engine.h"
43 #include "detect-engine-mpm.h"
44 #include "detect-engine-state.h"
45 
46 #include "flow.h"
47 #include "flow-var.h"
48 #include "flow-util.h"
49 
50 #include "util-debug.h"
51 #include "util-unittest.h"
52 #include "util-unittest-helper.h"
53 
54 #include "app-layer.h"
55 #include "app-layer-parser.h"
56 #include "app-layer-ssh.h"
58 #include "rust.h"
59 
60 #include "stream-tcp.h"
61 
62 /**
63  * \brief Regex for parsing the softwareversion string
64  */
65 #define PARSE_REGEX "^\\s*\"?\\s*?([0-9a-zA-Z\\:\\.\\-\\_\\+\\s+]+)\\s*\"?\\s*$"
66 
67 static DetectParseRegex parse_regex;
68 
69 static int DetectSshSoftwareVersionMatch (DetectEngineThreadCtx *,
70  Flow *, uint8_t, void *, void *,
71  const Signature *, const SigMatchCtx *);
72 static int DetectSshSoftwareVersionSetup (DetectEngineCtx *, Signature *, const char *);
73 #ifdef UNITTESTS
74 static void DetectSshSoftwareVersionRegisterTests(void);
75 #endif
76 static void DetectSshSoftwareVersionFree(DetectEngineCtx *de_ctx, void *);
77 static int g_ssh_banner_list_id = 0;
78 
79 static int InspectSshBanner(ThreadVars *tv,
81  const Signature *s, const SigMatchData *smd,
82  Flow *f, uint8_t flags, void *alstate,
83  void *txv, uint64_t tx_id)
84 {
85  return DetectEngineInspectGenericList(tv, de_ctx, det_ctx, s, smd,
86  f, flags, alstate, txv, tx_id);
87 }
88 
89 /**
90  * \brief Registration function for keyword: ssh.softwareversion
91  */
93 {
94  sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].name = "ssh.softwareversion";
95  sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].desc = "match SSH software string";
96  sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].url = "/rules/ssh-keywords.html#ssh-softwareversion";
97  sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].AppLayerTxMatch = DetectSshSoftwareVersionMatch;
98  sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].Setup = DetectSshSoftwareVersionSetup;
99  sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].Free = DetectSshSoftwareVersionFree;
100 #ifdef UNITTESTS
101  sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].RegisterTests = DetectSshSoftwareVersionRegisterTests;
102 #endif
105 
106  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
107 
108  g_ssh_banner_list_id = DetectBufferTypeRegister("ssh_banner");
109 
111  ALPROTO_SSH, SIG_FLAG_TOSERVER, SshStateBannerDone,
112  InspectSshBanner);
114  ALPROTO_SSH, SIG_FLAG_TOCLIENT, SshStateBannerDone,
115  InspectSshBanner);
116 }
117 
118 /**
119  * \brief match the specified version on a ssh session
120  *
121  * \param t pointer to thread vars
122  * \param det_ctx pointer to the pattern matcher thread
123  * \param p pointer to the current packet
124  * \param m pointer to the sigmatch that we will cast into DetectSshSoftwareVersionData
125  *
126  * \retval 0 no match
127  * \retval 1 match
128  */
129 static int DetectSshSoftwareVersionMatch (DetectEngineThreadCtx *det_ctx,
130  Flow *f, uint8_t flags, void *state, void *txv,
131  const Signature *s, const SigMatchCtx *m)
132 {
133  SCEnter();
134 
136  if (state == NULL) {
137  SCLogDebug("no ssh state, no match");
138  SCReturnInt(0);
139  }
140 
141  int ret = 0;
142  const uint8_t *software = NULL;
143  uint32_t b_len = 0;
144 
145  if (rs_ssh_tx_get_software(txv, &software, &b_len, flags) != 1)
146  SCReturnInt(0);
147  if (software == NULL || b_len == 0)
148  SCReturnInt(0);
149  if (b_len == ssh->len) {
150  if (memcmp(software, ssh->software_ver, ssh->len) == 0) {
151  ret = 1;
152  }
153  }
154 
155  SCReturnInt(ret);
156 }
157 
158 /**
159  * \brief This function is used to parse IPV4 ip_id passed via keyword: "id"
160  *
161  * \param de_ctx Pointer to the detection engine context
162  * \param idstr Pointer to the user provided id option
163  *
164  * \retval id_d pointer to DetectSshSoftwareVersionData on success
165  * \retval NULL on failure
166  */
167 static DetectSshSoftwareVersionData *DetectSshSoftwareVersionParse (DetectEngineCtx *de_ctx, const char *str)
168 {
169  DetectSshSoftwareVersionData *ssh = NULL;
170  int ret = 0, res = 0;
171  int ov[MAX_SUBSTRINGS];
172 
173  ret = DetectParsePcreExec(&parse_regex, str, 0, 0, ov, MAX_SUBSTRINGS);
174 
175  if (ret < 1 || ret > 3) {
176  SCLogError(SC_ERR_PCRE_MATCH, "invalid ssh.softwareversion option");
177  goto error;
178  }
179 
180  if (ret > 1) {
181  const char *str_ptr = NULL;
182  res = pcre_get_substring((char *)str, ov, MAX_SUBSTRINGS, 1, &str_ptr);
183  if (res < 0) {
184  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
185  goto error;
186  }
187 
188  /* We have a correct id option */
189  ssh = SCMalloc(sizeof(DetectSshSoftwareVersionData));
190  if (unlikely(ssh == NULL))
191  goto error;
192 
193  ssh->software_ver = (uint8_t *)SCStrdup((char *)str_ptr);
194  if (ssh->software_ver == NULL) {
195  goto error;
196  }
197  pcre_free_substring(str_ptr);
198 
199  ssh->len = strlen((char *)ssh->software_ver);
200 
201  SCLogDebug("will look for ssh %s", ssh->software_ver);
202  }
203 
204  return ssh;
205 
206 error:
207  if (ssh != NULL)
208  DetectSshSoftwareVersionFree(de_ctx, ssh);
209  return NULL;
210 
211 }
212 
213 /**
214  * \brief this function is used to add the parsed "id" option
215  * \brief into the current signature
216  *
217  * \param de_ctx pointer to the Detection Engine Context
218  * \param s pointer to the Current Signature
219  * \param idstr pointer to the user provided "id" option
220  *
221  * \retval 0 on Success
222  * \retval -1 on Failure
223  */
224 static int DetectSshSoftwareVersionSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
225 {
226  DetectSshSoftwareVersionData *ssh = NULL;
227  SigMatch *sm = NULL;
228 
230  return -1;
231 
232  ssh = DetectSshSoftwareVersionParse(NULL, str);
233  if (ssh == NULL)
234  goto error;
235 
236  /* Okay so far so good, lets get this into a SigMatch
237  * and put it in the Signature. */
238  sm = SigMatchAlloc();
239  if (sm == NULL)
240  goto error;
241 
243  sm->ctx = (void *)ssh;
244 
245  SigMatchAppendSMToList(s, sm, g_ssh_banner_list_id);
246  return 0;
247 
248 error:
249  if (ssh != NULL)
250  DetectSshSoftwareVersionFree(de_ctx, ssh);
251  if (sm != NULL)
252  SCFree(sm);
253  return -1;
254 
255 }
256 
257 /**
258  * \brief this function will free memory associated with DetectSshSoftwareVersionData
259  *
260  * \param id_d pointer to DetectSshSoftwareVersionData
261  */
262 static void DetectSshSoftwareVersionFree(DetectEngineCtx *de_ctx, void *ptr)
263 {
264  if (ptr == NULL)
265  return;
266 
268  if (ssh->software_ver != NULL)
269  SCFree(ssh->software_ver);
270  SCFree(ssh);
271 }
272 
273 #ifdef UNITTESTS /* UNITTESTS */
274 
275 /**
276  * \test DetectSshSoftwareVersionTestParse01 is a test to make sure that we parse
277  * a software version correctly
278  */
279 static int DetectSshSoftwareVersionTestParse01 (void)
280 {
281  DetectSshSoftwareVersionData *ssh = NULL;
282  ssh = DetectSshSoftwareVersionParse(NULL, "PuTTY_1.0");
283  if (ssh != NULL && strncmp((char *) ssh->software_ver, "PuTTY_1.0", 9) == 0) {
284  DetectSshSoftwareVersionFree(NULL, ssh);
285  return 1;
286  }
287 
288  return 0;
289 }
290 
291 /**
292  * \test DetectSshSoftwareVersionTestParse02 is a test to make sure that we parse
293  * the software version correctly
294  */
295 static int DetectSshSoftwareVersionTestParse02 (void)
296 {
297  DetectSshSoftwareVersionData *ssh = NULL;
298  ssh = DetectSshSoftwareVersionParse(NULL, "\"SecureCRT-4.0\"");
299  if (ssh != NULL && strncmp((char *) ssh->software_ver, "SecureCRT-4.0", 13) == 0) {
300  DetectSshSoftwareVersionFree(NULL, ssh);
301  return 1;
302  }
303 
304  return 0;
305 }
306 
307 /**
308  * \test DetectSshSoftwareVersionTestParse03 is a test to make sure that we
309  * don't return a ssh_data with an empty value specified
310  */
311 static int DetectSshSoftwareVersionTestParse03 (void)
312 {
313  DetectSshSoftwareVersionData *ssh = NULL;
314  ssh = DetectSshSoftwareVersionParse(NULL, "");
315  if (ssh != NULL) {
316  DetectSshSoftwareVersionFree(NULL, ssh);
317  return 0;
318  }
319 
320  return 1;
321 }
322 
323 
324 #include "stream-tcp-reassemble.h"
325 #include "stream-tcp-util.h"
326 
327 /** \test Send a get request in three chunks + more data. */
328 static int DetectSshSoftwareVersionTestDetect01(void)
329 {
330  TcpReassemblyThreadCtx *ra_ctx = NULL;
331  ThreadVars tv;
332  TcpSession ssn;
333  Flow *f = NULL;
334  Packet *p = NULL;
335 
336  uint8_t sshbuf1[] = "SSH-1.";
337  uint8_t sshbuf2[] = "10-PuTTY_2.123" ;
338  uint8_t sshbuf3[] = "\n";
339  uint8_t sshbuf4[] = "whatever...";
340 
341  uint8_t* sshbufs[4] = {sshbuf1, sshbuf2, sshbuf3, sshbuf4};
342  uint32_t sshlens[4] = {sizeof(sshbuf1) - 1, sizeof(sshbuf2) - 1, sizeof(sshbuf3) - 1, sizeof(sshbuf4) - 1};
343 
344  memset(&tv, 0x00, sizeof(tv));
345 
346  StreamTcpUTInit(&ra_ctx);
351 
352  f = UTHBuildFlow(AF_INET, "1.1.1.1", "2.2.2.2", 1234, 2222);
353  FAIL_IF_NULL(f);
354  f->protoctx = &ssn;
355  f->proto = IPPROTO_TCP;
356  f->alproto = ALPROTO_SSH;
357 
358  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
359  FAIL_IF(unlikely(p == NULL));
360  p->flow = f;
361 
362  Signature *s = NULL;
363  ThreadVars th_v;
364  DetectEngineThreadCtx *det_ctx = NULL;
365 
366  memset(&th_v, 0, sizeof(th_v));
367 
370 
371  de_ctx->flags |= DE_QUIET;
372 
373  s = de_ctx->sig_list = SigInit(de_ctx,"alert ssh any any -> any any (msg:\"SSH\"; ssh.softwareversion:PuTTY_2.123; sid:1;)");
374  FAIL_IF_NULL(s);
375 
377  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
378 
379  uint32_t seq = 2;
380  for (int i=0; i<4; i++) {
381  FAIL_IF(StreamTcpUTAddSegmentWithPayload(&tv, ra_ctx, &ssn.server, seq, sshbufs[i], sshlens[i]) == -1);
382  seq += sshlens[i];
383  FAIL_IF(StreamTcpReassembleAppLayer(&tv, ra_ctx, &ssn, &ssn.server, p, UPDATE_DIR_PACKET) < 0);
384  }
385 
386  void *ssh_state = f->alstate;
387  FAIL_IF_NULL(ssh_state);
388 
389  /* do detect */
390  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
391 
392  FAIL_IF(PacketAlertCheck(p, 1));
393 
394  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
396 
397  UTHFreePacket(p);
399  StreamTcpUTDeinit(ra_ctx);
400  UTHFreeFlow(f);
401  PASS;
402 }
403 
404 /** \test Send a get request in three chunks + more data. */
405 static int DetectSshSoftwareVersionTestDetect02(void)
406 {
407  TcpReassemblyThreadCtx *ra_ctx = NULL;
408  ThreadVars tv;
409  TcpSession ssn;
410  Flow *f = NULL;
411  Packet *p = NULL;
412 
413  uint8_t sshbuf1[] = "SSH-1.99-Pu";
414  uint8_t sshbuf2[] = "TTY_2.123" ;
415  uint8_t sshbuf3[] = "\n";
416  uint8_t sshbuf4[] = "whatever...";
417 
418  uint8_t* sshbufs[4] = {sshbuf1, sshbuf2, sshbuf3, sshbuf4};
419  uint32_t sshlens[4] = {sizeof(sshbuf1) - 1, sizeof(sshbuf2) - 1, sizeof(sshbuf3) - 1, sizeof(sshbuf4) - 1};
420 
421  memset(&tv, 0x00, sizeof(tv));
422 
423  StreamTcpUTInit(&ra_ctx);
428 
429  f = UTHBuildFlow(AF_INET, "1.1.1.1", "2.2.2.2", 1234, 2222);
430  FAIL_IF_NULL(f);
431  f->protoctx = &ssn;
432  f->proto = IPPROTO_TCP;
433  f->alproto = ALPROTO_SSH;
434 
435  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
436  FAIL_IF(unlikely(p == NULL));
437  p->flow = f;
438 
439  Signature *s = NULL;
440  ThreadVars th_v;
441  DetectEngineThreadCtx *det_ctx = NULL;
442 
443  memset(&th_v, 0, sizeof(th_v));
444 
447 
448  de_ctx->flags |= DE_QUIET;
449 
450  s = de_ctx->sig_list = SigInit(de_ctx,"alert ssh any any -> any any (msg:\"SSH\"; ssh.softwareversion:PuTTY_2.123; sid:1;)");
451  FAIL_IF_NULL(s);
452 
454  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
455 
456  uint32_t seq = 2;
457  for (int i=0; i<4; i++) {
458  FAIL_IF(StreamTcpUTAddSegmentWithPayload(&tv, ra_ctx, &ssn.server, seq, sshbufs[i], sshlens[i]) == -1);
459  seq += sshlens[i];
460  FAIL_IF(StreamTcpReassembleAppLayer(&tv, ra_ctx, &ssn, &ssn.server, p, UPDATE_DIR_PACKET) < 0);
461  }
462 
463  void *ssh_state = f->alstate;
464  FAIL_IF_NULL(ssh_state);
465 
466  /* do detect */
467  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
468 
469  FAIL_IF(PacketAlertCheck(p, 1));
470 
471  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
473 
474  UTHFreePacket(p);
476  StreamTcpUTDeinit(ra_ctx);
477  UTHFreeFlow(f);
478  PASS;
479 }
480 
481 /** \test Send a get request in three chunks + more data. */
482 static int DetectSshSoftwareVersionTestDetect03(void)
483 {
484  TcpReassemblyThreadCtx *ra_ctx = NULL;
485  ThreadVars tv;
486  TcpSession ssn;
487  Flow *f = NULL;
488  Packet *p = NULL;
489 
490  uint8_t sshbuf1[] = "SSH-1.";
491  uint8_t sshbuf2[] = "7-PuTTY_2.123" ;
492  uint8_t sshbuf3[] = "\n";
493  uint8_t sshbuf4[] = "whatever...";
494 
495  uint8_t* sshbufs[4] = {sshbuf1, sshbuf2, sshbuf3, sshbuf4};
496  uint32_t sshlens[4] = {sizeof(sshbuf1) - 1, sizeof(sshbuf2) - 1, sizeof(sshbuf3) - 1, sizeof(sshbuf4) - 1};
497 
498  memset(&tv, 0x00, sizeof(tv));
499 
500  StreamTcpUTInit(&ra_ctx);
505 
506  f = UTHBuildFlow(AF_INET, "1.1.1.1", "2.2.2.2", 1234, 2222);
507  FAIL_IF_NULL(f);
508  f->protoctx = &ssn;
509  f->proto = IPPROTO_TCP;
510  f->alproto = ALPROTO_SSH;
511 
512  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
513  FAIL_IF(unlikely(p == NULL));
514  p->flow = f;
515 
516  Signature *s = NULL;
517  ThreadVars th_v;
518  DetectEngineThreadCtx *det_ctx = NULL;
519 
520  memset(&th_v, 0, sizeof(th_v));
521 
524 
525  de_ctx->flags |= DE_QUIET;
526 
527  s = de_ctx->sig_list = SigInit(de_ctx,"alert ssh any any -> any any (msg:\"SSH\"; ssh.softwareversion:lalala-3.1.4; sid:1;)");
528  FAIL_IF_NULL(s);
529 
531  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
532 
533  uint32_t seq = 2;
534  for (int i=0; i<4; i++) {
535  FAIL_IF(StreamTcpUTAddSegmentWithPayload(&tv, ra_ctx, &ssn.server, seq, sshbufs[i], sshlens[i]) == -1);
536  seq += sshlens[i];
537  FAIL_IF(StreamTcpReassembleAppLayer(&tv, ra_ctx, &ssn, &ssn.server, p, UPDATE_DIR_PACKET) < 0);
538  }
539 
540  void *ssh_state = f->alstate;
541  FAIL_IF_NULL(ssh_state);
542 
543  /* do detect */
544  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
545 
546  FAIL_IF(PacketAlertCheck(p, 1));
547 
548  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
550 
551  UTHFreePacket(p);
553  StreamTcpUTDeinit(ra_ctx);
554  UTHFreeFlow(f);
555  PASS;
556 }
557 
558 /**
559  * \brief this function registers unit tests for DetectSshSoftwareVersion
560  */
561 static void DetectSshSoftwareVersionRegisterTests(void)
562 {
563  UtRegisterTest("DetectSshSoftwareVersionTestParse01",
564  DetectSshSoftwareVersionTestParse01);
565  UtRegisterTest("DetectSshSoftwareVersionTestParse02",
566  DetectSshSoftwareVersionTestParse02);
567  UtRegisterTest("DetectSshSoftwareVersionTestParse03",
568  DetectSshSoftwareVersionTestParse03);
569  UtRegisterTest("DetectSshSoftwareVersionTestDetect01",
570  DetectSshSoftwareVersionTestDetect01);
571  UtRegisterTest("DetectSshSoftwareVersionTestDetect02",
572  DetectSshSoftwareVersionTestDetect02);
573  UtRegisterTest("DetectSshSoftwareVersionTestDetect03",
574  DetectSshSoftwareVersionTestDetect03);
575 }
576 #endif /* UNITTESTS */
UPDATE_DIR_PACKET
@ UPDATE_DIR_PACKET
Definition: stream-tcp-reassemble.h:55
SigTableElmt_::url
const char * url
Definition: detect.h:1214
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1480
detect-engine.h
StreamTcpUTDeinit
void StreamTcpUTDeinit(TcpReassemblyThreadCtx *ra_ctx)
Definition: stream-tcp-util.c:51
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
app-layer-ssh.h
SigTableElmt_::desc
const char * desc
Definition: detect.h:1213
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1201
flow-util.h
DetectSshSoftwareVersionData_
Definition: detect-ssh-software-version.h:27
SigTableElmt_::name
const char * name
Definition: detect.h:1211
DetectSshSoftwareVersionRegister
void DetectSshSoftwareVersionRegister(void)
Registration function for keyword: ssh.softwareversion.
Definition: detect-ssh-software-version.c:92
stream-tcp.h
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
SIGMATCH_QUOTES_OPTIONAL
#define SIGMATCH_QUOTES_OPTIONAL
Definition: detect.h:1392
seq
uint32_t seq
Definition: stream-tcp-private.h:2
Flow_::proto
uint8_t proto
Definition: flow.h:365
DetectSshSoftwareVersionData_::len
uint16_t len
Definition: detect-ssh-software-version.h:29
DETECT_AL_SSH_SOFTWAREVERSION
@ DETECT_AL_SSH_SOFTWAREVERSION
Definition: detect-engine-register.h:163
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
threads.h
Flow_
Flow data structure.
Definition: flow.h:347
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2056
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1205
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:767
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2093
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1182
rust.h
DE_QUIET
#define DE_QUIET
Definition: detect.h:294
stream-tcp-reassemble.h
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:337
m
SCMutex m
Definition: flow-hash.h:6
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
ALPROTO_SSH
@ ALPROTO_SSH
Definition: app-layer-protos.h:34
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:237
Flow_::protoctx
void * protoctx
Definition: flow.h:441
SigMatchData_
Data needed for Match()
Definition: detect.h:329
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1196
StreamTcpUTInitInline
void StreamTcpUTInitInline(void)
Definition: stream-tcp-util.c:58
util-unittest.h
util-unittest-helper.h
DetectEngineInspectGenericList
int DetectEngineInspectGenericList(ThreadVars *tv, const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, const uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1596
DetectSshSoftwareVersionData_::software_ver
uint8_t * software_ver
Definition: detect-ssh-software-version.h:28
StreamTcpUTInit
void StreamTcpUTInit(TcpReassemblyThreadCtx **ra_ctx)
Definition: stream-tcp-util.c:44
UTHBuildFlow
Flow * UTHBuildFlow(int family, const char *src, const char *dst, Port sp, Port dp)
Definition: util-unittest-helper.c:521
StreamTcpReassembleAppLayer
int StreamTcpReassembleAppLayer(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, TcpSession *ssn, TcpStream *stream, Packet *p, enum StreamUpdateDir dir)
Update the stream reassembly upon receiving a packet.
Definition: stream-tcp-reassemble.c:1194
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:236
decode.h
util-debug.h
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1010
res
PoolThreadReserved res
Definition: stream-tcp-private.h:0
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2493
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DETECT_AL_SSH_SOFTWARE
@ DETECT_AL_SSH_SOFTWARE
Definition: detect-engine-register.h:162
StreamTcpUTSetupStream
void StreamTcpUTSetupStream(TcpStream *s, uint32_t isn)
Definition: stream-tcp-util.c:79
SigTableElmt_::alternative
uint16_t alternative
Definition: detect.h:1209
PARSE_REGEX
#define PARSE_REGEX
Regex for parsing the softwareversion string.
Definition: detect-ssh-software-version.c:65
app-layer-parser.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:323
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1688
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options, int *ovector, int ovector_size)
Definition: detect-parse.c:2423
Packet_
Definition: decode.h:414
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1888
SigMatch_::type
uint8_t type
Definition: detect.h:321
UTHFreeFlow
void UTHFreeFlow(Flow *flow)
Definition: util-unittest-helper.c:526
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:315
StreamTcpUTClearSession
void StreamTcpUTClearSession(TcpSession *ssn)
Definition: stream-tcp-util.c:71
detect-ssh-software-version.h
Packet_::flow
struct Flow_ * flow
Definition: decode.h:451
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2797
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
DetectBufferTypeRegister
int DetectBufferTypeRegister(const char *name)
Definition: detect-engine.c:836
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3005
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectParseRegex_
Definition: detect-parse.h:42
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:773
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:272
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
StreamTcpUTAddSegmentWithPayload
int StreamTcpUTAddSegmentWithPayload(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, TcpStream *stream, uint32_t seq, uint8_t *payload, uint16_t len)
Definition: stream-tcp-util.c:113
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
StreamTcpUTSetupSession
void StreamTcpUTSetupSession(TcpSession *ssn)
Definition: stream-tcp-util.c:62
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:271
str
#define str(s)
Definition: suricata-common.h:273
SCFree
#define SCFree(p)
Definition: util-mem.h:61
SIGMATCH_INFO_DEPRECATED
#define SIGMATCH_INFO_DEPRECATED
Definition: detect.h:1406
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:485
Flow_::alstate
void * alstate
Definition: flow.h:476
detect-parse.h
Signature_
Signature container.
Definition: detect.h:528
SigMatch_
a single match condition for a signature
Definition: detect.h:320
stream-tcp-util.h
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2048
TcpReassemblyThreadCtx_
Definition: stream-tcp-reassemble.h:60
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:768
TcpSession_
Definition: stream-tcp-private.h:260
flow.h
DetectAppLayerInspectEngineRegister
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback)
register inspect engine at start up time
Definition: detect-engine.c:171
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:450
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
flow-var.h
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
debug.h
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1203
app-layer.h