suricata
detect-ssl-version.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2016 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file detect-ssl-version.c
20  *
21  * \author Gurvinder Singh <gurvindersinghdahiya@gmail.com>
22  *
23  * Implements the ssl_version keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "threads.h"
28 #include "debug.h"
29 #include "decode.h"
30 
31 #include "detect.h"
32 #include "detect-parse.h"
33 
34 #include "detect-engine.h"
35 #include "detect-engine-mpm.h"
36 #include "detect-engine-state.h"
37 
38 #include "flow.h"
39 #include "flow-var.h"
40 #include "flow-util.h"
41 
42 #include "util-debug.h"
43 #include "util-unittest.h"
44 #include "util-unittest-helper.h"
45 
46 #include "app-layer.h"
47 #include "app-layer-parser.h"
48 
49 #include "detect-ssl-version.h"
50 
51 #include "stream-tcp.h"
52 #include "app-layer-ssl.h"
53 
54 /**
55  * \brief Regex for parsing "id" option, matching number or "number"
56  */
57 #define PARSE_REGEX "^\\s*(!?[A-z0-9.]+)\\s*,?\\s*(!?[A-z0-9.]+)?\\s*\\,?\\s*" \
58  "(!?[A-z0-9.]+)?\\s*,?\\s*(!?[A-z0-9.]+)?\\s*,?\\s*(!?[A-z0-9.]+)?\\s*$"
59 
60 static pcre *parse_regex;
61 static pcre_extra *parse_regex_study;
62 
63 static int DetectSslVersionMatch(ThreadVars *, DetectEngineThreadCtx *,
64  Flow *, uint8_t, void *, void *,
65  const Signature *, const SigMatchCtx *);
66 static int DetectSslVersionSetup(DetectEngineCtx *, Signature *, const char *);
67 static void DetectSslVersionRegisterTests(void);
68 static void DetectSslVersionFree(void *);
69 static int g_tls_generic_list_id = 0;
70 
71 /**
72  * \brief Registration function for keyword: ssl_version
73  */
74 void DetectSslVersionRegister(void)
75 {
76  sigmatch_table[DETECT_AL_SSL_VERSION].name = "ssl_version";
77  sigmatch_table[DETECT_AL_SSL_VERSION].AppLayerTxMatch = DetectSslVersionMatch;
78  sigmatch_table[DETECT_AL_SSL_VERSION].Setup = DetectSslVersionSetup;
79  sigmatch_table[DETECT_AL_SSL_VERSION].Free = DetectSslVersionFree;
80  sigmatch_table[DETECT_AL_SSL_VERSION].RegisterTests = DetectSslVersionRegisterTests;
81 
82  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
83 
84  g_tls_generic_list_id = DetectBufferTypeRegister("tls_generic");
85 }
86 
87 /**
88  * \brief match the specified version on a ssl session
89  *
90  * \param t pointer to thread vars
91  * \param det_ctx pointer to the pattern matcher thread
92  * \param p pointer to the current packet
93  * \param m pointer to the sigmatch that we will cast into DetectSslVersionData
94  *
95  * \retval 0 no match
96  * \retval 1 match
97  */
98 static int DetectSslVersionMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
99  Flow *f, uint8_t flags, void *state, void *txv,
100  const Signature *s, const SigMatchCtx *m)
101 {
102  SCEnter();
103 
104  int ret = 0;
105  uint16_t ver = 0;
106  uint8_t sig_ver = TLS_UNKNOWN;
107 
108  const DetectSslVersionData *ssl = (const DetectSslVersionData *)m;
109  SSLState *app_state = (SSLState *)state;
110  if (app_state == NULL) {
111  SCLogDebug("no app state, no match");
112  SCReturnInt(0);
113  }
114 
115  if (flags & STREAM_TOCLIENT) {
116  SCLogDebug("server (toclient) version is 0x%02X",
117  app_state->server_connp.version);
118  ver = app_state->server_connp.version;
119  } else if (flags & STREAM_TOSERVER) {
120  SCLogDebug("client (toserver) version is 0x%02X",
121  app_state->client_connp.version);
122  ver = app_state->client_connp.version;
123  }
124 
125  switch (ver) {
126  case SSL_VERSION_2:
127  if (ver == ssl->data[SSLv2].ver)
128  ret = 1;
129  sig_ver = SSLv2;
130  break;
131  case SSL_VERSION_3:
132  if (ver == ssl->data[SSLv3].ver)
133  ret = 1;
134  sig_ver = SSLv3;
135  break;
136  case TLS_VERSION_10:
137  if (ver == ssl->data[TLS10].ver)
138  ret = 1;
139  sig_ver = TLS10;
140  break;
141  case TLS_VERSION_11:
142  if (ver == ssl->data[TLS11].ver)
143  ret = 1;
144  sig_ver = TLS11;
145  break;
146  case TLS_VERSION_12:
147  if (ver == ssl->data[TLS12].ver)
148  ret = 1;
149  sig_ver = TLS12;
150  break;
151  case TLS_VERSION_13_DRAFT28:
152  case TLS_VERSION_13_DRAFT27:
153  case TLS_VERSION_13_DRAFT26:
154  case TLS_VERSION_13_DRAFT25:
155  case TLS_VERSION_13_DRAFT24:
156  case TLS_VERSION_13_DRAFT23:
157  case TLS_VERSION_13_DRAFT22:
158  case TLS_VERSION_13_DRAFT21:
159  case TLS_VERSION_13_DRAFT20:
160  case TLS_VERSION_13_DRAFT19:
161  case TLS_VERSION_13_DRAFT18:
162  case TLS_VERSION_13_DRAFT17:
163  case TLS_VERSION_13_DRAFT16:
164  case TLS_VERSION_13_PRE_DRAFT16:
165  if (((ver >> 8) & 0xff) == 0x7f)
166  ver = TLS_VERSION_13;
167  /* fall through */
168  case TLS_VERSION_13:
169  if (ver == ssl->data[TLS13].ver)
170  ret = 1;
171  sig_ver = TLS13;
172  break;
173  }
174 
175  if (sig_ver == TLS_UNKNOWN)
176  SCReturnInt(0);
177 
178  SCReturnInt(ret ^ ((ssl->data[sig_ver].flags & DETECT_SSL_VERSION_NEGATED) ? 1 : 0));
179 }
180 
181 /**
182  * \brief This function is used to parse ssl_version data passed via
183  * keyword: "ssl_version"
184  *
185  * \param str Pointer to the user provided options
186  *
187  * \retval ssl pointer to DetectSslVersionData on success
188  * \retval NULL on failure
189  */
190 static DetectSslVersionData *DetectSslVersionParse(const char *str)
191 {
192  DetectSslVersionData *ssl = NULL;
193  #define MAX_SUBSTRINGS 30
194  int ret = 0, res = 0;
195  int ov[MAX_SUBSTRINGS];
196 
197  ret = pcre_exec(parse_regex, parse_regex_study, str, strlen(str), 0, 0,
198  ov, MAX_SUBSTRINGS);
199 
200  if (ret < 1 || ret > 5) {
201  SCLogError(SC_ERR_PCRE_MATCH, "invalid ssl_version option");
202  goto error;
203  }
204 
205  if (ret > 1) {
206  const char *str_ptr;
207  char *orig;
208  uint8_t found = 0, neg = 0;
209  char *tmp_str;
210 
211  /* We have a correct ssl_version options */
212  ssl = SCCalloc(1, sizeof (DetectSslVersionData));
213  if (unlikely(ssl == NULL))
214  goto error;
215 
216  int i;
217  for (i = 1; i < ret; i++) {
218  res = pcre_get_substring((char *) str, ov, MAX_SUBSTRINGS, i, &str_ptr);
219  if (res < 0) {
220  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
221  if (found == 0)
222  goto error;
223  break;
224  }
225 
226  orig = SCStrdup((char*) str_ptr);
227  if (unlikely(orig == NULL)) {
228  goto error;
229  }
230  tmp_str = orig;
231 
232  /* Let's see if we need to scape "'s */
233  if (tmp_str[0] == '"') {
234  tmp_str[strlen(tmp_str) - 1] = '\0';
235  tmp_str += 1;
236  }
237 
238 
239  if (tmp_str[0] == '!') {
240  neg = 1;
241  tmp_str++;
242  }
243 
244  if (strcasecmp("sslv2", tmp_str) == 0) {
245  ssl->data[SSLv2].ver = SSL_VERSION_2;
246  if (neg == 1)
247  ssl->data[SSLv2].flags |= DETECT_SSL_VERSION_NEGATED;
248  } else if (strcasecmp("sslv3", tmp_str) == 0) {
249  ssl->data[SSLv3].ver = SSL_VERSION_3;
250  if (neg == 1)
251  ssl->data[SSLv3].flags |= DETECT_SSL_VERSION_NEGATED;
252  } else if (strcasecmp("tls1.0", tmp_str) == 0) {
253  ssl->data[TLS10].ver = TLS_VERSION_10;
254  if (neg == 1)
255  ssl->data[TLS10].flags |= DETECT_SSL_VERSION_NEGATED;
256  } else if (strcasecmp("tls1.1", tmp_str) == 0) {
257  ssl->data[TLS11].ver = TLS_VERSION_11;
258  if (neg == 1)
259  ssl->data[TLS11].flags |= DETECT_SSL_VERSION_NEGATED;
260  } else if (strcasecmp("tls1.2", tmp_str) == 0) {
261  ssl->data[TLS12].ver = TLS_VERSION_12;
262  if (neg == 1)
263  ssl->data[TLS12].flags |= DETECT_SSL_VERSION_NEGATED;
264  } else if (strcasecmp("tls1.3", tmp_str) == 0) {
265  ssl->data[TLS13].ver = TLS_VERSION_13;
266  if (neg == 1)
267  ssl->data[TLS13].flags |= DETECT_SSL_VERSION_NEGATED;
268  } else if (strcmp(tmp_str, "") == 0) {
269  SCFree(orig);
270  if (found == 0)
271  goto error;
272  break;
273  } else {
274  SCLogError(SC_ERR_INVALID_VALUE, "Invalid value");
275  SCFree(orig);
276  goto error;
277  }
278 
279  found = 1;
280  neg = 0;
281  SCFree(orig);
282  pcre_free_substring(str_ptr);
283  }
284  }
285 
286  return ssl;
287 
288 error:
289  if (ssl != NULL)
290  DetectSslVersionFree(ssl);
291  return NULL;
292 
293 }
294 
295 /**
296  * \brief this function is used to add the parsed "id" option
297  * \brief into the current signature
298  *
299  * \param de_ctx pointer to the Detection Engine Context
300  * \param s pointer to the Current Signature
301  * \param idstr pointer to the user provided "id" option
302  *
303  * \retval 0 on Success
304  * \retval -1 on Failure
305  */
306 static int DetectSslVersionSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
307 {
308  DetectSslVersionData *ssl = NULL;
309  SigMatch *sm = NULL;
310 
311  if (DetectSignatureSetAppProto(s, ALPROTO_TLS) != 0)
312  return -1;
313 
314  ssl = DetectSslVersionParse(str);
315  if (ssl == NULL)
316  goto error;
317 
318  /* Okay so far so good, lets get this into a SigMatch
319  * and put it in the Signature. */
320  sm = SigMatchAlloc();
321  if (sm == NULL)
322  goto error;
323 
324  sm->type = DETECT_AL_SSL_VERSION;
325  sm->ctx = (void *)ssl;
326 
327  SigMatchAppendSMToList(s, sm, g_tls_generic_list_id);
328  return 0;
329 
330 error:
331  if (ssl != NULL)
332  DetectSslVersionFree(ssl);
333  if (sm != NULL)
334  SCFree(sm);
335  return -1;
336 }
337 
338 /**
339  * \brief this function will free memory associated with DetectSslVersionData
340  *
341  * \param id_d pointer to DetectSslVersionData
342  */
343 void DetectSslVersionFree(void *ptr)
344 {
345  if (ptr != NULL)
346  SCFree(ptr);
347 }
348 
349 /**********************************Unittests***********************************/
350 
351 #ifdef UNITTESTS /* UNITTESTS */
352 
353 /**
354  * \test DetectSslVersionTestParse01 is a test to make sure that we parse the
355  * "ssl_version" option correctly when given valid ssl_version option
356  */
357 static int DetectSslVersionTestParse01(void)
358 {
359  DetectSslVersionData *ssl = NULL;
360  ssl = DetectSslVersionParse("SSlv3");
361  FAIL_IF_NULL(ssl);
362  FAIL_IF_NOT(ssl->data[SSLv3].ver == SSL_VERSION_3);
363  DetectSslVersionFree(ssl);
364  PASS;
365 }
366 
367 /**
368  * \test DetectSslVersionTestParse02 is a test to make sure that we parse the
369  * "ssl_version" option correctly when given an invalid ssl_version option
370  * it should return ssl = NULL
371  */
372 static int DetectSslVersionTestParse02(void)
373 {
374  DetectSslVersionData *ssl = NULL;
375  ssl = DetectSslVersionParse("2.5");
376  FAIL_IF_NOT_NULL(ssl);
377  DetectSslVersionFree(ssl);
378  PASS;
379 }
380 
381 /**
382  * \test DetectSslVersionTestParse03 is a test to make sure that we parse the
383  * "ssl_version" options correctly when given valid ssl_version options
384  */
385 static int DetectSslVersionTestParse03(void)
386 {
387  DetectSslVersionData *ssl = NULL;
388  ssl = DetectSslVersionParse("SSlv3,tls1.0, !tls1.2");
389  FAIL_IF_NULL(ssl);
390  FAIL_IF_NOT(ssl->data[SSLv3].ver == SSL_VERSION_3);
391  FAIL_IF_NOT(ssl->data[TLS10].ver == TLS_VERSION_10);
392  FAIL_IF_NOT(ssl->data[TLS12].ver == TLS_VERSION_12);
393  FAIL_IF_NOT(ssl->data[TLS12].flags & DETECT_SSL_VERSION_NEGATED);
394  DetectSslVersionFree(ssl);
395  PASS;
396 }
397 
398 #include "stream-tcp-reassemble.h"
399 
400 /** \test Send a get request in three chunks + more data. */
401 static int DetectSslVersionTestDetect01(void)
402 {
403  Flow f;
404  uint8_t sslbuf1[] = { 0x16 };
405  uint32_t ssllen1 = sizeof(sslbuf1);
406  uint8_t sslbuf2[] = { 0x03 };
407  uint32_t ssllen2 = sizeof(sslbuf2);
408  uint8_t sslbuf3[] = { 0x01 };
409  uint32_t ssllen3 = sizeof(sslbuf3);
410  uint8_t sslbuf4[] = { 0x01, 0x00, 0x00, 0xad, 0x03, 0x01 };
411  uint32_t ssllen4 = sizeof(sslbuf4);
412  TcpSession ssn;
413  Packet *p = NULL;
414  Signature *s = NULL;
415  ThreadVars th_v;
416  DetectEngineThreadCtx *det_ctx = NULL;
417  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
418 
419  memset(&th_v, 0, sizeof(th_v));
420  memset(&f, 0, sizeof(f));
421  memset(&ssn, 0, sizeof(ssn));
422 
423  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
424 
425  FLOW_INITIALIZE(&f);
426  f.protoctx = (void *)&ssn;
427  f.proto = IPPROTO_TCP;
428  p->flow = &f;
429  p->flowflags |= FLOW_PKT_TOSERVER;
430  p->flowflags |= FLOW_PKT_ESTABLISHED;
431  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
432  f.alproto = ALPROTO_TLS;
433 
434  StreamTcpInitConfig(TRUE);
435 
436  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
437  FAIL_IF_NULL(de_ctx);
438 
439  de_ctx->flags |= DE_QUIET;
440 
441  s = de_ctx->sig_list = SigInit(de_ctx,"alert tls any any -> any any (msg:\"TLS\"; ssl_version:tls1.0; sid:1;)");
442  FAIL_IF_NULL(s);
443 
444  SigGroupBuild(de_ctx);
445  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
446 
447  FLOWLOCK_WRLOCK(&f);
448  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
449  STREAM_TOSERVER, sslbuf1, ssllen1);
450  FAIL_IF(r != 0);
451 
452  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
453  sslbuf2, ssllen2);
454  FAIL_IF(r != 0);
455 
456  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
457  sslbuf3, ssllen3);
458  FAIL_IF(r != 0);
459 
460  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
461  sslbuf4, ssllen4);
462  FAIL_IF(r != 0);
463  FLOWLOCK_UNLOCK(&f);
464 
465  SSLState *app_state = f.alstate;
466  FAIL_IF_NULL(app_state);
467 
468  FAIL_IF(app_state->client_connp.content_type != 0x16);
469 
470  FAIL_IF(app_state->client_connp.version != TLS_VERSION_10);
471 
472  SCLogDebug("app_state is at %p, app_state->server_connp.version 0x%02X app_state->client_connp.version 0x%02X",
473  app_state, app_state->server_connp.version, app_state->client_connp.version);
474 
475  /* do detect */
476  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
477 
478  FAIL_IF_NOT(PacketAlertCheck(p, 1));
479 
480  AppLayerParserThreadCtxFree(alp_tctx);
481  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
482  DetectEngineCtxFree(de_ctx);
483 
484  StreamTcpFreeConfig(TRUE);
485  FLOW_DESTROY(&f);
486 
487  UTHFreePackets(&p, 1);
488 
489  PASS;
490 }
491 
492 static int DetectSslVersionTestDetect02(void)
493 {
494  Flow f;
495  uint8_t sslbuf1[] = { 0x16 };
496  uint32_t ssllen1 = sizeof(sslbuf1);
497  uint8_t sslbuf2[] = { 0x03 };
498  uint32_t ssllen2 = sizeof(sslbuf2);
499  uint8_t sslbuf3[] = { 0x01 };
500  uint32_t ssllen3 = sizeof(sslbuf3);
501  uint8_t sslbuf4[] = { 0x01, 0x00, 0x00, 0xad, 0x03, 0x02 };
502  uint32_t ssllen4 = sizeof(sslbuf4);
503  TcpSession ssn;
504  Packet *p = NULL;
505  Signature *s = NULL;
506  ThreadVars th_v;
507  DetectEngineThreadCtx *det_ctx = NULL;
508  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
509 
510  memset(&th_v, 0, sizeof(th_v));
511  memset(&f, 0, sizeof(f));
512  memset(&ssn, 0, sizeof(ssn));
513 
514  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
515 
516  FLOW_INITIALIZE(&f);
517  f.protoctx = (void *)&ssn;
518  f.proto = IPPROTO_TCP;
519  p->flow = &f;
520  p->flowflags |= FLOW_PKT_TOSERVER;
521  p->flowflags |= FLOW_PKT_ESTABLISHED;
522  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
523  f.alproto = ALPROTO_TLS;
524 
525  StreamTcpInitConfig(TRUE);
526 
527  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
528  FAIL_IF_NULL(de_ctx);
529 
530  de_ctx->flags |= DE_QUIET;
531 
532  s = de_ctx->sig_list = SigInit(de_ctx,"alert tls any any -> any any (msg:\"TLS\"; ssl_version:tls1.0; sid:1;)");
533  FAIL_IF_NULL(s);
534 
535  SigGroupBuild(de_ctx);
536  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
537 
538  FLOWLOCK_WRLOCK(&f);
539  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
540  STREAM_TOSERVER, sslbuf1, ssllen1);
541  FAIL_IF(r != 0);
542 
543  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
544  sslbuf2, ssllen2);
545  FAIL_IF(r != 0);
546 
547  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
548  sslbuf3, ssllen3);
549  FAIL_IF(r != 0);
550 
551  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
552  sslbuf4, ssllen4);
553  FAIL_IF(r != 0);
554  FLOWLOCK_UNLOCK(&f);
555 
556  SSLState *app_state = f.alstate;
557  FAIL_IF_NULL(app_state);
558 
559  FAIL_IF(app_state->client_connp.content_type != 0x16);
560 
561  FAIL_IF(app_state->client_connp.version != TLS_VERSION_10);
562 
563  /* do detect */
564  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
565 
566  FAIL_IF_NOT(PacketAlertCheck(p, 1));
567 
568  AppLayerParserThreadCtxFree(alp_tctx);
569  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
570  DetectEngineCtxFree(de_ctx);
571  StreamTcpFreeConfig(TRUE);
572  FLOW_DESTROY(&f);
573  UTHFreePackets(&p, 1);
574 
575  PASS;
576 }
577 
578 #endif /* UNITTESTS */
579 
580 /**
581  * \brief this function registers unit tests for DetectSslVersion
582  */
583 static void DetectSslVersionRegisterTests(void)
584 {
585 #ifdef UNITTESTS /* UNITTESTS */
586  UtRegisterTest("DetectSslVersionTestParse01", DetectSslVersionTestParse01);
587  UtRegisterTest("DetectSslVersionTestParse02", DetectSslVersionTestParse02);
588  UtRegisterTest("DetectSslVersionTestParse03", DetectSslVersionTestParse03);
589  UtRegisterTest("DetectSslVersionTestDetect01",
590  DetectSslVersionTestDetect01);
591  UtRegisterTest("DetectSslVersionTestDetect02",
592  DetectSslVersionTestDetect02);
593 #endif /* UNITTESTS */
594 
595  return;
596 }
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1403
flags
uint16_t flags
Definition: app-layer-dns-common.h:39
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1146
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(ThreadVars *, DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1132
TcpSession_
Definition: stream-tcp-private.h:257
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:335
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1373
Packet_::flow
struct Flow_ * flow
Definition: decode.h:444
PARSE_REGEX
#define PARSE_REGEX
Regex for parsing "id" option, matching number or "number".
Definition: detect-ssl-version.c:57
SSLVersionData_::ver
uint16_t ver
Definition: detect-ssl-version.h:43
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
Flow_::proto
uint8_t proto
Definition: flow.h:346
SSLStateConnp_::version
uint16_t version
Definition: app-layer-ssl.h:182
SSLVersionData_::flags
uint8_t flags
Definition: detect-ssl-version.h:44
FLOWLOCK_UNLOCK
#define FLOWLOCK_UNLOCK(fb)
Definition: flow.h:235
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:1910
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:726
SSLState_::server_connp
SSLStateConnp server_connp
Definition: app-layer-ssl.h:249
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:272
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:195
DetectSslVersionRegister
void DetectSslVersionRegister(void)
Registration function for keyword: ssl_version.
Definition: detect-ssl-version.c:74
StreamTcpFreeConfig
void StreamTcpFreeConfig(char quiet)
Definition: stream-tcp.c:669
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:83
FLOWLOCK_WRLOCK
#define FLOWLOCK_WRLOCK(fb)
Definition: flow.h:232
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2383
SigTableElmt_::name
const char * name
Definition: detect.h:1160
Signature_
Signature container.
Definition: detect.h:492
TRUE
#define TRUE
Definition: suricata-common.h:33
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:319
Flow_::protoctx
void * protoctx
Definition: flow.h:398
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:720
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:2591
SSLState_
SSLv[2.0|3.[0|1|2|3]] state structure.
Definition: app-layer-ssl.h:223
Flow_::alstate
void * alstate
Definition: flow.h:436
DE_QUIET
#define DE_QUIET
Definition: detect.h:298
str
#define str(s)
Definition: suricata-common.h:258
SCCalloc
#define SCCalloc(nm, a)
Definition: util-mem.h:205
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:721
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Free
void(* Free)(void *)
Definition: detect.h:1151
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:115
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1893
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1752
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, pcre **parse_regex, pcre_extra **parse_regex_study)
Definition: detect-parse.c:2276
SCEnter
#define SCEnter(...)
Definition: util-debug.h:337
StreamTcpInitConfig
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
Definition: stream-tcp.c:365
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:438
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:262
STREAM_TOCLIENT
#define STREAM_TOCLIENT
Definition: stream.h:32
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:193
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol&#39;s parser thread context.
Definition: app-layer-parser.c:246
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
SigMatch_::type
uint8_t type
Definition: detect.h:325
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:341
DETECT_SSL_VERSION_NEGATED
#define DETECT_SSL_VERSION_NEGATED
Definition: detect-ssl-version.h:28
Packet_
Definition: decode.h:406
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:282
DetectBufferTypeRegister
int DetectBufferTypeRegister(const char *name)
Definition: detect-engine.c:654
DetectSslVersionData_::data
SSLVersionData data[TLS_SIZE]
Definition: detect-ssl-version.h:48
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:327
SCFree
#define SCFree(a)
Definition: util-mem.h:236
res
PoolThreadReserved res
Definition: stream-tcp-private.h:60
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
m
SCMutex m
Definition: flow-hash.h:105
DetectSslVersionData_
Definition: detect-ssl-version.h:47
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1101
SSLStateConnp_::content_type
uint8_t content_type
Definition: app-layer-ssl.h:183
SCStrdup
#define SCStrdup(a)
Definition: util-mem.h:220
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:226
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
DetectEngineThreadCtx_
Definition: detect.h:962
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:407
Packet_::flags
uint32_t flags
Definition: decode.h:442
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:1685
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself...
Definition: util-unittest-helper.c:393
Flow_
Flow data structure.
Definition: flow.h:327
SSLState_::client_connp
SSLStateConnp client_connp
Definition: app-layer-ssl.h:248
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1099
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1152
SigMatch_
a single match condition for a signature
Definition: detect.h:324
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
Definition: util-unittest.h:82
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1131
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:1640