suricata
detect-stream_size.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Gurvinder Singh <gurvindersinghdahiya@gmail.com>
22  *
23  * Stream size for the engine.
24  */
25 
26 #include "suricata-common.h"
27 #include "stream-tcp.h"
28 #include "util-unittest.h"
29 
30 #include "detect.h"
31 #include "detect-parse.h"
32 
33 #include "flow.h"
34 #include "detect-stream_size.h"
35 #include "stream-tcp-private.h"
36 #include "util-debug.h"
37 #include "util-byte.h"
38 
39 /**
40  * \brief Regex for parsing our flow options
41  */
42 #define PARSE_REGEX "^\\s*([A-z_]+)\\s*,\\s*([<=>!]+)\\s*,\\s*([0-9]+)\\s*$"
43 
44 static DetectParseRegex parse_regex;
45 
46 /*prototypes*/
47 static int DetectStreamSizeMatch (DetectEngineThreadCtx *, Packet *,
48  const Signature *, const SigMatchCtx *);
49 static int DetectStreamSizeSetup (DetectEngineCtx *, Signature *, const char *);
51 #ifdef UNITTESTS
52 static void DetectStreamSizeRegisterTests(void);
53 #endif
54 
55 /**
56  * \brief Registration function for stream_size: keyword
57  */
58 
60 {
61  sigmatch_table[DETECT_STREAM_SIZE].name = "stream_size";
62  sigmatch_table[DETECT_STREAM_SIZE].desc = "match on amount of bytes of a stream";
63  sigmatch_table[DETECT_STREAM_SIZE].url = "/rules/flow-keywords.html#stream-size";
64  sigmatch_table[DETECT_STREAM_SIZE].Match = DetectStreamSizeMatch;
65  sigmatch_table[DETECT_STREAM_SIZE].Setup = DetectStreamSizeSetup;
67 #ifdef UNITTESTS
68  sigmatch_table[DETECT_STREAM_SIZE].RegisterTests = DetectStreamSizeRegisterTests;
69 #endif
70  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
71 }
72 
73 /**
74  * \brief Function to comapre the stream size against defined size in the user
75  * options.
76  *
77  * \param diff The stream size of server or client stream.
78  * \param stream_size User defined stream size
79  * \param mode The mode defined by user.
80  *
81  * \retval 1 on success and 0 on failure.
82  */
83 
84 static int DetectStreamSizeCompare (uint32_t diff, uint32_t stream_size, uint8_t mode)
85 {
86  SCLogDebug("diff %u stream_size %u mode %u", diff, stream_size, mode);
87 
88  int ret = 0;
89  switch (mode) {
90  case DETECTSSIZE_LT:
91  if (diff < stream_size)
92  ret = 1;
93  break;
94  case DETECTSSIZE_LEQ:
95  if (diff <= stream_size)
96  ret = 1;
97  break;
98  case DETECTSSIZE_EQ:
99  if (diff == stream_size)
100  ret = 1;
101  break;
102  case DETECTSSIZE_NEQ:
103  if (diff != stream_size)
104  ret = 1;
105  break;
106  case DETECTSSIZE_GEQ:
107  if (diff >= stream_size)
108  ret = 1;
109  break;
110  case DETECTSSIZE_GT:
111  if (diff > stream_size)
112  ret = 1;
113  break;
114  }
115 
116  SCReturnInt(ret);
117 }
118 
119 /**
120  * \brief This function is used to match Stream size rule option on a packet with those passed via stream_size:
121  *
122  * \param t pointer to thread vars
123  * \param det_ctx pointer to the pattern matcher thread
124  * \param p pointer to the current packet
125  * \param m pointer to the sigmatch that we will cast into DetectStreamSizeData
126  *
127  * \retval 0 no match
128  * \retval 1 match
129  */
130 static int DetectStreamSizeMatch (DetectEngineThreadCtx *det_ctx, Packet *p,
131  const Signature *s, const SigMatchCtx *ctx)
132 {
133 
134  const DetectStreamSizeData *sd = (const DetectStreamSizeData *)ctx;
135 
136  if (!(PKT_IS_TCP(p)))
137  return 0;
138  if (p->flow == NULL || p->flow->protoctx == NULL)
139  return 0;
140 
141  const TcpSession *ssn = (TcpSession *)p->flow->protoctx;
142  int ret = 0;
143  uint32_t csdiff = 0;
144  uint32_t ssdiff = 0;
145 
146  if (sd->flags & STREAM_SIZE_SERVER) {
147  /* get the server stream size */
148  ssdiff = ssn->server.next_seq - ssn->server.isn;
149  ret = DetectStreamSizeCompare(ssdiff, sd->ssize, sd->mode);
150 
151  } else if (sd->flags & STREAM_SIZE_CLIENT) {
152  /* get the client stream size */
153  csdiff = ssn->client.next_seq - ssn->client.isn;
154  ret = DetectStreamSizeCompare(csdiff, sd->ssize, sd->mode);
155 
156  } else if (sd->flags & STREAM_SIZE_BOTH) {
157  ssdiff = ssn->server.next_seq - ssn->server.isn;
158  csdiff = ssn->client.next_seq - ssn->client.isn;
159 
160  if (DetectStreamSizeCompare(ssdiff, sd->ssize, sd->mode) &&
161  DetectStreamSizeCompare(csdiff, sd->ssize, sd->mode))
162  ret = 1;
163 
164  } else if (sd->flags & STREAM_SIZE_EITHER) {
165  ssdiff = ssn->server.next_seq - ssn->server.isn;
166  csdiff = ssn->client.next_seq - ssn->client.isn;
167 
168  if (DetectStreamSizeCompare(ssdiff, sd->ssize, sd->mode) ||
169  DetectStreamSizeCompare(csdiff, sd->ssize, sd->mode))
170  ret = 1;
171  }
172 
173  SCReturnInt(ret);
174 }
175 
176 /**
177  * \brief This function is used to parse stream options passed via stream_size: keyword
178  *
179  * \param de_ctx Pointer to the detection engine context
180  * \param streamstr Pointer to the user provided stream_size options
181  *
182  * \retval sd pointer to DetectStreamSizeData on success
183  * \retval NULL on failure
184  */
185 static DetectStreamSizeData *DetectStreamSizeParse (DetectEngineCtx *de_ctx, const char *streamstr)
186 {
187  DetectStreamSizeData *sd = NULL;
188  char *arg = NULL;
189  char *value = NULL;
190  char *mode = NULL;
191  int res = 0;
192  int ov[MAX_SUBSTRINGS];
193 
194  int ret = DetectParsePcreExec(&parse_regex, streamstr, 0, 0, ov, MAX_SUBSTRINGS);
195  if (ret != 4) {
196  SCLogError(SC_ERR_PCRE_MATCH, "pcre_exec parse error, ret %" PRId32 ", string %s", ret, streamstr);
197  goto error;
198  }
199 
200  const char *str_ptr;
201  res = pcre_get_substring((char *)streamstr, ov, MAX_SUBSTRINGS, 1, &str_ptr);
202  if (res < 0) {
203  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
204  goto error;
205  }
206  arg = (char *)str_ptr;
207 
208  res = pcre_get_substring((char *)streamstr, ov, MAX_SUBSTRINGS, 2, &str_ptr);
209  if (res < 0) {
210  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
211  goto error;
212  }
213  mode = (char *)str_ptr;
214 
215  res = pcre_get_substring((char *)streamstr, ov, MAX_SUBSTRINGS, 3, &str_ptr);
216  if (res < 0) {
217  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
218  goto error;
219  }
220  value = (char *)str_ptr;
221 
222  sd = SCMalloc(sizeof(DetectStreamSizeData));
223  if (unlikely(sd == NULL))
224  goto error;
225  sd->ssize = 0;
226  sd->flags = 0;
227 
228  if (strlen(mode) == 0)
229  goto error;
230 
231  if (mode[0] == '=') {
232  sd->mode = DETECTSSIZE_EQ;
233  } else if (mode[0] == '<') {
234  sd->mode = DETECTSSIZE_LT;
235  if (strcmp("<=", mode) == 0)
236  sd->mode = DETECTSSIZE_LEQ;
237  } else if (mode[0] == '>') {
238  sd->mode = DETECTSSIZE_GT;
239  if (strcmp(">=", mode) == 0)
240  sd->mode = DETECTSSIZE_GEQ;
241  } else if (strcmp("!=", mode) == 0) {
242  sd->mode = DETECTSSIZE_NEQ;
243  } else {
244  SCLogError(SC_ERR_INVALID_OPERATOR, "Invalid operator");
245  goto error;
246  }
247 
248  /* set the value */
249  if (StringParseUint32(&sd->ssize, 10, 0, (const char *)value) < 0) {
250  SCLogError(SC_ERR_INVALID_VALUE, "Invalid value for stream size: %s", value);
251  goto error;
252  }
253  /* inspect our options and set the flags */
254  if (strcmp(arg, "server") == 0) {
255  sd->flags |= STREAM_SIZE_SERVER;
256  } else if (strcmp(arg, "client") == 0) {
257  sd->flags |= STREAM_SIZE_CLIENT;
258  } else if ((strcmp(arg, "both") == 0)) {
259  sd->flags |= STREAM_SIZE_BOTH;
260  } else if (strcmp(arg, "either") == 0) {
261  sd->flags |= STREAM_SIZE_EITHER;
262  } else {
263  goto error;
264  }
265 
266  SCFree(mode);
267  SCFree(arg);
268  SCFree(value);
269  return sd;
270 
271 error:
272  if (mode != NULL)
273  SCFree(mode);
274  if (arg != NULL)
275  SCFree(arg);
276  if (value != NULL)
277  SCFree(value);
278  if (sd != NULL)
280  return NULL;
281 }
282 
283 /**
284  * \brief this function is used to add the parsed stream size data into the current signature
285  *
286  * \param de_ctx pointer to the Detection Engine Context
287  * \param s pointer to the Current Signature
288  * \param streamstr pointer to the user provided stream size options
289  *
290  * \retval 0 on Success
291  * \retval -1 on Failure
292  */
293 static int DetectStreamSizeSetup (DetectEngineCtx *de_ctx, Signature *s, const char *streamstr)
294 {
295  DetectStreamSizeData *sd = DetectStreamSizeParse(de_ctx, streamstr);
296  if (sd == NULL)
297  return -1;
298 
299  SigMatch *sm = SigMatchAlloc();
300  if (sm == NULL) {
302  return -1;
303  }
304 
305  sm->type = DETECT_STREAM_SIZE;
306  sm->ctx = (SigMatchCtx *)sd;
307 
309  return 0;
310 }
311 
312 /**
313  * \brief this function will free memory associated with DetectStreamSizeData
314  *
315  * \param ptr pointer to DetectStreamSizeData
316  */
318 {
320  SCFree(sd);
321 }
322 
323 #ifdef UNITTESTS
324 /**
325  * \test DetectStreamSizeParseTest01 is a test to make sure that we parse the
326  * user options correctly, when given valid stream_size options.
327  */
328 
329 static int DetectStreamSizeParseTest01 (void)
330 {
331  int result = 0;
332  DetectStreamSizeData *sd = NULL;
333  sd = DetectStreamSizeParse(NULL, "server,<,6");
334  if (sd != NULL) {
335  if (sd->flags & STREAM_SIZE_SERVER && sd->mode == DETECTSSIZE_LT && sd->ssize == 6)
336  result = 1;
337  DetectStreamSizeFree(NULL, sd);
338  }
339 
340  return result;
341 }
342 
343 /**
344  * \test DetectStreamSizeParseTest02 is a test to make sure that we detect the
345  * invalid stream_size options.
346  */
347 
348 static int DetectStreamSizeParseTest02 (void)
349 {
350  int result = 1;
351  DetectStreamSizeData *sd = NULL;
352  sd = DetectStreamSizeParse(NULL, "invalidoption,<,6");
353  if (sd != NULL) {
354  printf("expected: NULL got 0x%02X %" PRIu32 ": ",sd->flags, sd->ssize);
355  result = 0;
356  DetectStreamSizeFree(NULL, sd);
357  }
358 
359  return result;
360 }
361 
362 /**
363  * \test DetectStreamSizeParseTest03 is a test to make sure that we match the
364  * packet correctly provided valid stream size.
365  */
366 
367 static int DetectStreamSizeParseTest03 (void)
368 {
369 
370  int result = 0;
371  DetectStreamSizeData *sd = NULL;
372  TcpSession ssn;
373  ThreadVars tv;
375  Packet *p = PacketGetFromAlloc();
376  if (unlikely(p == NULL))
377  return 0;
378  Signature s;
379  SigMatch sm;
380  TcpStream client;
381  Flow f;
382  TCPHdr tcph;
383 
384  memset(&ssn, 0, sizeof(TcpSession));
385  memset(&tv, 0, sizeof(ThreadVars));
386  memset(&dtx, 0, sizeof(DetectEngineThreadCtx));
387  memset(&s, 0, sizeof(Signature));
388  memset(&sm, 0, sizeof(SigMatch));
389  memset(&client, 0, sizeof(TcpStream));
390  memset(&f, 0, sizeof(Flow));
391  memset(&tcph, 0, sizeof(TCPHdr));
392 
393  sd = DetectStreamSizeParse(NULL, "client,>,8");
394  if (sd != NULL) {
395  if (!(sd->flags & STREAM_SIZE_CLIENT)) {
396  printf("sd->flags not STREAM_SIZE_CLIENT: ");
397  DetectStreamSizeFree(NULL, sd);
398  SCFree(p);
399  return 0;
400  }
401 
402  if (sd->mode != DETECTSSIZE_GT) {
403  printf("sd->mode not DETECTSSIZE_GT: ");
404  DetectStreamSizeFree(NULL, sd);
405  SCFree(p);
406  return 0;
407  }
408 
409  if (sd->ssize != 8) {
410  printf("sd->ssize is %"PRIu32", not 8: ", sd->ssize);
411  DetectStreamSizeFree(NULL, sd);
412  SCFree(p);
413  return 0;
414  }
415  } else {
416  printf("sd == NULL: ");
417  SCFree(p);
418  return 0;
419  }
420 
421  client.next_seq = 20;
422  client.isn = 10;
423  ssn.client = client;
424  f.protoctx = &ssn;
425  p->flow = &f;
426  p->tcph = &tcph;
427  sm.ctx = (SigMatchCtx*)sd;
428 
429  result = DetectStreamSizeMatch(&dtx, p, &s, sm.ctx);
430  if (result == 0) {
431  printf("result 0 != 1: ");
432  }
433  DetectStreamSizeFree(NULL, sd);
434  SCFree(p);
435  return result;
436 }
437 
438 /**
439  * \test DetectStreamSizeParseTest04 is a test to make sure that we match the
440  * stream_size against invalid packet parameters.
441  */
442 
443 static int DetectStreamSizeParseTest04 (void)
444 {
445 
446  int result = 0;
447  DetectStreamSizeData *sd = NULL;
448  TcpSession ssn;
449  ThreadVars tv;
451  Packet *p = PacketGetFromAlloc();
452  if (unlikely(p == NULL))
453  return 0;
454  Signature s;
455  SigMatch sm;
456  TcpStream client;
457  Flow f;
458  IPV4Hdr ip4h;
459 
460  memset(&ssn, 0, sizeof(TcpSession));
461  memset(&tv, 0, sizeof(ThreadVars));
462  memset(&dtx, 0, sizeof(DetectEngineThreadCtx));
463  memset(&s, 0, sizeof(Signature));
464  memset(&sm, 0, sizeof(SigMatch));
465  memset(&client, 0, sizeof(TcpStream));
466  memset(&f, 0, sizeof(Flow));
467  memset(&ip4h, 0, sizeof(IPV4Hdr));
468 
469  sd = DetectStreamSizeParse(NULL, " client , > , 8 ");
470  if (sd != NULL) {
471  if (!(sd->flags & STREAM_SIZE_CLIENT) && sd->mode != DETECTSSIZE_GT && sd->ssize != 8) {
472  SCFree(p);
473  return 0;
474  }
475  } else
476  {
477  SCFree(p);
478  return 0;
479  }
480 
481  client.next_seq = 20;
482  client.isn = 12;
483  ssn.client = client;
484  f.protoctx = &ssn;
485  p->flow = &f;
486  p->ip4h = &ip4h;
487  sm.ctx = (SigMatchCtx*)sd;
488 
489  if (!DetectStreamSizeMatch(&dtx, p, &s, sm.ctx))
490  result = 1;
491 
492  SCFree(p);
493  return result;
494 }
495 
496 /**
497  * \brief this function registers unit tests for DetectStreamSize
498  */
499 void DetectStreamSizeRegisterTests(void)
500 {
501  UtRegisterTest("DetectStreamSizeParseTest01", DetectStreamSizeParseTest01);
502  UtRegisterTest("DetectStreamSizeParseTest02", DetectStreamSizeParseTest02);
503  UtRegisterTest("DetectStreamSizeParseTest03", DetectStreamSizeParseTest03);
504  UtRegisterTest("DetectStreamSizeParseTest04", DetectStreamSizeParseTest04);
505 }
506 #endif /* UNITTESTS */
util-byte.h
SigTableElmt_::url
const char * url
Definition: detect.h:1214
TcpStream_
Definition: stream-tcp-private.h:94
TcpStream_::isn
uint32_t isn
Definition: stream-tcp-private.h:101
SigTableElmt_::desc
const char * desc
Definition: detect.h:1213
STREAM_SIZE_BOTH
#define STREAM_SIZE_BOTH
Definition: detect-stream_size.h:36
SC_ERR_INVALID_VALUE
@ SC_ERR_INVALID_VALUE
Definition: util-error.h:160
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1201
SigTableElmt_::name
const char * name
Definition: detect.h:1211
stream-tcp.h
DETECTSSIZE_GT
#define DETECTSSIZE_GT
Definition: detect-stream_size.h:31
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
Flow_
Flow data structure.
Definition: flow.h:347
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:767
DETECT_STREAM_SIZE
@ DETECT_STREAM_SIZE
Definition: detect-engine-register.h:96
STREAM_SIZE_SERVER
#define STREAM_SIZE_SERVER
Definition: detect-stream_size.h:34
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
Flow_::protoctx
void * protoctx
Definition: flow.h:441
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1196
util-unittest.h
detect-stream_size.h
PKT_IS_TCP
#define PKT_IS_TCP(p)
Definition: decode.h:259
DETECTSSIZE_EQ
#define DETECTSSIZE_EQ
Definition: detect-stream_size.h:29
DetectStreamSizeData_::mode
uint8_t mode
Definition: detect-stream_size.h:41
DETECTSSIZE_GEQ
#define DETECTSSIZE_GEQ
Definition: detect-stream_size.h:32
util-debug.h
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1010
res
PoolThreadReserved res
Definition: stream-tcp-private.h:0
STREAM_SIZE_EITHER
#define STREAM_SIZE_EITHER
Definition: detect-stream_size.h:37
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2493
STREAM_SIZE_CLIENT
#define STREAM_SIZE_CLIENT
Definition: detect-stream_size.h:35
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:89
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:323
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options, int *ovector, int ovector_size)
Definition: detect-parse.c:2423
Packet_
Definition: decode.h:414
DetectStreamSizeData_::ssize
uint32_t ssize
Definition: detect-stream_size.h:42
stream-tcp-private.h
DetectStreamSizeFree
void DetectStreamSizeFree(DetectEngineCtx *de_ctx, void *)
this function will free memory associated with DetectStreamSizeData
Definition: detect-stream_size.c:317
Packet_::ip4h
IPV4Hdr * ip4h
Definition: decode.h:509
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1179
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
DETECTSSIZE_NEQ
#define DETECTSSIZE_NEQ
Definition: detect-stream_size.h:30
SigMatch_::type
uint8_t type
Definition: detect.h:321
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:315
IPV4Hdr_
Definition: decode-ipv4.h:71
StringParseUint32
int StringParseUint32(uint32_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:313
Packet_::flow
struct Flow_ * flow
Definition: decode.h:451
DETECTSSIZE_LEQ
#define DETECTSSIZE_LEQ
Definition: detect-stream_size.h:28
SC_ERR_INVALID_OPERATOR
@ SC_ERR_INVALID_OPERATOR
Definition: util-error.h:162
suricata-common.h
Packet_::tcph
TCPHdr * tcph
Definition: decode.h:531
DetectStreamSizeData_
Definition: detect-stream_size.h:39
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectParseRegex_
Definition: detect-parse.h:42
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:272
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
TcpStream_::next_seq
uint32_t next_seq
Definition: stream-tcp-private.h:102
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:144
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:271
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DETECTSSIZE_LT
#define DETECTSSIZE_LT
Definition: detect-stream_size.h:27
DetectStreamSizeRegister
void DetectStreamSizeRegister(void)
Registration function for stream_size: keyword.
Definition: detect-stream_size.c:59
detect-parse.h
Signature_
Signature container.
Definition: detect.h:528
SigMatch_
a single match condition for a signature
Definition: detect.h:320
PARSE_REGEX
#define PARSE_REGEX
Regex for parsing our flow options.
Definition: detect-stream_size.c:42
TcpSession_
Definition: stream-tcp-private.h:260
flow.h
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
DetectStreamSizeData_::flags
uint8_t flags
Definition: detect-stream_size.h:40
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1203