suricata
detect-tls-cert-validity.c
Go to the documentation of this file.
1 /* Copyright (C) 2015-2018 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Mats Klepsland <mats.klepsland@gmail.com>
22  *
23  * Implements tls certificate validity keywords
24  */
25 
26 #include "suricata-common.h"
27 #include "threads.h"
28 #include "debug.h"
29 #include "decode.h"
30 #include "detect.h"
31 
32 #include "detect-parse.h"
33 #include "detect-engine.h"
34 #include "detect-engine-mpm.h"
35 #include "detect-content.h"
36 #include "detect-pcre.h"
38 
39 #include "flow.h"
40 #include "flow-util.h"
41 #include "flow-var.h"
42 
43 #include "stream-tcp.h"
44 
45 #include "app-layer.h"
46 #include "app-layer-ssl.h"
47 
48 #include "util-time.h"
49 #include "util-unittest.h"
50 #include "util-unittest-helper.h"
51 
52 /**
53  * [tls_notbefore|tls_notafter]:[<|>]<date string>[<><date string>];
54  */
55 #define PARSE_REGEX "^\\s*(<|>)?\\s*([ -:TW0-9]+)\\s*(?:(<>)\\s*([ -:TW0-9]+))?\\s*$"
56 static pcre *parse_regex;
57 static pcre_extra *parse_regex_study;
58 
59 static int DetectTlsValidityMatch (ThreadVars *, DetectEngineThreadCtx *, Flow *,
60  uint8_t, void *, void *, const Signature *,
61  const SigMatchCtx *);
62 
63 static time_t DateStringToEpoch (char *);
64 static DetectTlsValidityData *DetectTlsValidityParse (const char *);
65 static int DetectTlsExpiredSetup (DetectEngineCtx *, Signature *s, const char *str);
66 static int DetectTlsValidSetup (DetectEngineCtx *, Signature *s, const char *str);
67 static int DetectTlsNotBeforeSetup (DetectEngineCtx *, Signature *s, const char *str);
68 static int DetectTlsNotAfterSetup (DetectEngineCtx *, Signature *s, const char *str);
69 static int DetectTlsValiditySetup (DetectEngineCtx *, Signature *s, const char *str, uint8_t);
70 #ifdef UNITTESTS
71 static void TlsNotBeforeRegisterTests(void);
72 static void TlsNotAfterRegisterTests(void);
73 static void TlsExpiredRegisterTests(void);
74 static void TlsValidRegisterTests(void);
75 #endif /* UNITTESTS */
76 static void DetectTlsValidityFree(void *);
77 static int g_tls_validity_buffer_id = 0;
78 
79 static int DetectEngineInspectTlsValidity(ThreadVars *tv,
80  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
81  const Signature *s, const SigMatchData *smd,
82  Flow *f, uint8_t flags, void *alstate,
83  void *txv, uint64_t tx_id);
84 
85 /**
86  * \brief Registration function for tls validity keywords.
87  */
89 {
90  sigmatch_table[DETECT_AL_TLS_NOTBEFORE].name = "tls_cert_notbefore";
91  sigmatch_table[DETECT_AL_TLS_NOTBEFORE].desc = "match TLS certificate notBefore field";
92  sigmatch_table[DETECT_AL_TLS_NOTBEFORE].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#tls-cert-notbefore";
93  sigmatch_table[DETECT_AL_TLS_NOTBEFORE].AppLayerTxMatch = DetectTlsValidityMatch;
94  sigmatch_table[DETECT_AL_TLS_NOTBEFORE].Setup = DetectTlsNotBeforeSetup;
95  sigmatch_table[DETECT_AL_TLS_NOTBEFORE].Free = DetectTlsValidityFree;
96 #ifdef UNITTESTS
98 #endif
99 
100  sigmatch_table[DETECT_AL_TLS_NOTAFTER].name = "tls_cert_notafter";
101  sigmatch_table[DETECT_AL_TLS_NOTAFTER].desc = "match TLS certificate notAfter field";
102  sigmatch_table[DETECT_AL_TLS_NOTAFTER].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#tls-cert-notafter";
103  sigmatch_table[DETECT_AL_TLS_NOTAFTER].AppLayerTxMatch = DetectTlsValidityMatch;
104  sigmatch_table[DETECT_AL_TLS_NOTAFTER].Setup = DetectTlsNotAfterSetup;
105  sigmatch_table[DETECT_AL_TLS_NOTAFTER].Free = DetectTlsValidityFree;
106 #ifdef UNITTESTS
108 #endif
109 
110  sigmatch_table[DETECT_AL_TLS_EXPIRED].name = "tls_cert_expired";
111  sigmatch_table[DETECT_AL_TLS_EXPIRED].desc = "match expired TLS certificates";
112  sigmatch_table[DETECT_AL_TLS_EXPIRED].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#tls-cert-expired";
113  sigmatch_table[DETECT_AL_TLS_EXPIRED].AppLayerTxMatch = DetectTlsValidityMatch;
114  sigmatch_table[DETECT_AL_TLS_EXPIRED].Setup = DetectTlsExpiredSetup;
115  sigmatch_table[DETECT_AL_TLS_EXPIRED].Free = DetectTlsValidityFree;
117 #ifdef UNITTESTS
119 #endif
120 
121  sigmatch_table[DETECT_AL_TLS_VALID].name = "tls_cert_valid";
122  sigmatch_table[DETECT_AL_TLS_VALID].desc = "match valid TLS certificates";
123  sigmatch_table[DETECT_AL_TLS_VALID].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#tls-cert-valid";
124  sigmatch_table[DETECT_AL_TLS_VALID].AppLayerTxMatch = DetectTlsValidityMatch;
125  sigmatch_table[DETECT_AL_TLS_VALID].Setup = DetectTlsValidSetup;
126  sigmatch_table[DETECT_AL_TLS_VALID].Free = DetectTlsValidityFree;
128 #ifdef UNITTESTS
130 #endif
131 
132  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
133 
136  DetectEngineInspectTlsValidity);
137 
138  g_tls_validity_buffer_id = DetectBufferTypeGetByName("tls_validity");
139 }
140 
141 static int DetectEngineInspectTlsValidity(ThreadVars *tv,
142  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
143  const Signature *s, const SigMatchData *smd,
144  Flow *f, uint8_t flags, void *alstate,
145  void *txv, uint64_t tx_id)
146 {
147  return DetectEngineInspectGenericList(tv, de_ctx, det_ctx, s, smd,
148  f, flags, alstate, txv, tx_id);
149 }
150 /**
151  * \internal
152  * \brief Function to match validity field in a tls certificate.
153  *
154  * \param t Pointer to thread vars.
155  * \param det_ctx Pointer to the pattern matcher thread.
156  * \param f Pointer to the current flow.
157  * \param flags Flags.
158  * \param state App layer state.
159  * \param s Pointer to the Signature.
160  * \param m Pointer to the sigmatch that we will cast into
161  * DetectTlsValidityData.
162  *
163  * \retval 0 no match.
164  * \retval 1 match.
165  */
166 static int DetectTlsValidityMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
167  Flow *f, uint8_t flags, void *state,
168  void *txv, const Signature *s,
169  const SigMatchCtx *ctx)
170 {
171  SCEnter();
172 
173  SSLState *ssl_state = (SSLState *)state;
174  if (ssl_state == NULL) {
175  SCLogDebug("no tls state, no match");
176  SCReturnInt(0);
177  }
178 
179  int ret = 0;
180 
181  SSLStateConnp *connp = NULL;
182  if (flags & STREAM_TOSERVER)
183  connp = &ssl_state->client_connp;
184  else
185  connp = &ssl_state->server_connp;
186 
187  const DetectTlsValidityData *dd = (const DetectTlsValidityData *)ctx;
188 
189  time_t cert_epoch = 0;
190  if (dd->type == DETECT_TLS_TYPE_NOTBEFORE)
191  cert_epoch = connp->cert0_not_before;
192  else if (dd->type == DETECT_TLS_TYPE_NOTAFTER)
193  cert_epoch = connp->cert0_not_after;
194 
195  if (cert_epoch == 0)
196  SCReturnInt(0);
197 
198  if ((dd->mode & DETECT_TLS_VALIDITY_EQ) && cert_epoch == dd->epoch)
199  ret = 1;
200  else if ((dd->mode & DETECT_TLS_VALIDITY_LT) && cert_epoch <= dd->epoch)
201  ret = 1;
202  else if ((dd->mode & DETECT_TLS_VALIDITY_GT) && cert_epoch >= dd->epoch)
203  ret = 1;
204  else if ((dd->mode & DETECT_TLS_VALIDITY_RA) &&
205  cert_epoch >= dd->epoch && cert_epoch <= dd->epoch2)
206  ret = 1;
207  else if ((dd->mode & DETECT_TLS_VALIDITY_EX) &&
208  f->lastts.tv_sec > cert_epoch)
209  ret = 1;
210  else if ((dd->mode & DETECT_TLS_VALIDITY_VA) &&
211  f->lastts.tv_sec <= cert_epoch)
212  ret = 1;
213 
214  SCReturnInt(ret);
215 }
216 
217 /**
218  * \internal
219  * \brief Function to check if string is epoch.
220  *
221  * \param string Date string.
222  *
223  * \retval epoch time on success.
224  * \retval 0 on failure.
225  */
226 static time_t StringIsEpoch (char *string)
227 {
228  if (strlen(string) == 0)
229  return -1;
230 
231  /* We assume that the date string is epoch if it consists of only
232  digits. */
233  char *sp = string;
234  while (*sp) {
235  if (isdigit(*sp++) == 0)
236  return -1;
237  }
238 
239  return strtol(string, NULL, 10);
240 }
241 
242 /**
243  * \internal
244  * \brief Function to convert date string to epoch.
245  *
246  * \param string Date string.
247  *
248  * \retval epoch on success.
249  * \retval 0 on failure.
250  */
251 static time_t DateStringToEpoch (char *string)
252 {
253  int r = 0;
254  struct tm tm;
255  const char *patterns[] = {
256  /* ISO 8601 */
257  "%Y-%m",
258  "%Y-%m-%d",
259  "%Y-%m-%d %H",
260  "%Y-%m-%d %H:%M",
261  "%Y-%m-%d %H:%M:%S",
262  "%Y-%m-%dT%H",
263  "%Y-%m-%dT%H:%M",
264  "%Y-%m-%dT%H:%M:%S",
265  "%H:%M",
266  "%H:%M:%S",
267  };
268 
269  /* Skip leading whitespace. */
270  while (isspace(*string))
271  string++;
272 
273  size_t inlen, oldlen;
274 
275  oldlen = inlen = strlen(string);
276 
277  /* Skip trailing whitespace */
278  while (inlen > 0 && isspace(string[inlen - 1]))
279  inlen--;
280 
281  char tmp[inlen + 1];
282 
283  if (inlen < oldlen) {
284  strlcpy(tmp, string, inlen + 1);
285  string = tmp;
286  }
287 
288  time_t epoch = StringIsEpoch(string);
289  if (epoch != -1) {
290  return epoch;;
291  }
292 
293  r = SCStringPatternToTime(string, patterns, 10, &tm);
294 
295  if (r != 0)
296  return -1;
297 
298  return SCMkTimeUtc(&tm);
299 }
300 
301 /**
302  * \internal
303  * \brief Function to parse options passed via tls validity keywords.
304  *
305  * \param rawstr Pointer to the user provided options.
306  *
307  * \retval dd pointer to DetectTlsValidityData on success.
308  * \retval NULL on failure.
309  */
310 static DetectTlsValidityData *DetectTlsValidityParse (const char *rawstr)
311 {
312  DetectTlsValidityData *dd = NULL;
313 #define MAX_SUBSTRINGS 30
314  int ret = 0, res = 0;
315  int ov[MAX_SUBSTRINGS];
316  char mode[2] = "";
317  char value1[20] = "";
318  char value2[20] = "";
319  char range[3] = "";
320 
321  ret = pcre_exec(parse_regex, parse_regex_study, rawstr, strlen(rawstr), 0,
322  0, ov, MAX_SUBSTRINGS);
323  if (ret < 3 || ret > 5) {
324  SCLogError(SC_ERR_PCRE_MATCH, "Parse error %s", rawstr);
325  goto error;
326  }
327 
328  res = pcre_copy_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 1, mode,
329  sizeof(mode));
330  if (res < 0) {
331  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
332  goto error;
333  }
334  SCLogDebug("mode \"%s\"", mode);
335 
336  res = pcre_copy_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 2, value1,
337  sizeof(value1));
338  if (res < 0) {
339  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
340  goto error;
341  }
342  SCLogDebug("value1 \"%s\"", value1);
343 
344  if (ret > 3) {
345  res = pcre_copy_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 3,
346  range, sizeof(range));
347  if (res < 0) {
348  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
349  goto error;
350  }
351  SCLogDebug("range \"%s\"", range);
352 
353  if (ret > 4) {
354  res = pcre_copy_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 4,
355  value2, sizeof(value2));
356  if (res < 0) {
358  "pcre_copy_substring failed");
359  goto error;
360  }
361  SCLogDebug("value2 \"%s\"", value2);
362  }
363  }
364 
365  dd = SCMalloc(sizeof(DetectTlsValidityData));
366  if (unlikely(dd == NULL))
367  goto error;
368 
369  dd->epoch = 0;
370  dd->epoch2 = 0;
371  dd->mode = 0;
372 
373  if (strlen(mode) > 0) {
374  if (mode[0] == '<')
376  else if (mode[0] == '>')
378  }
379 
380  if (strlen(range) > 0) {
381  if (strcmp("<>", range) == 0)
383  }
384 
385  if (strlen(range) != 0 && strlen(mode) != 0) {
387  "Range specified but mode also set");
388  goto error;
389  }
390 
391  if (dd->mode == 0) {
393  }
394 
395  /* set the first value */
396  dd->epoch = DateStringToEpoch(value1);
397  if (dd->epoch == -1)
398  goto error;
399 
400  /* set the second value if specified */
401  if (strlen(value2) > 0) {
402  if (!(dd->mode & DETECT_TLS_VALIDITY_RA)) {
404  "Multiple tls validity values specified but mode is not range");
405  goto error;
406  }
407 
408  dd->epoch2 = DateStringToEpoch(value2);
409  if (dd->epoch2 == -1)
410  goto error;
411 
412  if (dd->epoch2 <= dd->epoch) {
414  "Second value in range must not be smaller than the first");
415  goto error;
416  }
417  }
418  return dd;
419 
420 error:
421  if (dd)
422  SCFree(dd);
423  return NULL;
424 }
425 
426 /**
427  * \brief Function to add the parsed tls_cert_expired into the current signature.
428  *
429  * \param de_ctx Pointer to the Detection Engine Context.
430  * \param s Pointer to the Current Signature.
431  * \param rawstr Pointer to the user provided flags options.
432  *
433  * \retval 0 on Success.
434  * \retval -1 on Failure.
435  */
436 static int DetectTlsExpiredSetup (DetectEngineCtx *de_ctx, Signature *s,
437  const char *rawstr)
438 {
439  DetectTlsValidityData *dd = NULL;
440  SigMatch *sm = NULL;
441 
442  SCLogDebug("\'%s\'", rawstr);
443 
445  return -1;
446 
447  dd = SCCalloc(1, sizeof(DetectTlsValidityData));
448  if (dd == NULL) {
449  SCLogError(SC_ERR_INVALID_ARGUMENT,"Allocation \'%s\' failed", rawstr);
450  goto error;
451  }
452 
453  /* okay so far so good, lets get this into a SigMatch
454  * and put it in the Signature. */
455  sm = SigMatchAlloc();
456  if (sm == NULL)
457  goto error;
458 
461  dd->epoch = 0;
462  dd->epoch2 = 0;
463 
465  sm->ctx = (void *)dd;
466 
467  SigMatchAppendSMToList(s, sm, g_tls_validity_buffer_id);
468  return 0;
469 
470 error:
471  DetectTlsValidityFree(dd);
472  if (sm)
473  SCFree(sm);
474  return -1;
475 }
476 
477 /**
478  * \brief Function to add the parsed tls_cert_valid into the current signature.
479  *
480  * \param de_ctx Pointer to the Detection Engine Context.
481  * \param s Pointer to the Current Signature.
482  * \param rawstr Pointer to the user provided flags options.
483  *
484  * \retval 0 on Success.
485  * \retval -1 on Failure.
486  */
487 static int DetectTlsValidSetup (DetectEngineCtx *de_ctx, Signature *s,
488  const char *rawstr)
489 {
490  DetectTlsValidityData *dd = NULL;
491  SigMatch *sm = NULL;
492 
493  SCLogDebug("\'%s\'", rawstr);
494 
496  return -1;
497 
498  dd = SCCalloc(1, sizeof(DetectTlsValidityData));
499  if (dd == NULL) {
500  SCLogError(SC_ERR_INVALID_ARGUMENT,"Allocation \'%s\' failed", rawstr);
501  goto error;
502  }
503 
504  /* okay so far so good, lets get this into a SigMatch
505  * and put it in the Signature. */
506  sm = SigMatchAlloc();
507  if (sm == NULL)
508  goto error;
509 
512  dd->epoch = 0;
513  dd->epoch2 = 0;
514 
516  sm->ctx = (void *)dd;
517 
518  SigMatchAppendSMToList(s, sm, g_tls_validity_buffer_id);
519  return 0;
520 
521 error:
522  DetectTlsValidityFree(dd);
523  if (sm)
524  SCFree(sm);
525  return -1;
526 }
527 
528 /**
529  * \brief Function to add the parsed tls_notbefore into the current signature.
530  *
531  * \param de_ctx Pointer to the Detection Engine Context.
532  * \param s Pointer to the Current Signature.
533  * \param rawstr Pointer to the user provided flags options.
534  *
535  * \retval 0 on Success.
536  * \retval -1 on Failure.
537  */
538 static int DetectTlsNotBeforeSetup (DetectEngineCtx *de_ctx, Signature *s,
539  const char *rawstr)
540 {
542  int r = DetectTlsValiditySetup(de_ctx, s, rawstr, type);
543 
544  SCReturnInt(r);
545 }
546 
547 /**
548  * \brief Function to add the parsed tls_notafter into the current signature.
549  *
550  * \param de_ctx Pointer to the Detection Engine Context.
551  * \param s Pointer to the Current Signature.
552  * \param rawstr Pointer to the user provided flags options.
553  *
554  * \retval 0 on Success.
555  * \retval -1 on Failure.
556  */
557 static int DetectTlsNotAfterSetup (DetectEngineCtx *de_ctx, Signature *s,
558  const char *rawstr)
559 {
560  uint8_t type = DETECT_TLS_TYPE_NOTAFTER;
561  int r = DetectTlsValiditySetup(de_ctx, s, rawstr, type);
562 
563  SCReturnInt(r);
564 }
565 
566 /**
567  * \brief Function to add the parsed tls validity field into the current signature.
568  *
569  * \param de_ctx Pointer to the Detection Engine Context.
570  * \param s Pointer to the Current Signature.
571  * \param rawstr Pointer to the user provided flags options.
572  * \param type Defines if this is notBefore or notAfter.
573  *
574  * \retval 0 on Success.
575  * \retval -1 on Failure.
576  */
577 static int DetectTlsValiditySetup (DetectEngineCtx *de_ctx, Signature *s,
578  const char *rawstr, uint8_t type)
579 {
580  DetectTlsValidityData *dd = NULL;
581  SigMatch *sm = NULL;
582 
583  SCLogDebug("\'%s\'", rawstr);
584 
586  return -1;
587 
588  dd = DetectTlsValidityParse(rawstr);
589  if (dd == NULL) {
590  SCLogError(SC_ERR_INVALID_ARGUMENT,"Parsing \'%s\' failed", rawstr);
591  goto error;
592  }
593 
594  /* okay so far so good, lets get this into a SigMatch
595  * and put it in the Signature. */
596  sm = SigMatchAlloc();
597  if (sm == NULL)
598  goto error;
599 
600  if (type == DETECT_TLS_TYPE_NOTBEFORE) {
603  }
604  else if (type == DETECT_TLS_TYPE_NOTAFTER) {
607  }
608  else {
609  goto error;
610  }
611 
612  sm->ctx = (void *)dd;
613 
614  SigMatchAppendSMToList(s, sm, g_tls_validity_buffer_id);
615  return 0;
616 
617 error:
618  DetectTlsValidityFree(dd);
619  if (sm)
620  SCFree(sm);
621  return -1;
622 }
623 
624 /**
625  * \internal
626  * \brief Function to free memory associated with DetectTlsValidityData.
627  *
628  * \param de_ptr Pointer to DetectTlsValidityData.
629  */
630 void DetectTlsValidityFree(void *de_ptr)
631 {
633  if (dd)
634  SCFree(dd);
635 }
636 
637 #ifdef UNITTESTS
639 #endif
void TlsValidRegisterTests(void)
Register unit tests for tls_cert_valid.
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1409
uint16_t flags
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1150
int(* AppLayerTxMatch)(ThreadVars *, DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1136
time_t cert0_not_before
#define SCLogDebug(...)
Definition: util-debug.h:335
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
void TlsExpiredRegisterTests(void)
Register unit tests for tls_cert_expired.
#define unlikely(expr)
Definition: util-optimize.h:35
#define DETECT_TLS_VALIDITY_RA
SSLStateConnp server_connp
#define DETECT_TLS_TYPE_NOTAFTER
Data needed for Match()
Definition: detect.h:331
time_t cert0_not_after
const char * name
Definition: detect.h:1164
int DetectEngineInspectGenericList(ThreadVars *tv, const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, const uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Signature container.
Definition: detect.h:496
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:317
void TlsNotBeforeRegisterTests(void)
Register unit tests for tls_cert_notbefore.
#define PARSE_REGEX
main detection engine ctx
Definition: detect.h:724
#define MAX_SUBSTRINGS
void DetectTlsValidityRegister(void)
Registration function for tls validity keywords.
time_t SCMkTimeUtc(struct tm *tp)
Convert broken-down time to seconds since Unix epoch.
Definition: util-time.c:410
SSLv[2.0|3.[0|1|2|3]] state structure.
int DetectBufferTypeGetByName(const char *name)
#define str(s)
#define SCCalloc(nm, a)
Definition: util-mem.h:197
#define SIG_FLAG_TOCLIENT
Definition: detect.h:242
void(* Free)(void *)
Definition: detect.h:1155
uint8_t type
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
void DetectSetupParseRegexes(const char *parse_str, pcre **parse_regex, pcre_extra **parse_regex_study)
#define SCEnter(...)
Definition: util-debug.h:337
#define DETECT_TLS_VALIDITY_LT
#define DETECT_TLS_VALIDITY_VA
uint8_t type
Definition: detect.h:323
#define SCReturnInt(x)
Definition: util-debug.h:341
struct timeval lastts
Definition: flow.h:358
#define DETECT_TLS_VALIDITY_EX
const char * desc
Definition: detect.h:1166
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:288
SigMatchCtx * ctx
Definition: detect.h:325
#define SCMalloc(a)
Definition: util-mem.h:166
#define DETECT_TLS_VALIDITY_GT
#define SCFree(a)
Definition: util-mem.h:228
PoolThreadReserved res
uint16_t tx_id
#define DETECT_TLS_TYPE_NOTBEFORE
int SCStringPatternToTime(char *string, const char **patterns, int num_patterns, struct tm *tp)
Parse a date string based on specified patterns.
Definition: util-time.c:453
#define SIGMATCH_NOOPT
Definition: detect.h:1332
const char * url
Definition: detect.h:1167
#define STREAM_TOSERVER
Definition: stream.h:31
#define DOC_URL
Definition: suricata.h:86
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:232
Per thread variable structure.
Definition: threadvars.h:57
void TlsNotAfterRegisterTests(void)
Register unit tests for tls_cert_notafter.
#define DOC_VERSION
Definition: suricata.h:91
uint16_t flags
Definition: detect.h:1158
Flow data structure.
Definition: flow.h:325
#define DETECT_TLS_VALIDITY_EQ
SSLStateConnp client_connp
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback)
register inspect engine at start up time
void(* RegisterTests)(void)
Definition: detect.h:1156
a single match condition for a signature
Definition: detect.h:322