suricata
detect-tls-ja3-hash.c
Go to the documentation of this file.
1 /* Copyright (C) 2017 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Mats Klepsland <mats.klepsland@gmail.com>
22  *
23  * Implements support for ja3_hash keyword.
24  */
25 
26 #include "suricata-common.h"
27 #include "threads.h"
28 #include "debug.h"
29 #include "decode.h"
30 #include "detect.h"
31 
32 #include "detect-parse.h"
33 #include "detect-engine.h"
34 #include "detect-engine-mpm.h"
36 #include "detect-content.h"
37 #include "detect-pcre.h"
38 #include "detect-tls-ja3-hash.h"
39 
40 #include "flow.h"
41 #include "flow-util.h"
42 #include "flow-var.h"
43 
44 #include "conf.h"
45 #include "conf-yaml-loader.h"
46 
47 #include "util-debug.h"
48 #include "util-unittest.h"
49 #include "util-spm.h"
50 #include "util-print.h"
51 #include "util-ja3.h"
52 
53 #include "stream-tcp.h"
54 
55 #include "app-layer.h"
56 #include "app-layer-ssl.h"
57 
58 #include "util-unittest.h"
59 #include "util-unittest-helper.h"
60 
61 static int DetectTlsJa3HashSetup(DetectEngineCtx *, Signature *, const char *);
62 static void DetectTlsJa3HashRegisterTests(void);
63 static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
64  const DetectEngineTransforms *transforms,
65  Flow *_f, const uint8_t _flow_flags,
66  void *txv, const int list_id);
67 static void DetectTlsJa3HashSetupCallback(const DetectEngineCtx *de_ctx,
68  Signature *s);
69 static _Bool DetectTlsJa3HashValidateCallback(const Signature *s,
70  const char **sigerror);
71 static int g_tls_ja3_hash_buffer_id = 0;
72 
73 /**
74  * \brief Registration function for keyword: ja3_hash
75  */
77 {
79  sigmatch_table[DETECT_AL_TLS_JA3_HASH].desc = "content modifier to match the JA3 hash buffer";
80  sigmatch_table[DETECT_AL_TLS_JA3_HASH].url = DOC_URL DOC_VERSION "/rules/ja3-keywords.html#ja3-hash";
82  sigmatch_table[DETECT_AL_TLS_JA3_HASH].Setup = DetectTlsJa3HashSetup;
84  sigmatch_table[DETECT_AL_TLS_JA3_HASH].RegisterTests = DetectTlsJa3HashRegisterTests;
85 
87 
90 
93 
94  DetectBufferTypeSetDescriptionByName("ja3_hash", "TLS JA3 hash");
95 
97  DetectTlsJa3HashSetupCallback);
98 
100  DetectTlsJa3HashValidateCallback);
101 
102  g_tls_ja3_hash_buffer_id = DetectBufferTypeGetByName("ja3_hash");
103 }
104 
105 /**
106  * \brief this function setup the ja3_hash modifier keyword used in the rule
107  *
108  * \param de_ctx Pointer to the Detection Engine Context
109  * \param s Pointer to the Signature to which the current keyword belongs
110  * \param str Should hold an empty string always
111  *
112  * \retval 0 On success
113  */
114 static int DetectTlsJa3HashSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
115 {
116  DetectBufferSetActiveList(s, g_tls_ja3_hash_buffer_id);
117  s->alproto = ALPROTO_TLS;
118 
119  if (RunmodeIsUnittests())
120  return 0;
121 
122  /* Check if JA3 is disabled */
123  if (Ja3IsDisabled("rule"))
124  return -1;
125 
126  return 0;
127 }
128 
129 static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
130  const DetectEngineTransforms *transforms, Flow *_f,
131  const uint8_t _flow_flags, void *txv, const int list_id)
132 {
133  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
134  if (buffer->inspect == NULL) {
135  SSLState *ssl_state = (SSLState *)_f->alstate;
136 
137  if (ssl_state->ja3_hash == NULL) {
138  return NULL;
139  }
140 
141  const uint32_t data_len = strlen(ssl_state->ja3_hash);
142  const uint8_t *data = (uint8_t *)ssl_state->ja3_hash;
143 
144  InspectionBufferSetup(buffer, data, data_len);
145  InspectionBufferApplyTransforms(buffer, transforms);
146  }
147 
148  return buffer;
149 }
150 
151 static _Bool DetectTlsJa3HashValidateCallback(const Signature *s,
152  const char **sigerror)
153 {
154  const SigMatch *sm = s->init_data->smlists[g_tls_ja3_hash_buffer_id];
155  for ( ; sm != NULL; sm = sm->next)
156  {
157  if (sm->type != DETECT_CONTENT)
158  continue;
159 
160  const DetectContentData *cd = (DetectContentData *)sm->ctx;
161 
162  if (cd->flags & DETECT_CONTENT_NOCASE) {
163  *sigerror = "ja3_hash should not be used together with "
164  "nocase, since the rule is automatically "
165  "lowercased anyway which makes nocase redundant.";
166  SCLogWarning(SC_WARN_POOR_RULE, "rule %u: %s", s->id, *sigerror);
167  }
168 
169  if (cd->content_len == 32)
170  return TRUE;
171 
172  *sigerror = "Invalid length of the specified JA3 hash (should "
173  "be 32 characters long). This rule will therefore "
174  "never match.";
175  SCLogWarning(SC_WARN_POOR_RULE, "rule %u: %s", s->id, *sigerror);
176  return FALSE;
177  }
178 
179  return TRUE;
180 }
181 
182 static void DetectTlsJa3HashSetupCallback(const DetectEngineCtx *de_ctx,
183  Signature *s)
184 {
185  SigMatch *sm = s->init_data->smlists[g_tls_ja3_hash_buffer_id];
186  for ( ; sm != NULL; sm = sm->next)
187  {
188  if (sm->type != DETECT_CONTENT)
189  continue;
190 
192 
193  _Bool changed = FALSE;
194  uint32_t u;
195  for (u = 0; u < cd->content_len; u++)
196  {
197  if (isupper(cd->content[u])) {
198  cd->content[u] = tolower(cd->content[u]);
199  changed = TRUE;
200  }
201  }
202 
203  /* recreate the context if changes were made */
204  if (changed) {
205  SpmDestroyCtx(cd->spm_ctx);
206  cd->spm_ctx = SpmInitCtx(cd->content, cd->content_len, 1,
207  de_ctx->spm_global_thread_ctx);
208  }
209  }
210 }
211 
212 #ifndef HAVE_NSS
213 
214 static void DetectTlsJa3HashRegisterTests(void)
215 {
216  /* Don't register any tests */
217 }
218 
219 #else /* HAVE_NSS */
220 
221 #ifdef UNITTESTS
222 
223 /**
224  * \test Test matching on a simple client hello packet
225  */
226 static int DetectTlsJa3HashTest01(void)
227 {
228  /* Client hello */
229  uint8_t buf[] = { 0x16, 0x03, 0x03, 0x00, 0x82, 0x01, 0x00, 0x00, 0x7E,
230  0x03, 0x03, 0x57, 0x04, 0x9F, 0x5D, 0xC9, 0x5C, 0x87,
231  0xAE, 0xF2, 0xA7, 0x4A, 0xFC, 0x59, 0x78, 0x23, 0x31,
232  0x61, 0x2D, 0x29, 0x92, 0xB6, 0x70, 0xA5, 0xA1, 0xFC,
233  0x0E, 0x79, 0xFE, 0xC3, 0x97, 0x37, 0xC0, 0x00, 0x00,
234  0x44, 0x00, 0x04, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x0D,
235  0x00, 0x10, 0x00, 0x13, 0x00, 0x16, 0x00, 0x2F, 0x00,
236  0x30, 0x00, 0x31, 0x00, 0x32, 0x00, 0x33, 0x00, 0x35,
237  0x00, 0x36, 0x00, 0x37, 0x00, 0x38, 0x00, 0x39, 0x00,
238  0x3C, 0x00, 0x3D, 0x00, 0x3E, 0x00, 0x3F, 0x00, 0x40,
239  0x00, 0x41, 0x00, 0x44, 0x00, 0x45, 0x00, 0x66, 0x00,
240  0x67, 0x00, 0x68, 0x00, 0x69, 0x00, 0x6A, 0x00, 0x6B,
241  0x00, 0x84, 0x00, 0x87, 0x00, 0xFF, 0x01, 0x00, 0x00,
242  0x13, 0x00, 0x00, 0x00, 0x0F, 0x00, 0x0D, 0x00, 0x00,
243  0x0A, 0x67, 0x6F, 0x6F, 0x67, 0x6C, 0x65, 0x2E, 0x63,
244  0x6F, 0x6D, };
245 
246 
247  Flow f;
248  SSLState *ssl_state = NULL;
249  Packet *p = NULL;
250  Signature *s = NULL;
251  ThreadVars tv;
252  DetectEngineThreadCtx *det_ctx = NULL;
253  TcpSession ssn;
255 
256  memset(&tv, 0, sizeof(ThreadVars));
257  memset(&f, 0, sizeof(Flow));
258  memset(&ssn, 0, sizeof(TcpSession));
259 
260  p = UTHBuildPacketReal(buf, sizeof(buf), IPPROTO_TCP,
261  "192.168.1.5", "192.168.1.1",
262  41424, 443);
263 
264  FLOW_INITIALIZE(&f);
265  f.protoctx = (void *)&ssn;
266  f.flags |= FLOW_IPV4;
267  f.proto = IPPROTO_TCP;
269 
270  p->flow = &f;
273  f.alproto = ALPROTO_TLS;
274 
276 
278  FAIL_IF_NULL(de_ctx);
279 
281  de_ctx->flags |= DE_QUIET;
282 
283  s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
284  "(msg:\"Test ja3_hash\"; ja3_hash; "
285  "content:\"e7eca2baf4458d095b7f45da28c16c34\"; "
286  "sid:1;)");
287  FAIL_IF_NULL(s);
288 
289  SigGroupBuild(de_ctx);
290  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
291 
292  FLOWLOCK_WRLOCK(&f);
293  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
294  STREAM_TOSERVER, buf, sizeof(buf));
295  FLOWLOCK_UNLOCK(&f);
296  FAIL_IF(r != 0);
297 
298  ssl_state = f.alstate;
299  FAIL_IF_NULL(ssl_state);
300 
301  FAIL_IF_NULL(ssl_state->ja3_hash);
302 
303  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
304 
306 
307  AppLayerParserThreadCtxFree(alp_tctx);
308  DetectEngineThreadCtxDeinit(&tv, det_ctx);
309  DetectEngineCtxFree(de_ctx);
310 
312  FLOW_DESTROY(&f);
313  UTHFreePacket(p);
314 
315  PASS;
316 }
317 
318 /**
319  * \test Test matching on a simple client hello packet
320  */
321 static int DetectTlsJa3HashTest02(void)
322 {
323  /* Client hello */
324  uint8_t buf[] = { 0x16, 0x03, 0x01, 0x00, 0xc0, 0x01, 0x00, 0x00, 0xbc,
325  0x03, 0x03, 0x03, 0xb7, 0x16, 0x16, 0x5a, 0xe7, 0xc1,
326  0xbd, 0x46, 0x2f, 0xff, 0xf3, 0x68, 0xb8, 0x6f, 0x6e,
327  0x93, 0xdf, 0x06, 0x6a, 0xa7, 0x2d, 0xa0, 0xea, 0x9f,
328  0x48, 0xb5, 0xe7, 0x91, 0x20, 0xd7, 0x25, 0x00, 0x00,
329  0x1c, 0x0a, 0x0a, 0xc0, 0x2b, 0xc0, 0x2f, 0xc0, 0x2c,
330  0xc0, 0x30, 0xcc, 0xa9, 0xcc, 0xa8, 0xc0, 0x13, 0xc0,
331  0x14, 0x00, 0x9c, 0x00, 0x9d, 0x00, 0x2f, 0x00, 0x35,
332  0x00, 0x0a, 0x01, 0x00, 0x00, 0x77, 0x1a, 0x1a, 0x00,
333  0x00, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
334  0x12, 0x00, 0x10, 0x00, 0x00, 0x0d, 0x77, 0x77, 0x77,
335  0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x6e,
336  0x6f, 0x00, 0x17, 0x00, 0x00, 0x00, 0x23, 0x00, 0x00,
337  0x00, 0x0d, 0x00, 0x14, 0x00, 0x12, 0x04, 0x03, 0x08,
338  0x04, 0x04, 0x01, 0x05, 0x03, 0x08, 0x05, 0x05, 0x01,
339  0x08, 0x06, 0x06, 0x01, 0x02, 0x01, 0x00, 0x05, 0x00,
340  0x05, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x12, 0x00,
341  0x00, 0x00, 0x10, 0x00, 0x0e, 0x00, 0x0c, 0x02, 0x68,
342  0x32, 0x08, 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e,
343  0x31, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x0a,
344  0x00, 0x0a, 0x00, 0x08, 0xba, 0xba, 0x00, 0x1d, 0x00,
345  0x17, 0x00, 0x18, 0x0a, 0x0a, 0x00, 0x01, 0x00 };
346 
347  Flow f;
348  SSLState *ssl_state = NULL;
349  Packet *p = NULL;
350  Signature *s = NULL;
351  ThreadVars tv;
352  DetectEngineThreadCtx *det_ctx = NULL;
353  TcpSession ssn;
355 
356  memset(&tv, 0, sizeof(ThreadVars));
357  memset(&f, 0, sizeof(Flow));
358  memset(&ssn, 0, sizeof(TcpSession));
359 
360  p = UTHBuildPacketReal(buf, sizeof(buf), IPPROTO_TCP,
361  "192.168.1.5", "192.168.1.1",
362  41424, 443);
363 
364  FLOW_INITIALIZE(&f);
365  f.protoctx = (void *)&ssn;
366  f.flags |= FLOW_IPV4;
367  f.proto = IPPROTO_TCP;
369 
370  p->flow = &f;
373  f.alproto = ALPROTO_TLS;
374 
376 
378  FAIL_IF_NULL(de_ctx);
379 
381  de_ctx->flags |= DE_QUIET;
382 
383  s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
384  "(msg:\"Test ja3_hash\"; ja3_hash; "
385  "content:\"bc6c386f480ee97b9d9e52d472b772d8\"; "
386  "sid:1;)");
387  FAIL_IF_NULL(s);
388 
389  SigGroupBuild(de_ctx);
390  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
391 
392  FLOWLOCK_WRLOCK(&f);
393  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
394  STREAM_TOSERVER, buf, sizeof(buf));
395  FLOWLOCK_UNLOCK(&f);
396  FAIL_IF(r != 0);
397 
398  ssl_state = f.alstate;
399  FAIL_IF_NULL(ssl_state);
400 
401  FAIL_IF_NULL(ssl_state->ja3_hash);
402 
403  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
404 
406 
407  AppLayerParserThreadCtxFree(alp_tctx);
408  DetectEngineThreadCtxDeinit(&tv, det_ctx);
409  DetectEngineCtxFree(de_ctx);
410 
412  FLOW_DESTROY(&f);
413  UTHFreePacket(p);
414 
415  PASS;
416 }
417 #endif /* UNITTESTS */
418 
419 static void DetectTlsJa3HashRegisterTests(void)
420 {
421 #ifdef UNITTESTS
422  UtRegisterTest("DetectTlsJa3HashTest01", DetectTlsJa3HashTest01);
423  UtRegisterTest("DetectTlsJa3HashTest02", DetectTlsJa3HashTest02);
424 #endif /* UNITTESTS */
425 }
426 
427 #endif /* HAVE_NSS */
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1406
SignatureInitData * init_data
Definition: detect.h:563
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1149
SpmGlobalThreadCtx * spm_global_thread_ctx
Definition: detect.h:777
struct Flow_ * flow
Definition: decode.h:443
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
uint8_t proto
Definition: flow.h:343
uint32_t id
Definition: detect.h:528
#define FALSE
#define FLOWLOCK_UNLOCK(fb)
Definition: flow.h:242
#define PASS
Pass the test.
int PrefilterGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectMpmAppLayerRegistery *mpm_reg, int list_id)
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:95
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:202
void DetectBufferTypeRegisterSetupCallback(const char *name, void(*SetupCallback)(const DetectEngineCtx *, Signature *))
void StreamTcpFreeConfig(char quiet)
Definition: stream-tcp.c:669
#define FLOWLOCK_WRLOCK(fb)
Definition: flow.h:239
int Ja3IsDisabled(const char *type)
Check if JA3 is disabled.
Definition: util-ja3.c:262
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
InspectionBuffer * InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
const char * name
Definition: detect.h:1163
Signature container.
Definition: detect.h:495
#define TRUE
void * protoctx
Definition: flow.h:395
struct SigMatch_ * next
Definition: detect.h:326
main detection engine ctx
Definition: detect.h:723
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
SSLv[2.0|3.[0|1|2|3]] state structure.
void * alstate
Definition: flow.h:433
#define DE_QUIET
Definition: detect.h:296
int DetectBufferTypeGetByName(const char *name)
#define str(s)
SpmCtx * SpmInitCtx(const uint8_t *needle, uint16_t needle_len, int nocase, SpmGlobalThreadCtx *global_thread_ctx)
Definition: util-spm.c:166
uint8_t flags
Definition: detect.h:724
void(* Free)(void *)
Definition: detect.h:1154
#define FLOW_DESTROY(f)
Definition: flow-util.h:115
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
uint16_t mpm_matcher
Definition: detect.h:772
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1743
#define SIG_FLAG_TOSERVER
Definition: detect.h:241
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
Definition: stream-tcp.c:365
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
Packet * UTHBuildPacketReal(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, const char *src, const char *dst, uint16_t sport, uint16_t dport)
UTHBuildPacketReal is a function that create tcp/udp packets for unittests specifying ip and port sou...
uint8_t flowflags
Definition: decode.h:437
#define FLOW_PKT_TOSERVER
Definition: flow.h:200
AppProto alproto
Definition: detect.h:499
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol&#39;s parser thread context.
int RunmodeIsUnittests(void)
Definition: suricata.c:259
uint8_t type
Definition: detect.h:323
int DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
Definition: util-debug.h:281
const char * desc
Definition: detect.h:1165
struct SigMatch_ ** smlists
Definition: detect.h:489
SigMatchCtx * ctx
Definition: detect.h:325
int mpm_default_matcher
Definition: util-mpm.h:170
char * ja3_hash
void DetectTlsJa3HashRegister(void)
Registration function for keyword: ja3_hash.
void InspectionBufferSetup(InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
void InspectionBufferApplyTransforms(InspectionBuffer *buffer, const DetectEngineTransforms *transforms)
#define SIGMATCH_NOOPT
Definition: detect.h:1331
int(* Match)(ThreadVars *, DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1132
void SpmDestroyCtx(SpmCtx *ctx)
Definition: util-spm.c:176
const char * url
Definition: detect.h:1166
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
#define STREAM_TOSERVER
Definition: stream.h:31
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself...
#define PKT_HAS_FLOW
Definition: decode.h:1092
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
int DetectBufferSetActiveList(Signature *s, const int list)
const uint8_t * inspect
Definition: detect.h:347
#define DOC_URL
Definition: suricata.h:86
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
#define DETECT_CONTENT_NOCASE
Per thread variable structure.
Definition: threadvars.h:57
void DetectBufferTypeRegisterValidateCallback(const char *name, _Bool(*ValidateCallback)(const Signature *, const char **sigerror))
AppProto alproto
application level protocol
Definition: flow.h:404
uint32_t flags
Definition: decode.h:441
#define DOC_VERSION
Definition: suricata.h:91
uint16_t flags
Definition: detect.h:1157
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
uint8_t protomap
Definition: flow.h:399
Flow data structure.
Definition: flow.h:324
#define FLOW_IPV4
Definition: flow.h:93
uint32_t flags
Definition: flow.h:374
#define PKT_STREAM_EST
Definition: decode.h:1090
void(* RegisterTests)(void)
Definition: detect.h:1155
a single match condition for a signature
Definition: detect.h:322
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
Definition: util-unittest.h:82
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, uint8_t *input, uint32_t input_len)
DetectEngineCtx * DetectEngineCtxInit(void)
void DetectAppLayerMpmRegister2(const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectMpmAppLayerRegistery *mpm_reg, int list_id), InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register a MPM engine