suricata
detect-urilen.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Gurvinder Singh <gurvindersighdahiya@gmail.com>
22  *
23  * Implements the urilen keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "app-layer.h"
28 #include "app-layer-protos.h"
29 #include "app-layer-htp.h"
30 #include "util-unittest.h"
31 #include "util-unittest-helper.h"
32 
33 #include "detect.h"
34 #include "detect-parse.h"
35 #include "detect-engine.h"
36 #include "detect-engine-state.h"
37 #include "detect-engine-build.h"
38 #include "detect-content.h"
39 #include "detect-engine-uint.h"
40 
41 #include "detect-urilen.h"
42 #include "util-debug.h"
43 #include "util-byte.h"
44 #include "flow-util.h"
45 #include "stream-tcp.h"
46 
47 
48 /*prototypes*/
49 static int DetectUrilenSetup (DetectEngineCtx *, Signature *, const char *);
50 static void DetectUrilenFree (DetectEngineCtx *, void *);
51 #ifdef UNITTESTS
52 static void DetectUrilenRegisterTests (void);
53 #endif
54 static int g_http_uri_buffer_id = 0;
55 static int g_http_raw_uri_buffer_id = 0;
56 
57 /**
58  * \brief Registration function for urilen: keyword
59  */
60 
62 {
64  sigmatch_table[DETECT_AL_URILEN].desc = "match on the length of the HTTP uri";
65  sigmatch_table[DETECT_AL_URILEN].url = "/rules/http-keywords.html#urilen";
67  sigmatch_table[DETECT_AL_URILEN].Setup = DetectUrilenSetup;
68  sigmatch_table[DETECT_AL_URILEN].Free = DetectUrilenFree;
69 #ifdef UNITTESTS
70  sigmatch_table[DETECT_AL_URILEN].RegisterTests = DetectUrilenRegisterTests;
71 #endif
72 
73  g_http_uri_buffer_id = DetectBufferTypeRegister("http_uri");
74  g_http_raw_uri_buffer_id = DetectBufferTypeRegister("http_raw_uri");
75 }
76 
77 /**
78  * \brief This function is used to parse urilen options passed via urilen: keyword
79  *
80  * \param urilenstr Pointer to the user provided urilen options
81  *
82  * \retval urilend pointer to DetectUrilenData on success
83  * \retval NULL on failure
84  */
85 
86 static DetectUrilenData *DetectUrilenParse (const char *urilenstr)
87 {
88  return rs_detect_urilen_parse(urilenstr);
89 }
90 
91 /**
92  * \brief this function is used to parse urilen data into the current signature
93  *
94  * \param de_ctx pointer to the Detection Engine Context
95  * \param s pointer to the Current Signature
96  * \param urilenstr pointer to the user provided urilen options
97  *
98  * \retval 0 on Success
99  * \retval -1 on Failure
100  */
101 static int DetectUrilenSetup (DetectEngineCtx *de_ctx, Signature *s, const char *urilenstr)
102 {
103  SCEnter();
104  DetectUrilenData *urilend = NULL;
105  SigMatch *sm = NULL;
106 
108  return -1;
109 
110  urilend = DetectUrilenParse(urilenstr);
111  if (urilend == NULL)
112  goto error;
113  sm = SigMatchAlloc();
114  if (sm == NULL)
115  goto error;
116  sm->type = DETECT_AL_URILEN;
117  sm->ctx = (void *)urilend;
118 
119  if (urilend->raw_buffer)
120  SigMatchAppendSMToList(s, sm, g_http_raw_uri_buffer_id);
121  else
122  SigMatchAppendSMToList(s, sm, g_http_uri_buffer_id);
123 
124  SCReturnInt(0);
125 
126 error:
127  DetectUrilenFree(de_ctx, urilend);
128  SCReturnInt(-1);
129 }
130 
131 /**
132  * \brief this function will free memory associated with DetectUrilenData
133  *
134  * \param ptr pointer to DetectUrilenData
135  */
136 static void DetectUrilenFree(DetectEngineCtx *de_ctx, void *ptr)
137 {
138  if (ptr == NULL)
139  return;
140 
141  DetectUrilenData *urilend = (DetectUrilenData *)ptr;
142  rs_detect_urilen_free(urilend);
143 }
144 
145 /** \brief set prefilter dsize pair
146  * \param s signature to get dsize value from
147  */
149 {
150  uint16_t high = UINT16_MAX;
151  bool found = false;
152 
153  SigMatch *sm = s->init_data->smlists[list];
154  for ( ; sm != NULL; sm = sm->next) {
155  if (sm->type != DETECT_AL_URILEN)
156  continue;
157 
158  DetectUrilenData *dd = (DetectUrilenData *)sm->ctx;
159 
160  switch (dd->du16.mode) {
161  case DETECT_UINT_LT:
162  if (dd->du16.arg1 < UINT16_MAX) {
163  high = dd->du16.arg1 + 1;
164  }
165  break;
166  case DETECT_UINT_LTE:
167  // fallthrough
168  case DETECT_UINT_EQ:
169  high = dd->du16.arg1;
170  break;
171  case DETECT_UINT_RA:
172  if (dd->du16.arg2 < UINT16_MAX) {
173  high = dd->du16.arg2 + 1;
174  }
175  break;
176  case DETECT_UINT_NE:
177  // fallthrough
178  case DETECT_UINT_GTE:
179  // fallthrough
180  case DETECT_UINT_GT:
181  high = UINT16_MAX;
182  break;
183  }
184  found = true;
185  }
186 
187  // skip 65535 to avoid mismatch on uri > 64k
188  if (!found || high == UINT16_MAX)
189  return;
190 
191  SCLogDebug("high %u", high);
192 
193  sm = s->init_data->smlists[list];
194  for ( ; sm != NULL; sm = sm->next) {
195  if (sm->type != DETECT_CONTENT) {
196  continue;
197  }
199  if (cd == NULL) {
200  continue;
201  }
202 
203  if (cd->depth == 0 || cd->depth > high) {
204  cd->depth = high;
206  SCLogDebug("updated %u, content %u to have depth %u "
207  "because of urilen.", s->id, cd->id, cd->depth);
208  }
209  }
210 }
211 
212 bool DetectUrilenValidateContent(const Signature *s, int list, const char **sigerror)
213 {
214  const SigMatch *sm = s->init_data->smlists[list];
215  for ( ; sm != NULL; sm = sm->next) {
216  if (sm->type != DETECT_CONTENT) {
217  continue;
218  }
220  if (cd == NULL) {
221  continue;
222  }
223 
224  if (cd->depth && cd->depth < cd->content_len) {
225  *sigerror = "depth or urilen smaller than content len";
226  SCLogError("depth or urilen %u smaller "
227  "than content len %u",
228  cd->depth, cd->content_len);
229  return false;
230  }
231  }
232  return true;
233 }
234 
235 #ifdef UNITTESTS
236 
237 #include "stream.h"
238 #include "stream-tcp-private.h"
239 #include "stream-tcp-reassemble.h"
240 #include "detect-engine-mpm.h"
241 #include "app-layer-parser.h"
242 #include "detect-engine-alert.h"
243 
244 /** \test Test the Urilen keyword setup */
245 static int DetectUrilenParseTest01(void)
246 {
247  int ret = 0;
248  DetectUrilenData *urilend = NULL;
249 
250  urilend = DetectUrilenParse("10");
251  if (urilend != NULL) {
252  if (urilend->du16.arg1 == 10 && urilend->du16.mode == DETECT_UINT_EQ &&
253  !urilend->raw_buffer)
254  ret = 1;
255 
256  DetectUrilenFree(NULL, urilend);
257  }
258  return ret;
259 }
260 
261 /** \test Test the Urilen keyword setup */
262 static int DetectUrilenParseTest02(void)
263 {
264  int ret = 0;
265  DetectUrilenData *urilend = NULL;
266 
267  urilend = DetectUrilenParse(" < 10 ");
268  if (urilend != NULL) {
269  if (urilend->du16.arg1 == 10 && urilend->du16.mode == DETECT_UINT_LT &&
270  !urilend->raw_buffer)
271  ret = 1;
272 
273  DetectUrilenFree(NULL, urilend);
274  }
275  return ret;
276 }
277 
278 /** \test Test the Urilen keyword setup */
279 static int DetectUrilenParseTest03(void)
280 {
281  int ret = 0;
282  DetectUrilenData *urilend = NULL;
283 
284  urilend = DetectUrilenParse(" > 10 ");
285  if (urilend != NULL) {
286  if (urilend->du16.arg1 == 10 && urilend->du16.mode == DETECT_UINT_GT &&
287  !urilend->raw_buffer)
288  ret = 1;
289 
290  DetectUrilenFree(NULL, urilend);
291  }
292  return ret;
293 }
294 
295 /** \test Test the Urilen keyword setup */
296 static int DetectUrilenParseTest04(void)
297 {
298  int ret = 0;
299  DetectUrilenData *urilend = NULL;
300 
301  urilend = DetectUrilenParse(" 5 <> 10 ");
302  if (urilend != NULL) {
303  if (urilend->du16.arg1 == 5 && urilend->du16.arg2 == 10 &&
304  urilend->du16.mode == DETECT_UINT_RA && !urilend->raw_buffer)
305  ret = 1;
306 
307  DetectUrilenFree(NULL, urilend);
308  }
309  return ret;
310 }
311 
312 /** \test Test the Urilen keyword setup */
313 static int DetectUrilenParseTest05(void)
314 {
315  int ret = 0;
316  DetectUrilenData *urilend = NULL;
317 
318  urilend = DetectUrilenParse("5<>10,norm");
319  if (urilend != NULL) {
320  if (urilend->du16.arg1 == 5 && urilend->du16.arg2 == 10 &&
321  urilend->du16.mode == DETECT_UINT_RA && !urilend->raw_buffer)
322  ret = 1;
323 
324  DetectUrilenFree(NULL, urilend);
325  }
326  return ret;
327 }
328 
329 /** \test Test the Urilen keyword setup */
330 static int DetectUrilenParseTest06(void)
331 {
332  int ret = 0;
333  DetectUrilenData *urilend = NULL;
334 
335  urilend = DetectUrilenParse("5<>10,raw");
336  if (urilend != NULL) {
337  if (urilend->du16.arg1 == 5 && urilend->du16.arg2 == 10 &&
338  urilend->du16.mode == DETECT_UINT_RA && urilend->raw_buffer)
339  ret = 1;
340 
341  DetectUrilenFree(NULL, urilend);
342  }
343  return ret;
344 }
345 
346 /** \test Test the Urilen keyword setup */
347 static int DetectUrilenParseTest07(void)
348 {
349  int ret = 0;
350  DetectUrilenData *urilend = NULL;
351 
352  urilend = DetectUrilenParse(">10, norm ");
353  if (urilend != NULL) {
354  if (urilend->du16.arg1 == 10 && urilend->du16.mode == DETECT_UINT_GT &&
355  !urilend->raw_buffer)
356  ret = 1;
357 
358  DetectUrilenFree(NULL, urilend);
359  }
360  return ret;
361 }
362 
363 /** \test Test the Urilen keyword setup */
364 static int DetectUrilenParseTest08(void)
365 {
366  int ret = 0;
367  DetectUrilenData *urilend = NULL;
368 
369  urilend = DetectUrilenParse("<10, norm ");
370  if (urilend != NULL) {
371  if (urilend->du16.arg1 == 10 && urilend->du16.mode == DETECT_UINT_LT &&
372  !urilend->raw_buffer)
373  ret = 1;
374 
375  DetectUrilenFree(NULL, urilend);
376  }
377  return ret;
378 }
379 
380 /** \test Test the Urilen keyword setup */
381 static int DetectUrilenParseTest09(void)
382 {
383  int ret = 0;
384  DetectUrilenData *urilend = NULL;
385 
386  urilend = DetectUrilenParse(">10, raw ");
387  if (urilend != NULL) {
388  if (urilend->du16.arg1 == 10 && urilend->du16.mode == DETECT_UINT_GT && urilend->raw_buffer)
389  ret = 1;
390 
391  DetectUrilenFree(NULL, urilend);
392  }
393  return ret;
394 }
395 
396 /** \test Test the Urilen keyword setup */
397 static int DetectUrilenParseTest10(void)
398 {
399  int ret = 0;
400  DetectUrilenData *urilend = NULL;
401 
402  urilend = DetectUrilenParse("<10, raw ");
403  if (urilend != NULL) {
404  if (urilend->du16.arg1 == 10 && urilend->du16.mode == DETECT_UINT_LT && urilend->raw_buffer)
405  ret = 1;
406 
407  DetectUrilenFree(NULL, urilend);
408  }
409  return ret;
410 }
411 
412 /**
413  * \brief this function is used to initialize the detection engine context and
414  * setup the signature with passed values.
415  *
416  */
417 
418 static int DetectUrilenInitTest(DetectEngineCtx **de_ctx, Signature **sig,
419  DetectUrilenData **urilend, const char *str)
420 {
421  char fullstr[1024];
422  int result = 0;
423 
424  *de_ctx = NULL;
425  *sig = NULL;
426 
427  if (snprintf(fullstr, 1024, "alert ip any any -> any any (msg:\"Urilen "
428  "test\"; urilen:%s; sid:1;)", str) >= 1024) {
429  goto end;
430  }
431 
433  if (*de_ctx == NULL) {
434  goto end;
435  }
436 
437  (*de_ctx)->flags |= DE_QUIET;
438 
439  (*de_ctx)->sig_list = SigInit(*de_ctx, fullstr);
440  if ((*de_ctx)->sig_list == NULL) {
441  goto end;
442  }
443 
444  *sig = (*de_ctx)->sig_list;
445 
446  *urilend = DetectUrilenParse(str);
447 
448  result = 1;
449 
450 end:
451  return result;
452 }
453 
454 /**
455  * \test DetectUrilenSetpTest01 is a test for setting up an valid urilen values
456  * with valid "<>" operator and include spaces arround the given values.
457  * In the test the values are setup with initializing the detection engine
458  * context and setting up the signature itself.
459  */
460 
461 static int DetectUrilenSetpTest01(void)
462 {
463 
464  DetectUrilenData *urilend = NULL;
465  uint8_t res = 0;
466  Signature *sig = NULL;
467  DetectEngineCtx *de_ctx = NULL;
468 
469  res = DetectUrilenInitTest(&de_ctx, &sig, &urilend, "1 <> 2 ");
470  if (res == 0) {
471  goto end;
472  }
473 
474  if(urilend == NULL)
475  goto cleanup;
476 
477  if (urilend != NULL) {
478  if (urilend->du16.arg1 == 1 && urilend->du16.arg2 == 2 &&
479  urilend->du16.mode == DETECT_UINT_RA)
480  res = 1;
481  }
482 
483 cleanup:
484  if (urilend)
485  DetectUrilenFree(NULL, urilend);
489 end:
490  return res;
491 }
492 
493 /** \test Check a signature with gievn urilen */
494 static int DetectUrilenSigTest01(void)
495 {
496  int result = 0;
497  Flow f;
498  uint8_t httpbuf1[] = "POST /suricata HTTP/1.0\r\n"
499  "Host: foo.bar.tld\r\n"
500  "\r\n";
501  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
502  TcpSession ssn;
503  Packet *p = NULL;
504  Signature *s = NULL;
505  ThreadVars th_v;
506  DetectEngineThreadCtx *det_ctx;
508 
509  memset(&th_v, 0, sizeof(th_v));
510  memset(&f, 0, sizeof(f));
511  memset(&ssn, 0, sizeof(ssn));
512 
513  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
514 
515  FLOW_INITIALIZE(&f);
516  f.protoctx = (void *)&ssn;
517  f.proto = IPPROTO_TCP;
518  f.flags |= FLOW_IPV4;
519 
520  p->flow = &f;
525 
526  StreamTcpInitConfig(true);
527 
529  if (de_ctx == NULL) {
530  goto end;
531  }
532 
533  de_ctx->flags |= DE_QUIET;
534 
535  s = de_ctx->sig_list = SigInit(de_ctx,
536  "alert tcp any any -> any any "
537  "(msg:\"Testing urilen\"; "
538  "urilen: <5; sid:1;)");
539  if (s == NULL) {
540  goto end;
541  }
542 
543  s = s->next = SigInit(de_ctx,
544  "alert tcp any any -> any any "
545  "(msg:\"Testing http_method\"; "
546  "urilen: >5; sid:2;)");
547  if (s == NULL) {
548  goto end;
549  }
550 
552  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
553 
554  int r = AppLayerParserParse(
555  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
556  if (r != 0) {
557  SCLogDebug("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
558  goto end;
559  }
560 
561  HtpState *htp_state = f.alstate;
562  if (htp_state == NULL) {
563  SCLogDebug("no http state: ");
564  goto end;
565  }
566 
567  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
568 
569  if ((PacketAlertCheck(p, 1))) {
570  printf("sid 1 alerted, but should not have: \n");
571  goto end;
572  }
573  if (!PacketAlertCheck(p, 2)) {
574  printf("sid 2 did not alerted, but should have: \n");
575  goto end;
576  }
577 
578  result = 1;
579 
580 end:
581  if (alp_tctx != NULL)
583  if (de_ctx != NULL) SigGroupCleanup(de_ctx);
584  if (de_ctx != NULL) SigCleanSignatures(de_ctx);
585  if (de_ctx != NULL) DetectEngineCtxFree(de_ctx);
586 
587  StreamTcpFreeConfig(true);
588  FLOW_DESTROY(&f);
589  UTHFreePackets(&p, 1);
590  return result;
591 }
592 
593 /**
594  * \brief this function registers unit tests for DetectUrilen
595  */
596 void DetectUrilenRegisterTests(void)
597 {
598  UtRegisterTest("DetectUrilenParseTest01", DetectUrilenParseTest01);
599  UtRegisterTest("DetectUrilenParseTest02", DetectUrilenParseTest02);
600  UtRegisterTest("DetectUrilenParseTest03", DetectUrilenParseTest03);
601  UtRegisterTest("DetectUrilenParseTest04", DetectUrilenParseTest04);
602  UtRegisterTest("DetectUrilenParseTest05", DetectUrilenParseTest05);
603  UtRegisterTest("DetectUrilenParseTest06", DetectUrilenParseTest06);
604  UtRegisterTest("DetectUrilenParseTest07", DetectUrilenParseTest07);
605  UtRegisterTest("DetectUrilenParseTest08", DetectUrilenParseTest08);
606  UtRegisterTest("DetectUrilenParseTest09", DetectUrilenParseTest09);
607  UtRegisterTest("DetectUrilenParseTest10", DetectUrilenParseTest10);
608  UtRegisterTest("DetectUrilenSetpTest01", DetectUrilenSetpTest01);
609  UtRegisterTest("DetectUrilenSigTest01", DetectUrilenSigTest01);
610 }
611 #endif /* UNITTESTS */
util-byte.h
detect-engine-uint.h
SigTableElmt_::url
const char * url
Definition: detect.h:1243
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1500
detect-content.h
detect-engine.h
SigTableElmt_::desc
const char * desc
Definition: detect.h:1242
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1003
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1230
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1240
stream-tcp.h
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DETECT_UINT_LT
#define DETECT_UINT_LT
Definition: detect-engine-uint.h:37
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:62
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
DETECT_UINT_NE
#define DETECT_UINT_NE
Definition: detect-engine-uint.h:36
Flow_::proto
uint8_t proto
Definition: flow.h:379
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
Packet_::flags
uint32_t flags
Definition: decode.h:463
Flow_
Flow data structure.
Definition: flow.h:357
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:787
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2455
DETECT_UINT_EQ
#define DETECT_UINT_EQ
Definition: detect-engine-uint.h:35
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:314
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:227
DE_QUIET
#define DE_QUIET
Definition: detect.h:289
stream-tcp-reassemble.h
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:337
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1809
DetectContentData_
Definition: detect-content.h:88
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:46
DETECT_UINT_GT
#define DETECT_UINT_GT
Definition: detect-engine-uint.h:32
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:459
Flow_::protoctx
void * protoctx
Definition: flow.h:447
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1225
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:97
DetectUrilenApplyToContent
void DetectUrilenApplyToContent(Signature *s, int list)
set prefilter dsize pair
Definition: detect-urilen.c:148
util-unittest.h
HtpState_
Definition: app-layer-htp.h:244
util-unittest-helper.h
Signature_::next
struct Signature_ * next
Definition: detect.h:616
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:359
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:40
app-layer-htp.h
util-debug.h
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1027
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:22
DETECT_CONTENT_DEPTH
#define DETECT_CONTENT_DEPTH
Definition: detect-content.h:33
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:319
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2118
DetectContentData_::id
PatIntId id
Definition: detect-content.h:100
app-layer-parser.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:318
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2019
DetectContentData_::depth
uint16_t depth
Definition: detect-content.h:101
stream.h
Packet_
Definition: decode.h:428
detect-engine-build.h
DETECT_UINT_GTE
#define DETECT_UINT_GTE
Definition: detect-engine-uint.h:33
stream-tcp-private.h
detect-engine-alert.h
DetectContentData_::flags
uint32_t flags
Definition: detect-content.h:99
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:613
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1208
SignatureInitData_::smlists
struct SigMatch_ ** smlists
Definition: detect.h:536
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:241
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1951
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:293
Packet_::flow
struct Flow_ * flow
Definition: decode.h:465
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3166
DetectBufferTypeRegister
int DetectBufferTypeRegister(const char *name)
Definition: detect-engine.c:1025
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:695
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1323
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:316
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:30
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:76
DetectUrilenRegister
void DetectUrilenRegister(void)
Registration function for urilen: keyword.
Definition: detect-urilen.c:61
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:793
DETECT_UINT_LTE
#define DETECT_UINT_LTE
Definition: detect-engine-uint.h:38
str
#define str(s)
Definition: suricata-common.h:280
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
Flow_::alstate
void * alstate
Definition: flow.h:482
Signature_::id
uint32_t id
Definition: detect.h:576
Flow_::flags
uint32_t flags
Definition: flow.h:427
detect-parse.h
Signature_
Signature container.
Definition: detect.h:542
SigMatch_
a single match condition for a signature
Definition: detect.h:315
ALPROTO_HTTP
@ ALPROTO_HTTP
Definition: app-layer-protos.h:66
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:229
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2416
app-layer-protos.h
detect-urilen.h
DetectContentData_::content_len
uint16_t content_len
Definition: detect-content.h:90
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:788
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:66
TcpSession_
Definition: stream-tcp-private.h:279
DetectUrilenValidateContent
bool DetectUrilenValidateContent(const Signature *s, int list, const char **sigerror)
Definition: detect-urilen.c:212
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:456
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
DETECT_AL_URILEN
@ DETECT_AL_URILEN
Definition: detect-engine-register.h:131
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:356
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:129
DETECT_UINT_RA
#define DETECT_UINT_RA
Definition: detect-engine-uint.h:34
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1000
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1232
app-layer.h
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:468