suricata
detect-urilen.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Gurvinder Singh <gurvindersighdahiya@gmail.com>
22  *
23  * Implements the urilen keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "app-layer.h"
28 #include "app-layer-protos.h"
29 #include "app-layer-htp.h"
30 #include "util-unittest.h"
31 #include "util-unittest-helper.h"
32 
33 #include "detect.h"
34 #include "detect-parse.h"
35 #include "detect-engine.h"
36 #include "detect-engine-state.h"
37 #include "detect-engine-build.h"
38 #include "detect-content.h"
39 #include "detect-engine-uint.h"
40 
41 #include "detect-urilen.h"
42 #include "util-debug.h"
43 #include "util-byte.h"
44 #include "flow-util.h"
45 #include "stream-tcp.h"
46 
47 
48 /*prototypes*/
49 static int DetectUrilenSetup (DetectEngineCtx *, Signature *, const char *);
50 static void DetectUrilenFree (DetectEngineCtx *, void *);
51 #ifdef UNITTESTS
52 static void DetectUrilenRegisterTests (void);
53 #endif
54 static int g_http_uri_buffer_id = 0;
55 static int g_http_raw_uri_buffer_id = 0;
56 
57 /**
58  * \brief Registration function for urilen: keyword
59  */
60 
62 {
64  sigmatch_table[DETECT_AL_URILEN].desc = "match on the length of the HTTP uri";
65  sigmatch_table[DETECT_AL_URILEN].url = "/rules/http-keywords.html#urilen";
67  sigmatch_table[DETECT_AL_URILEN].Setup = DetectUrilenSetup;
68  sigmatch_table[DETECT_AL_URILEN].Free = DetectUrilenFree;
69 #ifdef UNITTESTS
70  sigmatch_table[DETECT_AL_URILEN].RegisterTests = DetectUrilenRegisterTests;
71 #endif
72 
73  g_http_uri_buffer_id = DetectBufferTypeRegister("http_uri");
74  g_http_raw_uri_buffer_id = DetectBufferTypeRegister("http_raw_uri");
75 }
76 
77 /**
78  * \brief This function is used to parse urilen options passed via urilen: keyword
79  *
80  * \param urilenstr Pointer to the user provided urilen options
81  *
82  * \retval urilend pointer to DetectUrilenData on success
83  * \retval NULL on failure
84  */
85 
86 static DetectUrilenData *DetectUrilenParse (const char *urilenstr)
87 {
88  return rs_detect_urilen_parse(urilenstr);
89 }
90 
91 /**
92  * \brief this function is used to parse urilen data into the current signature
93  *
94  * \param de_ctx pointer to the Detection Engine Context
95  * \param s pointer to the Current Signature
96  * \param urilenstr pointer to the user provided urilen options
97  *
98  * \retval 0 on Success
99  * \retval -1 on Failure
100  */
101 static int DetectUrilenSetup (DetectEngineCtx *de_ctx, Signature *s, const char *urilenstr)
102 {
103  SCEnter();
104  DetectUrilenData *urilend = NULL;
105 
107  return -1;
108 
109  urilend = DetectUrilenParse(urilenstr);
110  if (urilend == NULL)
111  goto error;
112 
113  if (urilend->raw_buffer) {
115  g_http_raw_uri_buffer_id) == NULL) {
116  goto error;
117  }
118  } else {
120  g_http_uri_buffer_id) == NULL) {
121  goto error;
122  }
123  }
124 
125  SCReturnInt(0);
126 
127 error:
128  DetectUrilenFree(de_ctx, urilend);
129  SCReturnInt(-1);
130 }
131 
132 /**
133  * \brief this function will free memory associated with DetectUrilenData
134  *
135  * \param ptr pointer to DetectUrilenData
136  */
137 static void DetectUrilenFree(DetectEngineCtx *de_ctx, void *ptr)
138 {
139  if (ptr == NULL)
140  return;
141 
142  DetectUrilenData *urilend = (DetectUrilenData *)ptr;
143  rs_detect_urilen_free(urilend);
144 }
145 
146 /** \brief set prefilter dsize pair
147  * \param s signature to get dsize value from
148  */
150 {
151  for (uint32_t x = 0; x < s->init_data->buffer_index; x++) {
152  if (s->init_data->buffers[x].id != (uint32_t)list)
153  continue;
154 
155  uint16_t high = UINT16_MAX;
156  bool found = false;
157 
158  for (SigMatch *sm = s->init_data->buffers[x].head; sm != NULL; sm = sm->next) {
159  if (sm->type != DETECT_AL_URILEN)
160  continue;
161 
162  DetectUrilenData *dd = (DetectUrilenData *)sm->ctx;
163 
164  switch (dd->du16.mode) {
165  case DETECT_UINT_LT:
166  if (dd->du16.arg1 < UINT16_MAX) {
167  high = dd->du16.arg1 + 1;
168  }
169  break;
170  case DETECT_UINT_LTE:
171  // fallthrough
172  case DETECT_UINT_EQ:
173  high = dd->du16.arg1;
174  break;
175  case DETECT_UINT_RA:
176  if (dd->du16.arg2 < UINT16_MAX) {
177  high = dd->du16.arg2 + 1;
178  }
179  break;
180  case DETECT_UINT_NE:
181  // fallthrough
182  case DETECT_UINT_GTE:
183  // fallthrough
184  case DETECT_UINT_GT:
185  high = UINT16_MAX;
186  break;
187  }
188  found = true;
189  }
190 
191  // skip 65535 to avoid mismatch on uri > 64k
192  if (!found || high == UINT16_MAX)
193  return;
194 
195  SCLogDebug("high %u", high);
196 
197  for (SigMatch *sm = s->init_data->buffers[x].head; sm != NULL; sm = sm->next) {
198  if (sm->type != DETECT_CONTENT) {
199  continue;
200  }
201  DetectContentData *cd = (DetectContentData *)sm->ctx;
202  if (cd == NULL) {
203  continue;
204  }
205 
206  if (cd->depth == 0 || cd->depth > high) {
207  cd->depth = high;
209  SCLogDebug("updated %u, content %u to have depth %u "
210  "because of urilen.",
211  s->id, cd->id, cd->depth);
212  }
213  }
214  }
215 }
216 
217 bool DetectUrilenValidateContent(const Signature *s, int list, const char **sigerror)
218 {
219  for (uint32_t x = 0; x < s->init_data->buffer_index; x++) {
220  if (s->init_data->buffers[x].id != (uint32_t)list)
221  continue;
222  for (const SigMatch *sm = s->init_data->buffers[x].head; sm != NULL; sm = sm->next) {
223  if (sm->type != DETECT_CONTENT) {
224  continue;
225  }
226  DetectContentData *cd = (DetectContentData *)sm->ctx;
227  if (cd == NULL) {
228  continue;
229  }
230 
231  if (cd->depth && cd->depth < cd->content_len) {
232  *sigerror = "depth or urilen smaller than content len";
233  SCLogError("depth or urilen %u smaller "
234  "than content len %u",
235  cd->depth, cd->content_len);
236  return false;
237  }
238  }
239  }
240  return true;
241 }
242 
243 #ifdef UNITTESTS
244 
245 #include "stream.h"
246 #include "stream-tcp-private.h"
247 #include "stream-tcp-reassemble.h"
248 #include "detect-engine-mpm.h"
249 #include "app-layer-parser.h"
250 #include "detect-engine-alert.h"
251 
252 /** \test Test the Urilen keyword setup */
253 static int DetectUrilenParseTest01(void)
254 {
255  int ret = 0;
256  DetectUrilenData *urilend = NULL;
257 
258  urilend = DetectUrilenParse("10");
259  if (urilend != NULL) {
260  if (urilend->du16.arg1 == 10 && urilend->du16.mode == DETECT_UINT_EQ &&
261  !urilend->raw_buffer)
262  ret = 1;
263 
264  DetectUrilenFree(NULL, urilend);
265  }
266  return ret;
267 }
268 
269 /** \test Test the Urilen keyword setup */
270 static int DetectUrilenParseTest02(void)
271 {
272  int ret = 0;
273  DetectUrilenData *urilend = NULL;
274 
275  urilend = DetectUrilenParse(" < 10 ");
276  if (urilend != NULL) {
277  if (urilend->du16.arg1 == 10 && urilend->du16.mode == DETECT_UINT_LT &&
278  !urilend->raw_buffer)
279  ret = 1;
280 
281  DetectUrilenFree(NULL, urilend);
282  }
283  return ret;
284 }
285 
286 /** \test Test the Urilen keyword setup */
287 static int DetectUrilenParseTest03(void)
288 {
289  int ret = 0;
290  DetectUrilenData *urilend = NULL;
291 
292  urilend = DetectUrilenParse(" > 10 ");
293  if (urilend != NULL) {
294  if (urilend->du16.arg1 == 10 && urilend->du16.mode == DETECT_UINT_GT &&
295  !urilend->raw_buffer)
296  ret = 1;
297 
298  DetectUrilenFree(NULL, urilend);
299  }
300  return ret;
301 }
302 
303 /** \test Test the Urilen keyword setup */
304 static int DetectUrilenParseTest04(void)
305 {
306  int ret = 0;
307  DetectUrilenData *urilend = NULL;
308 
309  urilend = DetectUrilenParse(" 5 <> 10 ");
310  if (urilend != NULL) {
311  if (urilend->du16.arg1 == 5 && urilend->du16.arg2 == 10 &&
312  urilend->du16.mode == DETECT_UINT_RA && !urilend->raw_buffer)
313  ret = 1;
314 
315  DetectUrilenFree(NULL, urilend);
316  }
317  return ret;
318 }
319 
320 /** \test Test the Urilen keyword setup */
321 static int DetectUrilenParseTest05(void)
322 {
323  int ret = 0;
324  DetectUrilenData *urilend = NULL;
325 
326  urilend = DetectUrilenParse("5<>10,norm");
327  if (urilend != NULL) {
328  if (urilend->du16.arg1 == 5 && urilend->du16.arg2 == 10 &&
329  urilend->du16.mode == DETECT_UINT_RA && !urilend->raw_buffer)
330  ret = 1;
331 
332  DetectUrilenFree(NULL, urilend);
333  }
334  return ret;
335 }
336 
337 /** \test Test the Urilen keyword setup */
338 static int DetectUrilenParseTest06(void)
339 {
340  int ret = 0;
341  DetectUrilenData *urilend = NULL;
342 
343  urilend = DetectUrilenParse("5<>10,raw");
344  if (urilend != NULL) {
345  if (urilend->du16.arg1 == 5 && urilend->du16.arg2 == 10 &&
346  urilend->du16.mode == DETECT_UINT_RA && urilend->raw_buffer)
347  ret = 1;
348 
349  DetectUrilenFree(NULL, urilend);
350  }
351  return ret;
352 }
353 
354 /** \test Test the Urilen keyword setup */
355 static int DetectUrilenParseTest07(void)
356 {
357  int ret = 0;
358  DetectUrilenData *urilend = NULL;
359 
360  urilend = DetectUrilenParse(">10, norm ");
361  if (urilend != NULL) {
362  if (urilend->du16.arg1 == 10 && urilend->du16.mode == DETECT_UINT_GT &&
363  !urilend->raw_buffer)
364  ret = 1;
365 
366  DetectUrilenFree(NULL, urilend);
367  }
368  return ret;
369 }
370 
371 /** \test Test the Urilen keyword setup */
372 static int DetectUrilenParseTest08(void)
373 {
374  int ret = 0;
375  DetectUrilenData *urilend = NULL;
376 
377  urilend = DetectUrilenParse("<10, norm ");
378  if (urilend != NULL) {
379  if (urilend->du16.arg1 == 10 && urilend->du16.mode == DETECT_UINT_LT &&
380  !urilend->raw_buffer)
381  ret = 1;
382 
383  DetectUrilenFree(NULL, urilend);
384  }
385  return ret;
386 }
387 
388 /** \test Test the Urilen keyword setup */
389 static int DetectUrilenParseTest09(void)
390 {
391  int ret = 0;
392  DetectUrilenData *urilend = NULL;
393 
394  urilend = DetectUrilenParse(">10, raw ");
395  if (urilend != NULL) {
396  if (urilend->du16.arg1 == 10 && urilend->du16.mode == DETECT_UINT_GT && urilend->raw_buffer)
397  ret = 1;
398 
399  DetectUrilenFree(NULL, urilend);
400  }
401  return ret;
402 }
403 
404 /** \test Test the Urilen keyword setup */
405 static int DetectUrilenParseTest10(void)
406 {
407  int ret = 0;
408  DetectUrilenData *urilend = NULL;
409 
410  urilend = DetectUrilenParse("<10, raw ");
411  if (urilend != NULL) {
412  if (urilend->du16.arg1 == 10 && urilend->du16.mode == DETECT_UINT_LT && urilend->raw_buffer)
413  ret = 1;
414 
415  DetectUrilenFree(NULL, urilend);
416  }
417  return ret;
418 }
419 
420 /**
421  * \brief this function is used to initialize the detection engine context and
422  * setup the signature with passed values.
423  *
424  */
425 
426 static int DetectUrilenInitTest(DetectEngineCtx **de_ctx, Signature **sig,
427  DetectUrilenData **urilend, const char *str)
428 {
429  char fullstr[1024];
430  int result = 0;
431 
432  *de_ctx = NULL;
433  *sig = NULL;
434 
435  if (snprintf(fullstr, 1024, "alert ip any any -> any any (msg:\"Urilen "
436  "test\"; urilen:%s; sid:1;)", str) >= 1024) {
437  goto end;
438  }
439 
441  if (*de_ctx == NULL) {
442  goto end;
443  }
444 
445  (*de_ctx)->flags |= DE_QUIET;
446 
447  (*de_ctx)->sig_list = SigInit(*de_ctx, fullstr);
448  if ((*de_ctx)->sig_list == NULL) {
449  goto end;
450  }
451 
452  *sig = (*de_ctx)->sig_list;
453 
454  *urilend = DetectUrilenParse(str);
455 
456  result = 1;
457 
458 end:
459  return result;
460 }
461 
462 /**
463  * \test DetectUrilenSetpTest01 is a test for setting up an valid urilen values
464  * with valid "<>" operator and include spaces arround the given values.
465  * In the test the values are setup with initializing the detection engine
466  * context and setting up the signature itself.
467  */
468 
469 static int DetectUrilenSetpTest01(void)
470 {
471 
472  DetectUrilenData *urilend = NULL;
473  uint8_t res = 0;
474  Signature *sig = NULL;
475  DetectEngineCtx *de_ctx = NULL;
476 
477  res = DetectUrilenInitTest(&de_ctx, &sig, &urilend, "1 <> 2 ");
478  if (res == 0) {
479  goto end;
480  }
481 
482  if(urilend == NULL)
483  goto cleanup;
484 
485  if (urilend != NULL) {
486  if (urilend->du16.arg1 == 1 && urilend->du16.arg2 == 2 &&
487  urilend->du16.mode == DETECT_UINT_RA)
488  res = 1;
489  }
490 
491 cleanup:
492  if (urilend)
493  DetectUrilenFree(NULL, urilend);
497 end:
498  return res;
499 }
500 
501 /** \test Check a signature with given urilen */
502 static int DetectUrilenSigTest01(void)
503 {
504  int result = 0;
505  Flow f;
506  uint8_t httpbuf1[] = "POST /suricata HTTP/1.0\r\n"
507  "Host: foo.bar.tld\r\n"
508  "\r\n";
509  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
510  TcpSession ssn;
511  Packet *p = NULL;
512  Signature *s = NULL;
513  ThreadVars th_v;
514  DetectEngineThreadCtx *det_ctx;
516 
517  memset(&th_v, 0, sizeof(th_v));
518  memset(&f, 0, sizeof(f));
519  memset(&ssn, 0, sizeof(ssn));
520 
521  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
522 
523  FLOW_INITIALIZE(&f);
524  f.protoctx = (void *)&ssn;
525  f.proto = IPPROTO_TCP;
526  f.flags |= FLOW_IPV4;
527 
528  p->flow = &f;
533 
534  StreamTcpInitConfig(true);
535 
537  if (de_ctx == NULL) {
538  goto end;
539  }
540 
541  de_ctx->flags |= DE_QUIET;
542 
543  s = de_ctx->sig_list = SigInit(de_ctx,
544  "alert tcp any any -> any any "
545  "(msg:\"Testing urilen\"; "
546  "urilen: <5; sid:1;)");
547  if (s == NULL) {
548  goto end;
549  }
550 
551  s = s->next = SigInit(de_ctx,
552  "alert tcp any any -> any any "
553  "(msg:\"Testing http_method\"; "
554  "urilen: >5; sid:2;)");
555  if (s == NULL) {
556  goto end;
557  }
558 
560  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
561 
562  int r = AppLayerParserParse(
563  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
564  if (r != 0) {
565  SCLogDebug("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
566  goto end;
567  }
568 
569  HtpState *htp_state = f.alstate;
570  if (htp_state == NULL) {
571  SCLogDebug("no http state: ");
572  goto end;
573  }
574 
575  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
576 
577  if ((PacketAlertCheck(p, 1))) {
578  printf("sid 1 alerted, but should not have: \n");
579  goto end;
580  }
581  if (!PacketAlertCheck(p, 2)) {
582  printf("sid 2 did not alerted, but should have: \n");
583  goto end;
584  }
585 
586  result = 1;
587 
588 end:
589  if (alp_tctx != NULL)
591  if (de_ctx != NULL) SigGroupCleanup(de_ctx);
592  if (de_ctx != NULL) SigCleanSignatures(de_ctx);
593  if (de_ctx != NULL) DetectEngineCtxFree(de_ctx);
594 
595  StreamTcpFreeConfig(true);
596  FLOW_DESTROY(&f);
597  UTHFreePackets(&p, 1);
598  return result;
599 }
600 
601 /**
602  * \brief this function registers unit tests for DetectUrilen
603  */
604 void DetectUrilenRegisterTests(void)
605 {
606  UtRegisterTest("DetectUrilenParseTest01", DetectUrilenParseTest01);
607  UtRegisterTest("DetectUrilenParseTest02", DetectUrilenParseTest02);
608  UtRegisterTest("DetectUrilenParseTest03", DetectUrilenParseTest03);
609  UtRegisterTest("DetectUrilenParseTest04", DetectUrilenParseTest04);
610  UtRegisterTest("DetectUrilenParseTest05", DetectUrilenParseTest05);
611  UtRegisterTest("DetectUrilenParseTest06", DetectUrilenParseTest06);
612  UtRegisterTest("DetectUrilenParseTest07", DetectUrilenParseTest07);
613  UtRegisterTest("DetectUrilenParseTest08", DetectUrilenParseTest08);
614  UtRegisterTest("DetectUrilenParseTest09", DetectUrilenParseTest09);
615  UtRegisterTest("DetectUrilenParseTest10", DetectUrilenParseTest10);
616  UtRegisterTest("DetectUrilenSetpTest01", DetectUrilenSetpTest01);
617  UtRegisterTest("DetectUrilenSigTest01", DetectUrilenSigTest01);
618 }
619 #endif /* UNITTESTS */
util-byte.h
detect-engine-uint.h
SigTableElmt_::url
const char * url
Definition: detect.h:1296
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1753
SignatureInitDataBuffer_::head
SigMatch * head
Definition: detect.h:527
detect-content.h
detect-engine.h
SigTableElmt_::desc
const char * desc
Definition: detect.h:1295
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1022
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1283
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1293
stream-tcp.h
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DETECT_UINT_LT
#define DETECT_UINT_LT
Definition: detect-engine-uint.h:37
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:62
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
DETECT_UINT_NE
#define DETECT_UINT_NE
Definition: detect-engine-uint.h:36
Flow_::proto
uint8_t proto
Definition: flow.h:373
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
Packet_::flags
uint32_t flags
Definition: decode.h:474
Flow_
Flow data structure.
Definition: flow.h:351
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:836
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2533
DETECT_UINT_EQ
#define DETECT_UINT_EQ
Definition: detect-engine-uint.h:35
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:312
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:223
DE_QUIET
#define DE_QUIET
Definition: detect.h:321
stream-tcp-reassemble.h
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:340
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1884
DetectContentData_
Definition: detect-content.h:93
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:54
DETECT_UINT_GT
#define DETECT_UINT_GT
Definition: detect-engine-uint.h:32
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:468
Flow_::protoctx
void * protoctx
Definition: flow.h:441
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1278
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:97
DetectUrilenApplyToContent
void DetectUrilenApplyToContent(Signature *s, int list)
set prefilter dsize pair
Definition: detect-urilen.c:149
util-unittest.h
HtpState_
Definition: app-layer-htp.h:244
util-unittest-helper.h
Signature_::next
struct Signature_ * next
Definition: detect.h:665
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:463
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
app-layer-htp.h
util-debug.h
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1092
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:22
DETECT_CONTENT_DEPTH
#define DETECT_CONTENT_DEPTH
Definition: detect-content.h:33
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:351
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2314
DetectContentData_::id
PatIntId id
Definition: detect-content.h:105
app-layer-parser.h
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2218
DetectContentData_::depth
uint16_t depth
Definition: detect-content.h:106
stream.h
Packet_
Definition: decode.h:437
detect-engine-build.h
DETECT_UINT_GTE
#define DETECT_UINT_GTE
Definition: detect-engine-uint.h:33
stream-tcp-private.h
detect-engine-alert.h
DetectContentData_::flags
uint32_t flags
Definition: detect-content.h:104
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:662
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1261
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2149
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:291
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:342
Packet_::flow
struct Flow_ * flow
Definition: decode.h:476
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3244
DetectBufferTypeRegister
int DetectBufferTypeRegister(const char *name)
Definition: detect-engine.c:1008
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:794
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1292
suricata-common.h
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:30
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:127
DetectUrilenRegister
void DetectUrilenRegister(void)
Registration function for urilen: keyword.
Definition: detect-urilen.c:61
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:844
SignatureInitData_::buffers
SignatureInitDataBuffer * buffers
Definition: detect.h:583
DETECT_UINT_LTE
#define DETECT_UINT_LTE
Definition: detect-engine-uint.h:38
str
#define str(s)
Definition: suricata-common.h:291
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
Flow_::alstate
void * alstate
Definition: flow.h:476
Signature_::id
uint32_t id
Definition: detect.h:628
Flow_::flags
uint32_t flags
Definition: flow.h:421
detect-parse.h
SignatureInitDataBuffer_::id
uint32_t id
Definition: detect.h:520
Signature_
Signature container.
Definition: detect.h:593
SigMatch_
a single match condition for a signature
Definition: detect.h:347
ALPROTO_HTTP
@ ALPROTO_HTTP
Definition: app-layer-protos.h:67
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:225
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2494
app-layer-protos.h
detect-urilen.h
DetectContentData_::content_len
uint16_t content_len
Definition: detect-content.h:95
SigMatchAppendSMToList
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:447
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:838
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:65
TcpSession_
Definition: stream-tcp-private.h:283
DetectUrilenValidateContent
bool DetectUrilenValidateContent(const Signature *s, int list, const char **sigerror)
Definition: detect-urilen.c:217
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:450
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
SignatureInitData_::buffer_index
uint32_t buffer_index
Definition: detect.h:584
DETECT_AL_URILEN
@ DETECT_AL_URILEN
Definition: detect-engine-register.h:137
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:121
DETECT_UINT_RA
#define DETECT_UINT_RA
Definition: detect-engine-uint.h:34
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1019
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1285
app-layer.h
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:431