suricata
detect-urilen.c
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Gurvinder Singh <gurvindersighdahiya@gmail.com>
22  *
23  * Implements the urilen keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "app-layer.h"
28 #include "app-layer-protos.h"
29 #include "app-layer-htp.h"
30 #include "util-unittest.h"
31 #include "util-unittest-helper.h"
32 
33 #include "detect.h"
34 #include "detect-parse.h"
35 #include "detect-engine.h"
36 #include "detect-engine-state.h"
37 #include "detect-engine-build.h"
38 #include "detect-content.h"
39 #include "detect-engine-uint.h"
40 
41 #include "detect-urilen.h"
42 #include "util-debug.h"
43 #include "util-byte.h"
44 #include "flow-util.h"
45 #include "stream-tcp.h"
46 
47 
/* Forward declarations of the callbacks stored in the urilen sigmatch_table slot. */
static int DetectUrilenSetup(DetectEngineCtx *de_ctx, Signature *s, const char *urilenstr);
static void DetectUrilenFree(DetectEngineCtx *de_ctx, void *ptr);
#ifdef UNITTESTS
static void DetectUrilenRegisterTests(void);
#endif

/* Buffer list ids for "http_uri" and "http_raw_uri". Both are 0 until keyword
 * registration stores the values returned by DetectBufferTypeRegister(). */
static int g_http_uri_buffer_id = 0;
static int g_http_raw_uri_buffer_id = 0;
56 
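/**
 * \brief Registration function for urilen: keyword
 *
 * Fills the DETECT_AL_URILEN slot of sigmatch_table and registers the two
 * buffer names ("http_uri", "http_raw_uri") a urilen match can be attached to.
 */
void DetectUrilenRegister(void)
{
    /* NOTE(review): the signature and the .name / .Match assignments were
     * dropped from this listing (source lines 61, 63 and 66); they are restored
     * here from the declaration and table fields shown on the page -- confirm
     * against the upstream file. */
    sigmatch_table[DETECT_AL_URILEN].name = "urilen";
    sigmatch_table[DETECT_AL_URILEN].desc = "match on the length of the HTTP uri";
    sigmatch_table[DETECT_AL_URILEN].url = "/rules/http-keywords.html#urilen";
    sigmatch_table[DETECT_AL_URILEN].Match = NULL;
    sigmatch_table[DETECT_AL_URILEN].Setup = DetectUrilenSetup;
    sigmatch_table[DETECT_AL_URILEN].Free = DetectUrilenFree;
#ifdef UNITTESTS
    sigmatch_table[DETECT_AL_URILEN].RegisterTests = DetectUrilenRegisterTests;
#endif

    /* Setup picks one of these two lists depending on the parsed raw_buffer flag. */
    g_http_uri_buffer_id = DetectBufferTypeRegister("http_uri");
    g_http_raw_uri_buffer_id = DetectBufferTypeRegister("http_raw_uri");
}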
76 
/**
 * \brief Parse the option string given to the urilen: keyword
 *
 * Thin wrapper: the parsing itself is done by rs_detect_urilen_parse().
 * The returned object is released with DetectUrilenFree().
 *
 * \param urilenstr Pointer to the user provided urilen options
 *
 * \retval urilend pointer to DetectUrilenData on success
 * \retval NULL on failure
 */
static DetectUrilenData *DetectUrilenParse (const char *urilenstr)
{
    DetectUrilenData *parsed = rs_detect_urilen_parse(urilenstr);
    return parsed;
}
90 
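/**
 * \brief Parse the urilen options and attach the result to the current signature
 *
 * \param de_ctx pointer to the Detection Engine Context
 * \param s pointer to the Current Signature
 * \param urilenstr pointer to the user provided urilen options
 *
 * \retval 0 on Success
 * \retval -1 on Failure
 */
static int DetectUrilenSetup (DetectEngineCtx *de_ctx, Signature *s, const char *urilenstr)
{
    SCEnter();
    DetectUrilenData *urilend = NULL;
    SigMatch *sm = NULL;

    /* NOTE(review): the condition guarding this early return (source line 107)
     * was dropped from the listing; restored from the DetectSignatureSetAppProto
     * and ALPROTO_HTTP1 references on the page -- confirm against upstream.
     * Nothing has been allocated yet, so a plain return leaks nothing. */
    if (DetectSignatureSetAppProto(s, ALPROTO_HTTP1) != 0)
        return -1;

    urilend = DetectUrilenParse(urilenstr);
    if (urilend == NULL)
        goto error;
    sm = SigMatchAlloc();
    if (sm == NULL)
        goto error;
    sm->type = DETECT_AL_URILEN;
    /* From here on the SigMatch holds the parsed data; no failure path follows,
     * so the error label below only runs while urilend is still owned locally. */
    sm->ctx = (void *)urilend;

    /* ",raw" selects the raw URI buffer, otherwise the http_uri buffer is used. */
    if (urilend->raw_buffer)
        SigMatchAppendSMToList(s, sm, g_http_raw_uri_buffer_id);
    else
        SigMatchAppendSMToList(s, sm, g_http_uri_buffer_id);

    SCReturnInt(0);

error:
    /* DetectUrilenFree() accepts NULL, which covers the parse-failure case. */
    DetectUrilenFree(de_ctx, urilend);
    SCReturnInt(-1);
}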
130 
/**
 * \brief Release a DetectUrilenData object through rs_detect_urilen_free()
 *
 * \param de_ctx not used by this function
 * \param ptr pointer to DetectUrilenData; NULL is accepted and ignored
 */
static void DetectUrilenFree(DetectEngineCtx *de_ctx, void *ptr)
{
    DetectUrilenData *urilend = (DetectUrilenData *)ptr;

    if (urilend != NULL) {
        rs_detect_urilen_free(urilend);
    }
}
144 
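/**
 * \brief Cap the depth of content matches using the urilen upper bound
 *
 * Scans the given sigmatch list for urilen keywords, derives an upper bound
 * on the URI length from them, and lowers the depth of every content match in
 * the same list that has no depth or a larger depth than that bound.
 *
 * \param s signature whose init_data sigmatch lists are read and updated
 * \param list index into s->init_data->smlists
 */
void DetectUrilenApplyToContent(Signature *s, int list)
{
    /* NOTE(review): the signature (source line 148) and the `cd` declaration
     * (source line 198) were dropped from the listing; restored from the
     * declaration shown on the page and the parallel `dd` cast below --
     * confirm against upstream. */
    uint16_t high = UINT16_MAX;
    bool found = false;

    SigMatch *sm = s->init_data->smlists[list];
    for ( ; sm != NULL; sm = sm->next) {
        if (sm->type != DETECT_AL_URILEN)
            continue;

        DetectUrilenData *dd = (DetectUrilenData *)sm->ctx;

        /* `high` is overwritten on every urilen keyword, so with several
         * urilen keywords in one list the last one decides the bound. */
        switch (dd->du16.mode) {
            case DETECT_UINT_LT:
                /* guard keeps arg1 + 1 inside uint16_t */
                if (dd->du16.arg1 < UINT16_MAX) {
                    high = dd->du16.arg1 + 1;
                }
                break;
            case DETECT_UINT_LTE:
                // fallthrough
            case DETECT_UINT_EQ:
                high = dd->du16.arg1;
                break;
            case DETECT_UINT_RA:
                /* range: the upper limit is arg2; same overflow guard as LT */
                if (dd->du16.arg2 < UINT16_MAX) {
                    high = dd->du16.arg2 + 1;
                }
                break;
            case DETECT_UINT_NE:
                // fallthrough
            case DETECT_UINT_GTE:
                // fallthrough
            case DETECT_UINT_GT:
                /* no upper bound can be derived from these modes */
                high = UINT16_MAX;
                break;
        }
        found = true;
    }

    // skip 65535 to avoid mismatch on uri > 64k
    if (!found || high == UINT16_MAX)
        return;

    SCLogDebug("high %u", high);

    /* Second pass: tighten content depths. A depth that is too small would
     * hide matches, so only unset (0) or larger depths are replaced. */
    sm = s->init_data->smlists[list];
    for ( ; sm != NULL; sm = sm->next) {
        if (sm->type != DETECT_CONTENT) {
            continue;
        }
        DetectContentData *cd = (DetectContentData *)sm->ctx;
        if (cd == NULL) {
            continue;
        }

        if (cd->depth == 0 || cd->depth > high) {
            cd->depth = high;
            SCLogDebug("updated %u, content %u to have depth %u "
                    "because of urilen.", s->id, cd->id, cd->depth);
        }
    }
}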
210 
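/**
 * \brief Reject signatures whose content cannot fit inside its depth
 *
 * Checks every content match in the given list: a non-zero depth that is
 * smaller than the content length makes the signature invalid.
 *
 * \param s signature to validate
 * \param list index into s->init_data->smlists
 * \param sigerror set to a static error string when validation fails;
 *                 left untouched otherwise
 *
 * \retval true all content matches in the list are consistent
 * \retval false a content match is longer than its depth
 */
bool DetectUrilenValidateContent(const Signature *s, int list, const char **sigerror)
{
    const SigMatch *sm = s->init_data->smlists[list];
    for ( ; sm != NULL; sm = sm->next) {
        if (sm->type != DETECT_CONTENT) {
            continue;
        }
        /* NOTE(review): this declaration (source line 218) was dropped from
         * the listing; restored from the uses of `cd` below -- confirm
         * against upstream. */
        const DetectContentData *cd = (const DetectContentData *)sm->ctx;
        if (cd == NULL) {
            continue;
        }

        /* depth 0 means "no depth set" and is never an error here */
        if (cd->depth && cd->depth < cd->content_len) {
            *sigerror = "depth or urilen smaller than content len";
            SCLogError(SC_ERR_INVALID_SIGNATURE, "depth or urilen %u smaller "
                    "than content len %u", cd->depth, cd->content_len);
            return false;
        }
    }
    return true;
}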
232 
233 #ifdef UNITTESTS
234 
235 #include "stream.h"
236 #include "stream-tcp-private.h"
237 #include "stream-tcp-reassemble.h"
238 #include "detect-engine-mpm.h"
239 #include "app-layer-parser.h"
240 #include "detect-engine-alert.h"
241 
/** \test A bare number parses as an exact match with the raw flag unset */
static int DetectUrilenParseTest01(void)
{
    DetectUrilenData *parsed = DetectUrilenParse("10");
    if (parsed == NULL) {
        return 0;
    }

    const int ok = (parsed->du16.arg1 == 10 && parsed->du16.mode == DETECT_UINT_EQ &&
                           !parsed->raw_buffer)
                           ? 1
                           : 0;
    DetectUrilenFree(NULL, parsed);
    return ok;
}
258 
/** \test "<" with surrounding spaces parses as less-than, raw flag unset */
static int DetectUrilenParseTest02(void)
{
    DetectUrilenData *parsed = DetectUrilenParse(" < 10 ");
    if (parsed == NULL) {
        return 0;
    }

    const int ok = (parsed->du16.arg1 == 10 && parsed->du16.mode == DETECT_UINT_LT &&
                           !parsed->raw_buffer)
                           ? 1
                           : 0;
    DetectUrilenFree(NULL, parsed);
    return ok;
}
275 
/** \test ">" with surrounding spaces parses as greater-than, raw flag unset */
static int DetectUrilenParseTest03(void)
{
    DetectUrilenData *parsed = DetectUrilenParse(" > 10 ");
    if (parsed == NULL) {
        return 0;
    }

    const int ok = (parsed->du16.arg1 == 10 && parsed->du16.mode == DETECT_UINT_GT &&
                           !parsed->raw_buffer)
                           ? 1
                           : 0;
    DetectUrilenFree(NULL, parsed);
    return ok;
}
292 
/** \test "<>" with surrounding spaces parses as a range, raw flag unset */
static int DetectUrilenParseTest04(void)
{
    DetectUrilenData *parsed = DetectUrilenParse(" 5 <> 10 ");
    if (parsed == NULL) {
        return 0;
    }

    const int ok = (parsed->du16.arg1 == 5 && parsed->du16.arg2 == 10 &&
                           parsed->du16.mode == DETECT_UINT_RA && !parsed->raw_buffer)
                           ? 1
                           : 0;
    DetectUrilenFree(NULL, parsed);
    return ok;
}
309 
/** \test A range with the explicit "norm" option leaves the raw flag unset */
static int DetectUrilenParseTest05(void)
{
    DetectUrilenData *parsed = DetectUrilenParse("5<>10,norm");
    if (parsed == NULL) {
        return 0;
    }

    const int ok = (parsed->du16.arg1 == 5 && parsed->du16.arg2 == 10 &&
                           parsed->du16.mode == DETECT_UINT_RA && !parsed->raw_buffer)
                           ? 1
                           : 0;
    DetectUrilenFree(NULL, parsed);
    return ok;
}
326 
/** \test A range with the "raw" option sets the raw flag */
static int DetectUrilenParseTest06(void)
{
    DetectUrilenData *parsed = DetectUrilenParse("5<>10,raw");
    if (parsed == NULL) {
        return 0;
    }

    const int ok = (parsed->du16.arg1 == 5 && parsed->du16.arg2 == 10 &&
                           parsed->du16.mode == DETECT_UINT_RA && parsed->raw_buffer)
                           ? 1
                           : 0;
    DetectUrilenFree(NULL, parsed);
    return ok;
}
343 
/** \test ">" with a spaced "norm" option parses as greater-than, raw flag unset */
static int DetectUrilenParseTest07(void)
{
    DetectUrilenData *parsed = DetectUrilenParse(">10, norm ");
    if (parsed == NULL) {
        return 0;
    }

    const int ok = (parsed->du16.arg1 == 10 && parsed->du16.mode == DETECT_UINT_GT &&
                           !parsed->raw_buffer)
                           ? 1
                           : 0;
    DetectUrilenFree(NULL, parsed);
    return ok;
}
360 
/** \test "<" with a spaced "norm" option parses as less-than, raw flag unset */
static int DetectUrilenParseTest08(void)
{
    DetectUrilenData *parsed = DetectUrilenParse("<10, norm ");
    if (parsed == NULL) {
        return 0;
    }

    const int ok = (parsed->du16.arg1 == 10 && parsed->du16.mode == DETECT_UINT_LT &&
                           !parsed->raw_buffer)
                           ? 1
                           : 0;
    DetectUrilenFree(NULL, parsed);
    return ok;
}
377 
/** \test ">" with a spaced "raw" option parses as greater-than with the raw flag set */
static int DetectUrilenParseTest09(void)
{
    DetectUrilenData *parsed = DetectUrilenParse(">10, raw ");
    if (parsed == NULL) {
        return 0;
    }

    const int ok = (parsed->du16.arg1 == 10 && parsed->du16.mode == DETECT_UINT_GT &&
                           parsed->raw_buffer)
                           ? 1
                           : 0;
    DetectUrilenFree(NULL, parsed);
    return ok;
}
393 
/** \test "<" with a spaced "raw" option parses as less-than with the raw flag set */
static int DetectUrilenParseTest10(void)
{
    DetectUrilenData *parsed = DetectUrilenParse("<10, raw ");
    if (parsed == NULL) {
        return 0;
    }

    const int ok = (parsed->du16.arg1 == 10 && parsed->du16.mode == DETECT_UINT_LT &&
                           parsed->raw_buffer)
                           ? 1
                           : 0;
    DetectUrilenFree(NULL, parsed);
    return ok;
}
409 
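/**
 * \brief Test helper: create a detection engine context, load one signature
 *        carrying the given urilen options, and parse the same options again.
 *
 * \param de_ctx out: new detection engine context, NULL if creation failed
 * \param sig out: the loaded signature, NULL if it could not be loaded
 * \param urilend out: result of DetectUrilenParse(str); may be NULL even when
 *                this function returns 1, so callers must check it
 * \param str urilen option string placed after "urilen:" in the rule
 *
 * \retval 1 context and signature were created
 * \retval 0 the rule did not fit the buffer, or context/signature setup failed;
 *           *de_ctx may still be non-NULL and is then the caller's to free
 */
static int DetectUrilenInitTest(DetectEngineCtx **de_ctx, Signature **sig,
                                DetectUrilenData **urilend, const char *str)
{
    char fullstr[1024];
    int result = 0;

    *de_ctx = NULL;
    *sig = NULL;
    /* give the third out-parameter a defined value on every failure path too */
    *urilend = NULL;

    /* Reject both truncation and an snprintf() error (negative return). */
    const int written = snprintf(fullstr, sizeof(fullstr),
            "alert ip any any -> any any (msg:\"Urilen "
            "test\"; urilen:%s; sid:1;)", str);
    if (written < 0 || (size_t)written >= sizeof(fullstr)) {
        goto end;
    }

    /* NOTE(review): this assignment (source line 430) was dropped from the
     * listing; restored from the DetectEngineCtxInit reference on the page --
     * confirm against upstream. */
    *de_ctx = DetectEngineCtxInit();
    if (*de_ctx == NULL) {
        goto end;
    }

    (*de_ctx)->flags |= DE_QUIET;

    (*de_ctx)->sig_list = SigInit(*de_ctx, fullstr);
    if ((*de_ctx)->sig_list == NULL) {
        goto end;
    }

    *sig = (*de_ctx)->sig_list;

    *urilend = DetectUrilenParse(str);

    result = 1;

end:
    return result;
}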
451 
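/**
 * \test DetectUrilenSetpTest01 sets up a valid urilen range using the "<>"
 *       operator with spaces around the given values. The values are set up
 *       by initializing the detection engine context and the signature itself.
 */
static int DetectUrilenSetpTest01(void)
{
    DetectUrilenData *urilend = NULL;
    Signature *sig = NULL;
    DetectEngineCtx *de_ctx = NULL;
    /* Starts at 0 and is only raised by the value check below. The original
     * reused the helper's return value (1) as the result, so the test passed
     * even when the parsed values were wrong or urilend was NULL. */
    int result = 0;

    if (DetectUrilenInitTest(&de_ctx, &sig, &urilend, "1 <> 2 ") == 0) {
        goto cleanup;
    }

    if (urilend == NULL)
        goto cleanup;

    if (urilend->du16.arg1 == 1 && urilend->du16.arg2 == 2 &&
            urilend->du16.mode == DETECT_UINT_RA)
        result = 1;

cleanup:
    if (urilend)
        DetectUrilenFree(NULL, urilend);
    /* NOTE(review): the three engine cleanup calls (source lines 484-486) were
     * dropped from the listing; restored from the references on the page --
     * confirm against upstream. The NULL guard also releases a context that
     * the helper created before failing, which the original leaked. */
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    return result;
}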
490 
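/**
 * \test Check two signatures with a given urilen against one HTTP request.
 *
 * The request URI is "/suricata" (9 bytes), so sid 1 (urilen: <5) must not
 * alert and sid 2 (urilen: >5) must alert.
 *
 * NOTE(review): source lines 505, 519-522, 526, 549 and 580 were dropped from
 * the listing; the statements marked "restored" below are rebuilt from the
 * references shown on the page -- confirm against upstream.
 */
static int DetectUrilenSigTest01(void)
{
    int result = 0;
    Flow f;
    uint8_t httpbuf1[] = "POST /suricata HTTP/1.0\r\n"
                         "Host: foo.bar.tld\r\n"
                         "\r\n";
    uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
    TcpSession ssn;
    Packet *p = NULL;
    Signature *s = NULL;
    ThreadVars th_v;
    DetectEngineThreadCtx *det_ctx = NULL;
    /* restored */
    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    p->flow = &f;
    /* restored: mark the packet as to-server traffic on an established HTTP/1 flow */
    p->flowflags |= FLOW_PKT_TOSERVER;
    p->flowflags |= FLOW_PKT_ESTABLISHED;
    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
    f.alproto = ALPROTO_HTTP1;

    StreamTcpInitConfig(true);

    /* restored */
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        goto end;
    }

    de_ctx->flags |= DE_QUIET;

    s = de_ctx->sig_list = SigInit(de_ctx,
                                   "alert tcp any any -> any any "
                                   "(msg:\"Testing urilen\"; "
                                   "urilen: <5; sid:1;)");
    if (s == NULL) {
        goto end;
    }

    s = s->next = SigInit(de_ctx,
                          "alert tcp any any -> any any "
                          "(msg:\"Testing http_method\"; "
                          "urilen: >5; sid:2;)");
    if (s == NULL) {
        goto end;
    }

    /* restored */
    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
    if (r != 0) {
        SCLogDebug("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    HtpState *htp_state = f.alstate;
    if (htp_state == NULL) {
        SCLogDebug("no http state: ");
        goto end;
    }

    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);

    if ((PacketAlertCheck(p, 1))) {
        printf("sid 1 alerted, but should not have: \n");
        goto end;
    }
    if (!PacketAlertCheck(p, 2)) {
        printf("sid 2 did not alerted, but should have: \n");
        goto end;
    }

    result = 1;

end:
    /* Braced so the guard cannot attach to a different statement; in the
     * listing the dropped call left this `if` governing SigGroupCleanup. */
    if (alp_tctx != NULL) {
        /* restored */
        AppLayerParserThreadCtxFree(alp_tctx);
    }
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
        DetectEngineCtxFree(de_ctx);
    }

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p, 1);
    return result;
}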
590 
/**
 * \brief Register every urilen unit test with the unit test framework,
 *        in the order listed in the table below.
 */
void DetectUrilenRegisterTests(void)
{
    static const struct {
        const char *name;
        int (*fn)(void);
    } urilen_tests[] = {
        { "DetectUrilenParseTest01", DetectUrilenParseTest01 },
        { "DetectUrilenParseTest02", DetectUrilenParseTest02 },
        { "DetectUrilenParseTest03", DetectUrilenParseTest03 },
        { "DetectUrilenParseTest04", DetectUrilenParseTest04 },
        { "DetectUrilenParseTest05", DetectUrilenParseTest05 },
        { "DetectUrilenParseTest06", DetectUrilenParseTest06 },
        { "DetectUrilenParseTest07", DetectUrilenParseTest07 },
        { "DetectUrilenParseTest08", DetectUrilenParseTest08 },
        { "DetectUrilenParseTest09", DetectUrilenParseTest09 },
        { "DetectUrilenParseTest10", DetectUrilenParseTest10 },
        { "DetectUrilenSetpTest01", DetectUrilenSetpTest01 },
        { "DetectUrilenSigTest01", DetectUrilenSigTest01 },
    };

    for (size_t i = 0; i < sizeof(urilen_tests) / sizeof(urilen_tests[0]); i++) {
        UtRegisterTest(urilen_tests[i].name, urilen_tests[i].fn);
    }
}
609 #endif /* UNITTESTS */
util-byte.h
detect-engine-uint.h
SigTableElmt_::url
const char * url
Definition: detect.h:1238
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1493
detect-content.h
detect-engine.h
SigTableElmt_::desc
const char * desc
Definition: detect.h:1237
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:996
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1225
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1235
stream-tcp.h
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DETECT_UINT_LT
#define DETECT_UINT_LT
Definition: detect-engine-uint.h:37
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:62
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:296
DETECT_UINT_NE
#define DETECT_UINT_NE
Definition: detect-engine-uint.h:36
Flow_::proto
uint8_t proto
Definition: flow.h:378
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
Packet_::flags
uint32_t flags
Definition: decode.h:460
Flow_
Flow data structure.
Definition: flow.h:356
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2129
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:784
SC_ERR_INVALID_SIGNATURE
@ SC_ERR_INVALID_SIGNATURE
Definition: util-error.h:69
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2445
DETECT_UINT_EQ
#define DETECT_UINT_EQ
Definition: detect-engine-uint.h:35
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:316
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:226
DE_QUIET
#define DE_QUIET
Definition: detect.h:287
stream-tcp-reassemble.h
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:339
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1788
DetectContentData_
Definition: detect-content.h:86
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:46
DETECT_UINT_GT
#define DETECT_UINT_GT
Definition: detect-engine-uint.h:32
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:456
Flow_::protoctx
void * protoctx
Definition: flow.h:454
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1220
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:96
DetectUrilenApplyToContent
void DetectUrilenApplyToContent(Signature *s, int list)
set prefilter dsize pair
Definition: detect-urilen.c:148
util-unittest.h
HtpState_
Definition: app-layer-htp.h:245
util-unittest-helper.h
Signature_::next
struct Signature_ * next
Definition: detect.h:613
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:361
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
app-layer-htp.h
util-debug.h
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1024
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:22
SCEnter
#define SCEnter(...)
Definition: util-debug.h:298
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:317
DetectContentData_::id
PatIntId id
Definition: detect-content.h:98
app-layer-parser.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:316
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2022
DetectContentData_::depth
uint16_t depth
Definition: detect-content.h:99
stream.h
Packet_
Definition: decode.h:425
detect-engine-build.h
DETECT_UINT_GTE
#define DETECT_UINT_GTE
Definition: detect-engine-uint.h:33
stream-tcp-private.h
detect-engine-alert.h
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:610
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1203
SignatureInitData_::smlists
struct SigMatch_ ** smlists
Definition: detect.h:533
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:238
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1954
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:295
Packet_::flow
struct Flow_ * flow
Definition: decode.h:462
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3154
DetectBufferTypeRegister
int DetectBufferTypeRegister(const char *name)
Definition: detect-engine.c:1032
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:669
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1280
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:314
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:30
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:76
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:255
DetectUrilenRegister
void DetectUrilenRegister(void)
Registration function for urilen: keyword.
Definition: detect-urilen.c:61
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:790
DETECT_UINT_LTE
#define DETECT_UINT_LTE
Definition: detect-engine-uint.h:38
str
#define str(s)
Definition: suricata-common.h:280
Flow_::alstate
void * alstate
Definition: flow.h:489
Signature_::id
uint32_t id
Definition: detect.h:573
Flow_::flags
uint32_t flags
Definition: flow.h:434
detect-parse.h
Signature_
Signature container.
Definition: detect.h:539
SigMatch_
a single match condition for a signature
Definition: detect.h:313
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:228
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2406
app-layer-protos.h
detect-urilen.h
DetectContentData_::content_len
uint16_t content_len
Definition: detect-content.h:88
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:785
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:68
TcpSession_
Definition: stream-tcp-private.h:272
DetectUrilenValidateContent
bool DetectUrilenValidateContent(const Signature *s, int list, const char **sigerror)
Definition: detect-urilen.c:211
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:463
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:302
DETECT_AL_URILEN
@ DETECT_AL_URILEN
Definition: detect-engine-register.h:131
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:352
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:130
DETECT_UINT_RA
#define DETECT_UINT_RA
Definition: detect-engine-uint.h:34
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:993
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1227
app-layer.h
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:470