/**
 * \brief Register the ssl_version keyword with the detection engine.
 *
 * Fills the DETECT_AL_SSL_VERSION slot of sigmatch_table with the
 * keyword's callbacks, compiles the option-parsing regex into
 * parse_regex / parse_regex_study and registers the "tls_generic"
 * buffer type, keeping its list id in g_tls_generic_list_id.
 */
void DetectSslVersionRegister(void)
{
    const int kw = DETECT_AL_SSL_VERSION;

    /* keyword name and the callbacks the engine invokes for it */
    sigmatch_table[kw].name = "ssl_version";
    sigmatch_table[kw].Setup = DetectSslVersionSetup;
    sigmatch_table[kw].Free = DetectSslVersionFree;
    sigmatch_table[kw].AppLayerTxMatch = DetectSslVersionMatch;
    sigmatch_table[kw].RegisterTests = DetectSslVersionRegisterTests;

    /* compile PARSE_REGEX once; presumably consumed by Setup — confirm */
    DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);

    g_tls_generic_list_id = DetectBufferTypeRegister("tls_generic");
}
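/**
 * \brief Registration function for the TLS certificate keywords.
 *
 * Despite the historical name of this function it does not register
 * tls.version; it registers four keywords: tls.subject, tls.issuerdn,
 * tls.fingerprint and tls_store (alias tls.store). It also compiles the
 * option-parsing regexes, registers the "tls_cert" buffer type (list id
 * kept in g_tls_cert_list_id) and attaches the InspectTlsCert engine to
 * that buffer for server-to-client traffic once the TLS state has reached
 * TLS_STATE_CERT_READY.
 */
void DetectTlsRegister(void)
{
    const int subject = DETECT_AL_TLS_SUBJECT;
    const int issuerdn = DETECT_AL_TLS_ISSUERDN;
    const int fingerprint = DETECT_AL_TLS_FINGERPRINT;
    const int store = DETECT_AL_TLS_STORE;

    /* tls.subject: per-transaction match on the certificate Subject field */
    sigmatch_table[subject].name = "tls.subject";
    sigmatch_table[subject].desc = "match TLS/SSL certificate Subject field";
    sigmatch_table[subject].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#tlssubject";
    sigmatch_table[subject].AppLayerTxMatch = DetectTlsSubjectMatch;
    sigmatch_table[subject].Setup = DetectTlsSubjectSetup;
    sigmatch_table[subject].Free = DetectTlsSubjectFree;
    sigmatch_table[subject].RegisterTests = DetectTlsSubjectRegisterTests;
    sigmatch_table[subject].flags = SIGMATCH_QUOTES_MANDATORY|SIGMATCH_HANDLE_NEGATION;

    /* tls.issuerdn: same shape as tls.subject, on the IssuerDN field */
    sigmatch_table[issuerdn].name = "tls.issuerdn";
    sigmatch_table[issuerdn].desc = "match TLS/SSL certificate IssuerDN field";
    sigmatch_table[issuerdn].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#tlsissuerdn";
    sigmatch_table[issuerdn].AppLayerTxMatch = DetectTlsIssuerDNMatch;
    sigmatch_table[issuerdn].Setup = DetectTlsIssuerDNSetup;
    sigmatch_table[issuerdn].Free = DetectTlsIssuerDNFree;
    sigmatch_table[issuerdn].RegisterTests = DetectTlsIssuerDNRegisterTests;
    sigmatch_table[issuerdn].flags = SIGMATCH_QUOTES_MANDATORY|SIGMATCH_HANDLE_NEGATION;

    /* tls.fingerprint: documented as the certificate's SHA1 fingerprint.
     * NOTE(review): treat it as an identifier for a known certificate, not
     * as a collision-resistant binding — confirm against the match code.
     * No unit tests are registered for this keyword. */
    sigmatch_table[fingerprint].name = "tls.fingerprint";
    sigmatch_table[fingerprint].desc = "match TLS/SSL certificate SHA1 fingerprint";
    sigmatch_table[fingerprint].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#tlsfingerprint";
    sigmatch_table[fingerprint].AppLayerTxMatch = DetectTlsFingerprintMatch;
    sigmatch_table[fingerprint].Setup = DetectTlsFingerprintSetup;
    sigmatch_table[fingerprint].Free = DetectTlsFingerprintFree;
    sigmatch_table[fingerprint].RegisterTests = NULL;
    sigmatch_table[fingerprint].flags = SIGMATCH_QUOTES_MANDATORY|SIGMATCH_HANDLE_NEGATION;

    /* tls_store: unlike the three keywords above it hooks the generic
     * post-match callback (Match) and has neither a Free nor tests.
     * SIGMATCH_NOOPT is OR-ed in so any flags already present on the
     * entry are preserved. */
    sigmatch_table[store].name = "tls_store";
    sigmatch_table[store].alias = "tls.store";
    sigmatch_table[store].desc = "store TLS/SSL certificate on disk";
    sigmatch_table[store].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#tlsstore";
    sigmatch_table[store].Match = DetectTlsStorePostMatch;
    sigmatch_table[store].Setup = DetectTlsStoreSetup;
    sigmatch_table[store].Free = NULL;
    sigmatch_table[store].RegisterTests = NULL;
    sigmatch_table[store].flags |= SIGMATCH_NOOPT;

    /* subject and issuerdn share PARSE_REGEX; fingerprint has its own */
    DetectSetupParseRegexes(PARSE_REGEX,
            &subject_parse_regex, &subject_parse_regex_study);
    DetectSetupParseRegexes(PARSE_REGEX,
            &issuerdn_parse_regex, &issuerdn_parse_regex_study);
    DetectSetupParseRegexes(PARSE_REGEX_FINGERPRINT,
            &fingerprint_parse_regex, &fingerprint_parse_regex_study);

    g_tls_cert_list_id = DetectBufferTypeRegister("tls_cert");

    /* inspection only runs to-client and only once the cert is available */
    DetectAppLayerInspectEngineRegister("tls_cert",
            ALPROTO_TLS, SIG_FLAG_TOCLIENT, TLS_STATE_CERT_READY,
            InspectTlsCert);
}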
/**
 * \brief Register the ssh.protoversion keyword.
 *
 * Populates the DETECT_AL_SSH_PROTOVERSION entry of sigmatch_table
 * (quotes around the argument are optional), compiles the option-parsing
 * regex and registers the "ssh_banner" buffer type, storing its list id
 * in g_ssh_banner_list_id.
 */
void DetectSshVersionRegister(void)
{
    const int kw = DETECT_AL_SSH_PROTOVERSION;

    sigmatch_table[kw].name = "ssh.protoversion";
    sigmatch_table[kw].flags = SIGMATCH_QUOTES_OPTIONAL;
    sigmatch_table[kw].Setup = DetectSshVersionSetup;
    sigmatch_table[kw].Free = DetectSshVersionFree;
    sigmatch_table[kw].AppLayerTxMatch = DetectSshVersionMatch;
    sigmatch_table[kw].RegisterTests = DetectSshVersionRegisterTests;

    /* compile PARSE_REGEX into the file-scope parse_regex pair */
    DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);

    g_ssh_banner_list_id = DetectBufferTypeRegister("ssh_banner");
}
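/**
 * \brief Registration function for the ftpbounce keyword.
 *
 * Fills the DETECT_FTPBOUNCE entry of sigmatch_table (no Free callback
 * and no desc are set here), registers the "ftp_request" buffer type
 * (list id kept in g_ftp_request_list_id) and attaches the
 * InspectFtpRequest engine to it for client-to-server traffic with no
 * minimum app-layer state.
 *
 * \todo add support for no_stream and stream_only
 */
void DetectFtpbounceRegister(void)
{
    const int kw = DETECT_FTPBOUNCE;

    sigmatch_table[kw].name = "ftpbounce";
    sigmatch_table[kw].Setup = DetectFtpbounceSetup;
    sigmatch_table[kw].AppLayerTxMatch = DetectFtpbounceALMatch;
    sigmatch_table[kw].RegisterTests = DetectFtpbounceRegisterTests;
    /* ".html" added so the URL has the same shape as every other keyword's
     * documentation link (tls-keywords.html, file-keywords.html, ...) */
    sigmatch_table[kw].url = DOC_URL DOC_VERSION "/rules/ftp-keywords.html#ftpbounce";
    sigmatch_table[kw].flags = SIGMATCH_NOOPT;

    g_ftp_request_list_id = DetectBufferTypeRegister("ftp_request");

    /* progress 0: inspect as soon as a to-server FTP request exists */
    DetectAppLayerInspectEngineRegister("ftp_request",
            ALPROTO_FTP, SIG_FLAG_TOSERVER, 0,
            InspectFtpRequest);
}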
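/**
 * \brief Registration function for keyword: fileext
 *
 * Fills the DETECT_FILEEXT entry of sigmatch_table — the keyword matches
 * through the file-level FileMatch callback, quotes around its argument
 * are optional and negation is flagged with SIGMATCH_HANDLE_NEGATION —
 * and registers the "files" buffer type, keeping its list id in
 * g_file_match_list_id.
 */
void DetectFileextRegister(void)
{
    const int kw = DETECT_FILEEXT;

    sigmatch_table[kw].name = "fileext";
    sigmatch_table[kw].desc = "match on the extension of a file name";
    sigmatch_table[kw].url = DOC_URL DOC_VERSION "/rules/file-keywords.html#fileext";
    sigmatch_table[kw].FileMatch = DetectFileextMatch;
    sigmatch_table[kw].Setup = DetectFileextSetup;
    sigmatch_table[kw].Free = DetectFileextFree;
    sigmatch_table[kw].RegisterTests = DetectFileextRegisterTests;
    sigmatch_table[kw].flags = SIGMATCH_QUOTES_OPTIONAL|SIGMATCH_HANDLE_NEGATION;

    g_file_match_list_id = DetectBufferTypeRegister("files");

    /* debug-level trace only; the redundant trailing return and the
     * tab indentation of the original line are gone */
    SCLogDebug("registering fileext rule option");
}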
/**
 * \brief Register the filestore keyword and its internal post-match entry.
 *
 * Two sigmatch_table slots are filled: DETECT_FILESTORE, the user-visible
 * "filestore" keyword (file-level FileMatch, argument optional), and
 * DETECT_FILESTORE_POSTMATCH, an internal entry named
 * "__filestore__postmatch__" that only carries a Match callback. Both
 * entries free their data through DetectFilestoreFree. The option-parsing
 * regex is compiled and the "files" buffer type registered, with its list
 * id kept in g_file_match_list_id.
 */
void DetectFilestoreRegister(void)
{
    const int kw = DETECT_FILESTORE;
    const int postmatch = DETECT_FILESTORE_POSTMATCH;

    /* user-visible keyword */
    sigmatch_table[kw].name = "filestore";
    sigmatch_table[kw].desc = "stores files to disk if the rule matched";
    sigmatch_table[kw].url = DOC_URL DOC_VERSION "/rules/file-keywords.html#filestore";
    sigmatch_table[kw].flags = SIGMATCH_OPTIONAL_OPT;
    sigmatch_table[kw].Setup = DetectFilestoreSetup;
    sigmatch_table[kw].Free = DetectFilestoreFree;
    sigmatch_table[kw].FileMatch = DetectFilestoreMatch;
    sigmatch_table[kw].RegisterTests = DetectFilestoreRegisterTests;

    /* internal post-match entry; no Setup or tests are registered for it */
    sigmatch_table[postmatch].name = "__filestore__postmatch__";
    sigmatch_table[postmatch].Free = DetectFilestoreFree;
    sigmatch_table[postmatch].Match = DetectFilestorePostMatch;

    DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);

    g_file_match_list_id = DetectBufferTypeRegister("files");
}
/**
 * \brief Register the ssh.softwareversion keyword.
 *
 * Fills the DETECT_AL_SSH_SOFTWAREVERSION entry of sigmatch_table (quotes
 * optional), compiles the option-parsing regex, registers the
 * "ssh_banner" buffer type (list id kept in g_ssh_banner_list_id) and
 * attaches the InspectSshBanner engine to that buffer in both directions,
 * gated on SSH_STATE_BANNER_DONE.
 */
void DetectSshSoftwareVersionRegister(void)
{
    const int kw = DETECT_AL_SSH_SOFTWAREVERSION;

    sigmatch_table[kw].name = "ssh.softwareversion";
    sigmatch_table[kw].flags = SIGMATCH_QUOTES_OPTIONAL;
    sigmatch_table[kw].Setup = DetectSshSoftwareVersionSetup;
    sigmatch_table[kw].Free = DetectSshSoftwareVersionFree;
    sigmatch_table[kw].AppLayerTxMatch = DetectSshSoftwareVersionMatch;
    sigmatch_table[kw].RegisterTests = DetectSshSoftwareVersionRegisterTests;

    DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);

    g_ssh_banner_list_id = DetectBufferTypeRegister("ssh_banner");

    /* the banner is exchanged by both peers, so one engine per direction */
    DetectAppLayerInspectEngineRegister("ssh_banner",
            ALPROTO_SSH, SIG_FLAG_TOSERVER, SSH_STATE_BANNER_DONE,
            InspectSshBanner);
    DetectAppLayerInspectEngineRegister("ssh_banner",
            ALPROTO_SSH, SIG_FLAG_TOCLIENT, SSH_STATE_BANNER_DONE,
            InspectSshBanner);
}
/**
 * \brief Register the krb5_err_code keyword.
 *
 * Called once in the lifetime of the engine. Fills the
 * DETECT_AL_KRB5_ERRCODE entry of sigmatch_table, attaches the generic
 * KRB5 inspection engine ("krb5_err_code" buffer, both directions, no
 * minimum state), compiles the option-parsing regex and registers the
 * buffer type, keeping its list id in g_krb5_err_code_list_id.
 */
void DetectKrb5ErrCodeRegister(void)
{
    const int kw = DETECT_AL_KRB5_ERRCODE;

    sigmatch_table[kw].name = "krb5_err_code";
    /* NOTE(review): desc reads "message type" although the keyword is the
     * error code; looks like a copy from krb5_msg_type — confirm */
    sigmatch_table[kw].desc = "match Kerberos 5 message type";
    sigmatch_table[kw].url = DOC_URL DOC_VERSION "/rules/kerberos-keywords.html#krb5_err_code";
    /* packet-level Match is explicitly disabled; matching is per transaction */
    sigmatch_table[kw].Match = NULL;
    sigmatch_table[kw].AppLayerTxMatch = DetectKrb5ErrCodeMatch;
    sigmatch_table[kw].Setup = DetectKrb5ErrCodeSetup;
    sigmatch_table[kw].Free = DetectKrb5ErrCodeFree;
    sigmatch_table[kw].RegisterTests = DetectKrb5ErrCodeRegisterTests;

    /* same generic inspector for requests and replies, progress 0 */
    DetectAppLayerInspectEngineRegister("krb5_err_code",
            ALPROTO_KRB5, SIG_FLAG_TOSERVER, 0,
            DetectEngineInspectKRB5Generic);
    DetectAppLayerInspectEngineRegister("krb5_err_code",
            ALPROTO_KRB5, SIG_FLAG_TOCLIENT, 0,
            DetectEngineInspectKRB5Generic);

    /* PCRE used when parsing the keyword argument */
    DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);

    g_krb5_err_code_list_id = DetectBufferTypeRegister("krb5_err_code");
    SCLogDebug("g_krb5_err_code_list_id %d", g_krb5_err_code_list_id);
}