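/**
 * \brief Parse the "<proto>.<event>" argument of the app-layer-event keyword,
 *        resolving only the protocol part.
 *
 * The event name after the '.' is not looked up here; a copy of the whole
 * argument is stored in the returned data instead.
 *
 * \param arg keyword argument taken from the rule; must not be NULL.
 *
 * \retval aled newly allocated data with alproto set and aled->arg holding a
 *              copy of arg.
 * \retval NULL if the argument has no '.', the protocol name does not fit the
 *              local buffer, the protocol is unknown, or allocation fails.
 */
static DetectAppLayerEventData *DetectAppLayerEventParseAppP1(const char *arg)
{
    DetectAppLayerEventData *aled;
    AppProto alproto;
    char alproto_name[50];

    /* period index */
    const char *p_idx = strchr(arg, '.');
    if (p_idx == NULL) {
        /* without this check the pointer arithmetic below is done on NULL */
        SCLogError(SC_ERR_INVALID_SIGNATURE, "app-layer-event keyword "
                   "supplied with argument \"%s\" that has no '.' between "
                   "protocol and event", arg);
        return NULL;
    }

    /* The copy length comes from rule text, so it has to be bounded by the
     * destination size: passing "p_idx - arg + 1" straight to strlcpy() lets
     * a protocol name of 50 or more characters write past alproto_name. */
    const size_t name_len = (size_t)(p_idx - arg);
    if (name_len >= sizeof(alproto_name)) {
        SCLogError(SC_ERR_INVALID_SIGNATURE, "app-layer-event keyword "
                   "supplied with too long protocol name in \"%s\"", arg);
        return NULL;
    }

    /* + 1 for trailing \0 */
    strlcpy(alproto_name, arg, name_len + 1);

    alproto = AppLayerGetProtoByName(alproto_name);
    if (alproto == ALPROTO_UNKNOWN) {
        SCLogError(SC_ERR_INVALID_SIGNATURE, "app-layer-event keyword "
                   "supplied with unknown protocol \"%s\"", alproto_name);
        return NULL;
    }

    aled = SCMalloc(sizeof(*aled));
    if (unlikely(aled == NULL))
        return NULL;
    memset(aled, 0x00, sizeof(*aled));

    aled->alproto = alproto;
    aled->arg = SCStrdup(arg);
    if (aled->arg == NULL) {
        /* do not hand back a half-built object */
        SCFree(aled);
        return NULL;
    }

    return aled;
}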
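/**
 * \brief Parse the "<proto>.<event>" argument of the app-layer-event keyword
 *        and resolve both the protocol and the event id.
 *
 * \param arg        keyword argument taken from the rule; must not be NULL.
 * \param event_type passed through to AppLayerGetEventInfo()
 *                   (presumably filled in by it - confirm against that API).
 *
 * \retval aled newly allocated, zeroed data with alproto and event_id set.
 * \retval NULL if the argument has no '.', the protocol name does not fit the
 *              local buffer, the protocol or event is unknown, or allocation
 *              fails.
 */
static DetectAppLayerEventData *DetectAppLayerEventParseApp(const char *arg,
                                                            AppLayerEventType *event_type)
{
    DetectAppLayerEventData *aled;
    uint16_t alproto;
    int event_id = 0;
    char alproto_name[50];
    int r = 0;

    /* period index */
    const char *p_idx = strchr(arg, '.');
    if (p_idx == NULL) {
        /* without this check the pointer arithmetic below is done on NULL */
        SCLogError(SC_ERR_INVALID_SIGNATURE, "app-layer-event keyword "
                   "supplied with argument \"%s\" that has no '.' between "
                   "protocol and event", arg);
        return NULL;
    }

    /* The copy length comes from rule text, so it has to be bounded by the
     * destination size: passing "p_idx - arg + 1" straight to strlcpy() lets
     * a protocol name of 50 or more characters write past alproto_name. */
    const size_t name_len = (size_t)(p_idx - arg);
    if (name_len >= sizeof(alproto_name)) {
        SCLogError(SC_ERR_INVALID_SIGNATURE, "app-layer-event keyword "
                   "supplied with too long protocol name in \"%s\"", arg);
        return NULL;
    }

    /* + 1 for trailing \0 */
    strlcpy(alproto_name, arg, name_len + 1);

    /* XXX HACK to support "dns" we use this trick */
    if (strcasecmp(alproto_name, "dns") == 0)
        strlcpy(alproto_name, "dnsudp", sizeof(alproto_name));

    alproto = AppLayerGetProtoByName(alproto_name);
    if (alproto == ALPROTO_UNKNOWN) {
        SCLogError(SC_ERR_INVALID_SIGNATURE, "app-layer-event keyword "
                   "supplied with unknown protocol \"%s\"", alproto_name);
        return NULL;
    }

    /* everything after the '.' is the event name */
    r = AppLayerGetEventInfo(alproto, p_idx + 1, &event_id, event_type);
    if (r < 0) {
        SCLogError(SC_ERR_INVALID_SIGNATURE, "app-layer-event keyword's "
                   "protocol \"%s\" doesn't have event \"%s\" registered",
                   alproto_name, p_idx + 1);
        return NULL;
    }

    aled = SCMalloc(sizeof(*aled));
    if (unlikely(aled == NULL))
        return NULL;
    memset(aled, 0x00, sizeof(*aled));

    aled->alproto = alproto;
    aled->event_id = event_id;

    return aled;
}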
/**
 * \brief Parse the argument of the app-layer-protocol keyword.
 *
 * Leading whitespace is skipped, an optional '!' marks the match as negated,
 * whitespace after the '!' is skipped as well, and the remaining text is
 * looked up as a protocol name.
 *
 * \param arg keyword argument taken from the rule; may be NULL.
 *
 * \retval data newly allocated keyword data with alproto and negated set.
 * \retval NULL if arg is NULL, the protocol is unknown, or allocation fails.
 */
static DetectAppLayerProtocolData *DetectAppLayerProtocolParse(const char *arg)
{
    if (arg == NULL) {
        SCLogError(SC_ERR_INVALID_SIGNATURE, "app-layer-protocol keyword "
                   "supplied with no arguments. This keyword needs "
                   "an argument.");
        return NULL;
    }

    const char *name = arg;

    /* whitespace before an optional negation marker */
    for (; *name != '\0' && isspace((unsigned char)*name); name++)
        ;

    uint8_t is_negated = 0;
    if (name[0] == '!') {
        is_negated = 1;
        name++;
    }

    /* whitespace between the marker and the protocol name */
    for (; *name != '\0' && isspace((unsigned char)*name); name++)
        ;

    AppProto proto = AppLayerGetProtoByName((char *)name);
    if (proto == ALPROTO_UNKNOWN) {
        SCLogError(SC_ERR_INVALID_SIGNATURE, "app-layer-protocol "
                   "keyword supplied with unknown protocol \"%s\"", name);
        return NULL;
    }

    DetectAppLayerProtocolData *parsed = SCMalloc(sizeof(DetectAppLayerProtocolData));
    if (unlikely(parsed == NULL))
        return NULL;

    /* NOTE(review): the allocation is not zeroed; only these two fields are
     * written here - confirm the struct has no other members that are read. */
    parsed->alproto = proto;
    parsed->negated = is_negated;

    return parsed;
}
/**
 * \brief Build app-layer-protocol keyword data from a protocol name.
 *
 * The literal name "failed" maps to ALPROTO_FAILED; any other name is
 * resolved through AppLayerGetProtoByName().
 *
 * \param arg    protocol name; passed to strcmp() unchecked, so it must not
 *               be NULL.
 * \param negate stored as the negated flag of the returned data.
 *
 * \retval data newly allocated keyword data with alproto and negated set.
 * \retval NULL if the protocol is unknown or allocation fails.
 */
static DetectAppLayerProtocolData *DetectAppLayerProtocolParse(const char *arg, bool negate)
{
    AppProto proto = ALPROTO_UNKNOWN;

    if (strcmp(arg, "failed") != 0) {
        proto = AppLayerGetProtoByName((char *)arg);
        if (proto == ALPROTO_UNKNOWN) {
            SCLogError(SC_ERR_INVALID_SIGNATURE, "app-layer-protocol "
                       "keyword supplied with unknown protocol \"%s\"", arg);
            return NULL;
        }
    } else {
        proto = ALPROTO_FAILED;
    }

    DetectAppLayerProtocolData *parsed = SCMalloc(sizeof(DetectAppLayerProtocolData));
    if (unlikely(parsed == NULL))
        return NULL;

    /* NOTE(review): the allocation is not zeroed; only these two fields are
     * written here - confirm the struct has no other members that are read. */
    parsed->alproto = proto;
    parsed->negated = negate;

    return parsed;
}
/**
 * \brief Thin wrapper that forwards a protocol name to
 *        AppLayerGetProtoByName().
 *
 * \param alproto protocol name, handed to the lookup unchanged.
 *
 * \retval the lookup result, returned as uint16_t.
 */
uint16_t AppLayerDecoderEventsModuleGetAlproto(const char *alproto)
{
    const uint16_t proto_id = AppLayerGetProtoByName(alproto);

    return proto_id;
}