/**
 * \brief Register the "ssl_version" rule keyword.
 *
 * Fills the sigmatch_table slot for DETECT_AL_SSL_VERSION with the
 * transaction match, setup, free and unit-test callbacks, compiles the
 * option-parsing regex, and registers the "tls_generic" buffer type,
 * storing its list id in g_tls_generic_list_id. Note that no desc, url
 * or flags are set for this keyword here.
 */
void DetectSslVersionRegister(void)
{
    const int kw = DETECT_AL_SSL_VERSION;

    sigmatch_table[kw].name = "ssl_version";
    sigmatch_table[kw].Setup = DetectSslVersionSetup;
    sigmatch_table[kw].Free = DetectSslVersionFree;
    sigmatch_table[kw].AppLayerTxMatch = DetectSslVersionMatch;
    sigmatch_table[kw].RegisterTests = DetectSslVersionRegisterTests;

    /* compile the regex used to parse the keyword's option string */
    DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);

    g_tls_generic_list_id = DetectBufferTypeRegister("tls_generic");
}
/**
 * \brief Register the certificate-related TLS rule keywords.
 *
 * Registers four keywords in sigmatch_table:
 *  - "tls.subject"     : match on the certificate Subject field
 *  - "tls.issuerdn"    : match on the certificate IssuerDN field
 *  - "tls.fingerprint" : match on the certificate SHA1 fingerprint
 *  - "tls_store" (alias "tls.store") : post-match action that stores
 *    the certificate on disk; takes no option (SIGMATCH_NOOPT)
 *
 * The three match keywords require quoted arguments and support
 * negation. The function also compiles the parsing regexes, registers
 * the "tls_cert" buffer type (id in g_tls_cert_list_id) and hooks the
 * InspectTlsCert engine for ALPROTO_TLS in the to-client direction once
 * the state reaches TLS_STATE_CERT_READY.
 *
 * NOTE(review): the fingerprint keyword matches a SHA1 digest; SHA-1 is
 * fine for identifying a known certificate but should not be treated as
 * collision resistant.
 */
void DetectTlsRegister (void)
{
    const int subject = DETECT_AL_TLS_SUBJECT;
    const int issuerdn = DETECT_AL_TLS_ISSUERDN;
    const int fingerprint = DETECT_AL_TLS_FINGERPRINT;
    const int store = DETECT_AL_TLS_STORE;
    const uint16_t match_flags = SIGMATCH_QUOTES_MANDATORY|SIGMATCH_HANDLE_NEGATION;

    /* tls.subject */
    sigmatch_table[subject].name = "tls.subject";
    sigmatch_table[subject].desc = "match TLS/SSL certificate Subject field";
    sigmatch_table[subject].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#tlssubject";
    sigmatch_table[subject].Setup = DetectTlsSubjectSetup;
    sigmatch_table[subject].Free = DetectTlsSubjectFree;
    sigmatch_table[subject].AppLayerTxMatch = DetectTlsSubjectMatch;
    sigmatch_table[subject].RegisterTests = DetectTlsSubjectRegisterTests;
    sigmatch_table[subject].flags = match_flags;

    /* tls.issuerdn */
    sigmatch_table[issuerdn].name = "tls.issuerdn";
    sigmatch_table[issuerdn].desc = "match TLS/SSL certificate IssuerDN field";
    sigmatch_table[issuerdn].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#tlsissuerdn";
    sigmatch_table[issuerdn].Setup = DetectTlsIssuerDNSetup;
    sigmatch_table[issuerdn].Free = DetectTlsIssuerDNFree;
    sigmatch_table[issuerdn].AppLayerTxMatch = DetectTlsIssuerDNMatch;
    sigmatch_table[issuerdn].RegisterTests = DetectTlsIssuerDNRegisterTests;
    sigmatch_table[issuerdn].flags = match_flags;

    /* tls.fingerprint: no unit tests registered */
    sigmatch_table[fingerprint].name = "tls.fingerprint";
    sigmatch_table[fingerprint].desc = "match TLS/SSL certificate SHA1 fingerprint";
    sigmatch_table[fingerprint].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#tlsfingerprint";
    sigmatch_table[fingerprint].Setup = DetectTlsFingerprintSetup;
    sigmatch_table[fingerprint].Free = DetectTlsFingerprintFree;
    sigmatch_table[fingerprint].AppLayerTxMatch = DetectTlsFingerprintMatch;
    sigmatch_table[fingerprint].RegisterTests = NULL;
    sigmatch_table[fingerprint].flags = match_flags;

    /* tls_store: post-match action, no Free/tests, option-less */
    sigmatch_table[store].name = "tls_store";
    sigmatch_table[store].alias = "tls.store";
    sigmatch_table[store].desc = "store TLS/SSL certificate on disk";
    sigmatch_table[store].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#tlsstore";
    sigmatch_table[store].Setup = DetectTlsStoreSetup;
    sigmatch_table[store].Free = NULL;
    sigmatch_table[store].Match = DetectTlsStorePostMatch;
    sigmatch_table[store].RegisterTests = NULL;
    sigmatch_table[store].flags |= SIGMATCH_NOOPT;

    /* option parsers: subject and issuerdn share PARSE_REGEX,
     * fingerprint has its own pattern */
    DetectSetupParseRegexes(PARSE_REGEX, &subject_parse_regex, &subject_parse_regex_study);
    DetectSetupParseRegexes(PARSE_REGEX, &issuerdn_parse_regex, &issuerdn_parse_regex_study);
    DetectSetupParseRegexes(PARSE_REGEX_FINGERPRINT, &fingerprint_parse_regex, &fingerprint_parse_regex_study);

    /* the certificate buffer is only inspected server->client, and only
     * once the parser signals the certificate is complete */
    g_tls_cert_list_id = DetectBufferTypeRegister("tls_cert");
    DetectAppLayerInspectEngineRegister("tls_cert", ALPROTO_TLS, SIG_FLAG_TOCLIENT,
            TLS_STATE_CERT_READY, InspectTlsCert);
}
/**
 * \brief Register the "ssh.protoversion" rule keyword.
 *
 * Installs the transaction match, setup, free and unit-test callbacks
 * for DETECT_AL_SSH_PROTOVERSION, marks the argument quotes as optional,
 * compiles the option-parsing regex and registers the "ssh_banner"
 * buffer type, storing its id in g_ssh_banner_list_id. No inspect
 * engine is hooked here (compare DetectSshSoftwareVersionRegister).
 */
void DetectSshVersionRegister(void)
{
    const int kw = DETECT_AL_SSH_PROTOVERSION;

    sigmatch_table[kw].name = "ssh.protoversion";
    sigmatch_table[kw].flags = SIGMATCH_QUOTES_OPTIONAL;
    sigmatch_table[kw].Setup = DetectSshVersionSetup;
    sigmatch_table[kw].Free = DetectSshVersionFree;
    sigmatch_table[kw].AppLayerTxMatch = DetectSshVersionMatch;
    sigmatch_table[kw].RegisterTests = DetectSshVersionRegisterTests;

    /* compile the regex used to parse the keyword's option string */
    DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);

    g_ssh_banner_list_id = DetectBufferTypeRegister("ssh_banner");
}
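/**
 * \brief Register the "ftpbounce" rule keyword.
 *
 * Installs the setup, transaction match and unit-test callbacks for
 * DETECT_FTPBOUNCE, marks the keyword as option-less (SIGMATCH_NOOPT),
 * registers the "ftp_request" buffer type (id in g_ftp_request_list_id)
 * and hooks the InspectFtpRequest engine for ALPROTO_FTP in the
 * to-server direction with no minimum progress state.
 *
 * No Free callback is installed; presumably the keyword allocates no
 * per-signature data since it takes no option (verify against
 * DetectFtpbounceSetup).
 *
 * Fix: the documentation url was missing the ".html" suffix that every
 * other keyword url in this file carries, so the link pointed at a
 * non-existent page.
 *
 * \todo add support for no_stream and stream_only
 */
void DetectFtpbounceRegister(void)
{
    const int kw = DETECT_FTPBOUNCE;

    sigmatch_table[kw].name = "ftpbounce";
    sigmatch_table[kw].url = DOC_URL DOC_VERSION "/rules/ftp-keywords.html#ftpbounce";
    sigmatch_table[kw].flags = SIGMATCH_NOOPT;
    sigmatch_table[kw].Setup = DetectFtpbounceSetup;
    sigmatch_table[kw].AppLayerTxMatch = DetectFtpbounceALMatch;
    sigmatch_table[kw].RegisterTests = DetectFtpbounceRegisterTests;

    /* requests are only inspected client->server */
    g_ftp_request_list_id = DetectBufferTypeRegister("ftp_request");
    DetectAppLayerInspectEngineRegister("ftp_request", ALPROTO_FTP, SIG_FLAG_TOSERVER,
            0, InspectFtpRequest);
}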
/**
 * \brief Register the "fileext" rule keyword.
 *
 * Installs the file match, setup, free and unit-test callbacks for
 * DETECT_FILEEXT along with its description and documentation url.
 * Argument quotes are optional and negation is supported. Registers
 * the "files" buffer type, storing its id in g_file_match_list_id.
 */
void DetectFileextRegister(void)
{
    const int kw = DETECT_FILEEXT;

    sigmatch_table[kw].name = "fileext";
    sigmatch_table[kw].desc = "match on the extension of a file name";
    sigmatch_table[kw].url = DOC_URL DOC_VERSION "/rules/file-keywords.html#fileext";
    sigmatch_table[kw].flags = SIGMATCH_QUOTES_OPTIONAL|SIGMATCH_HANDLE_NEGATION;
    sigmatch_table[kw].Setup = DetectFileextSetup;
    sigmatch_table[kw].Free = DetectFileextFree;
    sigmatch_table[kw].FileMatch = DetectFileextMatch;
    sigmatch_table[kw].RegisterTests = DetectFileextRegisterTests;

    g_file_match_list_id = DetectBufferTypeRegister("files");

    SCLogDebug("registering fileext rule option");
}
/**
 * \brief Register the "filestore" rule keyword and its post-match hook.
 *
 * Two sigmatch_table entries are filled:
 *  - DETECT_FILESTORE ("filestore"): file match, setup, free and
 *    unit-test callbacks; the option is optional (SIGMATCH_OPTIONAL_OPT).
 *  - DETECT_FILESTORE_POSTMATCH ("__filestore__postmatch__"): an
 *    internal entry with only a Match (DetectFilestorePostMatch) and
 *    Free callback; it shares DetectFilestoreFree with the main keyword.
 *
 * Also compiles the option-parsing regex and registers the "files"
 * buffer type, storing its id in g_file_match_list_id.
 */
void DetectFilestoreRegister(void)
{
    const int kw = DETECT_FILESTORE;
    const int postmatch = DETECT_FILESTORE_POSTMATCH;

    /* user-visible keyword */
    sigmatch_table[kw].name = "filestore";
    sigmatch_table[kw].desc = "stores files to disk if the rule matched";
    sigmatch_table[kw].url = DOC_URL DOC_VERSION "/rules/file-keywords.html#filestore";
    sigmatch_table[kw].flags = SIGMATCH_OPTIONAL_OPT;
    sigmatch_table[kw].Setup = DetectFilestoreSetup;
    sigmatch_table[kw].Free = DetectFilestoreFree;
    sigmatch_table[kw].FileMatch = DetectFilestoreMatch;
    sigmatch_table[kw].RegisterTests = DetectFilestoreRegisterTests;

    /* internal post-match entry; not meant to be written in rules */
    sigmatch_table[postmatch].name = "__filestore__postmatch__";
    sigmatch_table[postmatch].Free = DetectFilestoreFree;
    sigmatch_table[postmatch].Match = DetectFilestorePostMatch;

    /* compile the regex used to parse the keyword's option string */
    DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);

    g_file_match_list_id = DetectBufferTypeRegister("files");
}
/**
 * \brief Register the "ssh.softwareversion" rule keyword.
 *
 * Installs the transaction match, setup, free and unit-test callbacks
 * for DETECT_AL_SSH_SOFTWAREVERSION, marks argument quotes as optional,
 * compiles the option-parsing regex and registers the "ssh_banner"
 * buffer type (id in g_ssh_banner_list_id). The InspectSshBanner engine
 * is hooked for ALPROTO_SSH in both directions, gated on
 * SSH_STATE_BANNER_DONE, so both client and server banners are
 * inspected.
 */
void DetectSshSoftwareVersionRegister(void)
{
    const int kw = DETECT_AL_SSH_SOFTWAREVERSION;

    sigmatch_table[kw].name = "ssh.softwareversion";
    sigmatch_table[kw].flags = SIGMATCH_QUOTES_OPTIONAL;
    sigmatch_table[kw].Setup = DetectSshSoftwareVersionSetup;
    sigmatch_table[kw].Free = DetectSshSoftwareVersionFree;
    sigmatch_table[kw].AppLayerTxMatch = DetectSshSoftwareVersionMatch;
    sigmatch_table[kw].RegisterTests = DetectSshSoftwareVersionRegisterTests;

    /* compile the regex used to parse the keyword's option string */
    DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);

    g_ssh_banner_list_id = DetectBufferTypeRegister("ssh_banner");

    /* banner inspection runs once the banner is complete, either direction */
    DetectAppLayerInspectEngineRegister("ssh_banner", ALPROTO_SSH, SIG_FLAG_TOSERVER,
            SSH_STATE_BANNER_DONE, InspectSshBanner);
    DetectAppLayerInspectEngineRegister("ssh_banner", ALPROTO_SSH, SIG_FLAG_TOCLIENT,
            SSH_STATE_BANNER_DONE, InspectSshBanner);
}
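/**
 * \brief Register the "krb5_err_code" rule keyword.
 *
 * This function is called once in the 'lifetime' of the engine.
 *
 * Installs the transaction match, setup, free and unit-test callbacks
 * for DETECT_AL_KRB5_ERRCODE (the packet-level Match is explicitly
 * NULL), hooks DetectEngineInspectKRB5Generic for ALPROTO_KRB5 in both
 * directions with no minimum progress state, compiles the
 * option-parsing regex and registers the "krb5_err_code" buffer type,
 * storing its id in g_krb5_err_code_list_id.
 *
 * Fix: the desc string said "match Kerberos 5 message type", which is
 * the description of a different keyword; this keyword matches the
 * Kerberos 5 error code, and the text shown to users (e.g. in keyword
 * listings) now says so.
 */
void DetectKrb5ErrCodeRegister(void)
{
    const int kw = DETECT_AL_KRB5_ERRCODE;

    sigmatch_table[kw].name = "krb5_err_code";
    sigmatch_table[kw].desc = "match Kerberos 5 error code";
    sigmatch_table[kw].url = DOC_URL DOC_VERSION "/rules/kerberos-keywords.html#krb5_err_code";
    sigmatch_table[kw].Match = NULL;
    sigmatch_table[kw].AppLayerTxMatch = DetectKrb5ErrCodeMatch;
    sigmatch_table[kw].Setup = DetectKrb5ErrCodeSetup;
    sigmatch_table[kw].Free = DetectKrb5ErrCodeFree;
    sigmatch_table[kw].RegisterTests = DetectKrb5ErrCodeRegisterTests;

    /* error codes may appear in either direction, so inspect both */
    DetectAppLayerInspectEngineRegister("krb5_err_code", ALPROTO_KRB5, SIG_FLAG_TOSERVER,
            0, DetectEngineInspectKRB5Generic);
    DetectAppLayerInspectEngineRegister("krb5_err_code", ALPROTO_KRB5, SIG_FLAG_TOCLIENT,
            0, DetectEngineInspectKRB5Generic);

    /* set up the PCRE for keyword parsing */
    DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);

    g_krb5_err_code_list_id = DetectBufferTypeRegister("krb5_err_code");
    SCLogDebug("g_krb5_err_code_list_id %d", g_krb5_err_code_list_id);
}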