Esempi in C++ (Cpp) per DetectBufferTypeGetByName

Esempio n. 1

File: detect-bytejump.c Progetto: norg/suricata

/**
 * \brief this function registers unit tests for DetectBytejump
 */
static void DetectBytejumpRegisterTests(void)
{
#ifdef UNITTESTS
    g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
    g_dce_stub_data_buffer_id = DetectBufferTypeGetByName("dce_stub_data");

    UtRegisterTest("DetectBytejumpTestParse01", DetectBytejumpTestParse01);
    UtRegisterTest("DetectBytejumpTestParse02", DetectBytejumpTestParse02);
    UtRegisterTest("DetectBytejumpTestParse03", DetectBytejumpTestParse03);
    UtRegisterTest("DetectBytejumpTestParse04", DetectBytejumpTestParse04);
    UtRegisterTest("DetectBytejumpTestParse05", DetectBytejumpTestParse05);
    UtRegisterTest("DetectBytejumpTestParse06", DetectBytejumpTestParse06);
    UtRegisterTest("DetectBytejumpTestParse07", DetectBytejumpTestParse07);
    UtRegisterTest("DetectBytejumpTestParse08", DetectBytejumpTestParse08);
    UtRegisterTest("DetectBytejumpTestParse09", DetectBytejumpTestParse09);
    UtRegisterTest("DetectBytejumpTestParse10", DetectBytejumpTestParse10);
    UtRegisterTest("DetectBytejumpTestParse11", DetectBytejumpTestParse11);
    UtRegisterTest("DetectBytejumpTestParse12", DetectBytejumpTestParse12);

    UtRegisterTest("DetectByteJumpTestPacket01", DetectByteJumpTestPacket01);
    UtRegisterTest("DetectByteJumpTestPacket02", DetectByteJumpTestPacket02);
    UtRegisterTest("DetectByteJumpTestPacket03", DetectByteJumpTestPacket03);
    UtRegisterTest("DetectByteJumpTestPacket04", DetectByteJumpTestPacket04);
    UtRegisterTest("DetectByteJumpTestPacket05", DetectByteJumpTestPacket05);
    UtRegisterTest("DetectByteJumpTestPacket06", DetectByteJumpTestPacket06);
    UtRegisterTest("DetectByteJumpTestPacket07", DetectByteJumpTestPacket07);
#endif /* UNITTESTS */
}

Esempio n. 2

File: detect-http-uri.c Progetto: bmeeks8/suricata

/**
 * \brief Registration function for keyword: http_uri
 */
void DetectHttpUriRegister (void)
{
    sigmatch_table[DETECT_AL_HTTP_URI].name = "http_uri";
    sigmatch_table[DETECT_AL_HTTP_URI].desc = "content modifier to match specifically and only on the HTTP uri-buffer";
    sigmatch_table[DETECT_AL_HTTP_URI].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-uri-and-http-raw-uri";
    sigmatch_table[DETECT_AL_HTTP_URI].Match = NULL;
    sigmatch_table[DETECT_AL_HTTP_URI].Setup = DetectHttpUriSetup;
    sigmatch_table[DETECT_AL_HTTP_URI].Free  = NULL;
    sigmatch_table[DETECT_AL_HTTP_URI].RegisterTests = DetectHttpUriRegisterTests;

    sigmatch_table[DETECT_AL_HTTP_URI].flags |= SIGMATCH_NOOPT;

    DetectAppLayerMpmRegister("http_uri", SIG_FLAG_TOSERVER, 2,
            PrefilterTxUriRegister);

    DetectAppLayerInspectEngineRegister("http_uri",
            ALPROTO_HTTP, SIG_FLAG_TOSERVER, HTP_REQUEST_LINE,
            DetectEngineInspectHttpUri);

    DetectBufferTypeSetDescriptionByName("http_uri",
            "http request uri");

    DetectBufferTypeRegisterSetupCallback("http_uri",
            DetectHttpUriSetupCallback);

    DetectBufferTypeRegisterValidateCallback("http_uri",
            DetectHttpUriValidateCallback);

    g_http_uri_buffer_id = DetectBufferTypeGetByName("http_uri");
}

Esempio n. 3

File: detect-http-stat-msg.c Progetto: norg/suricata

/**
 * \brief Registration function for keyword: http_stat_msg
 */
void DetectHttpStatMsgRegister (void)
{
    sigmatch_table[DETECT_AL_HTTP_STAT_MSG].name = "http_stat_msg";
    sigmatch_table[DETECT_AL_HTTP_STAT_MSG].desc = "content modifier to match on HTTP stat-msg-buffer";
    sigmatch_table[DETECT_AL_HTTP_STAT_MSG].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http_stat-msg";
    sigmatch_table[DETECT_AL_HTTP_STAT_MSG].Match = NULL;
    sigmatch_table[DETECT_AL_HTTP_STAT_MSG].Setup = DetectHttpStatMsgSetup;
    sigmatch_table[DETECT_AL_HTTP_STAT_MSG].Free  = NULL;
    sigmatch_table[DETECT_AL_HTTP_STAT_MSG].RegisterTests = DetectHttpStatMsgRegisterTests;

    sigmatch_table[DETECT_AL_HTTP_STAT_MSG].flags |= SIGMATCH_NOOPT;

    DetectAppLayerMpmRegister("http_stat_msg", SIG_FLAG_TOCLIENT, 3,
            PrefilterTxHttpStatMsgRegister);

    DetectAppLayerInspectEngineRegister("http_stat_msg",
            ALPROTO_HTTP, SIG_FLAG_TOCLIENT, HTP_RESPONSE_LINE,
            DetectEngineInspectHttpStatMsg);

    DetectBufferTypeSetDescriptionByName("http_stat_msg",
            "http response status message");

    DetectBufferTypeRegisterSetupCallback("http_stat_msg",
            DetectHttpStatMsgSetupCallback);

    g_http_stat_msg_buffer_id = DetectBufferTypeGetByName("http_stat_msg");
}

Esempio n. 4

File: detect-tls-cert-issuer.c Progetto: bmeeks8/suricata

/**
 * \brief Registration function for keyword: tls_cert_issuer
 */
void DetectTlsIssuerRegister(void)
{
    sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].name = "tls_cert_issuer";
    sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].desc = "content modifier to match specifically and only on the TLS cert issuer buffer";
    sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#tls-cert-issuer";
    sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].Match = NULL;
    sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].Setup = DetectTlsIssuerSetup;
    sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].Free  = NULL;
    sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].RegisterTests = DetectTlsIssuerRegisterTests;

    sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].flags |= SIGMATCH_NOOPT;

    DetectAppLayerInspectEngineRegister2("tls_cert_issuer", ALPROTO_TLS,
            SIG_FLAG_TOCLIENT, TLS_STATE_CERT_READY,
            DetectEngineInspectBufferGeneric, GetData);

    DetectAppLayerMpmRegister2("tls_cert_issuer", SIG_FLAG_TOCLIENT, 2,
            PrefilterGenericMpmRegister, GetData, ALPROTO_TLS,
            TLS_STATE_CERT_READY);

    DetectBufferTypeSetDescriptionByName("tls_cert_issuer",
            "TLS certificate issuer");

    g_tls_cert_issuer_buffer_id = DetectBufferTypeGetByName("tls_cert_issuer");
}

Esempio n. 5

File: detect-http-request-line.c Progetto: gozzy/suricata

/**
 * \brief Registers the keyword handlers for the "http_request_line" keyword.
 */
void DetectHttpRequestLineRegister(void)
{
    sigmatch_table[DETECT_AL_HTTP_REQUEST_LINE].name = "http.request_line";
    sigmatch_table[DETECT_AL_HTTP_REQUEST_LINE].alias = "http_request_line";
    sigmatch_table[DETECT_AL_HTTP_REQUEST_LINE].desc = "sticky buffer to match on the HTTP request line";
    sigmatch_table[DETECT_AL_HTTP_REQUEST_LINE].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-request-line";
    sigmatch_table[DETECT_AL_HTTP_REQUEST_LINE].Match = NULL;
    sigmatch_table[DETECT_AL_HTTP_REQUEST_LINE].Setup = DetectHttpRequestLineSetup;
    sigmatch_table[DETECT_AL_HTTP_REQUEST_LINE].RegisterTests = DetectHttpRequestLineRegisterTests;

    sigmatch_table[DETECT_AL_HTTP_REQUEST_LINE].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;

    DetectAppLayerInspectEngineRegister2("http_request_line",
            ALPROTO_HTTP, SIG_FLAG_TOSERVER, HTP_REQUEST_LINE,
            DetectEngineInspectBufferGeneric,
            GetData);

    DetectAppLayerMpmRegister2("http_request_line", SIG_FLAG_TOSERVER, 2,
            PrefilterGenericMpmRegister, GetData,
            ALPROTO_HTTP, HTP_REQUEST_LINE);

    DetectBufferTypeSetDescriptionByName("http_request_line",
            "http request line");

    g_http_request_line_buffer_id = DetectBufferTypeGetByName("http_request_line");
}

Esempio n. 6

File: detect-file-data.c Progetto: norg/suricata

/**
 * \brief Registration function for keyword: file_data
 */
void DetectFiledataRegister(void)
{
    sigmatch_table[DETECT_FILE_DATA].name = "file_data";
    sigmatch_table[DETECT_FILE_DATA].desc = "make content keywords match on HTTP response body";
    sigmatch_table[DETECT_FILE_DATA].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#file-data";
    sigmatch_table[DETECT_FILE_DATA].Match = NULL;
    sigmatch_table[DETECT_FILE_DATA].Setup = DetectFiledataSetup;
    sigmatch_table[DETECT_FILE_DATA].Free  = NULL;
    sigmatch_table[DETECT_FILE_DATA].RegisterTests = DetectFiledataRegisterTests;
    sigmatch_table[DETECT_FILE_DATA].flags = SIGMATCH_NOOPT;

    DetectAppLayerMpmRegister("file_data", SIG_FLAG_TOSERVER, 2,
            PrefilterTxSmtpFiledataRegister);
    DetectAppLayerMpmRegister("file_data", SIG_FLAG_TOCLIENT, 2,
            PrefilterTxHttpResponseBodyRegister);

    DetectAppLayerInspectEngineRegister("file_data",
            ALPROTO_HTTP, SIG_FLAG_TOCLIENT, HTP_RESPONSE_BODY,
            DetectEngineInspectHttpServerBody);
    DetectAppLayerInspectEngineRegister("file_data",
            ALPROTO_SMTP, SIG_FLAG_TOSERVER, 0,
            DetectEngineInspectSMTPFiledata);

    DetectBufferTypeRegisterSetupCallback("file_data",
            DetectFiledataSetupCallback);

    DetectBufferTypeSetDescriptionByName("file_data",
            "http response body or smtp attachments data");

    g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
}

Esempio n. 7

File: detect-file-data.c Progetto: norg/suricata

/**
 * \brief this function is used to parse filedata options
 * \brief into the current signature
 *
 * \param de_ctx pointer to the Detection Engine Context
 * \param s pointer to the Current Signature
 * \param str pointer to the user provided "filestore" option
 *
 * \retval 0 on Success
 * \retval -1 on Failure
 */
static int DetectFiledataSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
{
    SCEnter();

    if (!DetectProtoContainsProto(&s->proto, IPPROTO_TCP) ||
        (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP &&
        s->alproto != ALPROTO_SMTP)) {
        SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
        return -1;
    }

    if (s->alproto == ALPROTO_HTTP && (s->init_data->init_flags & SIG_FLAG_INIT_FLOW) &&
        (s->flags & SIG_FLAG_TOSERVER) && !(s->flags & SIG_FLAG_TOCLIENT)) {
        SCLogError(SC_ERR_INVALID_SIGNATURE, "Can't use file_data with "
                "flow:to_server or flow:from_client with http.");
        return -1;
    }

    if (s->alproto == ALPROTO_SMTP && (s->init_data->init_flags & SIG_FLAG_INIT_FLOW) &&
        !(s->flags & SIG_FLAG_TOSERVER) && (s->flags & SIG_FLAG_TOCLIENT)) {
        SCLogError(SC_ERR_INVALID_SIGNATURE, "Can't use file_data with "
                "flow:to_client or flow:from_server with smtp.");
        return -1;
    }

    s->init_data->list = DetectBufferTypeGetByName("file_data");
    return 0;
}

Esempio n. 8

File: detect-http-method.c Progetto: bmeeks8/suricata

/**
 * \brief Registration function for keyword: http_method
 */
void DetectHttpMethodRegister(void)
{
    sigmatch_table[DETECT_AL_HTTP_METHOD].name = "http_method";
    sigmatch_table[DETECT_AL_HTTP_METHOD].desc = "content modifier to match only on the HTTP method-buffer";
    sigmatch_table[DETECT_AL_HTTP_METHOD].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-method";
    sigmatch_table[DETECT_AL_HTTP_METHOD].Match = NULL;
    sigmatch_table[DETECT_AL_HTTP_METHOD].Setup = DetectHttpMethodSetup;
    sigmatch_table[DETECT_AL_HTTP_METHOD].Free  = DetectHttpMethodFree;
    sigmatch_table[DETECT_AL_HTTP_METHOD].RegisterTests = DetectHttpMethodRegisterTests;
    sigmatch_table[DETECT_AL_HTTP_METHOD].flags |= SIGMATCH_NOOPT;

    DetectAppLayerMpmRegister("http_method", SIG_FLAG_TOSERVER, 4,
            PrefilterTxMethodRegister);

    DetectAppLayerInspectEngineRegister("http_method",
            ALPROTO_HTTP, SIG_FLAG_TOSERVER, HTP_REQUEST_LINE,
            DetectEngineInspectHttpMethod);

    DetectBufferTypeSetDescriptionByName("http_method",
            "http request method");

    DetectBufferTypeRegisterValidateCallback("http_method",
            DetectHttpMethodValidateCallback);

    g_http_method_buffer_id = DetectBufferTypeGetByName("http_method");

    SCLogDebug("registering http_method rule option");
}

Esempio n. 9

File: detect-ftpdata.c Progetto: bmeeks8/suricata

/**
 * \brief Registration function for ftpcommand: keyword
 *
 * This function is called once in the 'lifetime' of the engine.
 */
void DetectFtpdataRegister(void) {
    /* keyword name: this is how the keyword is used in a rule */
    sigmatch_table[DETECT_FTPDATA].name = "ftpdata_command";
    /* description: listed in "suricata --list-keywords=all" */
    sigmatch_table[DETECT_FTPDATA].desc = "match FTP command triggering a FTP data channel";
    sigmatch_table[DETECT_FTPDATA].url = DOC_URL DOC_VERSION "/rules/ftp-keywords.html#ftpdata-command";
    sigmatch_table[DETECT_FTPDATA].AppLayerTxMatch = DetectFtpdataMatch;
    /* setup function is called during signature parsing, when the ftpcommand
     * keyword is encountered in the rule */
    sigmatch_table[DETECT_FTPDATA].Setup = DetectFtpdataSetup;
    /* free function is called when the detect engine is freed. Normally at
     * shutdown, but also during rule reloads. */
    sigmatch_table[DETECT_FTPDATA].Free = DetectFtpdataFree;
    /* registers unittests into the system */
    sigmatch_table[DETECT_FTPDATA].RegisterTests = DetectFtpdataRegisterTests;

    DetectAppLayerInspectEngineRegister("ftpdata_command",
            ALPROTO_FTPDATA, SIG_FLAG_TOSERVER, 0,
            DetectEngineInspectFtpdataGeneric);

    DetectAppLayerInspectEngineRegister("ftpdata_command",
            ALPROTO_FTPDATA, SIG_FLAG_TOCLIENT, 0,
            DetectEngineInspectFtpdataGeneric);
    g_ftpdata_buffer_id = DetectBufferTypeGetByName("ftpdata_command");

    /* set up the PCRE for keyword parsing */
    DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
}

Esempio n. 10

File: detect-pkt-data.c Progetto: bmeeks8/suricata

static void DetectPktDataTestRegister(void)
{
#ifdef UNITTESTS
    g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");

    UtRegisterTest("DetectPktDataTest01", DetectPktDataTest01);
#endif
}

Esempio n. 11

File: detect-bytetest.c Progetto: glongo/suricata

/**
 * \brief this function registers unit tests for DetectBytetest
 */
static void DetectBytetestRegisterTests(void)
{
#ifdef UNITTESTS
    g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
    g_dce_stub_data_buffer_id = DetectBufferTypeGetByName("dce_stub_data");

    UtRegisterTest("DetectBytetestTestParse01", DetectBytetestTestParse01);
    UtRegisterTest("DetectBytetestTestParse02", DetectBytetestTestParse02);
    UtRegisterTest("DetectBytetestTestParse03", DetectBytetestTestParse03);
    UtRegisterTest("DetectBytetestTestParse04", DetectBytetestTestParse04);
    UtRegisterTest("DetectBytetestTestParse05", DetectBytetestTestParse05);
    UtRegisterTest("DetectBytetestTestParse06", DetectBytetestTestParse06);
    UtRegisterTest("DetectBytetestTestParse07", DetectBytetestTestParse07);
    UtRegisterTest("DetectBytetestTestParse08", DetectBytetestTestParse08);
    UtRegisterTest("DetectBytetestTestParse09", DetectBytetestTestParse09);
    UtRegisterTest("DetectBytetestTestParse10", DetectBytetestTestParse10);
    UtRegisterTest("DetectBytetestTestParse11", DetectBytetestTestParse11);
    UtRegisterTest("DetectBytetestTestParse12", DetectBytetestTestParse12);
    UtRegisterTest("DetectBytetestTestParse13", DetectBytetestTestParse13);
    UtRegisterTest("DetectBytetestTestParse14", DetectBytetestTestParse14);
    UtRegisterTest("DetectBytetestTestParse15", DetectBytetestTestParse15);
    UtRegisterTest("DetectBytetestTestParse16", DetectBytetestTestParse16);
    UtRegisterTest("DetectBytetestTestParse17", DetectBytetestTestParse17);
    UtRegisterTest("DetectBytetestTestParse18", DetectBytetestTestParse18);
    UtRegisterTest("DetectBytetestTestParse19", DetectBytetestTestParse19);
    UtRegisterTest("DetectBytetestTestParse20", DetectBytetestTestParse20);
    UtRegisterTest("DetectBytetestTestParse21", DetectBytetestTestParse21);
    UtRegisterTest("DetectBytetestTestParse22", DetectBytetestTestParse22);

    UtRegisterTest("DetectByteTestTestPacket01", DetectByteTestTestPacket01);
    UtRegisterTest("DetectByteTestTestPacket02", DetectByteTestTestPacket02);
    UtRegisterTest("DetectByteTestTestPacket03", DetectByteTestTestPacket03);
    UtRegisterTest("DetectByteTestTestPacket04", DetectByteTestTestPacket04);
    UtRegisterTest("DetectByteTestTestPacket05", DetectByteTestTestPacket05);
#endif /* UNITTESTS */
}

Esempio n. 12

File: detect-smb-share.c Progetto: gozzy/suricata

void DetectSmbNamedPipeRegister(void)
{
    sigmatch_table[KEYWORD_ID].name = KEYWORD_NAME;
    sigmatch_table[KEYWORD_ID].alias = KEYWORD_NAME_LEGACY;
    sigmatch_table[KEYWORD_ID].Setup = DetectSmbNamedPipeSetup;
    sigmatch_table[KEYWORD_ID].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;
    sigmatch_table[KEYWORD_ID].desc = "sticky buffer to match on SMB named pipe in tree connect";

    DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOSERVER, 2,
            PrefilterGenericMpmRegister, GetNamedPipeData,
            ALPROTO_SMB, 1);

    DetectAppLayerInspectEngineRegister2(BUFFER_NAME,
            ALPROTO_SMB, SIG_FLAG_TOSERVER, 0,
            DetectEngineInspectBufferGeneric, GetNamedPipeData);

    g_smb_named_pipe_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
}

Esempio n. 13

File: detect-http-raw-header.c Progetto: chifflier/suricata

/**
 * \brief Registers the keyword handlers for the "http_raw_header" keyword.
 */
void DetectHttpRawHeaderRegister(void)
{
    /* http_raw_header content modifier */
    sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].name = "http_raw_header";
    sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].Setup = DetectHttpRawHeaderSetup;
#ifdef UNITTESTS
    sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].RegisterTests = DetectHttpRawHeaderRegisterTests;
#endif
    sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].flags |= SIGMATCH_NOOPT;
    sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].alternative = DETECT_HTTP_RAW_HEADER;

    /* http.header.raw sticky buffer */
    sigmatch_table[DETECT_HTTP_RAW_HEADER].name = "http.header.raw";
    sigmatch_table[DETECT_HTTP_RAW_HEADER].desc = "sticky buffer to match the raw HTTP header buffer";
    sigmatch_table[DETECT_HTTP_RAW_HEADER].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-raw-header";
    sigmatch_table[DETECT_HTTP_RAW_HEADER].Setup = DetectHttpRawHeaderSetupSticky;
    sigmatch_table[DETECT_HTTP_RAW_HEADER].flags |= SIGMATCH_NOOPT;
    sigmatch_table[DETECT_HTTP_RAW_HEADER].flags |= SIGMATCH_INFO_STICKY_BUFFER;

    DetectAppLayerInspectEngineRegister2("http_raw_header", ALPROTO_HTTP,
            SIG_FLAG_TOSERVER, HTP_REQUEST_HEADERS+1,
            DetectEngineInspectBufferGeneric, GetData);
    DetectAppLayerInspectEngineRegister2("http_raw_header", ALPROTO_HTTP,
            SIG_FLAG_TOCLIENT, HTP_RESPONSE_HEADERS+1,
            DetectEngineInspectBufferGeneric, GetData);

    DetectAppLayerMpmRegister2("http_raw_header", SIG_FLAG_TOSERVER, 2,
            PrefilterMpmHttpHeaderRawRequestRegister, NULL, ALPROTO_HTTP,
            0); /* progress handled in register */
    DetectAppLayerMpmRegister2("http_raw_header", SIG_FLAG_TOCLIENT, 2,
            PrefilterMpmHttpHeaderRawResponseRegister, NULL, ALPROTO_HTTP,
            0); /* progress handled in register */

    DetectBufferTypeSetDescriptionByName("http_raw_header",
            "raw http headers");

    DetectBufferTypeRegisterValidateCallback("http_raw_header",
            DetectHttpRawHeaderValidateCallback);

    g_http_raw_header_buffer_id = DetectBufferTypeGetByName("http_raw_header");
}

Esempio n. 14

File: detect-nfs-version.c Progetto: bmeeks8/suricata

/**
 * \brief Registration function for nfs_procedure keyword.
 */
void DetectNfsVersionRegister (void)
{
    sigmatch_table[DETECT_AL_NFS_VERSION].name = "nfs_version";
    sigmatch_table[DETECT_AL_NFS_VERSION].desc = "match NFS version";
    sigmatch_table[DETECT_AL_NFS_VERSION].url = DOC_URL DOC_VERSION "/rules/nfs-keywords.html#version";
    sigmatch_table[DETECT_AL_NFS_VERSION].Match = NULL;
    sigmatch_table[DETECT_AL_NFS_VERSION].AppLayerTxMatch = DetectNfsVersionMatch;
    sigmatch_table[DETECT_AL_NFS_VERSION].Setup = DetectNfsVersionSetup;
    sigmatch_table[DETECT_AL_NFS_VERSION].Free = DetectNfsVersionFree;
    sigmatch_table[DETECT_AL_NFS_VERSION].RegisterTests = DetectNfsVersionRegisterTests;


    DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);

    DetectAppLayerInspectEngineRegister("nfs_request",
            ALPROTO_NFS, SIG_FLAG_TOSERVER, 0,
            DetectEngineInspectNfsRequestGeneric);

    g_nfs_request_buffer_id = DetectBufferTypeGetByName("nfs_request");

    SCLogDebug("g_nfs_request_buffer_id %d", g_nfs_request_buffer_id);
}

Esempio n. 15

File: detect-http-method.c Progetto: gozzy/suricata

/**
 * \brief Registration function for keyword: http_method
 */
void DetectHttpMethodRegister(void)
{
    /* http_method content modifier */
    sigmatch_table[DETECT_AL_HTTP_METHOD].name = "http_method";
    sigmatch_table[DETECT_AL_HTTP_METHOD].desc = "content modifier to match only on the HTTP method-buffer";
    sigmatch_table[DETECT_AL_HTTP_METHOD].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-method";
    sigmatch_table[DETECT_AL_HTTP_METHOD].Match = NULL;
    sigmatch_table[DETECT_AL_HTTP_METHOD].Setup = DetectHttpMethodSetup;
#ifdef UNITTESTS
    sigmatch_table[DETECT_AL_HTTP_METHOD].RegisterTests = DetectHttpMethodRegisterTests;
#endif
    sigmatch_table[DETECT_AL_HTTP_METHOD].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_CONTENT_MODIFIER;
    sigmatch_table[DETECT_AL_HTTP_METHOD].alternative = DETECT_HTTP_METHOD;

    /* http.method sticky buffer */
    sigmatch_table[DETECT_HTTP_METHOD].name = "http.method";
    sigmatch_table[DETECT_HTTP_METHOD].desc = "sticky buffer to match specifically and only on the HTTP method buffer";
    sigmatch_table[DETECT_HTTP_METHOD].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-method";
    sigmatch_table[DETECT_HTTP_METHOD].Setup = DetectHttpMethodSetupSticky;
    sigmatch_table[DETECT_HTTP_METHOD].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;

    DetectAppLayerInspectEngineRegister2("http_method", ALPROTO_HTTP,
            SIG_FLAG_TOSERVER, HTP_REQUEST_LINE,
            DetectEngineInspectBufferGeneric, GetData);

    DetectAppLayerMpmRegister2("http_method", SIG_FLAG_TOSERVER, 4,
            PrefilterGenericMpmRegister, GetData, ALPROTO_HTTP,
            HTP_REQUEST_LINE);

    DetectBufferTypeSetDescriptionByName("http_method",
            "http request method");

    DetectBufferTypeRegisterValidateCallback("http_method",
            DetectHttpMethodValidateCallback);

    g_http_method_buffer_id = DetectBufferTypeGetByName("http_method");

    SCLogDebug("registering http_method rule option");
}

Esempio n. 16

File: detect-dns-query.c Progetto: gozzy/suricata

/**
 * \brief Registration function for keyword: dns_query
 */
void DetectDnsQueryRegister (void)
{
    sigmatch_table[DETECT_AL_DNS_QUERY].name = "dns.query";
    sigmatch_table[DETECT_AL_DNS_QUERY].alias = "dns_query";
    sigmatch_table[DETECT_AL_DNS_QUERY].desc = "sticky buffer to match DNS query-buffer";
    sigmatch_table[DETECT_AL_DNS_QUERY].Setup = DetectDnsQuerySetup;
    sigmatch_table[DETECT_AL_DNS_QUERY].RegisterTests = DetectDnsQueryRegisterTests;
    sigmatch_table[DETECT_AL_DNS_QUERY].flags |= SIGMATCH_NOOPT;
    sigmatch_table[DETECT_AL_DNS_QUERY].flags |= SIGMATCH_INFO_STICKY_BUFFER;

    DetectAppLayerMpmRegister2("dns_query", SIG_FLAG_TOSERVER, 2,
            PrefilterMpmDnsQueryRegister, NULL,
            ALPROTO_DNS, 1);

    DetectAppLayerInspectEngineRegister2("dns_query",
            ALPROTO_DNS, SIG_FLAG_TOSERVER, 1,
            DetectEngineInspectDnsQuery, NULL);

    DetectBufferTypeSetDescriptionByName("dns_query",
            "dns request query");

    g_dns_query_buffer_id = DetectBufferTypeGetByName("dns_query");

    /* register these generic engines from here for now */
    DetectAppLayerInspectEngineRegister("dns_request",
            ALPROTO_DNS, SIG_FLAG_TOSERVER, 1,
            DetectEngineInspectDnsRequest);
    DetectAppLayerInspectEngineRegister("dns_response",
            ALPROTO_DNS, SIG_FLAG_TOCLIENT, 1,
            DetectEngineInspectDnsResponse);

    DetectBufferTypeSetDescriptionByName("dns_request",
            "dns requests");
    DetectBufferTypeSetDescriptionByName("dns_response",
            "dns responses");
}

Esempio n. 17

File: detect-http-start.c Progetto: gozzy/suricata

/**
 * \brief Registers the keyword handlers for the "http_header" keyword.
 */
void DetectHttpStartRegister(void)
{
    sigmatch_table[DETECT_AL_HTTP_START].name = KEYWORD_NAME;
    sigmatch_table[DETECT_AL_HTTP_START].alias = KEYWORD_NAME_LEGACY;
    sigmatch_table[DETECT_AL_HTTP_START].desc = BUFFER_NAME " sticky buffer";
    sigmatch_table[DETECT_AL_HTTP_START].url = DOC_URL DOC_VERSION "/rules/" KEYWORD_DOC;
    sigmatch_table[DETECT_AL_HTTP_START].Setup = DetectHttpStartSetup;
    sigmatch_table[DETECT_AL_HTTP_START].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;

    DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOSERVER, 2,
            PrefilterTxHttpRequestStartRegister, NULL, ALPROTO_HTTP,
            HTP_REQUEST_HEADERS);
    DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2,
            PrefilterTxHttpResponseStartRegister, NULL, ALPROTO_HTTP,
            HTP_RESPONSE_HEADERS);

    DetectAppLayerInspectEngineRegister2(BUFFER_NAME,
            ALPROTO_HTTP, SIG_FLAG_TOSERVER, HTP_REQUEST_HEADERS,
            InspectEngineHttpStart, NULL);
    DetectAppLayerInspectEngineRegister2(BUFFER_NAME,
            ALPROTO_HTTP, SIG_FLAG_TOCLIENT, HTP_RESPONSE_HEADERS,
            InspectEngineHttpStart, NULL);

    DetectBufferTypeSetDescriptionByName(BUFFER_NAME,
            BUFFER_DESC);

    g_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);

    g_keyword_thread_id = DetectRegisterThreadCtxGlobalFuncs(KEYWORD_NAME,
            HttpHeaderThreadDataInit, &g_td_config, HttpHeaderThreadDataFree);

    SCLogDebug("keyword %s registered. Thread id %d. "
            "Buffer %s registered. Buffer id %d",
            KEYWORD_NAME, g_keyword_thread_id,
            BUFFER_NAME, g_buffer_id);
}

Esempio n. 18

File: detect-http-uri.c Progetto: chifflier/suricata

/**
 * \brief Registration function for keywords: http_uri and http.uri
 */
void DetectHttpUriRegister (void)
{
    /* http_uri content modifier */
    sigmatch_table[DETECT_AL_HTTP_URI].name = "http_uri";
    sigmatch_table[DETECT_AL_HTTP_URI].desc = "content modifier to match specifically and only on the HTTP uri-buffer";
    sigmatch_table[DETECT_AL_HTTP_URI].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-uri-and-http-raw-uri";
    sigmatch_table[DETECT_AL_HTTP_URI].Setup = DetectHttpUriSetup;
#ifdef UNITTESTS
    sigmatch_table[DETECT_AL_HTTP_URI].RegisterTests = DetectHttpUriRegisterTests;
#endif
    sigmatch_table[DETECT_AL_HTTP_URI].flags |= SIGMATCH_NOOPT;

    /* http.uri sticky buffer */
    sigmatch_table[DETECT_HTTP_URI].name = "http.uri";
    sigmatch_table[DETECT_HTTP_URI].alias = "http.uri.normalized";
    sigmatch_table[DETECT_HTTP_URI].desc = "sticky buffer to match specifically and only on the normalized HTTP URI buffer";
    sigmatch_table[DETECT_HTTP_URI].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#http-uri";
    sigmatch_table[DETECT_HTTP_URI].Setup = DetectHttpUriSetupSticky;
    sigmatch_table[DETECT_HTTP_URI].flags |= SIGMATCH_NOOPT;

    DetectAppLayerInspectEngineRegister2("http_uri", ALPROTO_HTTP,
            SIG_FLAG_TOSERVER, HTP_REQUEST_LINE,
            DetectEngineInspectBufferGeneric, GetData);

    DetectAppLayerMpmRegister2("http_uri", SIG_FLAG_TOSERVER, 2,
            PrefilterGenericMpmRegister, GetData, ALPROTO_HTTP,
            HTP_REQUEST_LINE);

    DetectBufferTypeSetDescriptionByName("http_uri",
            "http request uri");

    DetectBufferTypeRegisterSetupCallback("http_uri",
            DetectHttpUriSetupCallback);

    DetectBufferTypeRegisterValidateCallback("http_uri",
            DetectHttpUriValidateCallback);

    g_http_uri_buffer_id = DetectBufferTypeGetByName("http_uri");

    /* http_raw_uri content modifier */
    sigmatch_table[DETECT_AL_HTTP_RAW_URI].name = "http_raw_uri";
    sigmatch_table[DETECT_AL_HTTP_RAW_URI].desc = "content modifier to match on the raw HTTP uri";
    sigmatch_table[DETECT_AL_HTTP_RAW_URI].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http_uri-and-http_raw-uri";
    sigmatch_table[DETECT_AL_HTTP_RAW_URI].Setup = DetectHttpRawUriSetup;
    sigmatch_table[DETECT_AL_HTTP_RAW_URI].flags |= SIGMATCH_NOOPT;

    /* http.uri.raw sticky buffer */
    sigmatch_table[DETECT_HTTP_URI_RAW].name = "http.uri.raw";
    sigmatch_table[DETECT_HTTP_URI_RAW].desc = "sticky buffer to match specifically and only on the raw HTTP URI buffer";
    sigmatch_table[DETECT_HTTP_URI_RAW].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#http-uri";
    sigmatch_table[DETECT_HTTP_URI_RAW].Setup = DetectHttpRawUriSetupSticky;
    sigmatch_table[DETECT_HTTP_URI_RAW].flags |= SIGMATCH_NOOPT;

    DetectAppLayerInspectEngineRegister2("http_raw_uri", ALPROTO_HTTP,
            SIG_FLAG_TOSERVER, HTP_REQUEST_LINE,
            DetectEngineInspectBufferGeneric, GetRawData);

    DetectAppLayerMpmRegister2("http_raw_uri", SIG_FLAG_TOSERVER, 2,
            PrefilterGenericMpmRegister, GetRawData, ALPROTO_HTTP,
            HTP_REQUEST_LINE);

    DetectBufferTypeSetDescriptionByName("http_raw_uri",
            "raw http uri");

    DetectBufferTypeRegisterSetupCallback("http_raw_uri",
            DetectHttpRawUriSetupCallback);

    DetectBufferTypeRegisterValidateCallback("http_raw_uri",
            DetectHttpRawUriValidateCallback);

    g_http_raw_uri_buffer_id = DetectBufferTypeGetByName("http_raw_uri");
}