/** * \brief Registers the keyword handlers for the "ssl_state" keyword. */ void DetectSslStateRegister(void) { sigmatch_table[DETECT_AL_SSL_STATE].name = "ssl_state"; sigmatch_table[DETECT_AL_SSL_STATE].Match = NULL; sigmatch_table[DETECT_AL_SSL_STATE].AppLayerMatch = DetectSslStateMatch; sigmatch_table[DETECT_AL_SSL_STATE].Setup = DetectSslStateSetup; sigmatch_table[DETECT_AL_SSL_STATE].Free = DetectSslStateFree; sigmatch_table[DETECT_AL_SSL_STATE].RegisterTests = DetectSslStateRegisterTests; DetectSetupParseRegexes(PARSE_REGEX1, &parse_regex1, &parse_regex1_study); DetectSetupParseRegexes(PARSE_REGEX2, &parse_regex2, &parse_regex2_study); }
/** * \brief Registration function for keyword: tls.version */ void DetectTlsRegister (void) { sigmatch_table[DETECT_AL_TLS_SUBJECT].name = "tls.subject"; sigmatch_table[DETECT_AL_TLS_SUBJECT].desc = "match TLS/SSL certificate Subject field"; sigmatch_table[DETECT_AL_TLS_SUBJECT].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#tlssubject"; sigmatch_table[DETECT_AL_TLS_SUBJECT].AppLayerTxMatch = DetectTlsSubjectMatch; sigmatch_table[DETECT_AL_TLS_SUBJECT].Setup = DetectTlsSubjectSetup; sigmatch_table[DETECT_AL_TLS_SUBJECT].Free = DetectTlsSubjectFree; sigmatch_table[DETECT_AL_TLS_SUBJECT].RegisterTests = DetectTlsSubjectRegisterTests; sigmatch_table[DETECT_AL_TLS_SUBJECT].flags = SIGMATCH_QUOTES_MANDATORY|SIGMATCH_HANDLE_NEGATION; sigmatch_table[DETECT_AL_TLS_ISSUERDN].name = "tls.issuerdn"; sigmatch_table[DETECT_AL_TLS_ISSUERDN].desc = "match TLS/SSL certificate IssuerDN field"; sigmatch_table[DETECT_AL_TLS_ISSUERDN].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#tlsissuerdn"; sigmatch_table[DETECT_AL_TLS_ISSUERDN].AppLayerTxMatch = DetectTlsIssuerDNMatch; sigmatch_table[DETECT_AL_TLS_ISSUERDN].Setup = DetectTlsIssuerDNSetup; sigmatch_table[DETECT_AL_TLS_ISSUERDN].Free = DetectTlsIssuerDNFree; sigmatch_table[DETECT_AL_TLS_ISSUERDN].RegisterTests = DetectTlsIssuerDNRegisterTests; sigmatch_table[DETECT_AL_TLS_ISSUERDN].flags = SIGMATCH_QUOTES_MANDATORY|SIGMATCH_HANDLE_NEGATION; sigmatch_table[DETECT_AL_TLS_FINGERPRINT].name = "tls.fingerprint"; sigmatch_table[DETECT_AL_TLS_FINGERPRINT].desc = "match TLS/SSL certificate SHA1 fingerprint"; sigmatch_table[DETECT_AL_TLS_FINGERPRINT].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#tlsfingerprint"; sigmatch_table[DETECT_AL_TLS_FINGERPRINT].AppLayerTxMatch = DetectTlsFingerprintMatch; sigmatch_table[DETECT_AL_TLS_FINGERPRINT].Setup = DetectTlsFingerprintSetup; sigmatch_table[DETECT_AL_TLS_FINGERPRINT].Free = DetectTlsFingerprintFree; sigmatch_table[DETECT_AL_TLS_FINGERPRINT].RegisterTests = NULL; sigmatch_table[DETECT_AL_TLS_FINGERPRINT].flags = SIGMATCH_QUOTES_MANDATORY|SIGMATCH_HANDLE_NEGATION; sigmatch_table[DETECT_AL_TLS_STORE].name = "tls_store"; sigmatch_table[DETECT_AL_TLS_STORE].alias = "tls.store"; sigmatch_table[DETECT_AL_TLS_STORE].desc = "store TLS/SSL certificate on disk"; sigmatch_table[DETECT_AL_TLS_STORE].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#tlsstore"; sigmatch_table[DETECT_AL_TLS_STORE].Match = DetectTlsStorePostMatch; sigmatch_table[DETECT_AL_TLS_STORE].Setup = DetectTlsStoreSetup; sigmatch_table[DETECT_AL_TLS_STORE].Free = NULL; sigmatch_table[DETECT_AL_TLS_STORE].RegisterTests = NULL; sigmatch_table[DETECT_AL_TLS_STORE].flags |= SIGMATCH_NOOPT; DetectSetupParseRegexes(PARSE_REGEX, &subject_parse_regex, &subject_parse_regex_study); DetectSetupParseRegexes(PARSE_REGEX, &issuerdn_parse_regex, &issuerdn_parse_regex_study); DetectSetupParseRegexes(PARSE_REGEX_FINGERPRINT, &fingerprint_parse_regex, &fingerprint_parse_regex_study); g_tls_cert_list_id = DetectBufferTypeRegister("tls_cert"); DetectAppLayerInspectEngineRegister("tls_cert", ALPROTO_TLS, SIG_FLAG_TOCLIENT, TLS_STATE_CERT_READY, InspectTlsCert); }
/** * \brief Registration function for keyword: tls.version */ void DetectTlsRegister (void) { sigmatch_table[DETECT_AL_TLS_SUBJECT].name = "tls.subject"; sigmatch_table[DETECT_AL_TLS_SUBJECT].desc = "match TLS/SSL certificate Subject field"; sigmatch_table[DETECT_AL_TLS_SUBJECT].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/TLS-keywords#tlssubject"; sigmatch_table[DETECT_AL_TLS_SUBJECT].Match = NULL; sigmatch_table[DETECT_AL_TLS_SUBJECT].AppLayerMatch = DetectTlsSubjectMatch; sigmatch_table[DETECT_AL_TLS_SUBJECT].alproto = ALPROTO_TLS; sigmatch_table[DETECT_AL_TLS_SUBJECT].Setup = DetectTlsSubjectSetup; sigmatch_table[DETECT_AL_TLS_SUBJECT].Free = DetectTlsSubjectFree; sigmatch_table[DETECT_AL_TLS_SUBJECT].RegisterTests = DetectTlsSubjectRegisterTests; sigmatch_table[DETECT_AL_TLS_ISSUERDN].name = "tls.issuerdn"; sigmatch_table[DETECT_AL_TLS_ISSUERDN].desc = "match TLS/SSL certificate IssuerDN field"; sigmatch_table[DETECT_AL_TLS_ISSUERDN].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/TLS-keywords#tlsissuerdn"; sigmatch_table[DETECT_AL_TLS_ISSUERDN].Match = NULL; sigmatch_table[DETECT_AL_TLS_ISSUERDN].AppLayerMatch = DetectTlsIssuerDNMatch; sigmatch_table[DETECT_AL_TLS_ISSUERDN].alproto = ALPROTO_TLS; sigmatch_table[DETECT_AL_TLS_ISSUERDN].Setup = DetectTlsIssuerDNSetup; sigmatch_table[DETECT_AL_TLS_ISSUERDN].Free = DetectTlsIssuerDNFree; sigmatch_table[DETECT_AL_TLS_ISSUERDN].RegisterTests = DetectTlsIssuerDNRegisterTests; sigmatch_table[DETECT_AL_TLS_FINGERPRINT].name = "tls.fingerprint"; sigmatch_table[DETECT_AL_TLS_FINGERPRINT].desc = "match TLS/SSL certificate SHA1 fingerprint"; sigmatch_table[DETECT_AL_TLS_FINGERPRINT].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/TLS-keywords#tlsfingerprint"; sigmatch_table[DETECT_AL_TLS_FINGERPRINT].Match = NULL; sigmatch_table[DETECT_AL_TLS_FINGERPRINT].AppLayerMatch = DetectTlsFingerprintMatch; sigmatch_table[DETECT_AL_TLS_FINGERPRINT].alproto = ALPROTO_TLS; sigmatch_table[DETECT_AL_TLS_FINGERPRINT].Setup = DetectTlsFingerprintSetup; sigmatch_table[DETECT_AL_TLS_FINGERPRINT].Free = DetectTlsFingerprintFree; sigmatch_table[DETECT_AL_TLS_FINGERPRINT].RegisterTests = NULL; sigmatch_table[DETECT_AL_TLS_STORE].name = "tls.store"; sigmatch_table[DETECT_AL_TLS_STORE].desc = "store TLS/SSL certificate on disk"; sigmatch_table[DETECT_AL_TLS_STORE].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/TLS-keywords#tlsstore"; sigmatch_table[DETECT_AL_TLS_STORE].Match = NULL; sigmatch_table[DETECT_AL_TLS_STORE].AppLayerMatch = DetectTlsStoreMatch; sigmatch_table[DETECT_AL_TLS_STORE].alproto = ALPROTO_TLS; sigmatch_table[DETECT_AL_TLS_STORE].Setup = DetectTlsStoreSetup; sigmatch_table[DETECT_AL_TLS_STORE].Free = NULL; sigmatch_table[DETECT_AL_TLS_STORE].RegisterTests = NULL; sigmatch_table[DETECT_AL_TLS_STORE].flags |= SIGMATCH_NOOPT; DetectSetupParseRegexes(PARSE_REGEX, &subject_parse_regex, &subject_parse_regex_study); DetectSetupParseRegexes(PARSE_REGEX, &issuerdn_parse_regex, &issuerdn_parse_regex_study); DetectSetupParseRegexes(PARSE_REGEX_FINGERPRINT, &fingerprint_parse_regex, &fingerprint_parse_regex_study); }
/** * \brief Registration function for Modbus keyword */ void DetectModbusRegister(void) { SCEnter(); sigmatch_table[DETECT_AL_MODBUS].name = "modbus"; sigmatch_table[DETECT_AL_MODBUS].Match = NULL; sigmatch_table[DETECT_AL_MODBUS].AppLayerMatch = NULL; sigmatch_table[DETECT_AL_MODBUS].alproto = ALPROTO_MODBUS; sigmatch_table[DETECT_AL_MODBUS].Setup = DetectModbusSetup; sigmatch_table[DETECT_AL_MODBUS].Free = DetectModbusFree; sigmatch_table[DETECT_AL_MODBUS].RegisterTests = DetectModbusRegisterTests; DetectSetupParseRegexes(PARSE_REGEX_FUNCTION, &function_parse_regex, &function_parse_regex_study); DetectSetupParseRegexes(PARSE_REGEX_ACCESS, &access_parse_regex, &access_parse_regex_study); }
/** * \brief Registration function for ftpcommand: keyword * * This function is called once in the 'lifetime' of the engine. */ void DetectFtpdataRegister(void) { /* keyword name: this is how the keyword is used in a rule */ sigmatch_table[DETECT_FTPDATA].name = "ftpdata_command"; /* description: listed in "suricata --list-keywords=all" */ sigmatch_table[DETECT_FTPDATA].desc = "match FTP command triggering a FTP data channel"; sigmatch_table[DETECT_FTPDATA].url = DOC_URL DOC_VERSION "/rules/ftp-keywords.html#ftpdata-command"; sigmatch_table[DETECT_FTPDATA].AppLayerTxMatch = DetectFtpdataMatch; /* setup function is called during signature parsing, when the ftpcommand * keyword is encountered in the rule */ sigmatch_table[DETECT_FTPDATA].Setup = DetectFtpdataSetup; /* free function is called when the detect engine is freed. Normally at * shutdown, but also during rule reloads. */ sigmatch_table[DETECT_FTPDATA].Free = DetectFtpdataFree; /* registers unittests into the system */ sigmatch_table[DETECT_FTPDATA].RegisterTests = DetectFtpdataRegisterTests; DetectAppLayerInspectEngineRegister("ftpdata_command", ALPROTO_FTPDATA, SIG_FLAG_TOSERVER, 0, DetectEngineInspectFtpdataGeneric); DetectAppLayerInspectEngineRegister("ftpdata_command", ALPROTO_FTPDATA, SIG_FLAG_TOCLIENT, 0, DetectEngineInspectFtpdataGeneric); g_ftpdata_buffer_id = DetectBufferTypeGetByName("ftpdata_command"); /* set up the PCRE for keyword parsing */ DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study); }
void DetectBytejumpRegister (void) { sigmatch_table[DETECT_BYTEJUMP].name = "byte_jump"; sigmatch_table[DETECT_BYTEJUMP].Match = DetectBytejumpMatch; sigmatch_table[DETECT_BYTEJUMP].Setup = DetectBytejumpSetup; sigmatch_table[DETECT_BYTEJUMP].Free = DetectBytejumpFree; sigmatch_table[DETECT_BYTEJUMP].RegisterTests = DetectBytejumpRegisterTests; DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study); }
void DetectMarkRegister (void) { sigmatch_table[DETECT_MARK].name = "nfq_set_mark"; sigmatch_table[DETECT_MARK].Match = DetectMarkPacket; sigmatch_table[DETECT_MARK].Setup = DetectMarkSetup; sigmatch_table[DETECT_MARK].Free = DetectMarkDataFree; sigmatch_table[DETECT_MARK].RegisterTests = MarkRegisterTests; DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study); }
void DetectBytetestRegister (void) { sigmatch_table[DETECT_BYTETEST].name = "byte_test"; sigmatch_table[DETECT_BYTETEST].Match = DetectBytetestMatch; sigmatch_table[DETECT_BYTETEST].Setup = DetectBytetestSetup; sigmatch_table[DETECT_BYTETEST].Free = DetectBytetestFree; sigmatch_table[DETECT_BYTETEST].RegisterTests = DetectBytetestRegisterTests; DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study); }
void DetectPktvarRegister (void) { sigmatch_table[DETECT_PKTVAR].name = "pktvar"; sigmatch_table[DETECT_PKTVAR].Match = DetectPktvarMatch; sigmatch_table[DETECT_PKTVAR].Setup = DetectPktvarSetup; sigmatch_table[DETECT_PKTVAR].Free = NULL; sigmatch_table[DETECT_PKTVAR].RegisterTests = NULL; DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study); }
/** * \brief Registration function for keyword: ssh.protoversion */ void DetectSshVersionRegister(void) { sigmatch_table[DETECT_AL_SSH_PROTOVERSION].name = "ssh.protoversion"; sigmatch_table[DETECT_AL_SSH_PROTOVERSION].Match = NULL; sigmatch_table[DETECT_AL_SSH_PROTOVERSION].AppLayerMatch = DetectSshVersionMatch; sigmatch_table[DETECT_AL_SSH_PROTOVERSION].Setup = DetectSshVersionSetup; sigmatch_table[DETECT_AL_SSH_PROTOVERSION].Free = DetectSshVersionFree; sigmatch_table[DETECT_AL_SSH_PROTOVERSION].RegisterTests = DetectSshVersionRegisterTests; DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study); }
/** * \brief Registration function for dsize: keyword */ void DetectDsizeRegister (void) { sigmatch_table[DETECT_DSIZE].name = "dsize"; sigmatch_table[DETECT_DSIZE].desc = "match on the size of the packet payload"; sigmatch_table[DETECT_DSIZE].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Payload_keywords#Dsize"; sigmatch_table[DETECT_DSIZE].Match = DetectDsizeMatch; sigmatch_table[DETECT_DSIZE].Setup = DetectDsizeSetup; sigmatch_table[DETECT_DSIZE].Free = DetectDsizeFree; sigmatch_table[DETECT_DSIZE].RegisterTests = DsizeRegisterTests; DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study); }
void DetectFlowintRegister(void) { sigmatch_table[DETECT_FLOWINT].name = "flowint"; sigmatch_table[DETECT_FLOWINT].desc = "operate on a per-flow integer"; sigmatch_table[DETECT_FLOWINT].url = DOC_URL DOC_VERSION "/rules/flowint.html"; sigmatch_table[DETECT_FLOWINT].Match = DetectFlowintMatch; sigmatch_table[DETECT_FLOWINT].Setup = DetectFlowintSetup; sigmatch_table[DETECT_FLOWINT].Free = DetectFlowintFree; sigmatch_table[DETECT_FLOWINT].RegisterTests = DetectFlowintRegisterTests; DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study); }
/** * \brief Registration function for fragoffset */ void DetectFragOffsetRegister (void) { sigmatch_table[DETECT_FRAGOFFSET].name = "fragoffset"; sigmatch_table[DETECT_FRAGOFFSET].desc = "match on specific decimal values of the IP fragment offset field"; sigmatch_table[DETECT_FRAGOFFSET].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Header_keywords#Fragoffset"; sigmatch_table[DETECT_FRAGOFFSET].Match = DetectFragOffsetMatch; sigmatch_table[DETECT_FRAGOFFSET].Setup = DetectFragOffsetSetup; sigmatch_table[DETECT_FRAGOFFSET].Free = DetectFragOffsetFree; sigmatch_table[DETECT_FRAGOFFSET].RegisterTests = DetectFragOffsetRegisterTests; DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study); }
/** * \brief Registration function for rpc keyword */ void DetectRpcRegister (void) { sigmatch_table[DETECT_RPC].name = "rpc"; sigmatch_table[DETECT_RPC].desc = "match RPC procedure numbers and RPC version"; sigmatch_table[DETECT_RPC].url = DOC_URL DOC_VERSION "/rules/payload-keywords.html#rpc"; sigmatch_table[DETECT_RPC].Match = DetectRpcMatch; sigmatch_table[DETECT_RPC].Setup = DetectRpcSetup; sigmatch_table[DETECT_RPC].Free = DetectRpcFree; sigmatch_table[DETECT_RPC].RegisterTests = DetectRpcRegisterTests; DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study); }
/** * \brief Registration function for keyword: ssl_version */ void DetectSslVersionRegister(void) { sigmatch_table[DETECT_AL_SSL_VERSION].name = "ssl_version"; sigmatch_table[DETECT_AL_SSL_VERSION].AppLayerTxMatch = DetectSslVersionMatch; sigmatch_table[DETECT_AL_SSL_VERSION].Setup = DetectSslVersionSetup; sigmatch_table[DETECT_AL_SSL_VERSION].Free = DetectSslVersionFree; sigmatch_table[DETECT_AL_SSL_VERSION].RegisterTests = DetectSslVersionRegisterTests; DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study); g_tls_generic_list_id = DetectBufferTypeRegister("tls_generic"); }
/** * \brief Registration function for keyword: filestore */ void DetectFilestoreRegister(void) { sigmatch_table[DETECT_FILESTORE].name = "filestore"; sigmatch_table[DETECT_FILESTORE].desc = "stores files to disk if the rule matched"; sigmatch_table[DETECT_FILESTORE].url = DOC_URL DOC_VERSION "/rules/file-keywords.html#filestore"; sigmatch_table[DETECT_FILESTORE].FileMatch = DetectFilestoreMatch; sigmatch_table[DETECT_FILESTORE].Setup = DetectFilestoreSetup; sigmatch_table[DETECT_FILESTORE].Free = DetectFilestoreFree; sigmatch_table[DETECT_FILESTORE].RegisterTests = DetectFilestoreRegisterTests; sigmatch_table[DETECT_FILESTORE].flags = SIGMATCH_OPTIONAL_OPT; DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study); }
void DetectFlagsRegister (void) { sigmatch_table[DETECT_FLAGS].name = "flags"; sigmatch_table[DETECT_FLAGS].Match = DetectFlagsMatch; sigmatch_table[DETECT_FLAGS].Setup = DetectFlagsSetup; sigmatch_table[DETECT_FLAGS].Free = DetectFlagsFree; sigmatch_table[DETECT_FLAGS].RegisterTests = FlagsRegisterTests; sigmatch_table[DETECT_FLAGS].SupportsPrefilter = PrefilterTcpFlagsIsPrefilterable; sigmatch_table[DETECT_FLAGS].SetupPrefilter = PrefilterSetupTcpFlags; DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study); }
void DetectFilesizeRegister(void) { sigmatch_table[DETECT_FILESIZE].name = "filesize"; sigmatch_table[DETECT_FILESIZE].desc = "match on the size of the file as it is being transferred"; sigmatch_table[DETECT_FILESIZE].url = DOC_URL DOC_VERSION "/rules/file-keywords.html#filesize"; sigmatch_table[DETECT_FILESIZE].FileMatch = DetectFilesizeMatch; sigmatch_table[DETECT_FILESIZE].Setup = DetectFilesizeSetup; sigmatch_table[DETECT_FILESIZE].Free = DetectFilesizeFree; sigmatch_table[DETECT_FILESIZE].RegisterTests = DetectFilesizeRegisterTests; sigmatch_table[DETECT_FILESIZE].flags |= SIGMATCH_PAYLOAD; /** XXX necessary? */ DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study); }
/** * \brief Registration function for keyword: ssh.protoversion */ void DetectSshVersionRegister(void) { sigmatch_table[DETECT_AL_SSH_PROTOVERSION].name = "ssh.protoversion"; sigmatch_table[DETECT_AL_SSH_PROTOVERSION].AppLayerTxMatch = DetectSshVersionMatch; sigmatch_table[DETECT_AL_SSH_PROTOVERSION].Setup = DetectSshVersionSetup; sigmatch_table[DETECT_AL_SSH_PROTOVERSION].Free = DetectSshVersionFree; sigmatch_table[DETECT_AL_SSH_PROTOVERSION].RegisterTests = DetectSshVersionRegisterTests; sigmatch_table[DETECT_AL_SSH_PROTOVERSION].flags = SIGMATCH_QUOTES_OPTIONAL; DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study); g_ssh_banner_list_id = DetectBufferTypeRegister("ssh_banner"); }
/** * \brief Registration function for keyword: filestore */ void DetectFilestoreRegister(void) { sigmatch_table[DETECT_FILESTORE].name = "filestore"; sigmatch_table[DETECT_FILESTORE].desc = "stores files to disk if the rule matched"; sigmatch_table[DETECT_FILESTORE].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File-keywords#filestore"; sigmatch_table[DETECT_FILESTORE].FileMatch = DetectFilestoreMatch; sigmatch_table[DETECT_FILESTORE].alproto = ALPROTO_HTTP; sigmatch_table[DETECT_FILESTORE].Setup = DetectFilestoreSetup; sigmatch_table[DETECT_FILESTORE].Free = DetectFilestoreFree; sigmatch_table[DETECT_FILESTORE].RegisterTests = NULL; sigmatch_table[DETECT_FILESTORE].flags = SIGMATCH_OPTIONAL_OPT; DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study); }
/** * \brief Register Tos keyword. */ void DetectTosRegister(void) { sigmatch_table[DETECT_TOS].name = "tos"; sigmatch_table[DETECT_TOS].Match = DetectTosMatch; sigmatch_table[DETECT_TOS].Setup = DetectTosSetup; sigmatch_table[DETECT_TOS].Free = DetectTosFree; sigmatch_table[DETECT_TOS].RegisterTests = DetectTosRegisterTests; sigmatch_table[DETECT_TOS].flags = (SIGMATCH_QUOTES_OPTIONAL|SIGMATCH_HANDLE_NEGATION); sigmatch_table[DETECT_TOS].url = DOC_URL DOC_VERSION "/rules/header-keywords.html#tos"; DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study); }
void DetectFlowbitsRegister (void) { sigmatch_table[DETECT_FLOWBITS].name = "flowbits"; sigmatch_table[DETECT_FLOWBITS].desc = "operate on flow flag"; sigmatch_table[DETECT_FLOWBITS].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Flow-keywords#Flowbits"; sigmatch_table[DETECT_FLOWBITS].Match = DetectFlowbitMatch; sigmatch_table[DETECT_FLOWBITS].Setup = DetectFlowbitSetup; sigmatch_table[DETECT_FLOWBITS].Free = DetectFlowbitFree; sigmatch_table[DETECT_FLOWBITS].RegisterTests = FlowBitsRegisterTests; /* this is compatible to ip-only signatures */ sigmatch_table[DETECT_FLOWBITS].flags |= SIGMATCH_IPONLY_COMPAT; DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study); }
void DetectUrilenRegister(void) { sigmatch_table[DETECT_AL_URILEN].name = "urilen"; sigmatch_table[DETECT_AL_URILEN].desc = "match on the length of the HTTP uri"; sigmatch_table[DETECT_AL_URILEN].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#urilen"; sigmatch_table[DETECT_AL_URILEN].Match = NULL; sigmatch_table[DETECT_AL_URILEN].AppLayerMatch = NULL /**< We handle this at detect-engine-uri.c now */; sigmatch_table[DETECT_AL_URILEN].Setup = DetectUrilenSetup; sigmatch_table[DETECT_AL_URILEN].Free = DetectUrilenFree; sigmatch_table[DETECT_AL_URILEN].RegisterTests = DetectUrilenRegisterTests; sigmatch_table[DETECT_AL_URILEN].flags |= SIGMATCH_PAYLOAD; DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study); }
/** * \brief Registration function for keyword: tls.version */ void DetectTlsVersionRegister (void) { sigmatch_table[DETECT_AL_TLS_VERSION].name = "tls.version"; sigmatch_table[DETECT_AL_TLS_VERSION].desc = "match on TLS/SSL version"; sigmatch_table[DETECT_AL_TLS_VERSION].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/TLS-keywords#tlsversion"; sigmatch_table[DETECT_AL_TLS_VERSION].Match = NULL; sigmatch_table[DETECT_AL_TLS_VERSION].AppLayerMatch = DetectTlsVersionMatch; sigmatch_table[DETECT_AL_TLS_VERSION].alproto = ALPROTO_TLS; sigmatch_table[DETECT_AL_TLS_VERSION].Setup = DetectTlsVersionSetup; sigmatch_table[DETECT_AL_TLS_VERSION].Free = DetectTlsVersionFree; sigmatch_table[DETECT_AL_TLS_VERSION].RegisterTests = DetectTlsVersionRegisterTests; DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study); }
void DetectFlowbitsRegister (void) { sigmatch_table[DETECT_FLOWBITS].name = "flowbits"; sigmatch_table[DETECT_FLOWBITS].desc = "operate on flow flag"; sigmatch_table[DETECT_FLOWBITS].url = DOC_URL DOC_VERSION "/rules/flow-keywords.html#flowbits"; sigmatch_table[DETECT_FLOWBITS].Match = DetectFlowbitMatch; sigmatch_table[DETECT_FLOWBITS].Setup = DetectFlowbitSetup; sigmatch_table[DETECT_FLOWBITS].Free = DetectFlowbitFree; sigmatch_table[DETECT_FLOWBITS].RegisterTests = FlowBitsRegisterTests; /* this is compatible to ip-only signatures */ sigmatch_table[DETECT_FLOWBITS].flags |= SIGMATCH_IPONLY_COMPAT; DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study); }
/** * \brief Registration function for dsize: keyword */ void DetectDsizeRegister (void) { sigmatch_table[DETECT_DSIZE].name = "dsize"; sigmatch_table[DETECT_DSIZE].desc = "match on the size of the packet payload"; sigmatch_table[DETECT_DSIZE].url = DOC_URL DOC_VERSION "/rules/payload-keywords.html#dsize"; sigmatch_table[DETECT_DSIZE].Match = DetectDsizeMatch; sigmatch_table[DETECT_DSIZE].Setup = DetectDsizeSetup; sigmatch_table[DETECT_DSIZE].Free = DetectDsizeFree; sigmatch_table[DETECT_DSIZE].RegisterTests = DsizeRegisterTests; sigmatch_table[DETECT_DSIZE].SupportsPrefilter = PrefilterDsizeIsPrefilterable; sigmatch_table[DETECT_DSIZE].SetupPrefilter = PrefilterSetupDsize; DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study); }
/** * \brief Registration function for icode: icmp_id */ void DetectIcmpIdRegister (void) { sigmatch_table[DETECT_ICMP_ID].name = "icmp_id"; sigmatch_table[DETECT_ICMP_ID].desc = "check for a ICMP id"; sigmatch_table[DETECT_ICMP_ID].url = DOC_URL DOC_VERSION "/rules/header-keywords.html#icmp-id"; sigmatch_table[DETECT_ICMP_ID].Match = DetectIcmpIdMatch; sigmatch_table[DETECT_ICMP_ID].Setup = DetectIcmpIdSetup; sigmatch_table[DETECT_ICMP_ID].Free = DetectIcmpIdFree; sigmatch_table[DETECT_ICMP_ID].RegisterTests = DetectIcmpIdRegisterTests; sigmatch_table[DETECT_ICMP_ID].SupportsPrefilter = PrefilterIcmpIdIsPrefilterable; sigmatch_table[DETECT_ICMP_ID].SetupPrefilter = PrefilterSetupIcmpId; DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study); }
/** * \brief Registration function for flow: keyword */ void DetectFlowRegister (void) { sigmatch_table[DETECT_FLOW].name = "flow"; sigmatch_table[DETECT_FLOW].desc = "match on direction and state of the flow"; sigmatch_table[DETECT_FLOW].url = DOC_URL DOC_VERSION "/rules/flow-keywords.html#flow"; sigmatch_table[DETECT_FLOW].Match = DetectFlowMatch; sigmatch_table[DETECT_FLOW].Setup = DetectFlowSetup; sigmatch_table[DETECT_FLOW].Free = DetectFlowFree; sigmatch_table[DETECT_FLOW].RegisterTests = DetectFlowRegisterTests; sigmatch_table[DETECT_FLOW].SupportsPrefilter = PrefilterFlowIsPrefilterable; sigmatch_table[DETECT_FLOW].SetupPrefilter = PrefilterSetupFlow; DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study); }
void DetectTtlRegister(void) { sigmatch_table[DETECT_TTL].name = "ttl"; sigmatch_table[DETECT_TTL].desc = "check for a specific IP time-to-live value"; sigmatch_table[DETECT_TTL].url = DOC_URL DOC_VERSION "/rules/header-keywords.html#ttl"; sigmatch_table[DETECT_TTL].Match = DetectTtlMatch; sigmatch_table[DETECT_TTL].Setup = DetectTtlSetup; sigmatch_table[DETECT_TTL].Free = DetectTtlFree; sigmatch_table[DETECT_TTL].RegisterTests = DetectTtlRegisterTests; sigmatch_table[DETECT_TTL].SupportsPrefilter = PrefilterTtlIsPrefilterable; sigmatch_table[DETECT_TTL].SetupPrefilter = PrefilterSetupTtl; DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study); return; }
void DetectBase64DecodeRegister(void) { sigmatch_table[DETECT_BASE64_DECODE].name = "base64_decode"; sigmatch_table[DETECT_BASE64_DECODE].desc = "Decodes base64 encoded data."; sigmatch_table[DETECT_BASE64_DECODE].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Payload_keywords#base64_decode"; sigmatch_table[DETECT_BASE64_DECODE].Setup = DetectBase64DecodeSetup; sigmatch_table[DETECT_BASE64_DECODE].Free = DetectBase64DecodeFree; sigmatch_table[DETECT_BASE64_DECODE].RegisterTests = DetectBase64DecodeRegisterTests; sigmatch_table[DETECT_BASE64_DECODE].flags |= SIGMATCH_PAYLOAD; sigmatch_table[DETECT_BASE64_DECODE].flags |= SIGMATCH_OPTIONAL_OPT; DetectSetupParseRegexes(decode_pattern, &decode_pcre, &decode_pcre_study); }