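/**
 * \brief Registration function for keyword: file_data
 *
 * Fills the sigmatch_table slot for DETECT_FILE_DATA and hooks the keyword
 * into the mpm prefilter and the app-layer inspection engines. The keyword
 * is wired for two protocol/direction pairs: HTTP (SIG_FLAG_TOCLIENT) and
 * SMTP (SIG_FLAG_TOSERVER); the desc string below only names the HTTP case,
 * so rule authors should not assume SMTP file data is excluded.
 */
void DetectFiledataRegister(void)
{
    sigmatch_table[DETECT_FILE_DATA].name = "file_data";
    sigmatch_table[DETECT_FILE_DATA].desc = "make content keywords match on HTTP response body";
    sigmatch_table[DETECT_FILE_DATA].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords#file_data";

    /* no matcher of its own: the keyword only redirects content keywords */
    sigmatch_table[DETECT_FILE_DATA].Match = NULL;
    sigmatch_table[DETECT_FILE_DATA].AppLayerMatch = NULL;
    sigmatch_table[DETECT_FILE_DATA].Setup = DetectFiledataSetup;
    sigmatch_table[DETECT_FILE_DATA].Free = NULL;
    sigmatch_table[DETECT_FILE_DATA].RegisterTests = DetectFiledataRegisterTests;

    /* OR the flag in, as the sibling keyword registrations do, so a bit that
     * was already set on this slot is not silently dropped. */
    sigmatch_table[DETECT_FILE_DATA].flags |= SIGMATCH_NOOPT;

    /* prefilter engines: one per direction/protocol the buffer exists in */
    DetectMpmAppLayerRegister("file_data", SIG_FLAG_TOSERVER,
            DETECT_SM_LIST_FILEDATA, 2, PrefilterTxSmtpFiledataRegister);
    DetectMpmAppLayerRegister("file_data", SIG_FLAG_TOCLIENT,
            DETECT_SM_LIST_FILEDATA, 2, PrefilterTxHttpResponseBodyRegister);

    /* inspection engines, matching the two prefilter registrations above */
    DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOCLIENT,
            DETECT_SM_LIST_FILEDATA, DetectEngineInspectHttpServerBody);
    DetectAppLayerInspectEngineRegister(ALPROTO_SMTP, SIG_FLAG_TOSERVER,
            DETECT_SM_LIST_FILEDATA, DetectEngineInspectSMTPFiledata);
}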
/**
 * \brief Registration function for keyword: tls_cert_issuer
 *
 * Populates the DETECT_AL_TLS_CERT_ISSUER slot of sigmatch_table and
 * registers the prefilter and inspection engines for the TLS cert issuer
 * buffer in the to-client direction. No url field is set for this keyword.
 */
void DetectTlsIssuerRegister(void)
{
    /* keyword identity and flags first */
    sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].name = "tls_cert_issuer";
    sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].desc = "content modifier to match specifically and only on the TLS cert issuer buffer";
    sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].flags |= SIGMATCH_NOOPT | SIGMATCH_PAYLOAD;

    /* callbacks: only Setup and RegisterTests are provided */
    sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].Setup = DetectTlsIssuerSetup;
    sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].RegisterTests = DetectTlsIssuerRegisterTests;
    sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].Match = NULL;
    sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].AppLayerMatch = NULL;
    sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].Free = NULL;

    /* engine hookup for the issuer buffer, server -> client only */
    DetectMpmAppLayerRegister("tls_cert_issuer", SIG_FLAG_TOCLIENT,
            DETECT_SM_LIST_TLSISSUER_MATCH, 2, PrefilterTxTlsIssuerRegister);
    DetectAppLayerInspectEngineRegister(ALPROTO_TLS, SIG_FLAG_TOCLIENT,
            DETECT_SM_LIST_TLSISSUER_MATCH, DetectEngineInspectTlsIssuer);
}
/**
 * \brief Registration function for keyword: tls_sni
 *
 * Populates the DETECT_AL_TLS_SNI slot of sigmatch_table and registers the
 * prefilter and inspection engines for the TLS SNI buffer in the to-server
 * direction (the SNI is sent by the client). No url field is set here.
 */
void DetectTlsSniRegister(void)
{
    /* keyword identity and flags first */
    sigmatch_table[DETECT_AL_TLS_SNI].name = "tls_sni";
    sigmatch_table[DETECT_AL_TLS_SNI].desc = "content modifier to match specifically and only on the TLS SNI buffer";
    sigmatch_table[DETECT_AL_TLS_SNI].flags |= SIGMATCH_NOOPT | SIGMATCH_PAYLOAD;

    /* callbacks: only Setup and RegisterTests are provided */
    sigmatch_table[DETECT_AL_TLS_SNI].Setup = DetectTlsSniSetup;
    sigmatch_table[DETECT_AL_TLS_SNI].RegisterTests = DetectTlsSniRegisterTests;
    sigmatch_table[DETECT_AL_TLS_SNI].Match = NULL;
    sigmatch_table[DETECT_AL_TLS_SNI].AppLayerMatch = NULL;
    sigmatch_table[DETECT_AL_TLS_SNI].Free = NULL;

    /* engine hookup for the SNI buffer, client -> server only */
    DetectMpmAppLayerRegister("tls_sni", SIG_FLAG_TOSERVER,
            DETECT_SM_LIST_TLSSNI_MATCH, 2, PrefilterTxTlsSniRegister);
    DetectAppLayerInspectEngineRegister(ALPROTO_TLS, SIG_FLAG_TOSERVER,
            DETECT_SM_LIST_TLSSNI_MATCH, DetectEngineInspectTlsSni);
}
/**
 * \brief Registration function for keyword: http_uri
 *
 * Populates the DETECT_AL_HTTP_URI slot of sigmatch_table and registers the
 * prefilter and inspection engines for the normalized HTTP URI buffer in the
 * to-server direction.
 */
void DetectHttpUriRegister (void)
{
    /* keyword identity, documentation link and flags */
    sigmatch_table[DETECT_AL_HTTP_URI].name = "http_uri";
    sigmatch_table[DETECT_AL_HTTP_URI].desc = "content modifier to match specifically and only on the HTTP uri-buffer";
    sigmatch_table[DETECT_AL_HTTP_URI].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http_uri-and-http_raw-uri";
    sigmatch_table[DETECT_AL_HTTP_URI].flags |= SIGMATCH_NOOPT | SIGMATCH_PAYLOAD;

    /* callbacks: only Setup and RegisterTests are provided */
    sigmatch_table[DETECT_AL_HTTP_URI].Setup = DetectHttpUriSetup;
    sigmatch_table[DETECT_AL_HTTP_URI].RegisterTests = DetectHttpUriRegisterTests;
    sigmatch_table[DETECT_AL_HTTP_URI].Match = NULL;
    sigmatch_table[DETECT_AL_HTTP_URI].AppLayerMatch = NULL;
    sigmatch_table[DETECT_AL_HTTP_URI].Free = NULL;

    /* engine hookup for the URI buffer, client -> server only */
    DetectMpmAppLayerRegister("http_uri", SIG_FLAG_TOSERVER,
            DETECT_SM_LIST_UMATCH, 2, PrefilterTxUriRegister);
    DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOSERVER,
            DETECT_SM_LIST_UMATCH, DetectEngineInspectHttpUri);
}
/**
 * \brief Registration function for keyword: http_method
 *
 * Populates the DETECT_AL_HTTP_METHOD slot of sigmatch_table and registers
 * the prefilter and inspection engines for the HTTP method buffer in the
 * to-server direction. Unlike most sibling keywords this one provides a
 * Free callback and registers its prefilter with priority 4 rather than 2.
 */
void DetectHttpMethodRegister(void)
{
    /* keyword identity, documentation link and flags */
    sigmatch_table[DETECT_AL_HTTP_METHOD].name = "http_method";
    sigmatch_table[DETECT_AL_HTTP_METHOD].desc = "content modifier to match only on the HTTP method-buffer";
    sigmatch_table[DETECT_AL_HTTP_METHOD].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords#http_method";
    sigmatch_table[DETECT_AL_HTTP_METHOD].flags |= SIGMATCH_NOOPT | SIGMATCH_PAYLOAD;

    /* callbacks */
    sigmatch_table[DETECT_AL_HTTP_METHOD].Setup = DetectHttpMethodSetup;
    sigmatch_table[DETECT_AL_HTTP_METHOD].Free = DetectHttpMethodFree;
    sigmatch_table[DETECT_AL_HTTP_METHOD].RegisterTests = DetectHttpMethodRegisterTests;
    sigmatch_table[DETECT_AL_HTTP_METHOD].Match = NULL;
    sigmatch_table[DETECT_AL_HTTP_METHOD].AppLayerMatch = NULL;

    /* engine hookup for the method buffer, client -> server only */
    DetectMpmAppLayerRegister("http_method", SIG_FLAG_TOSERVER,
            DETECT_SM_LIST_HMDMATCH, 4, PrefilterTxMethodRegister);
    DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOSERVER,
            DETECT_SM_LIST_HMDMATCH, DetectEngineInspectHttpMethod);

    SCLogDebug("registering http_method rule option");
}
/**
 * \brief Registers the keyword handlers for the "http_response_line" keyword.
 *
 * Populates the DETECT_AL_HTTP_RESPONSE_LINE slot of sigmatch_table and
 * registers the prefilter and inspection engines for the HTTP response line
 * buffer in the to-client direction. The Free callback is intentionally not
 * assigned here (unlike the sibling registrations that set it to NULL); the
 * slot keeps whatever value it already holds.
 */
void DetectHttpResponseLineRegister(void)
{
    /* keyword identity, documentation link and flags */
    sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].name = "http_response_line";
    sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].desc = "content modifier to match only on the HTTP response line";
    sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http_response-line";
    sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].flags |= SIGMATCH_NOOPT | SIGMATCH_PAYLOAD;

    /* callbacks: only Setup and RegisterTests are provided */
    sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].Setup = DetectHttpResponseLineSetup;
    sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].RegisterTests = DetectHttpResponseLineRegisterTests;
    sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].Match = NULL;
    sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].AppLayerMatch = NULL;

    /* engine hookup for the response line buffer, server -> client only */
    DetectMpmAppLayerRegister("http_response_line", SIG_FLAG_TOCLIENT,
            DETECT_SM_LIST_HTTP_RESLINEMATCH, 2, PrefilterTxHttpResponseLineRegister);
    DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOCLIENT,
            DETECT_SM_LIST_HTTP_RESLINEMATCH, DetectEngineInspectHttpResponseLine);
}