예제 #1
0
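/**
 * \brief Registration function for keyword: file_data
 *
 * Fills the sigmatch_table slot for DETECT_FILE_DATA and wires the keyword
 * into two inspection paths: HTTP response bodies (to-client) and SMTP file
 * data (to-server). Both paths feed the DETECT_SM_LIST_FILEDATA list.
 * Takes no arguments and returns nothing; it only mutates global registries.
 */
void DetectFiledataRegister(void)
{
    sigmatch_table[DETECT_FILE_DATA].name = "file_data";
    /* The keyword is registered for SMTP as well as HTTP below, so the
     * user-facing description names both instead of HTTP alone. */
    sigmatch_table[DETECT_FILE_DATA].desc = "make content keywords match on HTTP response body or SMTP file data";
    sigmatch_table[DETECT_FILE_DATA].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords#file_data";
    /* No per-signature match callbacks are installed for this keyword; only
     * Setup and the unit-test hook are provided. */
    sigmatch_table[DETECT_FILE_DATA].Match = NULL;
    sigmatch_table[DETECT_FILE_DATA].AppLayerMatch = NULL;
    sigmatch_table[DETECT_FILE_DATA].Setup = DetectFiledataSetup;
    sigmatch_table[DETECT_FILE_DATA].Free  = NULL;
    sigmatch_table[DETECT_FILE_DATA].RegisterTests = DetectFiledataRegisterTests;
    /* Plain assignment (not |=): this slot's flags are fully defined here. */
    sigmatch_table[DETECT_FILE_DATA].flags = SIGMATCH_NOOPT;

    /* Prefilter (MPM) engines, one per protocol/direction, both attached to
     * the same list. The numeric argument is passed through unchanged; its
     * meaning is defined by DetectMpmAppLayerRegister. */
    DetectMpmAppLayerRegister("file_data", SIG_FLAG_TOSERVER,
            DETECT_SM_LIST_FILEDATA, 2,
            PrefilterTxSmtpFiledataRegister);
    DetectMpmAppLayerRegister("file_data", SIG_FLAG_TOCLIENT,
            DETECT_SM_LIST_FILEDATA, 2,
            PrefilterTxHttpResponseBodyRegister);

    /* Full inspection engines; direction must agree with the MPM
     * registration for the same protocol above. */
    DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOCLIENT,
            DETECT_SM_LIST_FILEDATA,
            DetectEngineInspectHttpServerBody);
    DetectAppLayerInspectEngineRegister(ALPROTO_SMTP, SIG_FLAG_TOSERVER,
            DETECT_SM_LIST_FILEDATA,
            DetectEngineInspectSMTPFiledata);
}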
예제 #2
0
/**
 * \brief Registration function for keyword: tls_cert_issuer
 *
 * Populates the DETECT_AL_TLS_CERT_ISSUER entry of sigmatch_table and
 * registers the prefilter and inspection engines for the TLS certificate
 * issuer buffer (to-client direction, DETECT_SM_LIST_TLSISSUER_MATCH).
 * No return value; only global registries are modified.
 */
void DetectTlsIssuerRegister(void)
{
    /* Keyword identity and callbacks. */
    sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].name = "tls_cert_issuer";
    sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].desc = "content modifier to match specifically and only on the TLS cert issuer buffer";
    /* NOTE(review): no .url is set here, unlike the HTTP keywords; confirm
     * whether a documentation link should be provided. */
    sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].Setup = DetectTlsIssuerSetup;
    sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].RegisterTests = DetectTlsIssuerRegisterTests;
    sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].Match = NULL;
    sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].AppLayerMatch = NULL;
    sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].Free  = NULL;

    /* Both flags OR'ed into whatever the slot already holds. */
    sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].flags |= (SIGMATCH_NOOPT | SIGMATCH_PAYLOAD);

    /* Prefilter engine for the issuer buffer. */
    DetectMpmAppLayerRegister("tls_cert_issuer", SIG_FLAG_TOCLIENT,
            DETECT_SM_LIST_TLSISSUER_MATCH, 2,
            PrefilterTxTlsIssuerRegister);

    /* Full inspection engine, same direction and list as the prefilter. */
    DetectAppLayerInspectEngineRegister(ALPROTO_TLS, SIG_FLAG_TOCLIENT,
            DETECT_SM_LIST_TLSISSUER_MATCH,
            DetectEngineInspectTlsIssuer);
}
예제 #3
0
/**
 * \brief Registration function for keyword: tls_sni
 *
 * Populates the DETECT_AL_TLS_SNI entry of sigmatch_table and registers the
 * prefilter and inspection engines for the TLS SNI buffer (to-server
 * direction, DETECT_SM_LIST_TLSSNI_MATCH). No return value; only global
 * registries are modified.
 */
void DetectTlsSniRegister(void)
{
    /* Keyword identity and callbacks. */
    sigmatch_table[DETECT_AL_TLS_SNI].name = "tls_sni";
    sigmatch_table[DETECT_AL_TLS_SNI].desc = "content modifier to match specifically and only on the TLS SNI buffer";
    /* NOTE(review): no .url is set here, unlike the HTTP keywords; confirm
     * whether a documentation link should be provided. */
    sigmatch_table[DETECT_AL_TLS_SNI].Setup = DetectTlsSniSetup;
    sigmatch_table[DETECT_AL_TLS_SNI].RegisterTests = DetectTlsSniRegisterTests;
    sigmatch_table[DETECT_AL_TLS_SNI].Match = NULL;
    sigmatch_table[DETECT_AL_TLS_SNI].AppLayerMatch = NULL;
    sigmatch_table[DETECT_AL_TLS_SNI].Free  = NULL;

    /* Both flags OR'ed into whatever the slot already holds. */
    sigmatch_table[DETECT_AL_TLS_SNI].flags |= (SIGMATCH_NOOPT | SIGMATCH_PAYLOAD);

    /* Prefilter engine for the SNI buffer. */
    DetectMpmAppLayerRegister("tls_sni", SIG_FLAG_TOSERVER,
            DETECT_SM_LIST_TLSSNI_MATCH, 2,
            PrefilterTxTlsSniRegister);

    /* Full inspection engine, same direction and list as the prefilter. */
    DetectAppLayerInspectEngineRegister(ALPROTO_TLS, SIG_FLAG_TOSERVER,
            DETECT_SM_LIST_TLSSNI_MATCH,
            DetectEngineInspectTlsSni);
}
예제 #4
0
/**
 * \brief Registration function for keyword: http_uri
 *
 * Populates the DETECT_AL_HTTP_URI entry of sigmatch_table and registers the
 * prefilter and inspection engines for the normalized HTTP URI buffer
 * (to-server direction, DETECT_SM_LIST_UMATCH). No return value; only global
 * registries are modified.
 */
void DetectHttpUriRegister(void)
{
    /* Keyword identity and documentation link (built from the DOC_URL and
     * DOC_VERSION macros). */
    sigmatch_table[DETECT_AL_HTTP_URI].name = "http_uri";
    sigmatch_table[DETECT_AL_HTTP_URI].desc = "content modifier to match specifically and only on the HTTP uri-buffer";
    sigmatch_table[DETECT_AL_HTTP_URI].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http_uri-and-http_raw-uri";

    /* Callbacks: only Setup and the unit-test hook are provided. */
    sigmatch_table[DETECT_AL_HTTP_URI].Setup = DetectHttpUriSetup;
    sigmatch_table[DETECT_AL_HTTP_URI].RegisterTests = DetectHttpUriRegisterTests;
    sigmatch_table[DETECT_AL_HTTP_URI].Match = NULL;
    sigmatch_table[DETECT_AL_HTTP_URI].AppLayerMatch = NULL;
    sigmatch_table[DETECT_AL_HTTP_URI].Free  = NULL;

    /* Both flags OR'ed into whatever the slot already holds. */
    sigmatch_table[DETECT_AL_HTTP_URI].flags |= (SIGMATCH_NOOPT | SIGMATCH_PAYLOAD);

    /* Prefilter engine for the URI buffer. */
    DetectMpmAppLayerRegister("http_uri", SIG_FLAG_TOSERVER,
            DETECT_SM_LIST_UMATCH, 2,
            PrefilterTxUriRegister);

    /* Full inspection engine, same direction and list as the prefilter. */
    DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOSERVER,
            DETECT_SM_LIST_UMATCH,
            DetectEngineInspectHttpUri);
}
예제 #5
0
/**
 * \brief Registration function for keyword: http_method
 *
 * Populates the DETECT_AL_HTTP_METHOD entry of sigmatch_table and registers
 * the prefilter and inspection engines for the HTTP method buffer (to-server
 * direction, DETECT_SM_LIST_HMDMATCH). Unlike most buffer keywords here it
 * installs a Free callback. No return value; only global registries are
 * modified and one debug line is logged.
 */
void DetectHttpMethodRegister(void)
{
    /* Keyword identity and documentation link. */
    sigmatch_table[DETECT_AL_HTTP_METHOD].name = "http_method";
    sigmatch_table[DETECT_AL_HTTP_METHOD].desc = "content modifier to match only on the HTTP method-buffer";
    sigmatch_table[DETECT_AL_HTTP_METHOD].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords#http_method";

    /* Callbacks: Setup, Free and the unit-test hook; no match callbacks. */
    sigmatch_table[DETECT_AL_HTTP_METHOD].Setup = DetectHttpMethodSetup;
    sigmatch_table[DETECT_AL_HTTP_METHOD].Free  = DetectHttpMethodFree;
    sigmatch_table[DETECT_AL_HTTP_METHOD].RegisterTests = DetectHttpMethodRegisterTests;
    sigmatch_table[DETECT_AL_HTTP_METHOD].Match = NULL;
    sigmatch_table[DETECT_AL_HTTP_METHOD].AppLayerMatch = NULL;

    /* Both flags OR'ed into whatever the slot already holds. */
    sigmatch_table[DETECT_AL_HTTP_METHOD].flags |= (SIGMATCH_NOOPT | SIGMATCH_PAYLOAD);

    /* Prefilter engine for the method buffer; note the priority argument is
     * 4 here, whereas the other keywords on this page pass 2. */
    DetectMpmAppLayerRegister("http_method", SIG_FLAG_TOSERVER,
            DETECT_SM_LIST_HMDMATCH, 4,
            PrefilterTxMethodRegister);

    /* Full inspection engine, same direction and list as the prefilter. */
    DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOSERVER,
            DETECT_SM_LIST_HMDMATCH,
            DetectEngineInspectHttpMethod);

    SCLogDebug("registering http_method rule option");
}
예제 #6
0
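/**
 * \brief Registers the keyword handlers for the "http_response_line" keyword.
 *
 * Populates the DETECT_AL_HTTP_RESPONSE_LINE entry of sigmatch_table and
 * registers the prefilter and inspection engines for the HTTP response line
 * buffer (to-client direction, DETECT_SM_LIST_HTTP_RESLINEMATCH). No return
 * value; only global registries are modified.
 */
void DetectHttpResponseLineRegister(void)
{
    /* Keyword identity and documentation link (built from the DOC_URL and
     * DOC_VERSION macros). */
    sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].name = "http_response_line";
    sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].desc = "content modifier to match only on the HTTP response line";
    sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http_response-line";

    /* Callbacks: only Setup and the unit-test hook are provided. Free is set
     * to NULL explicitly, as the sibling registration functions do, instead
     * of relying on the table's initial zero state. */
    sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].Match = NULL;
    sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].AppLayerMatch = NULL;
    sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].Setup = DetectHttpResponseLineSetup;
    sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].Free  = NULL;
    sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].RegisterTests = DetectHttpResponseLineRegisterTests;

    /* Both flags OR'ed into whatever the slot already holds. */
    sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].flags |= SIGMATCH_NOOPT;
    sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].flags |= SIGMATCH_PAYLOAD;

    /* Prefilter engine for the response line buffer. */
    DetectMpmAppLayerRegister("http_response_line", SIG_FLAG_TOCLIENT,
            DETECT_SM_LIST_HTTP_RESLINEMATCH, 2,
            PrefilterTxHttpResponseLineRegister);

    /* Full inspection engine, same direction and list as the prefilter. */
    DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOCLIENT,
            DETECT_SM_LIST_HTTP_RESLINEMATCH,
            DetectEngineInspectHttpResponseLine);
}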