示例#1
0
/**
 * \brief Registration function for keyword: tls_sni
 */
void DetectTlsSniRegister(void)
{
    sigmatch_table[DETECT_AL_TLS_SNI].name = "tls_sni";
    sigmatch_table[DETECT_AL_TLS_SNI].desc = "content modifier to match specifically and only on the TLS SNI buffer";
    sigmatch_table[DETECT_AL_TLS_SNI].Match = NULL;
    sigmatch_table[DETECT_AL_TLS_SNI].AppLayerMatch = NULL;
    sigmatch_table[DETECT_AL_TLS_SNI].Setup = DetectTlsSniSetup;
    sigmatch_table[DETECT_AL_TLS_SNI].Free  = NULL;
    sigmatch_table[DETECT_AL_TLS_SNI].RegisterTests = DetectTlsSniRegisterTests;

    sigmatch_table[DETECT_AL_TLS_SNI].flags |= SIGMATCH_NOOPT;
    sigmatch_table[DETECT_AL_TLS_SNI].flags |= SIGMATCH_PAYLOAD;

    DetectMpmAppLayerRegister("tls_sni", SIG_FLAG_TOSERVER,
            DETECT_SM_LIST_TLSSNI_MATCH, 2,
            PrefilterTxTlsSniRegister);

    DetectAppLayerInspectEngineRegister(ALPROTO_TLS, SIG_FLAG_TOSERVER,
            DETECT_SM_LIST_TLSSNI_MATCH,
            DetectEngineInspectTlsSni);
}
示例#2
0
/**
 * \brief Registration function for keyword: http_uri
 */
void DetectHttpUriRegister (void)
{
    sigmatch_table[DETECT_AL_HTTP_URI].name = "http_uri";
    sigmatch_table[DETECT_AL_HTTP_URI].desc = "content modifier to match specifically and only on the HTTP uri-buffer";
    sigmatch_table[DETECT_AL_HTTP_URI].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http_uri-and-http_raw-uri";
    sigmatch_table[DETECT_AL_HTTP_URI].Match = NULL;
    sigmatch_table[DETECT_AL_HTTP_URI].AppLayerMatch = NULL;
    sigmatch_table[DETECT_AL_HTTP_URI].Setup = DetectHttpUriSetup;
    sigmatch_table[DETECT_AL_HTTP_URI].Free  = NULL;
    sigmatch_table[DETECT_AL_HTTP_URI].RegisterTests = DetectHttpUriRegisterTests;

    sigmatch_table[DETECT_AL_HTTP_URI].flags |= SIGMATCH_NOOPT;
    sigmatch_table[DETECT_AL_HTTP_URI].flags |= SIGMATCH_PAYLOAD;

    DetectMpmAppLayerRegister("http_uri", SIG_FLAG_TOSERVER,
            DETECT_SM_LIST_UMATCH, 2,
            PrefilterTxUriRegister);

    DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOSERVER,
            DETECT_SM_LIST_UMATCH,
            DetectEngineInspectHttpUri);
}
示例#3
0
/**
 * \brief Registration function for nfs_procedure keyword.
 */
void DetectNfsVersionRegister (void)
{
    sigmatch_table[DETECT_AL_NFS_VERSION].name = "nfs_version";
    sigmatch_table[DETECT_AL_NFS_VERSION].desc = "match NFS version";
    sigmatch_table[DETECT_AL_NFS_VERSION].url = DOC_URL DOC_VERSION "/rules/nfs-keywords.html#version";
    sigmatch_table[DETECT_AL_NFS_VERSION].Match = NULL;
    sigmatch_table[DETECT_AL_NFS_VERSION].AppLayerTxMatch = DetectNfsVersionMatch;
    sigmatch_table[DETECT_AL_NFS_VERSION].Setup = DetectNfsVersionSetup;
    sigmatch_table[DETECT_AL_NFS_VERSION].Free = DetectNfsVersionFree;
    sigmatch_table[DETECT_AL_NFS_VERSION].RegisterTests = DetectNfsVersionRegisterTests;


    DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);

    DetectAppLayerInspectEngineRegister("nfs_request",
            ALPROTO_NFS, SIG_FLAG_TOSERVER, 0,
            DetectEngineInspectNfsRequestGeneric);

    g_nfs_request_buffer_id = DetectBufferTypeGetByName("nfs_request");

    SCLogDebug("g_nfs_request_buffer_id %d", g_nfs_request_buffer_id);
}
示例#4
0
/**
 * \brief Registration function for keyword: http_method
 */
void DetectHttpMethodRegister(void)
{
    sigmatch_table[DETECT_AL_HTTP_METHOD].name = "http_method";
    sigmatch_table[DETECT_AL_HTTP_METHOD].desc = "content modifier to match only on the HTTP method-buffer";
    sigmatch_table[DETECT_AL_HTTP_METHOD].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords#http_method";
    sigmatch_table[DETECT_AL_HTTP_METHOD].Match = NULL;
    sigmatch_table[DETECT_AL_HTTP_METHOD].AppLayerMatch = NULL;
    sigmatch_table[DETECT_AL_HTTP_METHOD].Setup = DetectHttpMethodSetup;
    sigmatch_table[DETECT_AL_HTTP_METHOD].Free  = DetectHttpMethodFree;
    sigmatch_table[DETECT_AL_HTTP_METHOD].RegisterTests = DetectHttpMethodRegisterTests;
    sigmatch_table[DETECT_AL_HTTP_METHOD].flags |= SIGMATCH_NOOPT;
    sigmatch_table[DETECT_AL_HTTP_METHOD].flags |= SIGMATCH_PAYLOAD;

    DetectMpmAppLayerRegister("http_method", SIG_FLAG_TOSERVER,
            DETECT_SM_LIST_HMDMATCH, 4,
            PrefilterTxMethodRegister);

    DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOSERVER,
            DETECT_SM_LIST_HMDMATCH,
            DetectEngineInspectHttpMethod);

    SCLogDebug("registering http_method rule option");
}
示例#5
0
/**
 * \brief Registers the keyword handlers for the "http_response_line" keyword.
 */
void DetectHttpResponseLineRegister(void)
{
    sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].name = "http_response_line";
    sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].desc = "content modifier to match only on the HTTP response line";
    sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http_response-line";
    sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].Match = NULL;
    sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].AppLayerMatch = NULL;
    sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].Setup = DetectHttpResponseLineSetup;
    sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].RegisterTests = DetectHttpResponseLineRegisterTests;

    sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].flags |= SIGMATCH_NOOPT;
    sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].flags |= SIGMATCH_PAYLOAD ;

    DetectMpmAppLayerRegister("http_response_line", SIG_FLAG_TOCLIENT,
            DETECT_SM_LIST_HTTP_RESLINEMATCH, 2,
            PrefilterTxHttpResponseLineRegister);

    DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOCLIENT,
            DETECT_SM_LIST_HTTP_RESLINEMATCH,
            DetectEngineInspectHttpResponseLine);

    return;
}
示例#6
0
/**
 * \brief Registration function for keyword: http_stat_msg
 */
void DetectHttpStatMsgRegister (void)
{
    sigmatch_table[DETECT_AL_HTTP_STAT_MSG].name = "http_stat_msg";
    sigmatch_table[DETECT_AL_HTTP_STAT_MSG].desc = "content modifier to match on HTTP stat-msg-buffer";
    sigmatch_table[DETECT_AL_HTTP_STAT_MSG].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http_stat-msg";
    sigmatch_table[DETECT_AL_HTTP_STAT_MSG].Match = NULL;
    sigmatch_table[DETECT_AL_HTTP_STAT_MSG].Setup = DetectHttpStatMsgSetup;
    sigmatch_table[DETECT_AL_HTTP_STAT_MSG].Free  = NULL;
    sigmatch_table[DETECT_AL_HTTP_STAT_MSG].RegisterTests = DetectHttpStatMsgRegisterTests;

    sigmatch_table[DETECT_AL_HTTP_STAT_MSG].flags |= SIGMATCH_NOOPT;

    DetectAppLayerMpmRegister("http_stat_msg", SIG_FLAG_TOCLIENT, 3,
            PrefilterTxHttpStatMsgRegister);

    DetectAppLayerInspectEngineRegister("http_stat_msg",
            ALPROTO_HTTP, SIG_FLAG_TOCLIENT, HTP_RESPONSE_LINE,
            DetectEngineInspectHttpStatMsg);

    DetectBufferTypeSetDescriptionByName("http_stat_msg",
            "http response status message");

    g_http_stat_msg_buffer_id = DetectBufferTypeGetByName("http_stat_msg");
}