/**
 * \brief Registration function for keyword: tls_sni
 *
 * Populates the DETECT_AL_TLS_SNI slot of sigmatch_table and wires the
 * keyword into the to-server TLS SNI buffer: an mpm prefilter
 * (PrefilterTxTlsSniRegister) and an app-layer inspect engine
 * (DetectEngineInspectTlsSni). No Match/AppLayerMatch/Free callback is
 * installed for this keyword.
 */
void DetectTlsSniRegister(void)
{
    sigmatch_table[DETECT_AL_TLS_SNI].name = "tls_sni";
    sigmatch_table[DETECT_AL_TLS_SNI].desc =
            "content modifier to match specifically and only on the TLS SNI buffer";
    sigmatch_table[DETECT_AL_TLS_SNI].Setup = DetectTlsSniSetup;
    sigmatch_table[DETECT_AL_TLS_SNI].RegisterTests = DetectTlsSniRegisterTests;

    /* Content modifier: matching happens in the inspect engine below, so
     * the direct match and free hooks stay unset. */
    sigmatch_table[DETECT_AL_TLS_SNI].Match = NULL;
    sigmatch_table[DETECT_AL_TLS_SNI].AppLayerMatch = NULL;
    sigmatch_table[DETECT_AL_TLS_SNI].Free = NULL;

    /* Keyword flags: NOOPT and PAYLOAD, set together. */
    sigmatch_table[DETECT_AL_TLS_SNI].flags |= (SIGMATCH_NOOPT | SIGMATCH_PAYLOAD);

    /* Prefilter and inspection are both bound to the to-server direction,
     * i.e. the side of the TLS exchange that carries the SNI. */
    DetectMpmAppLayerRegister("tls_sni", SIG_FLAG_TOSERVER,
            DETECT_SM_LIST_TLSSNI_MATCH, 2, PrefilterTxTlsSniRegister);
    DetectAppLayerInspectEngineRegister(ALPROTO_TLS, SIG_FLAG_TOSERVER,
            DETECT_SM_LIST_TLSSNI_MATCH, DetectEngineInspectTlsSni);
}
/**
 * \brief Registration function for keyword: http_uri
 *
 * Populates the DETECT_AL_HTTP_URI slot of sigmatch_table (name,
 * description, documentation URL, setup and unit-test hooks) and binds
 * the keyword to the to-server HTTP URI buffer through an mpm prefilter
 * (PrefilterTxUriRegister) and an app-layer inspect engine
 * (DetectEngineInspectHttpUri).
 */
void DetectHttpUriRegister (void)
{
    sigmatch_table[DETECT_AL_HTTP_URI].name = "http_uri";
    sigmatch_table[DETECT_AL_HTTP_URI].desc =
            "content modifier to match specifically and only on the HTTP uri-buffer";
    /* Documentation link is built from the version-specific doc root. */
    sigmatch_table[DETECT_AL_HTTP_URI].url =
            DOC_URL DOC_VERSION "/rules/http-keywords.html#http_uri-and-http_raw-uri";
    sigmatch_table[DETECT_AL_HTTP_URI].Setup = DetectHttpUriSetup;
    sigmatch_table[DETECT_AL_HTTP_URI].RegisterTests = DetectHttpUriRegisterTests;

    /* Content modifier: no direct match or free hook; inspection is done
     * by the engine registered below. */
    sigmatch_table[DETECT_AL_HTTP_URI].Match = NULL;
    sigmatch_table[DETECT_AL_HTTP_URI].AppLayerMatch = NULL;
    sigmatch_table[DETECT_AL_HTTP_URI].Free = NULL;

    /* Keyword flags: NOOPT and PAYLOAD, set together. */
    sigmatch_table[DETECT_AL_HTTP_URI].flags |= (SIGMATCH_NOOPT | SIGMATCH_PAYLOAD);

    DetectMpmAppLayerRegister("http_uri", SIG_FLAG_TOSERVER,
            DETECT_SM_LIST_UMATCH, 2, PrefilterTxUriRegister);
    DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOSERVER,
            DETECT_SM_LIST_UMATCH, DetectEngineInspectHttpUri);
}
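/**
 * \brief Registration function for the nfs_version keyword.
 *
 * Populates the DETECT_AL_NFS_VERSION slot of sigmatch_table with the
 * keyword name, description, documentation URL and its match
 * (DetectNfsVersionMatch), setup, free and unit-test callbacks; compiles
 * the keyword's option regex; registers the generic inspect engine for
 * the to-server "nfs_request" buffer and caches that buffer's id in
 * g_nfs_request_buffer_id.
 *
 * Note: the header comment previously referred to nfs_procedure, which
 * is a different keyword; this function registers nfs_version only.
 */
void DetectNfsVersionRegister (void)
{
    sigmatch_table[DETECT_AL_NFS_VERSION].name = "nfs_version";
    sigmatch_table[DETECT_AL_NFS_VERSION].desc = "match NFS version";
    sigmatch_table[DETECT_AL_NFS_VERSION].url =
            DOC_URL DOC_VERSION "/rules/nfs-keywords.html#version";
    /* Unlike the content-modifier keywords, nfs_version has its own
     * per-transaction match callback. */
    sigmatch_table[DETECT_AL_NFS_VERSION].Match = NULL;
    sigmatch_table[DETECT_AL_NFS_VERSION].AppLayerTxMatch = DetectNfsVersionMatch;
    sigmatch_table[DETECT_AL_NFS_VERSION].Setup = DetectNfsVersionSetup;
    sigmatch_table[DETECT_AL_NFS_VERSION].Free = DetectNfsVersionFree;
    sigmatch_table[DETECT_AL_NFS_VERSION].RegisterTests = DetectNfsVersionRegisterTests;

    /* Compile the option-parsing regex once at registration time. */
    DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);

    DetectAppLayerInspectEngineRegister("nfs_request", ALPROTO_NFS,
            SIG_FLAG_TOSERVER, 0, DetectEngineInspectNfsRequestGeneric);

    /* Look the buffer id up after the engine registration above. */
    g_nfs_request_buffer_id = DetectBufferTypeGetByName("nfs_request");
    SCLogDebug("g_nfs_request_buffer_id %d", g_nfs_request_buffer_id);
}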
/**
 * \brief Registration function for keyword: http_method
 *
 * Populates the DETECT_AL_HTTP_METHOD slot of sigmatch_table (name,
 * description, documentation URL, setup, free and unit-test hooks) and
 * binds the keyword to the to-server HTTP method buffer through an mpm
 * prefilter (PrefilterTxMethodRegister) and an app-layer inspect engine
 * (DetectEngineInspectHttpMethod). Emits a debug log line on completion.
 */
void DetectHttpMethodRegister(void)
{
    sigmatch_table[DETECT_AL_HTTP_METHOD].name = "http_method";
    sigmatch_table[DETECT_AL_HTTP_METHOD].desc =
            "content modifier to match only on the HTTP method-buffer";
    /* Absolute wiki link, unlike the DOC_URL-based links used elsewhere. */
    sigmatch_table[DETECT_AL_HTTP_METHOD].url =
            "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords#http_method";
    sigmatch_table[DETECT_AL_HTTP_METHOD].Setup = DetectHttpMethodSetup;
    sigmatch_table[DETECT_AL_HTTP_METHOD].Free = DetectHttpMethodFree;
    sigmatch_table[DETECT_AL_HTTP_METHOD].RegisterTests = DetectHttpMethodRegisterTests;

    /* Content modifier: no direct match hook; inspection is done by the
     * engine registered below. */
    sigmatch_table[DETECT_AL_HTTP_METHOD].Match = NULL;
    sigmatch_table[DETECT_AL_HTTP_METHOD].AppLayerMatch = NULL;

    /* Keyword flags: NOOPT and PAYLOAD, set together. */
    sigmatch_table[DETECT_AL_HTTP_METHOD].flags |= (SIGMATCH_NOOPT | SIGMATCH_PAYLOAD);

    DetectMpmAppLayerRegister("http_method", SIG_FLAG_TOSERVER,
            DETECT_SM_LIST_HMDMATCH, 4, PrefilterTxMethodRegister);
    DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOSERVER,
            DETECT_SM_LIST_HMDMATCH, DetectEngineInspectHttpMethod);

    SCLogDebug("registering http_method rule option");
}
/**
 * \brief Registers the keyword handlers for the "http_response_line" keyword.
 *
 * Populates the DETECT_AL_HTTP_RESPONSE_LINE slot of sigmatch_table
 * (name, description, documentation URL, setup and unit-test hooks) and
 * binds the keyword to the to-client HTTP response line through an mpm
 * prefilter (PrefilterTxHttpResponseLineRegister) and an app-layer
 * inspect engine (DetectEngineInspectHttpResponseLine). No Free hook is
 * installed for this keyword.
 */
void DetectHttpResponseLineRegister(void)
{
    sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].name = "http_response_line";
    sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].desc =
            "content modifier to match only on the HTTP response line";
    sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].url =
            DOC_URL DOC_VERSION "/rules/http-keywords.html#http_response-line";
    sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].Setup = DetectHttpResponseLineSetup;
    sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].RegisterTests =
            DetectHttpResponseLineRegisterTests;

    /* Content modifier: no direct match hook; inspection is done by the
     * engine registered below. */
    sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].Match = NULL;
    sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].AppLayerMatch = NULL;

    /* Keyword flags: NOOPT and PAYLOAD, set together. */
    sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].flags |=
            (SIGMATCH_NOOPT | SIGMATCH_PAYLOAD);

    /* The response line is server-originated, hence to-client direction. */
    DetectMpmAppLayerRegister("http_response_line", SIG_FLAG_TOCLIENT,
            DETECT_SM_LIST_HTTP_RESLINEMATCH, 2, PrefilterTxHttpResponseLineRegister);
    DetectAppLayerInspectEngineRegister(ALPROTO_HTTP, SIG_FLAG_TOCLIENT,
            DETECT_SM_LIST_HTTP_RESLINEMATCH, DetectEngineInspectHttpResponseLine);
}
/**
 * \brief Registration function for keyword: http_stat_msg
 *
 * Populates the DETECT_AL_HTTP_STAT_MSG slot of sigmatch_table (name,
 * description, documentation URL, setup and unit-test hooks, NOOPT flag),
 * registers the to-client mpm prefilter (PrefilterTxHttpStatMsgRegister)
 * and inspect engine (DetectEngineInspectHttpStatMsg) for the named
 * "http_stat_msg" buffer, sets that buffer's description and caches its
 * id in g_http_stat_msg_buffer_id.
 */
void DetectHttpStatMsgRegister (void)
{
    sigmatch_table[DETECT_AL_HTTP_STAT_MSG].name = "http_stat_msg";
    sigmatch_table[DETECT_AL_HTTP_STAT_MSG].desc =
            "content modifier to match on HTTP stat-msg-buffer";
    sigmatch_table[DETECT_AL_HTTP_STAT_MSG].url =
            DOC_URL DOC_VERSION "/rules/http-keywords.html#http_stat-msg";
    sigmatch_table[DETECT_AL_HTTP_STAT_MSG].Setup = DetectHttpStatMsgSetup;
    sigmatch_table[DETECT_AL_HTTP_STAT_MSG].RegisterTests = DetectHttpStatMsgRegisterTests;

    /* Content modifier: no direct match or free hook. */
    sigmatch_table[DETECT_AL_HTTP_STAT_MSG].Match = NULL;
    sigmatch_table[DETECT_AL_HTTP_STAT_MSG].Free = NULL;

    /* Only the NOOPT flag is set for this keyword. */
    sigmatch_table[DETECT_AL_HTTP_STAT_MSG].flags |= SIGMATCH_NOOPT;

    /* Status message is server-originated, hence to-client direction. The
     * buffer is addressed by name here rather than by a list id. */
    DetectAppLayerMpmRegister("http_stat_msg", SIG_FLAG_TOCLIENT, 3,
            PrefilterTxHttpStatMsgRegister);
    DetectAppLayerInspectEngineRegister("http_stat_msg", ALPROTO_HTTP,
            SIG_FLAG_TOCLIENT, HTP_RESPONSE_LINE, DetectEngineInspectHttpStatMsg);

    /* Describe the buffer and look its id up after the registrations above. */
    DetectBufferTypeSetDescriptionByName("http_stat_msg",
            "http response status message");
    g_http_stat_msg_buffer_id = DetectBufferTypeGetByName("http_stat_msg");
}