aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
main-7.0.x
master
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '10150e95ad'
${ noResults }
suricata/src/detect-parse.h

118 lines
4.3 KiB
C
Raw Normal View History Unescape Escape

general: copyright bump
5 years ago
/* Copyright (C) 2007-2020 Open Information Security Foundation
Import of GPLv2 Header 050410
15 years ago
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Victor Julien <victor@inliniac.net>
*/
src: make include guards more library friendly Include guards for libraries should use a prefix that is meaningful for the library to avoid conflicts with other user code. For Suricata, use SURICATA. Additionally, remove the pattern of leading and trailing underscores as these are reserved for the language implementation per the C and C++ standards.
1 year ago
#ifndef SURICATA_DETECT_PARSE_H
#define SURICATA_DETECT_PARSE_H
Cleanup signature parsing and other detect.c parts.
17 years ago
rust: bindgen detect-parse.h Ticket: 7667 Currently no functions are exported. DetectFile* struct are moved to detect-file-data.h where they make more sense. ifndef SURICATA_BINDGEN_H is used for bindgen to exclude pcre2 related code
2 months ago
#include "app-layer-protos.h"
#include "detect-engine-register.h"
// types from detect.h with only forward declarations for bindgen
typedef struct DetectEngineCtx_ DetectEngineCtx;
typedef struct Signature_ Signature;
typedef struct SigMatchCtx_ SigMatchCtx;
typedef struct SigMatch_ SigMatch;
typedef struct SigMatchData_ SigMatchData;
src: includes cleanup Work towards making `suricata-common.h` only introduce system headers and other things that are independent of complex internal Suricata data structures. Update files to compile after this. Remove special DPDK handling for strlcpy and strlcat, as this caused many compilation failures w/o including DPDK headers for all files. Remove packet macros from decode.h and move them into their own file, turn them into functions and rename them to match our function naming policy.
3 years ago
Adding bidirectional operator support and unittests
16 years ago
/** Flags to indicate if the Signature parsing must be done
* switching the source and dest (for ip addresses and ports)
* or otherwise as normal */
enum {
SIG_DIREC_NORMAL,
SIG_DIREC_SWITCHED
};
/** Flags to indicate if are referencing the source of the Signature
* or the destination (for ip addresses and ports)*/
enum {
SIG_DIREC_SRC,
SIG_DIREC_DST
};
Cleanup signature parsing and other detect.c parts.
17 years ago
/* prototypes */
detect: support multi buffer matching Multi buffer matching is implemented as a way for a rule to match on multiple buffers within the same transaction. Before this patch a rule like: dns.query; content:"example"; dns.query; content:".com"; would be equivalent to: dns.query; content:"example"; content:".com"; If a DNS query would request more than one name, e.g.: DNS: [example.net][something.com] Eeach would be inspected to have both patterns present. Otherwise, it would not be a match. So the rule above would not match, as neither example.net and somthing.com satisfy both conditions at the same time. This patch changes this behavior. Instead of the above, each time the sticky buffer is specified, it creates a separate detection unit. Each buffer is a "multi buffer" sticky buffer will now be evaluated against each "instance" of the sticky buffer. To continue with the above example: DNS: [example.net] <- matches 'dns.query; content:"example";' DNS: [something.com] <- matches 'dns.query; content:".com"' So this would now be a match. To make sure both patterns match in a single query string, the expression 'dns.query; content:"example"; content:".com";' still works for this. This patch doesn't yet enable the behavior for the keywords. That is done in a follow up patch. To be able to implement this the internal storage of parsed rules is changed. Until this patch and array of lists was used, where the index was the buffer id (e.g. http_uri, dns_query). Therefore there was only one list of matches per buffer id. As a side effect this array was always very sparsely populated as many buffers could not be mixed. This patch changes the internal representation. The new array is densely packed: dns.query; content:"1"; dns.query; bsize:1; content:"2"; [type: dns_query][list: content:"1";] [type: dns_query][list: bsize:1; content:"2";] The new scheme allows for multiple instances of the same buffer. These lists are then translated into multiple inspection engines during the final setup of the rule. Ticket: #5784.
2 years ago
int SignatureInitDataBufferCheckExpand(Signature *s);
Added http_method rule keyword.
16 years ago
Signature *SigAlloc(void);
detect: Provide `de_ctx` to free functions This commit makes sure that the `DetectEngineCtx *` is available to each detector's "free" function.
5 years ago
void SigFree(DetectEngineCtx *de_ctx, Signature *s);
compiler: more strict compiler warnings Set flags by default: -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes -Wwrite-strings -Wcast-align -Wbad-function-cast -Wformat-security -Wno-format-nonliteral -Wmissing-format-attribute -funsigned-char Fix minor compiler warnings for these new flags on gcc and clang.
8 years ago
Signature *SigInit(DetectEngineCtx *, const char *sigstr);
detect: shrink Signature::sm_arrays Signature::sm_arrays now only contains 'built-in' lists, and so is sized appropriately.
9 years ago
SigMatchData* SigMatchList2DataArray(SigMatch *head);
Large update containing the first step to making the detection engine use rule groups. Address based rule groups are now implemented.
17 years ago
void SigParseRegisterTests(void);
compiler: more strict compiler warnings Set flags by default: -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes -Wwrite-strings -Wcast-align -Wbad-function-cast -Wformat-security -Wno-format-nonliteral -Wmissing-format-attribute -funsigned-char Fix minor compiler warnings for these new flags on gcc and clang.
8 years ago
Signature *DetectEngineAppendSig(DetectEngineCtx *, const char *);
firewall: start of firewall rules support Config: Firewall rules are like normal rule, with some key differences. They are loaded separate, and first, from: ```yaml firewall-rule-path: /etc/suricata/firewall/ firewall-rule-files: - fw.rules ``` Can also be loaded with --firewall-rules-exclusive: Mostly for QA purposes. Allow -S with --firewall-rules-exclusive, so that firewall and threat detection rules can be tested together. Rules: Differences with regular "threat detection" rules: 1. these rules are evaluated before threat detection rules 2. these rules are evaluated in the order as they appear in the rule file 3. currently only rules specifying an explicit hook at supported a. as a consequence, no rules will be treated as (like) IP-only, PD-only or DE-only Require explicit action scope for firewall rules. Default policy is drop for the firewall tables. Actions: New action "accept" is added to allow traffic in the filter tables. New scope "accept:tx" is added to allow accepting a transaction. Tables: Rulesets are per table. Table processing order: `packet:filter` -> `packet:td` -> `app:*:*` -> `app:td`. Each of the tables has some unique properties: `packet:filter`: - default policy is `drop:packet` - rules are process in order - action scopes are explicit - `drop` or `accept` is immediate - `accept:hook` continues to `packet:td` `packet:td`: - default policy is `accept:hook` - rules are ordered by IDS/IPS ordering logic - action scopes are implicit - actions are queued - continues to `app:*:*` or `alert/action finalize` `app:*:*`: - default policy is `drop:flow` - rules are process in order - action scopes are explicit - `drop` is immediate - `accept` is conditional on possible `drop` from `packet:td` - `accept:hook` continues to `app:td`, `accept:packet` or `accept:flow` continues to `alert/action finalize` `app:td`: - default policy is `accept:hook` - rules are ordered by IDS/IPS ordering logic - action scopes are implicit - actions are queued - continues to `alert/action finalize` Implementation: During sigorder, split into packet:filter, app:*:* and general td. Allow fw rules to work when in pass:flow mode. When firewall mode is enabled, `pass:flow` will not skip the detection engine anymore, but instead process the firewall rules and then apply the pass before inspecting threat detect rules.
5 months ago
Signature *DetectFirewallRuleAppendNew(DetectEngineCtx *, const char *);
Convert uricontent to use new scanning methods as well. Move http_method and http_cookie keywords out of pmatch list for now.
16 years ago
rust: bindgen SCSigMatchAppendSMToList Ticket: 7667
2 months ago
SigMatch *SCSigMatchAppendSMToList(DetectEngineCtx *, Signature *, uint16_t, SigMatchCtx *, int);
support multiple ipprotos in the same sig + unittest
14 years ago
void SigMatchRemoveSMFromList(Signature *, SigMatch *, int);
detect: constify mpm/detect funcs
10 years ago
int SigMatchListSMBelongsTo(const Signature *, const SigMatch *);
Convert uricontent to use new scanning methods as well. Move http_method and http_cookie keywords out of pmatch list for now.
16 years ago
in case of duplicate signatures used the one with the latest revision
15 years ago
int DetectParseDupSigHashInit(DetectEngineCtx *);
void DetectParseDupSigHashFree(DetectEngineCtx *);
detect-parse: content modifier cleanup
9 years ago
int DetectEngineContentModifierBufferSetup(DetectEngineCtx *de_ctx,
Signature *s, const char *arg, int sm_type, int sm_list,
AppProto alproto);
Further customize content modifier buffer registration. Allow modifier setups functions to have CustomCallbacks to enable their internal conditions.
13 years ago
detect/parse: allow signature parsing to fail silently A sigmatches 'Setup' function may indicate it intends to fail silently after the first error. It will return -2 instead of -1 in this case. This is tracked in the DetectEngineCtx object, so errors will be shown again at rule reloads.
6 years ago
bool SigMatchSilentErrorEnabled(const DetectEngineCtx *de_ctx,
const enum DetectKeywordId id);
detect/parse: add --strict-rule-keywords option Add --strict-rule-keywords commandline option to enable strict rule parsing. It can be used without options or with a comma separated list: --strict-rule-keywords --strict-rule-keywords=all --strict-rule-keywords=classtype,reference Parsing implementations can use SigMatchStrictEnabled to check if strict parsing is enabled for them and act accordingly.
6 years ago
bool SigMatchStrictEnabled(const enum DetectKeywordId id);
detect: move sm_list to string funcs to parser code
10 years ago
const char *DetectListToHumanString(int list);
const char *DetectListToString(int list);
detect: spelling: update SigTableApplyStrictCommandLineOption
2 years ago
void SigTableApplyStrictCommandLineOption(const char *str);
detect/parse: add --strict-rule-keywords option Add --strict-rule-keywords commandline option to enable strict rule parsing. It can be used without options or with a comma separated list: --strict-rule-keywords --strict-rule-keywords=all --strict-rule-keywords=classtype,reference Parsing implementations can use SigMatchStrictEnabled to check if strict parsing is enabled for them and act accordingly.
6 years ago
detect: remove hardcoded sm_list logic from setup Introduce utility functions to aid this.
9 years ago
SigMatch *DetectGetLastSM(const Signature *);
detect: move buffer type map into detect ctx Move previously global table into detect engine ctx. Now that we can register buffers at rule loading time we need to take concurrency into account. Move DetectBufferType to detect.h and update DetectBufferCtx API calls to include a detect engine ctx reference.
8 years ago
SigMatch *DetectGetLastSMFromMpmLists(const DetectEngineCtx *de_ctx, const Signature *s);
detect: remove hardcoded sm_list logic from setup Introduce utility functions to aid this.
9 years ago
SigMatch *DetectGetLastSMFromLists(const Signature *s, ...);
SigMatch *DetectGetLastSMByListPtr(const Signature *s, SigMatch *sm_list, ...);
SigMatch *DetectGetLastSMByListId(const Signature *s, int list_id, ...);
rust: bindgen SCDetectSignatureSetAppProto Ticket: 7667
2 months ago
int WARN_UNUSED SCDetectSignatureSetAppProto(Signature *s, AppProto alproto);
detect: clean support for multi-protocol keywords such as ja4. Why ? We do not want to see hard-coded protocol constants such as ALPROTO_QUIC directly used in generic code in detect-parse.c How ? From the keyword point of view, this commit adds the function DetectSignatureSetMultiAppProto which is similar to DetectSignatureSetAppProto but takes multiple alprotos. It restricts the signature alprotos to a set of possible alprotos and errors out if the interstion gets empty. The data structure SignatureInitData gets extended with a fixed-length array, as the use case is a sparse number of protocols Ticket: 7304
10 months ago
int WARN_UNUSED DetectSignatureSetMultiAppProto(Signature *s, const AppProto *alprotos);
detect: add and use util func for alproto sets
9 years ago
detect parser: add parse regex util function Add regex setup and free util functions. Keywords often use a regex to parse rule input. Introduce a common function to do this setup. Also create a list of registered regexes to free at engine shutdown.
10 years ago
/* parse regex setup and free util funcs */
rust: bindgen detect-parse.h Ticket: 7667 Currently no functions are exported. DetectFile* struct are moved to detect-file-data.h where they make more sense. ifndef SURICATA_BINDGEN_H is used for bindgen to exclude pcre2 related code
2 months ago
#ifndef SURICATA_BINDGEN_H
typedef struct DetectParseRegex {
pcre2_code *regex;
pcre2_match_context *context;
struct DetectParseRegex *next;
} DetectParseRegex;
pcre2: only one DetectParseRegex structure
4 years ago
DetectParseRegex *DetectSetupPCRE2(const char *parse_str, int opts);
detect: fail properly on invalid transform pcrexform
5 years ago
bool DetectSetupParseRegexesOpts(const char *parse_str, DetectParseRegex *parse_regex, int opts);
detect/parse: Refactor interfaces/definitions This commit refactors existing code patterns to reduce code duplication and to be a base for supporting additional PCRE jit-related actions.
6 years ago
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *parse_regex);
void DetectParseRegexAddToFreeList(DetectParseRegex *parse_regex);
detect parser: add parse regex util function Add regex setup and free util functions. Keywords often use a regex to parse rule input. Introduce a common function to do this setup. Also create a list of registered regexes to free at engine shutdown.
10 years ago
void DetectParseFreeRegexes(void);
detect/parse: Refactor interfaces/definitions This commit refactors existing code patterns to reduce code duplication and to be a base for supporting additional PCRE jit-related actions.
6 years ago
void DetectParseFreeRegex(DetectParseRegex *r);
/* parse regex exec */
detect/pcre: Use local match variables pcre2 is not thread-safe wrt match objects so use locally scoped objects. Issue: 4797
2 years ago
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str,
int start_offset, int options);
pcre2: follow code naming style
4 years ago
int SC_Pcre2SubstringCopy(
pcre2: check for PCRE2_ERROR_UNSET Needs maybe to be generalized
4 years ago
pcre2_match_data *match_data, uint32_t number, PCRE2_UCHAR *buffer, PCRE2_SIZE *bufflen);
pcre2: follow code naming style
4 years ago
int SC_Pcre2SubstringGet(pcre2_match_data *match_data, uint32_t number, PCRE2_UCHAR **bufferptr,
pcre2: check for PCRE2_ERROR_UNSET Needs maybe to be generalized
4 years ago
PCRE2_SIZE *bufflen);
rust: bindgen detect-parse.h Ticket: 7667 Currently no functions are exported. DetectFile* struct are moved to detect-file-data.h where they make more sense. ifndef SURICATA_BINDGEN_H is used for bindgen to exclude pcre2 related code
2 months ago
#endif
detect/parse: Refactor interfaces/definitions This commit refactors existing code patterns to reduce code duplication and to be a base for supporting additional PCRE jit-related actions.
6 years ago
detect: introduce explicit hooks Generic: <app_proto>:request_started and <app_proto>:response_started <app_proto>:request_complete and <app_proto>:response_complete Per protocol, it uses the registered progress (state) values. E.g. tls:client_hello_done A rule ruleset could be: pass tls:client_hello_done any any -> any any (tls.sni; content:"www.google.com"; sid:21; alert;) drop tls:client_hello_done any any -> any any (sid:22;) The pass rule is evaluated when the client hello is parsed, and if it doesn't match the drop rule will be evaluated. Registers each generic lists as "<alproto>:<progress state>:generic" (e.g. "tls:client_hello_done:generic"). Ticket: #7485.
6 months ago
void DetectRegisterAppLayerHookLists(void);
detect: allow rule which need both directions to match Ticket: 5665 This is done with `alert ip any any => any any` The => operator means that we will need both directions
2 years ago
src: make include guards more library friendly Include guards for libraries should use a prefix that is meaningful for the library to avoid conflicts with other user code. For Suricata, use SURICATA. Additionally, remove the pattern of leading and trailing underscores as these are reserved for the language implementation per the C and C++ standards.
1 year ago
#endif /* SURICATA_DETECT_PARSE_H */