aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add documentation url in list-keyword output.

Browse Source 
The output of the list-keyword is modified to include the url to
the keyword documentation when this is available. All documented
keywords should have their link set.

list-keyword can be used with an optional value:
 no option or short: display list of keywords
 csv: display a csv output on info an all keywords
 all: display a human readable output of keywords info
 $KWD: display the info about one keyword.
pull/175/merge
Eric Leblond 13 years ago committed by Victor Julien
parent a9ffd82116
commit 6842545331
64 changed files with 224 additions and 66 deletions
Show Stats Download Patch File Download Diff File

16
src/app-layer-parser.c
Unescape Escape View File

@ -529,6 +529,22 @@ uint16_t AppLayerGetProtoByName(const char *name)
return ALPROTO_UNKNOWN;
}
const char *AppLayerGetProtoString(int proto)
{
if ((proto > ALPROTO_MAX) || (proto < 0)) {
return "Undefined";
}
if (al_proto_table[proto].name == NULL) {
return "Unset";
} else {
return al_proto_table[proto].name;
}
return "Undefined";
}
/** \brief Description: register a parser.
*
* \param name full parser name, e.g. "http.request_line"

1
src/app-layer-parser.h
Unescape Escape View File

@ -262,6 +262,7 @@ void AppLayerRegisterGetFilesFunc(uint16_t proto,
FileContainer *(*StateGetFile)(void *, uint8_t));
void AppLayerRegisterLogger(uint16_t proto);
uint16_t AppLayerGetProtoByName(const char *);
const char *AppLayerGetProtoString(int proto);
void AppLayerRegisterTruncateFunc(uint16_t proto, void (*Truncate)(void *, uint8_t));
int AppLayerParse(void *, Flow *, uint8_t,

2
src/detect-ack.c
Unescape Escape View File

@ -48,6 +48,8 @@ static void DetectAckFree(void *);
void DetectAckRegister(void) {
sigmatch_table[DETECT_ACK].name = "ack";
sigmatch_table[DETECT_ACK].desc = "check for a specific TCP acknowledgement number";
sigmatch_table[DETECT_ACK].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Header_keywords#ack";
sigmatch_table[DETECT_ACK].Match = DetectAckMatch;
sigmatch_table[DETECT_ACK].Setup = DetectAckSetup;
sigmatch_table[DETECT_ACK].Free = DetectAckFree;

2
src/detect-classtype.c
Unescape Escape View File

@ -57,6 +57,8 @@ void DetectClasstypeRegister(void)
SCLogDebug("Registering the Classtype keyword handler");
sigmatch_table[DETECT_CLASSTYPE].name = "classtype";
sigmatch_table[DETECT_CLASSTYPE].desc = "information about the classification of rules and alerts";
sigmatch_table[DETECT_CLASSTYPE].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Meta-settings#Classtype";
sigmatch_table[DETECT_CLASSTYPE].Match = NULL;
sigmatch_table[DETECT_CLASSTYPE].Setup = DetectClasstypeSetup;
sigmatch_table[DETECT_CLASSTYPE].Free = NULL;

2
src/detect-content.c
Unescape Escape View File

@ -51,6 +51,8 @@ void DetectContentRegisterTests(void);
void DetectContentRegister (void) {
sigmatch_table[DETECT_CONTENT].name = "content";
sigmatch_table[DETECT_CONTENT].desc = "match on payload content";
sigmatch_table[DETECT_CONTENT].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Payload_keywords#Content";
sigmatch_table[DETECT_CONTENT].Match = NULL;
sigmatch_table[DETECT_CONTENT].Setup = DetectContentSetup;
sigmatch_table[DETECT_CONTENT].Free = DetectContentFree;

2
src/detect-depth.c
Unescape Escape View File

@ -44,6 +44,8 @@ static int DetectDepthSetup (DetectEngineCtx *, Signature *, char *);
void DetectDepthRegister (void) {
sigmatch_table[DETECT_DEPTH].name = "depth";
sigmatch_table[DETECT_DEPTH].desc = "designate how many bytes from the beginning of the payload will be checked";
sigmatch_table[DETECT_DEPTH].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Payload_keywords#Depth";
sigmatch_table[DETECT_DEPTH].Match = NULL;
sigmatch_table[DETECT_DEPTH].Setup = DetectDepthSetup;
sigmatch_table[DETECT_DEPTH].Free = NULL;

2
src/detect-detection-filter.c
Unescape Escape View File

@ -61,6 +61,8 @@ void DetectDetectionFilterFree(void *);
*/
void DetectDetectionFilterRegister (void) {
sigmatch_table[DETECT_DETECTION_FILTER].name = "detection_filter";
sigmatch_table[DETECT_DETECTION_FILTER].desc = "alert on every match after a threshold has been reached";
sigmatch_table[DETECT_DETECTION_FILTER].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule-Thresholding#detection_filter";
sigmatch_table[DETECT_DETECTION_FILTER].Match = DetectDetectionFilterMatch;
sigmatch_table[DETECT_DETECTION_FILTER].Setup = DetectDetectionFilterSetup;
sigmatch_table[DETECT_DETECTION_FILTER].Free = DetectDetectionFilterFree;

2
src/detect-distance.c
Unescape Escape View File

@ -51,6 +51,8 @@ void DetectDistanceRegisterTests(void);
void DetectDistanceRegister (void) {
sigmatch_table[DETECT_DISTANCE].name = "distance";
sigmatch_table[DETECT_DISTANCE].desc = "indicates a relation between this content keyword and the content preceding it";
sigmatch_table[DETECT_DISTANCE].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Payload_keywords#Distance";
sigmatch_table[DETECT_DISTANCE].Match = NULL;
sigmatch_table[DETECT_DISTANCE].Setup = DetectDistanceSetup;
sigmatch_table[DETECT_DISTANCE].Free = NULL;

2
src/detect-dsize.c
Unescape Escape View File

@ -54,6 +54,8 @@ static void DetectDsizeFree(void *);
*/
void DetectDsizeRegister (void) {
sigmatch_table[DETECT_DSIZE].name = "dsize";
sigmatch_table[DETECT_DSIZE].desc = "match on the size of the packet payload";
sigmatch_table[DETECT_DSIZE].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Payload_keywords#Dsize";
sigmatch_table[DETECT_DSIZE].Match = DetectDsizeMatch;
sigmatch_table[DETECT_DSIZE].Setup = DetectDsizeSetup;
sigmatch_table[DETECT_DSIZE].Free = DetectDsizeFree;

2
src/detect-fast-pattern.c
Unescape Escape View File

@ -107,6 +107,8 @@ void SupportFastPatternForSigMatchTypes(void)
void DetectFastPatternRegister(void)
{
sigmatch_table[DETECT_FAST_PATTERN].name = "fast_pattern";
sigmatch_table[DETECT_FAST_PATTERN].desc = "force using preceding content in the multi pattern matcher";
sigmatch_table[DETECT_FAST_PATTERN].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords#fast_pattern";
sigmatch_table[DETECT_FAST_PATTERN].Match = NULL;
sigmatch_table[DETECT_FAST_PATTERN].Setup = DetectFastPatternSetup;
sigmatch_table[DETECT_FAST_PATTERN].Free = NULL;

2
src/detect-file-data.c
Unescape Escape View File

@ -50,6 +50,8 @@ static int DetectFiledataSetup (DetectEngineCtx *, Signature *, char *);
*/
void DetectFiledataRegister(void) {
sigmatch_table[DETECT_FILE_DATA].name = "file_data";
sigmatch_table[DETECT_FILE_DATA].desc = "make content keywords match on HTTP response body";
sigmatch_table[DETECT_FILE_DATA].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords#file_data";
sigmatch_table[DETECT_FILE_DATA].Match = NULL;
sigmatch_table[DETECT_FILE_DATA].AppLayerMatch = NULL;
sigmatch_table[DETECT_FILE_DATA].alproto = ALPROTO_HTTP;

2
src/detect-fileext.c
Unescape Escape View File

@ -62,6 +62,8 @@ static void DetectFileextFree(void *);
*/
void DetectFileextRegister(void) {
sigmatch_table[DETECT_FILEEXT].name = "fileext";
sigmatch_table[DETECT_FILEEXT].desc = "match on the extension of a file name";
sigmatch_table[DETECT_FILEEXT].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File-keywords#fileext";
sigmatch_table[DETECT_FILEEXT].FileMatch = DetectFileextMatch;
sigmatch_table[DETECT_FILEEXT].alproto = ALPROTO_HTTP;
sigmatch_table[DETECT_FILEEXT].Setup = DetectFileextSetup;

2
src/detect-filemagic.c
Unescape Escape View File

@ -66,6 +66,8 @@ static void DetectFilemagicFree(void *);
*/
void DetectFilemagicRegister(void) {
sigmatch_table[DETECT_FILEMAGIC].name = "filemagic";
sigmatch_table[DETECT_FILEMAGIC].desc = "match on the information libmagic returns about a file";
sigmatch_table[DETECT_FILEMAGIC].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File-keywords#filemagic";
sigmatch_table[DETECT_FILEMAGIC].FileMatch = DetectFilemagicMatch;
sigmatch_table[DETECT_FILEMAGIC].alproto = ALPROTO_HTTP;
sigmatch_table[DETECT_FILEMAGIC].Setup = DetectFilemagicSetup;

2
src/detect-filemd5.c
Unescape Escape View File

@ -66,6 +66,8 @@ static int DetectFileMd5SetupNoSupport (DetectEngineCtx *a, Signature *b, char *
*/
void DetectFileMd5Register(void) {
sigmatch_table[DETECT_FILEMD5].name = "filemd5";
sigmatch_table[DETECT_FILEMD5].desc = "match file MD5 against list of MD5 checksums";
sigmatch_table[DETECT_FILEMD5].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File-keywords#filemd5";
sigmatch_table[DETECT_FILEMD5].FileMatch = NULL;
sigmatch_table[DETECT_FILEMD5].alproto = ALPROTO_HTTP;
sigmatch_table[DETECT_FILEMD5].Setup = DetectFileMd5SetupNoSupport;

2
src/detect-filename.c
Unescape Escape View File

@ -61,6 +61,8 @@ static void DetectFilenameFree(void *);
*/
void DetectFilenameRegister(void) {
sigmatch_table[DETECT_FILENAME].name = "filename";
sigmatch_table[DETECT_FILENAME].desc = "match on the file name";
sigmatch_table[DETECT_FILENAME].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File-keywords#filename";
sigmatch_table[DETECT_FILENAME].FileMatch = DetectFilenameMatch;
sigmatch_table[DETECT_FILENAME].alproto = ALPROTO_HTTP;
sigmatch_table[DETECT_FILENAME].Setup = DetectFilenameSetup;

2
src/detect-filesize.c
Unescape Escape View File

@ -61,6 +61,8 @@ static void DetectFilesizeRegisterTests (void);
void DetectFilesizeRegister(void)
{
sigmatch_table[DETECT_FILESIZE].name = "filesize";
sigmatch_table[DETECT_FILESIZE].desc = "match on the size of the file as it is being transferred";
sigmatch_table[DETECT_FILESIZE].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File-keywords#filesize";
sigmatch_table[DETECT_FILESIZE].alproto = ALPROTO_HTTP;
sigmatch_table[DETECT_FILESIZE].FileMatch = DetectFilesizeMatch;
sigmatch_table[DETECT_FILESIZE].Setup = DetectFilesizeSetup;

2
src/detect-filestore.c
Unescape Escape View File

@ -68,6 +68,8 @@ static void DetectFilestoreFree(void *);
*/
void DetectFilestoreRegister(void) {
sigmatch_table[DETECT_FILESTORE].name = "filestore";
sigmatch_table[DETECT_FILESTORE].desc = "stores files to disk if the rule matched";
sigmatch_table[DETECT_FILESTORE].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File-keywords#filestore";
sigmatch_table[DETECT_FILESTORE].FileMatch = DetectFilestoreMatch;
sigmatch_table[DETECT_FILESTORE].alproto = ALPROTO_HTTP;
sigmatch_table[DETECT_FILESTORE].Setup = DetectFilestoreSetup;

2
src/detect-flow.c
Unescape Escape View File

@ -58,6 +58,8 @@ void DetectFlowFree(void *);
*/
void DetectFlowRegister (void) {
sigmatch_table[DETECT_FLOW].name = "flow";
sigmatch_table[DETECT_FLOW].desc = "match on direction and state of the flow";
sigmatch_table[DETECT_FLOW].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Flow-keywords#Flow";
sigmatch_table[DETECT_FLOW].Match = DetectFlowMatch;
sigmatch_table[DETECT_FLOW].Setup = DetectFlowSetup;
sigmatch_table[DETECT_FLOW].Free = DetectFlowFree;

2
src/detect-flowbits.c
Unescape Escape View File

@ -57,6 +57,8 @@ void FlowBitsRegisterTests(void);
void DetectFlowbitsRegister (void) {
sigmatch_table[DETECT_FLOWBITS].name = "flowbits";
sigmatch_table[DETECT_FLOWBITS].desc = "operate on flow flag";
sigmatch_table[DETECT_FLOWBITS].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Flow-keywords#Flowbits";
sigmatch_table[DETECT_FLOWBITS].Match = DetectFlowbitMatch;
sigmatch_table[DETECT_FLOWBITS].Setup = DetectFlowbitSetup;
sigmatch_table[DETECT_FLOWBITS].Free = DetectFlowbitFree;

2
src/detect-flowint.c
Unescape Escape View File

@ -56,6 +56,8 @@ void DetectFlowintRegisterTests(void);
void DetectFlowintRegister(void)
{
sigmatch_table[DETECT_FLOWINT].name = "flowint";
sigmatch_table[DETECT_FLOWINT].desc = "operate on a per-flow integer";
sigmatch_table[DETECT_FLOWINT].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Flowint";
sigmatch_table[DETECT_FLOWINT].Match = DetectFlowintMatch;
sigmatch_table[DETECT_FLOWINT].Setup = DetectFlowintSetup;
sigmatch_table[DETECT_FLOWINT].Free = DetectFlowintFree;

2
src/detect-fragbits.c
Unescape Escape View File

@ -70,6 +70,8 @@ static void DetectFragBitsFree(void *);
void DetectFragBitsRegister (void) {
sigmatch_table[DETECT_FRAGBITS].name = "fragbits";
sigmatch_table[DETECT_FRAGBITS].desc = "check if the fragmentation and reserved bits are set in the IP header";
sigmatch_table[DETECT_FRAGBITS].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Header_keywords#Fragbits";
sigmatch_table[DETECT_FRAGBITS].Match = DetectFragBitsMatch;
sigmatch_table[DETECT_FRAGBITS].Setup = DetectFragBitsSetup;
sigmatch_table[DETECT_FRAGBITS].Free = DetectFragBitsFree;

2
src/detect-fragoffset.c
Unescape Escape View File

@ -53,6 +53,8 @@ void DetectFragOffsetFree(void *);
*/
void DetectFragOffsetRegister (void) {
sigmatch_table[DETECT_FRAGOFFSET].name = "fragoffset";
sigmatch_table[DETECT_FRAGOFFSET].desc = "match on specific decimal values of the IP fragment offset field";
sigmatch_table[DETECT_FRAGOFFSET].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Header_keywords#Fragoffset";
sigmatch_table[DETECT_FRAGOFFSET].Match = DetectFragOffsetMatch;
sigmatch_table[DETECT_FRAGOFFSET].Setup = DetectFragOffsetSetup;
sigmatch_table[DETECT_FRAGOFFSET].Free = DetectFragOffsetFree;

2
src/detect-gid.c
Unescape Escape View File

@ -47,6 +47,8 @@ static int DetectGidSetup (DetectEngineCtx *, Signature *, char *);
void DetectGidRegister (void) {
sigmatch_table[DETECT_GID].name = "gid";
sigmatch_table[DETECT_GID].desc = "give different groups of signatures another id value";
sigmatch_table[DETECT_GID].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Meta-settings#Gid-group-id";
sigmatch_table[DETECT_GID].Match = NULL;
sigmatch_table[DETECT_GID].Setup = DetectGidSetup;
sigmatch_table[DETECT_GID].Free = NULL;

2
src/detect-http-client-body.c
Unescape Escape View File

@ -67,6 +67,8 @@ void DetectHttpClientBodyFree(void *);
void DetectHttpClientBodyRegister(void)
{
sigmatch_table[DETECT_AL_HTTP_CLIENT_BODY].name = "http_client_body";
sigmatch_table[DETECT_AL_HTTP_CLIENT_BODY].desc = "content modifier to match only on HTTP request-body";
sigmatch_table[DETECT_AL_HTTP_CLIENT_BODY].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords#http_client_body";
sigmatch_table[DETECT_AL_HTTP_CLIENT_BODY].Match = NULL;
sigmatch_table[DETECT_AL_HTTP_CLIENT_BODY].AppLayerMatch = NULL;
sigmatch_table[DETECT_AL_HTTP_CLIENT_BODY].Setup = DetectHttpClientBodySetup;

2
src/detect-http-cookie.c
Unescape Escape View File

@ -68,6 +68,8 @@ void DetectHttpCookieFree(void *);
*/
void DetectHttpCookieRegister (void) {
sigmatch_table[DETECT_AL_HTTP_COOKIE].name = "http_cookie";
sigmatch_table[DETECT_AL_HTTP_COOKIE].desc = "content modifier to match only on the HTTP cookie-buffer";
sigmatch_table[DETECT_AL_HTTP_COOKIE].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords#http_cookie";
sigmatch_table[DETECT_AL_HTTP_COOKIE].Match = NULL;
sigmatch_table[DETECT_AL_HTTP_COOKIE].AppLayerMatch = NULL;
sigmatch_table[DETECT_AL_HTTP_COOKIE].alproto = ALPROTO_HTTP;

2
src/detect-http-header.c
Unescape Escape View File

@ -68,6 +68,8 @@ void DetectHttpHeaderFree(void *);
void DetectHttpHeaderRegister(void)
{
sigmatch_table[DETECT_AL_HTTP_HEADER].name = "http_header";
sigmatch_table[DETECT_AL_HTTP_HEADER].desc = "content modifier to match only on the HTTP header-buffer";
sigmatch_table[DETECT_AL_HTTP_HEADER].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords#http_header";
sigmatch_table[DETECT_AL_HTTP_HEADER].Match = NULL;
sigmatch_table[DETECT_AL_HTTP_HEADER].AppLayerMatch = NULL;
sigmatch_table[DETECT_AL_HTTP_HEADER].Setup = DetectHttpHeaderSetup;

2
src/detect-http-method.c
Unescape Escape View File

@ -68,6 +68,8 @@ void DetectHttpMethodFree(void *);
*/
void DetectHttpMethodRegister(void) {
sigmatch_table[DETECT_AL_HTTP_METHOD].name = "http_method";
sigmatch_table[DETECT_AL_HTTP_METHOD].desc = "content modifier to match only on the HTTP method-buffer";
sigmatch_table[DETECT_AL_HTTP_METHOD].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords#http_method";
sigmatch_table[DETECT_AL_HTTP_METHOD].Match = NULL;
sigmatch_table[DETECT_AL_HTTP_METHOD].AppLayerMatch = NULL;
sigmatch_table[DETECT_AL_HTTP_METHOD].alproto = ALPROTO_HTTP;

2
src/detect-http-raw-uri.c
Unescape Escape View File

@ -63,6 +63,8 @@ static void DetectHttpRawUriRegisterTests(void);
void DetectHttpRawUriRegister(void)
{
sigmatch_table[DETECT_AL_HTTP_RAW_URI].name = "http_raw_uri";
sigmatch_table[DETECT_AL_HTTP_RAW_URI].desc = "content modifier to match on HTTP uri";
sigmatch_table[DETECT_AL_HTTP_RAW_URI].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords#http_uri-and-http_raw_uri";
sigmatch_table[DETECT_AL_HTTP_RAW_URI].Match = NULL;
sigmatch_table[DETECT_AL_HTTP_RAW_URI].AppLayerMatch = NULL;
sigmatch_table[DETECT_AL_HTTP_RAW_URI].alproto = ALPROTO_HTTP;

2
src/detect-http-server-body.c
Unescape Escape View File

@ -68,6 +68,8 @@ void DetectHttpServerBodyFree(void *);
void DetectHttpServerBodyRegister(void)
{
sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].name = "http_server_body";
sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].desc = "content modifier to match only on the HTTP response-body";
sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords#http_server_body";
sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].Match = NULL;
sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].AppLayerMatch = NULL;
sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].Setup = DetectHttpServerBodySetup;

2
src/detect-http-stat-code.c
Unescape Escape View File

@ -73,6 +73,8 @@ void DetectHttpStatCodeFree(void *);
*/
void DetectHttpStatCodeRegister (void) {
sigmatch_table[DETECT_AL_HTTP_STAT_CODE].name = "http_stat_code";
sigmatch_table[DETECT_AL_HTTP_STAT_CODE].desc = "content modifier to match only on HTTP stat-code-buffer";
sigmatch_table[DETECT_AL_HTTP_STAT_CODE].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords#http_stat_code";
sigmatch_table[DETECT_AL_HTTP_STAT_CODE].Match = NULL;
sigmatch_table[DETECT_AL_HTTP_STAT_CODE].AppLayerMatch = NULL;
sigmatch_table[DETECT_AL_HTTP_STAT_CODE].alproto = ALPROTO_HTTP;

2
src/detect-http-stat-msg.c
Unescape Escape View File

@ -73,6 +73,8 @@ void DetectHttpStatMsgFree(void *);
*/
void DetectHttpStatMsgRegister (void) {
sigmatch_table[DETECT_AL_HTTP_STAT_MSG].name = "http_stat_msg";
sigmatch_table[DETECT_AL_HTTP_STAT_MSG].desc = "content modifier to match on HTTP stat-msg-buffer";
sigmatch_table[DETECT_AL_HTTP_STAT_MSG].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords#http_stat_msg";
sigmatch_table[DETECT_AL_HTTP_STAT_MSG].Match = NULL;
sigmatch_table[DETECT_AL_HTTP_STAT_MSG].AppLayerMatch = NULL;
sigmatch_table[DETECT_AL_HTTP_STAT_MSG].alproto = ALPROTO_HTTP;

2
src/detect-http-ua.c
Unescape Escape View File

@ -67,6 +67,8 @@ void DetectHttpUAFree(void *);
void DetectHttpUARegister(void)
{
sigmatch_table[DETECT_AL_HTTP_USER_AGENT].name = "http_user_agent";
sigmatch_table[DETECT_AL_HTTP_USER_AGENT].desc = "content modifier to match only on the HTTP User-Agent header";
sigmatch_table[DETECT_AL_HTTP_USER_AGENT].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords#http_user_agent";
sigmatch_table[DETECT_AL_HTTP_USER_AGENT].Match = NULL;
sigmatch_table[DETECT_AL_HTTP_USER_AGENT].AppLayerMatch = NULL;
sigmatch_table[DETECT_AL_HTTP_USER_AGENT].Setup = DetectHttpUASetup;

2
src/detect-http-uri.c
Unescape Escape View File

@ -63,6 +63,8 @@ void DetectHttpUriRegisterTests(void);
*/
void DetectHttpUriRegister (void) {
sigmatch_table[DETECT_AL_HTTP_URI].name = "http_uri";
sigmatch_table[DETECT_AL_HTTP_URI].desc = "content modifier to match specifically and only on the HTTP uri-buffer";
sigmatch_table[DETECT_AL_HTTP_URI].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords#http_uri-and-http_raw_uri";
sigmatch_table[DETECT_AL_HTTP_URI].Match = NULL;
sigmatch_table[DETECT_AL_HTTP_URI].AppLayerMatch = NULL;
sigmatch_table[DETECT_AL_HTTP_URI].alproto = ALPROTO_HTTP;

2
src/detect-icmp-seq.c
Unescape Escape View File

@ -52,6 +52,8 @@ void DetectIcmpSeqFree(void *);
*/
void DetectIcmpSeqRegister (void) {
sigmatch_table[DETECT_ICMP_SEQ].name = "icmp_seq";
sigmatch_table[DETECT_ICMP_SEQ].desc = "check for a ICMP sequence number";
sigmatch_table[DETECT_ICMP_SEQ].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Header_keywords#icmp_seq";
sigmatch_table[DETECT_ICMP_SEQ].Match = DetectIcmpSeqMatch;
sigmatch_table[DETECT_ICMP_SEQ].Setup = DetectIcmpSeqSetup;
sigmatch_table[DETECT_ICMP_SEQ].Free = DetectIcmpSeqFree;

2
src/detect-icode.c
Unescape Escape View File

@ -56,6 +56,8 @@ void DetectICodeFree(void *);
*/
void DetectICodeRegister (void) {
sigmatch_table[DETECT_ICODE].name = "icode";
sigmatch_table[DETECT_ICODE].desc = "match on specific ICMP id-value";
sigmatch_table[DETECT_ICODE].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Header_keywords#icode";
sigmatch_table[DETECT_ICODE].Match = DetectICodeMatch;
sigmatch_table[DETECT_ICODE].Setup = DetectICodeSetup;
sigmatch_table[DETECT_ICODE].Free = DetectICodeFree;

2
src/detect-id.c
Unescape Escape View File

@ -59,6 +59,8 @@ void DetectIdFree(void *);
*/
void DetectIdRegister (void) {
sigmatch_table[DETECT_ID].name = "id";
sigmatch_table[DETECT_ID].desc = "match on a specific IP ID value";
sigmatch_table[DETECT_ID].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Header_keywords#Id";
sigmatch_table[DETECT_ID].Match = DetectIdMatch;
sigmatch_table[DETECT_ID].Setup = DetectIdSetup;
sigmatch_table[DETECT_ID].Free = DetectIdFree;

2
src/detect-ipopts.c
Unescape Escape View File

@ -56,6 +56,8 @@ void DetectIpOptsFree(void *);
*/
void DetectIpOptsRegister (void) {
sigmatch_table[DETECT_IPOPTS].name = "ipopts";
sigmatch_table[DETECT_IPOPTS].desc = "check if a specific IP option is set";
sigmatch_table[DETECT_IPOPTS].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Header_keywords#Ipopts";
sigmatch_table[DETECT_IPOPTS].Match = DetectIpOptsMatch;
sigmatch_table[DETECT_IPOPTS].Setup = DetectIpOptsSetup;
sigmatch_table[DETECT_IPOPTS].Free = DetectIpOptsFree;

2
src/detect-ipproto.c
Unescape Escape View File

@ -65,6 +65,8 @@ void DetectIPProtoRegister(void)
int opts = 0;
sigmatch_table[DETECT_IPPROTO].name = "ip_proto";
sigmatch_table[DETECT_IPPROTO].desc = "match on the IP protocol in the packet-header";
sigmatch_table[DETECT_IPPROTO].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Header_keywords#ip_proto";
sigmatch_table[DETECT_IPPROTO].Match = NULL;
sigmatch_table[DETECT_IPPROTO].Setup = DetectIPProtoSetup;
sigmatch_table[DETECT_IPPROTO].Free = NULL;

2
src/detect-isdataat.c
Unescape Escape View File

@ -65,6 +65,8 @@ void DetectIsdataatFree(void *);
*/
void DetectIsdataatRegister (void) {
sigmatch_table[DETECT_ISDATAAT].name = "isdataat";
sigmatch_table[DETECT_ISDATAAT].desc = "check if there is still data at a specific part of the payload";
sigmatch_table[DETECT_ISDATAAT].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Payload_keywords#Isadataat";
sigmatch_table[DETECT_ISDATAAT].Match = DetectIsdataatMatch;
sigmatch_table[DETECT_ISDATAAT].Setup = DetectIsdataatSetup;
sigmatch_table[DETECT_ISDATAAT].Free = DetectIsdataatFree;

2
src/detect-itype.c
Unescape Escape View File

@ -56,6 +56,8 @@ void DetectITypeFree(void *);
*/
void DetectITypeRegister (void) {
sigmatch_table[DETECT_ITYPE].name = "itype";
sigmatch_table[DETECT_ITYPE].desc = "matching on a specific ICMP type";
sigmatch_table[DETECT_ITYPE].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Header_keywords#itype";
sigmatch_table[DETECT_ITYPE].Match = DetectITypeMatch;
sigmatch_table[DETECT_ITYPE].Setup = DetectITypeSetup;
sigmatch_table[DETECT_ITYPE].Free = DetectITypeFree;

2
src/detect-luajit.c
Unescape Escape View File

@ -92,6 +92,8 @@ static void DetectLuajitFree(void *);
*/
void DetectLuajitRegister(void) {
sigmatch_table[DETECT_LUAJIT].name = "luajit";
sigmatch_table[DETECT_LUAJIT].desc = "match via a luajit script";
sigmatch_table[DETECT_LUAJIT].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_scripting";
sigmatch_table[DETECT_LUAJIT].Match = DetectLuajitMatch;
sigmatch_table[DETECT_LUAJIT].Setup = DetectLuajitSetup;
sigmatch_table[DETECT_LUAJIT].Free = DetectLuajitFree;

2
src/detect-metadata.c
Unescape Escape View File

@ -33,6 +33,8 @@ static int DetectMetadataSetup (DetectEngineCtx *, Signature *, char *);
void DetectMetadataRegister (void) {
sigmatch_table[DETECT_METADATA].name = "metadata";
sigmatch_table[DETECT_METADATA].desc = "ignored by suricata";
sigmatch_table[DETECT_METADATA].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Meta-settings#Metadata";
sigmatch_table[DETECT_METADATA].Match = NULL;
sigmatch_table[DETECT_METADATA].Setup = DetectMetadataSetup;
sigmatch_table[DETECT_METADATA].Free = NULL;

2
src/detect-msg.c
Unescape Escape View File

@ -38,6 +38,8 @@ void DetectMsgRegisterTests(void);
void DetectMsgRegister (void) {
sigmatch_table[DETECT_MSG].name = "msg";
sigmatch_table[DETECT_MSG].desc = "information about the rule and the possible alert";
sigmatch_table[DETECT_MSG].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Meta-settings#msg-message";
sigmatch_table[DETECT_MSG].Match = NULL;
sigmatch_table[DETECT_MSG].Setup = DetectMsgSetup;
sigmatch_table[DETECT_MSG].Free = NULL;

2
src/detect-nocase.c
Unescape Escape View File

@ -46,6 +46,8 @@ static int DetectNocaseSetup (DetectEngineCtx *, Signature *, char *);
void DetectNocaseRegister (void) {
sigmatch_table[DETECT_NOCASE].name = "nocase";
sigmatch_table[DETECT_NOCASE].desc = "modify content match to be case insensitive";
sigmatch_table[DETECT_NOCASE].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Payload_keywords#Nocase";
sigmatch_table[DETECT_NOCASE].Match = NULL;
sigmatch_table[DETECT_NOCASE].Setup = DetectNocaseSetup;
sigmatch_table[DETECT_NOCASE].Free = NULL;

2
src/detect-offset.c
Unescape Escape View File

@ -43,6 +43,8 @@ static int DetectOffsetSetup (DetectEngineCtx *, Signature *, char *);
void DetectOffsetRegister (void) {
sigmatch_table[DETECT_OFFSET].name = "offset";
sigmatch_table[DETECT_OFFSET].desc = "designate from which byte in the payload will be checked to find a match";
sigmatch_table[DETECT_OFFSET].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Payload_keywords#Offset";
sigmatch_table[DETECT_OFFSET].Match = NULL;
sigmatch_table[DETECT_OFFSET].Setup = DetectOffsetSetup;
sigmatch_table[DETECT_OFFSET].Free = NULL;

2
src/detect-pcre.c
Unescape Escape View File

@ -83,6 +83,8 @@ void DetectPcreRegisterTests(void);
void DetectPcreRegister (void) {
sigmatch_table[DETECT_PCRE].name = "pcre";
sigmatch_table[DETECT_PCRE].desc = "match on regular expression";
sigmatch_table[DETECT_PCRE].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords#Pcre-Perl-Compatible-Regular-Expressions";
sigmatch_table[DETECT_PCRE].Match = NULL;
sigmatch_table[DETECT_PCRE].AppLayerMatch = NULL;
sigmatch_table[DETECT_PCRE].alproto = ALPROTO_HTTP;

2
src/detect-priority.c
Unescape Escape View File

@ -51,6 +51,8 @@ void DetectPriorityRegister (void)
int opts = 0;
sigmatch_table[DETECT_PRIORITY].name = "priority";
sigmatch_table[DETECT_PRIORITY].desc = "rules with a higher priority will be examined first";
sigmatch_table[DETECT_PRIORITY].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Meta-settings#Priority";
sigmatch_table[DETECT_PRIORITY].Match = NULL;
sigmatch_table[DETECT_PRIORITY].Setup = DetectPrioritySetup;
sigmatch_table[DETECT_PRIORITY].Free = NULL;

2
src/detect-reference.c
Unescape Escape View File

@ -56,6 +56,8 @@ static int DetectReferenceSetup(DetectEngineCtx *, Signature *s, char *str);
void DetectReferenceRegister(void)
{
sigmatch_table[DETECT_REFERENCE].name = "reference";
sigmatch_table[DETECT_REFERENCE].desc = "direct to places where information about the rule can be found";
sigmatch_table[DETECT_REFERENCE].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Meta-settings#Reference";
sigmatch_table[DETECT_REFERENCE].Match = NULL;
sigmatch_table[DETECT_REFERENCE].Setup = DetectReferenceSetup;
sigmatch_table[DETECT_REFERENCE].Free = NULL;

2
src/detect-rev.c
Unescape Escape View File

@ -32,6 +32,8 @@ static int DetectRevSetup (DetectEngineCtx *, Signature *, char *);
void DetectRevRegister (void) {
sigmatch_table[DETECT_REV].name = "rev";
sigmatch_table[DETECT_REV].desc = "set version of the rule";
sigmatch_table[DETECT_REV].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Meta-settings#Rev-Revision";
sigmatch_table[DETECT_REV].Match = NULL;
sigmatch_table[DETECT_REV].Setup = DetectRevSetup;
sigmatch_table[DETECT_REV].Free = NULL;

2
src/detect-rpc.c
Unescape Escape View File

@ -58,6 +58,8 @@ void DetectRpcFree(void *);
*/
void DetectRpcRegister (void) {
sigmatch_table[DETECT_RPC].name = "rpc";
sigmatch_table[DETECT_RPC].desc = "match RPC procedure numbers and RPC version";
sigmatch_table[DETECT_RPC].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Payload_keywords#rpc";
sigmatch_table[DETECT_RPC].Match = DetectRpcMatch;
sigmatch_table[DETECT_RPC].Setup = DetectRpcSetup;
sigmatch_table[DETECT_RPC].Free = DetectRpcFree;

2
src/detect-sameip.c
Unescape Escape View File

@ -49,6 +49,8 @@ static void DetectSameipRegisterTests(void);
void DetectSameipRegister(void)
{
sigmatch_table[DETECT_SAMEIP].name = "sameip";
sigmatch_table[DETECT_SAMEIP].desc = "check if the IP address of the source is the same as the IP address of the destination";
sigmatch_table[DETECT_SAMEIP].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Header_keywords#sameip";
sigmatch_table[DETECT_SAMEIP].Match = DetectSameipMatch;
sigmatch_table[DETECT_SAMEIP].Setup = DetectSameipSetup;
sigmatch_table[DETECT_SAMEIP].Free = NULL;

2
src/detect-seq.c
Unescape Escape View File

@ -48,6 +48,8 @@ static void DetectSeqFree(void *);
void DetectSeqRegister(void) {
sigmatch_table[DETECT_SEQ].name = "seq";
sigmatch_table[DETECT_SEQ].desc = "check for a specific TCP sequence number";
sigmatch_table[DETECT_SEQ].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Header_keywords#seq";
sigmatch_table[DETECT_SEQ].Match = DetectSeqMatch;
sigmatch_table[DETECT_SEQ].Setup = DetectSeqSetup;
sigmatch_table[DETECT_SEQ].Free = DetectSeqFree;

2
src/detect-sid.c
Unescape Escape View File

@ -32,6 +32,8 @@ static int DetectSidSetup (DetectEngineCtx *, Signature *, char *);
void DetectSidRegister (void) {
sigmatch_table[DETECT_SID].name = "sid";
sigmatch_table[DETECT_SID].desc = "set rule id";
sigmatch_table[DETECT_SID].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Meta-settings#Sid-signature-id";
sigmatch_table[DETECT_SID].Match = NULL;
sigmatch_table[DETECT_SID].Setup = DetectSidSetup;
sigmatch_table[DETECT_SID].Free = NULL;

2
src/detect-stream_size.c
Unescape Escape View File

@ -55,6 +55,8 @@ void DetectStreamSizeRegisterTests(void);
void DetectStreamSizeRegister(void) {
sigmatch_table[DETECT_STREAM_SIZE].name = "stream_size";
sigmatch_table[DETECT_STREAM_SIZE].desc = "match on amount of bytes of a stream";
sigmatch_table[DETECT_STREAM_SIZE].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Flow-keywords#stream_size";
sigmatch_table[DETECT_STREAM_SIZE].Match = DetectStreamSizeMatch;
sigmatch_table[DETECT_STREAM_SIZE].Setup = DetectStreamSizeSetup;
sigmatch_table[DETECT_STREAM_SIZE].Free = DetectStreamSizeFree;

2
src/detect-threshold.c
Unescape Escape View File

@ -72,6 +72,8 @@ static void DetectThresholdFree(void *);
void DetectThresholdRegister (void) {
sigmatch_table[DETECT_THRESHOLD].name = "threshold";
sigmatch_table[DETECT_THRESHOLD].desc = "control the rule's alert frequency";
sigmatch_table[DETECT_THRESHOLD].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule-Thresholding#threshold";
sigmatch_table[DETECT_THRESHOLD].Match = DetectThresholdMatch;
sigmatch_table[DETECT_THRESHOLD].Setup = DetectThresholdSetup;
sigmatch_table[DETECT_THRESHOLD].Free = DetectThresholdFree;

2
src/detect-tls-version.c
Unescape Escape View File

@ -68,6 +68,8 @@ void DetectTlsVersionFree(void *);
*/
void DetectTlsVersionRegister (void) {
sigmatch_table[DETECT_AL_TLS_VERSION].name = "tls.version";
sigmatch_table[DETECT_AL_TLS_VERSION].desc = "match on TLS/SSL version";
sigmatch_table[DETECT_AL_TLS_VERSION].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/TLS-keywords#tlsversion";
sigmatch_table[DETECT_AL_TLS_VERSION].Match = NULL;
sigmatch_table[DETECT_AL_TLS_VERSION].AppLayerMatch = DetectTlsVersionMatch;
sigmatch_table[DETECT_AL_TLS_VERSION].alproto = ALPROTO_TLS;

12
src/detect-tls.c
Unescape Escape View File

@ -93,7 +93,8 @@ static int DetectTlsStoreMatch (ThreadVars *, DetectEngineThreadCtx *, Flow *, u
*/
void DetectTlsRegister (void) {
sigmatch_table[DETECT_AL_TLS_SUBJECT].name = "tls.subject";
sigmatch_table[DETECT_AL_TLS_SUBJECT].desc = "Match TLS/SSL certificate Subject field";
sigmatch_table[DETECT_AL_TLS_SUBJECT].desc = "match TLS/SSL certificate Subject field";
sigmatch_table[DETECT_AL_TLS_SUBJECT].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/TLS-keywords#tlssubject";
sigmatch_table[DETECT_AL_TLS_SUBJECT].Match = NULL;
sigmatch_table[DETECT_AL_TLS_SUBJECT].AppLayerMatch = DetectTlsSubjectMatch;
sigmatch_table[DETECT_AL_TLS_SUBJECT].alproto = ALPROTO_TLS;
@ -102,7 +103,8 @@ void DetectTlsRegister (void) {
sigmatch_table[DETECT_AL_TLS_SUBJECT].RegisterTests = DetectTlsSubjectRegisterTests;
sigmatch_table[DETECT_AL_TLS_ISSUERDN].name = "tls.issuerdn";
sigmatch_table[DETECT_AL_TLS_ISSUERDN].desc = "Match TLS/SSL certificate IssuerDN field";
sigmatch_table[DETECT_AL_TLS_ISSUERDN].desc = "match TLS/SSL certificate IssuerDN field";
sigmatch_table[DETECT_AL_TLS_ISSUERDN].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/TLS-keywords#tlsissuerdn";
sigmatch_table[DETECT_AL_TLS_ISSUERDN].Match = NULL;
sigmatch_table[DETECT_AL_TLS_ISSUERDN].AppLayerMatch = DetectTlsIssuerDNMatch;
sigmatch_table[DETECT_AL_TLS_ISSUERDN].alproto = ALPROTO_TLS;
@ -111,7 +113,8 @@ void DetectTlsRegister (void) {
sigmatch_table[DETECT_AL_TLS_ISSUERDN].RegisterTests = DetectTlsIssuerDNRegisterTests;
sigmatch_table[DETECT_AL_TLS_FINGERPRINT].name = "tls.fingerprint";
sigmatch_table[DETECT_AL_TLS_FINGERPRINT].desc = "Match TLS/SSL certificate SHA1 fingerprint";
sigmatch_table[DETECT_AL_TLS_FINGERPRINT].desc = "match TLS/SSL certificate SHA1 fingerprint";
sigmatch_table[DETECT_AL_TLS_FINGERPRINT].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/TLS-keywords#tlsfingerprint";
sigmatch_table[DETECT_AL_TLS_FINGERPRINT].Match = NULL;
sigmatch_table[DETECT_AL_TLS_FINGERPRINT].AppLayerMatch = DetectTlsFingerprintMatch;
sigmatch_table[DETECT_AL_TLS_FINGERPRINT].alproto = ALPROTO_TLS;
@ -120,7 +123,8 @@ void DetectTlsRegister (void) {
sigmatch_table[DETECT_AL_TLS_FINGERPRINT].RegisterTests = NULL;
sigmatch_table[DETECT_AL_TLS_STORE].name = "tls.store";
sigmatch_table[DETECT_AL_TLS_STORE].desc = "Store certificate on disk";
sigmatch_table[DETECT_AL_TLS_STORE].desc = "store TLS/SSL certificate on disk";
sigmatch_table[DETECT_AL_TLS_STORE].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/TLS-keywords#tlsstore";
sigmatch_table[DETECT_AL_TLS_STORE].Match = NULL;
sigmatch_table[DETECT_AL_TLS_STORE].AppLayerMatch = DetectTlsStoreMatch;
sigmatch_table[DETECT_AL_TLS_STORE].alproto = ALPROTO_TLS;

2
src/detect-ttl.c
Unescape Escape View File

@ -53,6 +53,8 @@ void DetectTtlRegisterTests (void);
void DetectTtlRegister(void) {
sigmatch_table[DETECT_TTL].name = "ttl";
sigmatch_table[DETECT_TTL].desc = "check for a specific IP time-to-live value";
sigmatch_table[DETECT_TTL].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Header_keywords#ttl";
sigmatch_table[DETECT_TTL].Match = DetectTtlMatch;
sigmatch_table[DETECT_TTL].Setup = DetectTtlSetup;
sigmatch_table[DETECT_TTL].Free = DetectTtlFree;

2
src/detect-urilen.c
Unescape Escape View File

@ -61,6 +61,8 @@ void DetectUrilenRegisterTests (void);
void DetectUrilenRegister(void)
{
sigmatch_table[DETECT_AL_URILEN].name = "urilen";
sigmatch_table[DETECT_AL_URILEN].desc = "match on the length of the HTTP uri";
sigmatch_table[DETECT_AL_URILEN].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords#Urilen";
sigmatch_table[DETECT_AL_URILEN].Match = NULL;
sigmatch_table[DETECT_AL_URILEN].alproto = ALPROTO_HTTP;
sigmatch_table[DETECT_AL_URILEN].AppLayerMatch = NULL /**< We handle this at detect-engine-uri.c now */;

2
src/detect-window.c
Unescape Escape View File

@ -57,6 +57,8 @@ void DetectWindowFree(void *);
*/
void DetectWindowRegister (void) {
sigmatch_table[DETECT_WINDOW].name = "window";
sigmatch_table[DETECT_WINDOW].desc = "check for a specific TCP window size";
sigmatch_table[DETECT_WINDOW].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Header_keywords#Window";
sigmatch_table[DETECT_WINDOW].Match = DetectWindowMatch;
sigmatch_table[DETECT_WINDOW].Setup = DetectWindowSetup;
sigmatch_table[DETECT_WINDOW].Free = DetectWindowFree;

2
src/detect-within.c
Unescape Escape View File

@ -48,6 +48,8 @@ void DetectWithinRegisterTests(void);
void DetectWithinRegister (void) {
sigmatch_table[DETECT_WITHIN].name = "within";
sigmatch_table[DETECT_WITHIN].desc = "indicate that this content match has to be within a certain distance of the previous content keyword match";
sigmatch_table[DETECT_WITHIN].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Payload_keywords#Within";
sigmatch_table[DETECT_WITHIN].Match = NULL;
sigmatch_table[DETECT_WITHIN].Setup = DetectWithinSetup;
sigmatch_table[DETECT_WITHIN].Free = NULL;

48
src/detect.c
Unescape Escape View File

@ -4576,19 +4576,19 @@ static inline void PrintFeatureList(int flags, char sep)
if (flags & SIGMATCH_IPONLY_COMPAT) {
if (prev == 1)
printf("%c", sep);
printf("IP only rule");
printf("compatible with IP only rule");
prev = 1;
}
if (flags & SIGMATCH_DEONLY_COMPAT) {
if (prev == 1)
printf("%c", sep);
printf("IP only rule");
printf("compatible with decoder event only rule");
prev = 1;
}
if (flags & SIGMATCH_PAYLOAD) {
if (prev == 1)
printf("%c", sep);
printf("payload inspecting rule");
printf("payload inspecting keyword");
prev = 1;
}
if (prev == 0) {
@ -4596,6 +4596,21 @@ static inline void PrintFeatureList(int flags, char sep)
}
}
static inline void SigMultilinePrint(int i, char *prefix)
{
if (sigmatch_table[i].desc) {
printf("%sDescription: %s\n", prefix, sigmatch_table[i].desc);
}
printf("%sProtocol: %s\n", prefix,
AppLayerGetProtoString(sigmatch_table[i].alproto));
printf("%sFeatures: ", prefix);
PrintFeatureList(sigmatch_table[i].flags, ',');
if (sigmatch_table[i].url) {
printf("\n%sDocumentation: %s", prefix, sigmatch_table[i].url);
}
printf("\n");
}
void SigTableList(const char *keyword)
{
size_t size = sizeof(sigmatch_table) / sizeof(SigTableElmt);
@ -4608,8 +4623,8 @@ void SigTableList(const char *keyword)
if (sigmatch_table[i].name != NULL)
printf("- %s\n", sigmatch_table[i].name);
}
} else if (!strcmp("all", keyword)) {
printf("name;description;app layer;features\n");
} else if (!strcmp("csv", keyword)) {
printf("name;description;app layer;features;documentation\n");
for (i = 0; i < size; i++) {
if (sigmatch_table[i].name != NULL) {
printf("%s;", sigmatch_table[i].name);
@ -4618,24 +4633,27 @@ void SigTableList(const char *keyword)
}
/* Build feature */
printf(";%s;",
TmModuleAlprotoToString(sigmatch_table[i].alproto));
AppLayerGetProtoString(sigmatch_table[i].alproto));
PrintFeatureList(sigmatch_table[i].flags, ':');
printf(";");
if (sigmatch_table[i].url) {
printf("%s", sigmatch_table[i].url);
}
printf(";");
printf("\n");
}
}
} else if (!strcmp("all", keyword)) {
for (i = 0; i < size; i++) {
printf("%s:\n", sigmatch_table[i].name);
SigMultilinePrint(i, "\t");
}
} else {
for (i = 0; i < size; i++) {
if ((sigmatch_table[i].name != NULL) &&
!strcmp(sigmatch_table[i].name, keyword)) {
printf("%s\n", sigmatch_table[i].name);
if (sigmatch_table[i].desc) {
printf("Description: %s\n", sigmatch_table[i].desc);
}
printf("Protocol: %s\n",
TmModuleAlprotoToString(sigmatch_table[i].alproto));
printf("Features: ");
PrintFeatureList(sigmatch_table[i].flags, ',');
printf("\n");
printf("= %s =\n", sigmatch_table[i].name);
SigMultilinePrint(i, "");
}
}
}

1
src/detect.h
Unescape Escape View File

@ -861,6 +861,7 @@ typedef struct SigTableElmt_ {
uint8_t flags;
char *name;
char *desc;
char *url;
} SigTableElmt;

96
src/suricata.c
Unescape Escape View File

@ -462,73 +462,73 @@ void usage(const char *progname)
printf("%s %s\n", PROG_NAME, PROG_VER);
#endif
printf("USAGE: %s [OPTIONS] [BPF FILTER]\n\n", progname);
printf("\t-c <path> : path to configuration file\n");
printf("\t-T : test configuration file (use with -c)\n");
printf("\t-i <dev or ip> : run in pcap live mode\n");
printf("\t-F <bpf filter file> : bpf filter file\n");
printf("\t-r <path> : run in pcap file/offline mode\n");
printf("\t-c <path> : path to configuration file\n");
printf("\t-T : test configuration file (use with -c)\n");
printf("\t-i <dev or ip> : run in pcap live mode\n");
printf("\t-F <bpf filter file> : bpf filter file\n");
printf("\t-r <path> : run in pcap file/offline mode\n");
#ifdef NFQ
printf("\t-q <qid> : run in inline nfqueue mode\n");
printf("\t-q <qid> : run in inline nfqueue mode\n");
#endif /* NFQ */
#ifdef IPFW
printf("\t-d <divert port> : run in inline ipfw divert mode\n");
printf("\t-d <divert port> : run in inline ipfw divert mode\n");
#endif /* IPFW */
printf("\t-s <path> : path to signature file loaded in addition to suricata.yaml settings (optional)\n");
printf("\t-S <path> : path to signature file loaded exclusively (optional)\n");
printf("\t-l <dir> : default log directory\n");
printf("\t-s <path> : path to signature file loaded in addition to suricata.yaml settings (optional)\n");
printf("\t-S <path> : path to signature file loaded exclusively (optional)\n");
printf("\t-l <dir> : default log directory\n");
#ifndef OS_WIN32
printf("\t-D : run as daemon\n");
printf("\t-D : run as daemon\n");
#else
printf("\t--service-install : install as service\n");
printf("\t--service-remove : remove service\n");
printf("\t--service-change-params : change service startup parameters\n");
printf("\t--service-install : install as service\n");
printf("\t--service-remove : remove service\n");
printf("\t--service-change-params : change service startup parameters\n");
#endif /* OS_WIN32 */
printf("\t-V : display Suricata version\n");
printf("\t-V : display Suricata version\n");
#ifdef UNITTESTS
printf("\t-u : run the unittests and exit\n");
printf("\t-U, --unittest-filter=REGEX : filter unittests with a regex\n");
printf("\t--list-unittests : list unit tests\n");
printf("\t--fatal-unittests : enable fatal failure on unittest error\n");
printf("\t-u : run the unittests and exit\n");
printf("\t-U, --unittest-filter=REGEX : filter unittests with a regex\n");
printf("\t--list-unittests : list unit tests\n");
printf("\t--fatal-unittests : enable fatal failure on unittest error\n");
#endif /* UNITTESTS */
printf("\t--list-app-layer-protos : list supported app layer protocols\n");
printf("\t--list-keywords[=any|<kword>]: list keywords implemented by the engine\n");
printf("\t--list-app-layer-protos : list supported app layer protocols\n");
printf("\t--list-keywords[=all|csv|<kword>] : list keywords implemented by the engine\n");
#ifdef __SC_CUDA_SUPPORT__
printf("\t--list-cuda-cards : list cuda supported cards\n");
#endif
printf("\t--list-runmodes : list supported runmodes\n");
printf("\t--runmode <runmode_id> : specific runmode modification the engine should run. The argument\n"
"\t supplied should be the id for the runmode obtained by running\n"
"\t --list-runmodes\n");
printf("\t--engine-analysis : print reports on analysis of different sections in the engine and exit.\n"
"\t Please have a look at the conf parameter engine-analysis on what reports\n"
"\t can be printed\n");
printf("\t--pidfile <file> : write pid to this file (only for daemon mode)\n");
printf("\t--init-errors-fatal : enable fatal failure on signature init error\n");
printf("\t--dump-config : show the running configuration\n");
printf("\t--build-info : display build information\n");
printf("\t--pcap[=<dev>] : run in pcap mode, no value select interfaces from suricata.yaml\n");
printf("\t--list-cuda-cards : list cuda supported cards\n");
#endif
printf("\t--list-runmodes : list supported runmodes\n");
printf("\t--runmode <runmode_id> : specific runmode modification the engine should run. The argument\n"
"\t supplied should be the id for the runmode obtained by running\n"
"\t --list-runmodes\n");
printf("\t--engine-analysis : print reports on analysis of different sections in the engine and exit.\n"
"\t Please have a look at the conf parameter engine-analysis on what reports\n"
"\t can be printed\n");
printf("\t--pidfile <file> : write pid to this file (only for daemon mode)\n");
printf("\t--init-errors-fatal : enable fatal failure on signature init error\n");
printf("\t--dump-config : show the running configuration\n");
printf("\t--build-info : display build information\n");
printf("\t--pcap[=<dev>] : run in pcap mode, no value select interfaces from suricata.yaml\n");
#ifdef HAVE_PCAP_SET_BUFF
printf("\t--pcap-buffer-size : size of the pcap buffer value from 0 - %i\n",INT_MAX);
printf("\t--pcap-buffer-size : size of the pcap buffer value from 0 - %i\n",INT_MAX);
#endif /* HAVE_SET_PCAP_BUFF */
#ifdef HAVE_AF_PACKET
printf("\t--af-packet[=<dev>] : run in af-packet mode, no value select interfaces from suricata.yaml\n");
printf("\t--af-packet[=<dev>] : run in af-packet mode, no value select interfaces from suricata.yaml\n");
#endif
#ifdef HAVE_PFRING
printf("\t--pfring[=<dev>] : run in pfring mode, use interfaces from suricata.yaml\n");
printf("\t--pfring-int <dev> : run in pfring mode, use interface <dev>\n");
printf("\t--pfring-cluster-id <id> : pfring cluster id \n");
printf("\t--pfring-cluster-type <type> : pfring cluster type for PF_RING 4.1.2 and later cluster_round_robin|cluster_flow\n");
printf("\t--pfring[=<dev>] : run in pfring mode, use interfaces from suricata.yaml\n");
printf("\t--pfring-int <dev> : run in pfring mode, use interface <dev>\n");
printf("\t--pfring-cluster-id <id> : pfring cluster id \n");
printf("\t--pfring-cluster-type <type> : pfring cluster type for PF_RING 4.1.2 and later cluster_round_robin|cluster_flow\n");
#endif /* HAVE_PFRING */
#ifdef HAVE_LIBCAP_NG
printf("\t--user <user> : run suricata as this user after init\n");
printf("\t--group <group> : run suricata as this group after init\n");
printf("\t--user <user> : run suricata as this user after init\n");
printf("\t--group <group> : run suricata as this group after init\n");
#endif /* HAVE_LIBCAP_NG */
printf("\t--erf-in <path> : process an ERF file\n");
printf("\t--erf-in <path> : process an ERF file\n");
#ifdef HAVE_DAG
printf("\t--dag <dagX:Y> : process ERF records from DAG interface X, stream Y\n");
printf("\t--dag <dagX:Y> : process ERF records from DAG interface X, stream Y\n");
#endif
#ifdef HAVE_NAPATECH
printf("\t--napatech : run Napatech Streams using the API\n");
printf("\t--napatech : run Napatech Streams using the API\n");
#endif
printf("\n");
printf("\nTo run the engine with default configuration on "
@ -921,7 +921,9 @@ int main(int argc, char **argv)
exit(EXIT_SUCCESS);
} else if (strcmp((long_opts[option_index]).name, "list-keywords") == 0) {
if (optarg) {
keyword_info = optarg;
if (strcmp("short",optarg)) {
keyword_info = optarg;
}
}
} else if (strcmp((long_opts[option_index]).name, "runmode") == 0) {
runmode_custom_mode = optarg;

Write Preview
Loading…
Cancel
Save