aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

http user agent keyword + mpm + inspection + fast pattern support added

Browse Source
remotes/origin/HEAD
Anoop Saldanha 13 years ago committed by Victor Julien
parent bd3a655aeb
commit 988c92f71c
25 changed files with 5716 additions and 69 deletions
Show Stats Download Patch File Download Diff File

2
src/Makefile.am
Unescape Escape View File

@ -92,6 +92,7 @@ detect-engine-hcd.c detect-engine-hcd.h \
detect-engine-hrud.c detect-engine-hrud.h \ detect-engine-hrud.c detect-engine-hrud.h \
detect-engine-hsmd.c detect-engine-hsmd.h \ detect-engine-hsmd.c detect-engine-hsmd.h \
detect-engine-hscd.c detect-engine-hscd.h \ detect-engine-hscd.c detect-engine-hscd.h \
detect-engine-hua.c detect-engine-hua.h \
detect-engine-state.c detect-engine-state.h \ detect-engine-state.c detect-engine-state.h \
detect-engine-file.c detect-engine-file.h \ detect-engine-file.c detect-engine-file.h \
detect-engine-analyzer.c detect-engine-analyzer.h \ detect-engine-analyzer.c detect-engine-analyzer.h \
@ -149,6 +150,7 @@ detect-http-raw-header.c detect-http-raw-header.h \
detect-http-uri.c detect-http-uri.h \ detect-http-uri.c detect-http-uri.h \
detect-http-raw-uri.c detect-http-raw-uri.h \ detect-http-raw-uri.c detect-http-raw-uri.h \
detect-file-data.c detect-file-data.h \ detect-file-data.c detect-file-data.h \
detect-http-ua.c detect-http-ua.h \
detect-tls.c detect-tls.h \ detect-tls.c detect-tls.h \
detect-tls-version.c detect-tls-version.h \ detect-tls-version.c detect-tls-version.h \
detect-ssh-proto-version.c detect-ssh-proto-version.h \ detect-ssh-proto-version.c detect-ssh-proto-version.h \

11
src/detect-content.h
Unescape Escape View File

@ -54,15 +54,16 @@
#define DETECT_CONTENT_HRUD_MPM 0x00100000 #define DETECT_CONTENT_HRUD_MPM 0x00100000
#define DETECT_CONTENT_HSMD_MPM 0x00200000 #define DETECT_CONTENT_HSMD_MPM 0x00200000
#define DETECT_CONTENT_HSCD_MPM 0x00400000 #define DETECT_CONTENT_HSCD_MPM 0x00400000
#define DETECT_CONTENT_HUAD_MPM 0x00800000
/* BE - byte extract */ /* BE - byte extract */
#define DETECT_CONTENT_OFFSET_BE 0x00800000 #define DETECT_CONTENT_OFFSET_BE 0x01000000
#define DETECT_CONTENT_DEPTH_BE 0x01000000 #define DETECT_CONTENT_DEPTH_BE 0x02000000
#define DETECT_CONTENT_DISTANCE_BE 0x02000000 #define DETECT_CONTENT_DISTANCE_BE 0x04000000
#define DETECT_CONTENT_WITHIN_BE 0x04000000 #define DETECT_CONTENT_WITHIN_BE 0x08000000
/* replace data */ /* replace data */
#define DETECT_CONTENT_REPLACE 0x08000000 #define DETECT_CONTENT_REPLACE 0x10000000
#define DETECT_CONTENT_IS_SINGLE(c) (!((c)->flags & DETECT_CONTENT_DISTANCE || \ #define DETECT_CONTENT_IS_SINGLE(c) (!((c)->flags & DETECT_CONTENT_DISTANCE || \
(c)->flags & DETECT_CONTENT_WITHIN || \ (c)->flags & DETECT_CONTENT_WITHIN || \

7
src/detect-depth.c
Unescape Escape View File

@ -85,7 +85,7 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths
break; break;
default: default:
pm = SigMatchGetLastSMFromLists(s, 22, pm = SigMatchGetLastSMFromLists(s, 24,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
@ -96,13 +96,14 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, char *depths
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]); DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]);
if (pm == NULL) { if (pm == NULL) {
SCLogError(SC_ERR_DEPTH_MISSING_CONTENT, "depth needs " SCLogError(SC_ERR_DEPTH_MISSING_CONTENT, "depth needs "
"preceeding content, uricontent option, http_client_body, " "preceeding content, uricontent option, http_client_body, "
"http_server_body, http_header option, http_raw_header option, " "http_server_body, http_header option, http_raw_header option, "
"http_method option, http_cookie, http_raw_uri, " "http_method option, http_cookie, http_raw_uri, "
"http_stat_msg or http_stat_code option"); "http_stat_msg, http_stat_code or http_user_agent option");
if (dubbed) if (dubbed)
SCFree(str); SCFree(str);
return -1; return -1;

9
src/detect-distance.c
Unescape Escape View File

@ -160,7 +160,7 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s,
} }
} }
} else { } else {
pm = SigMatchGetLastSMFromLists(s, 22, pm = SigMatchGetLastSMFromLists(s, 24,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
@ -171,13 +171,14 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH]); DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]);
if (pm == NULL) { if (pm == NULL) {
SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "within needs " SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "within needs "
"preceeding content, uricontent option, http_client_body, " "preceeding content, uricontent option, http_client_body, "
"http_server_body, http_header, http_raw_header, http_method, " "http_server_body, http_header, http_raw_header, http_method, "
"http_cookie, http_raw_uri, http_stat_msg or http_stat_code " "http_cookie, http_raw_uri, http_stat_msg, http_stat_code "
"option"); "or http_user_agent option");
if (dubbed) if (dubbed)
SCFree(str); SCFree(str);
return -1; return -1;

1
src/detect-engine-content-inspection.h
Unescape Escape View File

@ -38,6 +38,7 @@ enum {
DETECT_ENGINE_CONTENT_INSPECTION_MODE_HMD, DETECT_ENGINE_CONTENT_INSPECTION_MODE_HMD,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_HSCD, DETECT_ENGINE_CONTENT_INSPECTION_MODE_HSCD,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_HSMD, DETECT_ENGINE_CONTENT_INSPECTION_MODE_HSMD,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_HUAD,
}; };
int DetectEngineContentInspection(DetectEngineCtx *, int DetectEngineContentInspection(DetectEngineCtx *,

1789
src/detect-engine-hua.c
View File

File diff suppressed because it is too large Load Diff

33
src/detect-engine-hua.h
Unescape Escape View File

@ -0,0 +1,33 @@
/* Copyright (C) 2007-2012 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/** \file
*
* \author Anoop Saldanha <anoopsaldanha@gmail.com>
*/
#ifndef __DETECT_ENGINE_HUA_H__
#define __DETECT_ENGINE_HUA_H__
#include "app-layer-htp.h"
int DetectEngineInspectHttpUA(DetectEngineCtx *, DetectEngineThreadCtx *,
Signature *, Flow *, uint8_t, void *);
int DetectEngineRunHttpUAMpm(DetectEngineThreadCtx *, Flow *, HtpState *, uint8_t);
void DetectEngineHttpUARegisterTests(void);
#endif /* __DETECT_ENGINE_HUA_H__ */

104
src/detect-engine-mpm.c
Unescape Escape View File

@ -598,6 +598,40 @@ uint32_t HttpStatCodePatternSearch(DetectEngineThreadCtx *det_ctx,
SCReturnUInt(ret); SCReturnUInt(ret);
} }
/**
* \brief Http user agent match -- searches for one pattern per signature.
*
* \param det_ctx Detection engine thread ctx.
* \param cookie User-Agent to inspect.
* \param cookie_len User-Agent buffer length.
*
* \retval ret Number of matches.
*/
uint32_t HttpUAPatternSearch(DetectEngineThreadCtx *det_ctx,
uint8_t *ua, uint32_t ua_len, uint8_t flags)
{
SCEnter();
uint32_t ret;
if (flags & STREAM_TOSERVER) {
if (det_ctx->sgh->mpm_huad_ctx_ts == NULL)
SCReturnUInt(0);
ret = mpm_table[det_ctx->sgh->mpm_huad_ctx_ts->mpm_type].
Search(det_ctx->sgh->mpm_huad_ctx_ts, &det_ctx->mtcu,
&det_ctx->pmq, ua, ua_len);
} else {
if (det_ctx->sgh->mpm_huad_ctx_tc == NULL)
SCReturnUInt(0);
ret = mpm_table[det_ctx->sgh->mpm_huad_ctx_tc->mpm_type].
Search(det_ctx->sgh->mpm_huad_ctx_tc, &det_ctx->mtcu,
&det_ctx->pmq, ua, ua_len);
}
SCReturnUInt(ret);
}
/** \brief Pattern match -- searches for only one pattern per signature. /** \brief Pattern match -- searches for only one pattern per signature.
* *
* \param det_ctx detection engine thread ctx * \param det_ctx detection engine thread ctx
@ -1260,6 +1294,7 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
case DETECT_SM_LIST_HCDMATCH: case DETECT_SM_LIST_HCDMATCH:
case DETECT_SM_LIST_HSMDMATCH: case DETECT_SM_LIST_HSMDMATCH:
case DETECT_SM_LIST_HSCDMATCH: case DETECT_SM_LIST_HSCDMATCH:
case DETECT_SM_LIST_HUADMATCH:
{ {
MpmCtx *mpm_ctx_ts = NULL; MpmCtx *mpm_ctx_ts = NULL;
MpmCtx *mpm_ctx_tc = NULL; MpmCtx *mpm_ctx_tc = NULL;
@ -1336,6 +1371,13 @@ static void PopulateMpmAddPatternToMpm(DetectEngineCtx *de_ctx,
mpm_ctx_tc = sgh->mpm_hscd_ctx_tc; mpm_ctx_tc = sgh->mpm_hscd_ctx_tc;
sgh_flags = SIG_GROUP_HEAD_MPM_HSCD; sgh_flags = SIG_GROUP_HEAD_MPM_HSCD;
cd_flags = DETECT_CONTENT_HSCD_MPM; cd_flags = DETECT_CONTENT_HSCD_MPM;
} else if (sm_list == DETECT_SM_LIST_HUADMATCH) {
if (s->flags & SIG_FLAG_TOSERVER)
mpm_ctx_ts = sgh->mpm_huad_ctx_ts;
if (s->flags & SIG_FLAG_TOCLIENT)
mpm_ctx_tc = sgh->mpm_huad_ctx_tc;
sgh_flags = SIG_GROUP_HEAD_MPM_HUAD;
cd_flags = DETECT_CONTENT_HUAD_MPM;
} }
cd = (DetectContentData *)mpm_sm->ctx; cd = (DetectContentData *)mpm_sm->ctx;
@ -1631,6 +1673,8 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
uint32_t has_co_hsmd = 0; uint32_t has_co_hsmd = 0;
/* used to indicate if sgh has atleast one sig with http_stat_code */ /* used to indicate if sgh has atleast one sig with http_stat_code */
uint32_t has_co_hscd = 0; uint32_t has_co_hscd = 0;
/* used to indicate if sgh has atleast one sig with http_user_agent */
uint32_t has_co_huad = 0;
//uint32_t cnt = 0; //uint32_t cnt = 0;
uint32_t sig = 0; uint32_t sig = 0;
@ -1686,6 +1730,10 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
if (s->sm_lists[DETECT_SM_LIST_HSCDMATCH] != NULL) { if (s->sm_lists[DETECT_SM_LIST_HSCDMATCH] != NULL) {
has_co_hscd = 1; has_co_hscd = 1;
} }
if (s->sm_lists[DETECT_SM_LIST_HUADMATCH] != NULL) {
has_co_huad = 1;
}
} }
if (has_co_packet > 0) { if (has_co_packet > 0) {
@ -1724,6 +1772,9 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
if (has_co_hscd > 0) { if (has_co_hscd > 0) {
sh->flags |= SIG_GROUP_HAVEHSCDCONTENT; sh->flags |= SIG_GROUP_HAVEHSCDCONTENT;
} }
if (has_co_huad > 0) {
sh->flags |= SIG_GROUP_HAVEHUADCONTENT;
}
/* intialize contexes */ /* intialize contexes */
if (sh->flags & SIG_GROUP_HAVECONTENT) { if (sh->flags & SIG_GROUP_HAVECONTENT) {
@ -2025,6 +2076,28 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
#endif #endif
} }
if (sh->flags & SIG_GROUP_HAVEHUADCONTENT) {
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_SINGLE) {
sh->mpm_huad_ctx_ts = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_huad, 0);
sh->mpm_huad_ctx_tc = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_huad, 1);
} else {
sh->mpm_huad_ctx_ts = MpmFactoryGetMpmCtxForProfile(MPM_CTX_FACTORY_UNIQUE_CONTEXT, 0);
sh->mpm_huad_ctx_tc = MpmFactoryGetMpmCtxForProfile(MPM_CTX_FACTORY_UNIQUE_CONTEXT, 1);
}
if (sh->mpm_huad_ctx_ts == NULL || sh->mpm_huad_ctx_tc == NULL) {
SCLogDebug("sh->mpm_huad_ctx == NULL. This should never happen");
exit(EXIT_FAILURE);
}
#ifndef __SC_CUDA_SUPPORT__
MpmInitCtx(sh->mpm_huad_ctx_ts, de_ctx->mpm_matcher, -1);
MpmInitCtx(sh->mpm_huad_ctx_tc, de_ctx->mpm_matcher, -1);
#else
MpmInitCtx(sh->mpm_huad_ctx_ts, de_ctx->mpm_matcher, de_ctx->cuda_rc_mod_handle);
MpmInitCtx(sh->mpm_huad_ctx_tc, de_ctx->mpm_matcher, de_ctx->cuda_rc_mod_handle);
#endif
}
if (sh->flags & SIG_GROUP_HAVECONTENT || if (sh->flags & SIG_GROUP_HAVECONTENT ||
sh->flags & SIG_GROUP_HAVESTREAMCONTENT || sh->flags & SIG_GROUP_HAVESTREAMCONTENT ||
sh->flags & SIG_GROUP_HAVEURICONTENT || sh->flags & SIG_GROUP_HAVEURICONTENT ||
@ -2036,7 +2109,8 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
sh->flags & SIG_GROUP_HAVEHCDCONTENT || sh->flags & SIG_GROUP_HAVEHCDCONTENT ||
sh->flags & SIG_GROUP_HAVEHSMDCONTENT || sh->flags & SIG_GROUP_HAVEHSMDCONTENT ||
sh->flags & SIG_GROUP_HAVEHSCDCONTENT || sh->flags & SIG_GROUP_HAVEHSCDCONTENT ||
sh->flags & SIG_GROUP_HAVEHRUDCONTENT) { sh->flags & SIG_GROUP_HAVEHRUDCONTENT ||
sh->flags & SIG_GROUP_HAVEHUADCONTENT) {
PatternMatchPreparePopulateMpm(de_ctx, sh); PatternMatchPreparePopulateMpm(de_ctx, sh);
@ -2386,6 +2460,30 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
} }
} }
} }
if (sh->mpm_huad_ctx_ts != NULL) {
if (sh->mpm_huad_ctx_ts->pattern_cnt == 0) {
MpmFactoryReClaimMpmCtx(sh->mpm_huad_ctx_ts);
sh->mpm_huad_ctx_ts = NULL;
} else {
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL &&
sh->flags & SIG_GROUP_HAVEHUADCONTENT) {
if (mpm_table[sh->mpm_huad_ctx_ts->mpm_type].Prepare != NULL)
mpm_table[sh->mpm_huad_ctx_ts->mpm_type].Prepare(sh->mpm_huad_ctx_ts);
}
}
}
if (sh->mpm_huad_ctx_tc != NULL) {
if (sh->mpm_huad_ctx_tc->pattern_cnt == 0) {
MpmFactoryReClaimMpmCtx(sh->mpm_huad_ctx_tc);
sh->mpm_huad_ctx_tc = NULL;
} else {
if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL &&
sh->flags & SIG_GROUP_HAVEHUADCONTENT) {
if (mpm_table[sh->mpm_huad_ctx_tc->mpm_type].Prepare != NULL)
mpm_table[sh->mpm_huad_ctx_tc->mpm_type].Prepare(sh->mpm_huad_ctx_tc);
}
}
}
//} /* if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL) */ //} /* if (de_ctx->sgh_mpm_context == ENGINE_SGH_MPM_FACTORY_CONTEXT_FULL) */
} else { } else {
MpmFactoryReClaimMpmCtx(sh->mpm_proto_other_ctx); MpmFactoryReClaimMpmCtx(sh->mpm_proto_other_ctx);
@ -2415,6 +2513,8 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
sh->mpm_hsmd_ctx_ts = NULL; sh->mpm_hsmd_ctx_ts = NULL;
MpmFactoryReClaimMpmCtx(sh->mpm_hscd_ctx_ts); MpmFactoryReClaimMpmCtx(sh->mpm_hscd_ctx_ts);
sh->mpm_hscd_ctx_ts = NULL; sh->mpm_hscd_ctx_ts = NULL;
MpmFactoryReClaimMpmCtx(sh->mpm_huad_ctx_ts);
sh->mpm_huad_ctx_ts = NULL;
MpmFactoryReClaimMpmCtx(sh->mpm_proto_tcp_ctx_tc); MpmFactoryReClaimMpmCtx(sh->mpm_proto_tcp_ctx_tc);
sh->mpm_proto_tcp_ctx_tc = NULL; sh->mpm_proto_tcp_ctx_tc = NULL;
@ -2440,6 +2540,8 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
sh->mpm_hsmd_ctx_tc = NULL; sh->mpm_hsmd_ctx_tc = NULL;
MpmFactoryReClaimMpmCtx(sh->mpm_hscd_ctx_tc); MpmFactoryReClaimMpmCtx(sh->mpm_hscd_ctx_tc);
sh->mpm_hscd_ctx_tc = NULL; sh->mpm_hscd_ctx_tc = NULL;
MpmFactoryReClaimMpmCtx(sh->mpm_huad_ctx_tc);
sh->mpm_huad_ctx_tc = NULL;
} }
return 0; return 0;

1
src/detect-engine-mpm.h
Unescape Escape View File

@ -47,6 +47,7 @@ uint32_t HttpCookiePatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, u
uint32_t HttpRawUriPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t); uint32_t HttpRawUriPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t);
uint32_t HttpStatMsgPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t); uint32_t HttpStatMsgPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t);
uint32_t HttpStatCodePatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t); uint32_t HttpStatCodePatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t);
uint32_t HttpUAPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t);
void PacketPatternCleanup(ThreadVars *, DetectEngineThreadCtx *); void PacketPatternCleanup(ThreadVars *, DetectEngineThreadCtx *);
void StreamPatternCleanup(ThreadVars *t, DetectEngineThreadCtx *det_ctx, StreamMsg *smsg); void StreamPatternCleanup(ThreadVars *t, DetectEngineThreadCtx *det_ctx, StreamMsg *smsg);

39
src/detect-engine-state.c
Unescape Escape View File

@ -66,6 +66,7 @@
#include "detect-engine-hrud.h" #include "detect-engine-hrud.h"
#include "detect-engine-hsmd.h" #include "detect-engine-hsmd.h"
#include "detect-engine-hscd.h" #include "detect-engine-hscd.h"
#include "detect-engine-hua.h"
#include "detect-engine-dcepayload.h" #include "detect-engine-dcepayload.h"
#include "detect-engine-file.h" #include "detect-engine-file.h"
@ -264,7 +265,7 @@ int DeStateUpdateInspectTransactionId(Flow *f, char direction) {
* many args is slow. * many args is slow.
*/ */
static void DeStateSignatureAppend(DetectEngineState *state, Signature *s, static void DeStateSignatureAppend(DetectEngineState *state, Signature *s,
SigMatch *sm, uint16_t match_flags) { SigMatch *sm, uint32_t match_flags) {
DeStateStore *store = state->tail; DeStateStore *store = state->tail;
if (store == NULL) { if (store == NULL) {
@ -396,8 +397,8 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
SigMatch *sm = s->sm_lists[DETECT_SM_LIST_AMATCH]; SigMatch *sm = s->sm_lists[DETECT_SM_LIST_AMATCH];
int match = 0; int match = 0;
int r = 0; int r = 0;
uint16_t inspect_flags = 0; uint32_t inspect_flags = 0;
uint16_t match_flags = 0; uint32_t match_flags = 0;
uint16_t file_no_match = 0; uint16_t file_no_match = 0;
if (alstate == NULL) { if (alstate == NULL) {
@ -503,6 +504,14 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
if (s->sm_lists[DETECT_SM_LIST_HSCDMATCH] != NULL) { if (s->sm_lists[DETECT_SM_LIST_HSCDMATCH] != NULL) {
inspect_flags |= DE_STATE_FLAG_HSCD_INSPECT; inspect_flags |= DE_STATE_FLAG_HSCD_INSPECT;
} }
if (s->sm_lists[DETECT_SM_LIST_HUADMATCH] != NULL) {
inspect_flags |= DE_STATE_FLAG_HUAD_INSPECT;
if (DetectEngineInspectHttpUA(de_ctx, det_ctx, s, f,
flags, alstate) == 1) {
match_flags |= DE_STATE_FLAG_HUAD_MATCH;
}
SCLogDebug("inspecting http cookie");
}
} else if (flags & STREAM_TOCLIENT) { } else if (flags & STREAM_TOCLIENT) {
/* For to client set the flags in inspect so it can't match /* For to client set the flags in inspect so it can't match
* if the sig requires something only the request has. The rest * if the sig requires something only the request has. The rest
@ -588,6 +597,9 @@ int DeStateDetectStartDetection(ThreadVars *tv, DetectEngineCtx *de_ctx,
} }
SCLogDebug("inspecting http stat code"); SCLogDebug("inspecting http stat code");
} }
if (s->sm_lists[DETECT_SM_LIST_HUADMATCH] != NULL) {
inspect_flags |= DE_STATE_FLAG_HUAD_INSPECT;
}
} }
} else if (alproto == ALPROTO_DCERPC || alproto == ALPROTO_SMB || alproto == ALPROTO_SMB2) { } else if (alproto == ALPROTO_DCERPC || alproto == ALPROTO_SMB || alproto == ALPROTO_SMB2) {
if (s->sm_lists[DETECT_SM_LIST_DMATCH] != NULL) { if (s->sm_lists[DETECT_SM_LIST_DMATCH] != NULL) {
@ -701,8 +713,8 @@ int DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, Dete
SigIntId cnt = 0; SigIntId cnt = 0;
SigIntId store_cnt = 0; SigIntId store_cnt = 0;
DeStateStore *store = NULL; DeStateStore *store = NULL;
uint16_t inspect_flags = 0; uint32_t inspect_flags = 0;
uint16_t match_flags = 0; uint32_t match_flags = 0;
int match = 0; int match = 0;
uint16_t file_no_match = 0; uint16_t file_no_match = 0;
@ -927,6 +939,18 @@ int DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, Dete
inspect_flags |= DE_STATE_FLAG_HSCD_INSPECT; inspect_flags |= DE_STATE_FLAG_HSCD_INSPECT;
} }
} }
if (s->sm_lists[DETECT_SM_LIST_HUADMATCH] != NULL) {
if (!(item->flags & DE_STATE_FLAG_HUAD_MATCH)) {
SCLogDebug("inspecting http user agent data");
inspect_flags |= DE_STATE_FLAG_HUAD_INSPECT;
if (DetectEngineInspectHttpUA(de_ctx, det_ctx, s, f,
flags, alstate) == 1) {
SCLogDebug("http user agent matched");
match_flags |= DE_STATE_FLAG_HUAD_MATCH;
}
}
}
} else if (alproto == ALPROTO_HTTP && (flags & STREAM_TOCLIENT)) { } else if (alproto == ALPROTO_HTTP && (flags & STREAM_TOCLIENT)) {
/* For to client set the flags in inspect so it can't match /* For to client set the flags in inspect so it can't match
* if the sig requires something only the request has. The rest * if the sig requires something only the request has. The rest
@ -1039,6 +1063,11 @@ int DeStateDetectContinueDetection(ThreadVars *tv, DetectEngineCtx *de_ctx, Dete
} }
} }
} }
if (s->sm_lists[DETECT_SM_LIST_HUADMATCH] != NULL) {
if (!(item->flags & DE_STATE_FLAG_HUAD_MATCH)) {
inspect_flags |= DE_STATE_FLAG_HUAD_INSPECT;
}
}
} else if (alproto == ALPROTO_DCERPC || alproto == ALPROTO_SMB || alproto == ALPROTO_SMB2) { } else if (alproto == ALPROTO_DCERPC || alproto == ALPROTO_SMB || alproto == ALPROTO_SMB2) {
if (s->sm_lists[DETECT_SM_LIST_DMATCH] != NULL) { if (s->sm_lists[DETECT_SM_LIST_DMATCH] != NULL) {

36
src/detect-engine-state.h
Unescape Escape View File

@ -51,22 +51,23 @@
#define DE_STATE_CHUNK_SIZE 15 #define DE_STATE_CHUNK_SIZE 15
/* per stored sig flags */ /* per stored sig flags */
#define DE_STATE_FLAG_PAYLOAD_MATCH 0x0001 /**< payload part of the sig matched */ #define DE_STATE_FLAG_PAYLOAD_MATCH 1 /**< payload part of the sig matched */
#define DE_STATE_FLAG_URI_MATCH 0x0002 /**< uri part of the sig matched */ #define DE_STATE_FLAG_URI_MATCH 1 << 1 /**< uri part of the sig matched */
#define DE_STATE_FLAG_DCE_MATCH 0x0004 /**< dce payload inspection part matched */ #define DE_STATE_FLAG_DCE_MATCH 1 << 2 /**< dce payload inspection part matched */
#define DE_STATE_FLAG_HCBD_MATCH 0x0008 /**< hcbd payload inspection part matched */ #define DE_STATE_FLAG_HCBD_MATCH 1 << 3 /**< hcbd payload inspection part matched */
#define DE_STATE_FLAG_HSBD_MATCH 0x0010 /**< hcbd payload inspection part matched */ #define DE_STATE_FLAG_HSBD_MATCH 1 << 4 /**< hcbd payload inspection part matched */
#define DE_STATE_FLAG_HHD_MATCH 0x0020 /**< hhd payload inspection part matched */ #define DE_STATE_FLAG_HHD_MATCH 1 << 5 /**< hhd payload inspection part matched */
#define DE_STATE_FLAG_HRHD_MATCH 0x0040 /**< hrhd payload inspection part matched */ #define DE_STATE_FLAG_HRHD_MATCH 1 << 6 /**< hrhd payload inspection part matched */
#define DE_STATE_FLAG_HMD_MATCH 0x0080 /**< hmd payload inspection part matched */ #define DE_STATE_FLAG_HMD_MATCH 1 << 7 /**< hmd payload inspection part matched */
#define DE_STATE_FLAG_HCD_MATCH 0x0100 /**< hcd payload inspection part matched */ #define DE_STATE_FLAG_HCD_MATCH 1 << 8 /**< hcd payload inspection part matched */
#define DE_STATE_FLAG_HRUD_MATCH 0x0200 /**< hrud payload inspection part matched */ #define DE_STATE_FLAG_HRUD_MATCH 1 << 9 /**< hrud payload inspection part matched */
#define DE_STATE_FLAG_FILE_TC_MATCH 0x0400 #define DE_STATE_FLAG_FILE_TC_MATCH 1 << 10
#define DE_STATE_FLAG_FILE_TS_MATCH 0x0800 #define DE_STATE_FLAG_FILE_TS_MATCH 1 << 11
#define DE_STATE_FLAG_FULL_MATCH 0x1000 /**< sig already fully matched */ #define DE_STATE_FLAG_FULL_MATCH 1 << 12 /**< sig already fully matched */
#define DE_STATE_FLAG_SIG_CANT_MATCH 0x2000 /**< signature has no chance of matching */ #define DE_STATE_FLAG_SIG_CANT_MATCH 1 << 13 /**< signature has no chance of matching */
#define DE_STATE_FLAG_HSMD_MATCH 0x4000 /**< hsmd payload inspection part matched */ #define DE_STATE_FLAG_HSMD_MATCH 1 << 14 /**< hsmd payload inspection part matched */
#define DE_STATE_FLAG_HSCD_MATCH 0x8000 /**< hscd payload inspection part matched */ #define DE_STATE_FLAG_HSCD_MATCH 1 << 15 /**< hscd payload inspection part matched */
#define DE_STATE_FLAG_HUAD_MATCH 1 << 16 /**< huad payload inspection part matched */
#define DE_STATE_FLAG_URI_INSPECT DE_STATE_FLAG_URI_MATCH /**< uri part of the sig inspected */ #define DE_STATE_FLAG_URI_INSPECT DE_STATE_FLAG_URI_MATCH /**< uri part of the sig inspected */
#define DE_STATE_FLAG_DCE_INSPECT DE_STATE_FLAG_DCE_MATCH /**< dce payload inspection part inspected */ #define DE_STATE_FLAG_DCE_INSPECT DE_STATE_FLAG_DCE_MATCH /**< dce payload inspection part inspected */
@ -81,6 +82,7 @@
#define DE_STATE_FLAG_FILE_TS_INSPECT DE_STATE_FLAG_FILE_TS_MATCH #define DE_STATE_FLAG_FILE_TS_INSPECT DE_STATE_FLAG_FILE_TS_MATCH
#define DE_STATE_FLAG_HSMD_INSPECT DE_STATE_FLAG_HSMD_MATCH /**< hsmd payload inspection part inspected */ #define DE_STATE_FLAG_HSMD_INSPECT DE_STATE_FLAG_HSMD_MATCH /**< hsmd payload inspection part inspected */
#define DE_STATE_FLAG_HSCD_INSPECT DE_STATE_FLAG_HSCD_MATCH /**< hscd payload inspection part inspected */ #define DE_STATE_FLAG_HSCD_INSPECT DE_STATE_FLAG_HSCD_MATCH /**< hscd payload inspection part inspected */
#define DE_STATE_FLAG_HUAD_INSPECT DE_STATE_FLAG_HUAD_MATCH /**< huad payload inspection part inspected */
/* state flags */ /* state flags */
#define DE_STATE_FILE_STORE_DISABLED 0x0001 #define DE_STATE_FILE_STORE_DISABLED 0x0001
@ -100,7 +102,7 @@ typedef enum {
typedef struct DeStateStoreItem_ { typedef struct DeStateStoreItem_ {
SigIntId sid; /**< Signature internal id to store the state for (16 or SigIntId sid; /**< Signature internal id to store the state for (16 or
* 32 bit depending on how SigIntId is defined). */ * 32 bit depending on how SigIntId is defined). */
uint16_t flags; /**< flags */ uint32_t flags; /**< flags */
SigMatch *nm; /**< next sig match to try, or null if done */ SigMatch *nm; /**< next sig match to try, or null if done */
} DeStateStoreItem; } DeStateStoreItem;

1239
src/detect-fast-pattern.c
View File

File diff suppressed because it is too large Load Diff

2354
src/detect-http-ua.c
View File

File diff suppressed because it is too large Load Diff

29
src/detect-http-ua.h
Unescape Escape View File

@ -0,0 +1,29 @@
/* Copyright (C) 2007-2012 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Anoop Saldanha <anoopsaldanha@gmail.com>
*/
#ifndef __DETECT_HTTP_UA_H__
#define __DETECT_HTTP_UA_H__
void DetectHttpUARegister(void);
#endif /* __DETECT_HTTP_UA_H__ */

22
src/detect-isdataat.c
Unescape Escape View File

@ -351,41 +351,43 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst
} }
return 0; return 0;
} }
pm = SigMatchGetLastSMFromLists(s, 54, pm = SigMatchGetLastSMFromLists(s, 56,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], /* 1 */ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], /* 5 */ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], /* 10 */ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH], DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSBDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH], DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH], /* 15 */ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], /* 20 */ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH], DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_DMATCH], DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_DMATCH],
DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_UMATCH]); /* 25 */ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_UMATCH]);
if (pm == NULL) { if (pm == NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "isdataat relative seen " SCLogError(SC_ERR_INVALID_SIGNATURE, "isdataat relative seen "
"without a previous content uricontent, " "without a previous content uricontent, "
"http_client_body, http_header, http_raw_header, " "http_client_body, http_header, http_raw_header, "
"http_method, http_cookie, http_raw_uri, " "http_method, http_cookie, http_raw_uri, "
"http_stat_msg, http_stat_code, byte_test, " "http_stat_msg, http_stat_code, byte_test, "
"byte_extract, byte_jump keyword"); "byte_extract, byte_jump or http_user_agent keyword");
goto error; goto error;
} else { } else {
int list_type = SigMatchListSMBelongsTo(s, pm); int list_type = SigMatchListSMBelongsTo(s, pm);
@ -457,10 +459,6 @@ int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, char *isdataatst
return 0; return 0;
error: error:
//if (idad != NULL)
// DetectIsdataatFree(idad);
//if (sm != NULL)
// SCFree(sm);
return -1; return -1;
} }

8
src/detect-nocase.c
Unescape Escape View File

@ -74,7 +74,7 @@ static int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, char *nulls
} }
/* Search for the first previous SigMatch that supports nocase */ /* Search for the first previous SigMatch that supports nocase */
SigMatch *pm = SigMatchGetLastSMFromLists(s, 22, SigMatch *pm = SigMatchGetLastSMFromLists(s, 24,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
@ -85,12 +85,14 @@ static int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, char *nulls
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]); DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]);
if (pm == NULL) { if (pm == NULL) {
SCLogError(SC_ERR_NOCASE_MISSING_PATTERN, "\"nocase\" needs a preceeding " SCLogError(SC_ERR_NOCASE_MISSING_PATTERN, "\"nocase\" needs a preceeding "
"content, uricontent, http_client_body, http_server_body, " "content, uricontent, http_client_body, http_server_body, "
"http_header, http_method, http_uri, http_cookie, " "http_header, http_method, http_uri, http_cookie, "
"http_raw_uri, http_stat_msg or http_stat_code option"); "http_raw_uri, http_stat_msg, http_stat_code or http_user_agent "
"option");
SCReturnInt(-1); SCReturnInt(-1);
} }

9
src/detect-offset.c
Unescape Escape View File

@ -83,7 +83,7 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *offsetstr)
break; break;
default: default:
pm = SigMatchGetLastSMFromLists(s, 22, pm = SigMatchGetLastSMFromLists(s, 24,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
@ -94,13 +94,14 @@ int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, char *offsetstr)
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]); DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]);
if (pm == NULL) { if (pm == NULL) {
SCLogError(SC_ERR_OFFSET_MISSING_CONTENT, "offset needs " SCLogError(SC_ERR_OFFSET_MISSING_CONTENT, "offset needs "
"preceeding content or uricontent option, http_client_body, " "preceeding content or uricontent option, http_client_body, "
"http_header, http_raw_header, http_method, " "http_header, http_raw_header, http_method, "
"http_cookie, http_raw_uri, http_stat_msg or " "http_cookie, http_raw_uri, http_stat_msg, "
"http_stat_code option"); "http_stat_code or http_user_agent option");
if (dubbed) if (dubbed)
SCFree(str); SCFree(str);
return -1; return -1;

8
src/detect-parse.c
Unescape Escape View File

@ -1098,7 +1098,8 @@ static int SigValidate(Signature *s) {
DETECT_REPLACE, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH], DETECT_REPLACE, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
DETECT_REPLACE, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], DETECT_REPLACE, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_REPLACE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], DETECT_REPLACE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_REPLACE, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]); DETECT_REPLACE, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_REPLACE, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]);
if (pm != NULL) { if (pm != NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Signature has" SCLogError(SC_ERR_INVALID_SIGNATURE, "Signature has"
" replace keyword linked with a modified content" " replace keyword linked with a modified content"
@ -1116,7 +1117,8 @@ static int SigValidate(Signature *s) {
s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH] || s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH] ||
s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH] || s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH] ||
s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH] || s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH] ||
s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH]) s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH] ||
s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH])
{ {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Signature combines packet " SCLogError(SC_ERR_INVALID_SIGNATURE, "Signature combines packet "
"specific matches (like dsize, flags, ttl) with stream / " "specific matches (like dsize, flags, ttl) with stream / "
@ -1246,6 +1248,8 @@ static Signature *SigInitHelper(DetectEngineCtx *de_ctx, char *sigstr,
sig->flags |= SIG_FLAG_STATE_MATCH; sig->flags |= SIG_FLAG_STATE_MATCH;
if (sig->sm_lists[DETECT_SM_LIST_HSCDMATCH]) if (sig->sm_lists[DETECT_SM_LIST_HSCDMATCH])
sig->flags |= SIG_FLAG_STATE_MATCH; sig->flags |= SIG_FLAG_STATE_MATCH;
if (sig->sm_lists[DETECT_SM_LIST_HUADMATCH])
sig->flags |= SIG_FLAG_STATE_MATCH;
if (!(sig->init_flags & SIG_FLAG_INIT_FLOW)) { if (!(sig->init_flags & SIG_FLAG_INIT_FLOW)) {
sig->flags |= SIG_FLAG_TOSERVER; sig->flags |= SIG_FLAG_TOSERVER;

21
src/detect-pcre.c
Unescape Escape View File

@ -850,6 +850,13 @@ DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx, char *regexstr)
} }
pd->flags |= DETECT_PCRE_URI; pd->flags |= DETECT_PCRE_URI;
break; break;
case 'V':
if (pd->flags & DETECT_PCRE_RAWBYTES) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'V' inconsistent with 'B'");
goto error;
}
pd->flags |= DETECT_PCRE_HTTP_USER_AGENT;
break;
case 'H': /* snort's option */ case 'H': /* snort's option */
if (pd->flags & DETECT_PCRE_RAW_HEADER) { if (pd->flags & DETECT_PCRE_RAW_HEADER) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'H' inconsistent with 'D'"); SCLogError(SC_ERR_INVALID_SIGNATURE, "regex modifier 'H' inconsistent with 'D'");
@ -1100,7 +1107,8 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
(pd->flags & DETECT_PCRE_HTTP_STAT_CODE) || (pd->flags & DETECT_PCRE_HTTP_STAT_CODE) ||
(pd->flags & DETECT_PCRE_HTTP_CLIENT_BODY) || (pd->flags & DETECT_PCRE_HTTP_CLIENT_BODY) ||
(pd->flags & DETECT_PCRE_HTTP_SERVER_BODY) || (pd->flags & DETECT_PCRE_HTTP_SERVER_BODY) ||
(pd->flags & DETECT_PCRE_HTTP_RAW_URI) ) { (pd->flags & DETECT_PCRE_HTTP_RAW_URI) ||
(pd->flags & DETECT_PCRE_HTTP_USER_AGENT) ) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option. " SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option. "
"DCERPC rule has pcre keyword with http related modifier."); "DCERPC rule has pcre keyword with http related modifier.");
goto error; goto error;
@ -1142,6 +1150,17 @@ static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, char *regexst
s->alproto = ALPROTO_HTTP; s->alproto = ALPROTO_HTTP;
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HCDMATCH); SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HCDMATCH);
} else if (pd->flags & DETECT_PCRE_HTTP_USER_AGENT) {
SCLogDebug("User-Agent inspection modifier set on pcre");
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains "
"conflicting keywords.");
goto error;
}
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_HTTP;
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_HUADMATCH);
} else if (pd->flags & DETECT_PCRE_METHOD) { } else if (pd->flags & DETECT_PCRE_METHOD) {
//sm->type = DETECT_PCRE_HTTPMETHOD; //sm->type = DETECT_PCRE_HTTPMETHOD;

4
src/detect-pcre.h
Unescape Escape View File

@ -45,8 +45,10 @@
#define DETECT_PCRE_HTTP_RAW_URI 0x02000 #define DETECT_PCRE_HTTP_RAW_URI 0x02000
#define DETECT_PCRE_HTTP_STAT_MSG 0x04000 #define DETECT_PCRE_HTTP_STAT_MSG 0x04000
#define DETECT_PCRE_HTTP_STAT_CODE 0x08000 #define DETECT_PCRE_HTTP_STAT_CODE 0x08000
#define DETECT_PCRE_HTTP_USER_AGENT 0x10000
#define DETECT_PCRE_NEGATE 0x10000
#define DETECT_PCRE_NEGATE 0x20000
typedef struct DetectPcreData_ { typedef struct DetectPcreData_ {
/* pcre options */ /* pcre options */

8
src/detect-within.c
Unescape Escape View File

@ -163,7 +163,7 @@ static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withi
} }
} }
} else { } else {
pm = SigMatchGetLastSMFromLists(s, 22, pm = SigMatchGetLastSMFromLists(s, 24,
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
@ -174,13 +174,15 @@ static int DetectWithinSetup (DetectEngineCtx *de_ctx, Signature *s, char *withi
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH], DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH]); DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH]);
if (pm == NULL) { if (pm == NULL) {
SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "\"within\" requires " SCLogError(SC_ERR_WITHIN_MISSING_CONTENT, "\"within\" requires "
"preceeding content, uricontent, http_client_body, " "preceeding content, uricontent, http_client_body, "
"http_server_body, http_header, http_raw_header, " "http_server_body, http_header, http_raw_header, "
"http_method, http_cookie, http_raw_uri, " "http_method, http_cookie, http_raw_uri, "
"http_stat_msg or http_stat_code option"); "http_stat_msg, http_stat_code or http_user_agent "
"option");
if (dubbed) if (dubbed)
SCFree(str); SCFree(str);
return -1; return -1;

34
src/detect.c
Unescape Escape View File

@ -50,6 +50,7 @@
#include "detect-http-cookie.h" #include "detect-http-cookie.h"
#include "detect-http-method.h" #include "detect-http-method.h"
#include "detect-http-ua.h"
#include "detect-engine-event.h" #include "detect-engine-event.h"
#include "decode.h" #include "decode.h"
@ -131,6 +132,7 @@
#include "detect-engine-hrud.h" #include "detect-engine-hrud.h"
#include "detect-engine-hsmd.h" #include "detect-engine-hsmd.h"
#include "detect-engine-hscd.h" #include "detect-engine-hscd.h"
#include "detect-engine-hua.h"
#include "detect-byte-extract.h" #include "detect-byte-extract.h"
#include "detect-file-data.h" #include "detect-file-data.h"
#include "detect-replace.h" #include "detect-replace.h"
@ -1250,6 +1252,11 @@ static inline void DetectMpmPrefilter(DetectEngineCtx *de_ctx,
DetectEngineRunHttpStatCodeMpm(det_ctx, p->flow, alstate, flags); DetectEngineRunHttpStatCodeMpm(det_ctx, p->flow, alstate, flags);
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HSCD); PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HSCD);
} }
if (det_ctx->sgh->flags & SIG_GROUP_HEAD_MPM_HUAD) {
PACKET_PROFILING_DETECT_START(p, PROF_DETECT_MPM_HUAD);
DetectEngineRunHttpUAMpm(det_ctx, p->flow, alstate, flags);
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_MPM_HUAD);
}
} }
} else { } else {
SCLogDebug("NOT p->flowflags & FLOW_PKT_ESTABLISHED"); SCLogDebug("NOT p->flowflags & FLOW_PKT_ESTABLISHED");
@ -1978,6 +1985,9 @@ int SignatureIsIPOnly(DetectEngineCtx *de_ctx, Signature *s) {
if (s->sm_lists[DETECT_SM_LIST_HSCDMATCH] != NULL) if (s->sm_lists[DETECT_SM_LIST_HSCDMATCH] != NULL)
return 0; return 0;
if (s->sm_lists[DETECT_SM_LIST_HUADMATCH] != NULL)
return 0;
if (s->sm_lists[DETECT_SM_LIST_AMATCH] != NULL) if (s->sm_lists[DETECT_SM_LIST_AMATCH] != NULL)
return 0; return 0;
@ -2058,7 +2068,8 @@ static int SignatureIsDEOnly(DetectEngineCtx *de_ctx, Signature *s) {
s->sm_lists[DETECT_SM_LIST_HCDMATCH] != NULL || s->sm_lists[DETECT_SM_LIST_HCDMATCH] != NULL ||
s->sm_lists[DETECT_SM_LIST_HSMDMATCH] != NULL || s->sm_lists[DETECT_SM_LIST_HSMDMATCH] != NULL ||
s->sm_lists[DETECT_SM_LIST_HSCDMATCH] != NULL || s->sm_lists[DETECT_SM_LIST_HSCDMATCH] != NULL ||
s->sm_lists[DETECT_SM_LIST_HRUDMATCH] != NULL) s->sm_lists[DETECT_SM_LIST_HRUDMATCH] != NULL ||
s->sm_lists[DETECT_SM_LIST_HUADMATCH] != NULL)
{ {
SCReturnInt(0); SCReturnInt(0);
} }
@ -2209,6 +2220,11 @@ static int SignatureCreateMask(Signature *s) {
SCLogDebug("sig requires http app state"); SCLogDebug("sig requires http app state");
} }
if (s->sm_lists[DETECT_SM_LIST_HUADMATCH] != NULL) {
s->mask |= SIG_MASK_REQUIRE_HTTP_STATE;
SCLogDebug("sig requires http app state");
}
SigMatch *sm; SigMatch *sm;
for (sm = s->sm_lists[DETECT_SM_LIST_AMATCH] ; sm != NULL; sm = sm->next) { for (sm = s->sm_lists[DETECT_SM_LIST_AMATCH] ; sm != NULL; sm = sm->next) {
switch(sm->type) { switch(sm->type) {
@ -2366,6 +2382,9 @@ static void SigInitStandardMpmFactoryContexts(DetectEngineCtx *de_ctx)
de_ctx->sgh_mpm_context_hscd = de_ctx->sgh_mpm_context_hscd =
MpmFactoryRegisterMpmCtxProfile("hscd", MpmFactoryRegisterMpmCtxProfile("hscd",
MPM_CTX_FACTORY_FLAGS_PREPARE_WITH_SIG_GROUP_BUILD); MPM_CTX_FACTORY_FLAGS_PREPARE_WITH_SIG_GROUP_BUILD);
de_ctx->sgh_mpm_context_huad =
MpmFactoryRegisterMpmCtxProfile("huad",
MPM_CTX_FACTORY_FLAGS_PREPARE_WITH_SIG_GROUP_BUILD);
de_ctx->sgh_mpm_context_app_proto_detect = de_ctx->sgh_mpm_context_app_proto_detect =
MpmFactoryRegisterMpmCtxProfile("app_proto_detect", 0); MpmFactoryRegisterMpmCtxProfile("app_proto_detect", 0);
@ -4425,6 +4444,18 @@ int SigGroupBuild (DetectEngineCtx *de_ctx) {
mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx); mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
} }
//printf("hscd- %d\n", mpm_ctx->pattern_cnt); //printf("hscd- %d\n", mpm_ctx->pattern_cnt);
mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_huad, 0);
if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
}
//printf("huad- %d\n", mpm_ctx->pattern_cnt);
mpm_ctx = MpmFactoryGetMpmCtxForProfile(de_ctx->sgh_mpm_context_huad, 1);
if (mpm_table[de_ctx->mpm_matcher].Prepare != NULL) {
mpm_table[de_ctx->mpm_matcher].Prepare(mpm_ctx);
}
//printf("huad- %d\n", mpm_ctx->pattern_cnt);
} }
// SigAddressPrepareStage5(de_ctx); // SigAddressPrepareStage5(de_ctx);
@ -4541,6 +4572,7 @@ void SigTableSetup(void) {
DetectFilemagicRegister(); DetectFilemagicRegister();
DetectFileMd5Register(); DetectFileMd5Register();
DetectAppLayerEventRegister(); DetectAppLayerEventRegister();
DetectHttpUARegister();
uint8_t i = 0; uint8_t i = 0;
for (i = 0; i < DETECT_TBLSIZE; i++) { for (i = 0; i < DETECT_TBLSIZE; i++) {

8
src/detect.h
Unescape Escape View File

@ -104,6 +104,8 @@ enum {
DETECT_SM_LIST_HSMDMATCH, DETECT_SM_LIST_HSMDMATCH,
/* list for http_stat_code keyword and the ones relative to it */ /* list for http_stat_code keyword and the ones relative to it */
DETECT_SM_LIST_HSCDMATCH, DETECT_SM_LIST_HSCDMATCH,
/* list for http_user_agent keyword and the ones relative to it */
DETECT_SM_LIST_HUADMATCH,
DETECT_SM_LIST_FILEMATCH, DETECT_SM_LIST_FILEMATCH,
@ -645,6 +647,7 @@ typedef struct DetectEngineCtx_ {
int32_t sgh_mpm_context_hrud; int32_t sgh_mpm_context_hrud;
int32_t sgh_mpm_context_hsmd; int32_t sgh_mpm_context_hsmd;
int32_t sgh_mpm_context_hscd; int32_t sgh_mpm_context_hscd;
int32_t sgh_mpm_context_huad;
int32_t sgh_mpm_context_app_proto_detect; int32_t sgh_mpm_context_app_proto_detect;
/** sgh for signatures that match against invalid packets. In those cases /** sgh for signatures that match against invalid packets. In those cases
@ -823,6 +826,8 @@ typedef struct SigTableElmt_ {
#define SIG_GROUP_HEAD_MPM_HSMD 0x08000000 #define SIG_GROUP_HEAD_MPM_HSMD 0x08000000
#define SIG_GROUP_HAVEHSCDCONTENT 0x10000000 #define SIG_GROUP_HAVEHSCDCONTENT 0x10000000
#define SIG_GROUP_HEAD_MPM_HSCD 0x20000000 #define SIG_GROUP_HEAD_MPM_HSCD 0x20000000
#define SIG_GROUP_HAVEHUADCONTENT 0x40000000
#define SIG_GROUP_HEAD_MPM_HUAD 0x80000000
typedef struct SigGroupHeadInitData_ { typedef struct SigGroupHeadInitData_ {
/* list of content containers /* list of content containers
@ -880,6 +885,7 @@ typedef struct SigGroupHead_ {
MpmCtx *mpm_hrud_ctx_ts; MpmCtx *mpm_hrud_ctx_ts;
MpmCtx *mpm_hsmd_ctx_ts; MpmCtx *mpm_hsmd_ctx_ts;
MpmCtx *mpm_hscd_ctx_ts; MpmCtx *mpm_hscd_ctx_ts;
MpmCtx *mpm_huad_ctx_ts;
MpmCtx *mpm_proto_tcp_ctx_tc; MpmCtx *mpm_proto_tcp_ctx_tc;
MpmCtx *mpm_proto_udp_ctx_tc; MpmCtx *mpm_proto_udp_ctx_tc;
@ -894,6 +900,7 @@ typedef struct SigGroupHead_ {
MpmCtx *mpm_hrud_ctx_tc; MpmCtx *mpm_hrud_ctx_tc;
MpmCtx *mpm_hsmd_ctx_tc; MpmCtx *mpm_hsmd_ctx_tc;
MpmCtx *mpm_hscd_ctx_tc; MpmCtx *mpm_hscd_ctx_tc;
MpmCtx *mpm_huad_ctx_tc;
uint16_t mpm_uricontent_maxlen; uint16_t mpm_uricontent_maxlen;
@ -998,6 +1005,7 @@ enum {
DETECT_AL_HTTP_RAW_URI, DETECT_AL_HTTP_RAW_URI,
DETECT_AL_HTTP_STAT_MSG, DETECT_AL_HTTP_STAT_MSG,
DETECT_AL_HTTP_STAT_CODE, DETECT_AL_HTTP_STAT_CODE,
DETECT_AL_HTTP_USER_AGENT,
DETECT_AL_SSH_PROTOVERSION, DETECT_AL_SSH_PROTOVERSION,
DETECT_AL_SSH_SOFTWAREVERSION, DETECT_AL_SSH_SOFTWAREVERSION,
DETECT_AL_SSL_VERSION, DETECT_AL_SSL_VERSION,

1
src/suricata-common.h
Unescape Escape View File

@ -188,6 +188,7 @@ typedef enum PacketProfileDetectId_ {
PROF_DETECT_MPM_HRUD, PROF_DETECT_MPM_HRUD,
PROF_DETECT_MPM_HSMD, PROF_DETECT_MPM_HSMD,
PROF_DETECT_MPM_HSCD, PROF_DETECT_MPM_HSCD,
PROF_DETECT_MPM_HUAD,
PROF_DETECT_IPONLY, PROF_DETECT_IPONLY,
PROF_DETECT_RULES, PROF_DETECT_RULES,
PROF_DETECT_STATEFUL, PROF_DETECT_STATEFUL,

2
src/suricata.c
Unescape Escape View File

@ -74,6 +74,7 @@
#include "detect-engine-hrud.h" #include "detect-engine-hrud.h"
#include "detect-engine-hsmd.h" #include "detect-engine-hsmd.h"
#include "detect-engine-hscd.h" #include "detect-engine-hscd.h"
#include "detect-engine-hua.h"
#include "detect-engine-state.h" #include "detect-engine-state.h"
#include "detect-engine-tag.h" #include "detect-engine-tag.h"
#include "detect-fast-pattern.h" #include "detect-fast-pattern.h"
@ -1523,6 +1524,7 @@ int main(int argc, char **argv)
DetectEngineHttpRawUriRegisterTests(); DetectEngineHttpRawUriRegisterTests();
DetectEngineHttpStatMsgRegisterTests(); DetectEngineHttpStatMsgRegisterTests();
DetectEngineHttpStatCodeRegisterTests(); DetectEngineHttpStatCodeRegisterTests();
DetectEngineHttpUARegisterTests();
DetectEngineRegisterTests(); DetectEngineRegisterTests();
SCLogRegisterTests(); SCLogRegisterTests();
SMTPParserRegisterTests(); SMTPParserRegisterTests();

Write Preview
Loading…
Cancel
Save