detect: move keyword registration into own file

pull/3077/head
Victor Julien 8 years ago
parent 90569d5fd6
commit c374324916

@ -142,6 +142,7 @@ detect-engine-prefilter.c detect-engine-prefilter.h \
detect-engine-prefilter-common.c detect-engine-prefilter-common.h \
detect-engine-proto.c detect-engine-proto.h \
detect-engine-profile.c detect-engine-profile.h \
detect-engine-register.c detect-engine-register.h \
detect-engine-siggroup.c detect-engine-siggroup.h \
detect-engine-sigorder.c detect-engine-sigorder.h \
detect-engine-state.c detect-engine-state.h \

@ -0,0 +1,503 @@
/* Copyright (C) 2007-2017 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Victor Julien <victor@inliniac.net>
*/
#include "suricata-common.h"
#include "suricata.h"
#include "debug.h"
#include "detect.h"
#include "flow.h"
#include "flow-private.h"
#include "flow-bit.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-profile.h"
#include "detect-engine-alert.h"
#include "detect-engine-siggroup.h"
#include "detect-engine-address.h"
#include "detect-engine-proto.h"
#include "detect-engine-port.h"
#include "detect-engine-mpm.h"
#include "detect-engine-iponly.h"
#include "detect-engine-threshold.h"
#include "detect-engine-prefilter.h"
#include "detect-engine-payload.h"
#include "detect-engine-dcepayload.h"
#include "detect-engine-uri.h"
#include "detect-dns-query.h"
#include "detect-tls-sni.h"
#include "detect-tls-cert-fingerprint.h"
#include "detect-tls-cert-issuer.h"
#include "detect-tls-cert-subject.h"
#include "detect-tls-cert-serial.h"
#include "detect-engine-state.h"
#include "detect-engine-analyzer.h"
#include "detect-engine-filedata-smtp.h"
#include "detect-http-cookie.h"
#include "detect-http-method.h"
#include "detect-http-ua.h"
#include "detect-http-hh.h"
#include "detect-http-hrh.h"
#include "detect-nfs-procedure.h"
#include "detect-nfs-version.h"
#include "detect-engine-event.h"
#include "decode.h"
#include "detect-base64-decode.h"
#include "detect-base64-data.h"
#include "detect-ipopts.h"
#include "detect-flags.h"
#include "detect-fragbits.h"
#include "detect-fragoffset.h"
#include "detect-gid.h"
#include "detect-ack.h"
#include "detect-seq.h"
#include "detect-content.h"
#include "detect-uricontent.h"
#include "detect-pcre.h"
#include "detect-depth.h"
#include "detect-nocase.h"
#include "detect-rawbytes.h"
#include "detect-bytetest.h"
#include "detect-bytejump.h"
#include "detect-sameip.h"
#include "detect-l3proto.h"
#include "detect-ipproto.h"
#include "detect-within.h"
#include "detect-distance.h"
#include "detect-offset.h"
#include "detect-sid.h"
#include "detect-prefilter.h"
#include "detect-priority.h"
#include "detect-classtype.h"
#include "detect-reference.h"
#include "detect-tag.h"
#include "detect-threshold.h"
#include "detect-metadata.h"
#include "detect-msg.h"
#include "detect-rev.h"
#include "detect-flow.h"
#include "detect-window.h"
#include "detect-ftpbounce.h"
#include "detect-isdataat.h"
#include "detect-id.h"
#include "detect-rpc.h"
#include "detect-asn1.h"
#include "detect-filename.h"
#include "detect-fileext.h"
#include "detect-filestore.h"
#include "detect-filemagic.h"
#include "detect-filemd5.h"
#include "detect-filesha1.h"
#include "detect-filesha256.h"
#include "detect-filesize.h"
#include "detect-dsize.h"
#include "detect-flowvar.h"
#include "detect-flowint.h"
#include "detect-pktvar.h"
#include "detect-noalert.h"
#include "detect-flowbits.h"
#include "detect-hostbits.h"
#include "detect-xbits.h"
#include "detect-csum.h"
#include "detect-stream_size.h"
#include "detect-engine-sigorder.h"
#include "detect-ttl.h"
#include "detect-fast-pattern.h"
#include "detect-itype.h"
#include "detect-icode.h"
#include "detect-icmp-id.h"
#include "detect-icmp-seq.h"
#include "detect-dce-iface.h"
#include "detect-dce-opnum.h"
#include "detect-dce-stub-data.h"
#include "detect-urilen.h"
#include "detect-detection-filter.h"
#include "detect-http-client-body.h"
#include "detect-http-server-body.h"
#include "detect-http-header.h"
#include "detect-http-header-names.h"
#include "detect-http-headers.h"
#include "detect-http-raw-header.h"
#include "detect-http-uri.h"
#include "detect-http-protocol.h"
#include "detect-http-start.h"
#include "detect-http-raw-uri.h"
#include "detect-http-stat-msg.h"
#include "detect-http-request-line.h"
#include "detect-http-response-line.h"
#include "detect-engine-hcbd.h"
#include "detect-engine-hsbd.h"
#include "detect-engine-hrhd.h"
#include "detect-engine-hmd.h"
#include "detect-engine-hcd.h"
#include "detect-engine-hrud.h"
#include "detect-engine-hsmd.h"
#include "detect-engine-hscd.h"
#include "detect-engine-hua.h"
#include "detect-engine-hhhd.h"
#include "detect-engine-hrhhd.h"
#include "detect-byte-extract.h"
#include "detect-file-data.h"
#include "detect-pkt-data.h"
#include "detect-replace.h"
#include "detect-tos.h"
#include "detect-app-layer-event.h"
#include "detect-lua.h"
#include "detect-iprep.h"
#include "detect-geoip.h"
#include "detect-app-layer-protocol.h"
#include "detect-template.h"
#include "detect-target.h"
#include "detect-template-buffer.h"
#include "detect-bypass.h"
#include "detect-engine-content-inspection.h"
#include "util-rule-vars.h"
#include "app-layer.h"
#include "app-layer-protos.h"
#include "app-layer-htp.h"
#include "app-layer-smtp.h"
#include "app-layer-template.h"
#include "detect-tls.h"
#include "detect-tls-cert-validity.h"
#include "detect-tls-version.h"
#include "detect-ssh-proto.h"
#include "detect-ssh-proto-version.h"
#include "detect-ssh-software.h"
#include "detect-ssh-software-version.h"
#include "detect-http-stat-code.h"
#include "detect-ssl-version.h"
#include "detect-ssl-state.h"
#include "detect-modbus.h"
#include "detect-cipservice.h"
#include "detect-dnp3.h"
#include "action-globals.h"
#include "tm-threads.h"
#include "pkt-var.h"
#include "conf.h"
#include "conf-yaml-loader.h"
#include "stream-tcp.h"
#include "stream-tcp-inline.h"
#include "util-lua.h"
#include "util-var-name.h"
#include "util-classification-config.h"
#include "util-threshold-config.h"
#include "util-print.h"
#include "util-unittest.h"
#include "util-unittest-helper.h"
#include "util-debug.h"
#include "util-hashlist.h"
#include "util-cuda.h"
#include "util-privs.h"
#include "util-profiling.h"
#include "util-validate.h"
#include "util-optimize.h"
#include "util-path.h"
#include "util-mpm-ac.h"
#include "runmodes.h"
static void PrintFeatureList(const SigTableElmt *e, char sep)
{
const uint8_t flags = e->flags;
int prev = 0;
if (flags & SIGMATCH_NOOPT) {
printf("No option");
prev = 1;
}
if (flags & SIGMATCH_IPONLY_COMPAT) {
if (prev == 1)
printf("%c", sep);
printf("compatible with IP only rule");
prev = 1;
}
if (flags & SIGMATCH_DEONLY_COMPAT) {
if (prev == 1)
printf("%c", sep);
printf("compatible with decoder event only rule");
prev = 1;
}
if (e->SupportsPrefilter) {
if (prev == 1)
printf("%c", sep);
printf("prefilter");
prev = 1;
}
if (prev == 0) {
printf("none");
}
}
static void SigMultilinePrint(int i, const char *prefix)
{
if (sigmatch_table[i].desc) {
printf("%sDescription: %s\n", prefix, sigmatch_table[i].desc);
}
printf("%sFeatures: ", prefix);
PrintFeatureList(&sigmatch_table[i], ',');
if (sigmatch_table[i].url) {
printf("\n%sDocumentation: %s", prefix, sigmatch_table[i].url);
}
printf("\n");
}
void SigTableList(const char *keyword)
{
size_t size = sizeof(sigmatch_table) / sizeof(SigTableElmt);
size_t i;
if (keyword == NULL) {
printf("=====Supported keywords=====\n");
for (i = 0; i < size; i++) {
if (sigmatch_table[i].name != NULL) {
if (sigmatch_table[i].flags & SIGMATCH_NOT_BUILT) {
printf("- %s (not built-in)\n", sigmatch_table[i].name);
} else {
printf("- %s\n", sigmatch_table[i].name);
}
}
}
} else if (strcmp("csv", keyword) == 0) {
printf("name;description;app layer;features;documentation\n");
for (i = 0; i < size; i++) {
if (sigmatch_table[i].name != NULL) {
if (sigmatch_table[i].flags & SIGMATCH_NOT_BUILT) {
continue;
}
printf("%s;", sigmatch_table[i].name);
if (sigmatch_table[i].desc) {
printf("%s", sigmatch_table[i].desc);
}
/* Build feature */
printf(";Unset;"); // this used to be alproto
PrintFeatureList(&sigmatch_table[i], ':');
printf(";");
if (sigmatch_table[i].url) {
printf("%s", sigmatch_table[i].url);
}
printf(";");
printf("\n");
}
}
} else if (strcmp("all", keyword) == 0) {
for (i = 0; i < size; i++) {
if (sigmatch_table[i].name != NULL) {
printf("%s:\n", sigmatch_table[i].name);
SigMultilinePrint(i, "\t");
}
}
} else {
for (i = 0; i < size; i++) {
if ((sigmatch_table[i].name != NULL) &&
strcmp(sigmatch_table[i].name, keyword) == 0) {
printf("= %s =\n", sigmatch_table[i].name);
if (sigmatch_table[i].flags & SIGMATCH_NOT_BUILT) {
printf("Not built-in\n");
return;
}
SigMultilinePrint(i, "");
return;
}
}
}
return;
}
void SigTableSetup(void)
{
memset(sigmatch_table, 0, sizeof(sigmatch_table));
DetectSidRegister();
DetectPriorityRegister();
DetectPrefilterRegister();
DetectRevRegister();
DetectClasstypeRegister();
DetectReferenceRegister();
DetectTagRegister();
DetectThresholdRegister();
DetectMetadataRegister();
DetectMsgRegister();
DetectAckRegister();
DetectSeqRegister();
DetectContentRegister();
DetectUricontentRegister();
/* NOTE: the order of these currently affects inspect
* engine registration order and ultimately the order
* of inspect engines in the rule. Which in turn affects
* state keeping */
DetectHttpUriRegister();
DetectHttpRequestLineRegister();
DetectHttpClientBodyRegister();
DetectHttpResponseLineRegister();
DetectHttpServerBodyRegister();
DetectHttpHeaderRegister();
DetectHttpHeaderNamesRegister();
DetectHttpHeadersRegister();
DetectHttpProtocolRegister();
DetectHttpStartRegister();
DetectHttpRawHeaderRegister();
DetectHttpMethodRegister();
DetectHttpCookieRegister();
DetectHttpRawUriRegister();
DetectFilenameRegister();
DetectFileextRegister();
DetectFilestoreRegister();
DetectFilemagicRegister();
DetectFileMd5Register();
DetectFileSha1Register();
DetectFileSha256Register();
DetectFilesizeRegister();
DetectHttpUARegister();
DetectHttpHHRegister();
DetectHttpHRHRegister();
DetectHttpStatMsgRegister();
DetectHttpStatCodeRegister();
DetectDnsQueryRegister();
DetectModbusRegister();
DetectCipServiceRegister();
DetectEnipCommandRegister();
DetectDNP3Register();
DetectTlsSniRegister();
DetectTlsIssuerRegister();
DetectTlsSubjectRegister();
DetectTlsSerialRegister();
DetectTlsFingerprintRegister();
DetectAppLayerEventRegister();
/* end of order dependent regs */
DetectPcreRegister();
DetectDepthRegister();
DetectNocaseRegister();
DetectRawbytesRegister();
DetectBytetestRegister();
DetectBytejumpRegister();
DetectSameipRegister();
DetectGeoipRegister();
DetectL3ProtoRegister();
DetectIPProtoRegister();
DetectWithinRegister();
DetectDistanceRegister();
DetectOffsetRegister();
DetectReplaceRegister();
DetectFlowRegister();
DetectWindowRegister();
DetectRpcRegister();
DetectFtpbounceRegister();
DetectIsdataatRegister();
DetectIdRegister();
DetectDsizeRegister();
DetectFlowvarRegister();
DetectFlowintRegister();
DetectPktvarRegister();
DetectNoalertRegister();
DetectFlowbitsRegister();
DetectHostbitsRegister();
DetectXbitsRegister();
DetectEngineEventRegister();
DetectIpOptsRegister();
DetectFlagsRegister();
DetectFragBitsRegister();
DetectFragOffsetRegister();
DetectGidRegister();
DetectMarkRegister();
DetectCsumRegister();
DetectStreamSizeRegister();
DetectTtlRegister();
DetectTosRegister();
DetectFastPatternRegister();
DetectITypeRegister();
DetectICodeRegister();
DetectIcmpIdRegister();
DetectIcmpSeqRegister();
DetectDceIfaceRegister();
DetectDceOpnumRegister();
DetectDceStubDataRegister();
DetectTlsRegister();
DetectTlsValidityRegister();
DetectTlsVersionRegister();
DetectNfsProcedureRegister();
DetectNfsVersionRegister();
DetectUrilenRegister();
DetectDetectionFilterRegister();
DetectAsn1Register();
DetectSshProtocolRegister();
DetectSshVersionRegister();
DetectSshSoftwareRegister();
DetectSshSoftwareVersionRegister();
DetectSslStateRegister();
DetectSslVersionRegister();
DetectByteExtractRegister();
DetectFiledataRegister();
DetectPktDataRegister();
DetectLuaRegister();
DetectIPRepRegister();
DetectAppLayerProtocolRegister();
DetectBase64DecodeRegister();
DetectBase64DataRegister();
DetectTemplateRegister();
DetectTargetRegister();
DetectTemplateBufferRegister();
DetectBypassRegister();
/* close keyword registration */
DetectBufferTypeFinalizeRegistration();
}
void SigTableRegisterTests(void)
{
/* register the tests */
int i = 0;
for (i = 0; i < DETECT_TBLSIZE; i++) {
g_ut_modules++;
if (sigmatch_table[i].RegisterTests != NULL) {
sigmatch_table[i].RegisterTests();
g_ut_covered++;
} else {
SCLogDebug("detection plugin %s has no unittest "
"registration function.", sigmatch_table[i].name);
if (coverage_unittests)
SCLogWarning(SC_WARN_NO_UNITTESTS, "detection plugin %s has no unittest "
"registration function.", sigmatch_table[i].name);
}
}
}
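Review bot: `SigTableRegisterTests` formats `sigmatch_table[i].name` with `%s` in both the SCLogDebug and SCLogWarning calls for every slot that has no `RegisterTests` callback, yet the table is zeroed by `memset` in `SigTableSetup` and iterated over the full `DETECT_TBLSIZE` range, so any enum slot left unregistered hands a NULL pointer to the format — undefined behaviour that glibc merely happens to print as "(null)". `SigTableList` already treats a NULL name as "no keyword here" (`if (sigmatch_table[i].name != NULL)`), so the test loop should do the same: add `if (sigmatch_table[i].name == NULL) continue;` at the top of the loop body, which also stops `g_ut_modules++` counting empty slots as modules. The function is moved verbatim, so this predates the commit, but the new file is the natural place to fix it. As a point of style, the new file carries detect.c's entire include list (util-cuda.h, util-mpm-ac.h, runmodes.h, stream-tcp-inline.h, conf-yaml-loader.h, …) although it only needs `detect.h` plus the headers providing the `Detect*Register` prototypes; trimming it now avoids re-creating the include sprawl this commit is removing from detect.c.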

@ -0,0 +1,210 @@
/* Copyright (C) 2007-2017 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Victor Julien <victor@inliniac.net>
*/
#ifndef __DETECT_ENGINE_REGISTER_H__
#define __DETECT_ENGINE_REGISTER_H__
enum {
DETECT_SID,
DETECT_PRIORITY,
DETECT_REV,
DETECT_CLASSTYPE,
/* sorted by prefilter priority. Higher in this list means it will be
* picked over ones lower in the list */
DETECT_AL_APP_LAYER_PROTOCOL,
DETECT_ACK,
DETECT_SEQ,
DETECT_WINDOW,
DETECT_IPOPTS,
DETECT_FLAGS,
DETECT_FRAGBITS,
DETECT_FRAGOFFSET,
DETECT_TTL,
DETECT_TOS,
DETECT_ITYPE,
DETECT_ICODE,
DETECT_ICMP_ID,
DETECT_ICMP_SEQ,
DETECT_DSIZE,
DETECT_FLOW,
/* end prefilter sort */
DETECT_THRESHOLD,
DETECT_METADATA,
DETECT_REFERENCE,
DETECT_TAG,
DETECT_MSG,
DETECT_CONTENT,
DETECT_URICONTENT,
DETECT_PCRE,
DETECT_DEPTH,
DETECT_DISTANCE,
DETECT_WITHIN,
DETECT_OFFSET,
DETECT_REPLACE,
DETECT_NOCASE,
DETECT_FAST_PATTERN,
DETECT_RAWBYTES,
DETECT_BYTETEST,
DETECT_BYTEJUMP,
DETECT_SAMEIP,
DETECT_GEOIP,
DETECT_IPPROTO,
DETECT_FTPBOUNCE,
DETECT_ISDATAAT,
DETECT_ID,
DETECT_RPC,
DETECT_FLOWVAR,
DETECT_FLOWVAR_POSTMATCH,
DETECT_FLOWINT,
DETECT_PKTVAR,
DETECT_NOALERT,
DETECT_FLOWBITS,
DETECT_HOSTBITS,
DETECT_IPV4_CSUM,
DETECT_TCPV4_CSUM,
DETECT_TCPV6_CSUM,
DETECT_UDPV4_CSUM,
DETECT_UDPV6_CSUM,
DETECT_ICMPV4_CSUM,
DETECT_ICMPV6_CSUM,
DETECT_STREAM_SIZE,
DETECT_DETECTION_FILTER,
DETECT_DECODE_EVENT,
DETECT_GID,
DETECT_MARK,
DETECT_AL_TLS_VERSION,
DETECT_AL_TLS_SUBJECT,
DETECT_AL_TLS_ISSUERDN,
DETECT_AL_TLS_NOTBEFORE,
DETECT_AL_TLS_NOTAFTER,
DETECT_AL_TLS_EXPIRED,
DETECT_AL_TLS_VALID,
DETECT_AL_TLS_FINGERPRINT,
DETECT_AL_TLS_STORE,
DETECT_AL_HTTP_COOKIE,
DETECT_AL_HTTP_METHOD,
DETECT_AL_HTTP_PROTOCOL,
DETECT_AL_HTTP_START,
DETECT_AL_URILEN,
DETECT_AL_HTTP_CLIENT_BODY,
DETECT_AL_HTTP_SERVER_BODY,
DETECT_AL_HTTP_HEADER,
DETECT_AL_HTTP_HEADER_NAMES,
DETECT_AL_HTTP_HEADER_ACCEPT,
DETECT_AL_HTTP_HEADER_ACCEPT_LANG,
DETECT_AL_HTTP_HEADER_ACCEPT_ENC,
DETECT_AL_HTTP_HEADER_CONNECTION,
DETECT_AL_HTTP_HEADER_CONTENT_LEN,
DETECT_AL_HTTP_HEADER_CONTENT_TYPE,
DETECT_AL_HTTP_HEADER_REFERER,
DETECT_AL_HTTP_RAW_HEADER,
DETECT_AL_HTTP_URI,
DETECT_AL_HTTP_RAW_URI,
DETECT_AL_HTTP_STAT_MSG,
DETECT_AL_HTTP_STAT_CODE,
DETECT_AL_HTTP_USER_AGENT,
DETECT_AL_HTTP_HOST,
DETECT_AL_HTTP_RAW_HOST,
DETECT_AL_HTTP_REQUEST_LINE,
DETECT_AL_HTTP_RESPONSE_LINE,
DETECT_AL_NFS_PROCEDURE,
DETECT_AL_NFS_VERSION,
DETECT_AL_SSH_PROTOCOL,
DETECT_AL_SSH_PROTOVERSION,
DETECT_AL_SSH_SOFTWARE,
DETECT_AL_SSH_SOFTWAREVERSION,
DETECT_AL_SSL_VERSION,
DETECT_AL_SSL_STATE,
DETECT_BYTE_EXTRACT,
DETECT_FILE_DATA,
DETECT_PKT_DATA,
DETECT_AL_APP_LAYER_EVENT,
DETECT_DCE_IFACE,
DETECT_DCE_OPNUM,
DETECT_DCE_STUB_DATA,
DETECT_ASN1,
DETECT_ENGINE_EVENT,
DETECT_STREAM_EVENT,
DETECT_FILENAME,
DETECT_FILEEXT,
DETECT_FILESTORE,
DETECT_FILEMAGIC,
DETECT_FILEMD5,
DETECT_FILESHA1,
DETECT_FILESHA256,
DETECT_FILESIZE,
DETECT_L3PROTO,
DETECT_LUA,
DETECT_IPREP,
DETECT_AL_DNS_QUERY,
DETECT_AL_TLS_SNI,
DETECT_AL_TLS_CERT_ISSUER,
DETECT_AL_TLS_CERT_SUBJECT,
DETECT_AL_TLS_CERT_SERIAL,
DETECT_AL_TLS_CERT_FINGERPRINT,
DETECT_AL_MODBUS,
DETECT_CIPSERVICE,
DETECT_ENIPCOMMAND,
DETECT_AL_DNP3DATA,
DETECT_AL_DNP3FUNC,
DETECT_AL_DNP3IND,
DETECT_AL_DNP3OBJ,
DETECT_XBITS,
DETECT_BASE64_DECODE,
DETECT_BASE64_DATA,
DETECT_TEMPLATE,
DETECT_TARGET,
DETECT_AL_TEMPLATE_BUFFER,
DETECT_BYPASS,
DETECT_PREFILTER,
/* make sure this stays last */
DETECT_TBLSIZE,
};
/* Table with all SigMatch registrations */
SigTableElmt sigmatch_table[DETECT_TBLSIZE];
void SigTableList(const char *keyword);
void SigTableSetup(void);
void SigTableRegisterTests(void);
#endif /* __DETECT_ENGINE_REGISTER_H__ */
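Review bot: `SigTableElmt sigmatch_table[DETECT_TBLSIZE];` is a tentative definition, not a declaration, so every translation unit that includes detect.h (which now pulls this header in at its tail) defines the array; that only links through common-symbol merging, which current GCC and Clang no longer enable by default (`-fno-common`) and which then fails with "multiple definition of `sigmatch_table`". Declare it here as `extern SigTableElmt sigmatch_table[DETECT_TBLSIZE];` and put the single definition `SigTableElmt sigmatch_table[DETECT_TBLSIZE];` in detect-engine-register.c next to `SigTableSetup`. The header also uses `SigTableElmt` without including anything, so it is only valid when reached through detect.h; a comment above the declaration such as `/* Included from the end of detect.h; requires SigTableElmt to be complete. */` would stop someone including it directly. Both issues are carried over from the block this commit moves out of detect.h.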

@ -1,4 +1,4 @@
/* Copyright (C) 2007-2014 Open Information Security Foundation
/* Copyright (C) 2007-2017 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
@ -25,12 +25,22 @@
#include "suricata-common.h"
#include "suricata.h"
#include "tm-threads.h"
#include "debug.h"
#include "detect.h"
#include "decode.h"
#include "flow.h"
#include "flow-private.h"
#include "flow-bit.h"
#include "stream-tcp.h"
#include "app-layer.h"
#include "app-layer-parser.h"
#include "app-layer-protos.h"
#include "pkt-var.h"
#include "conf.h"
#include "conf-yaml-loader.h"
#include "action-globals.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-profile.h"
@ -45,114 +55,13 @@
#include "detect-engine-threshold.h"
#include "detect-engine-prefilter.h"
#include "detect-engine-payload.h"
#include "detect-engine-dcepayload.h"
#include "detect-engine-uri.h"
#include "detect-dns-query.h"
#include "detect-tls-sni.h"
#include "detect-tls-cert-issuer.h"
#include "detect-tls-cert-subject.h"
#include "detect-tls-cert-serial.h"
#include "detect-tls-cert-fingerprint.h"
#include "detect-engine-state.h"
#include "detect-engine-analyzer.h"
#include "detect-engine-payload.h"
#include "detect-engine-filedata-smtp.h"
#include "detect-http-cookie.h"
#include "detect-http-method.h"
#include "detect-http-ua.h"
#include "detect-http-hh.h"
#include "detect-http-hrh.h"
#include "detect-nfs-procedure.h"
#include "detect-nfs-version.h"
#include "detect-engine-event.h"
#include "decode.h"
#include "detect-base64-decode.h"
#include "detect-base64-data.h"
#include "detect-ipopts.h"
#include "detect-flags.h"
#include "detect-fragbits.h"
#include "detect-fragoffset.h"
#include "detect-gid.h"
#include "detect-ack.h"
#include "detect-seq.h"
#include "detect-content.h"
#include "detect-uricontent.h"
#include "detect-pcre.h"
#include "detect-depth.h"
#include "detect-nocase.h"
#include "detect-rawbytes.h"
#include "detect-bytetest.h"
#include "detect-bytejump.h"
#include "detect-sameip.h"
#include "detect-l3proto.h"
#include "detect-ipproto.h"
#include "detect-within.h"
#include "detect-distance.h"
#include "detect-offset.h"
#include "detect-sid.h"
#include "detect-prefilter.h"
#include "detect-priority.h"
#include "detect-classtype.h"
#include "detect-reference.h"
#include "detect-tag.h"
#include "detect-threshold.h"
#include "detect-metadata.h"
#include "detect-msg.h"
#include "detect-rev.h"
#include "detect-flow.h"
#include "detect-window.h"
#include "detect-ftpbounce.h"
#include "detect-isdataat.h"
#include "detect-id.h"
#include "detect-rpc.h"
#include "detect-asn1.h"
#include "detect-filename.h"
#include "detect-fileext.h"
#include "detect-filestore.h"
#include "detect-filemagic.h"
#include "detect-filemd5.h"
#include "detect-filesha1.h"
#include "detect-filesha256.h"
#include "detect-filesize.h"
#include "detect-dsize.h"
#include "detect-flowvar.h"
#include "detect-flowint.h"
#include "detect-pktvar.h"
#include "detect-noalert.h"
#include "detect-flowbits.h"
#include "detect-hostbits.h"
#include "detect-xbits.h"
#include "detect-csum.h"
#include "detect-stream_size.h"
#include "detect-engine-sigorder.h"
#include "detect-ttl.h"
#include "detect-fast-pattern.h"
#include "detect-itype.h"
#include "detect-icode.h"
#include "detect-icmp-id.h"
#include "detect-icmp-seq.h"
#include "detect-dce-iface.h"
#include "detect-dce-opnum.h"
#include "detect-dce-stub-data.h"
#include "detect-urilen.h"
#include "detect-detection-filter.h"
#include "detect-http-client-body.h"
#include "detect-http-server-body.h"
#include "detect-http-header.h"
#include "detect-http-header-names.h"
#include "detect-http-headers.h"
#include "detect-http-raw-header.h"
#include "detect-http-uri.h"
#include "detect-http-protocol.h"
#include "detect-http-start.h"
#include "detect-http-raw-uri.h"
#include "detect-http-stat-msg.h"
#include "detect-http-request-line.h"
#include "detect-http-response-line.h"
#include "detect-engine-hcbd.h"
#include "detect-engine-hsbd.h"
#include "detect-engine-hrhd.h"
@ -164,72 +73,21 @@
#include "detect-engine-hua.h"
#include "detect-engine-hhhd.h"
#include "detect-engine-hrhhd.h"
#include "detect-byte-extract.h"
#include "detect-file-data.h"
#include "detect-pkt-data.h"
#include "detect-replace.h"
#include "detect-tos.h"
#include "detect-app-layer-event.h"
#include "detect-lua.h"
#include "detect-iprep.h"
#include "detect-geoip.h"
#include "detect-app-layer-protocol.h"
#include "detect-template.h"
#include "detect-target.h"
#include "detect-template-buffer.h"
#include "detect-bypass.h"
#include "detect-engine-content-inspection.h"
#include "util-rule-vars.h"
#include "app-layer.h"
#include "app-layer-protos.h"
#include "app-layer-htp.h"
#include "app-layer-smtp.h"
#include "app-layer-template.h"
#include "detect-tls.h"
#include "detect-tls-cert-validity.h"
#include "detect-tls-version.h"
#include "detect-ssh-proto.h"
#include "detect-ssh-proto-version.h"
#include "detect-ssh-software.h"
#include "detect-ssh-software-version.h"
#include "detect-http-stat-code.h"
#include "detect-ssl-version.h"
#include "detect-ssl-state.h"
#include "detect-modbus.h"
#include "detect-cipservice.h"
#include "detect-dnp3.h"
#include "action-globals.h"
#include "tm-threads.h"
#include "pkt-var.h"
#include "conf.h"
#include "conf-yaml-loader.h"
#include "stream-tcp.h"
#include "stream-tcp-inline.h"
#include "detect-filestore.h"
#include "detect-flowvar.h"
#include "detect-replace.h"
#include "util-lua.h"
#include "util-rule-vars.h"
#include "util-var-name.h"
#include "util-classification-config.h"
#include "util-threshold-config.h"
#include "util-print.h"
#include "util-unittest.h"
#include "util-unittest-helper.h"
#include "util-debug.h"
#include "util-hashlist.h"
#include "util-cuda.h"
#include "util-privs.h"
#include "util-profiling.h"
#include "util-validate.h"
#include "util-optimize.h"
#include "util-path.h"
#include "util-mpm-ac.h"
#include "util-detect.h"
#include "runmodes.h"
#ifdef HAVE_GLOB_H
#include <glob.h>
@ -1602,280 +1460,6 @@ void DisableDetectFlowFileFlags(Flow *f)
DetectPostInspectFileFlagsUpdate(f, NULL /* no sgh */, STREAM_TOCLIENT);
}
static void PrintFeatureList(const SigTableElmt *e, char sep)
{
const uint8_t flags = e->flags;
int prev = 0;
if (flags & SIGMATCH_NOOPT) {
printf("No option");
prev = 1;
}
if (flags & SIGMATCH_IPONLY_COMPAT) {
if (prev == 1)
printf("%c", sep);
printf("compatible with IP only rule");
prev = 1;
}
if (flags & SIGMATCH_DEONLY_COMPAT) {
if (prev == 1)
printf("%c", sep);
printf("compatible with decoder event only rule");
prev = 1;
}
if (e->SupportsPrefilter) {
if (prev == 1)
printf("%c", sep);
printf("prefilter");
prev = 1;
}
if (prev == 0) {
printf("none");
}
}
static void SigMultilinePrint(int i, const char *prefix)
{
if (sigmatch_table[i].desc) {
printf("%sDescription: %s\n", prefix, sigmatch_table[i].desc);
}
printf("%sFeatures: ", prefix);
PrintFeatureList(&sigmatch_table[i], ',');
if (sigmatch_table[i].url) {
printf("\n%sDocumentation: %s", prefix, sigmatch_table[i].url);
}
printf("\n");
}
void SigTableList(const char *keyword)
{
size_t size = sizeof(sigmatch_table) / sizeof(SigTableElmt);
size_t i;
if (keyword == NULL) {
printf("=====Supported keywords=====\n");
for (i = 0; i < size; i++) {
if (sigmatch_table[i].name != NULL) {
if (sigmatch_table[i].flags & SIGMATCH_NOT_BUILT) {
printf("- %s (not built-in)\n", sigmatch_table[i].name);
} else {
printf("- %s\n", sigmatch_table[i].name);
}
}
}
} else if (strcmp("csv", keyword) == 0) {
printf("name;description;app layer;features;documentation\n");
for (i = 0; i < size; i++) {
if (sigmatch_table[i].name != NULL) {
if (sigmatch_table[i].flags & SIGMATCH_NOT_BUILT) {
continue;
}
printf("%s;", sigmatch_table[i].name);
if (sigmatch_table[i].desc) {
printf("%s", sigmatch_table[i].desc);
}
/* Build feature */
printf(";Unset;"); // this used to be alproto
PrintFeatureList(&sigmatch_table[i], ':');
printf(";");
if (sigmatch_table[i].url) {
printf("%s", sigmatch_table[i].url);
}
printf(";");
printf("\n");
}
}
} else if (strcmp("all", keyword) == 0) {
for (i = 0; i < size; i++) {
if (sigmatch_table[i].name != NULL) {
printf("%s:\n", sigmatch_table[i].name);
SigMultilinePrint(i, "\t");
}
}
} else {
for (i = 0; i < size; i++) {
if ((sigmatch_table[i].name != NULL) &&
strcmp(sigmatch_table[i].name, keyword) == 0) {
printf("= %s =\n", sigmatch_table[i].name);
if (sigmatch_table[i].flags & SIGMATCH_NOT_BUILT) {
printf("Not built-in\n");
return;
}
SigMultilinePrint(i, "");
return;
}
}
}
return;
}
void SigTableSetup(void)
{
memset(sigmatch_table, 0, sizeof(sigmatch_table));
DetectSidRegister();
DetectPriorityRegister();
DetectPrefilterRegister();
DetectRevRegister();
DetectClasstypeRegister();
DetectReferenceRegister();
DetectTagRegister();
DetectThresholdRegister();
DetectMetadataRegister();
DetectMsgRegister();
DetectAckRegister();
DetectSeqRegister();
DetectContentRegister();
DetectUricontentRegister();
/* NOTE: the order of these currently affects inspect
* engine registration order and ultimately the order
* of inspect engines in the rule. Which in turn affects
* state keeping */
DetectHttpUriRegister();
DetectHttpRequestLineRegister();
DetectHttpClientBodyRegister();
DetectHttpResponseLineRegister();
DetectHttpServerBodyRegister();
DetectHttpHeaderRegister();
DetectHttpHeaderNamesRegister();
DetectHttpHeadersRegister();
DetectHttpProtocolRegister();
DetectHttpStartRegister();
DetectHttpRawHeaderRegister();
DetectHttpMethodRegister();
DetectHttpCookieRegister();
DetectHttpRawUriRegister();
DetectFilenameRegister();
DetectFileextRegister();
DetectFilestoreRegister();
DetectFilemagicRegister();
DetectFileMd5Register();
DetectFileSha1Register();
DetectFileSha256Register();
DetectFilesizeRegister();
DetectHttpUARegister();
DetectHttpHHRegister();
DetectHttpHRHRegister();
DetectHttpStatMsgRegister();
DetectHttpStatCodeRegister();
DetectDnsQueryRegister();
DetectModbusRegister();
DetectCipServiceRegister();
DetectEnipCommandRegister();
DetectDNP3Register();
DetectTlsSniRegister();
DetectTlsIssuerRegister();
DetectTlsSubjectRegister();
DetectTlsSerialRegister();
DetectTlsFingerprintRegister();
DetectAppLayerEventRegister();
/* end of order dependent regs */
DetectPcreRegister();
DetectDepthRegister();
DetectNocaseRegister();
DetectRawbytesRegister();
DetectBytetestRegister();
DetectBytejumpRegister();
DetectSameipRegister();
DetectGeoipRegister();
DetectL3ProtoRegister();
DetectIPProtoRegister();
DetectWithinRegister();
DetectDistanceRegister();
DetectOffsetRegister();
DetectReplaceRegister();
DetectFlowRegister();
DetectWindowRegister();
DetectRpcRegister();
DetectFtpbounceRegister();
DetectIsdataatRegister();
DetectIdRegister();
DetectDsizeRegister();
DetectFlowvarRegister();
DetectFlowintRegister();
DetectPktvarRegister();
DetectNoalertRegister();
DetectFlowbitsRegister();
DetectHostbitsRegister();
DetectXbitsRegister();
DetectEngineEventRegister();
DetectIpOptsRegister();
DetectFlagsRegister();
DetectFragBitsRegister();
DetectFragOffsetRegister();
DetectGidRegister();
DetectMarkRegister();
DetectCsumRegister();
DetectStreamSizeRegister();
DetectTtlRegister();
DetectTosRegister();
DetectFastPatternRegister();
DetectITypeRegister();
DetectICodeRegister();
DetectIcmpIdRegister();
DetectIcmpSeqRegister();
DetectDceIfaceRegister();
DetectDceOpnumRegister();
DetectDceStubDataRegister();
DetectTlsRegister();
DetectTlsValidityRegister();
DetectTlsVersionRegister();
DetectNfsProcedureRegister();
DetectNfsVersionRegister();
DetectUrilenRegister();
DetectDetectionFilterRegister();
DetectAsn1Register();
DetectSshProtocolRegister();
DetectSshVersionRegister();
DetectSshSoftwareRegister();
DetectSshSoftwareVersionRegister();
DetectSslStateRegister();
DetectSslVersionRegister();
DetectByteExtractRegister();
DetectFiledataRegister();
DetectPktDataRegister();
DetectLuaRegister();
DetectIPRepRegister();
DetectAppLayerProtocolRegister();
DetectBase64DecodeRegister();
DetectBase64DataRegister();
DetectTemplateRegister();
DetectTargetRegister();
DetectTemplateBufferRegister();
DetectBypassRegister();
/* close keyword registration */
DetectBufferTypeFinalizeRegistration();
}
void SigTableRegisterTests(void)
{
/* register the tests */
int i = 0;
for (i = 0; i < DETECT_TBLSIZE; i++) {
g_ut_modules++;
if (sigmatch_table[i].RegisterTests != NULL) {
sigmatch_table[i].RegisterTests();
g_ut_covered++;
} else {
SCLogDebug("detection plugin %s has no unittest "
"registration function.", sigmatch_table[i].name);
if (coverage_unittests)
SCLogWarning(SC_WARN_NO_UNITTESTS, "detection plugin %s has no unittest "
"registration function.", sigmatch_table[i].name);
}
}
}
/*
* TESTS
*/

@ -1204,184 +1204,6 @@ typedef struct DetectEngineMasterCtx_ {
/** Remember to add the options in SignatureIsIPOnly() at detect.c otherwise it wont be part of a signature group */
enum {
DETECT_SID,
DETECT_PRIORITY,
DETECT_REV,
DETECT_CLASSTYPE,
/* sorted by prefilter priority. Higher in this list means it will be
* picked over ones lower in the list */
DETECT_AL_APP_LAYER_PROTOCOL,
DETECT_ACK,
DETECT_SEQ,
DETECT_WINDOW,
DETECT_IPOPTS,
DETECT_FLAGS,
DETECT_FRAGBITS,
DETECT_FRAGOFFSET,
DETECT_TTL,
DETECT_TOS,
DETECT_ITYPE,
DETECT_ICODE,
DETECT_ICMP_ID,
DETECT_ICMP_SEQ,
DETECT_DSIZE,
DETECT_FLOW,
/* end prefilter sort */
DETECT_THRESHOLD,
DETECT_METADATA,
DETECT_REFERENCE,
DETECT_TAG,
DETECT_MSG,
DETECT_CONTENT,
DETECT_URICONTENT,
DETECT_PCRE,
DETECT_DEPTH,
DETECT_DISTANCE,
DETECT_WITHIN,
DETECT_OFFSET,
DETECT_REPLACE,
DETECT_NOCASE,
DETECT_FAST_PATTERN,
DETECT_RAWBYTES,
DETECT_BYTETEST,
DETECT_BYTEJUMP,
DETECT_SAMEIP,
DETECT_GEOIP,
DETECT_IPPROTO,
DETECT_FTPBOUNCE,
DETECT_ISDATAAT,
DETECT_ID,
DETECT_RPC,
DETECT_FLOWVAR,
DETECT_FLOWVAR_POSTMATCH,
DETECT_FLOWINT,
DETECT_PKTVAR,
DETECT_NOALERT,
DETECT_FLOWBITS,
DETECT_HOSTBITS,
DETECT_IPV4_CSUM,
DETECT_TCPV4_CSUM,
DETECT_TCPV6_CSUM,
DETECT_UDPV4_CSUM,
DETECT_UDPV6_CSUM,
DETECT_ICMPV4_CSUM,
DETECT_ICMPV6_CSUM,
DETECT_STREAM_SIZE,
DETECT_DETECTION_FILTER,
DETECT_DECODE_EVENT,
DETECT_GID,
DETECT_MARK,
DETECT_AL_TLS_VERSION,
DETECT_AL_TLS_SUBJECT,
DETECT_AL_TLS_ISSUERDN,
DETECT_AL_TLS_NOTBEFORE,
DETECT_AL_TLS_NOTAFTER,
DETECT_AL_TLS_EXPIRED,
DETECT_AL_TLS_VALID,
DETECT_AL_TLS_FINGERPRINT,
DETECT_AL_TLS_STORE,
DETECT_AL_HTTP_COOKIE,
DETECT_AL_HTTP_METHOD,
DETECT_AL_HTTP_PROTOCOL,
DETECT_AL_HTTP_START,
DETECT_AL_URILEN,
DETECT_AL_HTTP_CLIENT_BODY,
DETECT_AL_HTTP_SERVER_BODY,
DETECT_AL_HTTP_HEADER,
DETECT_AL_HTTP_HEADER_NAMES,
DETECT_AL_HTTP_HEADER_ACCEPT,
DETECT_AL_HTTP_HEADER_ACCEPT_LANG,
DETECT_AL_HTTP_HEADER_ACCEPT_ENC,
DETECT_AL_HTTP_HEADER_CONNECTION,
DETECT_AL_HTTP_HEADER_CONTENT_LEN,
DETECT_AL_HTTP_HEADER_CONTENT_TYPE,
DETECT_AL_HTTP_HEADER_REFERER,
DETECT_AL_HTTP_RAW_HEADER,
DETECT_AL_HTTP_URI,
DETECT_AL_HTTP_RAW_URI,
DETECT_AL_HTTP_STAT_MSG,
DETECT_AL_HTTP_STAT_CODE,
DETECT_AL_HTTP_USER_AGENT,
DETECT_AL_HTTP_HOST,
DETECT_AL_HTTP_RAW_HOST,
DETECT_AL_HTTP_REQUEST_LINE,
DETECT_AL_HTTP_RESPONSE_LINE,
DETECT_AL_NFS_PROCEDURE,
DETECT_AL_NFS_VERSION,
DETECT_AL_SSH_PROTOCOL,
DETECT_AL_SSH_PROTOVERSION,
DETECT_AL_SSH_SOFTWARE,
DETECT_AL_SSH_SOFTWAREVERSION,
DETECT_AL_SSL_VERSION,
DETECT_AL_SSL_STATE,
DETECT_BYTE_EXTRACT,
DETECT_FILE_DATA,
DETECT_PKT_DATA,
DETECT_AL_APP_LAYER_EVENT,
DETECT_DCE_IFACE,
DETECT_DCE_OPNUM,
DETECT_DCE_STUB_DATA,
DETECT_ASN1,
DETECT_ENGINE_EVENT,
DETECT_STREAM_EVENT,
DETECT_FILENAME,
DETECT_FILEEXT,
DETECT_FILESTORE,
DETECT_FILEMAGIC,
DETECT_FILEMD5,
DETECT_FILESHA1,
DETECT_FILESHA256,
DETECT_FILESIZE,
DETECT_L3PROTO,
DETECT_LUA,
DETECT_IPREP,
DETECT_AL_DNS_QUERY,
DETECT_AL_TLS_SNI,
DETECT_AL_TLS_CERT_ISSUER,
DETECT_AL_TLS_CERT_SUBJECT,
DETECT_AL_TLS_CERT_SERIAL,
DETECT_AL_TLS_CERT_FINGERPRINT,
DETECT_AL_MODBUS,
DETECT_CIPSERVICE,
DETECT_ENIPCOMMAND,
DETECT_AL_DNP3DATA,
DETECT_AL_DNP3FUNC,
DETECT_AL_DNP3IND,
DETECT_AL_DNP3OBJ,
DETECT_XBITS,
DETECT_BASE64_DECODE,
DETECT_BASE64_DATA,
DETECT_TEMPLATE,
DETECT_TARGET,
DETECT_AL_TEMPLATE_BUFFER,
DETECT_BYPASS,
DETECT_PREFILTER,
/* make sure this stays last */
DETECT_TBLSIZE,
};
/* Table with all SigMatch registrations */
SigTableElmt sigmatch_table[DETECT_TBLSIZE];
/* detection api */
TmEcode Detect(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq);
@ -1392,7 +1214,6 @@ void SigMatchSignaturesBuildMatchArray(DetectEngineThreadCtx *,
uint16_t);
void SigMatchFree(SigMatch *sm);
void SigTableRegisterTests(void);
void SigRegisterTests(void);
void DetectSimdRegisterTests(void);
void TmModuleDetectRegister (void);
@ -1402,8 +1223,6 @@ void SigAddressPrepareBidirectionals (DetectEngineCtx *);
void DisableDetectFlowFileFlags(Flow *f);
char *DetectLoadCompleteSigPath(const DetectEngineCtx *, const char *sig_file);
int SigLoadSignatures (DetectEngineCtx *, char *, int);
void SigTableList(const char *keyword);
void SigTableSetup(void);
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx,
DetectEngineThreadCtx *det_ctx, Packet *p);
@ -1422,6 +1241,7 @@ int SigMatchSignaturesRunPostMatch(ThreadVars *tv,
void DetectSignatureApplyActions(Packet *p, const Signature *s, const uint8_t);
#include "detect-engine-build.h"
#include "detect-engine-register.h"
#endif /* __DETECT_H__ */
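Review bot: The comment `/** Remember to add the options in SignatureIsIPOnly() at detect.c otherwise it wont be part of a signature group */` at the top of the first hunk appears to stay behind in detect.h as context while the `enum { DETECT_SID, … }` it annotated moves to detect-engine-register.h, leaving it attached to nothing; whether it is context or a deleted line is not recoverable from the rendered page, so if it survives it should move to sit directly above `enum {` in the new header. The `#include "detect-engine-register.h"` added just before `#endif /* __DETECT_H__ */` also makes the two headers order-dependent (the new one needs `SigTableElmt`, defined earlier in detect.h), which is worth a one-line note at the include, e.g. `/* must come after SigTableElmt: the register header declares sigmatch_table */`.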

@ -23,6 +23,8 @@
#include "../pkt-var.h"
#include "../flow-util.h"
#include "../stream-tcp-reassemble.h"
#include "../util-unittest.h"
#include "../util-unittest-helper.h"
static const char *dummy_conf_string =
"%YAML 1.1\n"
