aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

detect/websocket: move keywords to rust

Browse Source 
Ticket: 4863
pull/11309/head
Philippe Antoine 1 year ago committed by Victor Julien
parent 16952d67e7
commit ce1eea4ad6
7 changed files with 258 additions and 325 deletions
Show Stats Download Patch File Download Diff File

292
rust/src/websocket/detect.rs
Unescape Escape View File

@ -15,9 +15,15 @@
* 02110-1301, USA.
*/
use super::websocket::WebSocketTransaction;
use super::websocket::{WebSocketTransaction, ALPROTO_WEBSOCKET};
use crate::detect::uint::{
detect_parse_uint, detect_parse_uint_enum, DetectUintData, DetectUintMode,
detect_parse_uint, detect_parse_uint_enum, rs_detect_u32_free, rs_detect_u32_match,
rs_detect_u32_parse, rs_detect_u8_free, rs_detect_u8_match, DetectUintData, DetectUintMode,
};
use crate::detect::{
DetectBufferSetActiveList, DetectHelperBufferMpmRegister, DetectHelperBufferRegister,
DetectHelperGetData, DetectHelperKeywordRegister, DetectSignatureSetAppProto, SCSigTableElmt,
SigMatchAppendSMToList, SIGMATCH_INFO_STICKY_BUFFER, SIGMATCH_NOOPT,
};
use crate::websocket::parser::WebSocketOpcode;
@ -28,39 +34,9 @@ use nom7::multi::many1;
use nom7::IResult;
use std::ffi::CStr;
use std::os::raw::{c_int, c_void};
#[no_mangle]
pub unsafe extern "C" fn SCWebSocketGetOpcode(tx: &mut WebSocketTransaction) -> u8 {
return tx.pdu.opcode;
}
#[no_mangle]
pub unsafe extern "C" fn SCWebSocketGetFlags(tx: &mut WebSocketTransaction) -> u8 {
return tx.pdu.flags;
}
#[no_mangle]
pub unsafe extern "C" fn SCWebSocketGetPayload(
tx: &WebSocketTransaction, buffer: *mut *const u8, buffer_len: *mut u32,
) -> bool {
*buffer = tx.pdu.payload.as_ptr();
*buffer_len = tx.pdu.payload.len() as u32;
return true;
}
#[no_mangle]
pub unsafe extern "C" fn SCWebSocketGetMask(
tx: &mut WebSocketTransaction, value: *mut u32,
) -> bool {
if let Some(xorkey) = tx.pdu.mask {
*value = xorkey;
return true;
}
return false;
}
#[no_mangle]
pub unsafe extern "C" fn SCWebSocketParseOpcode(
unsafe extern "C" fn websocket_parse_opcode(
ustr: *const std::os::raw::c_char,
) -> *mut DetectUintData<u8> {
let ft_name: &CStr = CStr::from_ptr(ustr); //unsafe
@ -120,8 +96,7 @@ fn parse_flags(s: &str) -> Option<DetectUintData<u8>> {
return None;
}
#[no_mangle]
pub unsafe extern "C" fn SCWebSocketParseFlags(
unsafe extern "C" fn websocket_parse_flags(
ustr: *const std::os::raw::c_char,
) -> *mut DetectUintData<u8> {
let ft_name: &CStr = CStr::from_ptr(ustr); //unsafe
@ -133,3 +108,248 @@ pub unsafe extern "C" fn SCWebSocketParseFlags(
}
return std::ptr::null_mut();
}
static mut G_WEBSOCKET_OPCODE_KW_ID: c_int = 0;
static mut G_WEBSOCKET_OPCODE_BUFFER_ID: c_int = 0;
static mut G_WEBSOCKET_MASK_KW_ID: c_int = 0;
static mut G_WEBSOCKET_MASK_BUFFER_ID: c_int = 0;
static mut G_WEBSOCKET_FLAGS_KW_ID: c_int = 0;
static mut G_WEBSOCKET_FLAGS_BUFFER_ID: c_int = 0;
static mut G_WEBSOCKET_PAYLOAD_BUFFER_ID: c_int = 0;
unsafe extern "C" fn websocket_detect_opcode_setup(
de: *mut c_void, s: *mut c_void, raw: *const libc::c_char,
) -> c_int {
if DetectSignatureSetAppProto(s, ALPROTO_WEBSOCKET) != 0 {
return -1;
}
let ctx = websocket_parse_opcode(raw) as *mut c_void;
if ctx.is_null() {
return -1;
}
if SigMatchAppendSMToList(
de,
s,
G_WEBSOCKET_OPCODE_KW_ID,
ctx,
G_WEBSOCKET_OPCODE_BUFFER_ID,
)
.is_null()
{
websocket_detect_opcode_free(std::ptr::null_mut(), ctx);
return -1;
}
return 0;
}
unsafe extern "C" fn websocket_detect_opcode_match(
_de: *mut c_void, _f: *mut c_void, _flags: u8, _state: *mut c_void, tx: *mut c_void,
_sig: *const c_void, ctx: *const c_void,
) -> c_int {
let tx = cast_pointer!(tx, WebSocketTransaction);
let ctx = cast_pointer!(ctx, DetectUintData<u8>);
return rs_detect_u8_match(tx.pdu.opcode, ctx);
}
unsafe extern "C" fn websocket_detect_opcode_free(_de: *mut c_void, ctx: *mut c_void) {
// Just unbox...
let ctx = cast_pointer!(ctx, DetectUintData<u8>);
rs_detect_u8_free(ctx);
}
unsafe extern "C" fn websocket_detect_mask_setup(
de: *mut c_void, s: *mut c_void, raw: *const libc::c_char,
) -> c_int {
if DetectSignatureSetAppProto(s, ALPROTO_WEBSOCKET) != 0 {
return -1;
}
let ctx = rs_detect_u32_parse(raw) as *mut c_void;
if ctx.is_null() {
return -1;
}
if SigMatchAppendSMToList(
de,
s,
G_WEBSOCKET_MASK_KW_ID,
ctx,
G_WEBSOCKET_MASK_BUFFER_ID,
)
.is_null()
{
websocket_detect_mask_free(std::ptr::null_mut(), ctx);
return -1;
}
return 0;
}
unsafe extern "C" fn websocket_detect_mask_match(
_de: *mut c_void, _f: *mut c_void, _flags: u8, _state: *mut c_void, tx: *mut c_void,
_sig: *const c_void, ctx: *const c_void,
) -> c_int {
let tx = cast_pointer!(tx, WebSocketTransaction);
let ctx = cast_pointer!(ctx, DetectUintData<u32>);
if let Some(xorkey) = tx.pdu.mask {
return rs_detect_u32_match(xorkey, ctx);
}
return 0;
}
unsafe extern "C" fn websocket_detect_mask_free(_de: *mut c_void, ctx: *mut c_void) {
// Just unbox...
let ctx = cast_pointer!(ctx, DetectUintData<u32>);
rs_detect_u32_free(ctx);
}
unsafe extern "C" fn websocket_detect_flags_setup(
de: *mut c_void, s: *mut c_void, raw: *const libc::c_char,
) -> c_int {
if DetectSignatureSetAppProto(s, ALPROTO_WEBSOCKET) != 0 {
return -1;
}
let ctx = websocket_parse_flags(raw) as *mut c_void;
if ctx.is_null() {
return -1;
}
if SigMatchAppendSMToList(
de,
s,
G_WEBSOCKET_FLAGS_KW_ID,
ctx,
G_WEBSOCKET_FLAGS_BUFFER_ID,
)
.is_null()
{
websocket_detect_flags_free(std::ptr::null_mut(), ctx);
return -1;
}
return 0;
}
unsafe extern "C" fn websocket_detect_flags_match(
_de: *mut c_void, _f: *mut c_void, _flags: u8, _state: *mut c_void, tx: *mut c_void,
_sig: *const c_void, ctx: *const c_void,
) -> c_int {
let tx = cast_pointer!(tx, WebSocketTransaction);
let ctx = cast_pointer!(ctx, DetectUintData<u8>);
return rs_detect_u8_match(tx.pdu.flags, ctx);
}
unsafe extern "C" fn websocket_detect_flags_free(_de: *mut c_void, ctx: *mut c_void) {
// Just unbox...
let ctx = cast_pointer!(ctx, DetectUintData<u8>);
rs_detect_u8_free(ctx);
}
pub unsafe extern "C" fn websocket_detect_payload_setup(
de: *mut c_void, s: *mut c_void, _raw: *const std::os::raw::c_char,
) -> c_int {
if DetectSignatureSetAppProto(s, ALPROTO_WEBSOCKET) != 0 {
return -1;
}
if DetectBufferSetActiveList(de, s, G_WEBSOCKET_PAYLOAD_BUFFER_ID) < 0 {
return -1;
}
return 0;
}
pub unsafe extern "C" fn websocket_detect_payload_get(
tx: *const c_void, _flow_flags: u8, buffer: *mut *const u8, buffer_len: *mut u32,
) -> bool {
let tx = cast_pointer!(tx, WebSocketTransaction);
*buffer = tx.pdu.payload.as_ptr();
*buffer_len = tx.pdu.payload.len() as u32;
return true;
}
pub unsafe extern "C" fn websocket_detect_payload_get_data(
de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8,
tx: *const c_void, list_id: c_int,
) -> *mut c_void {
return DetectHelperGetData(
de,
transforms,
flow,
flow_flags,
tx,
list_id,
websocket_detect_payload_get,
);
}
#[no_mangle]
pub unsafe extern "C" fn ScDetectWebsocketRegister() {
let kw = SCSigTableElmt {
name: b"websocket.opcode\0".as_ptr() as *const libc::c_char,
desc: b"match WebSocket opcode\0".as_ptr() as *const libc::c_char,
url: b"/rules/websocket-keywords.html#websocket-opcode\0".as_ptr() as *const libc::c_char,
AppLayerTxMatch: Some(websocket_detect_opcode_match),
Setup: websocket_detect_opcode_setup,
Free: Some(websocket_detect_opcode_free),
flags: 0,
};
unsafe {
G_WEBSOCKET_OPCODE_KW_ID = DetectHelperKeywordRegister(&kw);
G_WEBSOCKET_OPCODE_BUFFER_ID = DetectHelperBufferRegister(
b"websocket.opcode\0".as_ptr() as *const libc::c_char,
ALPROTO_WEBSOCKET,
true,
true,
);
}
let kw = SCSigTableElmt {
name: b"websocket.mask\0".as_ptr() as *const libc::c_char,
desc: b"match WebSocket mask\0".as_ptr() as *const libc::c_char,
url: b"/rules/websocket-keywords.html#websocket-mask\0".as_ptr() as *const libc::c_char,
AppLayerTxMatch: Some(websocket_detect_mask_match),
Setup: websocket_detect_mask_setup,
Free: Some(websocket_detect_mask_free),
flags: 0,
};
unsafe {
G_WEBSOCKET_MASK_KW_ID = DetectHelperKeywordRegister(&kw);
G_WEBSOCKET_MASK_BUFFER_ID = DetectHelperBufferRegister(
b"websocket.mask\0".as_ptr() as *const libc::c_char,
ALPROTO_WEBSOCKET,
true,
true,
);
}
let kw = SCSigTableElmt {
name: b"websocket.flags\0".as_ptr() as *const libc::c_char,
desc: b"match WebSocket flags\0".as_ptr() as *const libc::c_char,
url: b"/rules/websocket-keywords.html#websocket-flags\0".as_ptr() as *const libc::c_char,
AppLayerTxMatch: Some(websocket_detect_flags_match),
Setup: websocket_detect_flags_setup,
Free: Some(websocket_detect_flags_free),
flags: 0,
};
unsafe {
G_WEBSOCKET_FLAGS_KW_ID = DetectHelperKeywordRegister(&kw);
G_WEBSOCKET_FLAGS_BUFFER_ID = DetectHelperBufferRegister(
b"websocket.flags\0".as_ptr() as *const libc::c_char,
ALPROTO_WEBSOCKET,
true,
true,
);
}
let kw = SCSigTableElmt {
name: b"websocket.payload\0".as_ptr() as *const libc::c_char,
desc: b"match WebSocket payload\0".as_ptr() as *const libc::c_char,
url: b"/rules/websocket-keywords.html#websocket-payload\0".as_ptr() as *const libc::c_char,
Setup: websocket_detect_payload_setup,
flags: SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER,
AppLayerTxMatch: None,
Free: None,
};
unsafe {
let _g_ws_payload_kw_id = DetectHelperKeywordRegister(&kw);
G_WEBSOCKET_PAYLOAD_BUFFER_ID = DetectHelperBufferMpmRegister(
b"websocket.payload\0".as_ptr() as *const libc::c_char,
b"WebSocket payload\0".as_ptr() as *const libc::c_char,
ALPROTO_WEBSOCKET,
true,
true,
websocket_detect_payload_get_data,
);
}
}

2
rust/src/websocket/websocket.rs
Unescape Escape View File

@ -32,7 +32,7 @@ use std::ffi::CString;
use std::io::Read;
use std::os::raw::{c_char, c_int, c_void};
static mut ALPROTO_WEBSOCKET: AppProto = ALPROTO_UNKNOWN;
pub(super) static mut ALPROTO_WEBSOCKET: AppProto = ALPROTO_UNKNOWN;
static mut WEBSOCKET_MAX_PAYLOAD_SIZE: u32 = 0xFFFF;

2
src/Makefile.am
Unescape Escape View File

@ -367,7 +367,6 @@ noinst_HEADERS = \
detect-urilen.h \
detect-within.h \
detect-xbits.h \
detect-websocket.h \
device-storage.h \
feature.h \
flow-bit.h \
@ -986,7 +985,6 @@ libsuricata_c_a_SOURCES = \
detect-urilen.c \
detect-within.c \
detect-xbits.c \
detect-websocket.c \
device-storage.c \
feature.c \
flow-bit.c \

3
src/detect-engine-register.c
Unescape Escape View File

@ -235,7 +235,6 @@
#include "detect-quic-cyu-hash.h"
#include "detect-quic-cyu-string.h"
#include "detect-ja4-hash.h"
#include "detect-websocket.h"
#include "detect-bypass.h"
#include "detect-ftpdata.h"
@ -753,7 +752,6 @@ void SigTableSetup(void)
DetectQuicCyuHashRegister();
DetectQuicCyuStringRegister();
DetectJa4HashRegister();
DetectWebsocketRegister();
DetectBypassRegister();
DetectConfigRegister();
@ -776,6 +774,7 @@ void SigTableSetup(void)
ScDetectSNMPRegister();
ScDetectDHCPRegister();
ScDetectWebsocketRegister();
/* close keyword registration */
DetectBufferTypeCloseRegistration();

4
src/detect-engine-register.h
Unescape Escape View File

@ -331,10 +331,6 @@ enum DetectKeywordId {
DETECT_AL_QUIC_UA,
DETECT_AL_QUIC_CYU_HASH,
DETECT_AL_QUIC_CYU_STRING,
DETECT_WEBSOCKET_MASK,
DETECT_WEBSOCKET_OPCODE,
DETECT_WEBSOCKET_FLAGS,
DETECT_WEBSOCKET_PAYLOAD,
DETECT_BYPASS,

251
src/detect-websocket.c
Unescape Escape View File

@ -1,251 +0,0 @@
/* Copyright (C) 2023 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Philippe Antoine
*/
#include "suricata-common.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-content-inspection.h"
#include "detect-engine-uint.h"
#include "detect-engine-prefilter.h"
#include "detect-websocket.h"
#include "rust.h"
static int websocket_tx_id = 0;
static int websocket_payload_id = 0;
/**
* \internal
* \brief this function will free memory associated with DetectWebSocketOpcodeData
*
* \param de pointer to DetectWebSocketOpcodeData
*/
static void DetectWebSocketOpcodeFree(DetectEngineCtx *de_ctx, void *de_ptr)
{
rs_detect_u8_free(de_ptr);
}
/**
* \internal
* \brief Function to match opcode of a websocket tx
*
* \param det_ctx Pointer to the pattern matcher thread.
* \param f Pointer to the current flow.
* \param flags Flags.
* \param state App layer state.
* \param txv Pointer to the transaction.
* \param s Pointer to the Signature.
* \param ctx Pointer to the sigmatch that we will cast into DetectWebSocketOpcodeData.
*
* \retval 0 no match.
* \retval 1 match.
*/
static int DetectWebSocketOpcodeMatch(DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags,
void *state, void *txv, const Signature *s, const SigMatchCtx *ctx)
{
const DetectU8Data *de = (const DetectU8Data *)ctx;
uint8_t opc = SCWebSocketGetOpcode(txv);
return DetectU8Match(opc, de);
}
/**
* \internal
* \brief this function is used to add the parsed sigmatch into the current signature
*
* \param de_ctx pointer to the Detection Engine Context
* \param s pointer to the Current Signature
* \param rawstr pointer to the user provided options
*
* \retval 0 on Success
* \retval -1 on Failure
*/
static int DetectWebSocketOpcodeSetup(DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
{
if (DetectSignatureSetAppProto(s, ALPROTO_WEBSOCKET) < 0)
return -1;
DetectU8Data *de = SCWebSocketParseOpcode(rawstr);
if (de == NULL)
return -1;
if (SigMatchAppendSMToList(
de_ctx, s, DETECT_WEBSOCKET_OPCODE, (SigMatchCtx *)de, websocket_tx_id) == NULL) {
DetectWebSocketOpcodeFree(de_ctx, de);
return -1;
}
return 0;
}
/**
* \internal
* \brief this function will free memory associated with DetectWebSocketMaskData
*
* \param de pointer to DetectWebSocketMaskData
*/
static void DetectWebSocketMaskFree(DetectEngineCtx *de_ctx, void *de_ptr)
{
rs_detect_u32_free(de_ptr);
}
static int DetectWebSocketMaskMatch(DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags,
void *state, void *txv, const Signature *s, const SigMatchCtx *ctx)
{
uint32_t val;
const DetectU32Data *du32 = (const DetectU32Data *)ctx;
if (SCWebSocketGetMask(txv, &val)) {
return DetectU32Match(val, du32);
}
return 0;
}
static int DetectWebSocketMaskSetup(DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
{
if (DetectSignatureSetAppProto(s, ALPROTO_WEBSOCKET) < 0)
return -1;
DetectU32Data *du32 = DetectU32Parse(rawstr);
if (du32 == NULL)
return -1;
if (SigMatchAppendSMToList(
de_ctx, s, DETECT_WEBSOCKET_MASK, (SigMatchCtx *)du32, websocket_tx_id) == NULL) {
DetectWebSocketMaskFree(de_ctx, du32);
return -1;
}
return 0;
}
static void DetectWebSocketFlagsFree(DetectEngineCtx *de_ctx, void *de_ptr)
{
rs_detect_u8_free(de_ptr);
}
static int DetectWebSocketFlagsMatch(DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags,
void *state, void *txv, const Signature *s, const SigMatchCtx *ctx)
{
const DetectU8Data *de = (const DetectU8Data *)ctx;
uint8_t val = SCWebSocketGetFlags(txv);
return DetectU8Match(val, de);
}
static int DetectWebSocketFlagsSetup(DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
{
if (DetectSignatureSetAppProto(s, ALPROTO_WEBSOCKET) < 0)
return -1;
DetectU8Data *de = SCWebSocketParseFlags(rawstr);
if (de == NULL)
return -1;
if (SigMatchAppendSMToList(
de_ctx, s, DETECT_WEBSOCKET_FLAGS, (SigMatchCtx *)de, websocket_tx_id) == NULL) {
DetectWebSocketOpcodeFree(de_ctx, de);
return -1;
}
return 0;
}
static int DetectWebSocketPayloadSetup(DetectEngineCtx *de_ctx, Signature *s, const char *rulestr)
{
if (DetectBufferSetActiveList(de_ctx, s, websocket_payload_id) < 0)
return -1;
if (DetectSignatureSetAppProto(s, ALPROTO_WEBSOCKET) != 0)
return -1;
return 0;
}
static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv,
const int list_id)
{
InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
if (buffer->inspect == NULL) {
const uint8_t *b = NULL;
uint32_t b_len = 0;
if (!SCWebSocketGetPayload(txv, &b, &b_len))
return NULL;
if (b == NULL || b_len == 0)
return NULL;
InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len);
InspectionBufferApplyTransforms(buffer, transforms);
}
return buffer;
}
/**
* \brief Registration function for websocket.opcode: keyword
*/
void DetectWebsocketRegister(void)
{
sigmatch_table[DETECT_WEBSOCKET_OPCODE].name = "websocket.opcode";
sigmatch_table[DETECT_WEBSOCKET_OPCODE].desc = "match WebSocket opcode";
sigmatch_table[DETECT_WEBSOCKET_OPCODE].url = "/rules/websocket-keywords.html#websocket-opcode";
sigmatch_table[DETECT_WEBSOCKET_OPCODE].AppLayerTxMatch = DetectWebSocketOpcodeMatch;
sigmatch_table[DETECT_WEBSOCKET_OPCODE].Setup = DetectWebSocketOpcodeSetup;
sigmatch_table[DETECT_WEBSOCKET_OPCODE].Free = DetectWebSocketOpcodeFree;
DetectAppLayerInspectEngineRegister("websocket.tx", ALPROTO_WEBSOCKET, SIG_FLAG_TOSERVER, 1,
DetectEngineInspectGenericList, NULL);
DetectAppLayerInspectEngineRegister("websocket.tx", ALPROTO_WEBSOCKET, SIG_FLAG_TOCLIENT, 1,
DetectEngineInspectGenericList, NULL);
websocket_tx_id = DetectBufferTypeGetByName("websocket.tx");
sigmatch_table[DETECT_WEBSOCKET_MASK].name = "websocket.mask";
sigmatch_table[DETECT_WEBSOCKET_MASK].desc = "match WebSocket mask";
sigmatch_table[DETECT_WEBSOCKET_MASK].url = "/rules/websocket-keywords.html#websocket-mask";
sigmatch_table[DETECT_WEBSOCKET_MASK].AppLayerTxMatch = DetectWebSocketMaskMatch;
sigmatch_table[DETECT_WEBSOCKET_MASK].Setup = DetectWebSocketMaskSetup;
sigmatch_table[DETECT_WEBSOCKET_MASK].Free = DetectWebSocketMaskFree;
sigmatch_table[DETECT_WEBSOCKET_FLAGS].name = "websocket.flags";
sigmatch_table[DETECT_WEBSOCKET_FLAGS].desc = "match WebSocket flags";
sigmatch_table[DETECT_WEBSOCKET_FLAGS].url = "/rules/websocket-keywords.html#websocket-flags";
sigmatch_table[DETECT_WEBSOCKET_FLAGS].AppLayerTxMatch = DetectWebSocketFlagsMatch;
sigmatch_table[DETECT_WEBSOCKET_FLAGS].Setup = DetectWebSocketFlagsSetup;
sigmatch_table[DETECT_WEBSOCKET_FLAGS].Free = DetectWebSocketFlagsFree;
sigmatch_table[DETECT_WEBSOCKET_PAYLOAD].name = "websocket.payload";
sigmatch_table[DETECT_WEBSOCKET_PAYLOAD].desc = "match WebSocket payload";
sigmatch_table[DETECT_WEBSOCKET_PAYLOAD].url =
"/rules/websocket-keywords.html#websocket-payload";
sigmatch_table[DETECT_WEBSOCKET_PAYLOAD].Setup = DetectWebSocketPayloadSetup;
sigmatch_table[DETECT_WEBSOCKET_PAYLOAD].flags |= SIGMATCH_NOOPT;
DetectAppLayerInspectEngineRegister("websocket.payload", ALPROTO_WEBSOCKET, SIG_FLAG_TOSERVER,
0, DetectEngineInspectBufferGeneric, GetData);
DetectAppLayerInspectEngineRegister("websocket.payload", ALPROTO_WEBSOCKET, SIG_FLAG_TOCLIENT,
0, DetectEngineInspectBufferGeneric, GetData);
DetectAppLayerMpmRegister("websocket.payload", SIG_FLAG_TOSERVER, 2,
PrefilterGenericMpmRegister, GetData, ALPROTO_WEBSOCKET, 1);
DetectAppLayerMpmRegister("websocket.payload", SIG_FLAG_TOCLIENT, 2,
PrefilterGenericMpmRegister, GetData, ALPROTO_WEBSOCKET, 1);
websocket_payload_id = DetectBufferTypeGetByName("websocket.payload");
}

29
src/detect-websocket.h
Unescape Escape View File

@ -1,29 +0,0 @@
/* Copyright (C) 2023 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Philippe Antoine
*/
#ifndef __DETECT_WEBSOCKET_H__
#define __DETECT_WEBSOCKET_H__
void DetectWebsocketRegister(void);
#endif /* __DETECT_WEBSOCKET_H__ */
Write Preview
Loading…
Cancel
Save