*/
void DetectAppLayerEventRegister(void)
{
- sigmatch_table[DETECT_AL_APP_LAYER_EVENT].name = "app-layer-event";
- sigmatch_table[DETECT_AL_APP_LAYER_EVENT].desc = "match on events generated by the App Layer Parsers and the protocol detection engine";
- sigmatch_table[DETECT_AL_APP_LAYER_EVENT].url = "/rules/app-layer.html#app-layer-event";
- sigmatch_table[DETECT_AL_APP_LAYER_EVENT].Match =
- DetectAppLayerEventPktMatch;
- sigmatch_table[DETECT_AL_APP_LAYER_EVENT].Setup = DetectAppLayerEventSetup;
- sigmatch_table[DETECT_AL_APP_LAYER_EVENT].Free = DetectAppLayerEventFree;
+ sigmatch_table[DETECT_APP_LAYER_EVENT].name = "app-layer-event";
+ sigmatch_table[DETECT_APP_LAYER_EVENT].desc =
+ "match on events generated by the App Layer Parsers and the protocol detection engine";
+ sigmatch_table[DETECT_APP_LAYER_EVENT].url = "/rules/app-layer.html#app-layer-event";
+ sigmatch_table[DETECT_APP_LAYER_EVENT].Match = DetectAppLayerEventPktMatch;
+ sigmatch_table[DETECT_APP_LAYER_EVENT].Setup = DetectAppLayerEventSetup;
+ sigmatch_table[DETECT_APP_LAYER_EVENT].Free = DetectAppLayerEventFree;
DetectAppLayerInspectEngineRegister("app-layer-events", ALPROTO_UNKNOWN, SIG_FLAG_TOSERVER, 0,
DetectEngineAptEventInspect, NULL);
}
}
if (OutdatedEvent(arg)) {
- if (SigMatchStrictEnabled(DETECT_AL_APP_LAYER_EVENT)) {
+ if (SigMatchStrictEnabled(DETECT_APP_LAYER_EVENT)) {
SCLogError("app-layer-event keyword no longer supports event \"%s\"", arg);
return -1;
} else {
r = DetectEngineGetEventInfo(event_name, &event_id, &event_type);
}
if (r < 0) {
- if (SigMatchStrictEnabled(DETECT_AL_APP_LAYER_EVENT)) {
+ if (SigMatchStrictEnabled(DETECT_APP_LAYER_EVENT)) {
SCLogError("app-layer-event keyword's "
"protocol \"%s\" doesn't have event \"%s\" registered",
alproto_name, event_name);
SCLogDebug("data->event_id %u", data->event_id);
if (event_type == APP_LAYER_EVENT_TYPE_PACKET) {
- if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_APP_LAYER_EVENT, (SigMatchCtx *)data,
+ if (SigMatchAppendSMToList(de_ctx, s, DETECT_APP_LAYER_EVENT, (SigMatchCtx *)data,
DETECT_SM_LIST_MATCH) == NULL) {
goto error;
}
if (DetectSignatureSetAppProto(s, data->alproto) != 0)
goto error;
- if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_APP_LAYER_EVENT, (SigMatchCtx *)data,
+ if (SigMatchAppendSMToList(de_ctx, s, DETECT_APP_LAYER_EVENT, (SigMatchCtx *)data,
g_applayer_events_list_id) == NULL) {
goto error;
}
SigMatch *tsm = s->init_data->smlists[DETECT_SM_LIST_MATCH];
for ( ; tsm != NULL; tsm = tsm->next) {
- if (tsm->type == DETECT_AL_APP_LAYER_PROTOCOL) {
+ if (tsm->type == DETECT_APP_LAYER_PROTOCOL) {
const DetectAppLayerProtocolData *them = (const DetectAppLayerProtocolData *)tsm->ctx;
if (HasConflicts(data, them)) {
}
}
- if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_APP_LAYER_PROTOCOL, (SigMatchCtx *)data,
+ if (SigMatchAppendSMToList(de_ctx, s, DETECT_APP_LAYER_PROTOCOL, (SigMatchCtx *)data,
DETECT_SM_LIST_MATCH) == NULL) {
goto error;
}
static int PrefilterSetupAppProto(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
{
- return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_AL_APP_LAYER_PROTOCOL,
- SIG_MASK_REQUIRE_FLOW, PrefilterPacketAppProtoSet, PrefilterPacketAppProtoCompare,
+ return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_APP_LAYER_PROTOCOL, SIG_MASK_REQUIRE_FLOW,
+ PrefilterPacketAppProtoSet, PrefilterPacketAppProtoCompare,
PrefilterPacketAppProtoMatch);
}
void DetectAppLayerProtocolRegister(void)
{
- sigmatch_table[DETECT_AL_APP_LAYER_PROTOCOL].name = "app-layer-protocol";
- sigmatch_table[DETECT_AL_APP_LAYER_PROTOCOL].desc = "match on the detected app-layer protocol";
- sigmatch_table[DETECT_AL_APP_LAYER_PROTOCOL].url = "/rules/app-layer.html#app-layer-protocol";
- sigmatch_table[DETECT_AL_APP_LAYER_PROTOCOL].Match =
- DetectAppLayerProtocolPacketMatch;
- sigmatch_table[DETECT_AL_APP_LAYER_PROTOCOL].Setup =
- DetectAppLayerProtocolSetup;
- sigmatch_table[DETECT_AL_APP_LAYER_PROTOCOL].Free =
- DetectAppLayerProtocolFree;
+ sigmatch_table[DETECT_APP_LAYER_PROTOCOL].name = "app-layer-protocol";
+ sigmatch_table[DETECT_APP_LAYER_PROTOCOL].desc = "match on the detected app-layer protocol";
+ sigmatch_table[DETECT_APP_LAYER_PROTOCOL].url = "/rules/app-layer.html#app-layer-protocol";
+ sigmatch_table[DETECT_APP_LAYER_PROTOCOL].Match = DetectAppLayerProtocolPacketMatch;
+ sigmatch_table[DETECT_APP_LAYER_PROTOCOL].Setup = DetectAppLayerProtocolSetup;
+ sigmatch_table[DETECT_APP_LAYER_PROTOCOL].Free = DetectAppLayerProtocolFree;
#ifdef UNITTESTS
- sigmatch_table[DETECT_AL_APP_LAYER_PROTOCOL].RegisterTests =
- DetectAppLayerProtocolRegisterTests;
+ sigmatch_table[DETECT_APP_LAYER_PROTOCOL].RegisterTests = DetectAppLayerProtocolRegisterTests;
#endif
- sigmatch_table[DETECT_AL_APP_LAYER_PROTOCOL].flags =
- (SIGMATCH_QUOTES_OPTIONAL|SIGMATCH_HANDLE_NEGATION);
+ sigmatch_table[DETECT_APP_LAYER_PROTOCOL].flags =
+ (SIGMATCH_QUOTES_OPTIONAL | SIGMATCH_HANDLE_NEGATION);
- sigmatch_table[DETECT_AL_APP_LAYER_PROTOCOL].SetupPrefilter =
- PrefilterSetupAppProto;
- sigmatch_table[DETECT_AL_APP_LAYER_PROTOCOL].SupportsPrefilter =
- PrefilterAppProtoIsPrefilterable;
+ sigmatch_table[DETECT_APP_LAYER_PROTOCOL].SetupPrefilter = PrefilterSetupAppProto;
+ sigmatch_table[DETECT_APP_LAYER_PROTOCOL].SupportsPrefilter = PrefilterAppProtoIsPrefilterable;
}
/**********************************Unittests***********************************/
}
dnp3->function_code = function_code;
- if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_DNP3FUNC, (SigMatchCtx *)dnp3,
- g_dnp3_match_buffer_id) == NULL) {
+ if (SigMatchAppendSMToList(
+ de_ctx, s, DETECT_DNP3FUNC, (SigMatchCtx *)dnp3, g_dnp3_match_buffer_id) == NULL) {
goto error;
}
}
detect->ind_flags = flags;
- if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_DNP3IND, (SigMatchCtx *)detect,
- g_dnp3_match_buffer_id) == NULL) {
+ if (SigMatchAppendSMToList(
+ de_ctx, s, DETECT_DNP3IND, (SigMatchCtx *)detect, g_dnp3_match_buffer_id) == NULL) {
goto error;
}
detect->obj_group = group;
detect->obj_variation = variation;
- if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_DNP3OBJ, (SigMatchCtx *)detect,
- g_dnp3_match_buffer_id) == NULL) {
+ if (SigMatchAppendSMToList(
+ de_ctx, s, DETECT_DNP3OBJ, (SigMatchCtx *)detect, g_dnp3_match_buffer_id) == NULL) {
goto fail;
}
{
SCEnter();
- sigmatch_table[DETECT_AL_DNP3FUNC].name = "dnp3_func";
- sigmatch_table[DETECT_AL_DNP3FUNC].alias = "dnp3.func";
- sigmatch_table[DETECT_AL_DNP3FUNC].desc = "match on the application function code found in DNP3 request and responses";
- sigmatch_table[DETECT_AL_DNP3FUNC].url = "/rules/dnp3-keywords.html#dnp3-func";
- sigmatch_table[DETECT_AL_DNP3FUNC].Match = NULL;
- sigmatch_table[DETECT_AL_DNP3FUNC].AppLayerTxMatch = DetectDNP3FuncMatch;
- sigmatch_table[DETECT_AL_DNP3FUNC].Setup = DetectDNP3FuncSetup;
- sigmatch_table[DETECT_AL_DNP3FUNC].Free = DetectDNP3Free;
+ sigmatch_table[DETECT_DNP3FUNC].name = "dnp3_func";
+ sigmatch_table[DETECT_DNP3FUNC].alias = "dnp3.func";
+ sigmatch_table[DETECT_DNP3FUNC].desc =
+ "match on the application function code found in DNP3 request and responses";
+ sigmatch_table[DETECT_DNP3FUNC].url = "/rules/dnp3-keywords.html#dnp3-func";
+ sigmatch_table[DETECT_DNP3FUNC].Match = NULL;
+ sigmatch_table[DETECT_DNP3FUNC].AppLayerTxMatch = DetectDNP3FuncMatch;
+ sigmatch_table[DETECT_DNP3FUNC].Setup = DetectDNP3FuncSetup;
+ sigmatch_table[DETECT_DNP3FUNC].Free = DetectDNP3Free;
#ifdef UNITTESTS
- sigmatch_table[DETECT_AL_DNP3FUNC].RegisterTests =
- DetectDNP3FuncRegisterTests;
+ sigmatch_table[DETECT_DNP3FUNC].RegisterTests = DetectDNP3FuncRegisterTests;
#endif
SCReturn;
}
{
SCEnter();
- sigmatch_table[DETECT_AL_DNP3IND].name = "dnp3_ind";
- sigmatch_table[DETECT_AL_DNP3IND].alias = "dnp3.ind";
- sigmatch_table[DETECT_AL_DNP3IND].desc = "match on the DNP3 internal indicator flags in the response application header";
- sigmatch_table[DETECT_AL_DNP3IND].url = "/rules/dnp3-keywords.html#dnp3-ind";
- sigmatch_table[DETECT_AL_DNP3IND].Match = NULL;
- sigmatch_table[DETECT_AL_DNP3IND].AppLayerTxMatch = DetectDNP3IndMatch;
- sigmatch_table[DETECT_AL_DNP3IND].Setup = DetectDNP3IndSetup;
- sigmatch_table[DETECT_AL_DNP3IND].Free = DetectDNP3Free;
+ sigmatch_table[DETECT_DNP3IND].name = "dnp3_ind";
+ sigmatch_table[DETECT_DNP3IND].alias = "dnp3.ind";
+ sigmatch_table[DETECT_DNP3IND].desc =
+ "match on the DNP3 internal indicator flags in the response application header";
+ sigmatch_table[DETECT_DNP3IND].url = "/rules/dnp3-keywords.html#dnp3-ind";
+ sigmatch_table[DETECT_DNP3IND].Match = NULL;
+ sigmatch_table[DETECT_DNP3IND].AppLayerTxMatch = DetectDNP3IndMatch;
+ sigmatch_table[DETECT_DNP3IND].Setup = DetectDNP3IndSetup;
+ sigmatch_table[DETECT_DNP3IND].Free = DetectDNP3Free;
#ifdef UNITTESTS
- sigmatch_table[DETECT_AL_DNP3IND].RegisterTests =
- DetectDNP3IndRegisterTests;
+ sigmatch_table[DETECT_DNP3IND].RegisterTests = DetectDNP3IndRegisterTests;
#endif
SCReturn;
}
{
SCEnter();
- sigmatch_table[DETECT_AL_DNP3OBJ].name = "dnp3_obj";
- sigmatch_table[DETECT_AL_DNP3OBJ].alias = "dnp3.obj";
- sigmatch_table[DETECT_AL_DNP3OBJ].desc = "match on the DNP3 application data objects";
- sigmatch_table[DETECT_AL_DNP3OBJ].url = "/rules/dnp3-keywords.html#dnp3-obj";
- sigmatch_table[DETECT_AL_DNP3OBJ].Match = NULL;
- sigmatch_table[DETECT_AL_DNP3OBJ].AppLayerTxMatch = DetectDNP3ObjMatch;
- sigmatch_table[DETECT_AL_DNP3OBJ].Setup = DetectDNP3ObjSetup;
- sigmatch_table[DETECT_AL_DNP3OBJ].Free = DetectDNP3Free;
+ sigmatch_table[DETECT_DNP3OBJ].name = "dnp3_obj";
+ sigmatch_table[DETECT_DNP3OBJ].alias = "dnp3.obj";
+ sigmatch_table[DETECT_DNP3OBJ].desc = "match on the DNP3 application data objects";
+ sigmatch_table[DETECT_DNP3OBJ].url = "/rules/dnp3-keywords.html#dnp3-obj";
+ sigmatch_table[DETECT_DNP3OBJ].Match = NULL;
+ sigmatch_table[DETECT_DNP3OBJ].AppLayerTxMatch = DetectDNP3ObjMatch;
+ sigmatch_table[DETECT_DNP3OBJ].Setup = DetectDNP3ObjSetup;
+ sigmatch_table[DETECT_DNP3OBJ].Free = DetectDNP3Free;
#ifdef UNITTESTS
- sigmatch_table[DETECT_AL_DNP3OBJ].RegisterTests =
- DetectDNP3ObjRegisterTests;
+ sigmatch_table[DETECT_DNP3OBJ].RegisterTests = DetectDNP3ObjRegisterTests;
#endif
SCReturn;
}
{
SCEnter();
- sigmatch_table[DETECT_AL_DNP3DATA].name = "dnp3.data";
- sigmatch_table[DETECT_AL_DNP3DATA].alias = "dnp3_data";
- sigmatch_table[DETECT_AL_DNP3DATA].desc = "make the following content options to match on the re-assembled application buffer";
- sigmatch_table[DETECT_AL_DNP3DATA].url = "/rules/dnp3-keywords.html#dnp3-data";
- sigmatch_table[DETECT_AL_DNP3DATA].Setup = DetectDNP3DataSetup;
- sigmatch_table[DETECT_AL_DNP3DATA].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;
+ sigmatch_table[DETECT_DNP3DATA].name = "dnp3.data";
+ sigmatch_table[DETECT_DNP3DATA].alias = "dnp3_data";
+ sigmatch_table[DETECT_DNP3DATA].desc =
+ "make the following content options to match on the re-assembled application buffer";
+ sigmatch_table[DETECT_DNP3DATA].url = "/rules/dnp3-keywords.html#dnp3-data";
+ sigmatch_table[DETECT_DNP3DATA].Setup = DetectDNP3DataSetup;
+ sigmatch_table[DETECT_DNP3DATA].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;
DetectAppLayerInspectEngineRegister("dnp3_data", ALPROTO_DNP3, SIG_FLAG_TOSERVER, 0,
DetectEngineInspectBufferGeneric, GetDNP3Data);
void DetectDnsAnswerNameRegister(void)
{
static const char *keyword = "dns.answer.name";
- sigmatch_table[DETECT_AL_DNS_ANSWER_NAME].name = keyword;
- sigmatch_table[DETECT_AL_DNS_ANSWER_NAME].desc = "DNS answer name sticky buffer";
- sigmatch_table[DETECT_AL_DNS_ANSWER_NAME].url = "/rules/dns-keywords.html#dns-answer-name";
- sigmatch_table[DETECT_AL_DNS_ANSWER_NAME].Setup = DetectSetup;
- sigmatch_table[DETECT_AL_DNS_ANSWER_NAME].flags |= SIGMATCH_NOOPT;
- sigmatch_table[DETECT_AL_DNS_ANSWER_NAME].flags |= SIGMATCH_INFO_STICKY_BUFFER;
+ sigmatch_table[DETECT_DNS_ANSWER_NAME].name = keyword;
+ sigmatch_table[DETECT_DNS_ANSWER_NAME].desc = "DNS answer name sticky buffer";
+ sigmatch_table[DETECT_DNS_ANSWER_NAME].url = "/rules/dns-keywords.html#dns-answer-name";
+ sigmatch_table[DETECT_DNS_ANSWER_NAME].Setup = DetectSetup;
+ sigmatch_table[DETECT_DNS_ANSWER_NAME].flags |= SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_DNS_ANSWER_NAME].flags |= SIGMATCH_INFO_STICKY_BUFFER;
/* Register in the TO_SERVER direction, even though this is not
normal, it could be provided as part of a request. */
return -1;
}
- if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_DNS_OPCODE, (SigMatchCtx *)detect,
- dns_opcode_list_id) == NULL) {
+ if (SigMatchAppendSMToList(
+ de_ctx, s, DETECT_DNS_OPCODE, (SigMatchCtx *)detect, dns_opcode_list_id) == NULL) {
goto error;
}
void DetectDnsOpcodeRegister(void)
{
- sigmatch_table[DETECT_AL_DNS_OPCODE].name = "dns.opcode";
- sigmatch_table[DETECT_AL_DNS_OPCODE].desc = "Match the DNS header opcode flag.";
- sigmatch_table[DETECT_AL_DNS_OPCODE].Setup = DetectDnsOpcodeSetup;
- sigmatch_table[DETECT_AL_DNS_OPCODE].Free = DetectDnsOpcodeFree;
- sigmatch_table[DETECT_AL_DNS_OPCODE].Match = NULL;
- sigmatch_table[DETECT_AL_DNS_OPCODE].AppLayerTxMatch =
- DetectDnsOpcodeMatch;
+ sigmatch_table[DETECT_DNS_OPCODE].name = "dns.opcode";
+ sigmatch_table[DETECT_DNS_OPCODE].desc = "Match the DNS header opcode flag.";
+ sigmatch_table[DETECT_DNS_OPCODE].Setup = DetectDnsOpcodeSetup;
+ sigmatch_table[DETECT_DNS_OPCODE].Free = DetectDnsOpcodeFree;
+ sigmatch_table[DETECT_DNS_OPCODE].Match = NULL;
+ sigmatch_table[DETECT_DNS_OPCODE].AppLayerTxMatch = DetectDnsOpcodeMatch;
DetectAppLayerInspectEngineRegister(
"dns.opcode", ALPROTO_DNS, SIG_FLAG_TOSERVER, 0, DetectEngineInspectGenericList, NULL);
void DetectDnsQueryNameRegister(void)
{
static const char *keyword = "dns.query.name";
- sigmatch_table[DETECT_AL_DNS_QUERY_NAME].name = keyword;
- sigmatch_table[DETECT_AL_DNS_QUERY_NAME].desc = "DNS query name sticky buffer";
- sigmatch_table[DETECT_AL_DNS_QUERY_NAME].url = "/rules/dns-keywords.html#dns-query-name";
- sigmatch_table[DETECT_AL_DNS_QUERY_NAME].Setup = DetectSetup;
- sigmatch_table[DETECT_AL_DNS_QUERY_NAME].flags |= SIGMATCH_NOOPT;
- sigmatch_table[DETECT_AL_DNS_QUERY_NAME].flags |= SIGMATCH_INFO_STICKY_BUFFER;
+ sigmatch_table[DETECT_DNS_QUERY_NAME].name = keyword;
+ sigmatch_table[DETECT_DNS_QUERY_NAME].desc = "DNS query name sticky buffer";
+ sigmatch_table[DETECT_DNS_QUERY_NAME].url = "/rules/dns-keywords.html#dns-query-name";
+ sigmatch_table[DETECT_DNS_QUERY_NAME].Setup = DetectSetup;
+ sigmatch_table[DETECT_DNS_QUERY_NAME].flags |= SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_DNS_QUERY_NAME].flags |= SIGMATCH_INFO_STICKY_BUFFER;
/* Register in both directions as the query is usually echoed back
in the response. */
*/
void DetectDnsQueryRegister (void)
{
- sigmatch_table[DETECT_AL_DNS_QUERY].name = "dns.query";
- sigmatch_table[DETECT_AL_DNS_QUERY].alias = "dns_query";
- sigmatch_table[DETECT_AL_DNS_QUERY].desc = "sticky buffer to match DNS query-buffer";
- sigmatch_table[DETECT_AL_DNS_QUERY].url = "/rules/dns-keywords.html#dns-query";
- sigmatch_table[DETECT_AL_DNS_QUERY].Setup = DetectDnsQuerySetup;
+ sigmatch_table[DETECT_DNS_QUERY].name = "dns.query";
+ sigmatch_table[DETECT_DNS_QUERY].alias = "dns_query";
+ sigmatch_table[DETECT_DNS_QUERY].desc = "sticky buffer to match DNS query-buffer";
+ sigmatch_table[DETECT_DNS_QUERY].url = "/rules/dns-keywords.html#dns-query";
+ sigmatch_table[DETECT_DNS_QUERY].Setup = DetectDnsQuerySetup;
#ifdef UNITTESTS
- sigmatch_table[DETECT_AL_DNS_QUERY].RegisterTests = DetectDnsQueryRegisterTests;
+ sigmatch_table[DETECT_DNS_QUERY].RegisterTests = DetectDnsQueryRegisterTests;
#endif
- sigmatch_table[DETECT_AL_DNS_QUERY].flags |= SIGMATCH_NOOPT;
- sigmatch_table[DETECT_AL_DNS_QUERY].flags |= SIGMATCH_INFO_STICKY_BUFFER;
+ sigmatch_table[DETECT_DNS_QUERY].flags |= SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_DNS_QUERY].flags |= SIGMATCH_INFO_STICKY_BUFFER;
DetectAppLayerMultiRegister(
"dns_query", ALPROTO_DNS, SIG_FLAG_TOSERVER, 1, DnsQueryGetData, 2, 1);
}
if (SigMatchAppendSMToList(
- de_ctx, s, DETECT_AL_DNS_RCODE, (SigMatchCtx *)detect, dns_rcode_list_id) == NULL) {
+ de_ctx, s, DETECT_DNS_RCODE, (SigMatchCtx *)detect, dns_rcode_list_id) == NULL) {
DetectDnsRcodeFree(de_ctx, detect);
SCReturnInt(-1);
}
void DetectDnsRcodeRegister(void)
{
- sigmatch_table[DETECT_AL_DNS_RCODE].name = "dns.rcode";
- sigmatch_table[DETECT_AL_DNS_RCODE].desc = "Match the DNS header rcode flag.";
- sigmatch_table[DETECT_AL_DNS_RCODE].url = "/rules/dns-keywords.html#dns-rcode";
- sigmatch_table[DETECT_AL_DNS_RCODE].Setup = DetectDnsRcodeSetup;
- sigmatch_table[DETECT_AL_DNS_RCODE].Free = DetectDnsRcodeFree;
- sigmatch_table[DETECT_AL_DNS_RCODE].Match = NULL;
- sigmatch_table[DETECT_AL_DNS_RCODE].AppLayerTxMatch = DetectDnsRcodeMatch;
+ sigmatch_table[DETECT_DNS_RCODE].name = "dns.rcode";
+ sigmatch_table[DETECT_DNS_RCODE].desc = "Match the DNS header rcode flag.";
+ sigmatch_table[DETECT_DNS_RCODE].url = "/rules/dns-keywords.html#dns-rcode";
+ sigmatch_table[DETECT_DNS_RCODE].Setup = DetectDnsRcodeSetup;
+ sigmatch_table[DETECT_DNS_RCODE].Free = DetectDnsRcodeFree;
+ sigmatch_table[DETECT_DNS_RCODE].Match = NULL;
+ sigmatch_table[DETECT_DNS_RCODE].AppLayerTxMatch = DetectDnsRcodeMatch;
DetectAppLayerInspectEngineRegister(
"dns.rcode", ALPROTO_DNS, SIG_FLAG_TOSERVER, 0, DetectEngineInspectGenericList, NULL);
SCReturnInt(-1);
}
- if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_DNS_RRTYPE, (SigMatchCtx *)detect,
- dns_rrtype_list_id) == NULL) {
+ if (SigMatchAppendSMToList(
+ de_ctx, s, DETECT_DNS_RRTYPE, (SigMatchCtx *)detect, dns_rrtype_list_id) == NULL) {
DetectDnsRrtypeFree(de_ctx, detect);
SCReturnInt(-1);
}
void DetectDnsRrtypeRegister(void)
{
- sigmatch_table[DETECT_AL_DNS_RRTYPE].name = "dns.rrtype";
- sigmatch_table[DETECT_AL_DNS_RRTYPE].desc = "Match the DNS rrtype in message body.";
- sigmatch_table[DETECT_AL_DNS_RRTYPE].url = "/rules/dns-keywords.html#dns-rrtype";
- sigmatch_table[DETECT_AL_DNS_RRTYPE].Setup = DetectDnsRrtypeSetup;
- sigmatch_table[DETECT_AL_DNS_RRTYPE].Free = DetectDnsRrtypeFree;
- sigmatch_table[DETECT_AL_DNS_RRTYPE].Match = NULL;
- sigmatch_table[DETECT_AL_DNS_RRTYPE].AppLayerTxMatch = DetectDnsRrtypeMatch;
+ sigmatch_table[DETECT_DNS_RRTYPE].name = "dns.rrtype";
+ sigmatch_table[DETECT_DNS_RRTYPE].desc = "Match the DNS rrtype in message body.";
+ sigmatch_table[DETECT_DNS_RRTYPE].url = "/rules/dns-keywords.html#dns-rrtype";
+ sigmatch_table[DETECT_DNS_RRTYPE].Setup = DetectDnsRrtypeSetup;
+ sigmatch_table[DETECT_DNS_RRTYPE].Free = DetectDnsRrtypeFree;
+ sigmatch_table[DETECT_DNS_RRTYPE].Match = NULL;
+ sigmatch_table[DETECT_DNS_RRTYPE].AppLayerTxMatch = DetectDnsRrtypeMatch;
DetectAppLayerInspectEngineRegister(
"dns.rrtype", ALPROTO_DNS, SIG_FLAG_TOSERVER, 0, DetectEngineInspectGenericList, NULL);
int pd = 0;
for ( ; sm != NULL; sm = sm->next) {
- if (sm->type == DETECT_AL_APP_LAYER_PROTOCOL) {
+ if (sm->type == DETECT_APP_LAYER_PROTOCOL) {
pd = 1;
} else {
/* flowbits are supported for dp only sigs, as long
// fallthrough
case DETECT_STREAM_EVENT:
// fallthrough
- case DETECT_AL_APP_LAYER_EVENT:
+ case DETECT_APP_LAYER_EVENT:
// fallthrough
case DETECT_ENGINE_EVENT:
s->mask |= SIG_MASK_REQUIRE_ENGINE_EVENT;
}
goto no_match_discontinue;
- } else if (smd->type == DETECT_AL_URILEN) {
+ } else if (smd->type == DETECT_URILEN) {
SCLogDebug("inspecting uri len");
int r;
/* sorted by prefilter priority. Higher in this list means it will be
* picked over ones lower in the list */
- DETECT_AL_APP_LAYER_PROTOCOL,
+ DETECT_APP_LAYER_PROTOCOL,
DETECT_ACK,
DETECT_SEQ,
DETECT_WINDOW,
DETECT_ASN1,
DETECT_LUA,
DETECT_ISDATAAT,
- DETECT_AL_URILEN,
+ DETECT_URILEN,
DETECT_ABSENT,
/* end of content inspection */
DETECT_REQUIRES,
- DETECT_AL_TLS_VERSION,
- DETECT_AL_TLS_SUBJECT,
- DETECT_AL_TLS_ISSUERDN,
- DETECT_AL_TLS_NOTBEFORE,
- DETECT_AL_TLS_NOTAFTER,
- DETECT_AL_TLS_EXPIRED,
- DETECT_AL_TLS_VALID,
- DETECT_AL_TLS_FINGERPRINT,
- DETECT_AL_TLS_STORE,
- DETECT_AL_TLS_CHAIN_LEN,
+ DETECT_TLS_VERSION,
+ DETECT_TLS_SUBJECT,
+ DETECT_TLS_ISSUERDN,
+ DETECT_TLS_NOTBEFORE,
+ DETECT_TLS_NOTAFTER,
+ DETECT_TLS_EXPIRED,
+ DETECT_TLS_VALID,
+ DETECT_TLS_FINGERPRINT,
+ DETECT_TLS_STORE,
+ DETECT_TLS_CHAIN_LEN,
DETECT_TLS_ALPN,
- DETECT_AL_HTTP_COOKIE,
+ DETECT_HTTP_COOKIE_CM,
DETECT_HTTP_COOKIE,
- DETECT_AL_HTTP_METHOD,
+ DETECT_HTTP_METHOD_CM,
DETECT_HTTP_METHOD,
- DETECT_AL_HTTP_PROTOCOL,
- DETECT_AL_HTTP_START,
- DETECT_AL_HTTP_CLIENT_BODY,
+ DETECT_HTTP_PROTOCOL,
+ DETECT_HTTP_START,
+ DETECT_HTTP_CLIENT_BODY,
DETECT_HTTP_REQUEST_BODY,
- DETECT_AL_HTTP_SERVER_BODY,
+ DETECT_HTTP_SERVER_BODY,
DETECT_HTTP_RESPONSE_BODY,
- DETECT_AL_HTTP_HEADER,
+ DETECT_HTTP_HEADER_CM,
DETECT_HTTP_HEADER,
- DETECT_AL_HTTP_HEADER_NAMES,
- DETECT_AL_HTTP_HEADER_ACCEPT,
- DETECT_AL_HTTP_HEADER_ACCEPT_LANG,
- DETECT_AL_HTTP_HEADER_ACCEPT_ENC,
- DETECT_AL_HTTP_HEADER_CONNECTION,
- DETECT_AL_HTTP_HEADER_CONTENT_LEN,
- DETECT_AL_HTTP_HEADER_CONTENT_TYPE,
- DETECT_AL_HTTP_HEADER_LOCATION,
- DETECT_AL_HTTP_HEADER_SERVER,
- DETECT_AL_HTTP_HEADER_REFERER,
- DETECT_AL_HTTP_RAW_HEADER,
+ DETECT_HTTP_HEADER_NAMES,
+ DETECT_HTTP_HEADER_ACCEPT,
+ DETECT_HTTP_HEADER_ACCEPT_LANG,
+ DETECT_HTTP_HEADER_ACCEPT_ENC,
+ DETECT_HTTP_HEADER_CONNECTION,
+ DETECT_HTTP_HEADER_CONTENT_LEN,
+ DETECT_HTTP_HEADER_CONTENT_TYPE,
+ DETECT_HTTP_HEADER_LOCATION,
+ DETECT_HTTP_HEADER_SERVER,
+ DETECT_HTTP_HEADER_REFERER,
+ DETECT_HTTP_RAW_HEADER_CM,
DETECT_HTTP_RAW_HEADER,
- DETECT_AL_HTTP_URI,
+ DETECT_HTTP_URI_CM,
DETECT_HTTP_URI,
DETECT_HTTP_URI_RAW,
- DETECT_AL_HTTP_RAW_URI,
- DETECT_AL_HTTP_STAT_MSG,
+ DETECT_HTTP_RAW_URI,
+ DETECT_HTTP_STAT_MSG_CM,
DETECT_HTTP_STAT_MSG,
- DETECT_AL_HTTP_STAT_CODE,
+ DETECT_HTTP_STAT_CODE_CM,
DETECT_HTTP_STAT_CODE,
- DETECT_AL_HTTP_USER_AGENT,
+ DETECT_HTTP_USER_AGENT,
DETECT_HTTP_UA,
- DETECT_AL_HTTP_HOST,
+ DETECT_HTTP_HOST_CM,
DETECT_HTTP_HOST,
- DETECT_AL_HTTP_RAW_HOST,
+ DETECT_HTTP_RAW_HOST,
DETECT_HTTP_HOST_RAW,
- DETECT_AL_HTTP_REQUEST_LINE,
- DETECT_AL_HTTP_RESPONSE_LINE,
- DETECT_AL_NFS_PROCEDURE,
- DETECT_AL_NFS_VERSION,
- DETECT_AL_SSH_PROTOCOL,
- DETECT_AL_SSH_PROTOVERSION,
- DETECT_AL_SSH_SOFTWARE,
- DETECT_AL_SSH_SOFTWAREVERSION,
- DETECT_AL_SSH_HASSH,
- DETECT_AL_SSH_HASSH_SERVER,
- DETECT_AL_SSH_HASSH_STRING,
- DETECT_AL_SSH_HASSH_SERVER_STRING,
- DETECT_AL_SSL_VERSION,
- DETECT_AL_SSL_STATE,
+ DETECT_HTTP_REQUEST_LINE,
+ DETECT_HTTP_RESPONSE_LINE,
+ DETECT_NFS_PROCEDURE,
+ DETECT_NFS_VERSION,
+ DETECT_SSH_PROTOCOL,
+ DETECT_SSH_PROTOVERSION,
+ DETECT_SSH_SOFTWARE,
+ DETECT_SSH_SOFTWAREVERSION,
+ DETECT_SSH_HASSH,
+ DETECT_SSH_HASSH_SERVER,
+ DETECT_SSH_HASSH_STRING,
+ DETECT_SSH_HASSH_SERVER_STRING,
+ DETECT_SSL_VERSION,
+ DETECT_SSL_STATE,
DETECT_FILE_DATA,
DETECT_PKT_DATA,
- DETECT_AL_APP_LAYER_EVENT,
+ DETECT_APP_LAYER_EVENT,
DETECT_HTTP2_FRAMETYPE,
DETECT_HTTP2_ERRORCODE,
DETECT_L3PROTO,
DETECT_IPREP,
- DETECT_AL_DNS_QUERY,
- DETECT_AL_DNS_OPCODE,
- DETECT_AL_DNS_RCODE,
- DETECT_AL_DNS_RRTYPE,
- DETECT_AL_DNS_ANSWER_NAME,
- DETECT_AL_DNS_QUERY_NAME,
- DETECT_AL_TLS_SNI,
- DETECT_AL_TLS_CERTS,
- DETECT_AL_TLS_CERT_ISSUER,
- DETECT_AL_TLS_CERT_SUBJECT,
- DETECT_AL_TLS_CERT_SERIAL,
- DETECT_AL_TLS_CERT_FINGERPRINT,
- DETECT_AL_TLS_SUBJECTALTNAME,
- DETECT_AL_TLS_RANDOM_TIME,
- DETECT_AL_TLS_RANDOM_BYTES,
- DETECT_AL_TLS_RANDOM,
-
- DETECT_AL_TLS_JA3_HASH,
- DETECT_AL_TLS_JA3_STRING,
- DETECT_AL_TLS_JA3S_HASH,
- DETECT_AL_TLS_JA3S_STRING,
-
- DETECT_AL_MODBUS,
-
- DETECT_AL_DNP3DATA,
- DETECT_AL_DNP3FUNC,
- DETECT_AL_DNP3IND,
- DETECT_AL_DNP3OBJ,
-
- DETECT_AL_KRB5_ERRCODE,
- DETECT_AL_KRB5_MSGTYPE,
- DETECT_AL_KRB5_CNAME,
- DETECT_AL_KRB5_SNAME,
- DETECT_AL_KRB5_TICKET_ENCRYPTION,
-
- DETECT_AL_SIP_METHOD,
- DETECT_AL_SIP_URI,
- DETECT_AL_SIP_PROTOCOL,
- DETECT_AL_SIP_STAT_CODE,
- DETECT_AL_SIP_STAT_MSG,
- DETECT_AL_SIP_REQUEST_LINE,
- DETECT_AL_SIP_RESPONSE_LINE,
+ DETECT_DNS_QUERY,
+ DETECT_DNS_OPCODE,
+ DETECT_DNS_RCODE,
+ DETECT_DNS_RRTYPE,
+ DETECT_DNS_ANSWER_NAME,
+ DETECT_DNS_QUERY_NAME,
+ DETECT_TLS_SNI,
+ DETECT_TLS_CERTS,
+ DETECT_TLS_CERT_ISSUER,
+ DETECT_TLS_CERT_SUBJECT,
+ DETECT_TLS_CERT_SERIAL,
+ DETECT_TLS_CERT_FINGERPRINT,
+ DETECT_TLS_SUBJECTALTNAME,
+ DETECT_TLS_RANDOM_TIME,
+ DETECT_TLS_RANDOM_BYTES,
+ DETECT_TLS_RANDOM,
+
+ DETECT_TLS_JA3_HASH,
+ DETECT_TLS_JA3_STRING,
+ DETECT_TLS_JA3S_HASH,
+ DETECT_TLS_JA3S_STRING,
+
+ DETECT_MODBUS,
+
+ DETECT_DNP3DATA,
+ DETECT_DNP3FUNC,
+ DETECT_DNP3IND,
+ DETECT_DNP3OBJ,
+
+ DETECT_KRB5_ERRCODE,
+ DETECT_KRB5_MSGTYPE,
+ DETECT_KRB5_CNAME,
+ DETECT_KRB5_SNAME,
+ DETECT_KRB5_TICKET_ENCRYPTION,
+
+ DETECT_SIP_METHOD,
+ DETECT_SIP_URI,
+ DETECT_SIP_PROTOCOL,
+ DETECT_SIP_STAT_CODE,
+ DETECT_SIP_STAT_MSG,
+ DETECT_SIP_REQUEST_LINE,
+ DETECT_SIP_RESPONSE_LINE,
DETECT_TEMPLATE,
DETECT_TEMPLATE2,
DETECT_IPV4HDR,
DETECT_TCPMSS,
DETECT_FTPDATA,
DETECT_TARGET,
- DETECT_AL_QUIC_VERSION,
- DETECT_AL_QUIC_SNI,
- DETECT_AL_QUIC_UA,
- DETECT_AL_QUIC_CYU_HASH,
- DETECT_AL_QUIC_CYU_STRING,
+ DETECT_QUIC_VERSION,
+ DETECT_QUIC_SNI,
+ DETECT_QUIC_UA,
+ DETECT_QUIC_CYU_HASH,
+ DETECT_QUIC_CYU_STRING,
DETECT_BYPASS,
DETECT_TRANSFORM_HEADER_LOWERCASE,
DETECT_TRANSFORM_FROM_BASE64,
- DETECT_AL_IKE_EXCH_TYPE,
- DETECT_AL_IKE_SPI_INITIATOR,
- DETECT_AL_IKE_SPI_RESPONDER,
- DETECT_AL_IKE_VENDOR,
- DETECT_AL_IKE_CHOSEN_SA,
- DETECT_AL_IKE_KEY_EXCHANGE_PAYLOAD_LENGTH,
- DETECT_AL_IKE_NONCE_PAYLOAD_LENGTH,
- DETECT_AL_IKE_NONCE,
- DETECT_AL_IKE_KEY_EXCHANGE,
-
- DETECT_AL_JA4_HASH,
+ DETECT_IKE_EXCH_TYPE,
+ DETECT_IKE_SPI_INITIATOR,
+ DETECT_IKE_SPI_RESPONDER,
+ DETECT_IKE_VENDOR,
+ DETECT_IKE_CHOSEN_SA,
+ DETECT_IKE_KEY_EXCHANGE_PAYLOAD_LENGTH,
+ DETECT_IKE_NONCE_PAYLOAD_LENGTH,
+ DETECT_IKE_NONCE,
+ DETECT_IKE_KEY_EXCHANGE,
+
+ DETECT_JA4_HASH,
DETECT_VLAN_ID,
DETECT_VLAN_LAYERS,
#define BUFFER_NAME "http_accept_enc"
#define BUFFER_DESC "http accept encoding header"
#define HEADER_NAME "Accept-Encoding"
-#define KEYWORD_ID DETECT_AL_HTTP_HEADER_ACCEPT_ENC
+#define KEYWORD_ID DETECT_HTTP_HEADER_ACCEPT_ENC
#define KEYWORD_TOSERVER 1
#include "detect-http-headers-stub.h"
#define BUFFER_NAME "http_accept_lang"
#define BUFFER_DESC "http accept language header"
#define HEADER_NAME "Accept-Language"
-#define KEYWORD_ID DETECT_AL_HTTP_HEADER_ACCEPT_LANG
+#define KEYWORD_ID DETECT_HTTP_HEADER_ACCEPT_LANG
#define KEYWORD_TOSERVER 1
#include "detect-http-headers-stub.h"
#define BUFFER_NAME "http_accept"
#define BUFFER_DESC "http accept header"
#define HEADER_NAME "Accept"
-#define KEYWORD_ID DETECT_AL_HTTP_HEADER_ACCEPT
+#define KEYWORD_ID DETECT_HTTP_HEADER_ACCEPT
#define KEYWORD_TOSERVER 1
#include "detect-http-headers-stub.h"
void DetectHttpClientBodyRegister(void)
{
/* http_client_body content modifier */
- sigmatch_table[DETECT_AL_HTTP_CLIENT_BODY].name = "http_client_body";
- sigmatch_table[DETECT_AL_HTTP_CLIENT_BODY].desc = "content modifier to match only on HTTP request-body";
- sigmatch_table[DETECT_AL_HTTP_CLIENT_BODY].url = "/rules/http-keywords.html#http-client-body";
- sigmatch_table[DETECT_AL_HTTP_CLIENT_BODY].Setup = DetectHttpClientBodySetup;
+ sigmatch_table[DETECT_HTTP_CLIENT_BODY].name = "http_client_body";
+ sigmatch_table[DETECT_HTTP_CLIENT_BODY].desc =
+ "content modifier to match only on HTTP request-body";
+ sigmatch_table[DETECT_HTTP_CLIENT_BODY].url = "/rules/http-keywords.html#http-client-body";
+ sigmatch_table[DETECT_HTTP_CLIENT_BODY].Setup = DetectHttpClientBodySetup;
#ifdef UNITTESTS
- sigmatch_table[DETECT_AL_HTTP_CLIENT_BODY].RegisterTests = DetectHttpClientBodyRegisterTests;
+ sigmatch_table[DETECT_HTTP_CLIENT_BODY].RegisterTests = DetectHttpClientBodyRegisterTests;
#endif
- sigmatch_table[DETECT_AL_HTTP_CLIENT_BODY].flags |= SIGMATCH_NOOPT ;
- sigmatch_table[DETECT_AL_HTTP_CLIENT_BODY].flags |= SIGMATCH_INFO_CONTENT_MODIFIER;
- sigmatch_table[DETECT_AL_HTTP_CLIENT_BODY].alternative = DETECT_HTTP_REQUEST_BODY;
+ sigmatch_table[DETECT_HTTP_CLIENT_BODY].flags |= SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_HTTP_CLIENT_BODY].flags |= SIGMATCH_INFO_CONTENT_MODIFIER;
+ sigmatch_table[DETECT_HTTP_CLIENT_BODY].alternative = DETECT_HTTP_REQUEST_BODY;
/* http.request_body sticky buffer */
sigmatch_table[DETECT_HTTP_REQUEST_BODY].name = "http.request_body";
*/
int DetectHttpClientBodySetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
{
- return DetectEngineContentModifierBufferSetup(de_ctx, s, arg, DETECT_AL_HTTP_CLIENT_BODY,
- g_http_client_body_buffer_id, ALPROTO_HTTP1);
+ return DetectEngineContentModifierBufferSetup(
+ de_ctx, s, arg, DETECT_HTTP_CLIENT_BODY, g_http_client_body_buffer_id, ALPROTO_HTTP1);
}
/**
#define BUFFER_NAME "http_connection"
#define BUFFER_DESC "http connection header"
#define HEADER_NAME "Connection"
-#define KEYWORD_ID DETECT_AL_HTTP_HEADER_CONNECTION
+#define KEYWORD_ID DETECT_HTTP_HEADER_CONNECTION
#define KEYWORD_TOSERVER 1
#define KEYWORD_TOCLIENT 1
#define BUFFER_NAME "http_content_len"
#define BUFFER_DESC "http content length header"
#define HEADER_NAME "Content-Length"
-#define KEYWORD_ID DETECT_AL_HTTP_HEADER_CONTENT_LEN
+#define KEYWORD_ID DETECT_HTTP_HEADER_CONTENT_LEN
#define KEYWORD_TOSERVER 1
#define KEYWORD_TOCLIENT 1
#define BUFFER_NAME "http_content_type"
#define BUFFER_DESC "http content type header"
#define HEADER_NAME "Content-Type"
-#define KEYWORD_ID DETECT_AL_HTTP_HEADER_CONTENT_TYPE
+#define KEYWORD_ID DETECT_HTTP_HEADER_CONTENT_TYPE
#define KEYWORD_TOSERVER 1
#define KEYWORD_TOCLIENT 1
void DetectHttpCookieRegister(void)
{
/* http_cookie content modifier */
- sigmatch_table[DETECT_AL_HTTP_COOKIE].name = "http_cookie";
- sigmatch_table[DETECT_AL_HTTP_COOKIE].desc = "content modifier to match only on the HTTP cookie-buffer";
- sigmatch_table[DETECT_AL_HTTP_COOKIE].url = "/rules/http-keywords.html#http-cookie";
- sigmatch_table[DETECT_AL_HTTP_COOKIE].Setup = DetectHttpCookieSetup;
+ sigmatch_table[DETECT_HTTP_COOKIE_CM].name = "http_cookie";
+ sigmatch_table[DETECT_HTTP_COOKIE_CM].desc =
+ "content modifier to match only on the HTTP cookie-buffer";
+ sigmatch_table[DETECT_HTTP_COOKIE_CM].url = "/rules/http-keywords.html#http-cookie";
+ sigmatch_table[DETECT_HTTP_COOKIE_CM].Setup = DetectHttpCookieSetup;
#ifdef UNITTESTS
- sigmatch_table[DETECT_AL_HTTP_COOKIE].RegisterTests = DetectHttpCookieRegisterTests;
+ sigmatch_table[DETECT_HTTP_COOKIE_CM].RegisterTests = DetectHttpCookieRegisterTests;
#endif
- sigmatch_table[DETECT_AL_HTTP_COOKIE].flags |= SIGMATCH_NOOPT;
- sigmatch_table[DETECT_AL_HTTP_COOKIE].flags |= SIGMATCH_INFO_CONTENT_MODIFIER;
- sigmatch_table[DETECT_AL_HTTP_COOKIE].alternative = DETECT_HTTP_COOKIE;
+ sigmatch_table[DETECT_HTTP_COOKIE_CM].flags |= SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_HTTP_COOKIE_CM].flags |= SIGMATCH_INFO_CONTENT_MODIFIER;
+ sigmatch_table[DETECT_HTTP_COOKIE_CM].alternative = DETECT_HTTP_COOKIE;
/* http.cookie sticky buffer */
sigmatch_table[DETECT_HTTP_COOKIE].name = "http.cookie";
static int DetectHttpCookieSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
{
return DetectEngineContentModifierBufferSetup(
- de_ctx, s, str, DETECT_AL_HTTP_COOKIE, g_http_cookie_buffer_id, ALPROTO_HTTP1);
+ de_ctx, s, str, DETECT_HTTP_COOKIE_CM, g_http_cookie_buffer_id, ALPROTO_HTTP1);
}
/**
*/
void DetectHttpHeaderNamesRegister(void)
{
- sigmatch_table[DETECT_AL_HTTP_HEADER_NAMES].name = KEYWORD_NAME;
- sigmatch_table[DETECT_AL_HTTP_HEADER_NAMES].alias = KEYWORD_NAME_LEGACY;
- sigmatch_table[DETECT_AL_HTTP_HEADER_NAMES].desc = BUFFER_NAME " sticky buffer";
- sigmatch_table[DETECT_AL_HTTP_HEADER_NAMES].url = "/rules/" KEYWORD_DOC;
- sigmatch_table[DETECT_AL_HTTP_HEADER_NAMES].Setup = DetectHttpHeaderNamesSetup;
+ sigmatch_table[DETECT_HTTP_HEADER_NAMES].name = KEYWORD_NAME;
+ sigmatch_table[DETECT_HTTP_HEADER_NAMES].alias = KEYWORD_NAME_LEGACY;
+ sigmatch_table[DETECT_HTTP_HEADER_NAMES].desc = BUFFER_NAME " sticky buffer";
+ sigmatch_table[DETECT_HTTP_HEADER_NAMES].url = "/rules/" KEYWORD_DOC;
+ sigmatch_table[DETECT_HTTP_HEADER_NAMES].Setup = DetectHttpHeaderNamesSetup;
- sigmatch_table[DETECT_AL_HTTP_HEADER_NAMES].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;
+ sigmatch_table[DETECT_HTTP_HEADER_NAMES].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;
/* http1 */
DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
static int DetectHttpHeaderSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
{
return DetectEngineContentModifierBufferSetup(
- de_ctx, s, arg, DETECT_AL_HTTP_HEADER, g_http_header_buffer_id, ALPROTO_HTTP1);
+ de_ctx, s, arg, DETECT_HTTP_HEADER_CM, g_http_header_buffer_id, ALPROTO_HTTP1);
}
/**
void DetectHttpHeaderRegister(void)
{
/* http_header content modifier */
- sigmatch_table[DETECT_AL_HTTP_HEADER].name = "http_header";
- sigmatch_table[DETECT_AL_HTTP_HEADER].desc = "content modifier to match only on the HTTP header-buffer";
- sigmatch_table[DETECT_AL_HTTP_HEADER].url = "/rules/http-keywords.html#http-header-and-http-raw-header";
- sigmatch_table[DETECT_AL_HTTP_HEADER].Setup = DetectHttpHeaderSetup;
+ sigmatch_table[DETECT_HTTP_HEADER_CM].name = "http_header";
+ sigmatch_table[DETECT_HTTP_HEADER_CM].desc =
+ "content modifier to match only on the HTTP header-buffer";
+ sigmatch_table[DETECT_HTTP_HEADER_CM].url =
+ "/rules/http-keywords.html#http-header-and-http-raw-header";
+ sigmatch_table[DETECT_HTTP_HEADER_CM].Setup = DetectHttpHeaderSetup;
#ifdef UNITTESTS
- sigmatch_table[DETECT_AL_HTTP_HEADER].RegisterTests = DetectHttpHeaderRegisterTests;
+ sigmatch_table[DETECT_HTTP_HEADER_CM].RegisterTests = DetectHttpHeaderRegisterTests;
#endif
- sigmatch_table[DETECT_AL_HTTP_HEADER].flags |= SIGMATCH_NOOPT ;
- sigmatch_table[DETECT_AL_HTTP_HEADER].flags |= SIGMATCH_INFO_CONTENT_MODIFIER;
- sigmatch_table[DETECT_AL_HTTP_HEADER].alternative = DETECT_HTTP_HEADER;
+ sigmatch_table[DETECT_HTTP_HEADER_CM].flags |= SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_HTTP_HEADER_CM].flags |= SIGMATCH_INFO_CONTENT_MODIFIER;
+ sigmatch_table[DETECT_HTTP_HEADER_CM].alternative = DETECT_HTTP_HEADER;
/* http.header sticky buffer */
sigmatch_table[DETECT_HTTP_HEADER].name = "http.header";
void DetectHttpHHRegister(void)
{
/* http_host content modifier */
- sigmatch_table[DETECT_AL_HTTP_HOST].name = "http_host";
- sigmatch_table[DETECT_AL_HTTP_HOST].desc = "content modifier to match on the HTTP hostname";
- sigmatch_table[DETECT_AL_HTTP_HOST].url = "/rules/http-keywords.html#http-host-and-http-raw-host";
- sigmatch_table[DETECT_AL_HTTP_HOST].Setup = DetectHttpHHSetup;
+ sigmatch_table[DETECT_HTTP_HOST_CM].name = "http_host";
+ sigmatch_table[DETECT_HTTP_HOST_CM].desc = "content modifier to match on the HTTP hostname";
+ sigmatch_table[DETECT_HTTP_HOST_CM].url =
+ "/rules/http-keywords.html#http-host-and-http-raw-host";
+ sigmatch_table[DETECT_HTTP_HOST_CM].Setup = DetectHttpHHSetup;
#ifdef UNITTESTS
- sigmatch_table[DETECT_AL_HTTP_HOST].RegisterTests = DetectHttpHHRegisterTests;
+ sigmatch_table[DETECT_HTTP_HOST_CM].RegisterTests = DetectHttpHHRegisterTests;
#endif
- sigmatch_table[DETECT_AL_HTTP_HOST].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_CONTENT_MODIFIER;
- sigmatch_table[DETECT_AL_HTTP_HOST].alternative = DETECT_HTTP_HOST;
+ sigmatch_table[DETECT_HTTP_HOST_CM].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_CONTENT_MODIFIER;
+ sigmatch_table[DETECT_HTTP_HOST_CM].alternative = DETECT_HTTP_HOST;
/* http.host sticky buffer */
sigmatch_table[DETECT_HTTP_HOST].name = "http.host";
g_http_host_buffer_id = DetectBufferTypeGetByName("http_host");
/* http_raw_host content modifier */
- sigmatch_table[DETECT_AL_HTTP_RAW_HOST].name = "http_raw_host";
- sigmatch_table[DETECT_AL_HTTP_RAW_HOST].desc = "content modifier to match on the HTTP host header or the raw hostname from the HTTP uri";
- sigmatch_table[DETECT_AL_HTTP_RAW_HOST].url = "/rules/http-keywords.html#http-host-and-http-raw-host";
- sigmatch_table[DETECT_AL_HTTP_RAW_HOST].Setup = DetectHttpHRHSetup;
- sigmatch_table[DETECT_AL_HTTP_RAW_HOST].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_CONTENT_MODIFIER;
- sigmatch_table[DETECT_AL_HTTP_RAW_HOST].alternative = DETECT_HTTP_HOST_RAW;
+ sigmatch_table[DETECT_HTTP_RAW_HOST].name = "http_raw_host";
+ sigmatch_table[DETECT_HTTP_RAW_HOST].desc = "content modifier to match on the HTTP host header "
+ "or the raw hostname from the HTTP uri";
+ sigmatch_table[DETECT_HTTP_RAW_HOST].url =
+ "/rules/http-keywords.html#http-host-and-http-raw-host";
+ sigmatch_table[DETECT_HTTP_RAW_HOST].Setup = DetectHttpHRHSetup;
+ sigmatch_table[DETECT_HTTP_RAW_HOST].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_CONTENT_MODIFIER;
+ sigmatch_table[DETECT_HTTP_RAW_HOST].alternative = DETECT_HTTP_HOST_RAW;
/* http.host sticky buffer */
sigmatch_table[DETECT_HTTP_HOST_RAW].name = "http.host.raw";
static int DetectHttpHHSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
{
return DetectEngineContentModifierBufferSetup(
- de_ctx, s, arg, DETECT_AL_HTTP_HOST, g_http_host_buffer_id, ALPROTO_HTTP1);
+ de_ctx, s, arg, DETECT_HTTP_HOST_CM, g_http_host_buffer_id, ALPROTO_HTTP1);
}
static bool DetectHttpHostValidateCallback(const Signature *s, const char **sigerror)
int DetectHttpHRHSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
{
return DetectEngineContentModifierBufferSetup(
- de_ctx, s, arg, DETECT_AL_HTTP_RAW_HOST, g_http_raw_host_buffer_id, ALPROTO_HTTP1);
+ de_ctx, s, arg, DETECT_HTTP_RAW_HOST, g_http_raw_host_buffer_id, ALPROTO_HTTP1);
}
/**
#define BUFFER_NAME "http.location"
#define BUFFER_DESC "http location header"
#define HEADER_NAME "Location"
-#define KEYWORD_ID DETECT_AL_HTTP_HEADER_LOCATION
+#define KEYWORD_ID DETECT_HTTP_HEADER_LOCATION
#define KEYWORD_TOCLIENT 1
#include "detect-http-headers-stub.h"
void DetectHttpMethodRegister(void)
{
/* http_method content modifier */
- sigmatch_table[DETECT_AL_HTTP_METHOD].name = "http_method";
- sigmatch_table[DETECT_AL_HTTP_METHOD].desc = "content modifier to match only on the HTTP method-buffer";
- sigmatch_table[DETECT_AL_HTTP_METHOD].url = "/rules/http-keywords.html#http-method";
- sigmatch_table[DETECT_AL_HTTP_METHOD].Match = NULL;
- sigmatch_table[DETECT_AL_HTTP_METHOD].Setup = DetectHttpMethodSetup;
+ sigmatch_table[DETECT_HTTP_METHOD_CM].name = "http_method";
+ sigmatch_table[DETECT_HTTP_METHOD_CM].desc =
+ "content modifier to match only on the HTTP method-buffer";
+ sigmatch_table[DETECT_HTTP_METHOD_CM].url = "/rules/http-keywords.html#http-method";
+ sigmatch_table[DETECT_HTTP_METHOD_CM].Match = NULL;
+ sigmatch_table[DETECT_HTTP_METHOD_CM].Setup = DetectHttpMethodSetup;
#ifdef UNITTESTS
- sigmatch_table[DETECT_AL_HTTP_METHOD].RegisterTests = DetectHttpMethodRegisterTests;
+ sigmatch_table[DETECT_HTTP_METHOD_CM].RegisterTests = DetectHttpMethodRegisterTests;
#endif
- sigmatch_table[DETECT_AL_HTTP_METHOD].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_CONTENT_MODIFIER;
- sigmatch_table[DETECT_AL_HTTP_METHOD].alternative = DETECT_HTTP_METHOD;
+ sigmatch_table[DETECT_HTTP_METHOD_CM].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_CONTENT_MODIFIER;
+ sigmatch_table[DETECT_HTTP_METHOD_CM].alternative = DETECT_HTTP_METHOD;
/* http.method sticky buffer */
sigmatch_table[DETECT_HTTP_METHOD].name = "http.method";
static int DetectHttpMethodSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
{
return DetectEngineContentModifierBufferSetup(
- de_ctx, s, str, DETECT_AL_HTTP_METHOD, g_http_method_buffer_id, ALPROTO_HTTP1);
+ de_ctx, s, str, DETECT_HTTP_METHOD_CM, g_http_method_buffer_id, ALPROTO_HTTP1);
}
/**
*/
void DetectHttpProtocolRegister(void)
{
- sigmatch_table[DETECT_AL_HTTP_PROTOCOL].name = KEYWORD_NAME;
- sigmatch_table[DETECT_AL_HTTP_PROTOCOL].alias = KEYWORD_NAME_LEGACY;
- sigmatch_table[DETECT_AL_HTTP_PROTOCOL].desc = BUFFER_NAME " sticky buffer";
- sigmatch_table[DETECT_AL_HTTP_PROTOCOL].url = "/rules/" KEYWORD_DOC;
- sigmatch_table[DETECT_AL_HTTP_PROTOCOL].Setup = DetectHttpProtocolSetup;
- sigmatch_table[DETECT_AL_HTTP_PROTOCOL].flags |= SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_HTTP_PROTOCOL].name = KEYWORD_NAME;
+ sigmatch_table[DETECT_HTTP_PROTOCOL].alias = KEYWORD_NAME_LEGACY;
+ sigmatch_table[DETECT_HTTP_PROTOCOL].desc = BUFFER_NAME " sticky buffer";
+ sigmatch_table[DETECT_HTTP_PROTOCOL].url = "/rules/" KEYWORD_DOC;
+ sigmatch_table[DETECT_HTTP_PROTOCOL].Setup = DetectHttpProtocolSetup;
+ sigmatch_table[DETECT_HTTP_PROTOCOL].flags |= SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_NOOPT;
DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
GetData, ALPROTO_HTTP1, HTP_REQUEST_PROGRESS_LINE);
void DetectHttpRawHeaderRegister(void)
{
/* http_raw_header content modifier */
- sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].name = "http_raw_header";
- sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].desc = "content modifier to match the raw HTTP header buffer";
- sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].url = "/rules/http-keywords.html#http-header-and-http-raw-header";
- sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].Setup = DetectHttpRawHeaderSetup;
+ sigmatch_table[DETECT_HTTP_RAW_HEADER_CM].name = "http_raw_header";
+ sigmatch_table[DETECT_HTTP_RAW_HEADER_CM].desc =
+ "content modifier to match the raw HTTP header buffer";
+ sigmatch_table[DETECT_HTTP_RAW_HEADER_CM].url =
+ "/rules/http-keywords.html#http-header-and-http-raw-header";
+ sigmatch_table[DETECT_HTTP_RAW_HEADER_CM].Setup = DetectHttpRawHeaderSetup;
#ifdef UNITTESTS
- sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].RegisterTests = DetectHttpRawHeaderRegisterTests;
+ sigmatch_table[DETECT_HTTP_RAW_HEADER_CM].RegisterTests = DetectHttpRawHeaderRegisterTests;
#endif
- sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_CONTENT_MODIFIER;
- sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].alternative = DETECT_HTTP_RAW_HEADER;
+ sigmatch_table[DETECT_HTTP_RAW_HEADER_CM].flags |=
+ SIGMATCH_NOOPT | SIGMATCH_INFO_CONTENT_MODIFIER;
+ sigmatch_table[DETECT_HTTP_RAW_HEADER_CM].alternative = DETECT_HTTP_RAW_HEADER;
/* http.header.raw sticky buffer */
sigmatch_table[DETECT_HTTP_RAW_HEADER].name = "http.header.raw";
int DetectHttpRawHeaderSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
{
return DetectEngineContentModifierBufferSetup(
- de_ctx, s, arg, DETECT_AL_HTTP_RAW_HEADER, g_http_raw_header_buffer_id, ALPROTO_HTTP1);
+ de_ctx, s, arg, DETECT_HTTP_RAW_HEADER_CM, g_http_raw_header_buffer_id, ALPROTO_HTTP1);
}
/**
#define BUFFER_NAME "http_referer"
#define BUFFER_DESC "http referer header"
#define HEADER_NAME "Referer"
-#define KEYWORD_ID DETECT_AL_HTTP_HEADER_REFERER
+#define KEYWORD_ID DETECT_HTTP_HEADER_REFERER
#define KEYWORD_TOSERVER 1
#include "detect-http-headers-stub.h"
*/
void DetectHttpRequestLineRegister(void)
{
- sigmatch_table[DETECT_AL_HTTP_REQUEST_LINE].name = "http.request_line";
- sigmatch_table[DETECT_AL_HTTP_REQUEST_LINE].alias = "http_request_line";
- sigmatch_table[DETECT_AL_HTTP_REQUEST_LINE].desc = "sticky buffer to match on the HTTP request line";
- sigmatch_table[DETECT_AL_HTTP_REQUEST_LINE].url = "/rules/http-keywords.html#http-request-line";
- sigmatch_table[DETECT_AL_HTTP_REQUEST_LINE].Match = NULL;
- sigmatch_table[DETECT_AL_HTTP_REQUEST_LINE].Setup = DetectHttpRequestLineSetup;
+ sigmatch_table[DETECT_HTTP_REQUEST_LINE].name = "http.request_line";
+ sigmatch_table[DETECT_HTTP_REQUEST_LINE].alias = "http_request_line";
+ sigmatch_table[DETECT_HTTP_REQUEST_LINE].desc =
+ "sticky buffer to match on the HTTP request line";
+ sigmatch_table[DETECT_HTTP_REQUEST_LINE].url = "/rules/http-keywords.html#http-request-line";
+ sigmatch_table[DETECT_HTTP_REQUEST_LINE].Match = NULL;
+ sigmatch_table[DETECT_HTTP_REQUEST_LINE].Setup = DetectHttpRequestLineSetup;
#ifdef UNITTESTS
- sigmatch_table[DETECT_AL_HTTP_REQUEST_LINE].RegisterTests = DetectHttpRequestLineRegisterTests;
+ sigmatch_table[DETECT_HTTP_REQUEST_LINE].RegisterTests = DetectHttpRequestLineRegisterTests;
#endif
- sigmatch_table[DETECT_AL_HTTP_REQUEST_LINE].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;
+ sigmatch_table[DETECT_HTTP_REQUEST_LINE].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;
DetectAppLayerInspectEngineRegister("http_request_line", ALPROTO_HTTP1, SIG_FLAG_TOSERVER,
HTP_REQUEST_PROGRESS_LINE, DetectEngineInspectBufferGeneric, GetData);
*/
void DetectHttpResponseLineRegister(void)
{
- sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].name = "http.response_line";
- sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].alias = "http_response_line";
- sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].desc = "content modifier to match only on the HTTP response line";
- sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].url = "/rules/http-keywords.html#http-response-line";
- sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].Setup = DetectHttpResponseLineSetup;
+ sigmatch_table[DETECT_HTTP_RESPONSE_LINE].name = "http.response_line";
+ sigmatch_table[DETECT_HTTP_RESPONSE_LINE].alias = "http_response_line";
+ sigmatch_table[DETECT_HTTP_RESPONSE_LINE].desc =
+ "content modifier to match only on the HTTP response line";
+ sigmatch_table[DETECT_HTTP_RESPONSE_LINE].url = "/rules/http-keywords.html#http-response-line";
+ sigmatch_table[DETECT_HTTP_RESPONSE_LINE].Setup = DetectHttpResponseLineSetup;
#ifdef UNITTESTS
- sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].RegisterTests = DetectHttpResponseLineRegisterTests;
+ sigmatch_table[DETECT_HTTP_RESPONSE_LINE].RegisterTests = DetectHttpResponseLineRegisterTests;
#endif
- sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;
+ sigmatch_table[DETECT_HTTP_RESPONSE_LINE].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;
DetectAppLayerInspectEngineRegister("http_response_line", ALPROTO_HTTP1, SIG_FLAG_TOCLIENT,
HTP_RESPONSE_PROGRESS_LINE, DetectEngineInspectBufferGeneric, GetData);
void DetectHttpServerBodyRegister(void)
{
/* http_server_body content modifier */
- sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].name = "http_server_body";
- sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].desc = "content modifier to match on the HTTP response-body";
- sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].url = "/rules/http-keywords.html#http-server-body";
- sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].Setup = DetectHttpServerBodySetup;
+ sigmatch_table[DETECT_HTTP_SERVER_BODY].name = "http_server_body";
+ sigmatch_table[DETECT_HTTP_SERVER_BODY].desc =
+ "content modifier to match on the HTTP response-body";
+ sigmatch_table[DETECT_HTTP_SERVER_BODY].url = "/rules/http-keywords.html#http-server-body";
+ sigmatch_table[DETECT_HTTP_SERVER_BODY].Setup = DetectHttpServerBodySetup;
#ifdef UNITTESTS
- sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].RegisterTests = DetectHttpServerBodyRegisterTests;
+ sigmatch_table[DETECT_HTTP_SERVER_BODY].RegisterTests = DetectHttpServerBodyRegisterTests;
#endif
- sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].flags |= SIGMATCH_NOOPT;
- sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].flags |= SIGMATCH_INFO_CONTENT_MODIFIER;
- sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].alternative = DETECT_HTTP_RESPONSE_BODY;
+ sigmatch_table[DETECT_HTTP_SERVER_BODY].flags |= SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_HTTP_SERVER_BODY].flags |= SIGMATCH_INFO_CONTENT_MODIFIER;
+ sigmatch_table[DETECT_HTTP_SERVER_BODY].alternative = DETECT_HTTP_RESPONSE_BODY;
/* http.request_body sticky buffer */
sigmatch_table[DETECT_HTTP_RESPONSE_BODY].name = "http.response_body";
int DetectHttpServerBodySetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
{
return DetectEngineContentModifierBufferSetup(
- de_ctx, s, arg, DETECT_AL_HTTP_SERVER_BODY, g_buffer_id, ALPROTO_HTTP1);
+ de_ctx, s, arg, DETECT_HTTP_SERVER_BODY, g_buffer_id, ALPROTO_HTTP1);
}
/**
#define BUFFER_NAME "http.server"
#define BUFFER_DESC "http server header"
#define HEADER_NAME "Server"
-#define KEYWORD_ID DETECT_AL_HTTP_HEADER_SERVER
+#define KEYWORD_ID DETECT_HTTP_HEADER_SERVER
#define KEYWORD_TOCLIENT 1
#include "detect-http-headers-stub.h"
*/
void DetectHttpStartRegister(void)
{
- sigmatch_table[DETECT_AL_HTTP_START].name = KEYWORD_NAME;
- sigmatch_table[DETECT_AL_HTTP_START].alias = KEYWORD_NAME_LEGACY;
- sigmatch_table[DETECT_AL_HTTP_START].desc = BUFFER_NAME " sticky buffer";
- sigmatch_table[DETECT_AL_HTTP_START].url = "/rules/" KEYWORD_DOC;
- sigmatch_table[DETECT_AL_HTTP_START].Setup = DetectHttpStartSetup;
- sigmatch_table[DETECT_AL_HTTP_START].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;
+ sigmatch_table[DETECT_HTTP_START].name = KEYWORD_NAME;
+ sigmatch_table[DETECT_HTTP_START].alias = KEYWORD_NAME_LEGACY;
+ sigmatch_table[DETECT_HTTP_START].desc = BUFFER_NAME " sticky buffer";
+ sigmatch_table[DETECT_HTTP_START].url = "/rules/" KEYWORD_DOC;
+ sigmatch_table[DETECT_HTTP_START].Setup = DetectHttpStartSetup;
+ sigmatch_table[DETECT_HTTP_START].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;
DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
GetBuffer1ForTX, ALPROTO_HTTP1, HTP_REQUEST_PROGRESS_HEADERS);
void DetectHttpStatCodeRegister (void)
{
/* http_stat_code content modifier */
- sigmatch_table[DETECT_AL_HTTP_STAT_CODE].name = "http_stat_code";
- sigmatch_table[DETECT_AL_HTTP_STAT_CODE].desc = "content modifier to match only on HTTP stat-code-buffer";
- sigmatch_table[DETECT_AL_HTTP_STAT_CODE].url = "/rules/http-keywords.html#http-stat-code";
- sigmatch_table[DETECT_AL_HTTP_STAT_CODE].Setup = DetectHttpStatCodeSetup;
+ sigmatch_table[DETECT_HTTP_STAT_CODE_CM].name = "http_stat_code";
+ sigmatch_table[DETECT_HTTP_STAT_CODE_CM].desc =
+ "content modifier to match only on HTTP stat-code-buffer";
+ sigmatch_table[DETECT_HTTP_STAT_CODE_CM].url = "/rules/http-keywords.html#http-stat-code";
+ sigmatch_table[DETECT_HTTP_STAT_CODE_CM].Setup = DetectHttpStatCodeSetup;
#ifdef UNITTESTS
- sigmatch_table[DETECT_AL_HTTP_STAT_CODE].RegisterTests = DetectHttpStatCodeRegisterTests;
+ sigmatch_table[DETECT_HTTP_STAT_CODE_CM].RegisterTests = DetectHttpStatCodeRegisterTests;
#endif
- sigmatch_table[DETECT_AL_HTTP_STAT_CODE].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_CONTENT_MODIFIER;
- sigmatch_table[DETECT_AL_HTTP_STAT_CODE].alternative = DETECT_HTTP_STAT_CODE;
+ sigmatch_table[DETECT_HTTP_STAT_CODE_CM].flags |=
+ SIGMATCH_NOOPT | SIGMATCH_INFO_CONTENT_MODIFIER;
+ sigmatch_table[DETECT_HTTP_STAT_CODE_CM].alternative = DETECT_HTTP_STAT_CODE;
/* http.stat_code content modifier */
sigmatch_table[DETECT_HTTP_STAT_CODE].name = "http.stat_code";
static int DetectHttpStatCodeSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
{
return DetectEngineContentModifierBufferSetup(
- de_ctx, s, arg, DETECT_AL_HTTP_STAT_CODE, g_http_stat_code_buffer_id, ALPROTO_HTTP1);
+ de_ctx, s, arg, DETECT_HTTP_STAT_CODE_CM, g_http_stat_code_buffer_id, ALPROTO_HTTP1);
}
/**
void DetectHttpStatMsgRegister (void)
{
/* http_stat_msg content modifier */
- sigmatch_table[DETECT_AL_HTTP_STAT_MSG].name = "http_stat_msg";
- sigmatch_table[DETECT_AL_HTTP_STAT_MSG].desc = "content modifier to match on HTTP stat-msg-buffer";
- sigmatch_table[DETECT_AL_HTTP_STAT_MSG].url = "/rules/http-keywords.html#http-stat-msg";
- sigmatch_table[DETECT_AL_HTTP_STAT_MSG].Setup = DetectHttpStatMsgSetup;
+ sigmatch_table[DETECT_HTTP_STAT_MSG_CM].name = "http_stat_msg";
+ sigmatch_table[DETECT_HTTP_STAT_MSG_CM].desc =
+ "content modifier to match on HTTP stat-msg-buffer";
+ sigmatch_table[DETECT_HTTP_STAT_MSG_CM].url = "/rules/http-keywords.html#http-stat-msg";
+ sigmatch_table[DETECT_HTTP_STAT_MSG_CM].Setup = DetectHttpStatMsgSetup;
#ifdef UNITTESTS
- sigmatch_table[DETECT_AL_HTTP_STAT_MSG].RegisterTests = DetectHttpStatMsgRegisterTests;
+ sigmatch_table[DETECT_HTTP_STAT_MSG_CM].RegisterTests = DetectHttpStatMsgRegisterTests;
#endif
- sigmatch_table[DETECT_AL_HTTP_STAT_MSG].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_CONTENT_MODIFIER;
- sigmatch_table[DETECT_AL_HTTP_STAT_MSG].alternative = DETECT_HTTP_STAT_MSG;
+ sigmatch_table[DETECT_HTTP_STAT_MSG_CM].flags |=
+ SIGMATCH_NOOPT | SIGMATCH_INFO_CONTENT_MODIFIER;
+ sigmatch_table[DETECT_HTTP_STAT_MSG_CM].alternative = DETECT_HTTP_STAT_MSG;
/* http.stat_msg sticky buffer */
sigmatch_table[DETECT_HTTP_STAT_MSG].name = "http.stat_msg";
static int DetectHttpStatMsgSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
{
return DetectEngineContentModifierBufferSetup(
- de_ctx, s, arg, DETECT_AL_HTTP_STAT_MSG, g_http_stat_msg_buffer_id, ALPROTO_HTTP1);
+ de_ctx, s, arg, DETECT_HTTP_STAT_MSG_CM, g_http_stat_msg_buffer_id, ALPROTO_HTTP1);
}
/**
void DetectHttpUARegister(void)
{
/* http_user_agent content modifier */
- sigmatch_table[DETECT_AL_HTTP_USER_AGENT].name = "http_user_agent";
- sigmatch_table[DETECT_AL_HTTP_USER_AGENT].desc = "content modifier to match only on the HTTP User-Agent header";
- sigmatch_table[DETECT_AL_HTTP_USER_AGENT].url = "/rules/http-keywords.html#http-user-agent";
- sigmatch_table[DETECT_AL_HTTP_USER_AGENT].Setup = DetectHttpUASetup;
+ sigmatch_table[DETECT_HTTP_USER_AGENT].name = "http_user_agent";
+ sigmatch_table[DETECT_HTTP_USER_AGENT].desc =
+ "content modifier to match only on the HTTP User-Agent header";
+ sigmatch_table[DETECT_HTTP_USER_AGENT].url = "/rules/http-keywords.html#http-user-agent";
+ sigmatch_table[DETECT_HTTP_USER_AGENT].Setup = DetectHttpUASetup;
#ifdef UNITTESTS
- sigmatch_table[DETECT_AL_HTTP_USER_AGENT].RegisterTests = DetectHttpUARegisterTests;
+ sigmatch_table[DETECT_HTTP_USER_AGENT].RegisterTests = DetectHttpUARegisterTests;
#endif
- sigmatch_table[DETECT_AL_HTTP_USER_AGENT].flags |= SIGMATCH_NOOPT;
- sigmatch_table[DETECT_AL_HTTP_USER_AGENT].flags |= SIGMATCH_INFO_CONTENT_MODIFIER;
- sigmatch_table[DETECT_AL_HTTP_USER_AGENT].alternative = DETECT_HTTP_UA;
+ sigmatch_table[DETECT_HTTP_USER_AGENT].flags |= SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_HTTP_USER_AGENT].flags |= SIGMATCH_INFO_CONTENT_MODIFIER;
+ sigmatch_table[DETECT_HTTP_USER_AGENT].alternative = DETECT_HTTP_UA;
/* http.user_agent sticky buffer */
sigmatch_table[DETECT_HTTP_UA].name = "http.user_agent";
int DetectHttpUASetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
{
return DetectEngineContentModifierBufferSetup(
- de_ctx, s, arg, DETECT_AL_HTTP_USER_AGENT, g_http_ua_buffer_id, ALPROTO_HTTP1);
+ de_ctx, s, arg, DETECT_HTTP_USER_AGENT, g_http_ua_buffer_id, ALPROTO_HTTP1);
}
/**
void DetectHttpUriRegister (void)
{
/* http_uri content modifier */
- sigmatch_table[DETECT_AL_HTTP_URI].name = "http_uri";
- sigmatch_table[DETECT_AL_HTTP_URI].desc = "content modifier to match specifically and only on the HTTP uri-buffer";
- sigmatch_table[DETECT_AL_HTTP_URI].url = "/rules/http-keywords.html#http-uri-and-http-uri-raw";
- sigmatch_table[DETECT_AL_HTTP_URI].Setup = DetectHttpUriSetup;
+ sigmatch_table[DETECT_HTTP_URI_CM].name = "http_uri";
+ sigmatch_table[DETECT_HTTP_URI_CM].desc =
+ "content modifier to match specifically and only on the HTTP uri-buffer";
+ sigmatch_table[DETECT_HTTP_URI_CM].url = "/rules/http-keywords.html#http-uri-and-http-uri-raw";
+ sigmatch_table[DETECT_HTTP_URI_CM].Setup = DetectHttpUriSetup;
#ifdef UNITTESTS
- sigmatch_table[DETECT_AL_HTTP_URI].RegisterTests = DetectHttpUriRegisterTests;
+ sigmatch_table[DETECT_HTTP_URI_CM].RegisterTests = DetectHttpUriRegisterTests;
#endif
- sigmatch_table[DETECT_AL_HTTP_URI].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_CONTENT_MODIFIER;
- sigmatch_table[DETECT_AL_HTTP_URI].alternative = DETECT_HTTP_URI;
+ sigmatch_table[DETECT_HTTP_URI_CM].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_CONTENT_MODIFIER;
+ sigmatch_table[DETECT_HTTP_URI_CM].alternative = DETECT_HTTP_URI;
/* http.uri sticky buffer */
sigmatch_table[DETECT_HTTP_URI].name = "http.uri";
g_http_uri_buffer_id = DetectBufferTypeGetByName("http_uri");
/* http_raw_uri content modifier */
- sigmatch_table[DETECT_AL_HTTP_RAW_URI].name = "http_raw_uri";
- sigmatch_table[DETECT_AL_HTTP_RAW_URI].desc = "content modifier to match on the raw HTTP uri";
- sigmatch_table[DETECT_AL_HTTP_RAW_URI].url = "/rules/http-keywords.html#http_uri-and-http_raw-uri";
- sigmatch_table[DETECT_AL_HTTP_RAW_URI].Setup = DetectHttpRawUriSetup;
- sigmatch_table[DETECT_AL_HTTP_RAW_URI].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_CONTENT_MODIFIER;
- sigmatch_table[DETECT_AL_HTTP_RAW_URI].alternative = DETECT_HTTP_URI_RAW;
+ sigmatch_table[DETECT_HTTP_RAW_URI].name = "http_raw_uri";
+ sigmatch_table[DETECT_HTTP_RAW_URI].desc = "content modifier to match on the raw HTTP uri";
+ sigmatch_table[DETECT_HTTP_RAW_URI].url = "/rules/http-keywords.html#http_uri-and-http_raw-uri";
+ sigmatch_table[DETECT_HTTP_RAW_URI].Setup = DetectHttpRawUriSetup;
+ sigmatch_table[DETECT_HTTP_RAW_URI].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_CONTENT_MODIFIER;
+ sigmatch_table[DETECT_HTTP_RAW_URI].alternative = DETECT_HTTP_URI_RAW;
/* http.uri.raw sticky buffer */
sigmatch_table[DETECT_HTTP_URI_RAW].name = "http.uri.raw";
int DetectHttpUriSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
{
return DetectEngineContentModifierBufferSetup(
- de_ctx, s, str, DETECT_AL_HTTP_URI, g_http_uri_buffer_id, ALPROTO_HTTP1);
+ de_ctx, s, str, DETECT_HTTP_URI_CM, g_http_uri_buffer_id, ALPROTO_HTTP1);
}
static bool DetectHttpUriValidateCallback(const Signature *s, const char **sigerror)
static int DetectHttpRawUriSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
{
return DetectEngineContentModifierBufferSetup(
- de_ctx, s, arg, DETECT_AL_HTTP_RAW_URI, g_http_raw_uri_buffer_id, ALPROTO_HTTP1);
+ de_ctx, s, arg, DETECT_HTTP_RAW_URI, g_http_raw_uri_buffer_id, ALPROTO_HTTP1);
}
static bool DetectHttpRawUriValidateCallback(const Signature *s, const char **sigerror)
*/
void DetectIkeChosenSaRegister(void)
{
- sigmatch_table[DETECT_AL_IKE_CHOSEN_SA].name = "ike.chosen_sa_attribute";
- sigmatch_table[DETECT_AL_IKE_CHOSEN_SA].desc = "match IKE chosen SA Attribute";
- sigmatch_table[DETECT_AL_IKE_CHOSEN_SA].url =
- "/rules/ike-keywords.html#ike-chosen_sa_attribute";
- sigmatch_table[DETECT_AL_IKE_CHOSEN_SA].AppLayerTxMatch = DetectIkeChosenSaMatch;
- sigmatch_table[DETECT_AL_IKE_CHOSEN_SA].Setup = DetectIkeChosenSaSetup;
- sigmatch_table[DETECT_AL_IKE_CHOSEN_SA].Free = DetectIkeChosenSaFree;
+ sigmatch_table[DETECT_IKE_CHOSEN_SA].name = "ike.chosen_sa_attribute";
+ sigmatch_table[DETECT_IKE_CHOSEN_SA].desc = "match IKE chosen SA Attribute";
+ sigmatch_table[DETECT_IKE_CHOSEN_SA].url = "/rules/ike-keywords.html#ike-chosen_sa_attribute";
+ sigmatch_table[DETECT_IKE_CHOSEN_SA].AppLayerTxMatch = DetectIkeChosenSaMatch;
+ sigmatch_table[DETECT_IKE_CHOSEN_SA].Setup = DetectIkeChosenSaSetup;
+ sigmatch_table[DETECT_IKE_CHOSEN_SA].Free = DetectIkeChosenSaFree;
#ifdef UNITTESTS
- sigmatch_table[DETECT_AL_IKE_CHOSEN_SA].RegisterTests = IKEChosenSaRegisterTests;
+ sigmatch_table[DETECT_IKE_CHOSEN_SA].RegisterTests = IKEChosenSaRegisterTests;
#endif
DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
/* okay so far so good, lets get this into a SigMatch
* and put it in the Signature. */
- if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_IKE_CHOSEN_SA, (SigMatchCtx *)dd,
+ if (SigMatchAppendSMToList(de_ctx, s, DETECT_IKE_CHOSEN_SA, (SigMatchCtx *)dd,
g_ike_chosen_sa_buffer_id) == NULL) {
goto error;
}
*/
void DetectIkeExchTypeRegister(void)
{
- sigmatch_table[DETECT_AL_IKE_EXCH_TYPE].name = "ike.exchtype";
- sigmatch_table[DETECT_AL_IKE_EXCH_TYPE].desc = "match IKE exchange type";
- sigmatch_table[DETECT_AL_IKE_EXCH_TYPE].url = "/rules/ike-keywords.html#ike-exchtype";
- sigmatch_table[DETECT_AL_IKE_EXCH_TYPE].Match = NULL;
- sigmatch_table[DETECT_AL_IKE_EXCH_TYPE].AppLayerTxMatch = DetectIkeExchTypeMatch;
- sigmatch_table[DETECT_AL_IKE_EXCH_TYPE].Setup = DetectIkeExchTypeSetup;
- sigmatch_table[DETECT_AL_IKE_EXCH_TYPE].Free = DetectIkeExchTypeFree;
+ sigmatch_table[DETECT_IKE_EXCH_TYPE].name = "ike.exchtype";
+ sigmatch_table[DETECT_IKE_EXCH_TYPE].desc = "match IKE exchange type";
+ sigmatch_table[DETECT_IKE_EXCH_TYPE].url = "/rules/ike-keywords.html#ike-exchtype";
+ sigmatch_table[DETECT_IKE_EXCH_TYPE].Match = NULL;
+ sigmatch_table[DETECT_IKE_EXCH_TYPE].AppLayerTxMatch = DetectIkeExchTypeMatch;
+ sigmatch_table[DETECT_IKE_EXCH_TYPE].Setup = DetectIkeExchTypeSetup;
+ sigmatch_table[DETECT_IKE_EXCH_TYPE].Free = DetectIkeExchTypeFree;
DetectAppLayerInspectEngineRegister("ike.exchtype", ALPROTO_IKE, SIG_FLAG_TOSERVER, 1,
DetectEngineInspectGenericList, NULL);
/* okay so far so good, lets get this into a SigMatch
* and put it in the Signature. */
- if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_IKE_EXCH_TYPE, (SigMatchCtx *)ike_exch_type,
+ if (SigMatchAppendSMToList(de_ctx, s, DETECT_IKE_EXCH_TYPE, (SigMatchCtx *)ike_exch_type,
g_ike_exch_type_buffer_id) == NULL) {
goto error;
}
*/
void DetectIkeKeyExchangePayloadLengthRegister(void)
{
- sigmatch_table[DETECT_AL_IKE_KEY_EXCHANGE_PAYLOAD_LENGTH].name =
- "ike.key_exchange_payload_length";
- sigmatch_table[DETECT_AL_IKE_KEY_EXCHANGE_PAYLOAD_LENGTH].desc =
+ sigmatch_table[DETECT_IKE_KEY_EXCHANGE_PAYLOAD_LENGTH].name = "ike.key_exchange_payload_length";
+ sigmatch_table[DETECT_IKE_KEY_EXCHANGE_PAYLOAD_LENGTH].desc =
"match IKE key exchange payload length";
- sigmatch_table[DETECT_AL_IKE_KEY_EXCHANGE_PAYLOAD_LENGTH].url =
+ sigmatch_table[DETECT_IKE_KEY_EXCHANGE_PAYLOAD_LENGTH].url =
"/rules/ike-keywords.html#ike-key-exchange-payload-length";
- sigmatch_table[DETECT_AL_IKE_KEY_EXCHANGE_PAYLOAD_LENGTH].AppLayerTxMatch =
+ sigmatch_table[DETECT_IKE_KEY_EXCHANGE_PAYLOAD_LENGTH].AppLayerTxMatch =
DetectIkeKeyExchangePayloadLengthMatch;
- sigmatch_table[DETECT_AL_IKE_KEY_EXCHANGE_PAYLOAD_LENGTH].Setup =
+ sigmatch_table[DETECT_IKE_KEY_EXCHANGE_PAYLOAD_LENGTH].Setup =
DetectIkeKeyExchangePayloadLengthSetup;
- sigmatch_table[DETECT_AL_IKE_KEY_EXCHANGE_PAYLOAD_LENGTH].Free =
+ sigmatch_table[DETECT_IKE_KEY_EXCHANGE_PAYLOAD_LENGTH].Free =
DetectIkeKeyExchangePayloadLengthFree;
DetectAppLayerInspectEngineRegister("ike.key_exchange_payload_length", ALPROTO_IKE,
/* okay so far so good, lets get this into a SigMatch
* and put it in the Signature. */
- if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_IKE_KEY_EXCHANGE_PAYLOAD_LENGTH,
+ if (SigMatchAppendSMToList(de_ctx, s, DETECT_IKE_KEY_EXCHANGE_PAYLOAD_LENGTH,
(SigMatchCtx *)key_exchange_payload_length,
g_ike_key_exch_payload_length_buffer_id) == NULL) {
goto error;
void DetectIkeKeyExchangeRegister(void)
{
// register key_exchange
- sigmatch_table[DETECT_AL_IKE_KEY_EXCHANGE].name = KEYWORD_NAME_KEY_EXCHANGE;
- sigmatch_table[DETECT_AL_IKE_KEY_EXCHANGE].url =
- "/rules/" KEYWORD_DOC_KEY_EXCHANGE sigmatch_table[DETECT_AL_IKE_KEY_EXCHANGE].desc =
+ sigmatch_table[DETECT_IKE_KEY_EXCHANGE].name = KEYWORD_NAME_KEY_EXCHANGE;
+ sigmatch_table[DETECT_IKE_KEY_EXCHANGE].url =
+ "/rules/" KEYWORD_DOC_KEY_EXCHANGE sigmatch_table[DETECT_IKE_KEY_EXCHANGE].desc =
"sticky buffer to match on the IKE key_exchange_payload";
- sigmatch_table[DETECT_AL_IKE_KEY_EXCHANGE].Setup = DetectKeyExchangeSetup;
- sigmatch_table[DETECT_AL_IKE_KEY_EXCHANGE].flags |=
- SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;
+ sigmatch_table[DETECT_IKE_KEY_EXCHANGE].Setup = DetectKeyExchangeSetup;
+ sigmatch_table[DETECT_IKE_KEY_EXCHANGE].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;
DetectAppLayerInspectEngineRegister(BUFFER_NAME_KEY_EXCHANGE, ALPROTO_IKE, SIG_FLAG_TOSERVER, 1,
DetectEngineInspectBufferGeneric, GetKeyExchangeData);
*/
void DetectIkeNoncePayloadLengthRegister(void)
{
- sigmatch_table[DETECT_AL_IKE_NONCE_PAYLOAD_LENGTH].name = "ike.nonce_payload_length";
- sigmatch_table[DETECT_AL_IKE_NONCE_PAYLOAD_LENGTH].desc = "match IKE nonce payload length";
- sigmatch_table[DETECT_AL_IKE_NONCE_PAYLOAD_LENGTH].url =
+ sigmatch_table[DETECT_IKE_NONCE_PAYLOAD_LENGTH].name = "ike.nonce_payload_length";
+ sigmatch_table[DETECT_IKE_NONCE_PAYLOAD_LENGTH].desc = "match IKE nonce payload length";
+ sigmatch_table[DETECT_IKE_NONCE_PAYLOAD_LENGTH].url =
"/rules/ike-keywords.html#ike-nonce-payload-length";
- sigmatch_table[DETECT_AL_IKE_NONCE_PAYLOAD_LENGTH].AppLayerTxMatch =
+ sigmatch_table[DETECT_IKE_NONCE_PAYLOAD_LENGTH].AppLayerTxMatch =
DetectIkeNoncePayloadLengthMatch;
- sigmatch_table[DETECT_AL_IKE_NONCE_PAYLOAD_LENGTH].Setup = DetectIkeNoncePayloadLengthSetup;
- sigmatch_table[DETECT_AL_IKE_NONCE_PAYLOAD_LENGTH].Free = DetectIkeNoncePayloadLengthFree;
+ sigmatch_table[DETECT_IKE_NONCE_PAYLOAD_LENGTH].Setup = DetectIkeNoncePayloadLengthSetup;
+ sigmatch_table[DETECT_IKE_NONCE_PAYLOAD_LENGTH].Free = DetectIkeNoncePayloadLengthFree;
DetectAppLayerInspectEngineRegister("ike.nonce_payload_length", ALPROTO_IKE, SIG_FLAG_TOSERVER,
1, DetectEngineInspectGenericList, NULL);
/* okay so far so good, lets get this into a SigMatch
* and put it in the Signature. */
- if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_IKE_NONCE_PAYLOAD_LENGTH,
+ if (SigMatchAppendSMToList(de_ctx, s, DETECT_IKE_NONCE_PAYLOAD_LENGTH,
(SigMatchCtx *)nonce_payload_length,
g_ike_nonce_payload_length_buffer_id) == NULL) {
goto error;
void DetectIkeNonceRegister(void)
{
// register nonce
- sigmatch_table[DETECT_AL_IKE_NONCE].name = KEYWORD_NAME_NONCE;
- sigmatch_table[DETECT_AL_IKE_NONCE].url =
- "/rules/" KEYWORD_DOC_NONCE sigmatch_table[DETECT_AL_IKE_NONCE].desc =
+ sigmatch_table[DETECT_IKE_NONCE].name = KEYWORD_NAME_NONCE;
+ sigmatch_table[DETECT_IKE_NONCE].url =
+ "/rules/" KEYWORD_DOC_NONCE sigmatch_table[DETECT_IKE_NONCE].desc =
"sticky buffer to match on the IKE nonce_payload";
- sigmatch_table[DETECT_AL_IKE_NONCE].Setup = DetectNonceSetup;
- sigmatch_table[DETECT_AL_IKE_NONCE].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;
+ sigmatch_table[DETECT_IKE_NONCE].Setup = DetectNonceSetup;
+ sigmatch_table[DETECT_IKE_NONCE].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;
DetectAppLayerInspectEngineRegister(BUFFER_NAME_NONCE, ALPROTO_IKE, SIG_FLAG_TOSERVER, 1,
DetectEngineInspectBufferGeneric, GetNonceData);
void DetectIkeSpiRegister(void)
{
// register initiator
- sigmatch_table[DETECT_AL_IKE_SPI_INITIATOR].name = KEYWORD_NAME_INITIATOR;
- sigmatch_table[DETECT_AL_IKE_SPI_INITIATOR].url =
- "/rules/" KEYWORD_DOC_INITIATOR sigmatch_table[DETECT_AL_IKE_SPI_INITIATOR].desc =
+ sigmatch_table[DETECT_IKE_SPI_INITIATOR].name = KEYWORD_NAME_INITIATOR;
+ sigmatch_table[DETECT_IKE_SPI_INITIATOR].url =
+ "/rules/" KEYWORD_DOC_INITIATOR sigmatch_table[DETECT_IKE_SPI_INITIATOR].desc =
"sticky buffer to match on the IKE spi initiator";
- sigmatch_table[DETECT_AL_IKE_SPI_INITIATOR].Setup = DetectSpiInitiatorSetup;
- sigmatch_table[DETECT_AL_IKE_SPI_INITIATOR].flags |=
- SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;
+ sigmatch_table[DETECT_IKE_SPI_INITIATOR].Setup = DetectSpiInitiatorSetup;
+ sigmatch_table[DETECT_IKE_SPI_INITIATOR].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;
DetectAppLayerInspectEngineRegister(BUFFER_NAME_INITIATOR, ALPROTO_IKE, SIG_FLAG_TOSERVER, 1,
DetectEngineInspectBufferGeneric, GetInitiatorData);
SCLogDebug("registering " BUFFER_NAME_INITIATOR " rule option");
// register responder
- sigmatch_table[DETECT_AL_IKE_SPI_RESPONDER].name = KEYWORD_NAME_RESPONDER;
- sigmatch_table[DETECT_AL_IKE_SPI_RESPONDER].url =
- "/rules/" KEYWORD_DOC_RESPONDER sigmatch_table[DETECT_AL_IKE_SPI_RESPONDER].desc =
+ sigmatch_table[DETECT_IKE_SPI_RESPONDER].name = KEYWORD_NAME_RESPONDER;
+ sigmatch_table[DETECT_IKE_SPI_RESPONDER].url =
+ "/rules/" KEYWORD_DOC_RESPONDER sigmatch_table[DETECT_IKE_SPI_RESPONDER].desc =
"sticky buffer to match on the IKE spi responder";
- sigmatch_table[DETECT_AL_IKE_SPI_RESPONDER].Setup = DetectSpiResponderSetup;
- sigmatch_table[DETECT_AL_IKE_SPI_RESPONDER].flags |=
- SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;
+ sigmatch_table[DETECT_IKE_SPI_RESPONDER].Setup = DetectSpiResponderSetup;
+ sigmatch_table[DETECT_IKE_SPI_RESPONDER].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;
DetectAppLayerInspectEngineRegister(BUFFER_NAME_RESPONDER, ALPROTO_IKE, SIG_FLAG_TOCLIENT, 1,
DetectEngineInspectBufferGeneric, GetResponderData);
*/
void DetectIkeVendorRegister(void)
{
- sigmatch_table[DETECT_AL_IKE_VENDOR].name = "ike.vendor";
- sigmatch_table[DETECT_AL_IKE_VENDOR].desc = "match IKE Vendor";
- sigmatch_table[DETECT_AL_IKE_VENDOR].url = "/rules/ike-keywords.html#ike-vendor";
- sigmatch_table[DETECT_AL_IKE_VENDOR].Setup = DetectIkeVendorSetup;
- sigmatch_table[DETECT_AL_IKE_VENDOR].flags |= SIGMATCH_NOOPT;
- sigmatch_table[DETECT_AL_IKE_VENDOR].flags |= SIGMATCH_INFO_STICKY_BUFFER;
+ sigmatch_table[DETECT_IKE_VENDOR].name = "ike.vendor";
+ sigmatch_table[DETECT_IKE_VENDOR].desc = "match IKE Vendor";
+ sigmatch_table[DETECT_IKE_VENDOR].url = "/rules/ike-keywords.html#ike-vendor";
+ sigmatch_table[DETECT_IKE_VENDOR].Setup = DetectIkeVendorSetup;
+ sigmatch_table[DETECT_IKE_VENDOR].flags |= SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_IKE_VENDOR].flags |= SIGMATCH_INFO_STICKY_BUFFER;
DetectAppLayerMultiRegister(
"ike.vendor", ALPROTO_IKE, SIG_FLAG_TOSERVER, 1, IkeVendorGetData, 1, 1);
*/
void DetectJa4HashRegister(void)
{
- sigmatch_table[DETECT_AL_JA4_HASH].name = "ja4.hash";
- sigmatch_table[DETECT_AL_JA4_HASH].alias = "ja4_hash";
- sigmatch_table[DETECT_AL_JA4_HASH].desc = "sticky buffer to match the JA4 hash buffer";
- sigmatch_table[DETECT_AL_JA4_HASH].url = "/rules/ja4-keywords.html#ja4-hash";
+ sigmatch_table[DETECT_JA4_HASH].name = "ja4.hash";
+ sigmatch_table[DETECT_JA4_HASH].alias = "ja4_hash";
+ sigmatch_table[DETECT_JA4_HASH].desc = "sticky buffer to match the JA4 hash buffer";
+ sigmatch_table[DETECT_JA4_HASH].url = "/rules/ja4-keywords.html#ja4-hash";
#ifdef HAVE_JA4
- sigmatch_table[DETECT_AL_JA4_HASH].Setup = DetectJa4HashSetup;
+ sigmatch_table[DETECT_JA4_HASH].Setup = DetectJa4HashSetup;
#else /* HAVE_JA4 */
- sigmatch_table[DETECT_AL_JA4_HASH].Setup = DetectJA4SetupNoSupport;
+ sigmatch_table[DETECT_JA4_HASH].Setup = DetectJA4SetupNoSupport;
#endif /* HAVE_JA4 */
- sigmatch_table[DETECT_AL_JA4_HASH].flags |= SIGMATCH_NOOPT;
- sigmatch_table[DETECT_AL_JA4_HASH].flags |= SIGMATCH_INFO_STICKY_BUFFER;
+ sigmatch_table[DETECT_JA4_HASH].flags |= SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_JA4_HASH].flags |= SIGMATCH_INFO_STICKY_BUFFER;
#ifdef HAVE_JA4
DetectAppLayerInspectEngineRegister("ja4.hash", ALPROTO_TLS, SIG_FLAG_TOSERVER, 0,
/* check if JA4 enabling had an effect */
if (!RunmodeIsUnittests() && !SSLJA4IsEnabled()) {
- if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_AL_JA4_HASH)) {
+ if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_JA4_HASH)) {
SCLogError("JA4 support is not enabled");
}
return -2;
void DetectKrb5CNameRegister(void)
{
- sigmatch_table[DETECT_AL_KRB5_CNAME].name = "krb5.cname";
- sigmatch_table[DETECT_AL_KRB5_CNAME].alias = "krb5_cname";
- sigmatch_table[DETECT_AL_KRB5_CNAME].url = "/rules/kerberos-keywords.html#krb5-cname";
- sigmatch_table[DETECT_AL_KRB5_CNAME].Setup = DetectKrb5CNameSetup;
- sigmatch_table[DETECT_AL_KRB5_CNAME].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;
- sigmatch_table[DETECT_AL_KRB5_CNAME].desc = "sticky buffer to match on Kerberos 5 client name";
+ sigmatch_table[DETECT_KRB5_CNAME].name = "krb5.cname";
+ sigmatch_table[DETECT_KRB5_CNAME].alias = "krb5_cname";
+ sigmatch_table[DETECT_KRB5_CNAME].url = "/rules/kerberos-keywords.html#krb5-cname";
+ sigmatch_table[DETECT_KRB5_CNAME].Setup = DetectKrb5CNameSetup;
+ sigmatch_table[DETECT_KRB5_CNAME].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;
+ sigmatch_table[DETECT_KRB5_CNAME].desc = "sticky buffer to match on Kerberos 5 client name";
DetectAppLayerMultiRegister(
"krb5_cname", ALPROTO_KRB5, SIG_FLAG_TOCLIENT, 0, GetKrb5CNameData, 2, 1);
*/
void DetectKrb5ErrCodeRegister(void)
{
- sigmatch_table[DETECT_AL_KRB5_ERRCODE].name = "krb5_err_code";
- sigmatch_table[DETECT_AL_KRB5_ERRCODE].desc = "match Kerberos 5 error code";
- sigmatch_table[DETECT_AL_KRB5_ERRCODE].url = "/rules/kerberos-keywords.html#krb5-err-code";
- sigmatch_table[DETECT_AL_KRB5_ERRCODE].Match = NULL;
- sigmatch_table[DETECT_AL_KRB5_ERRCODE].AppLayerTxMatch = DetectKrb5ErrCodeMatch;
- sigmatch_table[DETECT_AL_KRB5_ERRCODE].Setup = DetectKrb5ErrCodeSetup;
- sigmatch_table[DETECT_AL_KRB5_ERRCODE].Free = DetectKrb5ErrCodeFree;
+ sigmatch_table[DETECT_KRB5_ERRCODE].name = "krb5_err_code";
+ sigmatch_table[DETECT_KRB5_ERRCODE].desc = "match Kerberos 5 error code";
+ sigmatch_table[DETECT_KRB5_ERRCODE].url = "/rules/kerberos-keywords.html#krb5-err-code";
+ sigmatch_table[DETECT_KRB5_ERRCODE].Match = NULL;
+ sigmatch_table[DETECT_KRB5_ERRCODE].AppLayerTxMatch = DetectKrb5ErrCodeMatch;
+ sigmatch_table[DETECT_KRB5_ERRCODE].Setup = DetectKrb5ErrCodeSetup;
+ sigmatch_table[DETECT_KRB5_ERRCODE].Free = DetectKrb5ErrCodeFree;
#ifdef UNITTESTS
- sigmatch_table[DETECT_AL_KRB5_ERRCODE].RegisterTests = DetectKrb5ErrCodeRegisterTests;
+ sigmatch_table[DETECT_KRB5_ERRCODE].RegisterTests = DetectKrb5ErrCodeRegisterTests;
#endif
DetectAppLayerInspectEngineRegister("krb5_err_code", ALPROTO_KRB5, SIG_FLAG_TOSERVER, 0,
if (krb5d == NULL)
goto error;
- if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_KRB5_ERRCODE, (SigMatchCtx *)krb5d,
+ if (SigMatchAppendSMToList(de_ctx, s, DETECT_KRB5_ERRCODE, (SigMatchCtx *)krb5d,
g_krb5_err_code_list_id) == NULL) {
goto error;
}
*/
void DetectKrb5MsgTypeRegister(void)
{
- sigmatch_table[DETECT_AL_KRB5_MSGTYPE].name = "krb5_msg_type";
- sigmatch_table[DETECT_AL_KRB5_MSGTYPE].desc = "match Kerberos 5 message type";
- sigmatch_table[DETECT_AL_KRB5_MSGTYPE].url = "/rules/kerberos-keywords.html#krb5-msg-type";
- sigmatch_table[DETECT_AL_KRB5_MSGTYPE].Match = NULL;
- sigmatch_table[DETECT_AL_KRB5_MSGTYPE].AppLayerTxMatch = DetectKrb5MsgTypeMatch;
- sigmatch_table[DETECT_AL_KRB5_MSGTYPE].Setup = DetectKrb5MsgTypeSetup;
- sigmatch_table[DETECT_AL_KRB5_MSGTYPE].Free = DetectKrb5MsgTypeFree;
+ sigmatch_table[DETECT_KRB5_MSGTYPE].name = "krb5_msg_type";
+ sigmatch_table[DETECT_KRB5_MSGTYPE].desc = "match Kerberos 5 message type";
+ sigmatch_table[DETECT_KRB5_MSGTYPE].url = "/rules/kerberos-keywords.html#krb5-msg-type";
+ sigmatch_table[DETECT_KRB5_MSGTYPE].Match = NULL;
+ sigmatch_table[DETECT_KRB5_MSGTYPE].AppLayerTxMatch = DetectKrb5MsgTypeMatch;
+ sigmatch_table[DETECT_KRB5_MSGTYPE].Setup = DetectKrb5MsgTypeSetup;
+ sigmatch_table[DETECT_KRB5_MSGTYPE].Free = DetectKrb5MsgTypeFree;
#ifdef UNITTESTS
- sigmatch_table[DETECT_AL_KRB5_MSGTYPE].RegisterTests = DetectKrb5MsgTypeRegisterTests;
+ sigmatch_table[DETECT_KRB5_MSGTYPE].RegisterTests = DetectKrb5MsgTypeRegisterTests;
#endif
DetectAppLayerInspectEngineRegister("krb5_msg_type", ALPROTO_KRB5, SIG_FLAG_TOSERVER, 0,
if (krb5d == NULL)
goto error;
- if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_KRB5_MSGTYPE, (SigMatchCtx *)krb5d,
+ if (SigMatchAppendSMToList(de_ctx, s, DETECT_KRB5_MSGTYPE, (SigMatchCtx *)krb5d,
g_krb5_msg_type_list_id) == NULL) {
goto error;
}
void DetectKrb5SNameRegister(void)
{
- sigmatch_table[DETECT_AL_KRB5_SNAME].name = "krb5.sname";
- sigmatch_table[DETECT_AL_KRB5_SNAME].alias = "krb5_sname";
- sigmatch_table[DETECT_AL_KRB5_SNAME].url = "/rules/kerberos-keywords.html#krb5-sname";
- sigmatch_table[DETECT_AL_KRB5_SNAME].Setup = DetectKrb5SNameSetup;
- sigmatch_table[DETECT_AL_KRB5_SNAME].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;
- sigmatch_table[DETECT_AL_KRB5_SNAME].desc = "sticky buffer to match on Kerberos 5 server name";
+ sigmatch_table[DETECT_KRB5_SNAME].name = "krb5.sname";
+ sigmatch_table[DETECT_KRB5_SNAME].alias = "krb5_sname";
+ sigmatch_table[DETECT_KRB5_SNAME].url = "/rules/kerberos-keywords.html#krb5-sname";
+ sigmatch_table[DETECT_KRB5_SNAME].Setup = DetectKrb5SNameSetup;
+ sigmatch_table[DETECT_KRB5_SNAME].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;
+ sigmatch_table[DETECT_KRB5_SNAME].desc = "sticky buffer to match on Kerberos 5 server name";
DetectAppLayerMultiRegister(
"krb5_sname", ALPROTO_KRB5, SIG_FLAG_TOCLIENT, 0, GetKrb5SNameData, 2, 1);
if (krb5d == NULL)
goto error;
- if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_KRB5_TICKET_ENCRYPTION, (SigMatchCtx *)krb5d,
+ if (SigMatchAppendSMToList(de_ctx, s, DETECT_KRB5_TICKET_ENCRYPTION, (SigMatchCtx *)krb5d,
g_krb5_ticket_encryption_list_id) == NULL) {
goto error;
}
void DetectKrb5TicketEncryptionRegister(void)
{
- sigmatch_table[DETECT_AL_KRB5_TICKET_ENCRYPTION].name = "krb5.ticket_encryption";
- sigmatch_table[DETECT_AL_KRB5_TICKET_ENCRYPTION].desc = "match Kerberos 5 ticket encryption";
- sigmatch_table[DETECT_AL_KRB5_TICKET_ENCRYPTION].url =
+ sigmatch_table[DETECT_KRB5_TICKET_ENCRYPTION].name = "krb5.ticket_encryption";
+ sigmatch_table[DETECT_KRB5_TICKET_ENCRYPTION].desc = "match Kerberos 5 ticket encryption";
+ sigmatch_table[DETECT_KRB5_TICKET_ENCRYPTION].url =
"/rules/kerberos-keywords.html#krb5-ticket-encryption";
- sigmatch_table[DETECT_AL_KRB5_TICKET_ENCRYPTION].Match = NULL;
- sigmatch_table[DETECT_AL_KRB5_TICKET_ENCRYPTION].AppLayerTxMatch =
- DetectKrb5TicketEncryptionMatch;
- sigmatch_table[DETECT_AL_KRB5_TICKET_ENCRYPTION].Setup = DetectKrb5TicketEncryptionSetup;
- sigmatch_table[DETECT_AL_KRB5_TICKET_ENCRYPTION].Free = DetectKrb5TicketEncryptionFree;
+ sigmatch_table[DETECT_KRB5_TICKET_ENCRYPTION].Match = NULL;
+ sigmatch_table[DETECT_KRB5_TICKET_ENCRYPTION].AppLayerTxMatch = DetectKrb5TicketEncryptionMatch;
+ sigmatch_table[DETECT_KRB5_TICKET_ENCRYPTION].Setup = DetectKrb5TicketEncryptionSetup;
+ sigmatch_table[DETECT_KRB5_TICKET_ENCRYPTION].Free = DetectKrb5TicketEncryptionFree;
// Tickets are only from server to client
DetectAppLayerInspectEngineRegister("krb5_ticket_encryption", ALPROTO_KRB5, SIG_FLAG_TOCLIENT,
/* Okay so far so good, lets get this into a SigMatch and put it in the Signature. */
if (SigMatchAppendSMToList(
- de_ctx, s, DETECT_AL_MODBUS, (SigMatchCtx *)modbus, g_modbus_buffer_id) == NULL) {
+ de_ctx, s, DETECT_MODBUS, (SigMatchCtx *)modbus, g_modbus_buffer_id) == NULL) {
goto error;
}
*/
void DetectModbusRegister(void)
{
- sigmatch_table[DETECT_AL_MODBUS].name = "modbus";
- sigmatch_table[DETECT_AL_MODBUS].desc = "match on various properties of Modbus requests";
- sigmatch_table[DETECT_AL_MODBUS].url = "/rules/modbus-keyword.html#modbus-keyword";
- sigmatch_table[DETECT_AL_MODBUS].Match = NULL;
- sigmatch_table[DETECT_AL_MODBUS].Setup = DetectModbusSetup;
- sigmatch_table[DETECT_AL_MODBUS].Free = DetectModbusFree;
- sigmatch_table[DETECT_AL_MODBUS].AppLayerTxMatch = DetectModbusMatch;
+ sigmatch_table[DETECT_MODBUS].name = "modbus";
+ sigmatch_table[DETECT_MODBUS].desc = "match on various properties of Modbus requests";
+ sigmatch_table[DETECT_MODBUS].url = "/rules/modbus-keyword.html#modbus-keyword";
+ sigmatch_table[DETECT_MODBUS].Match = NULL;
+ sigmatch_table[DETECT_MODBUS].Setup = DetectModbusSetup;
+ sigmatch_table[DETECT_MODBUS].Free = DetectModbusFree;
+ sigmatch_table[DETECT_MODBUS].AppLayerTxMatch = DetectModbusMatch;
DetectAppLayerInspectEngineRegister(
"modbus", ALPROTO_MODBUS, SIG_FLAG_TOSERVER, 0, DetectEngineInspectGenericList, NULL);
*/
void DetectNfsProcedureRegister (void)
{
- sigmatch_table[DETECT_AL_NFS_PROCEDURE].name = "nfs_procedure";
- sigmatch_table[DETECT_AL_NFS_PROCEDURE].desc = "match NFS procedure";
- sigmatch_table[DETECT_AL_NFS_PROCEDURE].url = "/rules/nfs-keywords.html#procedure";
- sigmatch_table[DETECT_AL_NFS_PROCEDURE].Match = NULL;
- sigmatch_table[DETECT_AL_NFS_PROCEDURE].AppLayerTxMatch = DetectNfsProcedureMatch;
- sigmatch_table[DETECT_AL_NFS_PROCEDURE].Setup = DetectNfsProcedureSetup;
- sigmatch_table[DETECT_AL_NFS_PROCEDURE].Free = DetectNfsProcedureFree;
+ sigmatch_table[DETECT_NFS_PROCEDURE].name = "nfs_procedure";
+ sigmatch_table[DETECT_NFS_PROCEDURE].desc = "match NFS procedure";
+ sigmatch_table[DETECT_NFS_PROCEDURE].url = "/rules/nfs-keywords.html#procedure";
+ sigmatch_table[DETECT_NFS_PROCEDURE].Match = NULL;
+ sigmatch_table[DETECT_NFS_PROCEDURE].AppLayerTxMatch = DetectNfsProcedureMatch;
+ sigmatch_table[DETECT_NFS_PROCEDURE].Setup = DetectNfsProcedureSetup;
+ sigmatch_table[DETECT_NFS_PROCEDURE].Free = DetectNfsProcedureFree;
#ifdef UNITTESTS
- sigmatch_table[DETECT_AL_NFS_PROCEDURE].RegisterTests = DetectNfsProcedureRegisterTests;
+ sigmatch_table[DETECT_NFS_PROCEDURE].RegisterTests = DetectNfsProcedureRegisterTests;
#endif
DetectAppLayerInspectEngineRegister(
* and put it in the Signature. */
SCLogDebug("low %u hi %u", dd->arg1, dd->arg2);
- if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_NFS_PROCEDURE, (SigMatchCtx *)dd,
+ if (SigMatchAppendSMToList(de_ctx, s, DETECT_NFS_PROCEDURE, (SigMatchCtx *)dd,
g_nfs_request_buffer_id) == NULL) {
DetectNfsProcedureFree(de_ctx, dd);
return -1;
*/
void DetectNfsVersionRegister (void)
{
- sigmatch_table[DETECT_AL_NFS_VERSION].name = "nfs.version";
- sigmatch_table[DETECT_AL_NFS_VERSION].alias = "nfs_version";
- sigmatch_table[DETECT_AL_NFS_VERSION].desc = "match NFS version";
- sigmatch_table[DETECT_AL_NFS_VERSION].url = "/rules/nfs-keywords.html#version";
- sigmatch_table[DETECT_AL_NFS_VERSION].AppLayerTxMatch = DetectNfsVersionMatch;
- sigmatch_table[DETECT_AL_NFS_VERSION].Setup = DetectNfsVersionSetup;
- sigmatch_table[DETECT_AL_NFS_VERSION].Free = DetectNfsVersionFree;
+ sigmatch_table[DETECT_NFS_VERSION].name = "nfs.version";
+ sigmatch_table[DETECT_NFS_VERSION].alias = "nfs_version";
+ sigmatch_table[DETECT_NFS_VERSION].desc = "match NFS version";
+ sigmatch_table[DETECT_NFS_VERSION].url = "/rules/nfs-keywords.html#version";
+ sigmatch_table[DETECT_NFS_VERSION].AppLayerTxMatch = DetectNfsVersionMatch;
+ sigmatch_table[DETECT_NFS_VERSION].Setup = DetectNfsVersionSetup;
+ sigmatch_table[DETECT_NFS_VERSION].Free = DetectNfsVersionFree;
// unit tests were the same as DetectNfsProcedureRegisterTests
DetectAppLayerInspectEngineRegister(
"nfs_request", ALPROTO_NFS, SIG_FLAG_TOSERVER, 0, DetectEngineInspectGenericList, NULL);
* and put it in the Signature. */
SCLogDebug("low %u hi %u", dd->arg1, dd->arg2);
- if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_NFS_VERSION, (SigMatchCtx *)dd,
+ if (SigMatchAppendSMToList(de_ctx, s, DETECT_NFS_VERSION, (SigMatchCtx *)dd,
g_nfs_request_buffer_id) == NULL) {
goto error;
}
void DetectQuicCyuHashRegister(void)
{
/* quic.cyu.hash sticky buffer */
- sigmatch_table[DETECT_AL_QUIC_CYU_HASH].name = KEYWORD_NAME;
- sigmatch_table[DETECT_AL_QUIC_CYU_HASH].desc = "sticky buffer to match on the QUIC CYU hash";
- sigmatch_table[DETECT_AL_QUIC_CYU_HASH].url = "/rules/" KEYWORD_DOC;
- sigmatch_table[DETECT_AL_QUIC_CYU_HASH].Setup = DetectQuicCyuHashSetup;
- sigmatch_table[DETECT_AL_QUIC_CYU_HASH].flags |= SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_QUIC_CYU_HASH].name = KEYWORD_NAME;
+ sigmatch_table[DETECT_QUIC_CYU_HASH].desc = "sticky buffer to match on the QUIC CYU hash";
+ sigmatch_table[DETECT_QUIC_CYU_HASH].url = "/rules/" KEYWORD_DOC;
+ sigmatch_table[DETECT_QUIC_CYU_HASH].Setup = DetectQuicCyuHashSetup;
+ sigmatch_table[DETECT_QUIC_CYU_HASH].flags |= SIGMATCH_NOOPT;
#ifdef UNITTESTS
- sigmatch_table[DETECT_AL_QUIC_CYU_HASH].RegisterTests = DetectQuicCyuHashRegisterTests;
+ sigmatch_table[DETECT_QUIC_CYU_HASH].RegisterTests = DetectQuicCyuHashRegisterTests;
#endif
DetectAppLayerMultiRegister(
void DetectQuicCyuStringRegister(void)
{
/* quic.cyu.string sticky buffer */
- sigmatch_table[DETECT_AL_QUIC_CYU_STRING].name = KEYWORD_NAME;
- sigmatch_table[DETECT_AL_QUIC_CYU_STRING].desc =
- "sticky buffer to match on the QUIC CYU string";
- sigmatch_table[DETECT_AL_QUIC_CYU_STRING].url = "/rules/" KEYWORD_DOC;
- sigmatch_table[DETECT_AL_QUIC_CYU_STRING].Setup = DetectQuicCyuStringSetup;
- sigmatch_table[DETECT_AL_QUIC_CYU_STRING].flags |= SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_QUIC_CYU_STRING].name = KEYWORD_NAME;
+ sigmatch_table[DETECT_QUIC_CYU_STRING].desc = "sticky buffer to match on the QUIC CYU string";
+ sigmatch_table[DETECT_QUIC_CYU_STRING].url = "/rules/" KEYWORD_DOC;
+ sigmatch_table[DETECT_QUIC_CYU_STRING].Setup = DetectQuicCyuStringSetup;
+ sigmatch_table[DETECT_QUIC_CYU_STRING].flags |= SIGMATCH_NOOPT;
#ifdef UNITTESTS
- sigmatch_table[DETECT_AL_QUIC_CYU_STRING].RegisterTests = DetectQuicCyuStringRegisterTests;
+ sigmatch_table[DETECT_QUIC_CYU_STRING].RegisterTests = DetectQuicCyuStringRegisterTests;
#endif
DetectAppLayerMultiRegister(
*/
void DetectQuicSniRegister(void)
{
- sigmatch_table[DETECT_AL_QUIC_SNI].name = KEYWORD_NAME;
- sigmatch_table[DETECT_AL_QUIC_SNI].desc = "match Quic sni";
- sigmatch_table[DETECT_AL_QUIC_SNI].url = "/rules/quic-keywords.html#quic-sni";
- sigmatch_table[DETECT_AL_QUIC_SNI].Setup = DetectQuicSniSetup;
- sigmatch_table[DETECT_AL_QUIC_SNI].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;
+ sigmatch_table[DETECT_QUIC_SNI].name = KEYWORD_NAME;
+ sigmatch_table[DETECT_QUIC_SNI].desc = "match Quic sni";
+ sigmatch_table[DETECT_QUIC_SNI].url = "/rules/quic-keywords.html#quic-sni";
+ sigmatch_table[DETECT_QUIC_SNI].Setup = DetectQuicSniSetup;
+ sigmatch_table[DETECT_QUIC_SNI].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;
#ifdef UNITTESTS
- sigmatch_table[DETECT_AL_QUIC_SNI].RegisterTests = DetectQuicSniRegisterTests;
+ sigmatch_table[DETECT_QUIC_SNI].RegisterTests = DetectQuicSniRegisterTests;
#endif
DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
*/
void DetectQuicUaRegister(void)
{
- sigmatch_table[DETECT_AL_QUIC_UA].name = KEYWORD_NAME;
- sigmatch_table[DETECT_AL_QUIC_UA].desc = "match Quic ua";
- sigmatch_table[DETECT_AL_QUIC_UA].url = "/rules/quic-keywords.html#quic-ua";
- sigmatch_table[DETECT_AL_QUIC_UA].Setup = DetectQuicUaSetup;
- sigmatch_table[DETECT_AL_QUIC_UA].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;
+ sigmatch_table[DETECT_QUIC_UA].name = KEYWORD_NAME;
+ sigmatch_table[DETECT_QUIC_UA].desc = "match Quic ua";
+ sigmatch_table[DETECT_QUIC_UA].url = "/rules/quic-keywords.html#quic-ua";
+ sigmatch_table[DETECT_QUIC_UA].Setup = DetectQuicUaSetup;
+ sigmatch_table[DETECT_QUIC_UA].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;
#ifdef UNITTESTS
- sigmatch_table[DETECT_AL_QUIC_UA].RegisterTests = DetectQuicUaRegisterTests;
+ sigmatch_table[DETECT_QUIC_UA].RegisterTests = DetectQuicUaRegisterTests;
#endif
DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
*/
void DetectQuicVersionRegister(void)
{
- sigmatch_table[DETECT_AL_QUIC_VERSION].name = KEYWORD_NAME;
- sigmatch_table[DETECT_AL_QUIC_VERSION].desc = "match Quic version";
- sigmatch_table[DETECT_AL_QUIC_VERSION].url = "/rules/quic-keywords.html#quic-version";
- sigmatch_table[DETECT_AL_QUIC_VERSION].Setup = DetectQuicVersionSetup;
- sigmatch_table[DETECT_AL_QUIC_VERSION].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;
+ sigmatch_table[DETECT_QUIC_VERSION].name = KEYWORD_NAME;
+ sigmatch_table[DETECT_QUIC_VERSION].desc = "match Quic version";
+ sigmatch_table[DETECT_QUIC_VERSION].url = "/rules/quic-keywords.html#quic-version";
+ sigmatch_table[DETECT_QUIC_VERSION].Setup = DetectQuicVersionSetup;
+ sigmatch_table[DETECT_QUIC_VERSION].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;
#ifdef UNITTESTS
- sigmatch_table[DETECT_AL_QUIC_VERSION].RegisterTests = DetectQuicVersionRegisterTests;
+ sigmatch_table[DETECT_QUIC_VERSION].RegisterTests = DetectQuicVersionRegisterTests;
#endif
DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
void DetectSipMethodRegister(void)
{
/* sip.method sticky buffer */
- sigmatch_table[DETECT_AL_SIP_METHOD].name = KEYWORD_NAME;
- sigmatch_table[DETECT_AL_SIP_METHOD].desc = "sticky buffer to match on the SIP method buffer";
- sigmatch_table[DETECT_AL_SIP_METHOD].url = "/rules/" KEYWORD_DOC;
- sigmatch_table[DETECT_AL_SIP_METHOD].Setup = DetectSipMethodSetup;
- sigmatch_table[DETECT_AL_SIP_METHOD].flags |= SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_SIP_METHOD].name = KEYWORD_NAME;
+ sigmatch_table[DETECT_SIP_METHOD].desc = "sticky buffer to match on the SIP method buffer";
+ sigmatch_table[DETECT_SIP_METHOD].url = "/rules/" KEYWORD_DOC;
+ sigmatch_table[DETECT_SIP_METHOD].Setup = DetectSipMethodSetup;
+ sigmatch_table[DETECT_SIP_METHOD].flags |= SIGMATCH_NOOPT;
DetectAppLayerInspectEngineRegister(BUFFER_NAME, ALPROTO_SIP, SIG_FLAG_TOSERVER, 0,
DetectEngineInspectBufferGeneric, GetData);
void DetectSipUriRegister(void)
{
- sigmatch_table[DETECT_AL_SIP_URI].name = KEYWORD_NAME;
- sigmatch_table[DETECT_AL_SIP_URI].desc = "sticky buffer to match on the SIP URI";
- sigmatch_table[DETECT_AL_SIP_URI].url = "/rules/" KEYWORD_DOC;
- sigmatch_table[DETECT_AL_SIP_URI].Setup = DetectSipUriSetup;
- sigmatch_table[DETECT_AL_SIP_URI].flags |= SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_SIP_URI].name = KEYWORD_NAME;
+ sigmatch_table[DETECT_SIP_URI].desc = "sticky buffer to match on the SIP URI";
+ sigmatch_table[DETECT_SIP_URI].url = "/rules/" KEYWORD_DOC;
+ sigmatch_table[DETECT_SIP_URI].Setup = DetectSipUriSetup;
+ sigmatch_table[DETECT_SIP_URI].flags |= SIGMATCH_NOOPT;
DetectAppLayerInspectEngineRegister(BUFFER_NAME, ALPROTO_SIP, SIG_FLAG_TOSERVER, 0,
DetectEngineInspectBufferGeneric, GetData);
/* Check if Hassh is disabled */
if (!RunmodeIsUnittests() && !rs_ssh_hassh_is_enabled()) {
- if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_AL_SSH_HASSH_SERVER_STRING)) {
+ if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_SSH_HASSH_SERVER_STRING)) {
SCLogError("hassh support is not enabled");
}
return -2;
*/
void DetectSshHasshServerStringRegister(void)
{
- sigmatch_table[DETECT_AL_SSH_HASSH_SERVER_STRING].name = KEYWORD_NAME;
- sigmatch_table[DETECT_AL_SSH_HASSH_SERVER_STRING].alias = KEYWORD_ALIAS;
- sigmatch_table[DETECT_AL_SSH_HASSH_SERVER_STRING].desc = BUFFER_NAME " sticky buffer";
- sigmatch_table[DETECT_AL_SSH_HASSH_SERVER_STRING].url = "/rules/" KEYWORD_DOC;
- sigmatch_table[DETECT_AL_SSH_HASSH_SERVER_STRING].Setup = DetectSshHasshServerStringSetup;
- sigmatch_table[DETECT_AL_SSH_HASSH_SERVER_STRING].flags |= SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_SSH_HASSH_SERVER_STRING].name = KEYWORD_NAME;
+ sigmatch_table[DETECT_SSH_HASSH_SERVER_STRING].alias = KEYWORD_ALIAS;
+ sigmatch_table[DETECT_SSH_HASSH_SERVER_STRING].desc = BUFFER_NAME " sticky buffer";
+ sigmatch_table[DETECT_SSH_HASSH_SERVER_STRING].url = "/rules/" KEYWORD_DOC;
+ sigmatch_table[DETECT_SSH_HASSH_SERVER_STRING].Setup = DetectSshHasshServerStringSetup;
+ sigmatch_table[DETECT_SSH_HASSH_SERVER_STRING].flags |=
+ SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_NOOPT;
DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister,
GetSshData, ALPROTO_SSH, SshStateBannerDone);
/* Check if Hassh is disabled */
if (!RunmodeIsUnittests() && !rs_ssh_hassh_is_enabled()) {
- if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_AL_SSH_HASSH_SERVER)) {
+ if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_SSH_HASSH_SERVER)) {
SCLogError("hassh support is not enabled");
}
return -2;
*/
void DetectSshHasshServerRegister(void)
{
- sigmatch_table[DETECT_AL_SSH_HASSH_SERVER].name = KEYWORD_NAME;
- sigmatch_table[DETECT_AL_SSH_HASSH_SERVER].alias = KEYWORD_ALIAS;
- sigmatch_table[DETECT_AL_SSH_HASSH_SERVER].desc = BUFFER_NAME " sticky buffer";
- sigmatch_table[DETECT_AL_SSH_HASSH_SERVER].url = "/rules/" KEYWORD_DOC;
- sigmatch_table[DETECT_AL_SSH_HASSH_SERVER].Setup = DetectSshHasshServerSetup;
- sigmatch_table[DETECT_AL_SSH_HASSH_SERVER].flags |= SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_SSH_HASSH_SERVER].name = KEYWORD_NAME;
+ sigmatch_table[DETECT_SSH_HASSH_SERVER].alias = KEYWORD_ALIAS;
+ sigmatch_table[DETECT_SSH_HASSH_SERVER].desc = BUFFER_NAME " sticky buffer";
+ sigmatch_table[DETECT_SSH_HASSH_SERVER].url = "/rules/" KEYWORD_DOC;
+ sigmatch_table[DETECT_SSH_HASSH_SERVER].Setup = DetectSshHasshServerSetup;
+ sigmatch_table[DETECT_SSH_HASSH_SERVER].flags |= SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_NOOPT;
DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister,
GetSshData, ALPROTO_SSH, SshStateBannerDone);
/* Check if Hassh is disabled */
if (!RunmodeIsUnittests() && !rs_ssh_hassh_is_enabled()) {
- if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_AL_SSH_HASSH_STRING)) {
+ if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_SSH_HASSH_STRING)) {
SCLogError("hassh support is not enabled");
}
return -2;
*/
void DetectSshHasshStringRegister(void)
{
- sigmatch_table[DETECT_AL_SSH_HASSH_STRING].name = KEYWORD_NAME;
- sigmatch_table[DETECT_AL_SSH_HASSH_STRING].alias = KEYWORD_ALIAS;
- sigmatch_table[DETECT_AL_SSH_HASSH_STRING].desc = BUFFER_NAME " sticky buffer";
- sigmatch_table[DETECT_AL_SSH_HASSH_STRING].url = "/rules/" KEYWORD_DOC;
- sigmatch_table[DETECT_AL_SSH_HASSH_STRING].Setup = DetectSshHasshStringSetup;
- sigmatch_table[DETECT_AL_SSH_HASSH_STRING].flags |= SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_SSH_HASSH_STRING].name = KEYWORD_NAME;
+ sigmatch_table[DETECT_SSH_HASSH_STRING].alias = KEYWORD_ALIAS;
+ sigmatch_table[DETECT_SSH_HASSH_STRING].desc = BUFFER_NAME " sticky buffer";
+ sigmatch_table[DETECT_SSH_HASSH_STRING].url = "/rules/" KEYWORD_DOC;
+ sigmatch_table[DETECT_SSH_HASSH_STRING].Setup = DetectSshHasshStringSetup;
+ sigmatch_table[DETECT_SSH_HASSH_STRING].flags |= SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_NOOPT;
DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
GetSshData, ALPROTO_SSH, SshStateBannerDone);
/* Check if Hassh is disabled */
if (!RunmodeIsUnittests() && !rs_ssh_hassh_is_enabled()) {
- if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_AL_SSH_HASSH)) {
+ if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_SSH_HASSH)) {
SCLogError("hassh support is not enabled");
}
return -2;
*/
void DetectSshHasshRegister(void)
{
- sigmatch_table[DETECT_AL_SSH_HASSH].name = KEYWORD_NAME;
- sigmatch_table[DETECT_AL_SSH_HASSH].alias = KEYWORD_ALIAS;
- sigmatch_table[DETECT_AL_SSH_HASSH].desc = BUFFER_NAME " sticky buffer";
- sigmatch_table[DETECT_AL_SSH_HASSH].url = "/rules/" KEYWORD_DOC;
- sigmatch_table[DETECT_AL_SSH_HASSH].Setup = DetectSshHasshSetup;
- sigmatch_table[DETECT_AL_SSH_HASSH].flags |= SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_SSH_HASSH].name = KEYWORD_NAME;
+ sigmatch_table[DETECT_SSH_HASSH].alias = KEYWORD_ALIAS;
+ sigmatch_table[DETECT_SSH_HASSH].desc = BUFFER_NAME " sticky buffer";
+ sigmatch_table[DETECT_SSH_HASSH].url = "/rules/" KEYWORD_DOC;
+ sigmatch_table[DETECT_SSH_HASSH].Setup = DetectSshHasshSetup;
+ sigmatch_table[DETECT_SSH_HASSH].flags |= SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_NOOPT;
DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
GetSshData, ALPROTO_SSH, SshStateBannerDone),
*/
void DetectSshVersionRegister(void)
{
- sigmatch_table[DETECT_AL_SSH_PROTOVERSION].name = "ssh.protoversion";
- sigmatch_table[DETECT_AL_SSH_PROTOVERSION].desc = "obsolete keyword, use now ssh.proto";
- sigmatch_table[DETECT_AL_SSH_PROTOVERSION].Setup = DetectSshVersionSetup;
+ sigmatch_table[DETECT_SSH_PROTOVERSION].name = "ssh.protoversion";
+ sigmatch_table[DETECT_SSH_PROTOVERSION].desc = "obsolete keyword, use now ssh.proto";
+ sigmatch_table[DETECT_SSH_PROTOVERSION].Setup = DetectSshVersionSetup;
}
void DetectSshProtocolRegister(void)
{
- sigmatch_table[DETECT_AL_SSH_PROTOCOL].name = KEYWORD_NAME;
- sigmatch_table[DETECT_AL_SSH_PROTOCOL].alias = KEYWORD_NAME_LEGACY;
- sigmatch_table[DETECT_AL_SSH_PROTOCOL].desc = BUFFER_NAME " sticky buffer";
- sigmatch_table[DETECT_AL_SSH_PROTOCOL].url = "/rules/" KEYWORD_DOC;
- sigmatch_table[DETECT_AL_SSH_PROTOCOL].Setup = DetectSshProtocolSetup;
- sigmatch_table[DETECT_AL_SSH_PROTOCOL].flags |= SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_SSH_PROTOCOL].name = KEYWORD_NAME;
+ sigmatch_table[DETECT_SSH_PROTOCOL].alias = KEYWORD_NAME_LEGACY;
+ sigmatch_table[DETECT_SSH_PROTOCOL].desc = BUFFER_NAME " sticky buffer";
+ sigmatch_table[DETECT_SSH_PROTOCOL].url = "/rules/" KEYWORD_DOC;
+ sigmatch_table[DETECT_SSH_PROTOCOL].Setup = DetectSshProtocolSetup;
+ sigmatch_table[DETECT_SSH_PROTOCOL].flags |= SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_NOOPT;
DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
GetSshData, ALPROTO_SSH, SshStateBannerDone),
*/
void DetectSshSoftwareVersionRegister(void)
{
- sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].name = "ssh.softwareversion";
- sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].desc = "obsolete keyword, use now ssh.software";
- sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].Setup = DetectSshSoftwareVersionSetup;
+ sigmatch_table[DETECT_SSH_SOFTWAREVERSION].name = "ssh.softwareversion";
+ sigmatch_table[DETECT_SSH_SOFTWAREVERSION].desc = "obsolete keyword, use now ssh.software";
+ sigmatch_table[DETECT_SSH_SOFTWAREVERSION].Setup = DetectSshSoftwareVersionSetup;
}
void DetectSshSoftwareRegister(void)
{
- sigmatch_table[DETECT_AL_SSH_SOFTWARE].name = KEYWORD_NAME;
- sigmatch_table[DETECT_AL_SSH_SOFTWARE].alias = KEYWORD_NAME_LEGACY;
- sigmatch_table[DETECT_AL_SSH_SOFTWARE].desc = BUFFER_NAME " sticky buffer";
- sigmatch_table[DETECT_AL_SSH_SOFTWARE].url = "/rules/" KEYWORD_DOC;
- sigmatch_table[DETECT_AL_SSH_SOFTWARE].Setup = DetectSshSoftwareSetup;
- sigmatch_table[DETECT_AL_SSH_SOFTWARE].flags |= SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_SSH_SOFTWARE].name = KEYWORD_NAME;
+ sigmatch_table[DETECT_SSH_SOFTWARE].alias = KEYWORD_NAME_LEGACY;
+ sigmatch_table[DETECT_SSH_SOFTWARE].desc = BUFFER_NAME " sticky buffer";
+ sigmatch_table[DETECT_SSH_SOFTWARE].url = "/rules/" KEYWORD_DOC;
+ sigmatch_table[DETECT_SSH_SOFTWARE].Setup = DetectSshSoftwareSetup;
+ sigmatch_table[DETECT_SSH_SOFTWARE].flags |= SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_NOOPT;
DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister,
GetSshData, ALPROTO_SSH, SshStateBannerDone),
*/
void DetectSslStateRegister(void)
{
- sigmatch_table[DETECT_AL_SSL_STATE].name = "ssl_state";
- sigmatch_table[DETECT_AL_SSL_STATE].desc = "match the state of the SSL connection";
- sigmatch_table[DETECT_AL_SSL_STATE].url = "/rules/tls-keywords.html#ssl-state";
- sigmatch_table[DETECT_AL_SSL_STATE].AppLayerTxMatch = DetectSslStateMatch;
- sigmatch_table[DETECT_AL_SSL_STATE].Setup = DetectSslStateSetup;
- sigmatch_table[DETECT_AL_SSL_STATE].Free = DetectSslStateFree;
+ sigmatch_table[DETECT_SSL_STATE].name = "ssl_state";
+ sigmatch_table[DETECT_SSL_STATE].desc = "match the state of the SSL connection";
+ sigmatch_table[DETECT_SSL_STATE].url = "/rules/tls-keywords.html#ssl-state";
+ sigmatch_table[DETECT_SSL_STATE].AppLayerTxMatch = DetectSslStateMatch;
+ sigmatch_table[DETECT_SSL_STATE].Setup = DetectSslStateSetup;
+ sigmatch_table[DETECT_SSL_STATE].Free = DetectSslStateFree;
#ifdef UNITTESTS
- sigmatch_table[DETECT_AL_SSL_STATE].RegisterTests = DetectSslStateRegisterTests;
+ sigmatch_table[DETECT_SSL_STATE].RegisterTests = DetectSslStateRegisterTests;
#endif
DetectSetupParseRegexes(PARSE_REGEX1, &parse_regex1);
DetectSetupParseRegexes(PARSE_REGEX2, &parse_regex2);
if (ssd == NULL)
goto error;
- if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_SSL_STATE, (SigMatchCtx *)ssd,
- g_tls_generic_list_id) == NULL) {
+ if (SigMatchAppendSMToList(
+ de_ctx, s, DETECT_SSL_STATE, (SigMatchCtx *)ssd, g_tls_generic_list_id) == NULL) {
goto error;
}
return 0;
*/
void DetectSslVersionRegister(void)
{
- sigmatch_table[DETECT_AL_SSL_VERSION].name = "ssl_version";
- sigmatch_table[DETECT_AL_SSL_VERSION].desc = "match version of SSL/TLS record";
- sigmatch_table[DETECT_AL_SSL_VERSION].url = "/rules/tls-keywords.html#ssl-version";
- sigmatch_table[DETECT_AL_SSL_VERSION].AppLayerTxMatch = DetectSslVersionMatch;
- sigmatch_table[DETECT_AL_SSL_VERSION].Setup = DetectSslVersionSetup;
- sigmatch_table[DETECT_AL_SSL_VERSION].Free = DetectSslVersionFree;
+ sigmatch_table[DETECT_SSL_VERSION].name = "ssl_version";
+ sigmatch_table[DETECT_SSL_VERSION].desc = "match version of SSL/TLS record";
+ sigmatch_table[DETECT_SSL_VERSION].url = "/rules/tls-keywords.html#ssl-version";
+ sigmatch_table[DETECT_SSL_VERSION].AppLayerTxMatch = DetectSslVersionMatch;
+ sigmatch_table[DETECT_SSL_VERSION].Setup = DetectSslVersionSetup;
+ sigmatch_table[DETECT_SSL_VERSION].Free = DetectSslVersionFree;
#ifdef UNITTESTS
- sigmatch_table[DETECT_AL_SSL_VERSION].RegisterTests = DetectSslVersionRegisterTests;
+ sigmatch_table[DETECT_SSL_VERSION].RegisterTests = DetectSslVersionRegisterTests;
#endif
g_tls_generic_list_id = DetectBufferTypeRegister("tls_generic");
/* Okay so far so good, lets get this into a SigMatch
* and put it in the Signature. */
- if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_SSL_VERSION, (SigMatchCtx *)ssl,
- g_tls_generic_list_id) == NULL) {
+ if (SigMatchAppendSMToList(
+ de_ctx, s, DETECT_SSL_VERSION, (SigMatchCtx *)ssl, g_tls_generic_list_id) == NULL) {
goto error;
}
return 0;
*/
void DetectTlsFingerprintRegister(void)
{
- sigmatch_table[DETECT_AL_TLS_CERT_FINGERPRINT].name = "tls.cert_fingerprint";
- sigmatch_table[DETECT_AL_TLS_CERT_FINGERPRINT].alias = "tls_cert_fingerprint";
- sigmatch_table[DETECT_AL_TLS_CERT_FINGERPRINT].desc =
+ sigmatch_table[DETECT_TLS_CERT_FINGERPRINT].name = "tls.cert_fingerprint";
+ sigmatch_table[DETECT_TLS_CERT_FINGERPRINT].alias = "tls_cert_fingerprint";
+ sigmatch_table[DETECT_TLS_CERT_FINGERPRINT].desc =
"sticky buffer to match the TLS cert fingerprint buffer";
- sigmatch_table[DETECT_AL_TLS_CERT_FINGERPRINT].url = "/rules/tls-keywords.html#tls-cert-fingerprint";
- sigmatch_table[DETECT_AL_TLS_CERT_FINGERPRINT].Setup = DetectTlsFingerprintSetup;
+ sigmatch_table[DETECT_TLS_CERT_FINGERPRINT].url =
+ "/rules/tls-keywords.html#tls-cert-fingerprint";
+ sigmatch_table[DETECT_TLS_CERT_FINGERPRINT].Setup = DetectTlsFingerprintSetup;
#ifdef UNITTESTS
- sigmatch_table[DETECT_AL_TLS_CERT_FINGERPRINT].RegisterTests = DetectTlsFingerprintRegisterTests;
+ sigmatch_table[DETECT_TLS_CERT_FINGERPRINT].RegisterTests = DetectTlsFingerprintRegisterTests;
#endif
- sigmatch_table[DETECT_AL_TLS_CERT_FINGERPRINT].flags |= SIGMATCH_NOOPT;
- sigmatch_table[DETECT_AL_TLS_CERT_FINGERPRINT].flags |= SIGMATCH_INFO_STICKY_BUFFER;
+ sigmatch_table[DETECT_TLS_CERT_FINGERPRINT].flags |= SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_TLS_CERT_FINGERPRINT].flags |= SIGMATCH_INFO_STICKY_BUFFER;
DetectAppLayerInspectEngineRegister("tls.cert_fingerprint", ALPROTO_TLS, SIG_FLAG_TOCLIENT,
TLS_STATE_CERT_READY, DetectEngineInspectBufferGeneric, GetData);
*/
void DetectTlsIssuerRegister(void)
{
- sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].name = "tls.cert_issuer";
- sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].alias = "tls_cert_issuer";
- sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].desc =
+ sigmatch_table[DETECT_TLS_CERT_ISSUER].name = "tls.cert_issuer";
+ sigmatch_table[DETECT_TLS_CERT_ISSUER].alias = "tls_cert_issuer";
+ sigmatch_table[DETECT_TLS_CERT_ISSUER].desc =
"sticky buffer to match specifically and only on the TLS cert issuer buffer";
- sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].url = "/rules/tls-keywords.html#tls-cert-issuer";
- sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].Setup = DetectTlsIssuerSetup;
+ sigmatch_table[DETECT_TLS_CERT_ISSUER].url = "/rules/tls-keywords.html#tls-cert-issuer";
+ sigmatch_table[DETECT_TLS_CERT_ISSUER].Setup = DetectTlsIssuerSetup;
#ifdef UNITTESTS
- sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].RegisterTests = DetectTlsIssuerRegisterTests;
+ sigmatch_table[DETECT_TLS_CERT_ISSUER].RegisterTests = DetectTlsIssuerRegisterTests;
#endif
- sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].flags |= SIGMATCH_NOOPT;
- sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].flags |= SIGMATCH_INFO_STICKY_BUFFER;
+ sigmatch_table[DETECT_TLS_CERT_ISSUER].flags |= SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_TLS_CERT_ISSUER].flags |= SIGMATCH_INFO_STICKY_BUFFER;
DetectAppLayerInspectEngineRegister("tls.cert_issuer", ALPROTO_TLS, SIG_FLAG_TOSERVER,
TLS_STATE_CERT_READY, DetectEngineInspectBufferGeneric, GetData);
*/
void DetectTlsSerialRegister(void)
{
- sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].name = "tls.cert_serial";
- sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].alias = "tls_cert_serial";
- sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].desc =
+ sigmatch_table[DETECT_TLS_CERT_SERIAL].name = "tls.cert_serial";
+ sigmatch_table[DETECT_TLS_CERT_SERIAL].alias = "tls_cert_serial";
+ sigmatch_table[DETECT_TLS_CERT_SERIAL].desc =
"sticky buffer to match the TLS cert serial buffer";
- sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].url = "/rules/tls-keywords.html#tls-cert-serial";
- sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].Setup = DetectTlsSerialSetup;
+ sigmatch_table[DETECT_TLS_CERT_SERIAL].url = "/rules/tls-keywords.html#tls-cert-serial";
+ sigmatch_table[DETECT_TLS_CERT_SERIAL].Setup = DetectTlsSerialSetup;
#ifdef UNITTESTS
- sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].RegisterTests = DetectTlsSerialRegisterTests;
+ sigmatch_table[DETECT_TLS_CERT_SERIAL].RegisterTests = DetectTlsSerialRegisterTests;
#endif
- sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].flags |= SIGMATCH_NOOPT;
- sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].flags |= SIGMATCH_INFO_STICKY_BUFFER;
+ sigmatch_table[DETECT_TLS_CERT_SERIAL].flags |= SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_TLS_CERT_SERIAL].flags |= SIGMATCH_INFO_STICKY_BUFFER;
DetectAppLayerInspectEngineRegister("tls.cert_serial", ALPROTO_TLS, SIG_FLAG_TOCLIENT,
TLS_STATE_CERT_READY, DetectEngineInspectBufferGeneric, GetData);
*/
void DetectTlsSubjectRegister(void)
{
- sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].name = "tls.cert_subject";
- sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].alias = "tls_cert_subject";
- sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].desc =
+ sigmatch_table[DETECT_TLS_CERT_SUBJECT].name = "tls.cert_subject";
+ sigmatch_table[DETECT_TLS_CERT_SUBJECT].alias = "tls_cert_subject";
+ sigmatch_table[DETECT_TLS_CERT_SUBJECT].desc =
"sticky buffer to match specifically and only on the TLS cert subject buffer";
- sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].url = "/rules/tls-keywords.html#tls-cert-subject";
- sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].Setup = DetectTlsSubjectSetup;
+ sigmatch_table[DETECT_TLS_CERT_SUBJECT].url = "/rules/tls-keywords.html#tls-cert-subject";
+ sigmatch_table[DETECT_TLS_CERT_SUBJECT].Setup = DetectTlsSubjectSetup;
#ifdef UNITTESTS
- sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].RegisterTests = DetectTlsSubjectRegisterTests;
+ sigmatch_table[DETECT_TLS_CERT_SUBJECT].RegisterTests = DetectTlsSubjectRegisterTests;
#endif
- sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].flags |= SIGMATCH_NOOPT;
- sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].flags |= SIGMATCH_INFO_STICKY_BUFFER;
+ sigmatch_table[DETECT_TLS_CERT_SUBJECT].flags |= SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_TLS_CERT_SUBJECT].flags |= SIGMATCH_INFO_STICKY_BUFFER;
DetectAppLayerInspectEngineRegister("tls.cert_subject", ALPROTO_TLS, SIG_FLAG_TOSERVER,
TLS_STATE_CERT_READY, DetectEngineInspectBufferGeneric, GetData);
*/
void DetectTlsValidityRegister (void)
{
- sigmatch_table[DETECT_AL_TLS_NOTBEFORE].name = "tls_cert_notbefore";
- sigmatch_table[DETECT_AL_TLS_NOTBEFORE].desc = "match TLS certificate notBefore field";
- sigmatch_table[DETECT_AL_TLS_NOTBEFORE].url = "/rules/tls-keywords.html#tls-cert-notbefore";
- sigmatch_table[DETECT_AL_TLS_NOTBEFORE].AppLayerTxMatch = DetectTlsValidityMatch;
- sigmatch_table[DETECT_AL_TLS_NOTBEFORE].Setup = DetectTlsNotBeforeSetup;
- sigmatch_table[DETECT_AL_TLS_NOTBEFORE].Free = DetectTlsValidityFree;
+ sigmatch_table[DETECT_TLS_NOTBEFORE].name = "tls_cert_notbefore";
+ sigmatch_table[DETECT_TLS_NOTBEFORE].desc = "match TLS certificate notBefore field";
+ sigmatch_table[DETECT_TLS_NOTBEFORE].url = "/rules/tls-keywords.html#tls-cert-notbefore";
+ sigmatch_table[DETECT_TLS_NOTBEFORE].AppLayerTxMatch = DetectTlsValidityMatch;
+ sigmatch_table[DETECT_TLS_NOTBEFORE].Setup = DetectTlsNotBeforeSetup;
+ sigmatch_table[DETECT_TLS_NOTBEFORE].Free = DetectTlsValidityFree;
#ifdef UNITTESTS
- sigmatch_table[DETECT_AL_TLS_NOTBEFORE].RegisterTests = TlsNotBeforeRegisterTests;
+ sigmatch_table[DETECT_TLS_NOTBEFORE].RegisterTests = TlsNotBeforeRegisterTests;
#endif
- sigmatch_table[DETECT_AL_TLS_NOTAFTER].name = "tls_cert_notafter";
- sigmatch_table[DETECT_AL_TLS_NOTAFTER].desc = "match TLS certificate notAfter field";
- sigmatch_table[DETECT_AL_TLS_NOTAFTER].url = "/rules/tls-keywords.html#tls-cert-notafter";
- sigmatch_table[DETECT_AL_TLS_NOTAFTER].AppLayerTxMatch = DetectTlsValidityMatch;
- sigmatch_table[DETECT_AL_TLS_NOTAFTER].Setup = DetectTlsNotAfterSetup;
- sigmatch_table[DETECT_AL_TLS_NOTAFTER].Free = DetectTlsValidityFree;
+ sigmatch_table[DETECT_TLS_NOTAFTER].name = "tls_cert_notafter";
+ sigmatch_table[DETECT_TLS_NOTAFTER].desc = "match TLS certificate notAfter field";
+ sigmatch_table[DETECT_TLS_NOTAFTER].url = "/rules/tls-keywords.html#tls-cert-notafter";
+ sigmatch_table[DETECT_TLS_NOTAFTER].AppLayerTxMatch = DetectTlsValidityMatch;
+ sigmatch_table[DETECT_TLS_NOTAFTER].Setup = DetectTlsNotAfterSetup;
+ sigmatch_table[DETECT_TLS_NOTAFTER].Free = DetectTlsValidityFree;
#ifdef UNITTESTS
- sigmatch_table[DETECT_AL_TLS_NOTAFTER].RegisterTests = TlsNotAfterRegisterTests;
+ sigmatch_table[DETECT_TLS_NOTAFTER].RegisterTests = TlsNotAfterRegisterTests;
#endif
- sigmatch_table[DETECT_AL_TLS_EXPIRED].name = "tls_cert_expired";
- sigmatch_table[DETECT_AL_TLS_EXPIRED].desc = "match expired TLS certificates";
- sigmatch_table[DETECT_AL_TLS_EXPIRED].url = "/rules/tls-keywords.html#tls-cert-expired";
- sigmatch_table[DETECT_AL_TLS_EXPIRED].AppLayerTxMatch = DetectTlsValidityMatch;
- sigmatch_table[DETECT_AL_TLS_EXPIRED].Setup = DetectTlsExpiredSetup;
- sigmatch_table[DETECT_AL_TLS_EXPIRED].Free = DetectTlsValidityFree;
- sigmatch_table[DETECT_AL_TLS_EXPIRED].flags = SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_TLS_EXPIRED].name = "tls_cert_expired";
+ sigmatch_table[DETECT_TLS_EXPIRED].desc = "match expired TLS certificates";
+ sigmatch_table[DETECT_TLS_EXPIRED].url = "/rules/tls-keywords.html#tls-cert-expired";
+ sigmatch_table[DETECT_TLS_EXPIRED].AppLayerTxMatch = DetectTlsValidityMatch;
+ sigmatch_table[DETECT_TLS_EXPIRED].Setup = DetectTlsExpiredSetup;
+ sigmatch_table[DETECT_TLS_EXPIRED].Free = DetectTlsValidityFree;
+ sigmatch_table[DETECT_TLS_EXPIRED].flags = SIGMATCH_NOOPT;
#ifdef UNITTESTS
- sigmatch_table[DETECT_AL_TLS_EXPIRED].RegisterTests = TlsExpiredRegisterTests;
+ sigmatch_table[DETECT_TLS_EXPIRED].RegisterTests = TlsExpiredRegisterTests;
#endif
- sigmatch_table[DETECT_AL_TLS_VALID].name = "tls_cert_valid";
- sigmatch_table[DETECT_AL_TLS_VALID].desc = "match valid TLS certificates";
- sigmatch_table[DETECT_AL_TLS_VALID].url = "/rules/tls-keywords.html#tls-cert-valid";
- sigmatch_table[DETECT_AL_TLS_VALID].AppLayerTxMatch = DetectTlsValidityMatch;
- sigmatch_table[DETECT_AL_TLS_VALID].Setup = DetectTlsValidSetup;
- sigmatch_table[DETECT_AL_TLS_VALID].Free = DetectTlsValidityFree;
- sigmatch_table[DETECT_AL_TLS_VALID].flags = SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_TLS_VALID].name = "tls_cert_valid";
+ sigmatch_table[DETECT_TLS_VALID].desc = "match valid TLS certificates";
+ sigmatch_table[DETECT_TLS_VALID].url = "/rules/tls-keywords.html#tls-cert-valid";
+ sigmatch_table[DETECT_TLS_VALID].AppLayerTxMatch = DetectTlsValidityMatch;
+ sigmatch_table[DETECT_TLS_VALID].Setup = DetectTlsValidSetup;
+ sigmatch_table[DETECT_TLS_VALID].Free = DetectTlsValidityFree;
+ sigmatch_table[DETECT_TLS_VALID].flags = SIGMATCH_NOOPT;
#ifdef UNITTESTS
- sigmatch_table[DETECT_AL_TLS_VALID].RegisterTests = TlsValidRegisterTests;
+ sigmatch_table[DETECT_TLS_VALID].RegisterTests = TlsValidRegisterTests;
#endif
DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
dd->epoch = 0;
dd->epoch2 = 0;
- if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_TLS_EXPIRED, (SigMatchCtx *)dd,
+ if (SigMatchAppendSMToList(de_ctx, s, DETECT_TLS_EXPIRED, (SigMatchCtx *)dd,
g_tls_validity_buffer_id) == NULL) {
goto error;
}
dd->epoch = 0;
dd->epoch2 = 0;
- if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_TLS_VALID, (SigMatchCtx *)dd,
- g_tls_validity_buffer_id) == NULL) {
+ if (SigMatchAppendSMToList(
+ de_ctx, s, DETECT_TLS_VALID, (SigMatchCtx *)dd, g_tls_validity_buffer_id) == NULL) {
goto error;
}
return 0;
goto error;
}
- if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_TLS_NOTAFTER, (SigMatchCtx *)dd,
+ if (SigMatchAppendSMToList(de_ctx, s, DETECT_TLS_NOTAFTER, (SigMatchCtx *)dd,
g_tls_validity_buffer_id) == NULL) {
goto error;
}
*/
void DetectTlsCertsRegister(void)
{
- sigmatch_table[DETECT_AL_TLS_CERTS].name = "tls.certs";
- sigmatch_table[DETECT_AL_TLS_CERTS].desc = "sticky buffer to match the TLS certificate buffer";
- sigmatch_table[DETECT_AL_TLS_CERTS].url = "/rules/tls-keywords.html#tls-certs";
- sigmatch_table[DETECT_AL_TLS_CERTS].Setup = DetectTlsCertsSetup;
+ sigmatch_table[DETECT_TLS_CERTS].name = "tls.certs";
+ sigmatch_table[DETECT_TLS_CERTS].desc = "sticky buffer to match the TLS certificate buffer";
+ sigmatch_table[DETECT_TLS_CERTS].url = "/rules/tls-keywords.html#tls-certs";
+ sigmatch_table[DETECT_TLS_CERTS].Setup = DetectTlsCertsSetup;
#ifdef UNITTESTS
- sigmatch_table[DETECT_AL_TLS_CERTS].RegisterTests = DetectTlsCertsRegisterTests;
+ sigmatch_table[DETECT_TLS_CERTS].RegisterTests = DetectTlsCertsRegisterTests;
#endif
- sigmatch_table[DETECT_AL_TLS_CERTS].flags |= SIGMATCH_NOOPT;
- sigmatch_table[DETECT_AL_TLS_CERTS].flags |= SIGMATCH_INFO_STICKY_BUFFER;
+ sigmatch_table[DETECT_TLS_CERTS].flags |= SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_TLS_CERTS].flags |= SIGMATCH_INFO_STICKY_BUFFER;
DetectAppLayerMultiRegister("tls.certs", ALPROTO_TLS, SIG_FLAG_TOCLIENT, TLS_STATE_CERT_READY,
TlsCertsGetData, 2, 1);
static int g_tls_cert_buffer_id = 0;
#define BUFFER_NAME "tls_validity"
-#define KEYWORD_ID DETECT_AL_TLS_CHAIN_LEN
+#define KEYWORD_ID DETECT_TLS_CHAIN_LEN
#define KEYWORD_NAME "tls.cert_chain_len"
#define KEYWORD_DESC "match TLS certificate chain length"
#define KEYWORD_URL "/rules/tls-keywords.html#tls-cert-chain-len"
*/
void DetectTlsJa3HashRegister(void)
{
- sigmatch_table[DETECT_AL_TLS_JA3_HASH].name = "ja3.hash";
- sigmatch_table[DETECT_AL_TLS_JA3_HASH].alias = "ja3_hash";
- sigmatch_table[DETECT_AL_TLS_JA3_HASH].desc = "sticky buffer to match the JA3 hash buffer";
- sigmatch_table[DETECT_AL_TLS_JA3_HASH].url = "/rules/ja3-keywords.html#ja3-hash";
+ sigmatch_table[DETECT_TLS_JA3_HASH].name = "ja3.hash";
+ sigmatch_table[DETECT_TLS_JA3_HASH].alias = "ja3_hash";
+ sigmatch_table[DETECT_TLS_JA3_HASH].desc = "sticky buffer to match the JA3 hash buffer";
+ sigmatch_table[DETECT_TLS_JA3_HASH].url = "/rules/ja3-keywords.html#ja3-hash";
#ifdef HAVE_JA3
- sigmatch_table[DETECT_AL_TLS_JA3_HASH].Setup = DetectTlsJa3HashSetup;
+ sigmatch_table[DETECT_TLS_JA3_HASH].Setup = DetectTlsJa3HashSetup;
#else /* HAVE_JA3 */
- sigmatch_table[DETECT_AL_TLS_JA3_HASH].Setup = DetectJA3SetupNoSupport;
+ sigmatch_table[DETECT_TLS_JA3_HASH].Setup = DetectJA3SetupNoSupport;
#endif /* HAVE_JA3 */
- sigmatch_table[DETECT_AL_TLS_JA3_HASH].flags |= SIGMATCH_NOOPT;
- sigmatch_table[DETECT_AL_TLS_JA3_HASH].flags |= SIGMATCH_INFO_STICKY_BUFFER;
+ sigmatch_table[DETECT_TLS_JA3_HASH].flags |= SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_TLS_JA3_HASH].flags |= SIGMATCH_INFO_STICKY_BUFFER;
#ifdef HAVE_JA3
DetectAppLayerInspectEngineRegister("ja3.hash", ALPROTO_TLS, SIG_FLAG_TOSERVER, 0,
/* Check if JA3 is disabled */
if (!RunmodeIsUnittests() && Ja3IsDisabled("rule")) {
- if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_AL_TLS_JA3_HASH)) {
+ if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_TLS_JA3_HASH)) {
SCLogError("ja3 support is not enabled");
}
return -2;
*/
void DetectTlsJa3StringRegister(void)
{
- sigmatch_table[DETECT_AL_TLS_JA3_STRING].name = "ja3.string";
- sigmatch_table[DETECT_AL_TLS_JA3_STRING].alias = "ja3_string";
- sigmatch_table[DETECT_AL_TLS_JA3_STRING].desc = "sticky buffer to match the JA3 string buffer";
- sigmatch_table[DETECT_AL_TLS_JA3_STRING].url = "/rules/ja3-keywords.html#ja3-string";
+ sigmatch_table[DETECT_TLS_JA3_STRING].name = "ja3.string";
+ sigmatch_table[DETECT_TLS_JA3_STRING].alias = "ja3_string";
+ sigmatch_table[DETECT_TLS_JA3_STRING].desc = "sticky buffer to match the JA3 string buffer";
+ sigmatch_table[DETECT_TLS_JA3_STRING].url = "/rules/ja3-keywords.html#ja3-string";
#ifdef HAVE_JA3
- sigmatch_table[DETECT_AL_TLS_JA3_STRING].Setup = DetectTlsJa3StringSetup;
+ sigmatch_table[DETECT_TLS_JA3_STRING].Setup = DetectTlsJa3StringSetup;
#else /* HAVE_JA3 */
- sigmatch_table[DETECT_AL_TLS_JA3_STRING].Setup = DetectJA3SetupNoSupport;
+ sigmatch_table[DETECT_TLS_JA3_STRING].Setup = DetectJA3SetupNoSupport;
#endif /* HAVE_JA3 */
- sigmatch_table[DETECT_AL_TLS_JA3_STRING].flags |= SIGMATCH_NOOPT;
- sigmatch_table[DETECT_AL_TLS_JA3_STRING].flags |= SIGMATCH_INFO_STICKY_BUFFER;
+ sigmatch_table[DETECT_TLS_JA3_STRING].flags |= SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_TLS_JA3_STRING].flags |= SIGMATCH_INFO_STICKY_BUFFER;
#ifdef HAVE_JA3
DetectAppLayerInspectEngineRegister("ja3.string", ALPROTO_TLS, SIG_FLAG_TOSERVER, 0,
/* Check if JA3 is disabled */
if (!RunmodeIsUnittests() && Ja3IsDisabled("rule")) {
- if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_AL_TLS_JA3_STRING)) {
+ if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_TLS_JA3_STRING)) {
SCLogError("ja3(s) support is not enabled");
}
return -2;
*/
void DetectTlsJa3SHashRegister(void)
{
- sigmatch_table[DETECT_AL_TLS_JA3S_HASH].name = "ja3s.hash";
- sigmatch_table[DETECT_AL_TLS_JA3S_HASH].desc = "sticky buffer to match the JA3S hash buffer";
- sigmatch_table[DETECT_AL_TLS_JA3S_HASH].url = "/rules/ja3-keywords.html#ja3s-hash";
+ sigmatch_table[DETECT_TLS_JA3S_HASH].name = "ja3s.hash";
+ sigmatch_table[DETECT_TLS_JA3S_HASH].desc = "sticky buffer to match the JA3S hash buffer";
+ sigmatch_table[DETECT_TLS_JA3S_HASH].url = "/rules/ja3-keywords.html#ja3s-hash";
#ifdef HAVE_JA3
- sigmatch_table[DETECT_AL_TLS_JA3S_HASH].Setup = DetectTlsJa3SHashSetup;
+ sigmatch_table[DETECT_TLS_JA3S_HASH].Setup = DetectTlsJa3SHashSetup;
#else /* HAVE_JA3 */
- sigmatch_table[DETECT_AL_TLS_JA3S_HASH].Setup = DetectJA3SetupNoSupport;
+ sigmatch_table[DETECT_TLS_JA3S_HASH].Setup = DetectJA3SetupNoSupport;
#endif /* HAVE_JA3 */
- sigmatch_table[DETECT_AL_TLS_JA3S_HASH].flags |= SIGMATCH_NOOPT;
- sigmatch_table[DETECT_AL_TLS_JA3S_HASH].flags |= SIGMATCH_INFO_STICKY_BUFFER;
+ sigmatch_table[DETECT_TLS_JA3S_HASH].flags |= SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_TLS_JA3S_HASH].flags |= SIGMATCH_INFO_STICKY_BUFFER;
#ifdef HAVE_JA3
DetectAppLayerInspectEngineRegister("ja3s.hash", ALPROTO_TLS, SIG_FLAG_TOCLIENT, 0,
/* Check if JA3 is disabled */
if (!RunmodeIsUnittests() && Ja3IsDisabled("rule")) {
- if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_AL_TLS_JA3S_HASH)) {
+ if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_TLS_JA3S_HASH)) {
SCLogError("ja3(s) support is not enabled");
}
return -2;
*/
void DetectTlsJa3SStringRegister(void)
{
- sigmatch_table[DETECT_AL_TLS_JA3S_STRING].name = "ja3s.string";
- sigmatch_table[DETECT_AL_TLS_JA3S_STRING].desc =
- "sticky buffer to match the JA3S string buffer";
- sigmatch_table[DETECT_AL_TLS_JA3S_STRING].url = "/rules/ja3-keywords.html#ja3s-string";
+ sigmatch_table[DETECT_TLS_JA3S_STRING].name = "ja3s.string";
+ sigmatch_table[DETECT_TLS_JA3S_STRING].desc = "sticky buffer to match the JA3S string buffer";
+ sigmatch_table[DETECT_TLS_JA3S_STRING].url = "/rules/ja3-keywords.html#ja3s-string";
#ifdef HAVE_JA3
- sigmatch_table[DETECT_AL_TLS_JA3S_STRING].Setup = DetectTlsJa3SStringSetup;
+ sigmatch_table[DETECT_TLS_JA3S_STRING].Setup = DetectTlsJa3SStringSetup;
#else /* HAVE_JA3 */
- sigmatch_table[DETECT_AL_TLS_JA3S_STRING].Setup = DetectJA3SetupNoSupport;
+ sigmatch_table[DETECT_TLS_JA3S_STRING].Setup = DetectJA3SetupNoSupport;
#endif /* HAVE_JA3 */
- sigmatch_table[DETECT_AL_TLS_JA3S_STRING].flags |= SIGMATCH_NOOPT;
- sigmatch_table[DETECT_AL_TLS_JA3S_STRING].flags |= SIGMATCH_INFO_STICKY_BUFFER;
+ sigmatch_table[DETECT_TLS_JA3S_STRING].flags |= SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_TLS_JA3S_STRING].flags |= SIGMATCH_INFO_STICKY_BUFFER;
#ifdef HAVE_JA3
DetectAppLayerInspectEngineRegister("ja3s.string", ALPROTO_TLS, SIG_FLAG_TOCLIENT, 0,
/* Check if JA3 is disabled */
if (!RunmodeIsUnittests() && Ja3IsDisabled("rule")) {
- if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_AL_TLS_JA3S_STRING)) {
+ if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_TLS_JA3S_STRING)) {
SCLogError("ja3(s) support is not enabled");
}
return -2;
void DetectTlsRandomTimeRegister(void)
{
- sigmatch_table[DETECT_AL_TLS_RANDOM_TIME].name = "tls.random_time";
- sigmatch_table[DETECT_AL_TLS_RANDOM_TIME].desc = "sticky buffer to match specifically and only "
- "on the first 4 bytes of a TLS random buffer";
- sigmatch_table[DETECT_AL_TLS_RANDOM_TIME].url = "/rules/tls-keywords.html#tls-random-time";
- sigmatch_table[DETECT_AL_TLS_RANDOM_TIME].Setup = DetectTlsRandomTimeSetup;
- sigmatch_table[DETECT_AL_TLS_RANDOM_TIME].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;
+ sigmatch_table[DETECT_TLS_RANDOM_TIME].name = "tls.random_time";
+ sigmatch_table[DETECT_TLS_RANDOM_TIME].desc = "sticky buffer to match specifically and only "
+ "on the first 4 bytes of a TLS random buffer";
+ sigmatch_table[DETECT_TLS_RANDOM_TIME].url = "/rules/tls-keywords.html#tls-random-time";
+ sigmatch_table[DETECT_TLS_RANDOM_TIME].Setup = DetectTlsRandomTimeSetup;
+ sigmatch_table[DETECT_TLS_RANDOM_TIME].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;
/* Register engine for Server random */
DetectAppLayerInspectEngineRegister("tls.random_time", ALPROTO_TLS, SIG_FLAG_TOSERVER, 0,
void DetectTlsRandomBytesRegister(void)
{
- sigmatch_table[DETECT_AL_TLS_RANDOM_BYTES].name = "tls.random_bytes";
- sigmatch_table[DETECT_AL_TLS_RANDOM_BYTES].desc =
+ sigmatch_table[DETECT_TLS_RANDOM_BYTES].name = "tls.random_bytes";
+ sigmatch_table[DETECT_TLS_RANDOM_BYTES].desc =
"sticky buffer to match specifically and only on the last 28 bytes of a TLS random "
"buffer";
- sigmatch_table[DETECT_AL_TLS_RANDOM_BYTES].url = "/rules/tls-keywords.html#tls-random-bytes";
- sigmatch_table[DETECT_AL_TLS_RANDOM_BYTES].Setup = DetectTlsRandomBytesSetup;
- sigmatch_table[DETECT_AL_TLS_RANDOM_BYTES].flags |=
- SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;
+ sigmatch_table[DETECT_TLS_RANDOM_BYTES].url = "/rules/tls-keywords.html#tls-random-bytes";
+ sigmatch_table[DETECT_TLS_RANDOM_BYTES].Setup = DetectTlsRandomBytesSetup;
+ sigmatch_table[DETECT_TLS_RANDOM_BYTES].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;
/* Register engine for Server random */
DetectAppLayerInspectEngineRegister("tls.random_bytes", ALPROTO_TLS, SIG_FLAG_TOSERVER, 0,
DetectTlsRandomTimeRegister();
DetectTlsRandomBytesRegister();
- sigmatch_table[DETECT_AL_TLS_RANDOM].name = "tls.random";
- sigmatch_table[DETECT_AL_TLS_RANDOM].desc =
+ sigmatch_table[DETECT_TLS_RANDOM].name = "tls.random";
+ sigmatch_table[DETECT_TLS_RANDOM].desc =
"sticky buffer to match specifically and only on a TLS random buffer";
- sigmatch_table[DETECT_AL_TLS_RANDOM].url = "/rules/tls-keywords.html#tls-random";
- sigmatch_table[DETECT_AL_TLS_RANDOM].Setup = DetectTlsRandomSetup;
- sigmatch_table[DETECT_AL_TLS_RANDOM].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;
+ sigmatch_table[DETECT_TLS_RANDOM].url = "/rules/tls-keywords.html#tls-random";
+ sigmatch_table[DETECT_TLS_RANDOM].Setup = DetectTlsRandomSetup;
+ sigmatch_table[DETECT_TLS_RANDOM].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;
/* Register engine for Server random */
DetectAppLayerInspectEngineRegister("tls.random", ALPROTO_TLS, SIG_FLAG_TOSERVER, 0,
*/
void DetectTlsSniRegister(void)
{
- sigmatch_table[DETECT_AL_TLS_SNI].name = "tls.sni";
- sigmatch_table[DETECT_AL_TLS_SNI].alias = "tls_sni";
- sigmatch_table[DETECT_AL_TLS_SNI].desc =
+ sigmatch_table[DETECT_TLS_SNI].name = "tls.sni";
+ sigmatch_table[DETECT_TLS_SNI].alias = "tls_sni";
+ sigmatch_table[DETECT_TLS_SNI].desc =
"sticky buffer to match specifically and only on the TLS SNI buffer";
- sigmatch_table[DETECT_AL_TLS_SNI].url = "/rules/tls-keywords.html#tls-sni";
- sigmatch_table[DETECT_AL_TLS_SNI].Setup = DetectTlsSniSetup;
- sigmatch_table[DETECT_AL_TLS_SNI].flags |= SIGMATCH_NOOPT;
- sigmatch_table[DETECT_AL_TLS_SNI].flags |= SIGMATCH_INFO_STICKY_BUFFER;
+ sigmatch_table[DETECT_TLS_SNI].url = "/rules/tls-keywords.html#tls-sni";
+ sigmatch_table[DETECT_TLS_SNI].Setup = DetectTlsSniSetup;
+ sigmatch_table[DETECT_TLS_SNI].flags |= SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_TLS_SNI].flags |= SIGMATCH_INFO_STICKY_BUFFER;
DetectAppLayerInspectEngineRegister("tls.sni", ALPROTO_TLS, SIG_FLAG_TOSERVER, 0,
DetectEngineInspectBufferGeneric, GetData);
*/
void DetectTlsSubjectAltNameRegister(void)
{
- sigmatch_table[DETECT_AL_TLS_SUBJECTALTNAME].name = "tls.subjectaltname";
- sigmatch_table[DETECT_AL_TLS_SUBJECTALTNAME].desc =
+ sigmatch_table[DETECT_TLS_SUBJECTALTNAME].name = "tls.subjectaltname";
+ sigmatch_table[DETECT_TLS_SUBJECTALTNAME].desc =
"sticky buffer to match the TLS Subject Alternative Name buffer";
- sigmatch_table[DETECT_AL_TLS_SUBJECTALTNAME].url =
- "/rules/tls-keywords.html#tls-subjectaltname";
- sigmatch_table[DETECT_AL_TLS_SUBJECTALTNAME].Setup = DetectTlsSubjectAltNameSetup;
- sigmatch_table[DETECT_AL_TLS_SUBJECTALTNAME].flags |= SIGMATCH_NOOPT;
- sigmatch_table[DETECT_AL_TLS_SUBJECTALTNAME].flags |= SIGMATCH_INFO_STICKY_BUFFER;
+ sigmatch_table[DETECT_TLS_SUBJECTALTNAME].url = "/rules/tls-keywords.html#tls-subjectaltname";
+ sigmatch_table[DETECT_TLS_SUBJECTALTNAME].Setup = DetectTlsSubjectAltNameSetup;
+ sigmatch_table[DETECT_TLS_SUBJECTALTNAME].flags |= SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_TLS_SUBJECTALTNAME].flags |= SIGMATCH_INFO_STICKY_BUFFER;
DetectAppLayerMultiRegister("tls.subjectaltname", ALPROTO_TLS, SIG_FLAG_TOCLIENT, 0,
TlsSubjectAltNameGetData, 2, TLS_STATE_CERT_READY);
*/
void DetectTlsVersionRegister (void)
{
- sigmatch_table[DETECT_AL_TLS_VERSION].name = "tls.version";
- sigmatch_table[DETECT_AL_TLS_VERSION].desc = "match on TLS/SSL version";
- sigmatch_table[DETECT_AL_TLS_VERSION].url = "/rules/tls-keywords.html#tls-version";
- sigmatch_table[DETECT_AL_TLS_VERSION].AppLayerTxMatch = DetectTlsVersionMatch;
- sigmatch_table[DETECT_AL_TLS_VERSION].Setup = DetectTlsVersionSetup;
- sigmatch_table[DETECT_AL_TLS_VERSION].Free = DetectTlsVersionFree;
+ sigmatch_table[DETECT_TLS_VERSION].name = "tls.version";
+ sigmatch_table[DETECT_TLS_VERSION].desc = "match on TLS/SSL version";
+ sigmatch_table[DETECT_TLS_VERSION].url = "/rules/tls-keywords.html#tls-version";
+ sigmatch_table[DETECT_TLS_VERSION].AppLayerTxMatch = DetectTlsVersionMatch;
+ sigmatch_table[DETECT_TLS_VERSION].Setup = DetectTlsVersionSetup;
+ sigmatch_table[DETECT_TLS_VERSION].Free = DetectTlsVersionFree;
#ifdef UNITTESTS
- sigmatch_table[DETECT_AL_TLS_VERSION].RegisterTests = DetectTlsVersionRegisterTests;
+ sigmatch_table[DETECT_TLS_VERSION].RegisterTests = DetectTlsVersionRegisterTests;
#endif
DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
/* Okay so far so good, lets get this into a SigMatch
* and put it in the Signature. */
- if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_TLS_VERSION, (SigMatchCtx *)tls,
- g_tls_generic_list_id) == NULL) {
+ if (SigMatchAppendSMToList(
+ de_ctx, s, DETECT_TLS_VERSION, (SigMatchCtx *)tls, g_tls_generic_list_id) == NULL) {
goto error;
}
*/
void DetectTlsRegister (void)
{
- sigmatch_table[DETECT_AL_TLS_SUBJECT].name = "tls.subject";
- sigmatch_table[DETECT_AL_TLS_SUBJECT].desc = "match TLS/SSL certificate Subject field";
- sigmatch_table[DETECT_AL_TLS_SUBJECT].url = "/rules/tls-keywords.html#tls-subject";
- sigmatch_table[DETECT_AL_TLS_SUBJECT].AppLayerTxMatch = DetectTlsSubjectMatch;
- sigmatch_table[DETECT_AL_TLS_SUBJECT].Setup = DetectTlsSubjectSetup;
- sigmatch_table[DETECT_AL_TLS_SUBJECT].Free = DetectTlsSubjectFree;
- sigmatch_table[DETECT_AL_TLS_SUBJECT].flags = SIGMATCH_QUOTES_MANDATORY|SIGMATCH_HANDLE_NEGATION;
- sigmatch_table[DETECT_AL_TLS_SUBJECT].alternative = DETECT_AL_TLS_CERT_SUBJECT;
-
- sigmatch_table[DETECT_AL_TLS_ISSUERDN].name = "tls.issuerdn";
- sigmatch_table[DETECT_AL_TLS_ISSUERDN].desc = "match TLS/SSL certificate IssuerDN field";
- sigmatch_table[DETECT_AL_TLS_ISSUERDN].url = "/rules/tls-keywords.html#tls-issuerdn";
- sigmatch_table[DETECT_AL_TLS_ISSUERDN].AppLayerTxMatch = DetectTlsIssuerDNMatch;
- sigmatch_table[DETECT_AL_TLS_ISSUERDN].Setup = DetectTlsIssuerDNSetup;
- sigmatch_table[DETECT_AL_TLS_ISSUERDN].Free = DetectTlsIssuerDNFree;
- sigmatch_table[DETECT_AL_TLS_ISSUERDN].flags = SIGMATCH_QUOTES_MANDATORY|SIGMATCH_HANDLE_NEGATION;
- sigmatch_table[DETECT_AL_TLS_ISSUERDN].alternative = DETECT_AL_TLS_CERT_ISSUER;
-
- sigmatch_table[DETECT_AL_TLS_FINGERPRINT].name = "tls.fingerprint";
- sigmatch_table[DETECT_AL_TLS_FINGERPRINT].desc = "match TLS/SSL certificate SHA1 fingerprint";
- sigmatch_table[DETECT_AL_TLS_FINGERPRINT].url = "/rules/tls-keywords.html#tls-fingerprint";
- sigmatch_table[DETECT_AL_TLS_FINGERPRINT].Setup = DetectTlsFingerprintSetup;
- sigmatch_table[DETECT_AL_TLS_FINGERPRINT].Free = DetectTlsFingerprintFree;
- sigmatch_table[DETECT_AL_TLS_FINGERPRINT].flags = SIGMATCH_QUOTES_MANDATORY|SIGMATCH_HANDLE_NEGATION;
- sigmatch_table[DETECT_AL_TLS_FINGERPRINT].alternative = DETECT_AL_TLS_CERT_FINGERPRINT;
-
- sigmatch_table[DETECT_AL_TLS_STORE].name = "tls_store";
- sigmatch_table[DETECT_AL_TLS_STORE].alias = "tls.store";
- sigmatch_table[DETECT_AL_TLS_STORE].desc = "store TLS/SSL certificate on disk";
- sigmatch_table[DETECT_AL_TLS_STORE].url = "/rules/tls-keywords.html#tls-store";
- sigmatch_table[DETECT_AL_TLS_STORE].Match = DetectTlsStorePostMatch;
- sigmatch_table[DETECT_AL_TLS_STORE].Setup = DetectTlsStoreSetup;
- sigmatch_table[DETECT_AL_TLS_STORE].flags |= SIGMATCH_NOOPT;
+ sigmatch_table[DETECT_TLS_SUBJECT].name = "tls.subject";
+ sigmatch_table[DETECT_TLS_SUBJECT].desc = "match TLS/SSL certificate Subject field";
+ sigmatch_table[DETECT_TLS_SUBJECT].url = "/rules/tls-keywords.html#tls-subject";
+ sigmatch_table[DETECT_TLS_SUBJECT].AppLayerTxMatch = DetectTlsSubjectMatch;
+ sigmatch_table[DETECT_TLS_SUBJECT].Setup = DetectTlsSubjectSetup;
+ sigmatch_table[DETECT_TLS_SUBJECT].Free = DetectTlsSubjectFree;
+ sigmatch_table[DETECT_TLS_SUBJECT].flags = SIGMATCH_QUOTES_MANDATORY | SIGMATCH_HANDLE_NEGATION;
+ sigmatch_table[DETECT_TLS_SUBJECT].alternative = DETECT_TLS_CERT_SUBJECT;
+
+ sigmatch_table[DETECT_TLS_ISSUERDN].name = "tls.issuerdn";
+ sigmatch_table[DETECT_TLS_ISSUERDN].desc = "match TLS/SSL certificate IssuerDN field";
+ sigmatch_table[DETECT_TLS_ISSUERDN].url = "/rules/tls-keywords.html#tls-issuerdn";
+ sigmatch_table[DETECT_TLS_ISSUERDN].AppLayerTxMatch = DetectTlsIssuerDNMatch;
+ sigmatch_table[DETECT_TLS_ISSUERDN].Setup = DetectTlsIssuerDNSetup;
+ sigmatch_table[DETECT_TLS_ISSUERDN].Free = DetectTlsIssuerDNFree;
+ sigmatch_table[DETECT_TLS_ISSUERDN].flags =
+ SIGMATCH_QUOTES_MANDATORY | SIGMATCH_HANDLE_NEGATION;
+ sigmatch_table[DETECT_TLS_ISSUERDN].alternative = DETECT_TLS_CERT_ISSUER;
+
+ sigmatch_table[DETECT_TLS_FINGERPRINT].name = "tls.fingerprint";
+ sigmatch_table[DETECT_TLS_FINGERPRINT].desc = "match TLS/SSL certificate SHA1 fingerprint";
+ sigmatch_table[DETECT_TLS_FINGERPRINT].url = "/rules/tls-keywords.html#tls-fingerprint";
+ sigmatch_table[DETECT_TLS_FINGERPRINT].Setup = DetectTlsFingerprintSetup;
+ sigmatch_table[DETECT_TLS_FINGERPRINT].Free = DetectTlsFingerprintFree;
+ sigmatch_table[DETECT_TLS_FINGERPRINT].flags =
+ SIGMATCH_QUOTES_MANDATORY | SIGMATCH_HANDLE_NEGATION;
+ sigmatch_table[DETECT_TLS_FINGERPRINT].alternative = DETECT_TLS_CERT_FINGERPRINT;
+
+ sigmatch_table[DETECT_TLS_STORE].name = "tls_store";
+ sigmatch_table[DETECT_TLS_STORE].alias = "tls.store";
+ sigmatch_table[DETECT_TLS_STORE].desc = "store TLS/SSL certificate on disk";
+ sigmatch_table[DETECT_TLS_STORE].url = "/rules/tls-keywords.html#tls-store";
+ sigmatch_table[DETECT_TLS_STORE].Match = DetectTlsStorePostMatch;
+ sigmatch_table[DETECT_TLS_STORE].Setup = DetectTlsStoreSetup;
+ sigmatch_table[DETECT_TLS_STORE].flags |= SIGMATCH_NOOPT;
DetectSetupParseRegexes(PARSE_REGEX, &subject_parse_regex);
DetectSetupParseRegexes(PARSE_REGEX, &issuerdn_parse_regex);
* and put it in the Signature. */
if (SigMatchAppendSMToList(
- de_ctx, s, DETECT_AL_TLS_SUBJECT, (SigMatchCtx *)tls, g_tls_cert_list_id) == NULL) {
+ de_ctx, s, DETECT_TLS_SUBJECT, (SigMatchCtx *)tls, g_tls_cert_list_id) == NULL) {
goto error;
}
return 0;
/* Okay so far so good, lets get this into a SigMatch
* and put it in the Signature. */
- if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_TLS_ISSUERDN, (SigMatchCtx *)tls,
- g_tls_cert_list_id) == NULL) {
+ if (SigMatchAppendSMToList(
+ de_ctx, s, DETECT_TLS_ISSUERDN, (SigMatchCtx *)tls, g_tls_cert_list_id) == NULL) {
goto error;
}
return 0;
return -1;
}
- if (DetectEngineContentModifierBufferSetup(de_ctx, s, NULL, DETECT_AL_TLS_CERT_FINGERPRINT,
+ if (DetectEngineContentModifierBufferSetup(de_ctx, s, NULL, DETECT_TLS_CERT_FINGERPRINT,
g_tls_cert_fingerprint_list_id, ALPROTO_TLS) < 0)
return -1;
s->flags |= SIG_FLAG_TLSSTORE;
- if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_TLS_STORE, NULL, DETECT_SM_LIST_POSTMATCH) ==
+ if (SigMatchAppendSMToList(de_ctx, s, DETECT_TLS_STORE, NULL, DETECT_SM_LIST_POSTMATCH) ==
NULL) {
return -1;
}
void DetectUrilenRegister(void)
{
- sigmatch_table[DETECT_AL_URILEN].name = "urilen";
- sigmatch_table[DETECT_AL_URILEN].desc = "match on the length of the HTTP uri";
- sigmatch_table[DETECT_AL_URILEN].url = "/rules/http-keywords.html#urilen";
- sigmatch_table[DETECT_AL_URILEN].Match = NULL;
- sigmatch_table[DETECT_AL_URILEN].Setup = DetectUrilenSetup;
- sigmatch_table[DETECT_AL_URILEN].Free = DetectUrilenFree;
+ sigmatch_table[DETECT_URILEN].name = "urilen";
+ sigmatch_table[DETECT_URILEN].desc = "match on the length of the HTTP uri";
+ sigmatch_table[DETECT_URILEN].url = "/rules/http-keywords.html#urilen";
+ sigmatch_table[DETECT_URILEN].Match = NULL;
+ sigmatch_table[DETECT_URILEN].Setup = DetectUrilenSetup;
+ sigmatch_table[DETECT_URILEN].Free = DetectUrilenFree;
#ifdef UNITTESTS
- sigmatch_table[DETECT_AL_URILEN].RegisterTests = DetectUrilenRegisterTests;
+ sigmatch_table[DETECT_URILEN].RegisterTests = DetectUrilenRegisterTests;
#endif
g_http_uri_buffer_id = DetectBufferTypeRegister("http_uri");
goto error;
if (urilend->raw_buffer) {
- if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_URILEN, (SigMatchCtx *)urilend,
+ if (SigMatchAppendSMToList(de_ctx, s, DETECT_URILEN, (SigMatchCtx *)urilend,
g_http_raw_uri_buffer_id) == NULL) {
goto error;
}
} else {
- if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_URILEN, (SigMatchCtx *)urilend,
+ if (SigMatchAppendSMToList(de_ctx, s, DETECT_URILEN, (SigMatchCtx *)urilend,
g_http_uri_buffer_id) == NULL) {
goto error;
}
bool found = false;
for (SigMatch *sm = s->init_data->buffers[x].head; sm != NULL; sm = sm->next) {
- if (sm->type != DETECT_AL_URILEN)
+ if (sm->type != DETECT_URILEN)
continue;
DetectUrilenData *dd = (DetectUrilenData *)sm->ctx;
projects / thirdparty / suricata.git / commitdiff
