From: Philippe Antoine Date: Tue, 22 Apr 2025 12:31:47 +0000 (+0200) Subject: detect/multi-buf: helper with more explicit direction X-Git-Tag: suricata-8.0.0-rc1~422 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=808f8a877a6e5fae2ca9d85098bcdac0dd5de57b;p=thirdparty%2Fsuricata.git detect/multi-buf: helper with more explicit direction --- diff --git a/rust/src/detect/mod.rs b/rust/src/detect/mod.rs index a79aee9b75..6623f03cd5 100644 --- a/rust/src/detect/mod.rs +++ b/rust/src/detect/mod.rs @@ -182,8 +182,7 @@ extern "C" { ) -> *mut c_void; // in detect-engine-helper.h pub fn DetectHelperMultiBufferMpmRegister( - name: *const libc::c_char, desc: *const libc::c_char, alproto: AppProto, toclient: bool, - toserver: bool, + name: *const libc::c_char, desc: *const libc::c_char, alproto: AppProto, dir: u8, get_multi_data: unsafe extern "C" fn( *mut DetectEngineThreadCtx, *const c_void, @@ -194,8 +193,7 @@ extern "C" { ) -> bool, ) -> c_int; pub fn DetectHelperMultiBufferProgressMpmRegister( - name: *const libc::c_char, desc: *const libc::c_char, alproto: AppProto, toclient: bool, - toserver: bool, + name: *const libc::c_char, desc: *const libc::c_char, alproto: AppProto, dir: u8, get_multi_data: unsafe extern "C" fn( *mut DetectEngineThreadCtx, *const c_void, diff --git a/rust/src/dns/detect.rs b/rust/src/dns/detect.rs index c750b85599..b30bc496a8 100644 --- a/rust/src/dns/detect.rs +++ b/rust/src/dns/detect.rs @@ -16,7 +16,7 @@ */ use super::dns::{DNSRcode, DNSRecordType, DNSTransaction, ALPROTO_DNS}; -use crate::core::DetectEngineThreadCtx; +use crate::core::{DetectEngineThreadCtx, STREAM_TOCLIENT, STREAM_TOSERVER}; use crate::detect::uint::{ detect_match_uint, detect_parse_uint_enum, DetectUintData, SCDetectU16Free, SCDetectU8Free, SCDetectU8Parse, 
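Review bot: The new `dir: u8` parameter in both extern declarations in rust/src/detect/mod.rs (`DetectHelperMultiBufferMpmRegister` and `DetectHelperMultiBufferProgressMpmRegister`) has no comment saying which values it accepts, and it is named `dir` while the C prototype later in this patch calls it `direction`. These declarations are kept in sync with the C header by hand, so the parameter name and a comment are all a Rust caller has to go on. I would rename it to `direction` and add a line above each declaration such as `// direction: STREAM_TOSERVER, STREAM_TOCLIENT, or both OR-ed together`. The `extern "C"` block starts and ends outside these hunks.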
@@ -333,10 +333,9 @@ pub unsafe extern "C" fn SCDetectDNSRegister() { b"dns.answer.name\0".as_ptr() as *const libc::c_char, b"dns answer name\0".as_ptr() as *const libc::c_char, ALPROTO_DNS, - true, + STREAM_TOSERVER | STREAM_TOCLIENT, /* Register also in the TO_SERVER direction, even though this is not normal, it could be provided as part of a request. */ - true, dns_tx_get_answer_name, 1, // response complete ); @@ -367,10 +366,9 @@ pub unsafe extern "C" fn SCDetectDNSRegister() { b"dns.query.name\0".as_ptr() as *const libc::c_char, b"dns query name\0".as_ptr() as *const libc::c_char, ALPROTO_DNS, - true, + STREAM_TOSERVER | STREAM_TOCLIENT, /* Register in both directions as the query is usually echoed back in the response. */ - true, dns_tx_get_query_name, 1, // request or response complete ); @@ -421,8 +419,7 @@ pub unsafe extern "C" fn SCDetectDNSRegister() { b"dns_query\0".as_ptr() as *const libc::c_char, b"dns request query\0".as_ptr() as *const libc::c_char, ALPROTO_DNS, - false, // only toserver - true, + STREAM_TOSERVER, dns_tx_get_query, // reuse, will be called only toserver 1, // request complete ); diff --git a/rust/src/ldap/detect.rs b/rust/src/ldap/detect.rs index a5fdb03009..9ac843893f 100644 --- a/rust/src/ldap/detect.rs +++ b/rust/src/ldap/detect.rs @@ -16,7 +16,7 @@ */ use super::ldap::{LdapTransaction, ALPROTO_LDAP}; -use crate::core::DetectEngineThreadCtx; +use crate::core::{DetectEngineThreadCtx, STREAM_TOCLIENT, STREAM_TOSERVER}; use crate::detect::uint::{ detect_match_uint, detect_parse_uint_enum, DetectUintData, SCDetectU32Free, SCDetectU32Parse, SCDetectU8Free, @@ -707,8 +707,7 @@ pub unsafe extern "C" fn SCDetectLdapRegister() { b"ldap.responses.dn\0".as_ptr() as *const libc::c_char, b"LDAP RESPONSES DISTINGUISHED_NAME\0".as_ptr() as *const libc::c_char, ALPROTO_LDAP, - true, //to client - false, //to server + STREAM_TOCLIENT, ldap_tx_get_responses_dn, ); let kw = SCSigTableAppLiteElmt { 
@@ -739,8 +738,7 @@ pub unsafe extern "C" fn SCDetectLdapRegister() { b"ldap.responses.message\0".as_ptr() as *const libc::c_char, b"LDAP RESPONSES DISTINGUISHED_NAME\0".as_ptr() as *const libc::c_char, ALPROTO_LDAP, - true, //to client - false, //to server + STREAM_TOCLIENT, ldap_tx_get_responses_msg, ); let kw = SigTableElmtStickyBuffer { @@ -754,8 +752,7 @@ pub unsafe extern "C" fn SCDetectLdapRegister() { b"ldap.request.attribute_type\0".as_ptr() as *const libc::c_char, b"LDAP REQUEST ATTRIBUTE TYPE\0".as_ptr() as *const libc::c_char, ALPROTO_LDAP, - false, //to client - true, //to server + STREAM_TOSERVER, ldap_tx_get_req_attribute_type, ); let kw = SigTableElmtStickyBuffer { @@ -769,8 +766,7 @@ pub unsafe extern "C" fn SCDetectLdapRegister() { b"ldap.responses.attribute_type\0".as_ptr() as *const libc::c_char, b"LDAP RESPONSES ATTRIBUTE TYPE\0".as_ptr() as *const libc::c_char, ALPROTO_LDAP, - true, //to client - false, //to server + STREAM_TOCLIENT, ldap_tx_get_resp_attribute_type, ); } diff --git a/rust/src/mqtt/detect.rs b/rust/src/mqtt/detect.rs index 7b05042235..500300da75 100644 --- a/rust/src/mqtt/detect.rs +++ b/rust/src/mqtt/detect.rs @@ -17,7 +17,7 @@ // written by Sascha Steinbiss -use crate::core::DetectEngineThreadCtx; +use crate::core::{DetectEngineThreadCtx, STREAM_TOSERVER}; use crate::detect::uint::{ detect_match_uint, detect_parse_uint, detect_parse_uint_enum, DetectUintData, DetectUintMode, SCDetectU8Free, SCDetectU8Parse, @@ -1090,8 +1090,7 @@ pub unsafe extern "C" fn SCDetectMqttRegister() { keyword_name, b"unsubscribe topic query\0".as_ptr() as *const libc::c_char, ALPROTO_MQTT, - false, // only to server - true, + STREAM_TOSERVER, unsub_topic_get_data, ); @@ -1131,8 +1130,7 @@ pub unsafe extern "C" fn SCDetectMqttRegister() { keyword_name, b"subscribe topic query\0".as_ptr() as *const libc::c_char, ALPROTO_MQTT, - false, // only to server - true, + STREAM_TOSERVER, sub_topic_get_data, ); 
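Review bot: In the `ldap.responses.message` registration (hunk at -739 in rust/src/ldap/detect.rs) the description on the context line is still `LDAP RESPONSES DISTINGUISHED_NAME`, the same text the previous hunk passes for `ldap.responses.dn`, which looks like a copy-paste leftover. Since this call is being edited anyway, consider changing it to something like `b"LDAP RESPONSES MESSAGE\0".as_ptr() as *const libc::c_char`. Where the description is surfaced is not visible here, so the effect may be limited to listings or debug output. The body of `SCDetectLdapRegister` starts and ends outside the hunk.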
diff --git a/rust/src/sdp/detect.rs b/rust/src/sdp/detect.rs index b505b68625..e26b3bf3eb 100644 --- a/rust/src/sdp/detect.rs +++ b/rust/src/sdp/detect.rs @@ -17,7 +17,7 @@ // written by Giuseppe Longo -use crate::core::DetectEngineThreadCtx; +use crate::core::{DetectEngineThreadCtx, STREAM_TOCLIENT, STREAM_TOSERVER}; use crate::detect::{ helper_keyword_register_sticky_buffer, DetectBufferSetActiveList, DetectHelperBufferMpmRegister, DetectHelperGetData, DetectHelperMultiBufferMpmRegister, @@ -886,8 +886,7 @@ pub unsafe extern "C" fn SCDetectSdpRegister() { b"sdp.bandwidth\0".as_ptr() as *const libc::c_char, b"sdp.bandwidth\0".as_ptr() as *const libc::c_char, ALPROTO_SIP, - true, - true, +STREAM_TOSERVER | STREAM_TOCLIENT, sip_bandwidth_get_data, ); let kw = SigTableElmtStickyBuffer { @@ -901,8 +900,7 @@ pub unsafe extern "C" fn SCDetectSdpRegister() { b"sdp.time\0".as_ptr() as *const libc::c_char, b"sdp.time\0".as_ptr() as *const libc::c_char, ALPROTO_SIP, - true, - true, +STREAM_TOSERVER | STREAM_TOCLIENT, sdp_time_get_data, ); let kw = SigTableElmtStickyBuffer { @@ -916,8 +914,7 @@ pub unsafe extern "C" fn SCDetectSdpRegister() { b"sdp.repeat_time\0".as_ptr() as *const libc::c_char, b"sdp.repeat_time\0".as_ptr() as *const libc::c_char, ALPROTO_SIP, - true, - true, +STREAM_TOSERVER | STREAM_TOCLIENT, sdp_repeat_time_get_data, ); let kw = SigTableElmtStickyBuffer { @@ -961,8 +958,7 @@ pub unsafe extern "C" fn SCDetectSdpRegister() { b"sdp.attribute\0".as_ptr() as *const libc::c_char, b"sdp.attribute\0".as_ptr() as *const libc::c_char, ALPROTO_SIP, - true, - true, +STREAM_TOSERVER | STREAM_TOCLIENT, sip_attribute_get_data, ); let kw = SigTableElmtStickyBuffer { 
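Review bot: The added argument lines in the rust/src/sdp/detect.rs hunks appear to start at column 0 (`+STREAM_TOSERVER | STREAM_TOCLIENT,` directly after the marker), whereas the same addition in the dns, ldap, mqtt and sip files is indented with the neighbouring arguments. If the file really reads that way and this is not an artifact of how the page was rendered, running rustfmt over the file would align these lines with the rest of each call. This applies to every `DetectHelperMultiBufferMpmRegister` call changed in this file, including the four sdp hunks that follow.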
@@ -978,8 +974,7 @@ pub unsafe extern "C" fn SCDetectSdpRegister() { b"sdp.media.media\0".as_ptr() as *const libc::c_char, b"sdp.media.media\0".as_ptr() as *const libc::c_char, ALPROTO_SIP, - true, - true, +STREAM_TOSERVER | STREAM_TOCLIENT, sip_media_desc_media_get_data, ); let kw = SigTableElmtStickyBuffer { @@ -993,8 +988,7 @@ pub unsafe extern "C" fn SCDetectSdpRegister() { b"sdp.media.media_info\0".as_ptr() as *const libc::c_char, b"sdp.media.media_info\0".as_ptr() as *const libc::c_char, ALPROTO_SIP, - true, - true, +STREAM_TOSERVER | STREAM_TOCLIENT, sip_media_desc_session_info_get_data, ); let kw = SigTableElmtStickyBuffer { @@ -1008,8 +1002,7 @@ pub unsafe extern "C" fn SCDetectSdpRegister() { b"sdp.media.connection_data\0".as_ptr() as *const libc::c_char, b"sdp.media.connection_data\0".as_ptr() as *const libc::c_char, ALPROTO_SIP, - true, - true, +STREAM_TOSERVER | STREAM_TOCLIENT, sip_media_desc_connection_data_get_data, ); let kw = SigTableElmtStickyBuffer { @@ -1023,8 +1016,7 @@ pub unsafe extern "C" fn SCDetectSdpRegister() { b"sdp.media.encryption_key\0".as_ptr() as *const libc::c_char, b"sdp.media.encryption_key\0".as_ptr() as *const libc::c_char, ALPROTO_SIP, - true, - true, +STREAM_TOSERVER | STREAM_TOCLIENT, sip_media_desc_encryption_key_get_data, ); } diff --git a/rust/src/sip/detect.rs b/rust/src/sip/detect.rs index c1b6e7b56f..371f517d0c 100644 --- a/rust/src/sip/detect.rs +++ b/rust/src/sip/detect.rs @@ -17,7 +17,7 @@ // written by Giuseppe Longo -use crate::core::DetectEngineThreadCtx; +use crate::core::{DetectEngineThreadCtx, STREAM_TOCLIENT, STREAM_TOSERVER}; use crate::detect::{ helper_keyword_register_sticky_buffer, DetectBufferSetActiveList, DetectHelperBufferMpmRegister, DetectHelperGetData, DetectHelperMultiBufferMpmRegister, 
@@ -576,8 +576,7 @@ pub unsafe extern "C" fn SCDetectSipRegister() { b"sip.from\0".as_ptr() as *const libc::c_char, b"sip.from\0".as_ptr() as *const libc::c_char, ALPROTO_SIP, - true, - true, + STREAM_TOSERVER | STREAM_TOCLIENT, sip_from_hdr_get_data, ); let kw = SigTableElmtStickyBuffer { @@ -591,8 +590,7 @@ pub unsafe extern "C" fn SCDetectSipRegister() { b"sip.to\0".as_ptr() as *const libc::c_char, b"sip.to\0".as_ptr() as *const libc::c_char, ALPROTO_SIP, - true, - true, + STREAM_TOSERVER | STREAM_TOCLIENT, sip_to_hdr_get_data, ); let kw = SigTableElmtStickyBuffer { @@ -606,8 +604,7 @@ pub unsafe extern "C" fn SCDetectSipRegister() { b"sip.via\0".as_ptr() as *const libc::c_char, b"sip.via\0".as_ptr() as *const libc::c_char, ALPROTO_SIP, - true, - true, + STREAM_TOSERVER | STREAM_TOCLIENT, sip_via_hdr_get_data, ); let kw = SigTableElmtStickyBuffer { @@ -621,8 +618,7 @@ pub unsafe extern "C" fn SCDetectSipRegister() { b"sip.ua\0".as_ptr() as *const libc::c_char, b"sip.ua\0".as_ptr() as *const libc::c_char, ALPROTO_SIP, - true, - true, + STREAM_TOSERVER | STREAM_TOCLIENT, sip_ua_hdr_get_data, ); let kw = SigTableElmtStickyBuffer { @@ -636,8 +632,7 @@ pub unsafe extern "C" fn SCDetectSipRegister() { b"sip.content_type\0".as_ptr() as *const libc::c_char, b"sip.content_type\0".as_ptr() as *const libc::c_char, ALPROTO_SIP, - true, - true, + STREAM_TOSERVER | STREAM_TOCLIENT, sip_content_type_hdr_get_data, ); let kw = SigTableElmtStickyBuffer { @@ -651,8 +646,7 @@ pub unsafe extern "C" fn SCDetectSipRegister() { b"sip.content_length\0".as_ptr() as *const libc::c_char, b"sip.content_length\0".as_ptr() as *const libc::c_char, ALPROTO_SIP, - true, - true, + STREAM_TOSERVER | STREAM_TOCLIENT, sip_content_length_hdr_get_data, ); } diff --git a/src/detect-email.c b/src/detect-email.c index 09a721a99a..4f35bb2660 100644 --- a/src/detect-email.c +++ b/src/detect-email.c 
@@ -414,10 +414,8 @@ void DetectEmailRegister(void) kw.Setup = (int (*)(void *, void *, const char *))DetectMimeEmailUrlSetup; kw.flags = SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER; DetectHelperKeywordRegister(&kw); - g_mime_email_url_buffer_id = - DetectHelperMultiBufferMpmRegister("email.url", "MIME EMAIL URL", ALPROTO_SMTP, false, - true, // to server - GetMimeEmailUrlData); + g_mime_email_url_buffer_id = DetectHelperMultiBufferMpmRegister( + "email.url", "MIME EMAIL URL", ALPROTO_SMTP, STREAM_TOSERVER, GetMimeEmailUrlData); kw.name = "email.received"; kw.desc = "'Received' field from an email"; @@ -426,7 +424,5 @@ void DetectEmailRegister(void) kw.flags = SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER; DetectHelperKeywordRegister(&kw); g_mime_email_received_buffer_id = DetectHelperMultiBufferMpmRegister("email.received", - "MIME EMAIL RECEIVED", ALPROTO_SMTP, false, - true, // to server - GetMimeEmailReceivedData); + "MIME EMAIL RECEIVED", ALPROTO_SMTP, STREAM_TOSERVER, GetMimeEmailReceivedData); } diff --git a/src/detect-engine-helper.c b/src/detect-engine-helper.c index 58f64dca40..23fa22077d 100644 --- a/src/detect-engine-helper.c +++ b/src/detect-engine-helper.c @@ -81,12 +81,12 @@ int DetectHelperBufferMpmRegister(const char *name, const char *desc, AppProto a } int DetectHelperMultiBufferProgressMpmRegister(const char *name, const char *desc, AppProto alproto, - bool toclient, bool toserver, InspectionMultiBufferGetDataPtr GetData, int progress) + uint8_t direction, InspectionMultiBufferGetDataPtr GetData, int progress) { - if (toserver) { + if (direction & STREAM_TOSERVER) { DetectAppLayerMultiRegister(name, alproto, SIG_FLAG_TOSERVER, progress, GetData, 2); } - if (toclient) { + if (direction & STREAM_TOCLIENT) { DetectAppLayerMultiRegister(name, alproto, SIG_FLAG_TOCLIENT, progress, GetData, 2); } DetectBufferTypeSupportsMultiInstance(name); 
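Review bot: `DetectHelperMultiBufferProgressMpmRegister` in src/detect-engine-helper.c does not check that `direction` contains a direction bit. With neither `STREAM_TOSERVER` nor `STREAM_TOCLIENT` set, both `DetectAppLayerMultiRegister` calls are skipped and the function still goes on to `DetectBufferTypeSupportsMultiInstance(name)`. The old `false, false` could do the same, but a `uint8_t` admits many more such values (0, or any unrelated flag). A buffer registered this way would presumably never be inspected, so rules using the keyword would silently never match. I would reject the value up front, e.g. `if ((direction & (STREAM_TOSERVER | STREAM_TOCLIENT)) == 0) return -1;`, or at least assert it in debug builds; the appropriate error value depends on the rest of the function, which continues outside this hunk. `DetectHelperMultiBufferMpmRegister` in the next hunk forwards `direction` unchanged and would be covered by the same check.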
@@ -95,10 +95,9 @@ int DetectHelperMultiBufferProgressMpmRegister(const char *name, const char *des } int DetectHelperMultiBufferMpmRegister(const char *name, const char *desc, AppProto alproto, - bool toclient, bool toserver, InspectionMultiBufferGetDataPtr GetData) + uint8_t direction, InspectionMultiBufferGetDataPtr GetData) { - return DetectHelperMultiBufferProgressMpmRegister( - name, desc, alproto, toclient, toserver, GetData, 0); + return DetectHelperMultiBufferProgressMpmRegister(name, desc, alproto, direction, GetData, 0); } int SCDetectHelperNewKeywordId(void) diff --git a/src/detect-engine-helper.h b/src/detect-engine-helper.h index 36b1c43694..547b1f2cf4 100644 --- a/src/detect-engine-helper.h +++ b/src/detect-engine-helper.h @@ -42,9 +42,9 @@ InspectionBuffer *DetectHelperGetData(struct DetectEngineThreadCtx_ *det_ctx, int DetectHelperBufferMpmRegister(const char *name, const char *desc, AppProto alproto, bool toclient, bool toserver, InspectionBufferGetDataPtr GetData); int DetectHelperMultiBufferMpmRegister(const char *name, const char *desc, AppProto alproto, - bool toclient, bool toserver, InspectionMultiBufferGetDataPtr GetData); + uint8_t direction, InspectionMultiBufferGetDataPtr GetData); int DetectHelperMultiBufferProgressMpmRegister(const char *name, const char *desc, AppProto alproto, - bool toclient, bool toserver, InspectionMultiBufferGetDataPtr GetData, int progress); + uint8_t direction, InspectionMultiBufferGetDataPtr GetData, int progress); int DetectHelperTransformRegister(const SCTransformTableElmt *kw); const uint8_t *InspectionBufferPtr(InspectionBuffer *buf); diff --git a/src/detect-smtp.c b/src/detect-smtp.c index af07e706ed..1a5aa03b42 100644 --- a/src/detect-smtp.c +++ b/src/detect-smtp.c 
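Review bot: After this change src/detect-engine-helper.h mixes two conventions: `DetectHelperBufferMpmRegister` on the context line still takes `bool toclient, bool toserver`, while the two multi-buffer helpers below it take a `uint8_t direction` mask. The sdp and sip detect files in this patch import both the single-buffer and multi-buffer helpers, so registrations a few lines apart will express direction in two different ways. Either convert the single-buffer helper in a follow-up, or note the difference next to it with something like `/* still takes toclient/toserver booleans, not a STREAM_* mask */`.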
@@ -158,8 +158,6 @@ void SCDetectSMTPRegister(void) kw.Setup = (int (*)(void *, void *, const char *))DetectSmtpRcptToSetup; kw.flags = SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER; DetectHelperKeywordRegister(&kw); - g_smtp_rcpt_to_buffer_id = - DetectHelperMultiBufferMpmRegister("smtp.rcpt_to", "SMTP RCPT TO", ALPROTO_SMTP, false, - true, // to server - GetSmtpRcptToData); + g_smtp_rcpt_to_buffer_id = DetectHelperMultiBufferMpmRegister( + "smtp.rcpt_to", "SMTP RCPT TO", ALPROTO_SMTP, STREAM_TOSERVER, GetSmtpRcptToData); }