From: Victor Julien Date: Sun, 8 Oct 2017 10:37:41 +0000 (+0200) Subject: detect: move keyword registration into own file X-Git-Tag: suricata-4.1.0-beta1~473 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c37432491602bc76ba340b7ba29a34a507b74420;p=thirdparty%2Fsuricata.git detect: move keyword registration into own file
---
diff --git a/src/Makefile.am b/src/Makefile.am
index abd73aef48..0c0c959e70 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -142,6 +142,7 @@ detect-engine-prefilter.c detect-engine-prefilter.h \
 detect-engine-prefilter-common.c detect-engine-prefilter-common.h \
 detect-engine-proto.c detect-engine-proto.h \
 detect-engine-profile.c detect-engine-profile.h \
+detect-engine-register.c detect-engine-register.h \
 detect-engine-siggroup.c detect-engine-siggroup.h \
 detect-engine-sigorder.c detect-engine-sigorder.h \
 detect-engine-state.c detect-engine-state.h \
diff --git a/src/detect-engine-register.c b/src/detect-engine-register.c
new file mode 100644
index 0000000000..f91852d5d2
--- /dev/null
+++ b/src/detect-engine-register.c
@@ -0,0 +1,503 @@
+/* Copyright (C) 2007-2017 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Victor Julien
+ */
+
+#include "suricata-common.h"
+#include "suricata.h"
+#include "debug.h"
+#include "detect.h"
+#include "flow.h"
+#include "flow-private.h"
+#include "flow-bit.h"
+
+#include "detect-parse.h"
+#include "detect-engine.h"
+#include "detect-engine-profile.h"
+
+#include "detect-engine-alert.h"
+#include "detect-engine-siggroup.h"
+#include "detect-engine-address.h"
+#include "detect-engine-proto.h"
+#include "detect-engine-port.h"
+#include "detect-engine-mpm.h"
+#include "detect-engine-iponly.h"
+#include "detect-engine-threshold.h"
+#include "detect-engine-prefilter.h"
+
+#include "detect-engine-payload.h"
+#include "detect-engine-dcepayload.h"
+#include "detect-engine-uri.h"
+#include "detect-dns-query.h"
+#include "detect-tls-sni.h"
+#include "detect-tls-cert-fingerprint.h"
+#include "detect-tls-cert-issuer.h"
+#include "detect-tls-cert-subject.h"
+#include "detect-tls-cert-serial.h"
+#include "detect-engine-state.h"
+#include "detect-engine-analyzer.h"
+#include "detect-engine-filedata-smtp.h"
+
+#include "detect-http-cookie.h"
+#include "detect-http-method.h"
+#include "detect-http-ua.h"
+#include "detect-http-hh.h"
+#include "detect-http-hrh.h"
+
+#include "detect-nfs-procedure.h"
+#include "detect-nfs-version.h"
+
+#include "detect-engine-event.h"
+#include "decode.h"
+
+#include "detect-base64-decode.h"
+#include "detect-base64-data.h"
+#include "detect-ipopts.h"
+#include "detect-flags.h"
+#include "detect-fragbits.h"
+#include "detect-fragoffset.h"
+#include "detect-gid.h"
+#include "detect-ack.h"
+#include "detect-seq.h"
+#include "detect-content.h"
+#include "detect-uricontent.h"
+#include "detect-pcre.h"
+#include "detect-depth.h"
+#include "detect-nocase.h"
+#include "detect-rawbytes.h"
+#include "detect-bytetest.h"
+#include "detect-bytejump.h"
+#include "detect-sameip.h"
+#include "detect-l3proto.h"
+#include "detect-ipproto.h"
+#include "detect-within.h"
+#include "detect-distance.h"
+#include "detect-offset.h"
+#include "detect-sid.h"
+#include "detect-prefilter.h"
+#include "detect-priority.h"
+#include "detect-classtype.h"
+#include "detect-reference.h"
+#include "detect-tag.h"
+#include "detect-threshold.h"
+#include "detect-metadata.h"
+#include "detect-msg.h"
+#include "detect-rev.h"
+#include "detect-flow.h"
+#include "detect-window.h"
+#include "detect-ftpbounce.h"
+#include "detect-isdataat.h"
+#include "detect-id.h"
+#include "detect-rpc.h"
+#include "detect-asn1.h"
+#include "detect-filename.h"
+#include "detect-fileext.h"
+#include "detect-filestore.h"
+#include "detect-filemagic.h"
+#include "detect-filemd5.h"
+#include "detect-filesha1.h"
+#include "detect-filesha256.h"
+#include "detect-filesize.h"
+#include "detect-dsize.h"
+#include "detect-flowvar.h"
+#include "detect-flowint.h"
+#include "detect-pktvar.h"
+#include "detect-noalert.h"
+#include "detect-flowbits.h"
+#include "detect-hostbits.h"
+#include "detect-xbits.h"
+#include "detect-csum.h"
+#include "detect-stream_size.h"
+#include "detect-engine-sigorder.h"
+#include "detect-ttl.h"
+#include "detect-fast-pattern.h"
+#include "detect-itype.h"
+#include "detect-icode.h"
+#include "detect-icmp-id.h"
+#include "detect-icmp-seq.h"
+#include "detect-dce-iface.h"
+#include "detect-dce-opnum.h"
+#include "detect-dce-stub-data.h"
+#include "detect-urilen.h"
+#include "detect-detection-filter.h"
+#include "detect-http-client-body.h"
+#include "detect-http-server-body.h"
+#include "detect-http-header.h"
+#include "detect-http-header-names.h"
+#include "detect-http-headers.h"
+#include "detect-http-raw-header.h"
+#include "detect-http-uri.h"
+#include "detect-http-protocol.h"
+#include "detect-http-start.h"
+#include "detect-http-raw-uri.h"
+#include "detect-http-stat-msg.h"
+#include "detect-http-request-line.h"
+#include "detect-http-response-line.h"
+#include "detect-engine-hcbd.h"
+#include "detect-engine-hsbd.h"
+#include "detect-engine-hrhd.h"
+#include "detect-engine-hmd.h"
+#include "detect-engine-hcd.h"
+#include "detect-engine-hrud.h"
+#include "detect-engine-hsmd.h"
+#include "detect-engine-hscd.h"
+#include "detect-engine-hua.h"
+#include "detect-engine-hhhd.h"
+#include "detect-engine-hrhhd.h"
+#include "detect-byte-extract.h"
+#include "detect-file-data.h"
+#include "detect-pkt-data.h"
+#include "detect-replace.h"
+#include "detect-tos.h"
+#include "detect-app-layer-event.h"
+#include "detect-lua.h"
+#include "detect-iprep.h"
+#include "detect-geoip.h"
+#include "detect-app-layer-protocol.h"
+#include "detect-template.h"
+#include "detect-target.h"
+#include "detect-template-buffer.h"
+#include "detect-bypass.h"
+#include "detect-engine-content-inspection.h"
+
+#include "util-rule-vars.h"
+
+#include "app-layer.h"
+#include "app-layer-protos.h"
+#include "app-layer-htp.h"
+#include "app-layer-smtp.h"
+#include "app-layer-template.h"
+#include "detect-tls.h"
+#include "detect-tls-cert-validity.h"
+#include "detect-tls-version.h"
+#include "detect-ssh-proto.h"
+#include "detect-ssh-proto-version.h"
+#include "detect-ssh-software.h"
+#include "detect-ssh-software-version.h"
+#include "detect-http-stat-code.h"
+#include "detect-ssl-version.h"
+#include "detect-ssl-state.h"
+#include "detect-modbus.h"
+#include "detect-cipservice.h"
+#include "detect-dnp3.h"
+
+#include "action-globals.h"
+#include "tm-threads.h"
+
+#include "pkt-var.h"
+
+#include "conf.h"
+#include "conf-yaml-loader.h"
+
+#include "stream-tcp.h"
+#include "stream-tcp-inline.h"
+
+#include "util-lua.h"
+#include "util-var-name.h"
+#include "util-classification-config.h"
+#include "util-threshold-config.h"
+#include "util-print.h"
+#include "util-unittest.h"
+#include "util-unittest-helper.h"
+#include "util-debug.h"
+#include "util-hashlist.h"
+#include "util-cuda.h"
+#include "util-privs.h"
+#include "util-profiling.h"
+#include "util-validate.h"
+#include "util-optimize.h"
+#include "util-path.h"
+#include "util-mpm-ac.h"
+#include "runmodes.h"
+
+static void PrintFeatureList(const SigTableElmt *e, char sep)
+{
+ const uint8_t flags = e->flags;
+
+ int prev = 0;
+ if (flags & SIGMATCH_NOOPT) {
+ printf("No option");
+ prev = 1;
+ }
+ if (flags & SIGMATCH_IPONLY_COMPAT) {
+ if (prev == 1)
+ printf("%c", sep);
+ printf("compatible with IP only rule");
+ prev = 1;
+ }
+ if (flags & SIGMATCH_DEONLY_COMPAT) {
+ if (prev == 1)
+ printf("%c", sep);
+ printf("compatible with decoder event only rule");
+ prev = 1;
+ }
+ if (e->SupportsPrefilter) {
+ if (prev == 1)
+ printf("%c", sep);
+ printf("prefilter");
+ prev = 1;
+ }
+ if (prev == 0) {
+ printf("none");
+ }
+}
+
+static void SigMultilinePrint(int i, const char *prefix)
+{
+ if (sigmatch_table[i].desc) {
+ printf("%sDescription: %s\n", prefix, sigmatch_table[i].desc);
+ }
+ printf("%sFeatures: ", prefix);
+ PrintFeatureList(&sigmatch_table[i], ',');
+ if (sigmatch_table[i].url) {
+ printf("\n%sDocumentation: %s", prefix, sigmatch_table[i].url);
+ }
+ printf("\n");
+}
+
+void SigTableList(const char *keyword)
+{
+ size_t size = sizeof(sigmatch_table) / sizeof(SigTableElmt);
+ size_t i;
+
+ if (keyword == NULL) {
+ printf("=====Supported keywords=====\n");
+ for (i = 0; i < size; i++) {
+ if (sigmatch_table[i].name != NULL) {
+ if (sigmatch_table[i].flags & SIGMATCH_NOT_BUILT) {
+ printf("- %s (not built-in)\n", sigmatch_table[i].name);
+ } else {
+ printf("- %s\n", sigmatch_table[i].name);
+ }
+ }
+ }
+ } else if (strcmp("csv", keyword) == 0) {
+ printf("name;description;app layer;features;documentation\n");
+ for (i = 0; i < size; i++) {
+ if (sigmatch_table[i].name != NULL) {
+ if (sigmatch_table[i].flags & SIGMATCH_NOT_BUILT) {
+ continue;
+ }
+ printf("%s;", sigmatch_table[i].name);
+ if (sigmatch_table[i].desc) {
+ printf("%s", sigmatch_table[i].desc);
+ }
+ /* Build feature */
+ printf(";Unset;"); // this used to be alproto
+ PrintFeatureList(&sigmatch_table[i], ':');
+ printf(";");
+ if (sigmatch_table[i].url) {
+ printf("%s", sigmatch_table[i].url);
+ }
+ printf(";");
+ printf("\n");
+ }
+ }
+ } else if (strcmp("all", keyword) == 0) {
+ for (i = 0; i < size; i++) {
+ if (sigmatch_table[i].name != NULL) {
+ printf("%s:\n", sigmatch_table[i].name);
+ SigMultilinePrint(i, "\t");
+ }
+ }
+ } else {
+ for (i = 0; i < size; i++) {
+ if ((sigmatch_table[i].name != NULL) &&
+ strcmp(sigmatch_table[i].name, keyword) == 0) {
+ printf("= %s =\n", sigmatch_table[i].name);
+ if (sigmatch_table[i].flags & SIGMATCH_NOT_BUILT) {
+ printf("Not built-in\n");
+ return;
+ }
+ SigMultilinePrint(i, "");
+ return;
+ }
+ }
+ }
+ return;
+}
+
+void SigTableSetup(void)
+{
+ memset(sigmatch_table, 0, sizeof(sigmatch_table));
+
+ DetectSidRegister();
+ DetectPriorityRegister();
+ DetectPrefilterRegister();
+ DetectRevRegister();
+ DetectClasstypeRegister();
+ DetectReferenceRegister();
+ DetectTagRegister();
+ DetectThresholdRegister();
+ DetectMetadataRegister();
+ DetectMsgRegister();
+ DetectAckRegister();
+ DetectSeqRegister();
+ DetectContentRegister();
+ DetectUricontentRegister();
+
+ /* NOTE: the order of these currently affects inspect
+ * engine registration order and ultimately the order
+ * of inspect engines in the rule. Which in turn affects
+ * state keeping */
+ DetectHttpUriRegister();
+ DetectHttpRequestLineRegister();
+ DetectHttpClientBodyRegister();
+ DetectHttpResponseLineRegister();
+ DetectHttpServerBodyRegister();
+ DetectHttpHeaderRegister();
+ DetectHttpHeaderNamesRegister();
+ DetectHttpHeadersRegister();
+ DetectHttpProtocolRegister();
+ DetectHttpStartRegister();
+ DetectHttpRawHeaderRegister();
+ DetectHttpMethodRegister();
+ DetectHttpCookieRegister();
+ DetectHttpRawUriRegister();
+
+ DetectFilenameRegister();
+ DetectFileextRegister();
+ DetectFilestoreRegister();
+ DetectFilemagicRegister();
+ DetectFileMd5Register();
+ DetectFileSha1Register();
+ DetectFileSha256Register();
+ DetectFilesizeRegister();
+
+ DetectHttpUARegister();
+ DetectHttpHHRegister();
+ DetectHttpHRHRegister();
+
+ DetectHttpStatMsgRegister();
+ DetectHttpStatCodeRegister();
+
+ DetectDnsQueryRegister();
+ DetectModbusRegister();
+ DetectCipServiceRegister();
+ DetectEnipCommandRegister();
+ DetectDNP3Register();
+
+ DetectTlsSniRegister();
+ DetectTlsIssuerRegister();
+ DetectTlsSubjectRegister();
+ DetectTlsSerialRegister();
+ DetectTlsFingerprintRegister();
+
+ DetectAppLayerEventRegister();
+ /* end of order dependent regs */
+
+ DetectPcreRegister();
+ DetectDepthRegister();
+ DetectNocaseRegister();
+ DetectRawbytesRegister();
+ DetectBytetestRegister();
+ DetectBytejumpRegister();
+ DetectSameipRegister();
+ DetectGeoipRegister();
+ DetectL3ProtoRegister();
+ DetectIPProtoRegister();
+ DetectWithinRegister();
+ DetectDistanceRegister();
+ DetectOffsetRegister();
+ DetectReplaceRegister();
+ DetectFlowRegister();
+ DetectWindowRegister();
+ DetectRpcRegister();
+ DetectFtpbounceRegister();
+ DetectIsdataatRegister();
+ DetectIdRegister();
+ DetectDsizeRegister();
+ DetectFlowvarRegister();
+ DetectFlowintRegister();
+ DetectPktvarRegister();
+ DetectNoalertRegister();
+ DetectFlowbitsRegister();
+ DetectHostbitsRegister();
+ DetectXbitsRegister();
+ DetectEngineEventRegister();
+ DetectIpOptsRegister();
+ DetectFlagsRegister();
+ DetectFragBitsRegister();
+ DetectFragOffsetRegister();
+ DetectGidRegister();
+ DetectMarkRegister();
+ DetectCsumRegister();
+ DetectStreamSizeRegister();
+ DetectTtlRegister();
+ DetectTosRegister();
+ DetectFastPatternRegister();
+ DetectITypeRegister();
+ DetectICodeRegister();
+ DetectIcmpIdRegister();
+ DetectIcmpSeqRegister();
+ DetectDceIfaceRegister();
+ DetectDceOpnumRegister();
+ DetectDceStubDataRegister();
+ DetectTlsRegister();
+ DetectTlsValidityRegister();
+ DetectTlsVersionRegister();
+ DetectNfsProcedureRegister();
+ DetectNfsVersionRegister();
+ DetectUrilenRegister();
+ DetectDetectionFilterRegister();
+ DetectAsn1Register();
+ DetectSshProtocolRegister();
+ DetectSshVersionRegister();
+ DetectSshSoftwareRegister();
+ DetectSshSoftwareVersionRegister();
+ DetectSslStateRegister();
+ DetectSslVersionRegister();
+ DetectByteExtractRegister();
+ DetectFiledataRegister();
+ DetectPktDataRegister();
+ DetectLuaRegister();
+ DetectIPRepRegister();
+ DetectAppLayerProtocolRegister();
+ DetectBase64DecodeRegister();
+ DetectBase64DataRegister();
+ DetectTemplateRegister();
+ DetectTargetRegister();
+ DetectTemplateBufferRegister();
+ DetectBypassRegister();
+
+ /* close keyword registration */
+ DetectBufferTypeFinalizeRegistration();
+}
+
+void SigTableRegisterTests(void)
+{
+ /* register the tests */
+ int i = 0;
+ for (i = 0; i < DETECT_TBLSIZE; i++) {
+ g_ut_modules++;
+ if (sigmatch_table[i].RegisterTests != NULL) {
+ sigmatch_table[i].RegisterTests();
+ g_ut_covered++;
+ } else {
+ SCLogDebug("detection plugin %s has no unittest "
+ "registration function.", sigmatch_table[i].name);
+
+ if (coverage_unittests)
+ SCLogWarning(SC_WARN_NO_UNITTESTS, "detection plugin %s has no unittest "
+ "registration function.", sigmatch_table[i].name);
+ }
+ }
+}
diff --git a/src/detect-engine-register.h b/src/detect-engine-register.h
new file mode 100644
index 0000000000..d41e3f2785
--- /dev/null
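Review bot: SigTableRegisterTests, at the end of the hunk, passes `sigmatch_table[i].name` to a `%s` conversion in both SCLogDebug and SCLogWarning without a NULL check, while SigTableSetup zeroes the whole table with memset and SigTableList treats a NULL name as an unregistered slot — so any DETECT_* index that no Register function fills ends up formatting a NULL string, which is undefined behaviour for printf-style formatting. Hoisting the name into a local, `const char *name = sigmatch_table[i].name ? sigmatch_table[i].name : "(unregistered)";`, and passing `name` to both log calls closes that. The same loop also counts those empty slots in g_ut_modules, so the coverage ratio includes entries that are not keywords; that looks pre-existing and possibly intentional, so a one-line comment saying so is preferable to changing it. The `\file` block says nothing about the unit's purpose; a line such as `\brief Keyword (SigMatch) registration: SigTableSetup() fills sigmatch_table, SigTableList() prints it, SigTableRegisterTests() hooks per-keyword unittests.` would orient readers.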
+++ b/src/detect-engine-register.h 
@@ -0,0 +1,210 @@
+/* Copyright (C) 2007-2017 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Victor Julien
+ */
+
+#ifndef __DETECT_ENGINE_REGISTER_H__
+#define __DETECT_ENGINE_REGISTER_H__
+
+enum {
+ DETECT_SID,
+ DETECT_PRIORITY,
+ DETECT_REV,
+ DETECT_CLASSTYPE,
+
+ /* sorted by prefilter priority. Higher in this list means it will be
+ * picked over ones lower in the list */
+ DETECT_AL_APP_LAYER_PROTOCOL,
+ DETECT_ACK,
+ DETECT_SEQ,
+ DETECT_WINDOW,
+ DETECT_IPOPTS,
+ DETECT_FLAGS,
+ DETECT_FRAGBITS,
+ DETECT_FRAGOFFSET,
+ DETECT_TTL,
+ DETECT_TOS,
+ DETECT_ITYPE,
+ DETECT_ICODE,
+ DETECT_ICMP_ID,
+ DETECT_ICMP_SEQ,
+ DETECT_DSIZE,
+
+ DETECT_FLOW,
+ /* end prefilter sort */
+
+ DETECT_THRESHOLD,
+ DETECT_METADATA,
+ DETECT_REFERENCE,
+ DETECT_TAG,
+ DETECT_MSG,
+ DETECT_CONTENT,
+ DETECT_URICONTENT,
+ DETECT_PCRE,
+ DETECT_DEPTH,
+ DETECT_DISTANCE,
+ DETECT_WITHIN,
+ DETECT_OFFSET,
+ DETECT_REPLACE,
+ DETECT_NOCASE,
+ DETECT_FAST_PATTERN,
+ DETECT_RAWBYTES,
+ DETECT_BYTETEST,
+ DETECT_BYTEJUMP,
+ DETECT_SAMEIP,
+ DETECT_GEOIP,
+ DETECT_IPPROTO,
+ DETECT_FTPBOUNCE,
+ DETECT_ISDATAAT,
+ DETECT_ID,
+ DETECT_RPC,
+ DETECT_FLOWVAR,
+ DETECT_FLOWVAR_POSTMATCH,
+ DETECT_FLOWINT,
+ DETECT_PKTVAR,
+ DETECT_NOALERT,
+ DETECT_FLOWBITS,
+ DETECT_HOSTBITS,
+ DETECT_IPV4_CSUM,
+ DETECT_TCPV4_CSUM,
+ DETECT_TCPV6_CSUM,
+ DETECT_UDPV4_CSUM,
+ DETECT_UDPV6_CSUM,
+ DETECT_ICMPV4_CSUM,
+ DETECT_ICMPV6_CSUM,
+ DETECT_STREAM_SIZE,
+ DETECT_DETECTION_FILTER,
+
+ DETECT_DECODE_EVENT,
+ DETECT_GID,
+ DETECT_MARK,
+
+ DETECT_AL_TLS_VERSION,
+ DETECT_AL_TLS_SUBJECT,
+ DETECT_AL_TLS_ISSUERDN,
+ DETECT_AL_TLS_NOTBEFORE,
+ DETECT_AL_TLS_NOTAFTER,
+ DETECT_AL_TLS_EXPIRED,
+ DETECT_AL_TLS_VALID,
+ DETECT_AL_TLS_FINGERPRINT,
+ DETECT_AL_TLS_STORE,
+
+ DETECT_AL_HTTP_COOKIE,
+ DETECT_AL_HTTP_METHOD,
+ DETECT_AL_HTTP_PROTOCOL,
+ DETECT_AL_HTTP_START,
+ DETECT_AL_URILEN,
+ DETECT_AL_HTTP_CLIENT_BODY,
+ DETECT_AL_HTTP_SERVER_BODY,
+ DETECT_AL_HTTP_HEADER,
+ DETECT_AL_HTTP_HEADER_NAMES,
+ DETECT_AL_HTTP_HEADER_ACCEPT,
+ DETECT_AL_HTTP_HEADER_ACCEPT_LANG,
+ DETECT_AL_HTTP_HEADER_ACCEPT_ENC,
+ DETECT_AL_HTTP_HEADER_CONNECTION,
+ DETECT_AL_HTTP_HEADER_CONTENT_LEN,
+ DETECT_AL_HTTP_HEADER_CONTENT_TYPE,
+ DETECT_AL_HTTP_HEADER_REFERER,
+ DETECT_AL_HTTP_RAW_HEADER,
+ DETECT_AL_HTTP_URI,
+ DETECT_AL_HTTP_RAW_URI,
+ DETECT_AL_HTTP_STAT_MSG,
+ DETECT_AL_HTTP_STAT_CODE,
+ DETECT_AL_HTTP_USER_AGENT,
+ DETECT_AL_HTTP_HOST,
+ DETECT_AL_HTTP_RAW_HOST,
+ DETECT_AL_HTTP_REQUEST_LINE,
+ DETECT_AL_HTTP_RESPONSE_LINE,
+ DETECT_AL_NFS_PROCEDURE,
+ DETECT_AL_NFS_VERSION,
+ DETECT_AL_SSH_PROTOCOL,
+ DETECT_AL_SSH_PROTOVERSION,
+ DETECT_AL_SSH_SOFTWARE,
+ DETECT_AL_SSH_SOFTWAREVERSION,
+ DETECT_AL_SSL_VERSION,
+ DETECT_AL_SSL_STATE,
+ DETECT_BYTE_EXTRACT,
+ DETECT_FILE_DATA,
+ DETECT_PKT_DATA,
+ DETECT_AL_APP_LAYER_EVENT,
+
+ DETECT_DCE_IFACE,
+ DETECT_DCE_OPNUM,
+ DETECT_DCE_STUB_DATA,
+
+ DETECT_ASN1,
+
+ DETECT_ENGINE_EVENT,
+ DETECT_STREAM_EVENT,
+
+ DETECT_FILENAME,
+ DETECT_FILEEXT,
+ DETECT_FILESTORE,
+ DETECT_FILEMAGIC,
+ DETECT_FILEMD5,
+ DETECT_FILESHA1,
+ DETECT_FILESHA256,
+ DETECT_FILESIZE,
+
+ DETECT_L3PROTO,
+ DETECT_LUA,
+ DETECT_IPREP,
+
+ DETECT_AL_DNS_QUERY,
+ DETECT_AL_TLS_SNI,
+ DETECT_AL_TLS_CERT_ISSUER,
+ DETECT_AL_TLS_CERT_SUBJECT,
+ DETECT_AL_TLS_CERT_SERIAL,
+ DETECT_AL_TLS_CERT_FINGERPRINT,
+
+ DETECT_AL_MODBUS,
+ DETECT_CIPSERVICE,
+ DETECT_ENIPCOMMAND,
+
+ DETECT_AL_DNP3DATA,
+ DETECT_AL_DNP3FUNC,
+ DETECT_AL_DNP3IND,
+ DETECT_AL_DNP3OBJ,
+
+ DETECT_XBITS,
+ DETECT_BASE64_DECODE,
+ DETECT_BASE64_DATA,
+
+ DETECT_TEMPLATE,
+ DETECT_TARGET,
+ DETECT_AL_TEMPLATE_BUFFER,
+
+ DETECT_BYPASS,
+
+ DETECT_PREFILTER,
+
+ /* make sure this stays last */
+ DETECT_TBLSIZE,
+};
+
+/* Table with all SigMatch registrations */
+SigTableElmt sigmatch_table[DETECT_TBLSIZE];
+
+void SigTableList(const char *keyword);
+void SigTableSetup(void);
+void SigTableRegisterTests(void);
+
+#endif /* __DETECT_ENGINE_REGISTER_H__ */
diff --git a/src/detect.c b/src/detect.c
index 69e0187d67..a4316fa3d5 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2007-2014 Open Information Security Foundation
+/* Copyright (C) 2007-2017 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
@@ -25,12 +25,22 @@
 #include "suricata-common.h"
 #include "suricata.h"
+#include "tm-threads.h"
 #include "debug.h"
-#include "detect.h"
+#include "decode.h"
 #include "flow.h"
-#include "flow-private.h"
-#include "flow-bit.h"
+#include "stream-tcp.h"
+#include "app-layer.h"
+#include "app-layer-parser.h"
+#include "app-layer-protos.h"
+
+#include "pkt-var.h"
+
+#include "conf.h"
+#include "conf-yaml-loader.h"
+#include "action-globals.h"
+#include "detect.h"
 #include "detect-parse.h"
 #include "detect-engine.h"
 #include "detect-engine-profile.h"
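Review bot: `SigTableElmt sigmatch_table[DETECT_TBLSIZE];` near the end of the header hunk is a tentative definition, not a declaration, so every translation unit that includes detect-engine-register.h defines the array and the link only succeeds while the toolchain merges common symbols; newer GCC and Clang default to `-fno-common`, where this becomes a multiple-definition error. The line is carried over from detect.h unchanged, but since this commit creates the header it is the right moment to write `extern SigTableElmt sigmatch_table[DETECT_TBLSIZE];` here and put the single definition in detect-engine-register.c next to SigTableSetup. The header also names SigTableElmt without including anything, so it compiles only after detect.h has been seen; if detect.h is meant to pull this header in after the SigTableElmt typedef, the `\file` comment should say so, otherwise add `#include "detect.h"`. The guard `__DETECT_ENGINE_REGISTER_H__` sits in the identifier namespace reserved for the implementation, but it matches the surrounding project convention, so I would leave it unless the guards are renamed together.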
@@ -45,114 +55,13 @@
 #include "detect-engine-threshold.h"
 #include "detect-engine-prefilter.h"
-#include "detect-engine-payload.h"
-#include "detect-engine-dcepayload.h"
-#include "detect-engine-uri.h"
-#include "detect-dns-query.h"
-#include "detect-tls-sni.h"
-#include "detect-tls-cert-issuer.h"
-#include "detect-tls-cert-subject.h"
-#include "detect-tls-cert-serial.h"
-#include "detect-tls-cert-fingerprint.h"
 #include "detect-engine-state.h"
 #include "detect-engine-analyzer.h"
+#include "detect-engine-payload.h"
 #include "detect-engine-filedata-smtp.h"
-#include "detect-http-cookie.h"
-#include "detect-http-method.h"
-#include "detect-http-ua.h"
-#include "detect-http-hh.h"
-#include "detect-http-hrh.h"
-
-#include "detect-nfs-procedure.h"
-#include "detect-nfs-version.h"
-
 #include "detect-engine-event.h"
-#include "decode.h"
-
-#include "detect-base64-decode.h"
-#include "detect-base64-data.h"
-#include "detect-ipopts.h"
-#include "detect-flags.h"
-#include "detect-fragbits.h"
-#include "detect-fragoffset.h"
-#include "detect-gid.h"
-#include "detect-ack.h"
-#include "detect-seq.h"
-#include "detect-content.h"
-#include "detect-uricontent.h"
-#include "detect-pcre.h"
-#include "detect-depth.h"
-#include "detect-nocase.h"
-#include "detect-rawbytes.h"
-#include "detect-bytetest.h"
-#include "detect-bytejump.h"
-#include "detect-sameip.h"
-#include "detect-l3proto.h"
-#include "detect-ipproto.h"
-#include "detect-within.h"
-#include "detect-distance.h"
-#include "detect-offset.h"
-#include "detect-sid.h"
-#include "detect-prefilter.h"
-#include "detect-priority.h"
-#include "detect-classtype.h"
-#include "detect-reference.h"
-#include "detect-tag.h"
-#include "detect-threshold.h"
-#include "detect-metadata.h"
-#include "detect-msg.h"
-#include "detect-rev.h"
-#include "detect-flow.h"
-#include "detect-window.h"
-#include "detect-ftpbounce.h"
-#include "detect-isdataat.h"
-#include "detect-id.h"
-#include "detect-rpc.h"
-#include "detect-asn1.h"
-#include "detect-filename.h"
-#include "detect-fileext.h"
-#include "detect-filestore.h"
-#include "detect-filemagic.h"
-#include "detect-filemd5.h"
-#include "detect-filesha1.h"
-#include "detect-filesha256.h"
-#include "detect-filesize.h"
-#include "detect-dsize.h"
-#include "detect-flowvar.h"
-#include "detect-flowint.h"
-#include "detect-pktvar.h"
-#include "detect-noalert.h"
-#include "detect-flowbits.h"
-#include "detect-hostbits.h"
-#include "detect-xbits.h"
-#include "detect-csum.h"
-#include "detect-stream_size.h"
 #include "detect-engine-sigorder.h"
-#include "detect-ttl.h"
-#include "detect-fast-pattern.h"
-#include "detect-itype.h"
-#include "detect-icode.h"
-#include "detect-icmp-id.h"
-#include "detect-icmp-seq.h"
-#include "detect-dce-iface.h"
-#include "detect-dce-opnum.h"
-#include "detect-dce-stub-data.h"
-#include "detect-urilen.h"
-#include "detect-detection-filter.h"
-#include "detect-http-client-body.h"
-#include "detect-http-server-body.h"
-#include "detect-http-header.h"
-#include "detect-http-header-names.h"
-#include "detect-http-headers.h"
-#include "detect-http-raw-header.h"
-#include "detect-http-uri.h"
-#include "detect-http-protocol.h"
-#include "detect-http-start.h"
-#include "detect-http-raw-uri.h"
-#include "detect-http-stat-msg.h"
-#include "detect-http-request-line.h"
-#include "detect-http-response-line.h"
 #include "detect-engine-hcbd.h"
 #include "detect-engine-hsbd.h"
 #include "detect-engine-hrhd.h"
@@ -164,72 +73,21 @@
 #include "detect-engine-hua.h"
 #include "detect-engine-hhhd.h"
 #include "detect-engine-hrhhd.h"
-#include "detect-byte-extract.h"
-#include "detect-file-data.h"
-#include "detect-pkt-data.h"
-#include "detect-replace.h"
-#include "detect-tos.h"
-#include "detect-app-layer-event.h"
-#include "detect-lua.h"
-#include "detect-iprep.h"
-#include "detect-geoip.h"
-#include "detect-app-layer-protocol.h"
-#include "detect-template.h"
-#include "detect-target.h"
-#include "detect-template-buffer.h"
-#include "detect-bypass.h"
 #include "detect-engine-content-inspection.h"
-#include "util-rule-vars.h"
-
-#include "app-layer.h"
-#include "app-layer-protos.h"
-#include "app-layer-htp.h"
-#include "app-layer-smtp.h"
-#include "app-layer-template.h"
-#include "detect-tls.h"
-#include "detect-tls-cert-validity.h"
-#include "detect-tls-version.h"
-#include "detect-ssh-proto.h"
-#include "detect-ssh-proto-version.h"
-#include "detect-ssh-software.h"
-#include "detect-ssh-software-version.h"
-#include "detect-http-stat-code.h"
-#include "detect-ssl-version.h"
-#include "detect-ssl-state.h"
-#include "detect-modbus.h"
-#include "detect-cipservice.h"
-#include "detect-dnp3.h"
-
-#include "action-globals.h"
-#include "tm-threads.h"
-
-#include "pkt-var.h"
-
-#include "conf.h"
-#include "conf-yaml-loader.h"
-
-#include "stream-tcp.h"
-#include "stream-tcp-inline.h"
+#include "detect-filestore.h"
+#include "detect-flowvar.h"
+#include "detect-replace.h"
-#include "util-lua.h"
+#include "util-rule-vars.h"
 #include "util-var-name.h"
 #include "util-classification-config.h"
 #include "util-threshold-config.h"
 #include "util-print.h"
-#include "util-unittest.h"
-#include "util-unittest-helper.h"
 #include "util-debug.h"
-#include "util-hashlist.h"
-#include "util-cuda.h"
-#include "util-privs.h"
-#include "util-profiling.h"
 #include "util-validate.h"
-#include "util-optimize.h"
 #include "util-path.h"
-#include "util-mpm-ac.h"
 #include "util-detect.h"
-#include "runmodes.h"
 #ifdef HAVE_GLOB_H
 #include
@@ -1602,280 +1460,6 @@ void DisableDetectFlowFileFlags(Flow *f)
 DetectPostInspectFileFlagsUpdate(f, NULL /* no sgh */, STREAM_TOCLIENT);
 }
-static void PrintFeatureList(const SigTableElmt *e, char sep)
-{
- const uint8_t flags = e->flags;
-
- int prev = 0;
- if (flags & SIGMATCH_NOOPT) {
- printf("No option");
- prev = 1;
- }
- if (flags & SIGMATCH_IPONLY_COMPAT) {
- if (prev == 1)
- printf("%c", sep);
- printf("compatible with IP only rule");
- prev = 1;
- }
- if (flags & SIGMATCH_DEONLY_COMPAT) {
- if (prev == 1)
- printf("%c", sep);
- printf("compatible with decoder event only rule");
- prev = 1;
- }
- if (e->SupportsPrefilter) {
- if (prev == 1)
- printf("%c", sep);
- printf("prefilter");
- prev = 1;
- }
- if (prev == 0) {
- printf("none");
- }
-}
-
-static void SigMultilinePrint(int i, const char *prefix)
-{
- if (sigmatch_table[i].desc) {
- printf("%sDescription: %s\n", prefix, sigmatch_table[i].desc);
- }
- printf("%sFeatures: ", prefix);
- PrintFeatureList(&sigmatch_table[i], ',');
- if (sigmatch_table[i].url) {
- printf("\n%sDocumentation: %s", prefix, sigmatch_table[i].url);
- }
- printf("\n");
-}
-
-void SigTableList(const char *keyword)
-{
- size_t size = sizeof(sigmatch_table) / sizeof(SigTableElmt);
- size_t i;
-
- if (keyword == NULL) {
- printf("=====Supported keywords=====\n");
- for (i = 0; i < size; i++) {
- if (sigmatch_table[i].name != NULL) {
- if (sigmatch_table[i].flags & SIGMATCH_NOT_BUILT) {
- printf("- %s (not built-in)\n", sigmatch_table[i].name);
- } else {
- printf("- %s\n", sigmatch_table[i].name);
- }
- }
- }
- } else if (strcmp("csv", keyword) == 0) {
- printf("name;description;app layer;features;documentation\n");
- for (i = 0; i < size; i++) {
- if (sigmatch_table[i].name != NULL) {
- if (sigmatch_table[i].flags & SIGMATCH_NOT_BUILT) {
- continue;
- }
- printf("%s;", sigmatch_table[i].name);
- if (sigmatch_table[i].desc) {
- printf("%s", sigmatch_table[i].desc);
- }
- /* Build feature */
- printf(";Unset;"); // this used to be alproto
- PrintFeatureList(&sigmatch_table[i], ':');
- printf(";");
- if (sigmatch_table[i].url) {
- printf("%s", sigmatch_table[i].url);
- }
- printf(";");
- printf("\n");
- }
- }
- } else if (strcmp("all", keyword) == 0) {
- for (i = 0; i < size; i++) {
- if (sigmatch_table[i].name != NULL) {
- printf("%s:\n", sigmatch_table[i].name);
- SigMultilinePrint(i, "\t");
- }
- }
- } else {
- for (i = 0; i < size; i++) {
- if ((sigmatch_table[i].name != NULL) &&
- strcmp(sigmatch_table[i].name, keyword) == 0) {
- printf("= %s =\n", sigmatch_table[i].name);
- if (sigmatch_table[i].flags & SIGMATCH_NOT_BUILT) {
- printf("Not built-in\n");
- return;
- }
- SigMultilinePrint(i, "");
- return;
- }
- }
- }
- return;
-}
-
-void SigTableSetup(void)
-{
- memset(sigmatch_table, 0, sizeof(sigmatch_table));
-
- DetectSidRegister();
- DetectPriorityRegister();
- DetectPrefilterRegister();
- DetectRevRegister();
- DetectClasstypeRegister();
- DetectReferenceRegister();
- DetectTagRegister();
- DetectThresholdRegister();
- DetectMetadataRegister();
- DetectMsgRegister();
- DetectAckRegister();
- DetectSeqRegister();
- DetectContentRegister();
- DetectUricontentRegister();
-
- /* NOTE: the order of these currently affects inspect
- * engine registration order and ultimately the order
- * of inspect engines in the rule. Which in turn affects
- * state keeping */
- DetectHttpUriRegister();
- DetectHttpRequestLineRegister();
- DetectHttpClientBodyRegister();
- DetectHttpResponseLineRegister();
- DetectHttpServerBodyRegister();
- DetectHttpHeaderRegister();
- DetectHttpHeaderNamesRegister();
- DetectHttpHeadersRegister();
- DetectHttpProtocolRegister();
- DetectHttpStartRegister();
- DetectHttpRawHeaderRegister();
- DetectHttpMethodRegister();
- DetectHttpCookieRegister();
- DetectHttpRawUriRegister();
-
- DetectFilenameRegister();
- DetectFileextRegister();
- DetectFilestoreRegister();
- DetectFilemagicRegister();
- DetectFileMd5Register();
- DetectFileSha1Register();
- DetectFileSha256Register();
- DetectFilesizeRegister();
-
- DetectHttpUARegister();
- DetectHttpHHRegister();
- DetectHttpHRHRegister();
-
- DetectHttpStatMsgRegister();
- DetectHttpStatCodeRegister();
-
- DetectDnsQueryRegister();
- DetectModbusRegister();
- DetectCipServiceRegister();
- DetectEnipCommandRegister();
- DetectDNP3Register();
-
- DetectTlsSniRegister();
- DetectTlsIssuerRegister();
- DetectTlsSubjectRegister();
- DetectTlsSerialRegister();
- DetectTlsFingerprintRegister();
-
- DetectAppLayerEventRegister();
- /* end of order dependent regs */
-
- DetectPcreRegister();
- DetectDepthRegister();
- DetectNocaseRegister();
- DetectRawbytesRegister();
- DetectBytetestRegister();
- DetectBytejumpRegister();
- DetectSameipRegister();
- DetectGeoipRegister();
- DetectL3ProtoRegister();
- DetectIPProtoRegister();
- DetectWithinRegister();
- DetectDistanceRegister();
- DetectOffsetRegister();
- DetectReplaceRegister();
- DetectFlowRegister();
- DetectWindowRegister();
- DetectRpcRegister();
- DetectFtpbounceRegister();
- DetectIsdataatRegister();
- DetectIdRegister();
- DetectDsizeRegister();
- DetectFlowvarRegister();
- DetectFlowintRegister();
- DetectPktvarRegister();
- DetectNoalertRegister();
- DetectFlowbitsRegister();
- DetectHostbitsRegister();
- DetectXbitsRegister();
- DetectEngineEventRegister();
- DetectIpOptsRegister();
- DetectFlagsRegister();
- DetectFragBitsRegister();
- DetectFragOffsetRegister();
- DetectGidRegister();
- DetectMarkRegister();
- DetectCsumRegister();
- DetectStreamSizeRegister();
- DetectTtlRegister();
- DetectTosRegister();
- DetectFastPatternRegister();
- DetectITypeRegister();
- DetectICodeRegister();
- DetectIcmpIdRegister();
- DetectIcmpSeqRegister();
- DetectDceIfaceRegister();
- DetectDceOpnumRegister();
- DetectDceStubDataRegister();
- DetectTlsRegister();
- DetectTlsValidityRegister();
- DetectTlsVersionRegister();
- DetectNfsProcedureRegister();
- DetectNfsVersionRegister();
- DetectUrilenRegister();
- DetectDetectionFilterRegister();
- DetectAsn1Register();
- DetectSshProtocolRegister();
- DetectSshVersionRegister();
- DetectSshSoftwareRegister();
- DetectSshSoftwareVersionRegister();
- DetectSslStateRegister();
- DetectSslVersionRegister();
- DetectByteExtractRegister();
- DetectFiledataRegister();
- DetectPktDataRegister();
- DetectLuaRegister();
- DetectIPRepRegister();
- DetectAppLayerProtocolRegister();
- DetectBase64DecodeRegister();
- DetectBase64DataRegister();
- DetectTemplateRegister();
- DetectTargetRegister();
- DetectTemplateBufferRegister();
- DetectBypassRegister();
-
- /* close keyword registration */
- DetectBufferTypeFinalizeRegistration();
-}
-
-void SigTableRegisterTests(void)
-{
- /* register the tests */
- int i = 0;
- for (i = 0; i < DETECT_TBLSIZE; i++) {
- g_ut_modules++;
- if (sigmatch_table[i].RegisterTests != NULL) {
- sigmatch_table[i].RegisterTests();
- g_ut_covered++;
- } else {
- SCLogDebug("detection plugin %s has no unittest "
- "registration function.", sigmatch_table[i].name);
-
- if (coverage_unittests)
- SCLogWarning(SC_WARN_NO_UNITTESTS, "detection plugin %s has no unittest "
- "registration function.", sigmatch_table[i].name);
- }
- }
-}
-
 /*
 * TESTS
 */
diff --git a/src/detect.h b/src/detect.h
index fcb871788a..bde1460e0c 100644
--- a/src/detect.h
+++ b/src/detect.h
@@ -1204,184 +1204,6 @@ typedef struct DetectEngineMasterCtx_ { /** Remember to add the options in SignatureIsIPOnly() at detect.c otherwise it wont be part of a signature group */ -enum { - DETECT_SID, - DETECT_PRIORITY, - DETECT_REV, - DETECT_CLASSTYPE, - - /* sorted by prefilter priority. Higher in this list means it will be - * picked over ones lower in the list */ - DETECT_AL_APP_LAYER_PROTOCOL, - DETECT_ACK, - DETECT_SEQ, - DETECT_WINDOW, - DETECT_IPOPTS, - DETECT_FLAGS, - DETECT_FRAGBITS, - DETECT_FRAGOFFSET, - DETECT_TTL, - DETECT_TOS, - DETECT_ITYPE, - DETECT_ICODE, - DETECT_ICMP_ID, - DETECT_ICMP_SEQ, - DETECT_DSIZE, - - DETECT_FLOW, - /* end prefilter sort */ - - DETECT_THRESHOLD, - DETECT_METADATA, - DETECT_REFERENCE, - DETECT_TAG, - DETECT_MSG, - DETECT_CONTENT, - DETECT_URICONTENT, - DETECT_PCRE, - DETECT_DEPTH, - DETECT_DISTANCE, - DETECT_WITHIN, - DETECT_OFFSET, - DETECT_REPLACE, - DETECT_NOCASE, - DETECT_FAST_PATTERN, - DETECT_RAWBYTES, - DETECT_BYTETEST, - DETECT_BYTEJUMP, - DETECT_SAMEIP, - DETECT_GEOIP, - DETECT_IPPROTO, - DETECT_FTPBOUNCE, - DETECT_ISDATAAT, - DETECT_ID, - DETECT_RPC, - DETECT_FLOWVAR, - DETECT_FLOWVAR_POSTMATCH, - DETECT_FLOWINT, - DETECT_PKTVAR, - DETECT_NOALERT, - DETECT_FLOWBITS, - DETECT_HOSTBITS, - DETECT_IPV4_CSUM, - DETECT_TCPV4_CSUM, - DETECT_TCPV6_CSUM, - DETECT_UDPV4_CSUM, - DETECT_UDPV6_CSUM, - DETECT_ICMPV4_CSUM, - DETECT_ICMPV6_CSUM, - DETECT_STREAM_SIZE, - DETECT_DETECTION_FILTER, - - DETECT_DECODE_EVENT, - DETECT_GID, - DETECT_MARK, - - DETECT_AL_TLS_VERSION, - DETECT_AL_TLS_SUBJECT, - DETECT_AL_TLS_ISSUERDN, - DETECT_AL_TLS_NOTBEFORE, - DETECT_AL_TLS_NOTAFTER, - DETECT_AL_TLS_EXPIRED, - DETECT_AL_TLS_VALID, - DETECT_AL_TLS_FINGERPRINT, - DETECT_AL_TLS_STORE, - - DETECT_AL_HTTP_COOKIE, - DETECT_AL_HTTP_METHOD, - DETECT_AL_HTTP_PROTOCOL, - DETECT_AL_HTTP_START, - DETECT_AL_URILEN, - DETECT_AL_HTTP_CLIENT_BODY, - DETECT_AL_HTTP_SERVER_BODY, - DETECT_AL_HTTP_HEADER, - DETECT_AL_HTTP_HEADER_NAMES, - 
DETECT_AL_HTTP_HEADER_ACCEPT, - DETECT_AL_HTTP_HEADER_ACCEPT_LANG, - DETECT_AL_HTTP_HEADER_ACCEPT_ENC, - DETECT_AL_HTTP_HEADER_CONNECTION, - DETECT_AL_HTTP_HEADER_CONTENT_LEN, - DETECT_AL_HTTP_HEADER_CONTENT_TYPE, - DETECT_AL_HTTP_HEADER_REFERER, - DETECT_AL_HTTP_RAW_HEADER, - DETECT_AL_HTTP_URI, - DETECT_AL_HTTP_RAW_URI, - DETECT_AL_HTTP_STAT_MSG, - DETECT_AL_HTTP_STAT_CODE, - DETECT_AL_HTTP_USER_AGENT, - DETECT_AL_HTTP_HOST, - DETECT_AL_HTTP_RAW_HOST, - DETECT_AL_HTTP_REQUEST_LINE, - DETECT_AL_HTTP_RESPONSE_LINE, - DETECT_AL_NFS_PROCEDURE, - DETECT_AL_NFS_VERSION, - DETECT_AL_SSH_PROTOCOL, - DETECT_AL_SSH_PROTOVERSION, - DETECT_AL_SSH_SOFTWARE, - DETECT_AL_SSH_SOFTWAREVERSION, - DETECT_AL_SSL_VERSION, - DETECT_AL_SSL_STATE, - DETECT_BYTE_EXTRACT, - DETECT_FILE_DATA, - DETECT_PKT_DATA, - DETECT_AL_APP_LAYER_EVENT, - - DETECT_DCE_IFACE, - DETECT_DCE_OPNUM, - DETECT_DCE_STUB_DATA, - - DETECT_ASN1, - - DETECT_ENGINE_EVENT, - DETECT_STREAM_EVENT, - - DETECT_FILENAME, - DETECT_FILEEXT, - DETECT_FILESTORE, - DETECT_FILEMAGIC, - DETECT_FILEMD5, - DETECT_FILESHA1, - DETECT_FILESHA256, - DETECT_FILESIZE, - - DETECT_L3PROTO, - DETECT_LUA, - DETECT_IPREP, - - DETECT_AL_DNS_QUERY, - DETECT_AL_TLS_SNI, - DETECT_AL_TLS_CERT_ISSUER, - DETECT_AL_TLS_CERT_SUBJECT, - DETECT_AL_TLS_CERT_SERIAL, - DETECT_AL_TLS_CERT_FINGERPRINT, - DETECT_AL_MODBUS, - DETECT_CIPSERVICE, - DETECT_ENIPCOMMAND, - - DETECT_AL_DNP3DATA, - DETECT_AL_DNP3FUNC, - DETECT_AL_DNP3IND, - DETECT_AL_DNP3OBJ, - - DETECT_XBITS, - DETECT_BASE64_DECODE, - DETECT_BASE64_DATA, - - DETECT_TEMPLATE, - DETECT_TARGET, - DETECT_AL_TEMPLATE_BUFFER, - - DETECT_BYPASS, - - DETECT_PREFILTER, - - /* make sure this stays last */ - DETECT_TBLSIZE, -}; - -/* Table with all SigMatch registrations */ -SigTableElmt sigmatch_table[DETECT_TBLSIZE]; - /* detection api */ TmEcode Detect(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq); 
@@ -1392,7 +1214,6 @@ void SigMatchSignaturesBuildMatchArray(DetectEngineThreadCtx *, uint16_t); void SigMatchFree(SigMatch *sm); -void SigTableRegisterTests(void); void SigRegisterTests(void); void DetectSimdRegisterTests(void); void TmModuleDetectRegister (void); @@ -1402,8 +1223,6 @@ void SigAddressPrepareBidirectionals (DetectEngineCtx *); void DisableDetectFlowFileFlags(Flow *f); char *DetectLoadCompleteSigPath(const DetectEngineCtx *, const char *sig_file); int SigLoadSignatures (DetectEngineCtx *, char *, int); -void SigTableList(const char *keyword); -void SigTableSetup(void); void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p); @@ -1422,6 +1241,7 @@ int SigMatchSignaturesRunPostMatch(ThreadVars *tv, void DetectSignatureApplyActions(Packet *p, const Signature *s, const uint8_t); #include "detect-engine-build.h" +#include "detect-engine-register.h" #endif /* __DETECT_H__ */ diff --git a/src/tests/detect.c b/src/tests/detect.c index 7ca5948b63..7f3577499d 100644 --- a/src/tests/detect.c +++ b/src/tests/detect.c @@ -23,6 +23,8 @@ #include "../pkt-var.h" #include "../flow-util.h" #include "../stream-tcp-reassemble.h" +#include "../util-unittest.h" +#include "../util-unittest-helper.h" static const char *dummy_conf_string = "%YAML 1.1\n"
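Review bot: The new `#include "detect-engine-register.h"` at the end of detect.h sits after every declaration it can depend on (SigTableElmt, DetectEngineCtx, the keyword API), so its position is load-bearing and deserves a one-line comment such as `/* kept last: the register header depends on the types declared above */` so a later include reorder does not break the build. The `SigTableElmt sigmatch_table[DETECT_TBLSIZE];` removed in the -1204 hunk was a tentative definition living in a header; the new header is not shown here, so I cannot confirm it, but the declaration that replaces it should be `extern` with a single definition in the new source file, otherwise every translation unit including detect.h carries its own copy and relies on common-symbol merging. SigTableSetup, SigTableList and SigTableRegisterTests are now reachable only through this trailing include, which is worth stating in that same comment.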