From: Philippe Antoine Date: Tue, 7 May 2024 14:13:07 +0000 (+0200) Subject: detect/websocket: move keywords to rust X-Git-Tag: suricata-8.0.0-beta1~1158 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ce1eea4ad65e4df37e911cd56ac4f8725c61bda7;p=thirdparty%2Fsuricata.git detect/websocket: move keywords to rust Ticket: 4863 --- diff --git a/rust/src/websocket/detect.rs b/rust/src/websocket/detect.rs index 44737ae6f0..b4457125a6 100644 --- a/rust/src/websocket/detect.rs +++ b/rust/src/websocket/detect.rs @@ -15,9 +15,15 @@ * 02110-1301, USA. */ -use super::websocket::WebSocketTransaction; +use super::websocket::{WebSocketTransaction, ALPROTO_WEBSOCKET}; use crate::detect::uint::{ - detect_parse_uint, detect_parse_uint_enum, DetectUintData, DetectUintMode, + detect_parse_uint, detect_parse_uint_enum, rs_detect_u32_free, rs_detect_u32_match, + rs_detect_u32_parse, rs_detect_u8_free, rs_detect_u8_match, DetectUintData, DetectUintMode, +}; +use crate::detect::{ + DetectBufferSetActiveList, DetectHelperBufferMpmRegister, DetectHelperBufferRegister, + DetectHelperGetData, DetectHelperKeywordRegister, DetectSignatureSetAppProto, SCSigTableElmt, + SigMatchAppendSMToList, SIGMATCH_INFO_STICKY_BUFFER, SIGMATCH_NOOPT, }; use crate::websocket::parser::WebSocketOpcode; @@ -28,39 +34,9 @@ use nom7::multi::many1; use nom7::IResult; use std::ffi::CStr; +use std::os::raw::{c_int, c_void}; -#[no_mangle] -pub unsafe extern "C" fn SCWebSocketGetOpcode(tx: &mut WebSocketTransaction) -> u8 { - return tx.pdu.opcode; -} - -#[no_mangle] -pub unsafe extern "C" fn SCWebSocketGetFlags(tx: &mut WebSocketTransaction) -> u8 { - return tx.pdu.flags; -} - -#[no_mangle] -pub unsafe extern "C" fn SCWebSocketGetPayload( - tx: &WebSocketTransaction, buffer: *mut *const u8, buffer_len: *mut u32, -) -> bool { - *buffer = tx.pdu.payload.as_ptr(); - *buffer_len = tx.pdu.payload.len() as u32; - return true; -} - -#[no_mangle] -pub unsafe extern "C" fn SCWebSocketGetMask( - tx: &mut WebSocketTransaction, value: *mut u32, -) -> bool { - if let Some(xorkey) = tx.pdu.mask { - *value = xorkey; - return true; - } - return false; -} - -#[no_mangle] -pub unsafe extern "C" fn SCWebSocketParseOpcode( +unsafe extern "C" fn websocket_parse_opcode( ustr: *const std::os::raw::c_char, ) -> *mut DetectUintData { let ft_name: &CStr = CStr::from_ptr(ustr); //unsafe @@ -120,8 +96,7 @@ fn parse_flags(s: &str) -> Option> { return None; } -#[no_mangle] -pub unsafe extern "C" fn SCWebSocketParseFlags( +unsafe extern "C" fn websocket_parse_flags( ustr: *const std::os::raw::c_char, ) -> *mut DetectUintData { let ft_name: &CStr = CStr::from_ptr(ustr); //unsafe @@ -133,3 +108,248 @@ pub unsafe extern "C" fn SCWebSocketParseFlags( } return std::ptr::null_mut(); } + +static mut G_WEBSOCKET_OPCODE_KW_ID: c_int = 0; +static mut G_WEBSOCKET_OPCODE_BUFFER_ID: c_int = 0; +static mut G_WEBSOCKET_MASK_KW_ID: c_int = 0; +static mut G_WEBSOCKET_MASK_BUFFER_ID: c_int = 0; +static mut G_WEBSOCKET_FLAGS_KW_ID: c_int = 0; +static mut G_WEBSOCKET_FLAGS_BUFFER_ID: c_int = 0; +static mut G_WEBSOCKET_PAYLOAD_BUFFER_ID: c_int = 0; + +unsafe extern "C" fn websocket_detect_opcode_setup( + de: *mut c_void, s: *mut c_void, raw: *const libc::c_char, +) -> c_int { + if DetectSignatureSetAppProto(s, ALPROTO_WEBSOCKET) != 0 { + return -1; + } + let ctx = websocket_parse_opcode(raw) as *mut c_void; + if ctx.is_null() { + return -1; + } + if SigMatchAppendSMToList( + de, + s, + G_WEBSOCKET_OPCODE_KW_ID, + ctx, + G_WEBSOCKET_OPCODE_BUFFER_ID, + ) + .is_null() + { + websocket_detect_opcode_free(std::ptr::null_mut(), ctx); + return -1; + } + return 0; +} + +unsafe extern "C" fn websocket_detect_opcode_match( + _de: *mut c_void, _f: *mut c_void, _flags: u8, _state: *mut c_void, tx: *mut c_void, + _sig: *const c_void, ctx: *const c_void, +) -> c_int { + let tx = cast_pointer!(tx, WebSocketTransaction); + let ctx = cast_pointer!(ctx, DetectUintData); + return rs_detect_u8_match(tx.pdu.opcode, ctx); +} + +unsafe extern "C" fn websocket_detect_opcode_free(_de: *mut c_void, ctx: *mut c_void) { + // Just unbox... + let ctx = cast_pointer!(ctx, DetectUintData); + rs_detect_u8_free(ctx); +} + +unsafe extern "C" fn websocket_detect_mask_setup( + de: *mut c_void, s: *mut c_void, raw: *const libc::c_char, +) -> c_int { + if DetectSignatureSetAppProto(s, ALPROTO_WEBSOCKET) != 0 { + return -1; + } + let ctx = rs_detect_u32_parse(raw) as *mut c_void; + if ctx.is_null() { + return -1; + } + if SigMatchAppendSMToList( + de, + s, + G_WEBSOCKET_MASK_KW_ID, + ctx, + G_WEBSOCKET_MASK_BUFFER_ID, + ) + .is_null() + { + websocket_detect_mask_free(std::ptr::null_mut(), ctx); + return -1; + } + return 0; +} + +unsafe extern "C" fn websocket_detect_mask_match( + _de: *mut c_void, _f: *mut c_void, _flags: u8, _state: *mut c_void, tx: *mut c_void, + _sig: *const c_void, ctx: *const c_void, +) -> c_int { + let tx = cast_pointer!(tx, WebSocketTransaction); + let ctx = cast_pointer!(ctx, DetectUintData); + if let Some(xorkey) = tx.pdu.mask { + return rs_detect_u32_match(xorkey, ctx); + } + return 0; +} + +unsafe extern "C" fn websocket_detect_mask_free(_de: *mut c_void, ctx: *mut c_void) { + // Just unbox... + let ctx = cast_pointer!(ctx, DetectUintData); + rs_detect_u32_free(ctx); +} + +unsafe extern "C" fn websocket_detect_flags_setup( + de: *mut c_void, s: *mut c_void, raw: *const libc::c_char, +) -> c_int { + if DetectSignatureSetAppProto(s, ALPROTO_WEBSOCKET) != 0 { + return -1; + } + let ctx = websocket_parse_flags(raw) as *mut c_void; + if ctx.is_null() { + return -1; + } + if SigMatchAppendSMToList( + de, + s, + G_WEBSOCKET_FLAGS_KW_ID, + ctx, + G_WEBSOCKET_FLAGS_BUFFER_ID, + ) + .is_null() + { + websocket_detect_flags_free(std::ptr::null_mut(), ctx); + return -1; + } + return 0; +} + +unsafe extern "C" fn websocket_detect_flags_match( + _de: *mut c_void, _f: *mut c_void, _flags: u8, _state: *mut c_void, tx: *mut c_void, + _sig: *const c_void, ctx: *const c_void, +) -> c_int { + let tx = cast_pointer!(tx, WebSocketTransaction); + let ctx = cast_pointer!(ctx, DetectUintData); + return rs_detect_u8_match(tx.pdu.flags, ctx); +} + +unsafe extern "C" fn websocket_detect_flags_free(_de: *mut c_void, ctx: *mut c_void) { + // Just unbox... + let ctx = cast_pointer!(ctx, DetectUintData); + rs_detect_u8_free(ctx); +} + +pub unsafe extern "C" fn websocket_detect_payload_setup( + de: *mut c_void, s: *mut c_void, _raw: *const std::os::raw::c_char, +) -> c_int { + if DetectSignatureSetAppProto(s, ALPROTO_WEBSOCKET) != 0 { + return -1; + } + if DetectBufferSetActiveList(de, s, G_WEBSOCKET_PAYLOAD_BUFFER_ID) < 0 { + return -1; + } + return 0; +} + +pub unsafe extern "C" fn websocket_detect_payload_get( + tx: *const c_void, _flow_flags: u8, buffer: *mut *const u8, buffer_len: *mut u32, +) -> bool { + let tx = cast_pointer!(tx, WebSocketTransaction); + *buffer = tx.pdu.payload.as_ptr(); + *buffer_len = tx.pdu.payload.len() as u32; + return true; +} + +pub unsafe extern "C" fn websocket_detect_payload_get_data( + de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, + tx: *const c_void, list_id: c_int, +) -> *mut c_void { + return DetectHelperGetData( + de, + transforms, + flow, + flow_flags, + tx, + list_id, + websocket_detect_payload_get, + ); +} + +#[no_mangle] +pub unsafe extern "C" fn ScDetectWebsocketRegister() { + let kw = SCSigTableElmt { + name: b"websocket.opcode\0".as_ptr() as *const libc::c_char, + desc: b"match WebSocket opcode\0".as_ptr() as *const libc::c_char, + url: b"/rules/websocket-keywords.html#websocket-opcode\0".as_ptr() as *const libc::c_char, + AppLayerTxMatch: Some(websocket_detect_opcode_match), + Setup: websocket_detect_opcode_setup, + Free: Some(websocket_detect_opcode_free), + flags: 0, + }; + unsafe { + G_WEBSOCKET_OPCODE_KW_ID = DetectHelperKeywordRegister(&kw); + G_WEBSOCKET_OPCODE_BUFFER_ID = DetectHelperBufferRegister( + b"websocket.opcode\0".as_ptr() as *const libc::c_char, + ALPROTO_WEBSOCKET, + true, + true, + ); + } + let kw = SCSigTableElmt { + name: b"websocket.mask\0".as_ptr() as *const libc::c_char, + desc: b"match WebSocket mask\0".as_ptr() as *const libc::c_char, + url: b"/rules/websocket-keywords.html#websocket-mask\0".as_ptr() as *const libc::c_char, + AppLayerTxMatch: Some(websocket_detect_mask_match), + Setup: websocket_detect_mask_setup, + Free: Some(websocket_detect_mask_free), + flags: 0, + }; + unsafe { + G_WEBSOCKET_MASK_KW_ID = DetectHelperKeywordRegister(&kw); + G_WEBSOCKET_MASK_BUFFER_ID = DetectHelperBufferRegister( + b"websocket.mask\0".as_ptr() as *const libc::c_char, + ALPROTO_WEBSOCKET, + true, + true, + ); + } + let kw = SCSigTableElmt { + name: b"websocket.flags\0".as_ptr() as *const libc::c_char, + desc: b"match WebSocket flags\0".as_ptr() as *const libc::c_char, + url: b"/rules/websocket-keywords.html#websocket-flags\0".as_ptr() as *const libc::c_char, + AppLayerTxMatch: Some(websocket_detect_flags_match), + Setup: websocket_detect_flags_setup, + Free: Some(websocket_detect_flags_free), + flags: 0, + }; + unsafe { + G_WEBSOCKET_FLAGS_KW_ID = DetectHelperKeywordRegister(&kw); + G_WEBSOCKET_FLAGS_BUFFER_ID = DetectHelperBufferRegister( + b"websocket.flags\0".as_ptr() as *const libc::c_char, + ALPROTO_WEBSOCKET, + true, + true, + ); + } + let kw = SCSigTableElmt { + name: b"websocket.payload\0".as_ptr() as *const libc::c_char, + desc: b"match WebSocket payload\0".as_ptr() as *const libc::c_char, + url: b"/rules/websocket-keywords.html#websocket-payload\0".as_ptr() as *const libc::c_char, + Setup: websocket_detect_payload_setup, + flags: SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER, + AppLayerTxMatch: None, + Free: None, + }; + unsafe { + let _g_ws_payload_kw_id = DetectHelperKeywordRegister(&kw); + G_WEBSOCKET_PAYLOAD_BUFFER_ID = DetectHelperBufferMpmRegister( + b"websocket.payload\0".as_ptr() as *const libc::c_char, + b"WebSocket payload\0".as_ptr() as *const libc::c_char, + ALPROTO_WEBSOCKET, + true, + true, + websocket_detect_payload_get_data, + ); + } +} diff --git a/rust/src/websocket/websocket.rs b/rust/src/websocket/websocket.rs index c5e1720b31..26747525fb 100644 --- a/rust/src/websocket/websocket.rs +++ b/rust/src/websocket/websocket.rs @@ -32,7 +32,7 @@ use std::ffi::CString; use std::io::Read; use std::os::raw::{c_char, c_int, c_void}; -static mut ALPROTO_WEBSOCKET: AppProto = ALPROTO_UNKNOWN; +pub(super) static mut ALPROTO_WEBSOCKET: AppProto = ALPROTO_UNKNOWN; static mut WEBSOCKET_MAX_PAYLOAD_SIZE: u32 = 0xFFFF; diff --git a/src/Makefile.am b/src/Makefile.am index 5aeb194ca2..47e4d73bfa 100755 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -367,7 +367,6 @@ noinst_HEADERS = \ detect-urilen.h \ detect-within.h \ detect-xbits.h \ - detect-websocket.h \ device-storage.h \ feature.h \ flow-bit.h \ @@ -986,7 +985,6 @@ libsuricata_c_a_SOURCES = \ detect-urilen.c \ detect-within.c \ detect-xbits.c \ - detect-websocket.c \ device-storage.c \ feature.c \ flow-bit.c \ diff --git a/src/detect-engine-register.c b/src/detect-engine-register.c index f76eadf17a..399dc62011 100644 --- a/src/detect-engine-register.c +++ b/src/detect-engine-register.c @@ -235,7 +235,6 @@ #include "detect-quic-cyu-hash.h" #include "detect-quic-cyu-string.h" #include "detect-ja4-hash.h" -#include "detect-websocket.h" #include "detect-bypass.h" #include "detect-ftpdata.h" @@ -753,7 +752,6 @@ void SigTableSetup(void) DetectQuicCyuHashRegister(); DetectQuicCyuStringRegister(); DetectJa4HashRegister(); - DetectWebsocketRegister(); DetectBypassRegister(); DetectConfigRegister(); @@ -776,6 +774,7 @@ void SigTableSetup(void) ScDetectSNMPRegister(); ScDetectDHCPRegister(); + ScDetectWebsocketRegister(); /* close keyword registration */ DetectBufferTypeCloseRegistration(); diff --git a/src/detect-engine-register.h b/src/detect-engine-register.h index abdffa255b..c783869fa3 100644 --- a/src/detect-engine-register.h +++ b/src/detect-engine-register.h @@ -331,10 +331,6 @@ enum DetectKeywordId { DETECT_AL_QUIC_UA, DETECT_AL_QUIC_CYU_HASH, DETECT_AL_QUIC_CYU_STRING, - DETECT_WEBSOCKET_MASK, - DETECT_WEBSOCKET_OPCODE, - DETECT_WEBSOCKET_FLAGS, - DETECT_WEBSOCKET_PAYLOAD, DETECT_BYPASS, diff --git a/src/detect-websocket.c b/src/detect-websocket.c deleted file mode 100644 index 91f650c85c..0000000000 --- a/src/detect-websocket.c +++ /dev/null @@ -1,251 +0,0 @@ -/* Copyright (C) 2023 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Philippe Antoine - */ - -#include "suricata-common.h" -#include "detect.h" -#include "detect-parse.h" -#include "detect-engine.h" -#include "detect-engine-content-inspection.h" -#include "detect-engine-uint.h" -#include "detect-engine-prefilter.h" -#include "detect-websocket.h" - -#include "rust.h" - -static int websocket_tx_id = 0; -static int websocket_payload_id = 0; - -/** - * \internal - * \brief this function will free memory associated with DetectWebSocketOpcodeData - * - * \param de pointer to DetectWebSocketOpcodeData - */ -static void DetectWebSocketOpcodeFree(DetectEngineCtx *de_ctx, void *de_ptr) -{ - rs_detect_u8_free(de_ptr); -} - -/** - * \internal - * \brief Function to match opcode of a websocket tx - * - * \param det_ctx Pointer to the pattern matcher thread. - * \param f Pointer to the current flow. - * \param flags Flags. - * \param state App layer state. - * \param txv Pointer to the transaction. - * \param s Pointer to the Signature. - * \param ctx Pointer to the sigmatch that we will cast into DetectWebSocketOpcodeData. - * - * \retval 0 no match. - * \retval 1 match. - */ -static int DetectWebSocketOpcodeMatch(DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags, - void *state, void *txv, const Signature *s, const SigMatchCtx *ctx) -{ - const DetectU8Data *de = (const DetectU8Data *)ctx; - uint8_t opc = SCWebSocketGetOpcode(txv); - return DetectU8Match(opc, de); -} - -/** - * \internal - * \brief this function is used to add the parsed sigmatch into the current signature - * - * \param de_ctx pointer to the Detection Engine Context - * \param s pointer to the Current Signature - * \param rawstr pointer to the user provided options - * - * \retval 0 on Success - * \retval -1 on Failure - */ -static int DetectWebSocketOpcodeSetup(DetectEngineCtx *de_ctx, Signature *s, const char *rawstr) -{ - if (DetectSignatureSetAppProto(s, ALPROTO_WEBSOCKET) < 0) - return -1; - - DetectU8Data *de = SCWebSocketParseOpcode(rawstr); - if (de == NULL) - return -1; - - if (SigMatchAppendSMToList( - de_ctx, s, DETECT_WEBSOCKET_OPCODE, (SigMatchCtx *)de, websocket_tx_id) == NULL) { - DetectWebSocketOpcodeFree(de_ctx, de); - return -1; - } - - return 0; -} - -/** - * \internal - * \brief this function will free memory associated with DetectWebSocketMaskData - * - * \param de pointer to DetectWebSocketMaskData - */ -static void DetectWebSocketMaskFree(DetectEngineCtx *de_ctx, void *de_ptr) -{ - rs_detect_u32_free(de_ptr); -} - -static int DetectWebSocketMaskMatch(DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags, - void *state, void *txv, const Signature *s, const SigMatchCtx *ctx) -{ - uint32_t val; - const DetectU32Data *du32 = (const DetectU32Data *)ctx; - if (SCWebSocketGetMask(txv, &val)) { - return DetectU32Match(val, du32); - } - return 0; -} - -static int DetectWebSocketMaskSetup(DetectEngineCtx *de_ctx, Signature *s, const char *rawstr) -{ - if (DetectSignatureSetAppProto(s, ALPROTO_WEBSOCKET) < 0) - return -1; - - DetectU32Data *du32 = DetectU32Parse(rawstr); - if (du32 == NULL) - return -1; - - if (SigMatchAppendSMToList( - de_ctx, s, DETECT_WEBSOCKET_MASK, (SigMatchCtx *)du32, websocket_tx_id) == NULL) { - DetectWebSocketMaskFree(de_ctx, du32); - return -1; - } - - return 0; -} - -static void DetectWebSocketFlagsFree(DetectEngineCtx *de_ctx, void *de_ptr) -{ - rs_detect_u8_free(de_ptr); -} - -static int DetectWebSocketFlagsMatch(DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags, - void *state, void *txv, const Signature *s, const SigMatchCtx *ctx) -{ - const DetectU8Data *de = (const DetectU8Data *)ctx; - uint8_t val = SCWebSocketGetFlags(txv); - return DetectU8Match(val, de); -} - -static int DetectWebSocketFlagsSetup(DetectEngineCtx *de_ctx, Signature *s, const char *rawstr) -{ - if (DetectSignatureSetAppProto(s, ALPROTO_WEBSOCKET) < 0) - return -1; - - DetectU8Data *de = SCWebSocketParseFlags(rawstr); - if (de == NULL) - return -1; - - if (SigMatchAppendSMToList( - de_ctx, s, DETECT_WEBSOCKET_FLAGS, (SigMatchCtx *)de, websocket_tx_id) == NULL) { - DetectWebSocketOpcodeFree(de_ctx, de); - return -1; - } - - return 0; -} - -static int DetectWebSocketPayloadSetup(DetectEngineCtx *de_ctx, Signature *s, const char *rulestr) -{ - if (DetectBufferSetActiveList(de_ctx, s, websocket_payload_id) < 0) - return -1; - - if (DetectSignatureSetAppProto(s, ALPROTO_WEBSOCKET) != 0) - return -1; - - return 0; -} - -static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, - const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv, - const int list_id) -{ - InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); - if (buffer->inspect == NULL) { - const uint8_t *b = NULL; - uint32_t b_len = 0; - - if (!SCWebSocketGetPayload(txv, &b, &b_len)) - return NULL; - if (b == NULL || b_len == 0) - return NULL; - - InspectionBufferSetup(det_ctx, list_id, buffer, b, b_len); - InspectionBufferApplyTransforms(buffer, transforms); - } - return buffer; -} - -/** - * \brief Registration function for websocket.opcode: keyword - */ -void DetectWebsocketRegister(void) -{ - sigmatch_table[DETECT_WEBSOCKET_OPCODE].name = "websocket.opcode"; - sigmatch_table[DETECT_WEBSOCKET_OPCODE].desc = "match WebSocket opcode"; - sigmatch_table[DETECT_WEBSOCKET_OPCODE].url = "/rules/websocket-keywords.html#websocket-opcode"; - sigmatch_table[DETECT_WEBSOCKET_OPCODE].AppLayerTxMatch = DetectWebSocketOpcodeMatch; - sigmatch_table[DETECT_WEBSOCKET_OPCODE].Setup = DetectWebSocketOpcodeSetup; - sigmatch_table[DETECT_WEBSOCKET_OPCODE].Free = DetectWebSocketOpcodeFree; - - DetectAppLayerInspectEngineRegister("websocket.tx", ALPROTO_WEBSOCKET, SIG_FLAG_TOSERVER, 1, - DetectEngineInspectGenericList, NULL); - DetectAppLayerInspectEngineRegister("websocket.tx", ALPROTO_WEBSOCKET, SIG_FLAG_TOCLIENT, 1, - DetectEngineInspectGenericList, NULL); - - websocket_tx_id = DetectBufferTypeGetByName("websocket.tx"); - - sigmatch_table[DETECT_WEBSOCKET_MASK].name = "websocket.mask"; - sigmatch_table[DETECT_WEBSOCKET_MASK].desc = "match WebSocket mask"; - sigmatch_table[DETECT_WEBSOCKET_MASK].url = "/rules/websocket-keywords.html#websocket-mask"; - sigmatch_table[DETECT_WEBSOCKET_MASK].AppLayerTxMatch = DetectWebSocketMaskMatch; - sigmatch_table[DETECT_WEBSOCKET_MASK].Setup = DetectWebSocketMaskSetup; - sigmatch_table[DETECT_WEBSOCKET_MASK].Free = DetectWebSocketMaskFree; - - sigmatch_table[DETECT_WEBSOCKET_FLAGS].name = "websocket.flags"; - sigmatch_table[DETECT_WEBSOCKET_FLAGS].desc = "match WebSocket flags"; - sigmatch_table[DETECT_WEBSOCKET_FLAGS].url = "/rules/websocket-keywords.html#websocket-flags"; - sigmatch_table[DETECT_WEBSOCKET_FLAGS].AppLayerTxMatch = DetectWebSocketFlagsMatch; - sigmatch_table[DETECT_WEBSOCKET_FLAGS].Setup = DetectWebSocketFlagsSetup; - sigmatch_table[DETECT_WEBSOCKET_FLAGS].Free = DetectWebSocketFlagsFree; - - sigmatch_table[DETECT_WEBSOCKET_PAYLOAD].name = "websocket.payload"; - sigmatch_table[DETECT_WEBSOCKET_PAYLOAD].desc = "match WebSocket payload"; - sigmatch_table[DETECT_WEBSOCKET_PAYLOAD].url = - "/rules/websocket-keywords.html#websocket-payload"; - sigmatch_table[DETECT_WEBSOCKET_PAYLOAD].Setup = DetectWebSocketPayloadSetup; - sigmatch_table[DETECT_WEBSOCKET_PAYLOAD].flags |= SIGMATCH_NOOPT; - DetectAppLayerInspectEngineRegister("websocket.payload", ALPROTO_WEBSOCKET, SIG_FLAG_TOSERVER, - 0, DetectEngineInspectBufferGeneric, GetData); - DetectAppLayerInspectEngineRegister("websocket.payload", ALPROTO_WEBSOCKET, SIG_FLAG_TOCLIENT, - 0, DetectEngineInspectBufferGeneric, GetData); - DetectAppLayerMpmRegister("websocket.payload", SIG_FLAG_TOSERVER, 2, - PrefilterGenericMpmRegister, GetData, ALPROTO_WEBSOCKET, 1); - DetectAppLayerMpmRegister("websocket.payload", SIG_FLAG_TOCLIENT, 2, - PrefilterGenericMpmRegister, GetData, ALPROTO_WEBSOCKET, 1); - websocket_payload_id = DetectBufferTypeGetByName("websocket.payload"); -} diff --git a/src/detect-websocket.h b/src/detect-websocket.h deleted file mode 100644 index 54e8a22ae4..0000000000 --- a/src/detect-websocket.h +++ /dev/null @@ -1,29 +0,0 @@ -/* Copyright (C) 2023 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Philippe Antoine - */ - -#ifndef __DETECT_WEBSOCKET_H__ -#define __DETECT_WEBSOCKET_H__ - -void DetectWebsocketRegister(void); - -#endif /* __DETECT_WEBSOCKET_H__ */