From 9bb51ec99c2dca0af4d97fa3eee5822f217569e2 Mon Sep 17 00:00:00 2001 From: Anoop Saldanha Date: Wed, 15 Feb 2012 19:16:34 +0530 Subject: [PATCH 1/2] feature #414 - support listing supported keywords. Remove support for dummy keywords __address__, __proto__, __port__. Remove support for recursive keyword and all references to it --- src/detect-engine-address.c | 11 -------- src/detect-engine-address.h | 3 ++ src/detect-engine-port.c | 11 -------- src/detect-engine-port.h | 4 +- src/detect-engine-proto.c | 15 ----------- src/detect-engine-proto.h | 3 +- src/detect-pcre.c | 33 ++---------------------- src/detect-recursive.c | 58 ------------------------------------------- src/detect-recursive.h | 31 ----------------------- src/detect.c | 40 +++++++++++++++++------------ src/detect.h | 53 ++++++++++++++++----------------------- src/suricata.c | 21 ++++++++++++++- 12 files changed, 74 insertions(+), 209 deletions(-) diff --git a/src/detect-engine-address.c b/src/detect-engine-address.c index ac49abe..5603c83 100644 --- a/src/detect-engine-address.c +++ b/src/detect-engine-address.c @@ -44,17 +44,6 @@ #include "util-debug.h" #include "util-print.h" -void DetectAddressTests(void); - -void DetectAddressRegister(void) -{ - sigmatch_table[DETECT_ADDRESS].name = "__address__"; - sigmatch_table[DETECT_ADDRESS].Match = NULL; - sigmatch_table[DETECT_ADDRESS].Setup = NULL; - sigmatch_table[DETECT_ADDRESS].Free = NULL; - sigmatch_table[DETECT_ADDRESS].RegisterTests = DetectAddressTests; -} - /* prototypes */ void DetectAddressPrint(DetectAddress *); static int DetectAddressCutNot(DetectAddress *, DetectAddress **); diff --git a/src/detect-engine-address.h b/src/detect-engine-address.h index 628f208..6a924a9 100644 --- a/src/detect-engine-address.h +++ b/src/detect-engine-address.h 
@@ -55,4 +55,7 @@ int DetectAddressCmp(DetectAddress *, DetectAddress *); int DetectAddressMatchIPv4(DetectMatchAddressIPv4 *, uint16_t, Address *); int DetectAddressMatchIPv6(DetectMatchAddressIPv6 *, uint16_t, Address *); + +void DetectAddressTests(void); + #endif /* __DETECT_ADDRESS_H__ */ diff --git a/src/detect-engine-port.c b/src/detect-engine-port.c index 481cd91..666dcd4 100644 --- a/src/detect-engine-port.c +++ b/src/detect-engine-port.c @@ -47,7 +47,6 @@ #include "util-debug.h" #include "util-error.h" -void DetectPortTests(void); static int DetectPortCutNot(DetectPort *, DetectPort **); static int DetectPortCut(DetectEngineCtx *, DetectPort *, DetectPort *, DetectPort **); @@ -59,16 +58,6 @@ static uint32_t detect_port_memory = 0; static uint32_t detect_port_init_cnt = 0; static uint32_t detect_port_free_cnt = 0; -/** DetectPort module registration */ -void DetectPortRegister(void) { - sigmatch_table[DETECT_PORT].name = "__port__"; - sigmatch_table[DETECT_PORT].Match = NULL; - sigmatch_table[DETECT_PORT].Setup = NULL; - sigmatch_table[DETECT_PORT].Free = NULL; - sigmatch_table[DETECT_PORT].RegisterTests = DetectPortTests; -} - - /** * \brief Alloc a DetectPort structure and update counters * diff --git a/src/detect-engine-port.h b/src/detect-engine-port.h index d526fd4..7d79021 100644 --- a/src/detect-engine-port.h +++ b/src/detect-engine-port.h @@ -25,8 +25,6 @@ #define __DETECT_PORT_H__ /* prototypes */ -void DetectPortRegister (void); - int DetectPortParse(DetectPort **head, char *str); DetectPort *DetectPortCopy(DetectEngineCtx *, DetectPort *); @@ -62,5 +60,7 @@ void DetectPortPrintList(DetectPort *head); int DetectPortCmp(DetectPort *, DetectPort *); void DetectPortFree(DetectPort *); +void DetectPortTests(void); + #endif /* __DETECT_PORT_H__ */ diff --git a/src/detect-engine-proto.c b/src/detect-engine-proto.c index f903e04..fcee714 100644 --- a/src/detect-engine-proto.c +++ b/src/detect-engine-proto.c 
@@ -44,21 +44,6 @@ #include "util-unittest-helper.h" #include "util-debug.h" -/*Prototypes*/ -void DetectProtoTests (void); - -/** - * \brief To register the protocol detection function - */ -void DetectProtoRegister (void) -{ - sigmatch_table[DETECT_PROTO].name = "__proto__"; - sigmatch_table[DETECT_PROTO].Match = NULL; - sigmatch_table[DETECT_PROTO].Setup = NULL; - sigmatch_table[DETECT_PROTO].Free = NULL; - sigmatch_table[DETECT_PROTO].RegisterTests = DetectProtoTests; -} - /** * \brief Function to initialize the protocol detection and * allocate memory to the DetectProto structure. diff --git a/src/detect-engine-proto.h b/src/detect-engine-proto.h index b7c1fc1..d9f6a3a 100644 --- a/src/detect-engine-proto.h +++ b/src/detect-engine-proto.h @@ -37,9 +37,10 @@ typedef struct DetectProto_ { } DetectProto; /* prototypes */ -void DetectProtoRegister (void); int DetectProtoParse(DetectProto *dp, char *str); int DetectProtoContainsProto(DetectProto *, int); +void DetectProtoTests(void); + #endif /* __DETECT_PROTO_H__ */ diff --git a/src/detect-pcre.c b/src/detect-pcre.c index af7a748..714c9b7 100644 --- a/src/detect-pcre.c +++ b/src/detect-pcre.c 
@@ -93,24 +93,6 @@ void DetectPcreRegister (void) { sigmatch_table[DETECT_PCRE].flags |= SIGMATCH_PAYLOAD; - sigmatch_table[DETECT_PCRE_HTTPCOOKIE].name = "__pcre_http_cookie__"; /* not a real keyword */ - sigmatch_table[DETECT_PCRE_HTTPCOOKIE].Match = NULL; - sigmatch_table[DETECT_PCRE_HTTPCOOKIE].AppLayerMatch = DetectPcreALMatchCookie; - sigmatch_table[DETECT_PCRE_HTTPCOOKIE].alproto = ALPROTO_HTTP; - sigmatch_table[DETECT_PCRE_HTTPCOOKIE].Setup = NULL; - sigmatch_table[DETECT_PCRE_HTTPCOOKIE].Free = DetectPcreFree; - sigmatch_table[DETECT_PCRE_HTTPCOOKIE].RegisterTests = NULL; - sigmatch_table[DETECT_PCRE_HTTPCOOKIE].flags |= SIGMATCH_PAYLOAD; - - sigmatch_table[DETECT_PCRE_HTTPMETHOD].name = "__pcre_http_method__"; /* not a real keyword */ - sigmatch_table[DETECT_PCRE_HTTPMETHOD].Match = NULL; - sigmatch_table[DETECT_PCRE_HTTPMETHOD].AppLayerMatch = DetectPcreALMatchMethod; - sigmatch_table[DETECT_PCRE_HTTPMETHOD].alproto = ALPROTO_HTTP; - sigmatch_table[DETECT_PCRE_HTTPMETHOD].Setup = NULL; - sigmatch_table[DETECT_PCRE_HTTPMETHOD].Free = DetectPcreFree; - sigmatch_table[DETECT_PCRE_HTTPMETHOD].RegisterTests = NULL; - sigmatch_table[DETECT_PCRE_HTTPMETHOD].flags |= SIGMATCH_PAYLOAD; - const char *eb; int eo; int opts = 0; @@ -490,10 +472,7 @@ int DetectPcrePayloadMatch(DetectEngineThreadCtx *det_ctx, Signature *s, //if (pe->flags & DETECT_PCRE_HTTP_BODY_AL) // SCReturnInt(0); - if (s->flags & SIG_FLAG_RECURSIVE) { - ptr = payload + det_ctx->buffer_offset; - len = payload_len - det_ctx->buffer_offset; - } else if (pe->flags & DETECT_PCRE_RELATIVE) { + if (pe->flags & DETECT_PCRE_RELATIVE) { ptr = payload + det_ctx->buffer_offset; len = payload_len - det_ctx->buffer_offset; } else { 
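Review bot: Removing the `DETECT_PCRE_HTTPCOOKIE` and `DETECT_PCRE_HTTPMETHOD` entries from `DetectPcreRegister` drops the only references to `DetectPcreALMatchCookie` and `DetectPcreALMatchMethod` that this patch shows, and no hunk deletes either function. If nothing else calls them they are now dead code and should be removed in the same commit, or kept with a comment saying why. The commit message names only `__address__`, `__proto__`, `__port__` and `recursive`, so the pcre pseudo-keywords are worth listing there too. `DetectPcreRegister` continues past the end of the hunk.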
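Review bot: The relative branch kept in `DetectPcrePayloadMatch` computes `len = payload_len - det_ctx->buffer_offset` with no visible check that the offset lies inside the payload, and unlike the same branch in `DetectPcrePacketPayloadMatch` and `DetectPcrePayloadDoMatch` (hunks at -587 and -680) it has no `ptr == NULL || len == 0` test inside it either. The declarations of `len` and `buffer_offset` are outside the hunks, but if they are unsigned, an offset larger than the length wraps `len` to a huge value and the pcre call could read past the buffer; the `len == 0` test in the other two functions would not catch that. Since the commit is already simplifying this condition, a guard such as `if (det_ctx->buffer_offset > payload_len) SCReturnInt(0);` before the subtraction would make the bound explicit in all three places. All three function bodies start and end outside their hunks.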
@@ -587,10 +566,7 @@ int DetectPcrePacketPayloadMatch(DetectEngineThreadCtx *det_ctx, Packet *p, Sign if (pe->flags & DETECT_PCRE_HTTP_CLIENT_BODY) SCReturnInt(0); - if (s->flags & SIG_FLAG_RECURSIVE) { - ptr = p->payload + det_ctx->buffer_offset; - len = p->payload_len - det_ctx->buffer_offset; - } else if (pe->flags & DETECT_PCRE_RELATIVE) { + if (pe->flags & DETECT_PCRE_RELATIVE) { ptr = p->payload + det_ctx->buffer_offset; len = p->payload_len - det_ctx->buffer_offset; if (ptr == NULL || len == 0) @@ -680,10 +656,7 @@ int DetectPcrePayloadDoMatch(DetectEngineThreadCtx *det_ctx, Signature *s, if (pe->flags & DETECT_PCRE_HTTP_CLIENT_BODY) SCReturnInt(0); - if (s->flags & SIG_FLAG_RECURSIVE) { - ptr = data + det_ctx->buffer_offset; - len = data_len - det_ctx->buffer_offset; - } else if (pe->flags & DETECT_PCRE_RELATIVE) { + if (pe->flags & DETECT_PCRE_RELATIVE) { ptr = data + det_ctx->buffer_offset; len = data_len - det_ctx->buffer_offset; if (ptr == NULL || len == 0) diff --git a/src/detect-recursive.c b/src/detect-recursive.c index 9ce3a38..e69de29 100644 --- a/src/detect-recursive.c +++ b/src/detect-recursive.c 
@@ -1,58 +0,0 @@ -/* Copyright (C) 2007-2010 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Victor Julien - * - * Implements recursive keyword support - * - * Used to capture variables recursively in a payload, - * used for example to extract http_uri for uricontent. - * - * Note: non Snort compatible. - */ - -#include "suricata-common.h" -#include "decode.h" -#include "detect.h" -#include "flow-var.h" - -static int DetectRecursiveSetup (DetectEngineCtx *, Signature *, char *); - -void DetectRecursiveRegister (void) { - sigmatch_table[DETECT_RECURSIVE].name = "recursive"; - sigmatch_table[DETECT_RECURSIVE].Match = NULL; - sigmatch_table[DETECT_RECURSIVE].Setup = DetectRecursiveSetup; - sigmatch_table[DETECT_RECURSIVE].Free = NULL; - sigmatch_table[DETECT_RECURSIVE].RegisterTests = NULL; - - sigmatch_table[DETECT_RECURSIVE].flags |= SIGMATCH_NOOPT; -} - -static int DetectRecursiveSetup (DetectEngineCtx *de_ctx, Signature *s, char *nullstr) -{ - if (nullstr != NULL) { - printf("DetectRecursiveSetup: recursive has no value\n"); - return -1; - } - - s->flags |= SIG_FLAG_RECURSIVE; - return 0; -} - diff --git a/src/detect-recursive.h b/src/detect-recursive.h index 0f7c08a..e69de29 100644 --- a/src/detect-recursive.h +++ b/src/detect-recursive.h 
@@ -1,31 +0,0 @@ -/* Copyright (C) 2007-2010 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Victor Julien - */ - -#ifndef __DETECT_RECURSIVE_H__ -#define __DETECT_RECURSIVE_H__ - -/* prototypes */ -void DetectRecursiveRegister (void); - -#endif /* __DETECT_RECURSIVE_H__ */ - diff --git a/src/detect.c b/src/detect.c index 0af421b..ccbe562 100644 --- a/src/detect.c +++ b/src/detect.c @@ -65,7 +65,6 @@ #include "detect-pcre.h" #include "detect-depth.h" #include "detect-nocase.h" -#include "detect-recursive.h" #include "detect-rawbytes.h" #include "detect-bytetest.h" #include "detect-bytejump.h" @@ -2204,8 +2203,6 @@ static int SignatureCreateMask(Signature *s) { case DETECT_AL_HTTP_RAW_HEADER: case DETECT_AL_HTTP_URI: case DETECT_AL_HTTP_RAW_URI: - case DETECT_PCRE_HTTPBODY: - case DETECT_PCRE_HTTPHEADER: s->mask |= SIG_MASK_REQUIRE_HTTP_STATE; SCLogDebug("sig requires dce http state"); break; 
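Review bot: `src/detect-recursive.c` and `src/detect-recursive.h` are emptied rather than deleted. Both file headers carry an `index` line ending in `e69de29`, the abbreviated id git gives an empty blob, there is no `deleted file mode` line, and the diffstat lists no build-file change. That leaves two zero-byte files in the tree, and if the `.c` file is still named in the build's source list it is compiled as an empty translation unit. With `#include "detect-recursive.h"` removed from `src/detect.c` in this hunk, nothing visible still needs them, so I would `git rm` both and drop them from the build sources in this commit.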
@@ -4433,13 +4430,23 @@ int SigGroupCleanup (DetectEngineCtx *de_ctx) { return 0; } +void SigTableList(void) +{ + size_t size = sizeof(sigmatch_table) / sizeof(SigTableElmt); + + size_t i; + printf("=====Supported keywords=====\n"); + for (i = 0; i < size; i++) { + if (sigmatch_table[i].name != NULL) + printf("- %s\n", sigmatch_table[i].name); + } + + return; +} + void SigTableSetup(void) { memset(sigmatch_table, 0, sizeof(sigmatch_table)); - DetectAddressRegister(); - DetectProtoRegister(); - DetectPortRegister(); - DetectSidRegister(); DetectPriorityRegister(); DetectRevRegister(); @@ -4456,7 +4463,6 @@ void SigTableSetup(void) { DetectPcreRegister(); DetectDepthRegister(); DetectNocaseRegister(); - DetectRecursiveRegister(); DetectRawbytesRegister(); DetectBytetestRegister(); DetectBytejumpRegister(); @@ -4629,7 +4635,7 @@ static int SigTest01Real (int mpm_type) { Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP); int result = 0; - char sig[] = "alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; recursive; sid:1;)"; + char sig[] = "alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)"; if (UTHPacketMatchSigMpm(p, sig, mpm_type) == 0) { result = 0; goto end; @@ -4915,7 +4921,7 @@ static int SigTest06Real (int mpm_type) { de_ctx->mpm_matcher = mpm_type; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; recursive; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)"); if (de_ctx->sig_list == NULL) { result = 0; goto end; 
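Review bot: `SigTableList` is a new public function with no doc comment, although other files in this patch use Doxygen `\brief` blocks; a line such as `/** \brief Print the name of every registered rule keyword to stdout */` above it would match. In the body, `sizeof(sigmatch_table) / sizeof(sigmatch_table[0])` gives the element count without depending on the name `SigTableElmt`, and the trailing `return;` in a `void` function can be dropped. The loop prints every entry whose `name` is non-NULL, so any placeholder names of the `__...__` form that survive this cleanup would appear in the user-facing list; it is worth confirming none are left.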
@@ -5008,7 +5014,7 @@ static int SigTest07Real (int mpm_type) { de_ctx->mpm_matcher = mpm_type; de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; recursive; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)"); if (de_ctx->sig_list == NULL) { result = 0; goto end; @@ -8651,7 +8657,7 @@ static int SigTestMemory01 (void) { de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; recursive; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)"); if (de_ctx->sig_list == NULL) { result = 0; goto end; @@ -8692,12 +8698,12 @@ static int SigTestMemory02 (void) { } de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 456 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; recursive; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 456 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)"); if (de_ctx->sig_list == NULL) { result = 0; goto end; } - de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any 1:1000 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; recursive; sid:2;)"); + de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any 1:1000 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:2;)"); if (de_ctx->sig_list->next == NULL) { result = 0; goto end; 
@@ -8735,17 +8741,17 @@ static int SigTestMemory03 (void) { } de_ctx->flags |= DE_QUIET; - de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> 1.2.3.4 456 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; recursive; sid:1;)"); + de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> 1.2.3.4 456 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)"); if (de_ctx->sig_list == NULL) { result = 0; goto end; } - de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> 1.2.3.3-1.2.3.6 1:1000 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; recursive; sid:2;)"); + de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> 1.2.3.3-1.2.3.6 1:1000 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:2;)"); if (de_ctx->sig_list->next == NULL) { result = 0; goto end; } - de_ctx->sig_list->next->next = SigInit(de_ctx,"alert tcp any any -> !1.2.3.5 1:990 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; recursive; sid:3;)"); + de_ctx->sig_list->next->next = SigInit(de_ctx,"alert tcp any any -> !1.2.3.5 1:990 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:3;)"); if (de_ctx->sig_list->next->next == NULL) { result = 0; goto end; diff --git a/src/detect.h b/src/detect.h index d2790f4..b7603b9 100644 --- a/src/detect.h +++ b/src/detect.h 
@@ -230,36 +230,34 @@ typedef struct DetectPort_ { } DetectPort; /* Signature flags */ -#define SIG_FLAG_RECURSIVE (1) /**< recursive capturing enabled */ +#define SIG_FLAG_SRC_ANY (1) /**< source is any */ +#define SIG_FLAG_DST_ANY (1<<1) /**< destination is any */ +#define SIG_FLAG_SP_ANY (1<<2) /**< source port is any */ +#define SIG_FLAG_DP_ANY (1<<3) /**< destination port is any */ -#define SIG_FLAG_SRC_ANY (1<<1) /**< source is any */ -#define SIG_FLAG_DST_ANY (1<<2) /**< destination is any */ -#define SIG_FLAG_SP_ANY (1<<3) /**< source port is any */ -#define SIG_FLAG_DP_ANY (1<<4) /**< destination port is any */ +#define SIG_FLAG_NOALERT (1<<4) /**< no alert flag is set */ +#define SIG_FLAG_DSIZE (1<<5) /**< signature has a dsize setting */ +#define SIG_FLAG_APPLAYER (1<<6) /**< signature applies to app layer instead of packets */ +#define SIG_FLAG_IPONLY (1<<7) /**< ip only signature */ -#define SIG_FLAG_NOALERT (1<<5) /**< no alert flag is set */ -#define SIG_FLAG_DSIZE (1<<6) /**< signature has a dsize setting */ -#define SIG_FLAG_APPLAYER (1<<7) /**< signature applies to app layer instead of packets */ -#define SIG_FLAG_IPONLY (1<<8) /**< ip only signature */ +#define SIG_FLAG_STATE_MATCH (1<<8) /**< signature has matches that require stateful inspection */ -#define SIG_FLAG_STATE_MATCH (1<<9) /**< signature has matches that require stateful inspection */ +#define SIG_FLAG_REQUIRE_PACKET (1<<9) /**< signature is requiring packet match */ +#define SIG_FLAG_REQUIRE_STREAM (1<<10) /**< signature is requiring stream match */ -#define SIG_FLAG_REQUIRE_PACKET (1<<10) /**< signature is requiring packet match */ -#define SIG_FLAG_REQUIRE_STREAM (1<<11) /**< signature is requiring stream match */ +#define SIG_FLAG_MPM_PACKET (1<<11) +#define SIG_FLAG_MPM_PACKET_NEG (1<<12) +#define SIG_FLAG_MPM_STREAM (1<<13) +#define SIG_FLAG_MPM_STREAM_NEG (1<<14) +#define SIG_FLAG_MPM_HTTP (1<<15) +#define SIG_FLAG_MPM_HTTP_NEG (1<<16) -#define SIG_FLAG_MPM_PACKET (1<<12) 
-#define SIG_FLAG_MPM_PACKET_NEG (1<<13) -#define SIG_FLAG_MPM_STREAM (1<<14) -#define SIG_FLAG_MPM_STREAM_NEG (1<<15) -#define SIG_FLAG_MPM_HTTP (1<<16) -#define SIG_FLAG_MPM_HTTP_NEG (1<<17) +#define SIG_FLAG_REQUIRE_FLOWVAR (1<<17) /**< signature can only match if a flowbit, flowvar or flowint is available. */ -#define SIG_FLAG_REQUIRE_FLOWVAR (1<<18) /**< signature can only match if a flowbit, flowvar or flowint is available. */ +#define SIG_FLAG_FILESTORE (1<<18) /**< signature has filestore keyword */ -#define SIG_FLAG_FILESTORE (1<<19) /**< signature has filestore keyword */ - -#define SIG_FLAG_TOSERVER (1<<20) -#define SIG_FLAG_TOCLIENT (1<<21) +#define SIG_FLAG_TOSERVER (1<<19) +#define SIG_FLAG_TOCLIENT (1<<20) /* signature init flags */ #define SIG_FLAG_INIT_DEONLY 1 /**< decode event only signature */ @@ -949,10 +947,6 @@ enum { DETECT_CONTENT, DETECT_URICONTENT, DETECT_PCRE, - DETECT_PCRE_HTTPBODY, - DETECT_PCRE_HTTPCOOKIE, - DETECT_PCRE_HTTPHEADER, - DETECT_PCRE_HTTPMETHOD, DETECT_ACK, DETECT_SEQ, DETECT_DEPTH, @@ -962,7 +956,6 @@ enum { DETECT_REPLACE, DETECT_NOCASE, DETECT_FAST_PATTERN, - DETECT_RECURSIVE, DETECT_RAWBYTES, DETECT_BYTETEST, DETECT_BYTEJUMP, @@ -997,9 +990,6 @@ enum { DETECT_ICMP_SEQ, DETECT_DETECTION_FILTER, - DETECT_ADDRESS, - DETECT_PROTO, - DETECT_PORT, DETECT_DECODE_EVENT, DETECT_IPOPTS, DETECT_FLAGS, @@ -1064,6 +1054,7 @@ int SigGroupCleanup (DetectEngineCtx *de_ctx); void SigAddressPrepareBidirectionals (DetectEngineCtx *); int SigLoadSignatures (DetectEngineCtx *, char *, int); +void SigTableList(void); void SigTableSetup(void); int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p); diff --git a/src/suricata.c b/src/suricata.c index 5fe8aa1..5244ff5 100644 --- a/src/suricata.c +++ b/src/suricata.c 
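Review bot: Every `SIG_FLAG_*` value from `SIG_FLAG_SRC_ANY` through `SIG_FLAG_TOCLIENT` is shifted down one bit only to reclaim the slot `SIG_FLAG_RECURSIVE` held, so removing one flag rewrites about twenty definitions. That is safe only if the flags are always used by name; anything that prints or compares the raw `flags` value changes meaning, and this hunk cannot show whether such code exists. Leaving bit 0 unused would keep the change to one deleted line. If the renumbering stays, `#define SIG_FLAG_SRC_ANY (1<<0)` would match the shifted form used by the other flags.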
@@ -52,6 +52,9 @@ #include "detect-parse.h" #include "detect-engine.h" +#include "detect-engine-address.h" +#include "detect-engine-proto.h" +#include "detect-engine-port.h" #include "detect-engine-mpm.h" #include "detect-engine-sigorder.h" #include "detect-engine-payload.h" @@ -434,6 +437,7 @@ void usage(const char *progname) printf("\t-u : run the unittests and exit\n"); printf("\t-U, --unittest-filter=REGEX : filter unittests with a regex\n"); printf("\t--list-unittests : list unit tests\n"); + printf("\t--list-keywords : list all keywords implemented by the engine\n"); printf("\t--fatal-unittests : enable fatal failure on unittest error\n"); #endif /* UNITTESTS */ #ifdef __SC_CUDA_SUPPORT__ @@ -610,6 +614,7 @@ int main(int argc, char **argv) int list_unittests = 0; int list_cuda_cards = 0; int list_runmodes = 0; + int list_keywords = 0; const char *runmode_custom_mode = NULL; int daemon = 0; #ifndef OS_WIN32 @@ -686,6 +691,7 @@ int main(int argc, char **argv) {"list-unittests", 0, &list_unittests, 1}, {"list-cuda-cards", 0, &list_cuda_cards, 1}, {"list-runmodes", 0, &list_runmodes, 1}, + {"list-keywords", 0, &list_keywords, 1}, {"runmode", required_argument, NULL, 0}, {"engine-analysis", 0, &engine_analysis, 1}, #ifdef OS_WIN32 @@ -835,6 +841,8 @@ int main(int argc, char **argv) } else if (strcmp((long_opts[option_index]).name, "list-runmodes") == 0) { RunModeListRunmodes(); exit(EXIT_SUCCESS); + } else if (strcmp((long_opts[option_index]).name, "list-keywords") == 0) { + // do nothing } else if (strcmp((long_opts[option_index]).name, "runmode") == 0) { runmode_custom_mode = optarg; } else if(strcmp((long_opts[option_index]).name, "engine-analysis") == 0) { @@ -1170,7 +1178,8 @@ int main(int argc, char **argv) } } - } else if (run_mode != RUNMODE_UNITTEST){ + } else if (run_mode != RUNMODE_UNITTEST && + !list_keywords){ SCLogError(SC_ERR_OPENING_FILE, "Configuration file has not been provided"); usage(argv[0]); exit(EXIT_FAILURE); 
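Review bot: The help line for `--list-keywords` in `usage()` is added between the `--list-unittests` and `--fatal-unittests` lines, directly above `#endif /* UNITTESTS */`, so it appears to be printed only in unittest builds. The option itself is registered in `long_opts` beside `list-runmodes` and handled in `main` with no visible `UNITTESTS` guard, so a normal build would accept the flag without documenting it. Moving the `printf("\t--list-keywords : ...")` line out of the conditional block would fix that. The opening `#ifdef` is outside the hunk, so confirm the guard before moving it.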
@@ -1256,7 +1265,7 @@ int main(int argc, char **argv) DefragInit(); if (run_mode == RUNMODE_UNKNOWN) { - if (!engine_analysis) { + if (!engine_analysis && !list_keywords) { usage(argv[0]); exit(EXIT_FAILURE); } @@ -1287,8 +1296,13 @@ int main(int argc, char **argv) /* hardcoded initialization code */ MpmTableSetup(); /* load the pattern matchers */ SigTableSetup(); /* load the rule keywords */ + if (list_keywords) { + SigTableList(); + exit(EXIT_FAILURE); + } TmqhSetup(); + CIDRInit(); SigParsePrepare(); //PatternMatchPrepare(mpm_ctx, MPM_B2G); @@ -1446,6 +1460,9 @@ int main(int argc, char **argv) SMTPParserRegisterTests(); MagicRegisterTests(); UtilMiscRegisterTests(); + DetectAddressTests(); + DetectProtoTests(); + DetectPortTests(); if (list_unittests) { UtListTests(regex_arg); } -- 1.7.1
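Review bot: In the `list_keywords` block added after `SigTableSetup()`, a successful listing ends with `exit(EXIT_FAILURE);`, so any script calling `--list-keywords` sees an error status. The `list-runmodes` branch visible earlier in this patch uses `exit(EXIT_SUCCESS);`, and this block should do the same. The same hunk adds a stray blank line before `CIDRInit();`. The listing is reached only after the earlier start-up steps in `main` (the hunk at -1256 shows `DefragInit()` before it), which is more work than the other `--list-*` options do, although `SigTableSetup()` does have to run first. `main` starts and ends outside the hunk.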