aboutsummaryrefslogtreecommitdiffstats
path: root/framework/src/suricata/src/detect-engine-apt-event.c
blob: 5ca416892dc627fe1e3b8d148971d79ef4b352f9 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79

/* Copyright (C) 2007-2013 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */

/** \file
 *
 * \author Anoop Saldanha <anoopsaldanha@gmail.com>
 */

#include "suricata-common.h"
#include "suricata.h"

#include "app-layer-parser.h"
#include "detect-app-layer-event.h"
#include "detect-engine-state.h"
#include "stream.h"
#include "detect-engine-apt-event.h"
#include "util-profiling.h"
#include "util-unittest.h"

int DetectEngineAptEventInspect(ThreadVars *tv,
                                DetectEngineCtx *de_ctx,
                                DetectEngineThreadCtx *det_ctx,
                                Signature *s, Flow *f, uint8_t flags,
                                void *alstate,
                                void *tx, uint64_t tx_id)
{
    AppLayerDecoderEvents *decoder_events = NULL;
    int r = 0;
    AppProto alproto;
    SigMatch *sm;
    DetectAppLayerEventData *aled = NULL;

    alproto = f->alproto;
    decoder_events = AppLayerParserGetEventsByTx(f->proto, alproto, alstate, tx_id);
    if (decoder_events == NULL)
        goto end;

    for (sm = s->sm_lists[DETECT_SM_LIST_APP_EVENT]; sm != NULL; sm = sm->next) {
        aled = (DetectAppLayerEventData *)sm->ctx;
        KEYWORD_PROFILING_START;
        if (AppLayerDecoderEventsIsEventSet(decoder_events, aled->event_id)) {
            KEYWORD_PROFILING_END(det_ctx, sm->type, 1);
            continue;
        }

        KEYWORD_PROFILING_END(det_ctx, sm->type, 0);
        goto end;
    }

    r = 1;

 end:
    if (r == 1) {
        return DETECT_ENGINE_INSPECT_SIG_MATCH;
    } else {
        if (AppLayerParserGetStateProgress(f->proto, alproto, tx, flags) ==
            AppLayerParserGetStateProgressCompletionStatus(f->proto, alproto, flags))
        {
            return DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
        } else {
            return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
        }
    }
}