From 95e8427bae8a3ae0c61ad078bb7e1b3a269fa53a Mon Sep 17 00:00:00 2001 From: Jeff Lucovsky Date: Mon, 20 Jan 2025 09:35:01 -0500 Subject: [PATCH] gen: Remove _AL_ usage in detect keywords This commit removes the `_AL_` usage in detect keywords for improved readability. Some of the HTTP rule keywords already had counterparts without using "_AL_". These rule keywords are the legacy content modifier keywords that now have sticky buffer equivalents. For these, "_AL_" was removed and a suffix was added to the #define: src/detect-engine-register.h:151: DETECT_HTTP_COOKIE_CM src/detect-engine-register.h:153: DETECT_HTTP_METHOD_CM src/detect-engine-register.h:161: DETECT_HTTP_HEADER_CM src/detect-engine-register.h:173: DETECT_HTTP_RAW_HEADER_CM src/detect-engine-register.h:175: DETECT_HTTP_URI_CM src/detect-engine-register.h:179: DETECT_HTTP_STAT_MSG_CM src/detect-engine-register.h:181: DETECT_HTTP_STAT_CODE_CM src/detect-engine-register.h:185: DETECT_HTTP_HOST_CM --- src/detect-app-layer-event.c | 22 +- src/detect-app-layer-protocol.c | 36 ++- src/detect-dnp3.c | 84 +++---- src/detect-dns-answer-name.c | 12 +- src/detect-dns-opcode.c | 17 +- src/detect-dns-query-name.c | 12 +- src/detect-dns-query.c | 16 +- src/detect-dns-rcode.c | 16 +- src/detect-dns-rrtype.c | 18 +- src/detect-engine-build.c | 4 +- src/detect-engine-content-inspection.c | 2 +- src/detect-engine-register.h | 220 +++++++++---------- src/detect-http-accept-enc.c | 2 +- src/detect-http-accept-lang.c | 2 +- src/detect-http-accept.c | 2 +- src/detect-http-client-body.c | 21 +- src/detect-http-connection.c | 2 +- src/detect-http-content-len.c | 2 +- src/detect-http-content-type.c | 2 +- src/detect-http-cookie.c | 19 +- src/detect-http-header-names.c | 12 +- src/detect-http-header.c | 20 +- src/detect-http-host.c | 33 +-- src/detect-http-location.c | 2 +- src/detect-http-method.c | 19 +- src/detect-http-protocol.c | 12 +- src/detect-http-raw-header.c | 19 +- src/detect-http-referer.c | 2 +- src/detect-http-request-line.c | 17 +- src/detect-http-response-line.c | 15 +- src/detect-http-server-body.c | 19 +- src/detect-http-server.c | 2 +- src/detect-http-start.c | 12 +- src/detect-http-stat-code.c | 18 +- src/detect-http-stat-msg.c | 18 +- src/detect-http-ua.c | 19 +- src/detect-http-uri.c | 31 +-- src/detect-ike-chosen-sa.c | 17 +- src/detect-ike-exch-type.c | 16 +- src/detect-ike-key-exchange-payload-length.c | 15 +- src/detect-ike-key-exchange-payload.c | 11 +- src/detect-ike-nonce-payload-length.c | 14 +- src/detect-ike-nonce-payload.c | 10 +- src/detect-ike-spi.c | 22 +- src/detect-ike-vendor.c | 12 +- src/detect-ja4-hash.c | 18 +- src/detect-krb5-cname.c | 12 +- src/detect-krb5-errcode.c | 18 +- src/detect-krb5-msgtype.c | 18 +- src/detect-krb5-sname.c | 12 +- src/detect-krb5-ticket-encryption.c | 17 +- src/detect-modbus.c | 16 +- src/detect-nfs-procedure.c | 18 +- src/detect-nfs-version.c | 16 +- src/detect-quic-cyu-hash.c | 12 +- src/detect-quic-cyu-string.c | 13 +- src/detect-quic-sni.c | 12 +- src/detect-quic-ua.c | 12 +- src/detect-quic-version.c | 12 +- src/detect-sip-method.c | 10 +- src/detect-sip-uri.c | 10 +- src/detect-ssh-hassh-server-string.c | 15 +- src/detect-ssh-hassh-server.c | 14 +- src/detect-ssh-hassh-string.c | 14 +- src/detect-ssh-hassh.c | 14 +- src/detect-ssh-proto-version.c | 6 +- src/detect-ssh-proto.c | 12 +- src/detect-ssh-software-version.c | 6 +- src/detect-ssh-software.c | 12 +- src/detect-ssl-state.c | 18 +- src/detect-ssl-version.c | 18 +- src/detect-tls-cert-fingerprint.c | 17 +- src/detect-tls-cert-issuer.c | 16 +- src/detect-tls-cert-serial.c | 16 +- src/detect-tls-cert-subject.c | 16 +- src/detect-tls-cert-validity.c | 68 +++--- src/detect-tls-certs.c | 16 +- src/detect-tls-ja3-hash.c | 18 +- src/detect-tls-ja3-string.c | 18 +- src/detect-tls-ja3s-hash.c | 16 +- src/detect-tls-ja3s-string.c | 17 +- src/detect-tls-random.c | 33 ++- src/detect-tls-sni.c | 14 +- src/detect-tls-subjectaltname.c | 13 +- src/detect-tls-version.c | 18 +- src/detect-tls.c | 78 +++---- src/detect-urilen.c | 20 +- 87 files changed, 827 insertions(+), 820 deletions(-) diff --git a/src/detect-app-layer-event.c b/src/detect-app-layer-event.c index ce10c289d317..8dd9229f074e 100644 --- a/src/detect-app-layer-event.c +++ b/src/detect-app-layer-event.c @@ -70,13 +70,13 @@ static int g_applayer_events_list_id = 0; */ void DetectAppLayerEventRegister(void) { - sigmatch_table[DETECT_AL_APP_LAYER_EVENT].name = "app-layer-event"; - sigmatch_table[DETECT_AL_APP_LAYER_EVENT].desc = "match on events generated by the App Layer Parsers and the protocol detection engine"; - sigmatch_table[DETECT_AL_APP_LAYER_EVENT].url = "/rules/app-layer.html#app-layer-event"; - sigmatch_table[DETECT_AL_APP_LAYER_EVENT].Match = - DetectAppLayerEventPktMatch; - sigmatch_table[DETECT_AL_APP_LAYER_EVENT].Setup = DetectAppLayerEventSetup; - sigmatch_table[DETECT_AL_APP_LAYER_EVENT].Free = DetectAppLayerEventFree; + sigmatch_table[DETECT_APP_LAYER_EVENT].name = "app-layer-event"; + sigmatch_table[DETECT_APP_LAYER_EVENT].desc = + "match on events generated by the App Layer Parsers and the protocol detection engine"; + sigmatch_table[DETECT_APP_LAYER_EVENT].url = "/rules/app-layer.html#app-layer-event"; + sigmatch_table[DETECT_APP_LAYER_EVENT].Match = DetectAppLayerEventPktMatch; + sigmatch_table[DETECT_APP_LAYER_EVENT].Setup = DetectAppLayerEventSetup; + sigmatch_table[DETECT_APP_LAYER_EVENT].Free = DetectAppLayerEventFree; DetectAppLayerInspectEngineRegister("app-layer-events", ALPROTO_UNKNOWN, SIG_FLAG_TOSERVER, 0, DetectEngineAptEventInspect, NULL); @@ -226,7 +226,7 @@ static int DetectAppLayerEventSetup(DetectEngineCtx *de_ctx, Signature *s, const } } if (OutdatedEvent(arg)) { - if (SigMatchStrictEnabled(DETECT_AL_APP_LAYER_EVENT)) { + if (SigMatchStrictEnabled(DETECT_APP_LAYER_EVENT)) { SCLogError("app-layer-event keyword no longer supports event \"%s\"", arg); return -1; } else { @@ -253,7 +253,7 @@ static int DetectAppLayerEventSetup(DetectEngineCtx *de_ctx, Signature *s, const r = DetectEngineGetEventInfo(event_name, &event_id, &event_type); } if (r < 0) { - if (SigMatchStrictEnabled(DETECT_AL_APP_LAYER_EVENT)) { + if (SigMatchStrictEnabled(DETECT_APP_LAYER_EVENT)) { SCLogError("app-layer-event keyword's " "protocol \"%s\" doesn't have event \"%s\" registered", alproto_name, event_name); @@ -274,7 +274,7 @@ static int DetectAppLayerEventSetup(DetectEngineCtx *de_ctx, Signature *s, const SCLogDebug("data->event_id %u", data->event_id); if (event_type == APP_LAYER_EVENT_TYPE_PACKET) { - if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_APP_LAYER_EVENT, (SigMatchCtx *)data, + if (SigMatchAppendSMToList(de_ctx, s, DETECT_APP_LAYER_EVENT, (SigMatchCtx *)data, DETECT_SM_LIST_MATCH) == NULL) { goto error; } @@ -282,7 +282,7 @@ static int DetectAppLayerEventSetup(DetectEngineCtx *de_ctx, Signature *s, const if (DetectSignatureSetAppProto(s, data->alproto) != 0) goto error; - if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_APP_LAYER_EVENT, (SigMatchCtx *)data, + if (SigMatchAppendSMToList(de_ctx, s, DETECT_APP_LAYER_EVENT, (SigMatchCtx *)data, g_applayer_events_list_id) == NULL) { goto error; } diff --git a/src/detect-app-layer-protocol.c b/src/detect-app-layer-protocol.c index c706e5567b57..96270318f3f2 100644 --- a/src/detect-app-layer-protocol.c +++ b/src/detect-app-layer-protocol.c @@ -215,7 +215,7 @@ static int DetectAppLayerProtocolSetup(DetectEngineCtx *de_ctx, SigMatch *tsm = s->init_data->smlists[DETECT_SM_LIST_MATCH]; for ( ; tsm != NULL; tsm = tsm->next) { - if (tsm->type == DETECT_AL_APP_LAYER_PROTOCOL) { + if (tsm->type == DETECT_APP_LAYER_PROTOCOL) { const DetectAppLayerProtocolData *them = (const DetectAppLayerProtocolData *)tsm->ctx; if (HasConflicts(data, them)) { @@ -227,7 +227,7 @@ static int DetectAppLayerProtocolSetup(DetectEngineCtx *de_ctx, } } - if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_APP_LAYER_PROTOCOL, (SigMatchCtx *)data, + if (SigMatchAppendSMToList(de_ctx, s, DETECT_APP_LAYER_PROTOCOL, (SigMatchCtx *)data, DETECT_SM_LIST_MATCH) == NULL) { goto error; } @@ -331,8 +331,8 @@ PrefilterPacketAppProtoCompare(PrefilterPacketHeaderValue v, void *smctx) static int PrefilterSetupAppProto(DetectEngineCtx *de_ctx, SigGroupHead *sgh) { - return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_AL_APP_LAYER_PROTOCOL, - SIG_MASK_REQUIRE_FLOW, PrefilterPacketAppProtoSet, PrefilterPacketAppProtoCompare, + return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_APP_LAYER_PROTOCOL, SIG_MASK_REQUIRE_FLOW, + PrefilterPacketAppProtoSet, PrefilterPacketAppProtoCompare, PrefilterPacketAppProtoMatch); } @@ -347,26 +347,20 @@ static bool PrefilterAppProtoIsPrefilterable(const Signature *s) void DetectAppLayerProtocolRegister(void) { - sigmatch_table[DETECT_AL_APP_LAYER_PROTOCOL].name = "app-layer-protocol"; - sigmatch_table[DETECT_AL_APP_LAYER_PROTOCOL].desc = "match on the detected app-layer protocol"; - sigmatch_table[DETECT_AL_APP_LAYER_PROTOCOL].url = "/rules/app-layer.html#app-layer-protocol"; - sigmatch_table[DETECT_AL_APP_LAYER_PROTOCOL].Match = - DetectAppLayerProtocolPacketMatch; - sigmatch_table[DETECT_AL_APP_LAYER_PROTOCOL].Setup = - DetectAppLayerProtocolSetup; - sigmatch_table[DETECT_AL_APP_LAYER_PROTOCOL].Free = - DetectAppLayerProtocolFree; + sigmatch_table[DETECT_APP_LAYER_PROTOCOL].name = "app-layer-protocol"; + sigmatch_table[DETECT_APP_LAYER_PROTOCOL].desc = "match on the detected app-layer protocol"; + sigmatch_table[DETECT_APP_LAYER_PROTOCOL].url = "/rules/app-layer.html#app-layer-protocol"; + sigmatch_table[DETECT_APP_LAYER_PROTOCOL].Match = DetectAppLayerProtocolPacketMatch; + sigmatch_table[DETECT_APP_LAYER_PROTOCOL].Setup = DetectAppLayerProtocolSetup; + sigmatch_table[DETECT_APP_LAYER_PROTOCOL].Free = DetectAppLayerProtocolFree; #ifdef UNITTESTS - sigmatch_table[DETECT_AL_APP_LAYER_PROTOCOL].RegisterTests = - DetectAppLayerProtocolRegisterTests; + sigmatch_table[DETECT_APP_LAYER_PROTOCOL].RegisterTests = DetectAppLayerProtocolRegisterTests; #endif - sigmatch_table[DETECT_AL_APP_LAYER_PROTOCOL].flags = - (SIGMATCH_QUOTES_OPTIONAL|SIGMATCH_HANDLE_NEGATION); + sigmatch_table[DETECT_APP_LAYER_PROTOCOL].flags = + (SIGMATCH_QUOTES_OPTIONAL | SIGMATCH_HANDLE_NEGATION); - sigmatch_table[DETECT_AL_APP_LAYER_PROTOCOL].SetupPrefilter = - PrefilterSetupAppProto; - sigmatch_table[DETECT_AL_APP_LAYER_PROTOCOL].SupportsPrefilter = - PrefilterAppProtoIsPrefilterable; + sigmatch_table[DETECT_APP_LAYER_PROTOCOL].SetupPrefilter = PrefilterSetupAppProto; + sigmatch_table[DETECT_APP_LAYER_PROTOCOL].SupportsPrefilter = PrefilterAppProtoIsPrefilterable; } /**********************************Unittests***********************************/ diff --git a/src/detect-dnp3.c b/src/detect-dnp3.c index 807c189611d8..c1e5a5e5bb97 100644 --- a/src/detect-dnp3.c +++ b/src/detect-dnp3.c @@ -221,8 +221,8 @@ static int DetectDNP3FuncSetup(DetectEngineCtx *de_ctx, Signature *s, const char } dnp3->function_code = function_code; - if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_DNP3FUNC, (SigMatchCtx *)dnp3, - g_dnp3_match_buffer_id) == NULL) { + if (SigMatchAppendSMToList( + de_ctx, s, DETECT_DNP3FUNC, (SigMatchCtx *)dnp3, g_dnp3_match_buffer_id) == NULL) { goto error; } @@ -299,8 +299,8 @@ static int DetectDNP3IndSetup(DetectEngineCtx *de_ctx, Signature *s, const char } detect->ind_flags = flags; - if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_DNP3IND, (SigMatchCtx *)detect, - g_dnp3_match_buffer_id) == NULL) { + if (SigMatchAppendSMToList( + de_ctx, s, DETECT_DNP3IND, (SigMatchCtx *)detect, g_dnp3_match_buffer_id) == NULL) { goto error; } @@ -366,8 +366,8 @@ static int DetectDNP3ObjSetup(DetectEngineCtx *de_ctx, Signature *s, const char detect->obj_group = group; detect->obj_variation = variation; - if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_DNP3OBJ, (SigMatchCtx *)detect, - g_dnp3_match_buffer_id) == NULL) { + if (SigMatchAppendSMToList( + de_ctx, s, DETECT_DNP3OBJ, (SigMatchCtx *)detect, g_dnp3_match_buffer_id) == NULL) { goto fail; } @@ -453,17 +453,17 @@ static void DetectDNP3FuncRegister(void) { SCEnter(); - sigmatch_table[DETECT_AL_DNP3FUNC].name = "dnp3_func"; - sigmatch_table[DETECT_AL_DNP3FUNC].alias = "dnp3.func"; - sigmatch_table[DETECT_AL_DNP3FUNC].desc = "match on the application function code found in DNP3 request and responses"; - sigmatch_table[DETECT_AL_DNP3FUNC].url = "/rules/dnp3-keywords.html#dnp3-func"; - sigmatch_table[DETECT_AL_DNP3FUNC].Match = NULL; - sigmatch_table[DETECT_AL_DNP3FUNC].AppLayerTxMatch = DetectDNP3FuncMatch; - sigmatch_table[DETECT_AL_DNP3FUNC].Setup = DetectDNP3FuncSetup; - sigmatch_table[DETECT_AL_DNP3FUNC].Free = DetectDNP3Free; + sigmatch_table[DETECT_DNP3FUNC].name = "dnp3_func"; + sigmatch_table[DETECT_DNP3FUNC].alias = "dnp3.func"; + sigmatch_table[DETECT_DNP3FUNC].desc = + "match on the application function code found in DNP3 request and responses"; + sigmatch_table[DETECT_DNP3FUNC].url = "/rules/dnp3-keywords.html#dnp3-func"; + sigmatch_table[DETECT_DNP3FUNC].Match = NULL; + sigmatch_table[DETECT_DNP3FUNC].AppLayerTxMatch = DetectDNP3FuncMatch; + sigmatch_table[DETECT_DNP3FUNC].Setup = DetectDNP3FuncSetup; + sigmatch_table[DETECT_DNP3FUNC].Free = DetectDNP3Free; #ifdef UNITTESTS - sigmatch_table[DETECT_AL_DNP3FUNC].RegisterTests = - DetectDNP3FuncRegisterTests; + sigmatch_table[DETECT_DNP3FUNC].RegisterTests = DetectDNP3FuncRegisterTests; #endif SCReturn; } @@ -472,17 +472,17 @@ static void DetectDNP3IndRegister(void) { SCEnter(); - sigmatch_table[DETECT_AL_DNP3IND].name = "dnp3_ind"; - sigmatch_table[DETECT_AL_DNP3IND].alias = "dnp3.ind"; - sigmatch_table[DETECT_AL_DNP3IND].desc = "match on the DNP3 internal indicator flags in the response application header"; - sigmatch_table[DETECT_AL_DNP3IND].url = "/rules/dnp3-keywords.html#dnp3-ind"; - sigmatch_table[DETECT_AL_DNP3IND].Match = NULL; - sigmatch_table[DETECT_AL_DNP3IND].AppLayerTxMatch = DetectDNP3IndMatch; - sigmatch_table[DETECT_AL_DNP3IND].Setup = DetectDNP3IndSetup; - sigmatch_table[DETECT_AL_DNP3IND].Free = DetectDNP3Free; + sigmatch_table[DETECT_DNP3IND].name = "dnp3_ind"; + sigmatch_table[DETECT_DNP3IND].alias = "dnp3.ind"; + sigmatch_table[DETECT_DNP3IND].desc = + "match on the DNP3 internal indicator flags in the response application header"; + sigmatch_table[DETECT_DNP3IND].url = "/rules/dnp3-keywords.html#dnp3-ind"; + sigmatch_table[DETECT_DNP3IND].Match = NULL; + sigmatch_table[DETECT_DNP3IND].AppLayerTxMatch = DetectDNP3IndMatch; + sigmatch_table[DETECT_DNP3IND].Setup = DetectDNP3IndSetup; + sigmatch_table[DETECT_DNP3IND].Free = DetectDNP3Free; #ifdef UNITTESTS - sigmatch_table[DETECT_AL_DNP3IND].RegisterTests = - DetectDNP3IndRegisterTests; + sigmatch_table[DETECT_DNP3IND].RegisterTests = DetectDNP3IndRegisterTests; #endif SCReturn; } @@ -491,17 +491,16 @@ static void DetectDNP3ObjRegister(void) { SCEnter(); - sigmatch_table[DETECT_AL_DNP3OBJ].name = "dnp3_obj"; - sigmatch_table[DETECT_AL_DNP3OBJ].alias = "dnp3.obj"; - sigmatch_table[DETECT_AL_DNP3OBJ].desc = "match on the DNP3 application data objects"; - sigmatch_table[DETECT_AL_DNP3OBJ].url = "/rules/dnp3-keywords.html#dnp3-obj"; - sigmatch_table[DETECT_AL_DNP3OBJ].Match = NULL; - sigmatch_table[DETECT_AL_DNP3OBJ].AppLayerTxMatch = DetectDNP3ObjMatch; - sigmatch_table[DETECT_AL_DNP3OBJ].Setup = DetectDNP3ObjSetup; - sigmatch_table[DETECT_AL_DNP3OBJ].Free = DetectDNP3Free; + sigmatch_table[DETECT_DNP3OBJ].name = "dnp3_obj"; + sigmatch_table[DETECT_DNP3OBJ].alias = "dnp3.obj"; + sigmatch_table[DETECT_DNP3OBJ].desc = "match on the DNP3 application data objects"; + sigmatch_table[DETECT_DNP3OBJ].url = "/rules/dnp3-keywords.html#dnp3-obj"; + sigmatch_table[DETECT_DNP3OBJ].Match = NULL; + sigmatch_table[DETECT_DNP3OBJ].AppLayerTxMatch = DetectDNP3ObjMatch; + sigmatch_table[DETECT_DNP3OBJ].Setup = DetectDNP3ObjSetup; + sigmatch_table[DETECT_DNP3OBJ].Free = DetectDNP3Free; #ifdef UNITTESTS - sigmatch_table[DETECT_AL_DNP3OBJ].RegisterTests = - DetectDNP3ObjRegisterTests; + sigmatch_table[DETECT_DNP3OBJ].RegisterTests = DetectDNP3ObjRegisterTests; #endif SCReturn; } @@ -522,12 +521,13 @@ static void DetectDNP3DataRegister(void) { SCEnter(); - sigmatch_table[DETECT_AL_DNP3DATA].name = "dnp3.data"; - sigmatch_table[DETECT_AL_DNP3DATA].alias = "dnp3_data"; - sigmatch_table[DETECT_AL_DNP3DATA].desc = "make the following content options to match on the re-assembled application buffer"; - sigmatch_table[DETECT_AL_DNP3DATA].url = "/rules/dnp3-keywords.html#dnp3-data"; - sigmatch_table[DETECT_AL_DNP3DATA].Setup = DetectDNP3DataSetup; - sigmatch_table[DETECT_AL_DNP3DATA].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER; + sigmatch_table[DETECT_DNP3DATA].name = "dnp3.data"; + sigmatch_table[DETECT_DNP3DATA].alias = "dnp3_data"; + sigmatch_table[DETECT_DNP3DATA].desc = + "make the following content options to match on the re-assembled application buffer"; + sigmatch_table[DETECT_DNP3DATA].url = "/rules/dnp3-keywords.html#dnp3-data"; + sigmatch_table[DETECT_DNP3DATA].Setup = DetectDNP3DataSetup; + sigmatch_table[DETECT_DNP3DATA].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER; DetectAppLayerInspectEngineRegister("dnp3_data", ALPROTO_DNP3, SIG_FLAG_TOSERVER, 0, DetectEngineInspectBufferGeneric, GetDNP3Data); diff --git a/src/detect-dns-answer-name.c b/src/detect-dns-answer-name.c index dc1272d47510..ccf4746254df 100644 --- a/src/detect-dns-answer-name.c +++ b/src/detect-dns-answer-name.c @@ -72,12 +72,12 @@ static InspectionBuffer *GetBuffer(DetectEngineThreadCtx *det_ctx, void DetectDnsAnswerNameRegister(void) { static const char *keyword = "dns.answer.name"; - sigmatch_table[DETECT_AL_DNS_ANSWER_NAME].name = keyword; - sigmatch_table[DETECT_AL_DNS_ANSWER_NAME].desc = "DNS answer name sticky buffer"; - sigmatch_table[DETECT_AL_DNS_ANSWER_NAME].url = "/rules/dns-keywords.html#dns-answer-name"; - sigmatch_table[DETECT_AL_DNS_ANSWER_NAME].Setup = DetectSetup; - sigmatch_table[DETECT_AL_DNS_ANSWER_NAME].flags |= SIGMATCH_NOOPT; - sigmatch_table[DETECT_AL_DNS_ANSWER_NAME].flags |= SIGMATCH_INFO_STICKY_BUFFER; + sigmatch_table[DETECT_DNS_ANSWER_NAME].name = keyword; + sigmatch_table[DETECT_DNS_ANSWER_NAME].desc = "DNS answer name sticky buffer"; + sigmatch_table[DETECT_DNS_ANSWER_NAME].url = "/rules/dns-keywords.html#dns-answer-name"; + sigmatch_table[DETECT_DNS_ANSWER_NAME].Setup = DetectSetup; + sigmatch_table[DETECT_DNS_ANSWER_NAME].flags |= SIGMATCH_NOOPT; + sigmatch_table[DETECT_DNS_ANSWER_NAME].flags |= SIGMATCH_INFO_STICKY_BUFFER; /* Register in the TO_SERVER direction, even though this is not normal, it could be provided as part of a request. */ diff --git a/src/detect-dns-opcode.c b/src/detect-dns-opcode.c index e069c5563266..6e9f819fc217 100644 --- a/src/detect-dns-opcode.c +++ b/src/detect-dns-opcode.c @@ -42,8 +42,8 @@ static int DetectDnsOpcodeSetup(DetectEngineCtx *de_ctx, Signature *s, return -1; } - if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_DNS_OPCODE, (SigMatchCtx *)detect, - dns_opcode_list_id) == NULL) { + if (SigMatchAppendSMToList( + de_ctx, s, DETECT_DNS_OPCODE, (SigMatchCtx *)detect, dns_opcode_list_id) == NULL) { goto error; } @@ -72,13 +72,12 @@ static int DetectDnsOpcodeMatch(DetectEngineThreadCtx *det_ctx, void DetectDnsOpcodeRegister(void) { - sigmatch_table[DETECT_AL_DNS_OPCODE].name = "dns.opcode"; - sigmatch_table[DETECT_AL_DNS_OPCODE].desc = "Match the DNS header opcode flag."; - sigmatch_table[DETECT_AL_DNS_OPCODE].Setup = DetectDnsOpcodeSetup; - sigmatch_table[DETECT_AL_DNS_OPCODE].Free = DetectDnsOpcodeFree; - sigmatch_table[DETECT_AL_DNS_OPCODE].Match = NULL; - sigmatch_table[DETECT_AL_DNS_OPCODE].AppLayerTxMatch = - DetectDnsOpcodeMatch; + sigmatch_table[DETECT_DNS_OPCODE].name = "dns.opcode"; + sigmatch_table[DETECT_DNS_OPCODE].desc = "Match the DNS header opcode flag."; + sigmatch_table[DETECT_DNS_OPCODE].Setup = DetectDnsOpcodeSetup; + sigmatch_table[DETECT_DNS_OPCODE].Free = DetectDnsOpcodeFree; + sigmatch_table[DETECT_DNS_OPCODE].Match = NULL; + sigmatch_table[DETECT_DNS_OPCODE].AppLayerTxMatch = DetectDnsOpcodeMatch; DetectAppLayerInspectEngineRegister( "dns.opcode", ALPROTO_DNS, SIG_FLAG_TOSERVER, 0, DetectEngineInspectGenericList, NULL); diff --git a/src/detect-dns-query-name.c b/src/detect-dns-query-name.c index ca1cc79fa4bf..dea5c81c7f87 100644 --- a/src/detect-dns-query-name.c +++ b/src/detect-dns-query-name.c @@ -72,12 +72,12 @@ static InspectionBuffer *GetBuffer(DetectEngineThreadCtx *det_ctx, void DetectDnsQueryNameRegister(void) { static const char *keyword = "dns.query.name"; - sigmatch_table[DETECT_AL_DNS_QUERY_NAME].name = keyword; - sigmatch_table[DETECT_AL_DNS_QUERY_NAME].desc = "DNS query name sticky buffer"; - sigmatch_table[DETECT_AL_DNS_QUERY_NAME].url = "/rules/dns-keywords.html#dns-query-name"; - sigmatch_table[DETECT_AL_DNS_QUERY_NAME].Setup = DetectSetup; - sigmatch_table[DETECT_AL_DNS_QUERY_NAME].flags |= SIGMATCH_NOOPT; - sigmatch_table[DETECT_AL_DNS_QUERY_NAME].flags |= SIGMATCH_INFO_STICKY_BUFFER; + sigmatch_table[DETECT_DNS_QUERY_NAME].name = keyword; + sigmatch_table[DETECT_DNS_QUERY_NAME].desc = "DNS query name sticky buffer"; + sigmatch_table[DETECT_DNS_QUERY_NAME].url = "/rules/dns-keywords.html#dns-query-name"; + sigmatch_table[DETECT_DNS_QUERY_NAME].Setup = DetectSetup; + sigmatch_table[DETECT_DNS_QUERY_NAME].flags |= SIGMATCH_NOOPT; + sigmatch_table[DETECT_DNS_QUERY_NAME].flags |= SIGMATCH_INFO_STICKY_BUFFER; /* Register in both directions as the query is usually echoed back in the response. */ diff --git a/src/detect-dns-query.c b/src/detect-dns-query.c index ef510f15287a..f50267566480 100644 --- a/src/detect-dns-query.c +++ b/src/detect-dns-query.c @@ -96,16 +96,16 @@ static InspectionBuffer *DnsQueryGetData(DetectEngineThreadCtx *det_ctx, */ void DetectDnsQueryRegister (void) { - sigmatch_table[DETECT_AL_DNS_QUERY].name = "dns.query"; - sigmatch_table[DETECT_AL_DNS_QUERY].alias = "dns_query"; - sigmatch_table[DETECT_AL_DNS_QUERY].desc = "sticky buffer to match DNS query-buffer"; - sigmatch_table[DETECT_AL_DNS_QUERY].url = "/rules/dns-keywords.html#dns-query"; - sigmatch_table[DETECT_AL_DNS_QUERY].Setup = DetectDnsQuerySetup; + sigmatch_table[DETECT_DNS_QUERY].name = "dns.query"; + sigmatch_table[DETECT_DNS_QUERY].alias = "dns_query"; + sigmatch_table[DETECT_DNS_QUERY].desc = "sticky buffer to match DNS query-buffer"; + sigmatch_table[DETECT_DNS_QUERY].url = "/rules/dns-keywords.html#dns-query"; + sigmatch_table[DETECT_DNS_QUERY].Setup = DetectDnsQuerySetup; #ifdef UNITTESTS - sigmatch_table[DETECT_AL_DNS_QUERY].RegisterTests = DetectDnsQueryRegisterTests; + sigmatch_table[DETECT_DNS_QUERY].RegisterTests = DetectDnsQueryRegisterTests; #endif - sigmatch_table[DETECT_AL_DNS_QUERY].flags |= SIGMATCH_NOOPT; - sigmatch_table[DETECT_AL_DNS_QUERY].flags |= SIGMATCH_INFO_STICKY_BUFFER; + sigmatch_table[DETECT_DNS_QUERY].flags |= SIGMATCH_NOOPT; + sigmatch_table[DETECT_DNS_QUERY].flags |= SIGMATCH_INFO_STICKY_BUFFER; DetectAppLayerMultiRegister( "dns_query", ALPROTO_DNS, SIG_FLAG_TOSERVER, 1, DnsQueryGetData, 2, 1); diff --git a/src/detect-dns-rcode.c b/src/detect-dns-rcode.c index fa5d52e67e54..b6505b7c61be 100644 --- a/src/detect-dns-rcode.c +++ b/src/detect-dns-rcode.c @@ -42,7 +42,7 @@ static int DetectDnsRcodeSetup(DetectEngineCtx *de_ctx, Signature *s, const char } if (SigMatchAppendSMToList( - de_ctx, s, DETECT_AL_DNS_RCODE, (SigMatchCtx *)detect, dns_rcode_list_id) == NULL) { + de_ctx, s, DETECT_DNS_RCODE, (SigMatchCtx *)detect, dns_rcode_list_id) == NULL) { DetectDnsRcodeFree(de_ctx, detect); SCReturnInt(-1); } @@ -67,13 +67,13 @@ static int DetectDnsRcodeMatch(DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t void DetectDnsRcodeRegister(void) { - sigmatch_table[DETECT_AL_DNS_RCODE].name = "dns.rcode"; - sigmatch_table[DETECT_AL_DNS_RCODE].desc = "Match the DNS header rcode flag."; - sigmatch_table[DETECT_AL_DNS_RCODE].url = "/rules/dns-keywords.html#dns-rcode"; - sigmatch_table[DETECT_AL_DNS_RCODE].Setup = DetectDnsRcodeSetup; - sigmatch_table[DETECT_AL_DNS_RCODE].Free = DetectDnsRcodeFree; - sigmatch_table[DETECT_AL_DNS_RCODE].Match = NULL; - sigmatch_table[DETECT_AL_DNS_RCODE].AppLayerTxMatch = DetectDnsRcodeMatch; + sigmatch_table[DETECT_DNS_RCODE].name = "dns.rcode"; + sigmatch_table[DETECT_DNS_RCODE].desc = "Match the DNS header rcode flag."; + sigmatch_table[DETECT_DNS_RCODE].url = "/rules/dns-keywords.html#dns-rcode"; + sigmatch_table[DETECT_DNS_RCODE].Setup = DetectDnsRcodeSetup; + sigmatch_table[DETECT_DNS_RCODE].Free = DetectDnsRcodeFree; + sigmatch_table[DETECT_DNS_RCODE].Match = NULL; + sigmatch_table[DETECT_DNS_RCODE].AppLayerTxMatch = DetectDnsRcodeMatch; DetectAppLayerInspectEngineRegister( "dns.rcode", ALPROTO_DNS, SIG_FLAG_TOSERVER, 0, DetectEngineInspectGenericList, NULL); diff --git a/src/detect-dns-rrtype.c b/src/detect-dns-rrtype.c index 1178d3e68af1..abfe9c7d5e73 100644 --- a/src/detect-dns-rrtype.c +++ b/src/detect-dns-rrtype.c @@ -41,8 +41,8 @@ static int DetectDnsRrtypeSetup(DetectEngineCtx *de_ctx, Signature *s, const cha SCReturnInt(-1); } - if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_DNS_RRTYPE, (SigMatchCtx *)detect, - dns_rrtype_list_id) == NULL) { + if (SigMatchAppendSMToList( + de_ctx, s, DETECT_DNS_RRTYPE, (SigMatchCtx *)detect, dns_rrtype_list_id) == NULL) { DetectDnsRrtypeFree(de_ctx, detect); SCReturnInt(-1); } @@ -67,13 +67,13 @@ static int DetectDnsRrtypeMatch(DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t void DetectDnsRrtypeRegister(void) { - sigmatch_table[DETECT_AL_DNS_RRTYPE].name = "dns.rrtype"; - sigmatch_table[DETECT_AL_DNS_RRTYPE].desc = "Match the DNS rrtype in message body."; - sigmatch_table[DETECT_AL_DNS_RRTYPE].url = "/rules/dns-keywords.html#dns-rrtype"; - sigmatch_table[DETECT_AL_DNS_RRTYPE].Setup = DetectDnsRrtypeSetup; - sigmatch_table[DETECT_AL_DNS_RRTYPE].Free = DetectDnsRrtypeFree; - sigmatch_table[DETECT_AL_DNS_RRTYPE].Match = NULL; - sigmatch_table[DETECT_AL_DNS_RRTYPE].AppLayerTxMatch = DetectDnsRrtypeMatch; + sigmatch_table[DETECT_DNS_RRTYPE].name = "dns.rrtype"; + sigmatch_table[DETECT_DNS_RRTYPE].desc = "Match the DNS rrtype in message body."; + sigmatch_table[DETECT_DNS_RRTYPE].url = "/rules/dns-keywords.html#dns-rrtype"; + sigmatch_table[DETECT_DNS_RRTYPE].Setup = DetectDnsRrtypeSetup; + sigmatch_table[DETECT_DNS_RRTYPE].Free = DetectDnsRrtypeFree; + sigmatch_table[DETECT_DNS_RRTYPE].Match = NULL; + sigmatch_table[DETECT_DNS_RRTYPE].AppLayerTxMatch = DetectDnsRrtypeMatch; DetectAppLayerInspectEngineRegister( "dns.rrtype", ALPROTO_DNS, SIG_FLAG_TOSERVER, 0, DetectEngineInspectGenericList, NULL); diff --git a/src/detect-engine-build.c b/src/detect-engine-build.c index 602b5f3aa410..5b1b71f9c1ed 100644 --- a/src/detect-engine-build.c +++ b/src/detect-engine-build.c @@ -299,7 +299,7 @@ static int SignatureIsPDOnly(const DetectEngineCtx *de_ctx, const Signature *s) int pd = 0; for ( ; sm != NULL; sm = sm->next) { - if (sm->type == DETECT_AL_APP_LAYER_PROTOCOL) { + if (sm->type == DETECT_APP_LAYER_PROTOCOL) { pd = 1; } else { /* flowbits are supported for dp only sigs, as long @@ -524,7 +524,7 @@ static int SignatureCreateMask(Signature *s) // fallthrough case DETECT_STREAM_EVENT: // fallthrough - case DETECT_AL_APP_LAYER_EVENT: + case DETECT_APP_LAYER_EVENT: // fallthrough case DETECT_ENGINE_EVENT: s->mask |= SIG_MASK_REQUIRE_ENGINE_EVENT; diff --git a/src/detect-engine-content-inspection.c b/src/detect-engine-content-inspection.c index e43e693b2151..dbc18c298035 100644 --- a/src/detect-engine-content-inspection.c +++ b/src/detect-engine-content-inspection.c @@ -638,7 +638,7 @@ static int DetectEngineContentInspectionInternal(DetectEngineThreadCtx *det_ctx, } goto no_match_discontinue; - } else if (smd->type == DETECT_AL_URILEN) { + } else if (smd->type == DETECT_URILEN) { SCLogDebug("inspecting uri len"); int r; diff --git a/src/detect-engine-register.h b/src/detect-engine-register.h index a9e674159e36..ed90bfb392a5 100644 --- a/src/detect-engine-register.h +++ b/src/detect-engine-register.h @@ -34,7 +34,7 @@ enum DetectKeywordId { /* sorted by prefilter priority. Higher in this list means it will be * picked over ones lower in the list */ - DETECT_AL_APP_LAYER_PROTOCOL, + DETECT_APP_LAYER_PROTOCOL, DETECT_ACK, DETECT_SEQ, DETECT_WINDOW, @@ -94,7 +94,7 @@ enum DetectKeywordId { DETECT_ASN1, DETECT_LUA, DETECT_ISDATAAT, - DETECT_AL_URILEN, + DETECT_URILEN, DETECT_ABSENT, /* end of content inspection */ @@ -136,73 +136,73 @@ enum DetectKeywordId { DETECT_REQUIRES, - DETECT_AL_TLS_VERSION, - DETECT_AL_TLS_SUBJECT, - DETECT_AL_TLS_ISSUERDN, - DETECT_AL_TLS_NOTBEFORE, - DETECT_AL_TLS_NOTAFTER, - DETECT_AL_TLS_EXPIRED, - DETECT_AL_TLS_VALID, - DETECT_AL_TLS_FINGERPRINT, - DETECT_AL_TLS_STORE, - DETECT_AL_TLS_CHAIN_LEN, + DETECT_TLS_VERSION, + DETECT_TLS_SUBJECT, + DETECT_TLS_ISSUERDN, + DETECT_TLS_NOTBEFORE, + DETECT_TLS_NOTAFTER, + DETECT_TLS_EXPIRED, + DETECT_TLS_VALID, + DETECT_TLS_FINGERPRINT, + DETECT_TLS_STORE, + DETECT_TLS_CHAIN_LEN, DETECT_TLS_ALPN, - DETECT_AL_HTTP_COOKIE, + DETECT_HTTP_COOKIE_CM, DETECT_HTTP_COOKIE, - DETECT_AL_HTTP_METHOD, + DETECT_HTTP_METHOD_CM, DETECT_HTTP_METHOD, - DETECT_AL_HTTP_PROTOCOL, - DETECT_AL_HTTP_START, - DETECT_AL_HTTP_CLIENT_BODY, + DETECT_HTTP_PROTOCOL, + DETECT_HTTP_START, + DETECT_HTTP_CLIENT_BODY, DETECT_HTTP_REQUEST_BODY, - DETECT_AL_HTTP_SERVER_BODY, + DETECT_HTTP_SERVER_BODY, DETECT_HTTP_RESPONSE_BODY, - DETECT_AL_HTTP_HEADER, + DETECT_HTTP_HEADER_CM, DETECT_HTTP_HEADER, - DETECT_AL_HTTP_HEADER_NAMES, - DETECT_AL_HTTP_HEADER_ACCEPT, - DETECT_AL_HTTP_HEADER_ACCEPT_LANG, - DETECT_AL_HTTP_HEADER_ACCEPT_ENC, - DETECT_AL_HTTP_HEADER_CONNECTION, - DETECT_AL_HTTP_HEADER_CONTENT_LEN, - DETECT_AL_HTTP_HEADER_CONTENT_TYPE, - DETECT_AL_HTTP_HEADER_LOCATION, - DETECT_AL_HTTP_HEADER_SERVER, - DETECT_AL_HTTP_HEADER_REFERER, - DETECT_AL_HTTP_RAW_HEADER, + DETECT_HTTP_HEADER_NAMES, + DETECT_HTTP_HEADER_ACCEPT, + DETECT_HTTP_HEADER_ACCEPT_LANG, + DETECT_HTTP_HEADER_ACCEPT_ENC, + DETECT_HTTP_HEADER_CONNECTION, + DETECT_HTTP_HEADER_CONTENT_LEN, + DETECT_HTTP_HEADER_CONTENT_TYPE, + DETECT_HTTP_HEADER_LOCATION, + DETECT_HTTP_HEADER_SERVER, + DETECT_HTTP_HEADER_REFERER, + DETECT_HTTP_RAW_HEADER_CM, DETECT_HTTP_RAW_HEADER, - DETECT_AL_HTTP_URI, + DETECT_HTTP_URI_CM, DETECT_HTTP_URI, DETECT_HTTP_URI_RAW, - DETECT_AL_HTTP_RAW_URI, - DETECT_AL_HTTP_STAT_MSG, + DETECT_HTTP_RAW_URI, + DETECT_HTTP_STAT_MSG_CM, DETECT_HTTP_STAT_MSG, - DETECT_AL_HTTP_STAT_CODE, + DETECT_HTTP_STAT_CODE_CM, DETECT_HTTP_STAT_CODE, - DETECT_AL_HTTP_USER_AGENT, + DETECT_HTTP_USER_AGENT, DETECT_HTTP_UA, - DETECT_AL_HTTP_HOST, + DETECT_HTTP_HOST_CM, DETECT_HTTP_HOST, - DETECT_AL_HTTP_RAW_HOST, + DETECT_HTTP_RAW_HOST, DETECT_HTTP_HOST_RAW, - DETECT_AL_HTTP_REQUEST_LINE, - DETECT_AL_HTTP_RESPONSE_LINE, - DETECT_AL_NFS_PROCEDURE, - DETECT_AL_NFS_VERSION, - DETECT_AL_SSH_PROTOCOL, - DETECT_AL_SSH_PROTOVERSION, - DETECT_AL_SSH_SOFTWARE, - DETECT_AL_SSH_SOFTWAREVERSION, - DETECT_AL_SSH_HASSH, - DETECT_AL_SSH_HASSH_SERVER, - DETECT_AL_SSH_HASSH_STRING, - DETECT_AL_SSH_HASSH_SERVER_STRING, - DETECT_AL_SSL_VERSION, - DETECT_AL_SSL_STATE, + DETECT_HTTP_REQUEST_LINE, + DETECT_HTTP_RESPONSE_LINE, + DETECT_NFS_PROCEDURE, + DETECT_NFS_VERSION, + DETECT_SSH_PROTOCOL, + DETECT_SSH_PROTOVERSION, + DETECT_SSH_SOFTWARE, + DETECT_SSH_SOFTWAREVERSION, + DETECT_SSH_HASSH, + DETECT_SSH_HASSH_SERVER, + DETECT_SSH_HASSH_STRING, + DETECT_SSH_HASSH_SERVER_STRING, + DETECT_SSL_VERSION, + DETECT_SSL_STATE, DETECT_FILE_DATA, DETECT_PKT_DATA, - DETECT_AL_APP_LAYER_EVENT, + DETECT_APP_LAYER_EVENT, DETECT_HTTP2_FRAMETYPE, DETECT_HTTP2_ERRORCODE, @@ -243,48 +243,48 @@ enum DetectKeywordId { DETECT_L3PROTO, DETECT_IPREP, - DETECT_AL_DNS_QUERY, - DETECT_AL_DNS_OPCODE, - DETECT_AL_DNS_RCODE, - DETECT_AL_DNS_RRTYPE, - DETECT_AL_DNS_ANSWER_NAME, - DETECT_AL_DNS_QUERY_NAME, - DETECT_AL_TLS_SNI, - DETECT_AL_TLS_CERTS, - DETECT_AL_TLS_CERT_ISSUER, - DETECT_AL_TLS_CERT_SUBJECT, - DETECT_AL_TLS_CERT_SERIAL, - DETECT_AL_TLS_CERT_FINGERPRINT, - DETECT_AL_TLS_SUBJECTALTNAME, - DETECT_AL_TLS_RANDOM_TIME, - DETECT_AL_TLS_RANDOM_BYTES, - DETECT_AL_TLS_RANDOM, - - DETECT_AL_TLS_JA3_HASH, - DETECT_AL_TLS_JA3_STRING, - DETECT_AL_TLS_JA3S_HASH, - DETECT_AL_TLS_JA3S_STRING, - - DETECT_AL_MODBUS, - - DETECT_AL_DNP3DATA, - DETECT_AL_DNP3FUNC, - DETECT_AL_DNP3IND, - DETECT_AL_DNP3OBJ, - - DETECT_AL_KRB5_ERRCODE, - DETECT_AL_KRB5_MSGTYPE, - DETECT_AL_KRB5_CNAME, - DETECT_AL_KRB5_SNAME, - DETECT_AL_KRB5_TICKET_ENCRYPTION, - - DETECT_AL_SIP_METHOD, - DETECT_AL_SIP_URI, - DETECT_AL_SIP_PROTOCOL, - DETECT_AL_SIP_STAT_CODE, - DETECT_AL_SIP_STAT_MSG, - DETECT_AL_SIP_REQUEST_LINE, - DETECT_AL_SIP_RESPONSE_LINE, + DETECT_DNS_QUERY, + DETECT_DNS_OPCODE, + DETECT_DNS_RCODE, + DETECT_DNS_RRTYPE, + DETECT_DNS_ANSWER_NAME, + DETECT_DNS_QUERY_NAME, + DETECT_TLS_SNI, + DETECT_TLS_CERTS, + DETECT_TLS_CERT_ISSUER, + DETECT_TLS_CERT_SUBJECT, + DETECT_TLS_CERT_SERIAL, + DETECT_TLS_CERT_FINGERPRINT, + DETECT_TLS_SUBJECTALTNAME, + DETECT_TLS_RANDOM_TIME, + DETECT_TLS_RANDOM_BYTES, + DETECT_TLS_RANDOM, + + DETECT_TLS_JA3_HASH, + DETECT_TLS_JA3_STRING, + DETECT_TLS_JA3S_HASH, + DETECT_TLS_JA3S_STRING, + + DETECT_MODBUS, + + DETECT_DNP3DATA, + DETECT_DNP3FUNC, + DETECT_DNP3IND, + DETECT_DNP3OBJ, + + DETECT_KRB5_ERRCODE, + DETECT_KRB5_MSGTYPE, + DETECT_KRB5_CNAME, + DETECT_KRB5_SNAME, + DETECT_KRB5_TICKET_ENCRYPTION, + + DETECT_SIP_METHOD, + DETECT_SIP_URI, + DETECT_SIP_PROTOCOL, + DETECT_SIP_STAT_CODE, + DETECT_SIP_STAT_MSG, + DETECT_SIP_REQUEST_LINE, + DETECT_SIP_RESPONSE_LINE, DETECT_TEMPLATE, DETECT_TEMPLATE2, DETECT_IPV4HDR, @@ -296,11 +296,11 @@ enum DetectKeywordId { DETECT_TCPMSS, DETECT_FTPDATA, DETECT_TARGET, - DETECT_AL_QUIC_VERSION, - DETECT_AL_QUIC_SNI, - DETECT_AL_QUIC_UA, - DETECT_AL_QUIC_CYU_HASH, - DETECT_AL_QUIC_CYU_STRING, + DETECT_QUIC_VERSION, + DETECT_QUIC_SNI, + DETECT_QUIC_UA, + DETECT_QUIC_CYU_HASH, + DETECT_QUIC_CYU_STRING, DETECT_BYPASS, @@ -321,17 +321,17 @@ enum DetectKeywordId { DETECT_TRANSFORM_HEADER_LOWERCASE, DETECT_TRANSFORM_FROM_BASE64, - DETECT_AL_IKE_EXCH_TYPE, - DETECT_AL_IKE_SPI_INITIATOR, - DETECT_AL_IKE_SPI_RESPONDER, - DETECT_AL_IKE_VENDOR, - DETECT_AL_IKE_CHOSEN_SA, - DETECT_AL_IKE_KEY_EXCHANGE_PAYLOAD_LENGTH, - DETECT_AL_IKE_NONCE_PAYLOAD_LENGTH, - DETECT_AL_IKE_NONCE, - DETECT_AL_IKE_KEY_EXCHANGE, - - DETECT_AL_JA4_HASH, + DETECT_IKE_EXCH_TYPE, + DETECT_IKE_SPI_INITIATOR, + DETECT_IKE_SPI_RESPONDER, + DETECT_IKE_VENDOR, + DETECT_IKE_CHOSEN_SA, + DETECT_IKE_KEY_EXCHANGE_PAYLOAD_LENGTH, + DETECT_IKE_NONCE_PAYLOAD_LENGTH, + DETECT_IKE_NONCE, + DETECT_IKE_KEY_EXCHANGE, + + DETECT_JA4_HASH, DETECT_VLAN_ID, DETECT_VLAN_LAYERS, diff --git a/src/detect-http-accept-enc.c b/src/detect-http-accept-enc.c index 277e7142a278..f85712a56fdb 100644 --- a/src/detect-http-accept-enc.c +++ b/src/detect-http-accept-enc.c @@ -36,7 +36,7 @@ #define BUFFER_NAME "http_accept_enc" #define BUFFER_DESC "http accept encoding header" #define HEADER_NAME "Accept-Encoding" -#define KEYWORD_ID DETECT_AL_HTTP_HEADER_ACCEPT_ENC +#define KEYWORD_ID DETECT_HTTP_HEADER_ACCEPT_ENC #define KEYWORD_TOSERVER 1 #include "detect-http-headers-stub.h" diff --git a/src/detect-http-accept-lang.c b/src/detect-http-accept-lang.c index c83847e69a9e..d909271b529c 100644 --- a/src/detect-http-accept-lang.c +++ b/src/detect-http-accept-lang.c @@ -36,7 +36,7 @@ #define BUFFER_NAME "http_accept_lang" #define BUFFER_DESC "http accept language header" #define HEADER_NAME "Accept-Language" -#define KEYWORD_ID DETECT_AL_HTTP_HEADER_ACCEPT_LANG +#define KEYWORD_ID DETECT_HTTP_HEADER_ACCEPT_LANG #define KEYWORD_TOSERVER 1 #include "detect-http-headers-stub.h" diff --git a/src/detect-http-accept.c b/src/detect-http-accept.c index db6bec4455ca..efdfcc954980 100644 --- a/src/detect-http-accept.c +++ b/src/detect-http-accept.c @@ -36,7 +36,7 @@ #define BUFFER_NAME "http_accept" #define BUFFER_DESC "http accept header" #define HEADER_NAME "Accept" -#define KEYWORD_ID DETECT_AL_HTTP_HEADER_ACCEPT +#define KEYWORD_ID DETECT_HTTP_HEADER_ACCEPT #define KEYWORD_TOSERVER 1 #include "detect-http-headers-stub.h" diff --git a/src/detect-http-client-body.c b/src/detect-http-client-body.c index 7748bb4338a0..798a29ab66a5 100644 --- a/src/detect-http-client-body.c +++ b/src/detect-http-client-body.c @@ -85,16 +85,17 @@ static int PrefilterMpmHttpRequestBodyRegister(DetectEngineCtx *de_ctx, SigGroup void DetectHttpClientBodyRegister(void) { /* http_client_body content modifier */ - sigmatch_table[DETECT_AL_HTTP_CLIENT_BODY].name = "http_client_body"; - sigmatch_table[DETECT_AL_HTTP_CLIENT_BODY].desc = "content modifier to match only on HTTP request-body"; - sigmatch_table[DETECT_AL_HTTP_CLIENT_BODY].url = "/rules/http-keywords.html#http-client-body"; - sigmatch_table[DETECT_AL_HTTP_CLIENT_BODY].Setup = DetectHttpClientBodySetup; + sigmatch_table[DETECT_HTTP_CLIENT_BODY].name = "http_client_body"; + sigmatch_table[DETECT_HTTP_CLIENT_BODY].desc = + "content modifier to match only on HTTP request-body"; + sigmatch_table[DETECT_HTTP_CLIENT_BODY].url = "/rules/http-keywords.html#http-client-body"; + sigmatch_table[DETECT_HTTP_CLIENT_BODY].Setup = DetectHttpClientBodySetup; #ifdef UNITTESTS - sigmatch_table[DETECT_AL_HTTP_CLIENT_BODY].RegisterTests = DetectHttpClientBodyRegisterTests; + sigmatch_table[DETECT_HTTP_CLIENT_BODY].RegisterTests = DetectHttpClientBodyRegisterTests; #endif - sigmatch_table[DETECT_AL_HTTP_CLIENT_BODY].flags |= SIGMATCH_NOOPT ; - sigmatch_table[DETECT_AL_HTTP_CLIENT_BODY].flags |= SIGMATCH_INFO_CONTENT_MODIFIER; - sigmatch_table[DETECT_AL_HTTP_CLIENT_BODY].alternative = DETECT_HTTP_REQUEST_BODY; + sigmatch_table[DETECT_HTTP_CLIENT_BODY].flags |= SIGMATCH_NOOPT; + sigmatch_table[DETECT_HTTP_CLIENT_BODY].flags |= SIGMATCH_INFO_CONTENT_MODIFIER; + sigmatch_table[DETECT_HTTP_CLIENT_BODY].alternative = DETECT_HTTP_REQUEST_BODY; /* http.request_body sticky buffer */ sigmatch_table[DETECT_HTTP_REQUEST_BODY].name = "http.request_body"; @@ -149,8 +150,8 @@ static void DetectHttpClientBodySetupCallback(const DetectEngineCtx *de_ctx, */ int DetectHttpClientBodySetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg) { - return DetectEngineContentModifierBufferSetup(de_ctx, s, arg, DETECT_AL_HTTP_CLIENT_BODY, - g_http_client_body_buffer_id, ALPROTO_HTTP1); + return DetectEngineContentModifierBufferSetup( + de_ctx, s, arg, DETECT_HTTP_CLIENT_BODY, g_http_client_body_buffer_id, ALPROTO_HTTP1); } /** diff --git a/src/detect-http-connection.c b/src/detect-http-connection.c index 2db451236721..8f4061f8185c 100644 --- a/src/detect-http-connection.c +++ b/src/detect-http-connection.c @@ -36,7 +36,7 @@ #define BUFFER_NAME "http_connection" #define BUFFER_DESC "http connection header" #define HEADER_NAME "Connection" -#define KEYWORD_ID DETECT_AL_HTTP_HEADER_CONNECTION +#define KEYWORD_ID DETECT_HTTP_HEADER_CONNECTION #define KEYWORD_TOSERVER 1 #define KEYWORD_TOCLIENT 1 diff --git a/src/detect-http-content-len.c b/src/detect-http-content-len.c index b9203e2c738d..237515d5f68c 100644 --- a/src/detect-http-content-len.c +++ b/src/detect-http-content-len.c @@ -36,7 +36,7 @@ #define BUFFER_NAME "http_content_len" #define BUFFER_DESC "http content length header" #define HEADER_NAME "Content-Length" -#define KEYWORD_ID DETECT_AL_HTTP_HEADER_CONTENT_LEN +#define KEYWORD_ID DETECT_HTTP_HEADER_CONTENT_LEN #define KEYWORD_TOSERVER 1 #define KEYWORD_TOCLIENT 1 diff --git a/src/detect-http-content-type.c b/src/detect-http-content-type.c index 66d5b9567519..5e27a77875c8 100644 --- a/src/detect-http-content-type.c +++ b/src/detect-http-content-type.c @@ -36,7 +36,7 @@ #define BUFFER_NAME "http_content_type" #define BUFFER_DESC "http content type header" #define HEADER_NAME "Content-Type" -#define KEYWORD_ID DETECT_AL_HTTP_HEADER_CONTENT_TYPE +#define KEYWORD_ID DETECT_HTTP_HEADER_CONTENT_TYPE #define KEYWORD_TOSERVER 1 #define KEYWORD_TOCLIENT 1 diff --git a/src/detect-http-cookie.c b/src/detect-http-cookie.c index 013e9a276c4e..a3c0db88facf 100644 --- a/src/detect-http-cookie.c +++ b/src/detect-http-cookie.c @@ -88,16 +88,17 @@ static InspectionBuffer *GetResponseData2(DetectEngineThreadCtx *det_ctx, void DetectHttpCookieRegister(void) { /* http_cookie content modifier */ - sigmatch_table[DETECT_AL_HTTP_COOKIE].name = "http_cookie"; - sigmatch_table[DETECT_AL_HTTP_COOKIE].desc = "content modifier to match only on the HTTP cookie-buffer"; - sigmatch_table[DETECT_AL_HTTP_COOKIE].url = "/rules/http-keywords.html#http-cookie"; - sigmatch_table[DETECT_AL_HTTP_COOKIE].Setup = DetectHttpCookieSetup; + sigmatch_table[DETECT_HTTP_COOKIE_CM].name = "http_cookie"; + sigmatch_table[DETECT_HTTP_COOKIE_CM].desc = + "content modifier to match only on the HTTP cookie-buffer"; + sigmatch_table[DETECT_HTTP_COOKIE_CM].url = "/rules/http-keywords.html#http-cookie"; + sigmatch_table[DETECT_HTTP_COOKIE_CM].Setup = DetectHttpCookieSetup; #ifdef UNITTESTS - sigmatch_table[DETECT_AL_HTTP_COOKIE].RegisterTests = DetectHttpCookieRegisterTests; + sigmatch_table[DETECT_HTTP_COOKIE_CM].RegisterTests = DetectHttpCookieRegisterTests; #endif - sigmatch_table[DETECT_AL_HTTP_COOKIE].flags |= SIGMATCH_NOOPT; - sigmatch_table[DETECT_AL_HTTP_COOKIE].flags |= SIGMATCH_INFO_CONTENT_MODIFIER; - sigmatch_table[DETECT_AL_HTTP_COOKIE].alternative = DETECT_HTTP_COOKIE; + sigmatch_table[DETECT_HTTP_COOKIE_CM].flags |= SIGMATCH_NOOPT; + sigmatch_table[DETECT_HTTP_COOKIE_CM].flags |= SIGMATCH_INFO_CONTENT_MODIFIER; + sigmatch_table[DETECT_HTTP_COOKIE_CM].alternative = DETECT_HTTP_COOKIE; /* http.cookie sticky buffer */ sigmatch_table[DETECT_HTTP_COOKIE].name = "http.cookie"; @@ -147,7 +148,7 @@ void DetectHttpCookieRegister(void) static int DetectHttpCookieSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str) { return DetectEngineContentModifierBufferSetup( - de_ctx, s, str, DETECT_AL_HTTP_COOKIE, g_http_cookie_buffer_id, ALPROTO_HTTP1); + de_ctx, s, str, DETECT_HTTP_COOKIE_CM, g_http_cookie_buffer_id, ALPROTO_HTTP1); } /** diff --git a/src/detect-http-header-names.c b/src/detect-http-header-names.c index 4b863ea6b5eb..4e7bccf3c09a 100644 --- a/src/detect-http-header-names.c +++ b/src/detect-http-header-names.c @@ -211,13 +211,13 @@ static int DetectHttpHeaderNamesSetup(DetectEngineCtx *de_ctx, Signature *s, con */ void DetectHttpHeaderNamesRegister(void) { - sigmatch_table[DETECT_AL_HTTP_HEADER_NAMES].name = KEYWORD_NAME; - sigmatch_table[DETECT_AL_HTTP_HEADER_NAMES].alias = KEYWORD_NAME_LEGACY; - sigmatch_table[DETECT_AL_HTTP_HEADER_NAMES].desc = BUFFER_NAME " sticky buffer"; - sigmatch_table[DETECT_AL_HTTP_HEADER_NAMES].url = "/rules/" KEYWORD_DOC; - sigmatch_table[DETECT_AL_HTTP_HEADER_NAMES].Setup = DetectHttpHeaderNamesSetup; + sigmatch_table[DETECT_HTTP_HEADER_NAMES].name = KEYWORD_NAME; + sigmatch_table[DETECT_HTTP_HEADER_NAMES].alias = KEYWORD_NAME_LEGACY; + sigmatch_table[DETECT_HTTP_HEADER_NAMES].desc = BUFFER_NAME " sticky buffer"; + sigmatch_table[DETECT_HTTP_HEADER_NAMES].url = "/rules/" KEYWORD_DOC; + sigmatch_table[DETECT_HTTP_HEADER_NAMES].Setup = DetectHttpHeaderNamesSetup; - sigmatch_table[DETECT_AL_HTTP_HEADER_NAMES].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER; + sigmatch_table[DETECT_HTTP_HEADER_NAMES].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER; /* http1 */ DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister, diff --git a/src/detect-http-header.c b/src/detect-http-header.c index 6861c0986f0b..f0b4d59f700a 100644 --- a/src/detect-http-header.c +++ b/src/detect-http-header.c @@ -380,7 +380,7 @@ static int PrefilterMpmHttpHeaderResponseRegister(DetectEngineCtx *de_ctx, SigGr static int DetectHttpHeaderSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg) { return DetectEngineContentModifierBufferSetup( - de_ctx, s, arg, DETECT_AL_HTTP_HEADER, g_http_header_buffer_id, ALPROTO_HTTP1); + de_ctx, s, arg, DETECT_HTTP_HEADER_CM, g_http_header_buffer_id, ALPROTO_HTTP1); } /** @@ -407,16 +407,18 @@ static int DetectHttpHeaderSetupSticky(DetectEngineCtx *de_ctx, Signature *s, co void DetectHttpHeaderRegister(void) { /* http_header content modifier */ - sigmatch_table[DETECT_AL_HTTP_HEADER].name = "http_header"; - sigmatch_table[DETECT_AL_HTTP_HEADER].desc = "content modifier to match only on the HTTP header-buffer"; - sigmatch_table[DETECT_AL_HTTP_HEADER].url = "/rules/http-keywords.html#http-header-and-http-raw-header"; - sigmatch_table[DETECT_AL_HTTP_HEADER].Setup = DetectHttpHeaderSetup; + sigmatch_table[DETECT_HTTP_HEADER_CM].name = "http_header"; + sigmatch_table[DETECT_HTTP_HEADER_CM].desc = + "content modifier to match only on the HTTP header-buffer"; + sigmatch_table[DETECT_HTTP_HEADER_CM].url = + "/rules/http-keywords.html#http-header-and-http-raw-header"; + sigmatch_table[DETECT_HTTP_HEADER_CM].Setup = DetectHttpHeaderSetup; #ifdef UNITTESTS - sigmatch_table[DETECT_AL_HTTP_HEADER].RegisterTests = DetectHttpHeaderRegisterTests; + sigmatch_table[DETECT_HTTP_HEADER_CM].RegisterTests = DetectHttpHeaderRegisterTests; #endif - sigmatch_table[DETECT_AL_HTTP_HEADER].flags |= SIGMATCH_NOOPT ; - sigmatch_table[DETECT_AL_HTTP_HEADER].flags |= SIGMATCH_INFO_CONTENT_MODIFIER; - sigmatch_table[DETECT_AL_HTTP_HEADER].alternative = DETECT_HTTP_HEADER; + sigmatch_table[DETECT_HTTP_HEADER_CM].flags |= SIGMATCH_NOOPT; + sigmatch_table[DETECT_HTTP_HEADER_CM].flags |= SIGMATCH_INFO_CONTENT_MODIFIER; + sigmatch_table[DETECT_HTTP_HEADER_CM].alternative = DETECT_HTTP_HEADER; /* http.header sticky buffer */ sigmatch_table[DETECT_HTTP_HEADER].name = "http.header"; diff --git a/src/detect-http-host.c b/src/detect-http-host.c index 4b420bc2932d..9f6fe9d962b6 100644 --- a/src/detect-http-host.c +++ b/src/detect-http-host.c @@ -89,15 +89,16 @@ static int g_http_host_buffer_id = 0; void DetectHttpHHRegister(void) { /* http_host content modifier */ - sigmatch_table[DETECT_AL_HTTP_HOST].name = "http_host"; - sigmatch_table[DETECT_AL_HTTP_HOST].desc = "content modifier to match on the HTTP hostname"; - sigmatch_table[DETECT_AL_HTTP_HOST].url = "/rules/http-keywords.html#http-host-and-http-raw-host"; - sigmatch_table[DETECT_AL_HTTP_HOST].Setup = DetectHttpHHSetup; + sigmatch_table[DETECT_HTTP_HOST_CM].name = "http_host"; + sigmatch_table[DETECT_HTTP_HOST_CM].desc = "content modifier to match on the HTTP hostname"; + sigmatch_table[DETECT_HTTP_HOST_CM].url = + "/rules/http-keywords.html#http-host-and-http-raw-host"; + sigmatch_table[DETECT_HTTP_HOST_CM].Setup = DetectHttpHHSetup; #ifdef UNITTESTS - sigmatch_table[DETECT_AL_HTTP_HOST].RegisterTests = DetectHttpHHRegisterTests; + sigmatch_table[DETECT_HTTP_HOST_CM].RegisterTests = DetectHttpHHRegisterTests; #endif - sigmatch_table[DETECT_AL_HTTP_HOST].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_CONTENT_MODIFIER; - sigmatch_table[DETECT_AL_HTTP_HOST].alternative = DETECT_HTTP_HOST; + sigmatch_table[DETECT_HTTP_HOST_CM].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_CONTENT_MODIFIER; + sigmatch_table[DETECT_HTTP_HOST_CM].alternative = DETECT_HTTP_HOST; /* http.host sticky buffer */ sigmatch_table[DETECT_HTTP_HOST].name = "http.host"; @@ -127,12 +128,14 @@ void DetectHttpHHRegister(void) g_http_host_buffer_id = DetectBufferTypeGetByName("http_host"); /* http_raw_host content modifier */ - sigmatch_table[DETECT_AL_HTTP_RAW_HOST].name = "http_raw_host"; - sigmatch_table[DETECT_AL_HTTP_RAW_HOST].desc = "content modifier to match on the HTTP host header or the raw hostname from the HTTP uri"; - sigmatch_table[DETECT_AL_HTTP_RAW_HOST].url = "/rules/http-keywords.html#http-host-and-http-raw-host"; - sigmatch_table[DETECT_AL_HTTP_RAW_HOST].Setup = DetectHttpHRHSetup; - sigmatch_table[DETECT_AL_HTTP_RAW_HOST].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_CONTENT_MODIFIER; - sigmatch_table[DETECT_AL_HTTP_RAW_HOST].alternative = DETECT_HTTP_HOST_RAW; + sigmatch_table[DETECT_HTTP_RAW_HOST].name = "http_raw_host"; + sigmatch_table[DETECT_HTTP_RAW_HOST].desc = "content modifier to match on the HTTP host header " + "or the raw hostname from the HTTP uri"; + sigmatch_table[DETECT_HTTP_RAW_HOST].url = + "/rules/http-keywords.html#http-host-and-http-raw-host"; + sigmatch_table[DETECT_HTTP_RAW_HOST].Setup = DetectHttpHRHSetup; + sigmatch_table[DETECT_HTTP_RAW_HOST].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_CONTENT_MODIFIER; + sigmatch_table[DETECT_HTTP_RAW_HOST].alternative = DETECT_HTTP_HOST_RAW; /* http.host sticky buffer */ sigmatch_table[DETECT_HTTP_HOST_RAW].name = "http.host.raw"; @@ -175,7 +178,7 @@ void DetectHttpHHRegister(void) static int DetectHttpHHSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg) { return DetectEngineContentModifierBufferSetup( - de_ctx, s, arg, DETECT_AL_HTTP_HOST, g_http_host_buffer_id, ALPROTO_HTTP1); + de_ctx, s, arg, DETECT_HTTP_HOST_CM, g_http_host_buffer_id, ALPROTO_HTTP1); } static bool DetectHttpHostValidateCallback(const Signature *s, const char **sigerror) @@ -314,7 +317,7 @@ static InspectionBuffer *GetRawData2(DetectEngineThreadCtx *det_ctx, int DetectHttpHRHSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg) { return DetectEngineContentModifierBufferSetup( - de_ctx, s, arg, DETECT_AL_HTTP_RAW_HOST, g_http_raw_host_buffer_id, ALPROTO_HTTP1); + de_ctx, s, arg, DETECT_HTTP_RAW_HOST, g_http_raw_host_buffer_id, ALPROTO_HTTP1); } /** diff --git a/src/detect-http-location.c b/src/detect-http-location.c index bd4eb15dc9c3..cbe36d245a4d 100644 --- a/src/detect-http-location.c +++ b/src/detect-http-location.c @@ -38,7 +38,7 @@ #define BUFFER_NAME "http.location" #define BUFFER_DESC "http location header" #define HEADER_NAME "Location" -#define KEYWORD_ID DETECT_AL_HTTP_HEADER_LOCATION +#define KEYWORD_ID DETECT_HTTP_HEADER_LOCATION #define KEYWORD_TOCLIENT 1 #include "detect-http-headers-stub.h" diff --git a/src/detect-http-method.c b/src/detect-http-method.c index 220265e6c8f6..2d2e1809a45e 100644 --- a/src/detect-http-method.c +++ b/src/detect-http-method.c @@ -80,16 +80,17 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, void DetectHttpMethodRegister(void) { /* http_method content modifier */ - sigmatch_table[DETECT_AL_HTTP_METHOD].name = "http_method"; - sigmatch_table[DETECT_AL_HTTP_METHOD].desc = "content modifier to match only on the HTTP method-buffer"; - sigmatch_table[DETECT_AL_HTTP_METHOD].url = "/rules/http-keywords.html#http-method"; - sigmatch_table[DETECT_AL_HTTP_METHOD].Match = NULL; - sigmatch_table[DETECT_AL_HTTP_METHOD].Setup = DetectHttpMethodSetup; + sigmatch_table[DETECT_HTTP_METHOD_CM].name = "http_method"; + sigmatch_table[DETECT_HTTP_METHOD_CM].desc = + "content modifier to match only on the HTTP method-buffer"; + sigmatch_table[DETECT_HTTP_METHOD_CM].url = "/rules/http-keywords.html#http-method"; + sigmatch_table[DETECT_HTTP_METHOD_CM].Match = NULL; + sigmatch_table[DETECT_HTTP_METHOD_CM].Setup = DetectHttpMethodSetup; #ifdef UNITTESTS - sigmatch_table[DETECT_AL_HTTP_METHOD].RegisterTests = DetectHttpMethodRegisterTests; + sigmatch_table[DETECT_HTTP_METHOD_CM].RegisterTests = DetectHttpMethodRegisterTests; #endif - sigmatch_table[DETECT_AL_HTTP_METHOD].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_CONTENT_MODIFIER; - sigmatch_table[DETECT_AL_HTTP_METHOD].alternative = DETECT_HTTP_METHOD; + sigmatch_table[DETECT_HTTP_METHOD_CM].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_CONTENT_MODIFIER; + sigmatch_table[DETECT_HTTP_METHOD_CM].alternative = DETECT_HTTP_METHOD; /* http.method sticky buffer */ sigmatch_table[DETECT_HTTP_METHOD].name = "http.method"; @@ -135,7 +136,7 @@ void DetectHttpMethodRegister(void) static int DetectHttpMethodSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str) { return DetectEngineContentModifierBufferSetup( - de_ctx, s, str, DETECT_AL_HTTP_METHOD, g_http_method_buffer_id, ALPROTO_HTTP1); + de_ctx, s, str, DETECT_HTTP_METHOD_CM, g_http_method_buffer_id, ALPROTO_HTTP1); } /** diff --git a/src/detect-http-protocol.c b/src/detect-http-protocol.c index 39c643716c80..6ef48b9b011a 100644 --- a/src/detect-http-protocol.c +++ b/src/detect-http-protocol.c @@ -158,12 +158,12 @@ static bool DetectHttpProtocolValidateCallback(const Signature *s, const char ** */ void DetectHttpProtocolRegister(void) { - sigmatch_table[DETECT_AL_HTTP_PROTOCOL].name = KEYWORD_NAME; - sigmatch_table[DETECT_AL_HTTP_PROTOCOL].alias = KEYWORD_NAME_LEGACY; - sigmatch_table[DETECT_AL_HTTP_PROTOCOL].desc = BUFFER_NAME " sticky buffer"; - sigmatch_table[DETECT_AL_HTTP_PROTOCOL].url = "/rules/" KEYWORD_DOC; - sigmatch_table[DETECT_AL_HTTP_PROTOCOL].Setup = DetectHttpProtocolSetup; - sigmatch_table[DETECT_AL_HTTP_PROTOCOL].flags |= SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_NOOPT; + sigmatch_table[DETECT_HTTP_PROTOCOL].name = KEYWORD_NAME; + sigmatch_table[DETECT_HTTP_PROTOCOL].alias = KEYWORD_NAME_LEGACY; + sigmatch_table[DETECT_HTTP_PROTOCOL].desc = BUFFER_NAME " sticky buffer"; + sigmatch_table[DETECT_HTTP_PROTOCOL].url = "/rules/" KEYWORD_DOC; + sigmatch_table[DETECT_HTTP_PROTOCOL].Setup = DetectHttpProtocolSetup; + sigmatch_table[DETECT_HTTP_PROTOCOL].flags |= SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_NOOPT; DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister, GetData, ALPROTO_HTTP1, HTP_REQUEST_PROGRESS_LINE); diff --git a/src/detect-http-raw-header.c b/src/detect-http-raw-header.c index 9b1951f57c30..95f2a282d291 100644 --- a/src/detect-http-raw-header.c +++ b/src/detect-http-raw-header.c @@ -79,15 +79,18 @@ static int PrefilterMpmHttpHeaderRawResponseRegister(DetectEngineCtx *de_ctx, Si void DetectHttpRawHeaderRegister(void) { /* http_raw_header content modifier */ - sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].name = "http_raw_header"; - sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].desc = "content modifier to match the raw HTTP header buffer"; - sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].url = "/rules/http-keywords.html#http-header-and-http-raw-header"; - sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].Setup = DetectHttpRawHeaderSetup; + sigmatch_table[DETECT_HTTP_RAW_HEADER_CM].name = "http_raw_header"; + sigmatch_table[DETECT_HTTP_RAW_HEADER_CM].desc = + "content modifier to match the raw HTTP header buffer"; + sigmatch_table[DETECT_HTTP_RAW_HEADER_CM].url = + "/rules/http-keywords.html#http-header-and-http-raw-header"; + sigmatch_table[DETECT_HTTP_RAW_HEADER_CM].Setup = DetectHttpRawHeaderSetup; #ifdef UNITTESTS - sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].RegisterTests = DetectHttpRawHeaderRegisterTests; + sigmatch_table[DETECT_HTTP_RAW_HEADER_CM].RegisterTests = DetectHttpRawHeaderRegisterTests; #endif - sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_CONTENT_MODIFIER; - sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].alternative = DETECT_HTTP_RAW_HEADER; + sigmatch_table[DETECT_HTTP_RAW_HEADER_CM].flags |= + SIGMATCH_NOOPT | SIGMATCH_INFO_CONTENT_MODIFIER; + sigmatch_table[DETECT_HTTP_RAW_HEADER_CM].alternative = DETECT_HTTP_RAW_HEADER; /* http.header.raw sticky buffer */ sigmatch_table[DETECT_HTTP_RAW_HEADER].name = "http.header.raw"; @@ -143,7 +146,7 @@ void DetectHttpRawHeaderRegister(void) int DetectHttpRawHeaderSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg) { return DetectEngineContentModifierBufferSetup( - de_ctx, s, arg, DETECT_AL_HTTP_RAW_HEADER, g_http_raw_header_buffer_id, ALPROTO_HTTP1); + de_ctx, s, arg, DETECT_HTTP_RAW_HEADER_CM, g_http_raw_header_buffer_id, ALPROTO_HTTP1); } /** diff --git a/src/detect-http-referer.c b/src/detect-http-referer.c index 5ade2071a314..292778869ae3 100644 --- a/src/detect-http-referer.c +++ b/src/detect-http-referer.c @@ -36,7 +36,7 @@ #define BUFFER_NAME "http_referer" #define BUFFER_DESC "http referer header" #define HEADER_NAME "Referer" -#define KEYWORD_ID DETECT_AL_HTTP_HEADER_REFERER +#define KEYWORD_ID DETECT_HTTP_HEADER_REFERER #define KEYWORD_TOSERVER 1 #include "detect-http-headers-stub.h" diff --git a/src/detect-http-request-line.c b/src/detect-http-request-line.c index 4ad17bc3d137..ffa665752aeb 100644 --- a/src/detect-http-request-line.c +++ b/src/detect-http-request-line.c @@ -99,16 +99,17 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, */ void DetectHttpRequestLineRegister(void) { - sigmatch_table[DETECT_AL_HTTP_REQUEST_LINE].name = "http.request_line"; - sigmatch_table[DETECT_AL_HTTP_REQUEST_LINE].alias = "http_request_line"; - sigmatch_table[DETECT_AL_HTTP_REQUEST_LINE].desc = "sticky buffer to match on the HTTP request line"; - sigmatch_table[DETECT_AL_HTTP_REQUEST_LINE].url = "/rules/http-keywords.html#http-request-line"; - sigmatch_table[DETECT_AL_HTTP_REQUEST_LINE].Match = NULL; - sigmatch_table[DETECT_AL_HTTP_REQUEST_LINE].Setup = DetectHttpRequestLineSetup; + sigmatch_table[DETECT_HTTP_REQUEST_LINE].name = "http.request_line"; + sigmatch_table[DETECT_HTTP_REQUEST_LINE].alias = "http_request_line"; + sigmatch_table[DETECT_HTTP_REQUEST_LINE].desc = + "sticky buffer to match on the HTTP request line"; + sigmatch_table[DETECT_HTTP_REQUEST_LINE].url = "/rules/http-keywords.html#http-request-line"; + sigmatch_table[DETECT_HTTP_REQUEST_LINE].Match = NULL; + sigmatch_table[DETECT_HTTP_REQUEST_LINE].Setup = DetectHttpRequestLineSetup; #ifdef UNITTESTS - sigmatch_table[DETECT_AL_HTTP_REQUEST_LINE].RegisterTests = DetectHttpRequestLineRegisterTests; + sigmatch_table[DETECT_HTTP_REQUEST_LINE].RegisterTests = DetectHttpRequestLineRegisterTests; #endif - sigmatch_table[DETECT_AL_HTTP_REQUEST_LINE].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER; + sigmatch_table[DETECT_HTTP_REQUEST_LINE].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER; DetectAppLayerInspectEngineRegister("http_request_line", ALPROTO_HTTP1, SIG_FLAG_TOSERVER, HTP_REQUEST_PROGRESS_LINE, DetectEngineInspectBufferGeneric, GetData); diff --git a/src/detect-http-response-line.c b/src/detect-http-response-line.c index 2604fdc7cbd9..ffa02368dee4 100644 --- a/src/detect-http-response-line.c +++ b/src/detect-http-response-line.c @@ -99,15 +99,16 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, */ void DetectHttpResponseLineRegister(void) { - sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].name = "http.response_line"; - sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].alias = "http_response_line"; - sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].desc = "content modifier to match only on the HTTP response line"; - sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].url = "/rules/http-keywords.html#http-response-line"; - sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].Setup = DetectHttpResponseLineSetup; + sigmatch_table[DETECT_HTTP_RESPONSE_LINE].name = "http.response_line"; + sigmatch_table[DETECT_HTTP_RESPONSE_LINE].alias = "http_response_line"; + sigmatch_table[DETECT_HTTP_RESPONSE_LINE].desc = + "content modifier to match only on the HTTP response line"; + sigmatch_table[DETECT_HTTP_RESPONSE_LINE].url = "/rules/http-keywords.html#http-response-line"; + sigmatch_table[DETECT_HTTP_RESPONSE_LINE].Setup = DetectHttpResponseLineSetup; #ifdef UNITTESTS - sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].RegisterTests = DetectHttpResponseLineRegisterTests; + sigmatch_table[DETECT_HTTP_RESPONSE_LINE].RegisterTests = DetectHttpResponseLineRegisterTests; #endif - sigmatch_table[DETECT_AL_HTTP_RESPONSE_LINE].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER; + sigmatch_table[DETECT_HTTP_RESPONSE_LINE].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER; DetectAppLayerInspectEngineRegister("http_response_line", ALPROTO_HTTP1, SIG_FLAG_TOCLIENT, HTP_RESPONSE_PROGRESS_LINE, DetectEngineInspectBufferGeneric, GetData); diff --git a/src/detect-http-server-body.c b/src/detect-http-server-body.c index 28833a8a75bf..6ef4594ec94e 100644 --- a/src/detect-http-server-body.c +++ b/src/detect-http-server-body.c @@ -68,16 +68,17 @@ static int g_buffer_id = 0; void DetectHttpServerBodyRegister(void) { /* http_server_body content modifier */ - sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].name = "http_server_body"; - sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].desc = "content modifier to match on the HTTP response-body"; - sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].url = "/rules/http-keywords.html#http-server-body"; - sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].Setup = DetectHttpServerBodySetup; + sigmatch_table[DETECT_HTTP_SERVER_BODY].name = "http_server_body"; + sigmatch_table[DETECT_HTTP_SERVER_BODY].desc = + "content modifier to match on the HTTP response-body"; + sigmatch_table[DETECT_HTTP_SERVER_BODY].url = "/rules/http-keywords.html#http-server-body"; + sigmatch_table[DETECT_HTTP_SERVER_BODY].Setup = DetectHttpServerBodySetup; #ifdef UNITTESTS - sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].RegisterTests = DetectHttpServerBodyRegisterTests; + sigmatch_table[DETECT_HTTP_SERVER_BODY].RegisterTests = DetectHttpServerBodyRegisterTests; #endif - sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].flags |= SIGMATCH_NOOPT; - sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].flags |= SIGMATCH_INFO_CONTENT_MODIFIER; - sigmatch_table[DETECT_AL_HTTP_SERVER_BODY].alternative = DETECT_HTTP_RESPONSE_BODY; + sigmatch_table[DETECT_HTTP_SERVER_BODY].flags |= SIGMATCH_NOOPT; + sigmatch_table[DETECT_HTTP_SERVER_BODY].flags |= SIGMATCH_INFO_CONTENT_MODIFIER; + sigmatch_table[DETECT_HTTP_SERVER_BODY].alternative = DETECT_HTTP_RESPONSE_BODY; /* http.request_body sticky buffer */ sigmatch_table[DETECT_HTTP_RESPONSE_BODY].name = "http.response_body"; @@ -106,7 +107,7 @@ void DetectHttpServerBodyRegister(void) int DetectHttpServerBodySetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg) { return DetectEngineContentModifierBufferSetup( - de_ctx, s, arg, DETECT_AL_HTTP_SERVER_BODY, g_buffer_id, ALPROTO_HTTP1); + de_ctx, s, arg, DETECT_HTTP_SERVER_BODY, g_buffer_id, ALPROTO_HTTP1); } /** diff --git a/src/detect-http-server.c b/src/detect-http-server.c index d0d598419acb..1424e5b436d7 100644 --- a/src/detect-http-server.c +++ b/src/detect-http-server.c @@ -38,7 +38,7 @@ #define BUFFER_NAME "http.server" #define BUFFER_DESC "http server header" #define HEADER_NAME "Server" -#define KEYWORD_ID DETECT_AL_HTTP_HEADER_SERVER +#define KEYWORD_ID DETECT_HTTP_HEADER_SERVER #define KEYWORD_TOCLIENT 1 #include "detect-http-headers-stub.h" diff --git a/src/detect-http-start.c b/src/detect-http-start.c index 82e6299d70ee..d650f77f81ed 100644 --- a/src/detect-http-start.c +++ b/src/detect-http-start.c @@ -182,12 +182,12 @@ static int DetectHttpStartSetup(DetectEngineCtx *de_ctx, Signature *s, const cha */ void DetectHttpStartRegister(void) { - sigmatch_table[DETECT_AL_HTTP_START].name = KEYWORD_NAME; - sigmatch_table[DETECT_AL_HTTP_START].alias = KEYWORD_NAME_LEGACY; - sigmatch_table[DETECT_AL_HTTP_START].desc = BUFFER_NAME " sticky buffer"; - sigmatch_table[DETECT_AL_HTTP_START].url = "/rules/" KEYWORD_DOC; - sigmatch_table[DETECT_AL_HTTP_START].Setup = DetectHttpStartSetup; - sigmatch_table[DETECT_AL_HTTP_START].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER; + sigmatch_table[DETECT_HTTP_START].name = KEYWORD_NAME; + sigmatch_table[DETECT_HTTP_START].alias = KEYWORD_NAME_LEGACY; + sigmatch_table[DETECT_HTTP_START].desc = BUFFER_NAME " sticky buffer"; + sigmatch_table[DETECT_HTTP_START].url = "/rules/" KEYWORD_DOC; + sigmatch_table[DETECT_HTTP_START].Setup = DetectHttpStartSetup; + sigmatch_table[DETECT_HTTP_START].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER; DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister, GetBuffer1ForTX, ALPROTO_HTTP1, HTP_REQUEST_PROGRESS_HEADERS); diff --git a/src/detect-http-stat-code.c b/src/detect-http-stat-code.c index c1a537a681aa..0b403f9960db 100644 --- a/src/detect-http-stat-code.c +++ b/src/detect-http-stat-code.c @@ -82,15 +82,17 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, void DetectHttpStatCodeRegister (void) { /* http_stat_code content modifier */ - sigmatch_table[DETECT_AL_HTTP_STAT_CODE].name = "http_stat_code"; - sigmatch_table[DETECT_AL_HTTP_STAT_CODE].desc = "content modifier to match only on HTTP stat-code-buffer"; - sigmatch_table[DETECT_AL_HTTP_STAT_CODE].url = "/rules/http-keywords.html#http-stat-code"; - sigmatch_table[DETECT_AL_HTTP_STAT_CODE].Setup = DetectHttpStatCodeSetup; + sigmatch_table[DETECT_HTTP_STAT_CODE_CM].name = "http_stat_code"; + sigmatch_table[DETECT_HTTP_STAT_CODE_CM].desc = + "content modifier to match only on HTTP stat-code-buffer"; + sigmatch_table[DETECT_HTTP_STAT_CODE_CM].url = "/rules/http-keywords.html#http-stat-code"; + sigmatch_table[DETECT_HTTP_STAT_CODE_CM].Setup = DetectHttpStatCodeSetup; #ifdef UNITTESTS - sigmatch_table[DETECT_AL_HTTP_STAT_CODE].RegisterTests = DetectHttpStatCodeRegisterTests; + sigmatch_table[DETECT_HTTP_STAT_CODE_CM].RegisterTests = DetectHttpStatCodeRegisterTests; #endif - sigmatch_table[DETECT_AL_HTTP_STAT_CODE].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_CONTENT_MODIFIER; - sigmatch_table[DETECT_AL_HTTP_STAT_CODE].alternative = DETECT_HTTP_STAT_CODE; + sigmatch_table[DETECT_HTTP_STAT_CODE_CM].flags |= + SIGMATCH_NOOPT | SIGMATCH_INFO_CONTENT_MODIFIER; + sigmatch_table[DETECT_HTTP_STAT_CODE_CM].alternative = DETECT_HTTP_STAT_CODE; /* http.stat_code content modifier */ sigmatch_table[DETECT_HTTP_STAT_CODE].name = "http.stat_code"; @@ -131,7 +133,7 @@ void DetectHttpStatCodeRegister (void) static int DetectHttpStatCodeSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg) { return DetectEngineContentModifierBufferSetup( - de_ctx, s, arg, DETECT_AL_HTTP_STAT_CODE, g_http_stat_code_buffer_id, ALPROTO_HTTP1); + de_ctx, s, arg, DETECT_HTTP_STAT_CODE_CM, g_http_stat_code_buffer_id, ALPROTO_HTTP1); } /** diff --git a/src/detect-http-stat-msg.c b/src/detect-http-stat-msg.c index db2da4e712cf..2e08b8acb854 100644 --- a/src/detect-http-stat-msg.c +++ b/src/detect-http-stat-msg.c @@ -92,15 +92,17 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, void DetectHttpStatMsgRegister (void) { /* http_stat_msg content modifier */ - sigmatch_table[DETECT_AL_HTTP_STAT_MSG].name = "http_stat_msg"; - sigmatch_table[DETECT_AL_HTTP_STAT_MSG].desc = "content modifier to match on HTTP stat-msg-buffer"; - sigmatch_table[DETECT_AL_HTTP_STAT_MSG].url = "/rules/http-keywords.html#http-stat-msg"; - sigmatch_table[DETECT_AL_HTTP_STAT_MSG].Setup = DetectHttpStatMsgSetup; + sigmatch_table[DETECT_HTTP_STAT_MSG_CM].name = "http_stat_msg"; + sigmatch_table[DETECT_HTTP_STAT_MSG_CM].desc = + "content modifier to match on HTTP stat-msg-buffer"; + sigmatch_table[DETECT_HTTP_STAT_MSG_CM].url = "/rules/http-keywords.html#http-stat-msg"; + sigmatch_table[DETECT_HTTP_STAT_MSG_CM].Setup = DetectHttpStatMsgSetup; #ifdef UNITTESTS - sigmatch_table[DETECT_AL_HTTP_STAT_MSG].RegisterTests = DetectHttpStatMsgRegisterTests; + sigmatch_table[DETECT_HTTP_STAT_MSG_CM].RegisterTests = DetectHttpStatMsgRegisterTests; #endif - sigmatch_table[DETECT_AL_HTTP_STAT_MSG].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_CONTENT_MODIFIER; - sigmatch_table[DETECT_AL_HTTP_STAT_MSG].alternative = DETECT_HTTP_STAT_MSG; + sigmatch_table[DETECT_HTTP_STAT_MSG_CM].flags |= + SIGMATCH_NOOPT | SIGMATCH_INFO_CONTENT_MODIFIER; + sigmatch_table[DETECT_HTTP_STAT_MSG_CM].alternative = DETECT_HTTP_STAT_MSG; /* http.stat_msg sticky buffer */ sigmatch_table[DETECT_HTTP_STAT_MSG].name = "http.stat_msg"; @@ -140,7 +142,7 @@ void DetectHttpStatMsgRegister (void) static int DetectHttpStatMsgSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg) { return DetectEngineContentModifierBufferSetup( - de_ctx, s, arg, DETECT_AL_HTTP_STAT_MSG, g_http_stat_msg_buffer_id, ALPROTO_HTTP1); + de_ctx, s, arg, DETECT_HTTP_STAT_MSG_CM, g_http_stat_msg_buffer_id, ALPROTO_HTTP1); } /** diff --git a/src/detect-http-ua.c b/src/detect-http-ua.c index 29d3f4f256b5..2972b249dbd3 100644 --- a/src/detect-http-ua.c +++ b/src/detect-http-ua.c @@ -80,16 +80,17 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, void DetectHttpUARegister(void) { /* http_user_agent content modifier */ - sigmatch_table[DETECT_AL_HTTP_USER_AGENT].name = "http_user_agent"; - sigmatch_table[DETECT_AL_HTTP_USER_AGENT].desc = "content modifier to match only on the HTTP User-Agent header"; - sigmatch_table[DETECT_AL_HTTP_USER_AGENT].url = "/rules/http-keywords.html#http-user-agent"; - sigmatch_table[DETECT_AL_HTTP_USER_AGENT].Setup = DetectHttpUASetup; + sigmatch_table[DETECT_HTTP_USER_AGENT].name = "http_user_agent"; + sigmatch_table[DETECT_HTTP_USER_AGENT].desc = + "content modifier to match only on the HTTP User-Agent header"; + sigmatch_table[DETECT_HTTP_USER_AGENT].url = "/rules/http-keywords.html#http-user-agent"; + sigmatch_table[DETECT_HTTP_USER_AGENT].Setup = DetectHttpUASetup; #ifdef UNITTESTS - sigmatch_table[DETECT_AL_HTTP_USER_AGENT].RegisterTests = DetectHttpUARegisterTests; + sigmatch_table[DETECT_HTTP_USER_AGENT].RegisterTests = DetectHttpUARegisterTests; #endif - sigmatch_table[DETECT_AL_HTTP_USER_AGENT].flags |= SIGMATCH_NOOPT; - sigmatch_table[DETECT_AL_HTTP_USER_AGENT].flags |= SIGMATCH_INFO_CONTENT_MODIFIER; - sigmatch_table[DETECT_AL_HTTP_USER_AGENT].alternative = DETECT_HTTP_UA; + sigmatch_table[DETECT_HTTP_USER_AGENT].flags |= SIGMATCH_NOOPT; + sigmatch_table[DETECT_HTTP_USER_AGENT].flags |= SIGMATCH_INFO_CONTENT_MODIFIER; + sigmatch_table[DETECT_HTTP_USER_AGENT].alternative = DETECT_HTTP_UA; /* http.user_agent sticky buffer */ sigmatch_table[DETECT_HTTP_UA].name = "http.user_agent"; @@ -133,7 +134,7 @@ void DetectHttpUARegister(void) int DetectHttpUASetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg) { return DetectEngineContentModifierBufferSetup( - de_ctx, s, arg, DETECT_AL_HTTP_USER_AGENT, g_http_ua_buffer_id, ALPROTO_HTTP1); + de_ctx, s, arg, DETECT_HTTP_USER_AGENT, g_http_ua_buffer_id, ALPROTO_HTTP1); } /** diff --git a/src/detect-http-uri.c b/src/detect-http-uri.c index 5254424471f6..04b6179fa9bb 100644 --- a/src/detect-http-uri.c +++ b/src/detect-http-uri.c @@ -90,15 +90,16 @@ static int g_http_uri_buffer_id = 0; void DetectHttpUriRegister (void) { /* http_uri content modifier */ - sigmatch_table[DETECT_AL_HTTP_URI].name = "http_uri"; - sigmatch_table[DETECT_AL_HTTP_URI].desc = "content modifier to match specifically and only on the HTTP uri-buffer"; - sigmatch_table[DETECT_AL_HTTP_URI].url = "/rules/http-keywords.html#http-uri-and-http-uri-raw"; - sigmatch_table[DETECT_AL_HTTP_URI].Setup = DetectHttpUriSetup; + sigmatch_table[DETECT_HTTP_URI_CM].name = "http_uri"; + sigmatch_table[DETECT_HTTP_URI_CM].desc = + "content modifier to match specifically and only on the HTTP uri-buffer"; + sigmatch_table[DETECT_HTTP_URI_CM].url = "/rules/http-keywords.html#http-uri-and-http-uri-raw"; + sigmatch_table[DETECT_HTTP_URI_CM].Setup = DetectHttpUriSetup; #ifdef UNITTESTS - sigmatch_table[DETECT_AL_HTTP_URI].RegisterTests = DetectHttpUriRegisterTests; + sigmatch_table[DETECT_HTTP_URI_CM].RegisterTests = DetectHttpUriRegisterTests; #endif - sigmatch_table[DETECT_AL_HTTP_URI].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_CONTENT_MODIFIER; - sigmatch_table[DETECT_AL_HTTP_URI].alternative = DETECT_HTTP_URI; + sigmatch_table[DETECT_HTTP_URI_CM].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_CONTENT_MODIFIER; + sigmatch_table[DETECT_HTTP_URI_CM].alternative = DETECT_HTTP_URI; /* http.uri sticky buffer */ sigmatch_table[DETECT_HTTP_URI].name = "http.uri"; @@ -132,12 +133,12 @@ void DetectHttpUriRegister (void) g_http_uri_buffer_id = DetectBufferTypeGetByName("http_uri"); /* http_raw_uri content modifier */ - sigmatch_table[DETECT_AL_HTTP_RAW_URI].name = "http_raw_uri"; - sigmatch_table[DETECT_AL_HTTP_RAW_URI].desc = "content modifier to match on the raw HTTP uri"; - sigmatch_table[DETECT_AL_HTTP_RAW_URI].url = "/rules/http-keywords.html#http_uri-and-http_raw-uri"; - sigmatch_table[DETECT_AL_HTTP_RAW_URI].Setup = DetectHttpRawUriSetup; - sigmatch_table[DETECT_AL_HTTP_RAW_URI].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_CONTENT_MODIFIER; - sigmatch_table[DETECT_AL_HTTP_RAW_URI].alternative = DETECT_HTTP_URI_RAW; + sigmatch_table[DETECT_HTTP_RAW_URI].name = "http_raw_uri"; + sigmatch_table[DETECT_HTTP_RAW_URI].desc = "content modifier to match on the raw HTTP uri"; + sigmatch_table[DETECT_HTTP_RAW_URI].url = "/rules/http-keywords.html#http_uri-and-http_raw-uri"; + sigmatch_table[DETECT_HTTP_RAW_URI].Setup = DetectHttpRawUriSetup; + sigmatch_table[DETECT_HTTP_RAW_URI].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_CONTENT_MODIFIER; + sigmatch_table[DETECT_HTTP_RAW_URI].alternative = DETECT_HTTP_URI_RAW; /* http.uri.raw sticky buffer */ sigmatch_table[DETECT_HTTP_URI_RAW].name = "http.uri.raw"; @@ -185,7 +186,7 @@ void DetectHttpUriRegister (void) int DetectHttpUriSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str) { return DetectEngineContentModifierBufferSetup( - de_ctx, s, str, DETECT_AL_HTTP_URI, g_http_uri_buffer_id, ALPROTO_HTTP1); + de_ctx, s, str, DETECT_HTTP_URI_CM, g_http_uri_buffer_id, ALPROTO_HTTP1); } static bool DetectHttpUriValidateCallback(const Signature *s, const char **sigerror) @@ -280,7 +281,7 @@ static InspectionBuffer *GetData2(DetectEngineThreadCtx *det_ctx, static int DetectHttpRawUriSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg) { return DetectEngineContentModifierBufferSetup( - de_ctx, s, arg, DETECT_AL_HTTP_RAW_URI, g_http_raw_uri_buffer_id, ALPROTO_HTTP1); + de_ctx, s, arg, DETECT_HTTP_RAW_URI, g_http_raw_uri_buffer_id, ALPROTO_HTTP1); } static bool DetectHttpRawUriValidateCallback(const Signature *s, const char **sigerror) diff --git a/src/detect-ike-chosen-sa.c b/src/detect-ike-chosen-sa.c index 4564b5c33755..6505b1bf2231 100644 --- a/src/detect-ike-chosen-sa.c +++ b/src/detect-ike-chosen-sa.c @@ -65,15 +65,14 @@ void IKEChosenSaRegisterTests(void); */ void DetectIkeChosenSaRegister(void) { - sigmatch_table[DETECT_AL_IKE_CHOSEN_SA].name = "ike.chosen_sa_attribute"; - sigmatch_table[DETECT_AL_IKE_CHOSEN_SA].desc = "match IKE chosen SA Attribute"; - sigmatch_table[DETECT_AL_IKE_CHOSEN_SA].url = - "/rules/ike-keywords.html#ike-chosen_sa_attribute"; - sigmatch_table[DETECT_AL_IKE_CHOSEN_SA].AppLayerTxMatch = DetectIkeChosenSaMatch; - sigmatch_table[DETECT_AL_IKE_CHOSEN_SA].Setup = DetectIkeChosenSaSetup; - sigmatch_table[DETECT_AL_IKE_CHOSEN_SA].Free = DetectIkeChosenSaFree; + sigmatch_table[DETECT_IKE_CHOSEN_SA].name = "ike.chosen_sa_attribute"; + sigmatch_table[DETECT_IKE_CHOSEN_SA].desc = "match IKE chosen SA Attribute"; + sigmatch_table[DETECT_IKE_CHOSEN_SA].url = "/rules/ike-keywords.html#ike-chosen_sa_attribute"; + sigmatch_table[DETECT_IKE_CHOSEN_SA].AppLayerTxMatch = DetectIkeChosenSaMatch; + sigmatch_table[DETECT_IKE_CHOSEN_SA].Setup = DetectIkeChosenSaSetup; + sigmatch_table[DETECT_IKE_CHOSEN_SA].Free = DetectIkeChosenSaFree; #ifdef UNITTESTS - sigmatch_table[DETECT_AL_IKE_CHOSEN_SA].RegisterTests = IKEChosenSaRegisterTests; + sigmatch_table[DETECT_IKE_CHOSEN_SA].RegisterTests = IKEChosenSaRegisterTests; #endif DetectSetupParseRegexes(PARSE_REGEX, &parse_regex); @@ -212,7 +211,7 @@ static int DetectIkeChosenSaSetup(DetectEngineCtx *de_ctx, Signature *s, const c /* okay so far so good, lets get this into a SigMatch * and put it in the Signature. */ - if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_IKE_CHOSEN_SA, (SigMatchCtx *)dd, + if (SigMatchAppendSMToList(de_ctx, s, DETECT_IKE_CHOSEN_SA, (SigMatchCtx *)dd, g_ike_chosen_sa_buffer_id) == NULL) { goto error; } diff --git a/src/detect-ike-exch-type.c b/src/detect-ike-exch-type.c index f77b6200a08c..887557990d4c 100644 --- a/src/detect-ike-exch-type.c +++ b/src/detect-ike-exch-type.c @@ -49,13 +49,13 @@ static int DetectIkeExchTypeMatch(DetectEngineThreadCtx *, Flow *, uint8_t, void */ void DetectIkeExchTypeRegister(void) { - sigmatch_table[DETECT_AL_IKE_EXCH_TYPE].name = "ike.exchtype"; - sigmatch_table[DETECT_AL_IKE_EXCH_TYPE].desc = "match IKE exchange type"; - sigmatch_table[DETECT_AL_IKE_EXCH_TYPE].url = "/rules/ike-keywords.html#ike-exchtype"; - sigmatch_table[DETECT_AL_IKE_EXCH_TYPE].Match = NULL; - sigmatch_table[DETECT_AL_IKE_EXCH_TYPE].AppLayerTxMatch = DetectIkeExchTypeMatch; - sigmatch_table[DETECT_AL_IKE_EXCH_TYPE].Setup = DetectIkeExchTypeSetup; - sigmatch_table[DETECT_AL_IKE_EXCH_TYPE].Free = DetectIkeExchTypeFree; + sigmatch_table[DETECT_IKE_EXCH_TYPE].name = "ike.exchtype"; + sigmatch_table[DETECT_IKE_EXCH_TYPE].desc = "match IKE exchange type"; + sigmatch_table[DETECT_IKE_EXCH_TYPE].url = "/rules/ike-keywords.html#ike-exchtype"; + sigmatch_table[DETECT_IKE_EXCH_TYPE].Match = NULL; + sigmatch_table[DETECT_IKE_EXCH_TYPE].AppLayerTxMatch = DetectIkeExchTypeMatch; + sigmatch_table[DETECT_IKE_EXCH_TYPE].Setup = DetectIkeExchTypeSetup; + sigmatch_table[DETECT_IKE_EXCH_TYPE].Free = DetectIkeExchTypeFree; DetectAppLayerInspectEngineRegister("ike.exchtype", ALPROTO_IKE, SIG_FLAG_TOSERVER, 1, DetectEngineInspectGenericList, NULL); @@ -116,7 +116,7 @@ static int DetectIkeExchTypeSetup(DetectEngineCtx *de_ctx, Signature *s, const c /* okay so far so good, lets get this into a SigMatch * and put it in the Signature. */ - if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_IKE_EXCH_TYPE, (SigMatchCtx *)ike_exch_type, + if (SigMatchAppendSMToList(de_ctx, s, DETECT_IKE_EXCH_TYPE, (SigMatchCtx *)ike_exch_type, g_ike_exch_type_buffer_id) == NULL) { goto error; } diff --git a/src/detect-ike-key-exchange-payload-length.c b/src/detect-ike-key-exchange-payload-length.c index c698ca649193..23224443cc3a 100644 --- a/src/detect-ike-key-exchange-payload-length.c +++ b/src/detect-ike-key-exchange-payload-length.c @@ -48,17 +48,16 @@ static int DetectIkeKeyExchangePayloadLengthMatch(DetectEngineThreadCtx *, Flow */ void DetectIkeKeyExchangePayloadLengthRegister(void) { - sigmatch_table[DETECT_AL_IKE_KEY_EXCHANGE_PAYLOAD_LENGTH].name = - "ike.key_exchange_payload_length"; - sigmatch_table[DETECT_AL_IKE_KEY_EXCHANGE_PAYLOAD_LENGTH].desc = + sigmatch_table[DETECT_IKE_KEY_EXCHANGE_PAYLOAD_LENGTH].name = "ike.key_exchange_payload_length"; + sigmatch_table[DETECT_IKE_KEY_EXCHANGE_PAYLOAD_LENGTH].desc = "match IKE key exchange payload length"; - sigmatch_table[DETECT_AL_IKE_KEY_EXCHANGE_PAYLOAD_LENGTH].url = + sigmatch_table[DETECT_IKE_KEY_EXCHANGE_PAYLOAD_LENGTH].url = "/rules/ike-keywords.html#ike-key-exchange-payload-length"; - sigmatch_table[DETECT_AL_IKE_KEY_EXCHANGE_PAYLOAD_LENGTH].AppLayerTxMatch = + sigmatch_table[DETECT_IKE_KEY_EXCHANGE_PAYLOAD_LENGTH].AppLayerTxMatch = DetectIkeKeyExchangePayloadLengthMatch; - sigmatch_table[DETECT_AL_IKE_KEY_EXCHANGE_PAYLOAD_LENGTH].Setup = + sigmatch_table[DETECT_IKE_KEY_EXCHANGE_PAYLOAD_LENGTH].Setup = DetectIkeKeyExchangePayloadLengthSetup; - sigmatch_table[DETECT_AL_IKE_KEY_EXCHANGE_PAYLOAD_LENGTH].Free = + sigmatch_table[DETECT_IKE_KEY_EXCHANGE_PAYLOAD_LENGTH].Free = DetectIkeKeyExchangePayloadLengthFree; DetectAppLayerInspectEngineRegister("ike.key_exchange_payload_length", ALPROTO_IKE, @@ -122,7 +121,7 @@ static int DetectIkeKeyExchangePayloadLengthSetup( /* okay so far so good, lets get this into a SigMatch * and put it in the Signature. */ - if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_IKE_KEY_EXCHANGE_PAYLOAD_LENGTH, + if (SigMatchAppendSMToList(de_ctx, s, DETECT_IKE_KEY_EXCHANGE_PAYLOAD_LENGTH, (SigMatchCtx *)key_exchange_payload_length, g_ike_key_exch_payload_length_buffer_id) == NULL) { goto error; diff --git a/src/detect-ike-key-exchange-payload.c b/src/detect-ike-key-exchange-payload.c index 9d83fba33dec..2eccde22e17f 100644 --- a/src/detect-ike-key-exchange-payload.c +++ b/src/detect-ike-key-exchange-payload.c @@ -92,13 +92,12 @@ static InspectionBuffer *GetKeyExchangeData(DetectEngineThreadCtx *det_ctx, void DetectIkeKeyExchangeRegister(void) { // register key_exchange - sigmatch_table[DETECT_AL_IKE_KEY_EXCHANGE].name = KEYWORD_NAME_KEY_EXCHANGE; - sigmatch_table[DETECT_AL_IKE_KEY_EXCHANGE].url = - "/rules/" KEYWORD_DOC_KEY_EXCHANGE sigmatch_table[DETECT_AL_IKE_KEY_EXCHANGE].desc = + sigmatch_table[DETECT_IKE_KEY_EXCHANGE].name = KEYWORD_NAME_KEY_EXCHANGE; + sigmatch_table[DETECT_IKE_KEY_EXCHANGE].url = + "/rules/" KEYWORD_DOC_KEY_EXCHANGE sigmatch_table[DETECT_IKE_KEY_EXCHANGE].desc = "sticky buffer to match on the IKE key_exchange_payload"; - sigmatch_table[DETECT_AL_IKE_KEY_EXCHANGE].Setup = DetectKeyExchangeSetup; - sigmatch_table[DETECT_AL_IKE_KEY_EXCHANGE].flags |= - SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER; + sigmatch_table[DETECT_IKE_KEY_EXCHANGE].Setup = DetectKeyExchangeSetup; + sigmatch_table[DETECT_IKE_KEY_EXCHANGE].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER; DetectAppLayerInspectEngineRegister(BUFFER_NAME_KEY_EXCHANGE, ALPROTO_IKE, SIG_FLAG_TOSERVER, 1, DetectEngineInspectBufferGeneric, GetKeyExchangeData); diff --git a/src/detect-ike-nonce-payload-length.c b/src/detect-ike-nonce-payload-length.c index f76fdb70d496..df6dd5d77370 100644 --- a/src/detect-ike-nonce-payload-length.c +++ b/src/detect-ike-nonce-payload-length.c @@ -48,14 +48,14 @@ static int DetectIkeNoncePayloadLengthMatch(DetectEngineThreadCtx *, Flow *, uin */ void DetectIkeNoncePayloadLengthRegister(void) { - sigmatch_table[DETECT_AL_IKE_NONCE_PAYLOAD_LENGTH].name = "ike.nonce_payload_length"; - sigmatch_table[DETECT_AL_IKE_NONCE_PAYLOAD_LENGTH].desc = "match IKE nonce payload length"; - sigmatch_table[DETECT_AL_IKE_NONCE_PAYLOAD_LENGTH].url = + sigmatch_table[DETECT_IKE_NONCE_PAYLOAD_LENGTH].name = "ike.nonce_payload_length"; + sigmatch_table[DETECT_IKE_NONCE_PAYLOAD_LENGTH].desc = "match IKE nonce payload length"; + sigmatch_table[DETECT_IKE_NONCE_PAYLOAD_LENGTH].url = "/rules/ike-keywords.html#ike-nonce-payload-length"; - sigmatch_table[DETECT_AL_IKE_NONCE_PAYLOAD_LENGTH].AppLayerTxMatch = + sigmatch_table[DETECT_IKE_NONCE_PAYLOAD_LENGTH].AppLayerTxMatch = DetectIkeNoncePayloadLengthMatch; - sigmatch_table[DETECT_AL_IKE_NONCE_PAYLOAD_LENGTH].Setup = DetectIkeNoncePayloadLengthSetup; - sigmatch_table[DETECT_AL_IKE_NONCE_PAYLOAD_LENGTH].Free = DetectIkeNoncePayloadLengthFree; + sigmatch_table[DETECT_IKE_NONCE_PAYLOAD_LENGTH].Setup = DetectIkeNoncePayloadLengthSetup; + sigmatch_table[DETECT_IKE_NONCE_PAYLOAD_LENGTH].Free = DetectIkeNoncePayloadLengthFree; DetectAppLayerInspectEngineRegister("ike.nonce_payload_length", ALPROTO_IKE, SIG_FLAG_TOSERVER, 1, DetectEngineInspectGenericList, NULL); @@ -116,7 +116,7 @@ static int DetectIkeNoncePayloadLengthSetup( /* okay so far so good, lets get this into a SigMatch * and put it in the Signature. */ - if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_IKE_NONCE_PAYLOAD_LENGTH, + if (SigMatchAppendSMToList(de_ctx, s, DETECT_IKE_NONCE_PAYLOAD_LENGTH, (SigMatchCtx *)nonce_payload_length, g_ike_nonce_payload_length_buffer_id) == NULL) { goto error; diff --git a/src/detect-ike-nonce-payload.c b/src/detect-ike-nonce-payload.c index a2c4ac6f9a2a..d31e35abfd72 100644 --- a/src/detect-ike-nonce-payload.c +++ b/src/detect-ike-nonce-payload.c @@ -92,12 +92,12 @@ static InspectionBuffer *GetNonceData(DetectEngineThreadCtx *det_ctx, void DetectIkeNonceRegister(void) { // register nonce - sigmatch_table[DETECT_AL_IKE_NONCE].name = KEYWORD_NAME_NONCE; - sigmatch_table[DETECT_AL_IKE_NONCE].url = - "/rules/" KEYWORD_DOC_NONCE sigmatch_table[DETECT_AL_IKE_NONCE].desc = + sigmatch_table[DETECT_IKE_NONCE].name = KEYWORD_NAME_NONCE; + sigmatch_table[DETECT_IKE_NONCE].url = + "/rules/" KEYWORD_DOC_NONCE sigmatch_table[DETECT_IKE_NONCE].desc = "sticky buffer to match on the IKE nonce_payload"; - sigmatch_table[DETECT_AL_IKE_NONCE].Setup = DetectNonceSetup; - sigmatch_table[DETECT_AL_IKE_NONCE].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER; + sigmatch_table[DETECT_IKE_NONCE].Setup = DetectNonceSetup; + sigmatch_table[DETECT_IKE_NONCE].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER; DetectAppLayerInspectEngineRegister(BUFFER_NAME_NONCE, ALPROTO_IKE, SIG_FLAG_TOSERVER, 1, DetectEngineInspectBufferGeneric, GetNonceData); diff --git a/src/detect-ike-spi.c b/src/detect-ike-spi.c index 9f310b8f580a..b9e2f83923b6 100644 --- a/src/detect-ike-spi.c +++ b/src/detect-ike-spi.c @@ -130,13 +130,12 @@ static InspectionBuffer *GetResponderData(DetectEngineThreadCtx *det_ctx, void DetectIkeSpiRegister(void) { // register initiator - sigmatch_table[DETECT_AL_IKE_SPI_INITIATOR].name = KEYWORD_NAME_INITIATOR; - sigmatch_table[DETECT_AL_IKE_SPI_INITIATOR].url = - "/rules/" KEYWORD_DOC_INITIATOR sigmatch_table[DETECT_AL_IKE_SPI_INITIATOR].desc = + sigmatch_table[DETECT_IKE_SPI_INITIATOR].name = KEYWORD_NAME_INITIATOR; + sigmatch_table[DETECT_IKE_SPI_INITIATOR].url = + "/rules/" KEYWORD_DOC_INITIATOR sigmatch_table[DETECT_IKE_SPI_INITIATOR].desc = "sticky buffer to match on the IKE spi initiator"; - sigmatch_table[DETECT_AL_IKE_SPI_INITIATOR].Setup = DetectSpiInitiatorSetup; - sigmatch_table[DETECT_AL_IKE_SPI_INITIATOR].flags |= - SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER; + sigmatch_table[DETECT_IKE_SPI_INITIATOR].Setup = DetectSpiInitiatorSetup; + sigmatch_table[DETECT_IKE_SPI_INITIATOR].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER; DetectAppLayerInspectEngineRegister(BUFFER_NAME_INITIATOR, ALPROTO_IKE, SIG_FLAG_TOSERVER, 1, DetectEngineInspectBufferGeneric, GetInitiatorData); @@ -150,13 +149,12 @@ void DetectIkeSpiRegister(void) SCLogDebug("registering " BUFFER_NAME_INITIATOR " rule option"); // register responder - sigmatch_table[DETECT_AL_IKE_SPI_RESPONDER].name = KEYWORD_NAME_RESPONDER; - sigmatch_table[DETECT_AL_IKE_SPI_RESPONDER].url = - "/rules/" KEYWORD_DOC_RESPONDER sigmatch_table[DETECT_AL_IKE_SPI_RESPONDER].desc = + sigmatch_table[DETECT_IKE_SPI_RESPONDER].name = KEYWORD_NAME_RESPONDER; + sigmatch_table[DETECT_IKE_SPI_RESPONDER].url = + "/rules/" KEYWORD_DOC_RESPONDER sigmatch_table[DETECT_IKE_SPI_RESPONDER].desc = "sticky buffer to match on the IKE spi responder"; - sigmatch_table[DETECT_AL_IKE_SPI_RESPONDER].Setup = DetectSpiResponderSetup; - sigmatch_table[DETECT_AL_IKE_SPI_RESPONDER].flags |= - SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER; + sigmatch_table[DETECT_IKE_SPI_RESPONDER].Setup = DetectSpiResponderSetup; + sigmatch_table[DETECT_IKE_SPI_RESPONDER].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER; DetectAppLayerInspectEngineRegister(BUFFER_NAME_RESPONDER, ALPROTO_IKE, SIG_FLAG_TOCLIENT, 1, DetectEngineInspectBufferGeneric, GetResponderData); diff --git a/src/detect-ike-vendor.c b/src/detect-ike-vendor.c index e3c09e9a44c6..ea5660508707 100644 --- a/src/detect-ike-vendor.c +++ b/src/detect-ike-vendor.c @@ -69,12 +69,12 @@ static InspectionBuffer *IkeVendorGetData(DetectEngineThreadCtx *det_ctx, */ void DetectIkeVendorRegister(void) { - sigmatch_table[DETECT_AL_IKE_VENDOR].name = "ike.vendor"; - sigmatch_table[DETECT_AL_IKE_VENDOR].desc = "match IKE Vendor"; - sigmatch_table[DETECT_AL_IKE_VENDOR].url = "/rules/ike-keywords.html#ike-vendor"; - sigmatch_table[DETECT_AL_IKE_VENDOR].Setup = DetectIkeVendorSetup; - sigmatch_table[DETECT_AL_IKE_VENDOR].flags |= SIGMATCH_NOOPT; - sigmatch_table[DETECT_AL_IKE_VENDOR].flags |= SIGMATCH_INFO_STICKY_BUFFER; + sigmatch_table[DETECT_IKE_VENDOR].name = "ike.vendor"; + sigmatch_table[DETECT_IKE_VENDOR].desc = "match IKE Vendor"; + sigmatch_table[DETECT_IKE_VENDOR].url = "/rules/ike-keywords.html#ike-vendor"; + sigmatch_table[DETECT_IKE_VENDOR].Setup = DetectIkeVendorSetup; + sigmatch_table[DETECT_IKE_VENDOR].flags |= SIGMATCH_NOOPT; + sigmatch_table[DETECT_IKE_VENDOR].flags |= SIGMATCH_INFO_STICKY_BUFFER; DetectAppLayerMultiRegister( "ike.vendor", ALPROTO_IKE, SIG_FLAG_TOSERVER, 1, IkeVendorGetData, 1, 1); diff --git a/src/detect-ja4-hash.c b/src/detect-ja4-hash.c index ebddc6b6d060..78a9367fdaa5 100644 --- a/src/detect-ja4-hash.c +++ b/src/detect-ja4-hash.c @@ -64,17 +64,17 @@ static int g_ja4_hash_buffer_id = 0; */ void DetectJa4HashRegister(void) { - sigmatch_table[DETECT_AL_JA4_HASH].name = "ja4.hash"; - sigmatch_table[DETECT_AL_JA4_HASH].alias = "ja4_hash"; - sigmatch_table[DETECT_AL_JA4_HASH].desc = "sticky buffer to match the JA4 hash buffer"; - sigmatch_table[DETECT_AL_JA4_HASH].url = "/rules/ja4-keywords.html#ja4-hash"; + sigmatch_table[DETECT_JA4_HASH].name = "ja4.hash"; + sigmatch_table[DETECT_JA4_HASH].alias = "ja4_hash"; + sigmatch_table[DETECT_JA4_HASH].desc = "sticky buffer to match the JA4 hash buffer"; + sigmatch_table[DETECT_JA4_HASH].url = "/rules/ja4-keywords.html#ja4-hash"; #ifdef HAVE_JA4 - sigmatch_table[DETECT_AL_JA4_HASH].Setup = DetectJa4HashSetup; + sigmatch_table[DETECT_JA4_HASH].Setup = DetectJa4HashSetup; #else /* HAVE_JA4 */ - sigmatch_table[DETECT_AL_JA4_HASH].Setup = DetectJA4SetupNoSupport; + sigmatch_table[DETECT_JA4_HASH].Setup = DetectJA4SetupNoSupport; #endif /* HAVE_JA4 */ - sigmatch_table[DETECT_AL_JA4_HASH].flags |= SIGMATCH_NOOPT; - sigmatch_table[DETECT_AL_JA4_HASH].flags |= SIGMATCH_INFO_STICKY_BUFFER; + sigmatch_table[DETECT_JA4_HASH].flags |= SIGMATCH_NOOPT; + sigmatch_table[DETECT_JA4_HASH].flags |= SIGMATCH_INFO_STICKY_BUFFER; #ifdef HAVE_JA4 DetectAppLayerInspectEngineRegister("ja4.hash", ALPROTO_TLS, SIG_FLAG_TOSERVER, 0, @@ -121,7 +121,7 @@ static int DetectJa4HashSetup(DetectEngineCtx *de_ctx, Signature *s, const char /* check if JA4 enabling had an effect */ if (!RunmodeIsUnittests() && !SSLJA4IsEnabled()) { - if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_AL_JA4_HASH)) { + if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_JA4_HASH)) { SCLogError("JA4 support is not enabled"); } return -2; diff --git a/src/detect-krb5-cname.c b/src/detect-krb5-cname.c index 1411f7380806..7e7655117296 100644 --- a/src/detect-krb5-cname.c +++ b/src/detect-krb5-cname.c @@ -81,12 +81,12 @@ static InspectionBuffer *GetKrb5CNameData(DetectEngineThreadCtx *det_ctx, void DetectKrb5CNameRegister(void) { - sigmatch_table[DETECT_AL_KRB5_CNAME].name = "krb5.cname"; - sigmatch_table[DETECT_AL_KRB5_CNAME].alias = "krb5_cname"; - sigmatch_table[DETECT_AL_KRB5_CNAME].url = "/rules/kerberos-keywords.html#krb5-cname"; - sigmatch_table[DETECT_AL_KRB5_CNAME].Setup = DetectKrb5CNameSetup; - sigmatch_table[DETECT_AL_KRB5_CNAME].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER; - sigmatch_table[DETECT_AL_KRB5_CNAME].desc = "sticky buffer to match on Kerberos 5 client name"; + sigmatch_table[DETECT_KRB5_CNAME].name = "krb5.cname"; + sigmatch_table[DETECT_KRB5_CNAME].alias = "krb5_cname"; + sigmatch_table[DETECT_KRB5_CNAME].url = "/rules/kerberos-keywords.html#krb5-cname"; + sigmatch_table[DETECT_KRB5_CNAME].Setup = DetectKrb5CNameSetup; + sigmatch_table[DETECT_KRB5_CNAME].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER; + sigmatch_table[DETECT_KRB5_CNAME].desc = "sticky buffer to match on Kerberos 5 client name"; DetectAppLayerMultiRegister( "krb5_cname", ALPROTO_KRB5, SIG_FLAG_TOCLIENT, 0, GetKrb5CNameData, 2, 1); diff --git a/src/detect-krb5-errcode.c b/src/detect-krb5-errcode.c index 72fa14a6327d..a99196363062 100644 --- a/src/detect-krb5-errcode.c +++ b/src/detect-krb5-errcode.c @@ -57,15 +57,15 @@ static int g_krb5_err_code_list_id = 0; */ void DetectKrb5ErrCodeRegister(void) { - sigmatch_table[DETECT_AL_KRB5_ERRCODE].name = "krb5_err_code"; - sigmatch_table[DETECT_AL_KRB5_ERRCODE].desc = "match Kerberos 5 error code"; - sigmatch_table[DETECT_AL_KRB5_ERRCODE].url = "/rules/kerberos-keywords.html#krb5-err-code"; - sigmatch_table[DETECT_AL_KRB5_ERRCODE].Match = NULL; - sigmatch_table[DETECT_AL_KRB5_ERRCODE].AppLayerTxMatch = DetectKrb5ErrCodeMatch; - sigmatch_table[DETECT_AL_KRB5_ERRCODE].Setup = DetectKrb5ErrCodeSetup; - sigmatch_table[DETECT_AL_KRB5_ERRCODE].Free = DetectKrb5ErrCodeFree; + sigmatch_table[DETECT_KRB5_ERRCODE].name = "krb5_err_code"; + sigmatch_table[DETECT_KRB5_ERRCODE].desc = "match Kerberos 5 error code"; + sigmatch_table[DETECT_KRB5_ERRCODE].url = "/rules/kerberos-keywords.html#krb5-err-code"; + sigmatch_table[DETECT_KRB5_ERRCODE].Match = NULL; + sigmatch_table[DETECT_KRB5_ERRCODE].AppLayerTxMatch = DetectKrb5ErrCodeMatch; + sigmatch_table[DETECT_KRB5_ERRCODE].Setup = DetectKrb5ErrCodeSetup; + sigmatch_table[DETECT_KRB5_ERRCODE].Free = DetectKrb5ErrCodeFree; #ifdef UNITTESTS - sigmatch_table[DETECT_AL_KRB5_ERRCODE].RegisterTests = DetectKrb5ErrCodeRegisterTests; + sigmatch_table[DETECT_KRB5_ERRCODE].RegisterTests = DetectKrb5ErrCodeRegisterTests; #endif DetectAppLayerInspectEngineRegister("krb5_err_code", ALPROTO_KRB5, SIG_FLAG_TOSERVER, 0, @@ -183,7 +183,7 @@ static int DetectKrb5ErrCodeSetup (DetectEngineCtx *de_ctx, Signature *s, const if (krb5d == NULL) goto error; - if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_KRB5_ERRCODE, (SigMatchCtx *)krb5d, + if (SigMatchAppendSMToList(de_ctx, s, DETECT_KRB5_ERRCODE, (SigMatchCtx *)krb5d, g_krb5_err_code_list_id) == NULL) { goto error; } diff --git a/src/detect-krb5-msgtype.c b/src/detect-krb5-msgtype.c index 5325c7d32865..1ef2639a7568 100644 --- a/src/detect-krb5-msgtype.c +++ b/src/detect-krb5-msgtype.c @@ -57,15 +57,15 @@ static int g_krb5_msg_type_list_id = 0; */ void DetectKrb5MsgTypeRegister(void) { - sigmatch_table[DETECT_AL_KRB5_MSGTYPE].name = "krb5_msg_type"; - sigmatch_table[DETECT_AL_KRB5_MSGTYPE].desc = "match Kerberos 5 message type"; - sigmatch_table[DETECT_AL_KRB5_MSGTYPE].url = "/rules/kerberos-keywords.html#krb5-msg-type"; - sigmatch_table[DETECT_AL_KRB5_MSGTYPE].Match = NULL; - sigmatch_table[DETECT_AL_KRB5_MSGTYPE].AppLayerTxMatch = DetectKrb5MsgTypeMatch; - sigmatch_table[DETECT_AL_KRB5_MSGTYPE].Setup = DetectKrb5MsgTypeSetup; - sigmatch_table[DETECT_AL_KRB5_MSGTYPE].Free = DetectKrb5MsgTypeFree; + sigmatch_table[DETECT_KRB5_MSGTYPE].name = "krb5_msg_type"; + sigmatch_table[DETECT_KRB5_MSGTYPE].desc = "match Kerberos 5 message type"; + sigmatch_table[DETECT_KRB5_MSGTYPE].url = "/rules/kerberos-keywords.html#krb5-msg-type"; + sigmatch_table[DETECT_KRB5_MSGTYPE].Match = NULL; + sigmatch_table[DETECT_KRB5_MSGTYPE].AppLayerTxMatch = DetectKrb5MsgTypeMatch; + sigmatch_table[DETECT_KRB5_MSGTYPE].Setup = DetectKrb5MsgTypeSetup; + sigmatch_table[DETECT_KRB5_MSGTYPE].Free = DetectKrb5MsgTypeFree; #ifdef UNITTESTS - sigmatch_table[DETECT_AL_KRB5_MSGTYPE].RegisterTests = DetectKrb5MsgTypeRegisterTests; + sigmatch_table[DETECT_KRB5_MSGTYPE].RegisterTests = DetectKrb5MsgTypeRegisterTests; #endif DetectAppLayerInspectEngineRegister("krb5_msg_type", ALPROTO_KRB5, SIG_FLAG_TOSERVER, 0, @@ -180,7 +180,7 @@ static int DetectKrb5MsgTypeSetup (DetectEngineCtx *de_ctx, Signature *s, const if (krb5d == NULL) goto error; - if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_KRB5_MSGTYPE, (SigMatchCtx *)krb5d, + if (SigMatchAppendSMToList(de_ctx, s, DETECT_KRB5_MSGTYPE, (SigMatchCtx *)krb5d, g_krb5_msg_type_list_id) == NULL) { goto error; } diff --git a/src/detect-krb5-sname.c b/src/detect-krb5-sname.c index 3cd6f0e222cc..c8dd5acbe365 100644 --- a/src/detect-krb5-sname.c +++ b/src/detect-krb5-sname.c @@ -81,12 +81,12 @@ static InspectionBuffer *GetKrb5SNameData(DetectEngineThreadCtx *det_ctx, void DetectKrb5SNameRegister(void) { - sigmatch_table[DETECT_AL_KRB5_SNAME].name = "krb5.sname"; - sigmatch_table[DETECT_AL_KRB5_SNAME].alias = "krb5_sname"; - sigmatch_table[DETECT_AL_KRB5_SNAME].url = "/rules/kerberos-keywords.html#krb5-sname"; - sigmatch_table[DETECT_AL_KRB5_SNAME].Setup = DetectKrb5SNameSetup; - sigmatch_table[DETECT_AL_KRB5_SNAME].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER; - sigmatch_table[DETECT_AL_KRB5_SNAME].desc = "sticky buffer to match on Kerberos 5 server name"; + sigmatch_table[DETECT_KRB5_SNAME].name = "krb5.sname"; + sigmatch_table[DETECT_KRB5_SNAME].alias = "krb5_sname"; + sigmatch_table[DETECT_KRB5_SNAME].url = "/rules/kerberos-keywords.html#krb5-sname"; + sigmatch_table[DETECT_KRB5_SNAME].Setup = DetectKrb5SNameSetup; + sigmatch_table[DETECT_KRB5_SNAME].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER; + sigmatch_table[DETECT_KRB5_SNAME].desc = "sticky buffer to match on Kerberos 5 server name"; DetectAppLayerMultiRegister( "krb5_sname", ALPROTO_KRB5, SIG_FLAG_TOCLIENT, 0, GetKrb5SNameData, 2, 1); diff --git a/src/detect-krb5-ticket-encryption.c b/src/detect-krb5-ticket-encryption.c index 6cdacd19a835..08331b6d5439 100644 --- a/src/detect-krb5-ticket-encryption.c +++ b/src/detect-krb5-ticket-encryption.c @@ -52,7 +52,7 @@ static int DetectKrb5TicketEncryptionSetup( if (krb5d == NULL) goto error; - if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_KRB5_TICKET_ENCRYPTION, (SigMatchCtx *)krb5d, + if (SigMatchAppendSMToList(de_ctx, s, DETECT_KRB5_TICKET_ENCRYPTION, (SigMatchCtx *)krb5d, g_krb5_ticket_encryption_list_id) == NULL) { goto error; } @@ -67,15 +67,14 @@ static int DetectKrb5TicketEncryptionSetup( void DetectKrb5TicketEncryptionRegister(void) { - sigmatch_table[DETECT_AL_KRB5_TICKET_ENCRYPTION].name = "krb5.ticket_encryption"; - sigmatch_table[DETECT_AL_KRB5_TICKET_ENCRYPTION].desc = "match Kerberos 5 ticket encryption"; - sigmatch_table[DETECT_AL_KRB5_TICKET_ENCRYPTION].url = + sigmatch_table[DETECT_KRB5_TICKET_ENCRYPTION].name = "krb5.ticket_encryption"; + sigmatch_table[DETECT_KRB5_TICKET_ENCRYPTION].desc = "match Kerberos 5 ticket encryption"; + sigmatch_table[DETECT_KRB5_TICKET_ENCRYPTION].url = "/rules/kerberos-keywords.html#krb5-ticket-encryption"; - sigmatch_table[DETECT_AL_KRB5_TICKET_ENCRYPTION].Match = NULL; - sigmatch_table[DETECT_AL_KRB5_TICKET_ENCRYPTION].AppLayerTxMatch = - DetectKrb5TicketEncryptionMatch; - sigmatch_table[DETECT_AL_KRB5_TICKET_ENCRYPTION].Setup = DetectKrb5TicketEncryptionSetup; - sigmatch_table[DETECT_AL_KRB5_TICKET_ENCRYPTION].Free = DetectKrb5TicketEncryptionFree; + sigmatch_table[DETECT_KRB5_TICKET_ENCRYPTION].Match = NULL; + sigmatch_table[DETECT_KRB5_TICKET_ENCRYPTION].AppLayerTxMatch = DetectKrb5TicketEncryptionMatch; + sigmatch_table[DETECT_KRB5_TICKET_ENCRYPTION].Setup = DetectKrb5TicketEncryptionSetup; + sigmatch_table[DETECT_KRB5_TICKET_ENCRYPTION].Free = DetectKrb5TicketEncryptionFree; // Tickets are only from server to client DetectAppLayerInspectEngineRegister("krb5_ticket_encryption", ALPROTO_KRB5, SIG_FLAG_TOCLIENT, diff --git a/src/detect-modbus.c b/src/detect-modbus.c index e9e64c42fa57..206667a90dbf 100644 --- a/src/detect-modbus.c +++ b/src/detect-modbus.c @@ -96,7 +96,7 @@ static int DetectModbusSetup(DetectEngineCtx *de_ctx, Signature *s, const char * /* Okay so far so good, lets get this into a SigMatch and put it in the Signature. */ if (SigMatchAppendSMToList( - de_ctx, s, DETECT_AL_MODBUS, (SigMatchCtx *)modbus, g_modbus_buffer_id) == NULL) { + de_ctx, s, DETECT_MODBUS, (SigMatchCtx *)modbus, g_modbus_buffer_id) == NULL) { goto error; } @@ -119,13 +119,13 @@ static int DetectModbusMatch(DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t fl */ void DetectModbusRegister(void) { - sigmatch_table[DETECT_AL_MODBUS].name = "modbus"; - sigmatch_table[DETECT_AL_MODBUS].desc = "match on various properties of Modbus requests"; - sigmatch_table[DETECT_AL_MODBUS].url = "/rules/modbus-keyword.html#modbus-keyword"; - sigmatch_table[DETECT_AL_MODBUS].Match = NULL; - sigmatch_table[DETECT_AL_MODBUS].Setup = DetectModbusSetup; - sigmatch_table[DETECT_AL_MODBUS].Free = DetectModbusFree; - sigmatch_table[DETECT_AL_MODBUS].AppLayerTxMatch = DetectModbusMatch; + sigmatch_table[DETECT_MODBUS].name = "modbus"; + sigmatch_table[DETECT_MODBUS].desc = "match on various properties of Modbus requests"; + sigmatch_table[DETECT_MODBUS].url = "/rules/modbus-keyword.html#modbus-keyword"; + sigmatch_table[DETECT_MODBUS].Match = NULL; + sigmatch_table[DETECT_MODBUS].Setup = DetectModbusSetup; + sigmatch_table[DETECT_MODBUS].Free = DetectModbusFree; + sigmatch_table[DETECT_MODBUS].AppLayerTxMatch = DetectModbusMatch; DetectAppLayerInspectEngineRegister( "modbus", ALPROTO_MODBUS, SIG_FLAG_TOSERVER, 0, DetectEngineInspectGenericList, NULL); diff --git a/src/detect-nfs-procedure.c b/src/detect-nfs-procedure.c index 45d8311103a6..fb63eafa5f22 100644 --- a/src/detect-nfs-procedure.c +++ b/src/detect-nfs-procedure.c @@ -63,15 +63,15 @@ static int DetectNfsProcedureMatch (DetectEngineThreadCtx *, Flow *, */ void DetectNfsProcedureRegister (void) { - sigmatch_table[DETECT_AL_NFS_PROCEDURE].name = "nfs_procedure"; - sigmatch_table[DETECT_AL_NFS_PROCEDURE].desc = "match NFS procedure"; - sigmatch_table[DETECT_AL_NFS_PROCEDURE].url = "/rules/nfs-keywords.html#procedure"; - sigmatch_table[DETECT_AL_NFS_PROCEDURE].Match = NULL; - sigmatch_table[DETECT_AL_NFS_PROCEDURE].AppLayerTxMatch = DetectNfsProcedureMatch; - sigmatch_table[DETECT_AL_NFS_PROCEDURE].Setup = DetectNfsProcedureSetup; - sigmatch_table[DETECT_AL_NFS_PROCEDURE].Free = DetectNfsProcedureFree; + sigmatch_table[DETECT_NFS_PROCEDURE].name = "nfs_procedure"; + sigmatch_table[DETECT_NFS_PROCEDURE].desc = "match NFS procedure"; + sigmatch_table[DETECT_NFS_PROCEDURE].url = "/rules/nfs-keywords.html#procedure"; + sigmatch_table[DETECT_NFS_PROCEDURE].Match = NULL; + sigmatch_table[DETECT_NFS_PROCEDURE].AppLayerTxMatch = DetectNfsProcedureMatch; + sigmatch_table[DETECT_NFS_PROCEDURE].Setup = DetectNfsProcedureSetup; + sigmatch_table[DETECT_NFS_PROCEDURE].Free = DetectNfsProcedureFree; #ifdef UNITTESTS - sigmatch_table[DETECT_AL_NFS_PROCEDURE].RegisterTests = DetectNfsProcedureRegisterTests; + sigmatch_table[DETECT_NFS_PROCEDURE].RegisterTests = DetectNfsProcedureRegisterTests; #endif DetectAppLayerInspectEngineRegister( @@ -169,7 +169,7 @@ static int DetectNfsProcedureSetup (DetectEngineCtx *de_ctx, Signature *s, * and put it in the Signature. */ SCLogDebug("low %u hi %u", dd->arg1, dd->arg2); - if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_NFS_PROCEDURE, (SigMatchCtx *)dd, + if (SigMatchAppendSMToList(de_ctx, s, DETECT_NFS_PROCEDURE, (SigMatchCtx *)dd, g_nfs_request_buffer_id) == NULL) { DetectNfsProcedureFree(de_ctx, dd); return -1; diff --git a/src/detect-nfs-version.c b/src/detect-nfs-version.c index 6ed20a2288bf..c24cb65629d5 100644 --- a/src/detect-nfs-version.c +++ b/src/detect-nfs-version.c @@ -61,13 +61,13 @@ static int DetectNfsVersionMatch (DetectEngineThreadCtx *, Flow *, */ void DetectNfsVersionRegister (void) { - sigmatch_table[DETECT_AL_NFS_VERSION].name = "nfs.version"; - sigmatch_table[DETECT_AL_NFS_VERSION].alias = "nfs_version"; - sigmatch_table[DETECT_AL_NFS_VERSION].desc = "match NFS version"; - sigmatch_table[DETECT_AL_NFS_VERSION].url = "/rules/nfs-keywords.html#version"; - sigmatch_table[DETECT_AL_NFS_VERSION].AppLayerTxMatch = DetectNfsVersionMatch; - sigmatch_table[DETECT_AL_NFS_VERSION].Setup = DetectNfsVersionSetup; - sigmatch_table[DETECT_AL_NFS_VERSION].Free = DetectNfsVersionFree; + sigmatch_table[DETECT_NFS_VERSION].name = "nfs.version"; + sigmatch_table[DETECT_NFS_VERSION].alias = "nfs_version"; + sigmatch_table[DETECT_NFS_VERSION].desc = "match NFS version"; + sigmatch_table[DETECT_NFS_VERSION].url = "/rules/nfs-keywords.html#version"; + sigmatch_table[DETECT_NFS_VERSION].AppLayerTxMatch = DetectNfsVersionMatch; + sigmatch_table[DETECT_NFS_VERSION].Setup = DetectNfsVersionSetup; + sigmatch_table[DETECT_NFS_VERSION].Free = DetectNfsVersionFree; // unit tests were the same as DetectNfsProcedureRegisterTests DetectAppLayerInspectEngineRegister( "nfs_request", ALPROTO_NFS, SIG_FLAG_TOSERVER, 0, DetectEngineInspectGenericList, NULL); @@ -154,7 +154,7 @@ static int DetectNfsVersionSetup (DetectEngineCtx *de_ctx, Signature *s, * and put it in the Signature. */ SCLogDebug("low %u hi %u", dd->arg1, dd->arg2); - if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_NFS_VERSION, (SigMatchCtx *)dd, + if (SigMatchAppendSMToList(de_ctx, s, DETECT_NFS_VERSION, (SigMatchCtx *)dd, g_nfs_request_buffer_id) == NULL) { goto error; } diff --git a/src/detect-quic-cyu-hash.c b/src/detect-quic-cyu-hash.c index 17836d1596b5..39890d18c6d4 100644 --- a/src/detect-quic-cyu-hash.c +++ b/src/detect-quic-cyu-hash.c @@ -125,13 +125,13 @@ static bool DetectQuicHashValidateCallback(const Signature *s, const char **sige void DetectQuicCyuHashRegister(void) { /* quic.cyu.hash sticky buffer */ - sigmatch_table[DETECT_AL_QUIC_CYU_HASH].name = KEYWORD_NAME; - sigmatch_table[DETECT_AL_QUIC_CYU_HASH].desc = "sticky buffer to match on the QUIC CYU hash"; - sigmatch_table[DETECT_AL_QUIC_CYU_HASH].url = "/rules/" KEYWORD_DOC; - sigmatch_table[DETECT_AL_QUIC_CYU_HASH].Setup = DetectQuicCyuHashSetup; - sigmatch_table[DETECT_AL_QUIC_CYU_HASH].flags |= SIGMATCH_NOOPT; + sigmatch_table[DETECT_QUIC_CYU_HASH].name = KEYWORD_NAME; + sigmatch_table[DETECT_QUIC_CYU_HASH].desc = "sticky buffer to match on the QUIC CYU hash"; + sigmatch_table[DETECT_QUIC_CYU_HASH].url = "/rules/" KEYWORD_DOC; + sigmatch_table[DETECT_QUIC_CYU_HASH].Setup = DetectQuicCyuHashSetup; + sigmatch_table[DETECT_QUIC_CYU_HASH].flags |= SIGMATCH_NOOPT; #ifdef UNITTESTS - sigmatch_table[DETECT_AL_QUIC_CYU_HASH].RegisterTests = DetectQuicCyuHashRegisterTests; + sigmatch_table[DETECT_QUIC_CYU_HASH].RegisterTests = DetectQuicCyuHashRegisterTests; #endif DetectAppLayerMultiRegister( diff --git a/src/detect-quic-cyu-string.c b/src/detect-quic-cyu-string.c index c2460f11546c..574f0fd89c2c 100644 --- a/src/detect-quic-cyu-string.c +++ b/src/detect-quic-cyu-string.c @@ -81,14 +81,13 @@ static InspectionBuffer *QuicStringGetData(DetectEngineThreadCtx *det_ctx, void DetectQuicCyuStringRegister(void) { /* quic.cyu.string sticky buffer */ - sigmatch_table[DETECT_AL_QUIC_CYU_STRING].name = KEYWORD_NAME; - sigmatch_table[DETECT_AL_QUIC_CYU_STRING].desc = - "sticky buffer to match on the QUIC CYU string"; - sigmatch_table[DETECT_AL_QUIC_CYU_STRING].url = "/rules/" KEYWORD_DOC; - sigmatch_table[DETECT_AL_QUIC_CYU_STRING].Setup = DetectQuicCyuStringSetup; - sigmatch_table[DETECT_AL_QUIC_CYU_STRING].flags |= SIGMATCH_NOOPT; + sigmatch_table[DETECT_QUIC_CYU_STRING].name = KEYWORD_NAME; + sigmatch_table[DETECT_QUIC_CYU_STRING].desc = "sticky buffer to match on the QUIC CYU string"; + sigmatch_table[DETECT_QUIC_CYU_STRING].url = "/rules/" KEYWORD_DOC; + sigmatch_table[DETECT_QUIC_CYU_STRING].Setup = DetectQuicCyuStringSetup; + sigmatch_table[DETECT_QUIC_CYU_STRING].flags |= SIGMATCH_NOOPT; #ifdef UNITTESTS - sigmatch_table[DETECT_AL_QUIC_CYU_STRING].RegisterTests = DetectQuicCyuStringRegisterTests; + sigmatch_table[DETECT_QUIC_CYU_STRING].RegisterTests = DetectQuicCyuStringRegisterTests; #endif DetectAppLayerMultiRegister( diff --git a/src/detect-quic-sni.c b/src/detect-quic-sni.c index 0e4bf2d09101..ba234e1d4478 100644 --- a/src/detect-quic-sni.c +++ b/src/detect-quic-sni.c @@ -70,13 +70,13 @@ static InspectionBuffer *GetSniData(DetectEngineThreadCtx *det_ctx, */ void DetectQuicSniRegister(void) { - sigmatch_table[DETECT_AL_QUIC_SNI].name = KEYWORD_NAME; - sigmatch_table[DETECT_AL_QUIC_SNI].desc = "match Quic sni"; - sigmatch_table[DETECT_AL_QUIC_SNI].url = "/rules/quic-keywords.html#quic-sni"; - sigmatch_table[DETECT_AL_QUIC_SNI].Setup = DetectQuicSniSetup; - sigmatch_table[DETECT_AL_QUIC_SNI].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER; + sigmatch_table[DETECT_QUIC_SNI].name = KEYWORD_NAME; + sigmatch_table[DETECT_QUIC_SNI].desc = "match Quic sni"; + sigmatch_table[DETECT_QUIC_SNI].url = "/rules/quic-keywords.html#quic-sni"; + sigmatch_table[DETECT_QUIC_SNI].Setup = DetectQuicSniSetup; + sigmatch_table[DETECT_QUIC_SNI].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER; #ifdef UNITTESTS - sigmatch_table[DETECT_AL_QUIC_SNI].RegisterTests = DetectQuicSniRegisterTests; + sigmatch_table[DETECT_QUIC_SNI].RegisterTests = DetectQuicSniRegisterTests; #endif DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister, diff --git a/src/detect-quic-ua.c b/src/detect-quic-ua.c index 0e72770cb068..59c302e59490 100644 --- a/src/detect-quic-ua.c +++ b/src/detect-quic-ua.c @@ -70,13 +70,13 @@ static InspectionBuffer *GetUaData(DetectEngineThreadCtx *det_ctx, */ void DetectQuicUaRegister(void) { - sigmatch_table[DETECT_AL_QUIC_UA].name = KEYWORD_NAME; - sigmatch_table[DETECT_AL_QUIC_UA].desc = "match Quic ua"; - sigmatch_table[DETECT_AL_QUIC_UA].url = "/rules/quic-keywords.html#quic-ua"; - sigmatch_table[DETECT_AL_QUIC_UA].Setup = DetectQuicUaSetup; - sigmatch_table[DETECT_AL_QUIC_UA].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER; + sigmatch_table[DETECT_QUIC_UA].name = KEYWORD_NAME; + sigmatch_table[DETECT_QUIC_UA].desc = "match Quic ua"; + sigmatch_table[DETECT_QUIC_UA].url = "/rules/quic-keywords.html#quic-ua"; + sigmatch_table[DETECT_QUIC_UA].Setup = DetectQuicUaSetup; + sigmatch_table[DETECT_QUIC_UA].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER; #ifdef UNITTESTS - sigmatch_table[DETECT_AL_QUIC_UA].RegisterTests = DetectQuicUaRegisterTests; + sigmatch_table[DETECT_QUIC_UA].RegisterTests = DetectQuicUaRegisterTests; #endif DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister, diff --git a/src/detect-quic-version.c b/src/detect-quic-version.c index 08bf80c0022c..0d5d9f491ead 100644 --- a/src/detect-quic-version.c +++ b/src/detect-quic-version.c @@ -70,13 +70,13 @@ static InspectionBuffer *GetVersionData(DetectEngineThreadCtx *det_ctx, */ void DetectQuicVersionRegister(void) { - sigmatch_table[DETECT_AL_QUIC_VERSION].name = KEYWORD_NAME; - sigmatch_table[DETECT_AL_QUIC_VERSION].desc = "match Quic version"; - sigmatch_table[DETECT_AL_QUIC_VERSION].url = "/rules/quic-keywords.html#quic-version"; - sigmatch_table[DETECT_AL_QUIC_VERSION].Setup = DetectQuicVersionSetup; - sigmatch_table[DETECT_AL_QUIC_VERSION].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER; + sigmatch_table[DETECT_QUIC_VERSION].name = KEYWORD_NAME; + sigmatch_table[DETECT_QUIC_VERSION].desc = "match Quic version"; + sigmatch_table[DETECT_QUIC_VERSION].url = "/rules/quic-keywords.html#quic-version"; + sigmatch_table[DETECT_QUIC_VERSION].Setup = DetectQuicVersionSetup; + sigmatch_table[DETECT_QUIC_VERSION].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER; #ifdef UNITTESTS - sigmatch_table[DETECT_AL_QUIC_VERSION].RegisterTests = DetectQuicVersionRegisterTests; + sigmatch_table[DETECT_QUIC_VERSION].RegisterTests = DetectQuicVersionRegisterTests; #endif DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister, diff --git a/src/detect-sip-method.c b/src/detect-sip-method.c index ed22381d9ffc..a3564e7d7b71 100644 --- a/src/detect-sip-method.c +++ b/src/detect-sip-method.c @@ -127,11 +127,11 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, void DetectSipMethodRegister(void) { /* sip.method sticky buffer */ - sigmatch_table[DETECT_AL_SIP_METHOD].name = KEYWORD_NAME; - sigmatch_table[DETECT_AL_SIP_METHOD].desc = "sticky buffer to match on the SIP method buffer"; - sigmatch_table[DETECT_AL_SIP_METHOD].url = "/rules/" KEYWORD_DOC; - sigmatch_table[DETECT_AL_SIP_METHOD].Setup = DetectSipMethodSetup; - sigmatch_table[DETECT_AL_SIP_METHOD].flags |= SIGMATCH_NOOPT; + sigmatch_table[DETECT_SIP_METHOD].name = KEYWORD_NAME; + sigmatch_table[DETECT_SIP_METHOD].desc = "sticky buffer to match on the SIP method buffer"; + sigmatch_table[DETECT_SIP_METHOD].url = "/rules/" KEYWORD_DOC; + sigmatch_table[DETECT_SIP_METHOD].Setup = DetectSipMethodSetup; + sigmatch_table[DETECT_SIP_METHOD].flags |= SIGMATCH_NOOPT; DetectAppLayerInspectEngineRegister(BUFFER_NAME, ALPROTO_SIP, SIG_FLAG_TOSERVER, 0, DetectEngineInspectBufferGeneric, GetData); diff --git a/src/detect-sip-uri.c b/src/detect-sip-uri.c index daf42235d8c5..9deafbb42bb0 100644 --- a/src/detect-sip-uri.c +++ b/src/detect-sip-uri.c @@ -105,11 +105,11 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx, void DetectSipUriRegister(void) { - sigmatch_table[DETECT_AL_SIP_URI].name = KEYWORD_NAME; - sigmatch_table[DETECT_AL_SIP_URI].desc = "sticky buffer to match on the SIP URI"; - sigmatch_table[DETECT_AL_SIP_URI].url = "/rules/" KEYWORD_DOC; - sigmatch_table[DETECT_AL_SIP_URI].Setup = DetectSipUriSetup; - sigmatch_table[DETECT_AL_SIP_URI].flags |= SIGMATCH_NOOPT; + sigmatch_table[DETECT_SIP_URI].name = KEYWORD_NAME; + sigmatch_table[DETECT_SIP_URI].desc = "sticky buffer to match on the SIP URI"; + sigmatch_table[DETECT_SIP_URI].url = "/rules/" KEYWORD_DOC; + sigmatch_table[DETECT_SIP_URI].Setup = DetectSipUriSetup; + sigmatch_table[DETECT_SIP_URI].flags |= SIGMATCH_NOOPT; DetectAppLayerInspectEngineRegister(BUFFER_NAME, ALPROTO_SIP, SIG_FLAG_TOSERVER, 0, DetectEngineInspectBufferGeneric, GetData); diff --git a/src/detect-ssh-hassh-server-string.c b/src/detect-ssh-hassh-server-string.c index f62c72e79c79..6aefc39682dd 100644 --- a/src/detect-ssh-hassh-server-string.c +++ b/src/detect-ssh-hassh-server-string.c @@ -107,7 +107,7 @@ static int DetectSshHasshServerStringSetup(DetectEngineCtx *de_ctx, Signature *s /* Check if Hassh is disabled */ if (!RunmodeIsUnittests() && !rs_ssh_hassh_is_enabled()) { - if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_AL_SSH_HASSH_SERVER_STRING)) { + if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_SSH_HASSH_SERVER_STRING)) { SCLogError("hassh support is not enabled"); } return -2; @@ -122,12 +122,13 @@ static int DetectSshHasshServerStringSetup(DetectEngineCtx *de_ctx, Signature *s */ void DetectSshHasshServerStringRegister(void) { - sigmatch_table[DETECT_AL_SSH_HASSH_SERVER_STRING].name = KEYWORD_NAME; - sigmatch_table[DETECT_AL_SSH_HASSH_SERVER_STRING].alias = KEYWORD_ALIAS; - sigmatch_table[DETECT_AL_SSH_HASSH_SERVER_STRING].desc = BUFFER_NAME " sticky buffer"; - sigmatch_table[DETECT_AL_SSH_HASSH_SERVER_STRING].url = "/rules/" KEYWORD_DOC; - sigmatch_table[DETECT_AL_SSH_HASSH_SERVER_STRING].Setup = DetectSshHasshServerStringSetup; - sigmatch_table[DETECT_AL_SSH_HASSH_SERVER_STRING].flags |= SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_NOOPT; + sigmatch_table[DETECT_SSH_HASSH_SERVER_STRING].name = KEYWORD_NAME; + sigmatch_table[DETECT_SSH_HASSH_SERVER_STRING].alias = KEYWORD_ALIAS; + sigmatch_table[DETECT_SSH_HASSH_SERVER_STRING].desc = BUFFER_NAME " sticky buffer"; + sigmatch_table[DETECT_SSH_HASSH_SERVER_STRING].url = "/rules/" KEYWORD_DOC; + sigmatch_table[DETECT_SSH_HASSH_SERVER_STRING].Setup = DetectSshHasshServerStringSetup; + sigmatch_table[DETECT_SSH_HASSH_SERVER_STRING].flags |= + SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_NOOPT; DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister, GetSshData, ALPROTO_SSH, SshStateBannerDone); diff --git a/src/detect-ssh-hassh-server.c b/src/detect-ssh-hassh-server.c index 98f7d3dc2e2f..487ea92f141a 100644 --- a/src/detect-ssh-hassh-server.c +++ b/src/detect-ssh-hassh-server.c @@ -108,7 +108,7 @@ static int DetectSshHasshServerSetup(DetectEngineCtx *de_ctx, Signature *s, cons /* Check if Hassh is disabled */ if (!RunmodeIsUnittests() && !rs_ssh_hassh_is_enabled()) { - if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_AL_SSH_HASSH_SERVER)) { + if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_SSH_HASSH_SERVER)) { SCLogError("hassh support is not enabled"); } return -2; @@ -190,12 +190,12 @@ static void DetectSshHasshServerHashSetupCallback(const DetectEngineCtx *de_ctx, */ void DetectSshHasshServerRegister(void) { - sigmatch_table[DETECT_AL_SSH_HASSH_SERVER].name = KEYWORD_NAME; - sigmatch_table[DETECT_AL_SSH_HASSH_SERVER].alias = KEYWORD_ALIAS; - sigmatch_table[DETECT_AL_SSH_HASSH_SERVER].desc = BUFFER_NAME " sticky buffer"; - sigmatch_table[DETECT_AL_SSH_HASSH_SERVER].url = "/rules/" KEYWORD_DOC; - sigmatch_table[DETECT_AL_SSH_HASSH_SERVER].Setup = DetectSshHasshServerSetup; - sigmatch_table[DETECT_AL_SSH_HASSH_SERVER].flags |= SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_NOOPT; + sigmatch_table[DETECT_SSH_HASSH_SERVER].name = KEYWORD_NAME; + sigmatch_table[DETECT_SSH_HASSH_SERVER].alias = KEYWORD_ALIAS; + sigmatch_table[DETECT_SSH_HASSH_SERVER].desc = BUFFER_NAME " sticky buffer"; + sigmatch_table[DETECT_SSH_HASSH_SERVER].url = "/rules/" KEYWORD_DOC; + sigmatch_table[DETECT_SSH_HASSH_SERVER].Setup = DetectSshHasshServerSetup; + sigmatch_table[DETECT_SSH_HASSH_SERVER].flags |= SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_NOOPT; DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister, GetSshData, ALPROTO_SSH, SshStateBannerDone); diff --git a/src/detect-ssh-hassh-string.c b/src/detect-ssh-hassh-string.c index ad29b90ee764..9b268ee96c30 100644 --- a/src/detect-ssh-hassh-string.c +++ b/src/detect-ssh-hassh-string.c @@ -107,7 +107,7 @@ static int DetectSshHasshStringSetup(DetectEngineCtx *de_ctx, Signature *s, cons /* Check if Hassh is disabled */ if (!RunmodeIsUnittests() && !rs_ssh_hassh_is_enabled()) { - if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_AL_SSH_HASSH_STRING)) { + if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_SSH_HASSH_STRING)) { SCLogError("hassh support is not enabled"); } return -2; @@ -122,12 +122,12 @@ static int DetectSshHasshStringSetup(DetectEngineCtx *de_ctx, Signature *s, cons */ void DetectSshHasshStringRegister(void) { - sigmatch_table[DETECT_AL_SSH_HASSH_STRING].name = KEYWORD_NAME; - sigmatch_table[DETECT_AL_SSH_HASSH_STRING].alias = KEYWORD_ALIAS; - sigmatch_table[DETECT_AL_SSH_HASSH_STRING].desc = BUFFER_NAME " sticky buffer"; - sigmatch_table[DETECT_AL_SSH_HASSH_STRING].url = "/rules/" KEYWORD_DOC; - sigmatch_table[DETECT_AL_SSH_HASSH_STRING].Setup = DetectSshHasshStringSetup; - sigmatch_table[DETECT_AL_SSH_HASSH_STRING].flags |= SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_NOOPT; + sigmatch_table[DETECT_SSH_HASSH_STRING].name = KEYWORD_NAME; + sigmatch_table[DETECT_SSH_HASSH_STRING].alias = KEYWORD_ALIAS; + sigmatch_table[DETECT_SSH_HASSH_STRING].desc = BUFFER_NAME " sticky buffer"; + sigmatch_table[DETECT_SSH_HASSH_STRING].url = "/rules/" KEYWORD_DOC; + sigmatch_table[DETECT_SSH_HASSH_STRING].Setup = DetectSshHasshStringSetup; + sigmatch_table[DETECT_SSH_HASSH_STRING].flags |= SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_NOOPT; DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister, GetSshData, ALPROTO_SSH, SshStateBannerDone); diff --git a/src/detect-ssh-hassh.c b/src/detect-ssh-hassh.c index 377aa9d2c433..d8309c265cbe 100644 --- a/src/detect-ssh-hassh.c +++ b/src/detect-ssh-hassh.c @@ -108,7 +108,7 @@ static int DetectSshHasshSetup(DetectEngineCtx *de_ctx, Signature *s, const char /* Check if Hassh is disabled */ if (!RunmodeIsUnittests() && !rs_ssh_hassh_is_enabled()) { - if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_AL_SSH_HASSH)) { + if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_SSH_HASSH)) { SCLogError("hassh support is not enabled"); } return -2; @@ -192,12 +192,12 @@ static void DetectSshHasshHashSetupCallback(const DetectEngineCtx *de_ctx, */ void DetectSshHasshRegister(void) { - sigmatch_table[DETECT_AL_SSH_HASSH].name = KEYWORD_NAME; - sigmatch_table[DETECT_AL_SSH_HASSH].alias = KEYWORD_ALIAS; - sigmatch_table[DETECT_AL_SSH_HASSH].desc = BUFFER_NAME " sticky buffer"; - sigmatch_table[DETECT_AL_SSH_HASSH].url = "/rules/" KEYWORD_DOC; - sigmatch_table[DETECT_AL_SSH_HASSH].Setup = DetectSshHasshSetup; - sigmatch_table[DETECT_AL_SSH_HASSH].flags |= SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_NOOPT; + sigmatch_table[DETECT_SSH_HASSH].name = KEYWORD_NAME; + sigmatch_table[DETECT_SSH_HASSH].alias = KEYWORD_ALIAS; + sigmatch_table[DETECT_SSH_HASSH].desc = BUFFER_NAME " sticky buffer"; + sigmatch_table[DETECT_SSH_HASSH].url = "/rules/" KEYWORD_DOC; + sigmatch_table[DETECT_SSH_HASSH].Setup = DetectSshHasshSetup; + sigmatch_table[DETECT_SSH_HASSH].flags |= SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_NOOPT; DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister, GetSshData, ALPROTO_SSH, SshStateBannerDone), diff --git a/src/detect-ssh-proto-version.c b/src/detect-ssh-proto-version.c index 06b02dbbca93..ed4814bda67b 100644 --- a/src/detect-ssh-proto-version.c +++ b/src/detect-ssh-proto-version.c @@ -38,7 +38,7 @@ static int DetectSshVersionSetup (DetectEngineCtx *de_ctx, Signature *s, const c */ void DetectSshVersionRegister(void) { - sigmatch_table[DETECT_AL_SSH_PROTOVERSION].name = "ssh.protoversion"; - sigmatch_table[DETECT_AL_SSH_PROTOVERSION].desc = "obsolete keyword, use now ssh.proto"; - sigmatch_table[DETECT_AL_SSH_PROTOVERSION].Setup = DetectSshVersionSetup; + sigmatch_table[DETECT_SSH_PROTOVERSION].name = "ssh.protoversion"; + sigmatch_table[DETECT_SSH_PROTOVERSION].desc = "obsolete keyword, use now ssh.proto"; + sigmatch_table[DETECT_SSH_PROTOVERSION].Setup = DetectSshVersionSetup; } diff --git a/src/detect-ssh-proto.c b/src/detect-ssh-proto.c index 19807511e757..5d53881abc15 100644 --- a/src/detect-ssh-proto.c +++ b/src/detect-ssh-proto.c @@ -94,12 +94,12 @@ static int DetectSshProtocolSetup(DetectEngineCtx *de_ctx, Signature *s, const c void DetectSshProtocolRegister(void) { - sigmatch_table[DETECT_AL_SSH_PROTOCOL].name = KEYWORD_NAME; - sigmatch_table[DETECT_AL_SSH_PROTOCOL].alias = KEYWORD_NAME_LEGACY; - sigmatch_table[DETECT_AL_SSH_PROTOCOL].desc = BUFFER_NAME " sticky buffer"; - sigmatch_table[DETECT_AL_SSH_PROTOCOL].url = "/rules/" KEYWORD_DOC; - sigmatch_table[DETECT_AL_SSH_PROTOCOL].Setup = DetectSshProtocolSetup; - sigmatch_table[DETECT_AL_SSH_PROTOCOL].flags |= SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_NOOPT; + sigmatch_table[DETECT_SSH_PROTOCOL].name = KEYWORD_NAME; + sigmatch_table[DETECT_SSH_PROTOCOL].alias = KEYWORD_NAME_LEGACY; + sigmatch_table[DETECT_SSH_PROTOCOL].desc = BUFFER_NAME " sticky buffer"; + sigmatch_table[DETECT_SSH_PROTOCOL].url = "/rules/" KEYWORD_DOC; + sigmatch_table[DETECT_SSH_PROTOCOL].Setup = DetectSshProtocolSetup; + sigmatch_table[DETECT_SSH_PROTOCOL].flags |= SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_NOOPT; DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister, GetSshData, ALPROTO_SSH, SshStateBannerDone), diff --git a/src/detect-ssh-software-version.c b/src/detect-ssh-software-version.c index 512c6f223573..889d22cff2f0 100644 --- a/src/detect-ssh-software-version.c +++ b/src/detect-ssh-software-version.c @@ -38,7 +38,7 @@ static int DetectSshSoftwareVersionSetup (DetectEngineCtx *de_ctx, Signature *s, */ void DetectSshSoftwareVersionRegister(void) { - sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].name = "ssh.softwareversion"; - sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].desc = "obsolete keyword, use now ssh.software"; - sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].Setup = DetectSshSoftwareVersionSetup; + sigmatch_table[DETECT_SSH_SOFTWAREVERSION].name = "ssh.softwareversion"; + sigmatch_table[DETECT_SSH_SOFTWAREVERSION].desc = "obsolete keyword, use now ssh.software"; + sigmatch_table[DETECT_SSH_SOFTWAREVERSION].Setup = DetectSshSoftwareVersionSetup; } diff --git a/src/detect-ssh-software.c b/src/detect-ssh-software.c index 0a8d5aab0d97..c7b89b5ea18c 100644 --- a/src/detect-ssh-software.c +++ b/src/detect-ssh-software.c @@ -95,12 +95,12 @@ static int DetectSshSoftwareSetup(DetectEngineCtx *de_ctx, Signature *s, const c void DetectSshSoftwareRegister(void) { - sigmatch_table[DETECT_AL_SSH_SOFTWARE].name = KEYWORD_NAME; - sigmatch_table[DETECT_AL_SSH_SOFTWARE].alias = KEYWORD_NAME_LEGACY; - sigmatch_table[DETECT_AL_SSH_SOFTWARE].desc = BUFFER_NAME " sticky buffer"; - sigmatch_table[DETECT_AL_SSH_SOFTWARE].url = "/rules/" KEYWORD_DOC; - sigmatch_table[DETECT_AL_SSH_SOFTWARE].Setup = DetectSshSoftwareSetup; - sigmatch_table[DETECT_AL_SSH_SOFTWARE].flags |= SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_NOOPT; + sigmatch_table[DETECT_SSH_SOFTWARE].name = KEYWORD_NAME; + sigmatch_table[DETECT_SSH_SOFTWARE].alias = KEYWORD_NAME_LEGACY; + sigmatch_table[DETECT_SSH_SOFTWARE].desc = BUFFER_NAME " sticky buffer"; + sigmatch_table[DETECT_SSH_SOFTWARE].url = "/rules/" KEYWORD_DOC; + sigmatch_table[DETECT_SSH_SOFTWARE].Setup = DetectSshSoftwareSetup; + sigmatch_table[DETECT_SSH_SOFTWARE].flags |= SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_NOOPT; DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister, GetSshData, ALPROTO_SSH, SshStateBannerDone), diff --git a/src/detect-ssl-state.c b/src/detect-ssl-state.c index 1ad10cc387f4..72123ea285d7 100644 --- a/src/detect-ssl-state.c +++ b/src/detect-ssl-state.c @@ -72,14 +72,14 @@ static int g_tls_generic_list_id = 0; */ void DetectSslStateRegister(void) { - sigmatch_table[DETECT_AL_SSL_STATE].name = "ssl_state"; - sigmatch_table[DETECT_AL_SSL_STATE].desc = "match the state of the SSL connection"; - sigmatch_table[DETECT_AL_SSL_STATE].url = "/rules/tls-keywords.html#ssl-state"; - sigmatch_table[DETECT_AL_SSL_STATE].AppLayerTxMatch = DetectSslStateMatch; - sigmatch_table[DETECT_AL_SSL_STATE].Setup = DetectSslStateSetup; - sigmatch_table[DETECT_AL_SSL_STATE].Free = DetectSslStateFree; + sigmatch_table[DETECT_SSL_STATE].name = "ssl_state"; + sigmatch_table[DETECT_SSL_STATE].desc = "match the state of the SSL connection"; + sigmatch_table[DETECT_SSL_STATE].url = "/rules/tls-keywords.html#ssl-state"; + sigmatch_table[DETECT_SSL_STATE].AppLayerTxMatch = DetectSslStateMatch; + sigmatch_table[DETECT_SSL_STATE].Setup = DetectSslStateSetup; + sigmatch_table[DETECT_SSL_STATE].Free = DetectSslStateFree; #ifdef UNITTESTS - sigmatch_table[DETECT_AL_SSL_STATE].RegisterTests = DetectSslStateRegisterTests; + sigmatch_table[DETECT_SSL_STATE].RegisterTests = DetectSslStateRegisterTests; #endif DetectSetupParseRegexes(PARSE_REGEX1, &parse_regex1); DetectSetupParseRegexes(PARSE_REGEX2, &parse_regex2); @@ -311,8 +311,8 @@ static int DetectSslStateSetup(DetectEngineCtx *de_ctx, Signature *s, const char if (ssd == NULL) goto error; - if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_SSL_STATE, (SigMatchCtx *)ssd, - g_tls_generic_list_id) == NULL) { + if (SigMatchAppendSMToList( + de_ctx, s, DETECT_SSL_STATE, (SigMatchCtx *)ssd, g_tls_generic_list_id) == NULL) { goto error; } return 0; diff --git a/src/detect-ssl-version.c b/src/detect-ssl-version.c index 1326da49dd1c..febe8f638929 100644 --- a/src/detect-ssl-version.c +++ b/src/detect-ssl-version.c @@ -66,14 +66,14 @@ static int g_tls_generic_list_id = 0; */ void DetectSslVersionRegister(void) { - sigmatch_table[DETECT_AL_SSL_VERSION].name = "ssl_version"; - sigmatch_table[DETECT_AL_SSL_VERSION].desc = "match version of SSL/TLS record"; - sigmatch_table[DETECT_AL_SSL_VERSION].url = "/rules/tls-keywords.html#ssl-version"; - sigmatch_table[DETECT_AL_SSL_VERSION].AppLayerTxMatch = DetectSslVersionMatch; - sigmatch_table[DETECT_AL_SSL_VERSION].Setup = DetectSslVersionSetup; - sigmatch_table[DETECT_AL_SSL_VERSION].Free = DetectSslVersionFree; + sigmatch_table[DETECT_SSL_VERSION].name = "ssl_version"; + sigmatch_table[DETECT_SSL_VERSION].desc = "match version of SSL/TLS record"; + sigmatch_table[DETECT_SSL_VERSION].url = "/rules/tls-keywords.html#ssl-version"; + sigmatch_table[DETECT_SSL_VERSION].AppLayerTxMatch = DetectSslVersionMatch; + sigmatch_table[DETECT_SSL_VERSION].Setup = DetectSslVersionSetup; + sigmatch_table[DETECT_SSL_VERSION].Free = DetectSslVersionFree; #ifdef UNITTESTS - sigmatch_table[DETECT_AL_SSL_VERSION].RegisterTests = DetectSslVersionRegisterTests; + sigmatch_table[DETECT_SSL_VERSION].RegisterTests = DetectSslVersionRegisterTests; #endif g_tls_generic_list_id = DetectBufferTypeRegister("tls_generic"); @@ -301,8 +301,8 @@ static int DetectSslVersionSetup (DetectEngineCtx *de_ctx, Signature *s, const c /* Okay so far so good, lets get this into a SigMatch * and put it in the Signature. */ - if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_SSL_VERSION, (SigMatchCtx *)ssl, - g_tls_generic_list_id) == NULL) { + if (SigMatchAppendSMToList( + de_ctx, s, DETECT_SSL_VERSION, (SigMatchCtx *)ssl, g_tls_generic_list_id) == NULL) { goto error; } return 0; diff --git a/src/detect-tls-cert-fingerprint.c b/src/detect-tls-cert-fingerprint.c index 9fec32151dd6..8f6872a81871 100644 --- a/src/detect-tls-cert-fingerprint.c +++ b/src/detect-tls-cert-fingerprint.c @@ -71,17 +71,18 @@ static int g_tls_cert_fingerprint_buffer_id = 0; */ void DetectTlsFingerprintRegister(void) { - sigmatch_table[DETECT_AL_TLS_CERT_FINGERPRINT].name = "tls.cert_fingerprint"; - sigmatch_table[DETECT_AL_TLS_CERT_FINGERPRINT].alias = "tls_cert_fingerprint"; - sigmatch_table[DETECT_AL_TLS_CERT_FINGERPRINT].desc = + sigmatch_table[DETECT_TLS_CERT_FINGERPRINT].name = "tls.cert_fingerprint"; + sigmatch_table[DETECT_TLS_CERT_FINGERPRINT].alias = "tls_cert_fingerprint"; + sigmatch_table[DETECT_TLS_CERT_FINGERPRINT].desc = "sticky buffer to match the TLS cert fingerprint buffer"; - sigmatch_table[DETECT_AL_TLS_CERT_FINGERPRINT].url = "/rules/tls-keywords.html#tls-cert-fingerprint"; - sigmatch_table[DETECT_AL_TLS_CERT_FINGERPRINT].Setup = DetectTlsFingerprintSetup; + sigmatch_table[DETECT_TLS_CERT_FINGERPRINT].url = + "/rules/tls-keywords.html#tls-cert-fingerprint"; + sigmatch_table[DETECT_TLS_CERT_FINGERPRINT].Setup = DetectTlsFingerprintSetup; #ifdef UNITTESTS - sigmatch_table[DETECT_AL_TLS_CERT_FINGERPRINT].RegisterTests = DetectTlsFingerprintRegisterTests; + sigmatch_table[DETECT_TLS_CERT_FINGERPRINT].RegisterTests = DetectTlsFingerprintRegisterTests; #endif - sigmatch_table[DETECT_AL_TLS_CERT_FINGERPRINT].flags |= SIGMATCH_NOOPT; - sigmatch_table[DETECT_AL_TLS_CERT_FINGERPRINT].flags |= SIGMATCH_INFO_STICKY_BUFFER; + sigmatch_table[DETECT_TLS_CERT_FINGERPRINT].flags |= SIGMATCH_NOOPT; + sigmatch_table[DETECT_TLS_CERT_FINGERPRINT].flags |= SIGMATCH_INFO_STICKY_BUFFER; DetectAppLayerInspectEngineRegister("tls.cert_fingerprint", ALPROTO_TLS, SIG_FLAG_TOCLIENT, TLS_STATE_CERT_READY, DetectEngineInspectBufferGeneric, GetData); diff --git a/src/detect-tls-cert-issuer.c b/src/detect-tls-cert-issuer.c index 49bada4cdf6d..55411172a651 100644 --- a/src/detect-tls-cert-issuer.c +++ b/src/detect-tls-cert-issuer.c @@ -67,17 +67,17 @@ static int g_tls_cert_issuer_buffer_id = 0; */ void DetectTlsIssuerRegister(void) { - sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].name = "tls.cert_issuer"; - sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].alias = "tls_cert_issuer"; - sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].desc = + sigmatch_table[DETECT_TLS_CERT_ISSUER].name = "tls.cert_issuer"; + sigmatch_table[DETECT_TLS_CERT_ISSUER].alias = "tls_cert_issuer"; + sigmatch_table[DETECT_TLS_CERT_ISSUER].desc = "sticky buffer to match specifically and only on the TLS cert issuer buffer"; - sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].url = "/rules/tls-keywords.html#tls-cert-issuer"; - sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].Setup = DetectTlsIssuerSetup; + sigmatch_table[DETECT_TLS_CERT_ISSUER].url = "/rules/tls-keywords.html#tls-cert-issuer"; + sigmatch_table[DETECT_TLS_CERT_ISSUER].Setup = DetectTlsIssuerSetup; #ifdef UNITTESTS - sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].RegisterTests = DetectTlsIssuerRegisterTests; + sigmatch_table[DETECT_TLS_CERT_ISSUER].RegisterTests = DetectTlsIssuerRegisterTests; #endif - sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].flags |= SIGMATCH_NOOPT; - sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].flags |= SIGMATCH_INFO_STICKY_BUFFER; + sigmatch_table[DETECT_TLS_CERT_ISSUER].flags |= SIGMATCH_NOOPT; + sigmatch_table[DETECT_TLS_CERT_ISSUER].flags |= SIGMATCH_INFO_STICKY_BUFFER; DetectAppLayerInspectEngineRegister("tls.cert_issuer", ALPROTO_TLS, SIG_FLAG_TOSERVER, TLS_STATE_CERT_READY, DetectEngineInspectBufferGeneric, GetData); diff --git a/src/detect-tls-cert-serial.c b/src/detect-tls-cert-serial.c index 0ac7bfdd20cc..fb4e02995433 100644 --- a/src/detect-tls-cert-serial.c +++ b/src/detect-tls-cert-serial.c @@ -71,17 +71,17 @@ static int g_tls_cert_serial_buffer_id = 0; */ void DetectTlsSerialRegister(void) { - sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].name = "tls.cert_serial"; - sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].alias = "tls_cert_serial"; - sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].desc = + sigmatch_table[DETECT_TLS_CERT_SERIAL].name = "tls.cert_serial"; + sigmatch_table[DETECT_TLS_CERT_SERIAL].alias = "tls_cert_serial"; + sigmatch_table[DETECT_TLS_CERT_SERIAL].desc = "sticky buffer to match the TLS cert serial buffer"; - sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].url = "/rules/tls-keywords.html#tls-cert-serial"; - sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].Setup = DetectTlsSerialSetup; + sigmatch_table[DETECT_TLS_CERT_SERIAL].url = "/rules/tls-keywords.html#tls-cert-serial"; + sigmatch_table[DETECT_TLS_CERT_SERIAL].Setup = DetectTlsSerialSetup; #ifdef UNITTESTS - sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].RegisterTests = DetectTlsSerialRegisterTests; + sigmatch_table[DETECT_TLS_CERT_SERIAL].RegisterTests = DetectTlsSerialRegisterTests; #endif - sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].flags |= SIGMATCH_NOOPT; - sigmatch_table[DETECT_AL_TLS_CERT_SERIAL].flags |= SIGMATCH_INFO_STICKY_BUFFER; + sigmatch_table[DETECT_TLS_CERT_SERIAL].flags |= SIGMATCH_NOOPT; + sigmatch_table[DETECT_TLS_CERT_SERIAL].flags |= SIGMATCH_INFO_STICKY_BUFFER; DetectAppLayerInspectEngineRegister("tls.cert_serial", ALPROTO_TLS, SIG_FLAG_TOCLIENT, TLS_STATE_CERT_READY, DetectEngineInspectBufferGeneric, GetData); diff --git a/src/detect-tls-cert-subject.c b/src/detect-tls-cert-subject.c index e0dcde30a830..7d3ca50a6190 100644 --- a/src/detect-tls-cert-subject.c +++ b/src/detect-tls-cert-subject.c @@ -67,17 +67,17 @@ static int g_tls_cert_subject_buffer_id = 0; */ void DetectTlsSubjectRegister(void) { - sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].name = "tls.cert_subject"; - sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].alias = "tls_cert_subject"; - sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].desc = + sigmatch_table[DETECT_TLS_CERT_SUBJECT].name = "tls.cert_subject"; + sigmatch_table[DETECT_TLS_CERT_SUBJECT].alias = "tls_cert_subject"; + sigmatch_table[DETECT_TLS_CERT_SUBJECT].desc = "sticky buffer to match specifically and only on the TLS cert subject buffer"; - sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].url = "/rules/tls-keywords.html#tls-cert-subject"; - sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].Setup = DetectTlsSubjectSetup; + sigmatch_table[DETECT_TLS_CERT_SUBJECT].url = "/rules/tls-keywords.html#tls-cert-subject"; + sigmatch_table[DETECT_TLS_CERT_SUBJECT].Setup = DetectTlsSubjectSetup; #ifdef UNITTESTS - sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].RegisterTests = DetectTlsSubjectRegisterTests; + sigmatch_table[DETECT_TLS_CERT_SUBJECT].RegisterTests = DetectTlsSubjectRegisterTests; #endif - sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].flags |= SIGMATCH_NOOPT; - sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].flags |= SIGMATCH_INFO_STICKY_BUFFER; + sigmatch_table[DETECT_TLS_CERT_SUBJECT].flags |= SIGMATCH_NOOPT; + sigmatch_table[DETECT_TLS_CERT_SUBJECT].flags |= SIGMATCH_INFO_STICKY_BUFFER; DetectAppLayerInspectEngineRegister("tls.cert_subject", ALPROTO_TLS, SIG_FLAG_TOSERVER, TLS_STATE_CERT_READY, DetectEngineInspectBufferGeneric, GetData); diff --git a/src/detect-tls-cert-validity.c b/src/detect-tls-cert-validity.c index 7ccf8df6740a..b8d9f184ecb4 100644 --- a/src/detect-tls-cert-validity.c +++ b/src/detect-tls-cert-validity.c @@ -79,46 +79,46 @@ static int g_tls_validity_buffer_id = 0; */ void DetectTlsValidityRegister (void) { - sigmatch_table[DETECT_AL_TLS_NOTBEFORE].name = "tls_cert_notbefore"; - sigmatch_table[DETECT_AL_TLS_NOTBEFORE].desc = "match TLS certificate notBefore field"; - sigmatch_table[DETECT_AL_TLS_NOTBEFORE].url = "/rules/tls-keywords.html#tls-cert-notbefore"; - sigmatch_table[DETECT_AL_TLS_NOTBEFORE].AppLayerTxMatch = DetectTlsValidityMatch; - sigmatch_table[DETECT_AL_TLS_NOTBEFORE].Setup = DetectTlsNotBeforeSetup; - sigmatch_table[DETECT_AL_TLS_NOTBEFORE].Free = DetectTlsValidityFree; + sigmatch_table[DETECT_TLS_NOTBEFORE].name = "tls_cert_notbefore"; + sigmatch_table[DETECT_TLS_NOTBEFORE].desc = "match TLS certificate notBefore field"; + sigmatch_table[DETECT_TLS_NOTBEFORE].url = "/rules/tls-keywords.html#tls-cert-notbefore"; + sigmatch_table[DETECT_TLS_NOTBEFORE].AppLayerTxMatch = DetectTlsValidityMatch; + sigmatch_table[DETECT_TLS_NOTBEFORE].Setup = DetectTlsNotBeforeSetup; + sigmatch_table[DETECT_TLS_NOTBEFORE].Free = DetectTlsValidityFree; #ifdef UNITTESTS - sigmatch_table[DETECT_AL_TLS_NOTBEFORE].RegisterTests = TlsNotBeforeRegisterTests; + sigmatch_table[DETECT_TLS_NOTBEFORE].RegisterTests = TlsNotBeforeRegisterTests; #endif - sigmatch_table[DETECT_AL_TLS_NOTAFTER].name = "tls_cert_notafter"; - sigmatch_table[DETECT_AL_TLS_NOTAFTER].desc = "match TLS certificate notAfter field"; - sigmatch_table[DETECT_AL_TLS_NOTAFTER].url = "/rules/tls-keywords.html#tls-cert-notafter"; - sigmatch_table[DETECT_AL_TLS_NOTAFTER].AppLayerTxMatch = DetectTlsValidityMatch; - sigmatch_table[DETECT_AL_TLS_NOTAFTER].Setup = DetectTlsNotAfterSetup; - sigmatch_table[DETECT_AL_TLS_NOTAFTER].Free = DetectTlsValidityFree; + sigmatch_table[DETECT_TLS_NOTAFTER].name = "tls_cert_notafter"; + sigmatch_table[DETECT_TLS_NOTAFTER].desc = "match TLS certificate notAfter field"; + sigmatch_table[DETECT_TLS_NOTAFTER].url = "/rules/tls-keywords.html#tls-cert-notafter"; + sigmatch_table[DETECT_TLS_NOTAFTER].AppLayerTxMatch = DetectTlsValidityMatch; + sigmatch_table[DETECT_TLS_NOTAFTER].Setup = DetectTlsNotAfterSetup; + sigmatch_table[DETECT_TLS_NOTAFTER].Free = DetectTlsValidityFree; #ifdef UNITTESTS - sigmatch_table[DETECT_AL_TLS_NOTAFTER].RegisterTests = TlsNotAfterRegisterTests; + sigmatch_table[DETECT_TLS_NOTAFTER].RegisterTests = TlsNotAfterRegisterTests; #endif - sigmatch_table[DETECT_AL_TLS_EXPIRED].name = "tls_cert_expired"; - sigmatch_table[DETECT_AL_TLS_EXPIRED].desc = "match expired TLS certificates"; - sigmatch_table[DETECT_AL_TLS_EXPIRED].url = "/rules/tls-keywords.html#tls-cert-expired"; - sigmatch_table[DETECT_AL_TLS_EXPIRED].AppLayerTxMatch = DetectTlsValidityMatch; - sigmatch_table[DETECT_AL_TLS_EXPIRED].Setup = DetectTlsExpiredSetup; - sigmatch_table[DETECT_AL_TLS_EXPIRED].Free = DetectTlsValidityFree; - sigmatch_table[DETECT_AL_TLS_EXPIRED].flags = SIGMATCH_NOOPT; + sigmatch_table[DETECT_TLS_EXPIRED].name = "tls_cert_expired"; + sigmatch_table[DETECT_TLS_EXPIRED].desc = "match expired TLS certificates"; + sigmatch_table[DETECT_TLS_EXPIRED].url = "/rules/tls-keywords.html#tls-cert-expired"; + sigmatch_table[DETECT_TLS_EXPIRED].AppLayerTxMatch = DetectTlsValidityMatch; + sigmatch_table[DETECT_TLS_EXPIRED].Setup = DetectTlsExpiredSetup; + sigmatch_table[DETECT_TLS_EXPIRED].Free = DetectTlsValidityFree; + sigmatch_table[DETECT_TLS_EXPIRED].flags = SIGMATCH_NOOPT; #ifdef UNITTESTS - sigmatch_table[DETECT_AL_TLS_EXPIRED].RegisterTests = TlsExpiredRegisterTests; + sigmatch_table[DETECT_TLS_EXPIRED].RegisterTests = TlsExpiredRegisterTests; #endif - sigmatch_table[DETECT_AL_TLS_VALID].name = "tls_cert_valid"; - sigmatch_table[DETECT_AL_TLS_VALID].desc = "match valid TLS certificates"; - sigmatch_table[DETECT_AL_TLS_VALID].url = "/rules/tls-keywords.html#tls-cert-valid"; - sigmatch_table[DETECT_AL_TLS_VALID].AppLayerTxMatch = DetectTlsValidityMatch; - sigmatch_table[DETECT_AL_TLS_VALID].Setup = DetectTlsValidSetup; - sigmatch_table[DETECT_AL_TLS_VALID].Free = DetectTlsValidityFree; - sigmatch_table[DETECT_AL_TLS_VALID].flags = SIGMATCH_NOOPT; + sigmatch_table[DETECT_TLS_VALID].name = "tls_cert_valid"; + sigmatch_table[DETECT_TLS_VALID].desc = "match valid TLS certificates"; + sigmatch_table[DETECT_TLS_VALID].url = "/rules/tls-keywords.html#tls-cert-valid"; + sigmatch_table[DETECT_TLS_VALID].AppLayerTxMatch = DetectTlsValidityMatch; + sigmatch_table[DETECT_TLS_VALID].Setup = DetectTlsValidSetup; + sigmatch_table[DETECT_TLS_VALID].Free = DetectTlsValidityFree; + sigmatch_table[DETECT_TLS_VALID].flags = SIGMATCH_NOOPT; #ifdef UNITTESTS - sigmatch_table[DETECT_AL_TLS_VALID].RegisterTests = TlsValidRegisterTests; + sigmatch_table[DETECT_TLS_VALID].RegisterTests = TlsValidRegisterTests; #endif DetectSetupParseRegexes(PARSE_REGEX, &parse_regex); @@ -434,7 +434,7 @@ static int DetectTlsExpiredSetup (DetectEngineCtx *de_ctx, Signature *s, dd->epoch = 0; dd->epoch2 = 0; - if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_TLS_EXPIRED, (SigMatchCtx *)dd, + if (SigMatchAppendSMToList(de_ctx, s, DETECT_TLS_EXPIRED, (SigMatchCtx *)dd, g_tls_validity_buffer_id) == NULL) { goto error; } @@ -479,8 +479,8 @@ static int DetectTlsValidSetup (DetectEngineCtx *de_ctx, Signature *s, dd->epoch = 0; dd->epoch2 = 0; - if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_TLS_VALID, (SigMatchCtx *)dd, - g_tls_validity_buffer_id) == NULL) { + if (SigMatchAppendSMToList( + de_ctx, s, DETECT_TLS_VALID, (SigMatchCtx *)dd, g_tls_validity_buffer_id) == NULL) { goto error; } return 0; @@ -568,7 +568,7 @@ static int DetectTlsValiditySetup (DetectEngineCtx *de_ctx, Signature *s, goto error; } - if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_TLS_NOTAFTER, (SigMatchCtx *)dd, + if (SigMatchAppendSMToList(de_ctx, s, DETECT_TLS_NOTAFTER, (SigMatchCtx *)dd, g_tls_validity_buffer_id) == NULL) { goto error; } diff --git a/src/detect-tls-certs.c b/src/detect-tls-certs.c index f34c5e23bfb6..a626769994ed 100644 --- a/src/detect-tls-certs.c +++ b/src/detect-tls-certs.c @@ -112,15 +112,15 @@ static InspectionBuffer *TlsCertsGetData(DetectEngineThreadCtx *det_ctx, */ void DetectTlsCertsRegister(void) { - sigmatch_table[DETECT_AL_TLS_CERTS].name = "tls.certs"; - sigmatch_table[DETECT_AL_TLS_CERTS].desc = "sticky buffer to match the TLS certificate buffer"; - sigmatch_table[DETECT_AL_TLS_CERTS].url = "/rules/tls-keywords.html#tls-certs"; - sigmatch_table[DETECT_AL_TLS_CERTS].Setup = DetectTlsCertsSetup; + sigmatch_table[DETECT_TLS_CERTS].name = "tls.certs"; + sigmatch_table[DETECT_TLS_CERTS].desc = "sticky buffer to match the TLS certificate buffer"; + sigmatch_table[DETECT_TLS_CERTS].url = "/rules/tls-keywords.html#tls-certs"; + sigmatch_table[DETECT_TLS_CERTS].Setup = DetectTlsCertsSetup; #ifdef UNITTESTS - sigmatch_table[DETECT_AL_TLS_CERTS].RegisterTests = DetectTlsCertsRegisterTests; + sigmatch_table[DETECT_TLS_CERTS].RegisterTests = DetectTlsCertsRegisterTests; #endif - sigmatch_table[DETECT_AL_TLS_CERTS].flags |= SIGMATCH_NOOPT; - sigmatch_table[DETECT_AL_TLS_CERTS].flags |= SIGMATCH_INFO_STICKY_BUFFER; + sigmatch_table[DETECT_TLS_CERTS].flags |= SIGMATCH_NOOPT; + sigmatch_table[DETECT_TLS_CERTS].flags |= SIGMATCH_INFO_STICKY_BUFFER; DetectAppLayerMultiRegister("tls.certs", ALPROTO_TLS, SIG_FLAG_TOCLIENT, TLS_STATE_CERT_READY, TlsCertsGetData, 2, 1); @@ -158,7 +158,7 @@ static int DetectTlsCertsSetup(DetectEngineCtx *de_ctx, Signature *s, static int g_tls_cert_buffer_id = 0; #define BUFFER_NAME "tls_validity" -#define KEYWORD_ID DETECT_AL_TLS_CHAIN_LEN +#define KEYWORD_ID DETECT_TLS_CHAIN_LEN #define KEYWORD_NAME "tls.cert_chain_len" #define KEYWORD_DESC "match TLS certificate chain length" #define KEYWORD_URL "/rules/tls-keywords.html#tls-cert-chain-len" diff --git a/src/detect-tls-ja3-hash.c b/src/detect-tls-ja3-hash.c index 57b0e55edeb5..e7994fb3271e 100644 --- a/src/detect-tls-ja3-hash.c +++ b/src/detect-tls-ja3-hash.c @@ -82,17 +82,17 @@ static int g_tls_ja3_hash_buffer_id = 0; */ void DetectTlsJa3HashRegister(void) { - sigmatch_table[DETECT_AL_TLS_JA3_HASH].name = "ja3.hash"; - sigmatch_table[DETECT_AL_TLS_JA3_HASH].alias = "ja3_hash"; - sigmatch_table[DETECT_AL_TLS_JA3_HASH].desc = "sticky buffer to match the JA3 hash buffer"; - sigmatch_table[DETECT_AL_TLS_JA3_HASH].url = "/rules/ja3-keywords.html#ja3-hash"; + sigmatch_table[DETECT_TLS_JA3_HASH].name = "ja3.hash"; + sigmatch_table[DETECT_TLS_JA3_HASH].alias = "ja3_hash"; + sigmatch_table[DETECT_TLS_JA3_HASH].desc = "sticky buffer to match the JA3 hash buffer"; + sigmatch_table[DETECT_TLS_JA3_HASH].url = "/rules/ja3-keywords.html#ja3-hash"; #ifdef HAVE_JA3 - sigmatch_table[DETECT_AL_TLS_JA3_HASH].Setup = DetectTlsJa3HashSetup; + sigmatch_table[DETECT_TLS_JA3_HASH].Setup = DetectTlsJa3HashSetup; #else /* HAVE_JA3 */ - sigmatch_table[DETECT_AL_TLS_JA3_HASH].Setup = DetectJA3SetupNoSupport; + sigmatch_table[DETECT_TLS_JA3_HASH].Setup = DetectJA3SetupNoSupport; #endif /* HAVE_JA3 */ - sigmatch_table[DETECT_AL_TLS_JA3_HASH].flags |= SIGMATCH_NOOPT; - sigmatch_table[DETECT_AL_TLS_JA3_HASH].flags |= SIGMATCH_INFO_STICKY_BUFFER; + sigmatch_table[DETECT_TLS_JA3_HASH].flags |= SIGMATCH_NOOPT; + sigmatch_table[DETECT_TLS_JA3_HASH].flags |= SIGMATCH_INFO_STICKY_BUFFER; #ifdef HAVE_JA3 DetectAppLayerInspectEngineRegister("ja3.hash", ALPROTO_TLS, SIG_FLAG_TOSERVER, 0, @@ -146,7 +146,7 @@ static int DetectTlsJa3HashSetup(DetectEngineCtx *de_ctx, Signature *s, const ch /* Check if JA3 is disabled */ if (!RunmodeIsUnittests() && Ja3IsDisabled("rule")) { - if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_AL_TLS_JA3_HASH)) { + if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_TLS_JA3_HASH)) { SCLogError("ja3 support is not enabled"); } return -2; diff --git a/src/detect-tls-ja3-string.c b/src/detect-tls-ja3-string.c index 1ec289c6e9d1..dc2d41b622c8 100644 --- a/src/detect-tls-ja3-string.c +++ b/src/detect-tls-ja3-string.c @@ -78,17 +78,17 @@ static int g_tls_ja3_str_buffer_id = 0; */ void DetectTlsJa3StringRegister(void) { - sigmatch_table[DETECT_AL_TLS_JA3_STRING].name = "ja3.string"; - sigmatch_table[DETECT_AL_TLS_JA3_STRING].alias = "ja3_string"; - sigmatch_table[DETECT_AL_TLS_JA3_STRING].desc = "sticky buffer to match the JA3 string buffer"; - sigmatch_table[DETECT_AL_TLS_JA3_STRING].url = "/rules/ja3-keywords.html#ja3-string"; + sigmatch_table[DETECT_TLS_JA3_STRING].name = "ja3.string"; + sigmatch_table[DETECT_TLS_JA3_STRING].alias = "ja3_string"; + sigmatch_table[DETECT_TLS_JA3_STRING].desc = "sticky buffer to match the JA3 string buffer"; + sigmatch_table[DETECT_TLS_JA3_STRING].url = "/rules/ja3-keywords.html#ja3-string"; #ifdef HAVE_JA3 - sigmatch_table[DETECT_AL_TLS_JA3_STRING].Setup = DetectTlsJa3StringSetup; + sigmatch_table[DETECT_TLS_JA3_STRING].Setup = DetectTlsJa3StringSetup; #else /* HAVE_JA3 */ - sigmatch_table[DETECT_AL_TLS_JA3_STRING].Setup = DetectJA3SetupNoSupport; + sigmatch_table[DETECT_TLS_JA3_STRING].Setup = DetectJA3SetupNoSupport; #endif /* HAVE_JA3 */ - sigmatch_table[DETECT_AL_TLS_JA3_STRING].flags |= SIGMATCH_NOOPT; - sigmatch_table[DETECT_AL_TLS_JA3_STRING].flags |= SIGMATCH_INFO_STICKY_BUFFER; + sigmatch_table[DETECT_TLS_JA3_STRING].flags |= SIGMATCH_NOOPT; + sigmatch_table[DETECT_TLS_JA3_STRING].flags |= SIGMATCH_INFO_STICKY_BUFFER; #ifdef HAVE_JA3 DetectAppLayerInspectEngineRegister("ja3.string", ALPROTO_TLS, SIG_FLAG_TOSERVER, 0, @@ -135,7 +135,7 @@ static int DetectTlsJa3StringSetup(DetectEngineCtx *de_ctx, Signature *s, const /* Check if JA3 is disabled */ if (!RunmodeIsUnittests() && Ja3IsDisabled("rule")) { - if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_AL_TLS_JA3_STRING)) { + if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_TLS_JA3_STRING)) { SCLogError("ja3(s) support is not enabled"); } return -2; diff --git a/src/detect-tls-ja3s-hash.c b/src/detect-tls-ja3s-hash.c index 6d3d42e5edf8..c554bb7076bc 100644 --- a/src/detect-tls-ja3s-hash.c +++ b/src/detect-tls-ja3s-hash.c @@ -82,16 +82,16 @@ static int g_tls_ja3s_hash_buffer_id = 0; */ void DetectTlsJa3SHashRegister(void) { - sigmatch_table[DETECT_AL_TLS_JA3S_HASH].name = "ja3s.hash"; - sigmatch_table[DETECT_AL_TLS_JA3S_HASH].desc = "sticky buffer to match the JA3S hash buffer"; - sigmatch_table[DETECT_AL_TLS_JA3S_HASH].url = "/rules/ja3-keywords.html#ja3s-hash"; + sigmatch_table[DETECT_TLS_JA3S_HASH].name = "ja3s.hash"; + sigmatch_table[DETECT_TLS_JA3S_HASH].desc = "sticky buffer to match the JA3S hash buffer"; + sigmatch_table[DETECT_TLS_JA3S_HASH].url = "/rules/ja3-keywords.html#ja3s-hash"; #ifdef HAVE_JA3 - sigmatch_table[DETECT_AL_TLS_JA3S_HASH].Setup = DetectTlsJa3SHashSetup; + sigmatch_table[DETECT_TLS_JA3S_HASH].Setup = DetectTlsJa3SHashSetup; #else /* HAVE_JA3 */ - sigmatch_table[DETECT_AL_TLS_JA3S_HASH].Setup = DetectJA3SetupNoSupport; + sigmatch_table[DETECT_TLS_JA3S_HASH].Setup = DetectJA3SetupNoSupport; #endif /* HAVE_JA3 */ - sigmatch_table[DETECT_AL_TLS_JA3S_HASH].flags |= SIGMATCH_NOOPT; - sigmatch_table[DETECT_AL_TLS_JA3S_HASH].flags |= SIGMATCH_INFO_STICKY_BUFFER; + sigmatch_table[DETECT_TLS_JA3S_HASH].flags |= SIGMATCH_NOOPT; + sigmatch_table[DETECT_TLS_JA3S_HASH].flags |= SIGMATCH_INFO_STICKY_BUFFER; #ifdef HAVE_JA3 DetectAppLayerInspectEngineRegister("ja3s.hash", ALPROTO_TLS, SIG_FLAG_TOCLIENT, 0, @@ -144,7 +144,7 @@ static int DetectTlsJa3SHashSetup(DetectEngineCtx *de_ctx, Signature *s, const c /* Check if JA3 is disabled */ if (!RunmodeIsUnittests() && Ja3IsDisabled("rule")) { - if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_AL_TLS_JA3S_HASH)) { + if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_TLS_JA3S_HASH)) { SCLogError("ja3(s) support is not enabled"); } return -2; diff --git a/src/detect-tls-ja3s-string.c b/src/detect-tls-ja3s-string.c index 0104560627d5..ea78846f15c2 100644 --- a/src/detect-tls-ja3s-string.c +++ b/src/detect-tls-ja3s-string.c @@ -78,17 +78,16 @@ static int g_tls_ja3s_str_buffer_id = 0; */ void DetectTlsJa3SStringRegister(void) { - sigmatch_table[DETECT_AL_TLS_JA3S_STRING].name = "ja3s.string"; - sigmatch_table[DETECT_AL_TLS_JA3S_STRING].desc = - "sticky buffer to match the JA3S string buffer"; - sigmatch_table[DETECT_AL_TLS_JA3S_STRING].url = "/rules/ja3-keywords.html#ja3s-string"; + sigmatch_table[DETECT_TLS_JA3S_STRING].name = "ja3s.string"; + sigmatch_table[DETECT_TLS_JA3S_STRING].desc = "sticky buffer to match the JA3S string buffer"; + sigmatch_table[DETECT_TLS_JA3S_STRING].url = "/rules/ja3-keywords.html#ja3s-string"; #ifdef HAVE_JA3 - sigmatch_table[DETECT_AL_TLS_JA3S_STRING].Setup = DetectTlsJa3SStringSetup; + sigmatch_table[DETECT_TLS_JA3S_STRING].Setup = DetectTlsJa3SStringSetup; #else /* HAVE_JA3 */ - sigmatch_table[DETECT_AL_TLS_JA3S_STRING].Setup = DetectJA3SetupNoSupport; + sigmatch_table[DETECT_TLS_JA3S_STRING].Setup = DetectJA3SetupNoSupport; #endif /* HAVE_JA3 */ - sigmatch_table[DETECT_AL_TLS_JA3S_STRING].flags |= SIGMATCH_NOOPT; - sigmatch_table[DETECT_AL_TLS_JA3S_STRING].flags |= SIGMATCH_INFO_STICKY_BUFFER; + sigmatch_table[DETECT_TLS_JA3S_STRING].flags |= SIGMATCH_NOOPT; + sigmatch_table[DETECT_TLS_JA3S_STRING].flags |= SIGMATCH_INFO_STICKY_BUFFER; #ifdef HAVE_JA3 DetectAppLayerInspectEngineRegister("ja3s.string", ALPROTO_TLS, SIG_FLAG_TOCLIENT, 0, @@ -135,7 +134,7 @@ static int DetectTlsJa3SStringSetup(DetectEngineCtx *de_ctx, Signature *s, const /* Check if JA3 is disabled */ if (!RunmodeIsUnittests() && Ja3IsDisabled("rule")) { - if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_AL_TLS_JA3S_STRING)) { + if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_TLS_JA3S_STRING)) { SCLogError("ja3(s) support is not enabled"); } return -2; diff --git a/src/detect-tls-random.c b/src/detect-tls-random.c index 2dd5871aea0f..6993223eccfb 100644 --- a/src/detect-tls-random.c +++ b/src/detect-tls-random.c @@ -54,12 +54,12 @@ static int g_tls_random_buffer_id = 0; void DetectTlsRandomTimeRegister(void) { - sigmatch_table[DETECT_AL_TLS_RANDOM_TIME].name = "tls.random_time"; - sigmatch_table[DETECT_AL_TLS_RANDOM_TIME].desc = "sticky buffer to match specifically and only " - "on the first 4 bytes of a TLS random buffer"; - sigmatch_table[DETECT_AL_TLS_RANDOM_TIME].url = "/rules/tls-keywords.html#tls-random-time"; - sigmatch_table[DETECT_AL_TLS_RANDOM_TIME].Setup = DetectTlsRandomTimeSetup; - sigmatch_table[DETECT_AL_TLS_RANDOM_TIME].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER; + sigmatch_table[DETECT_TLS_RANDOM_TIME].name = "tls.random_time"; + sigmatch_table[DETECT_TLS_RANDOM_TIME].desc = "sticky buffer to match specifically and only " + "on the first 4 bytes of a TLS random buffer"; + sigmatch_table[DETECT_TLS_RANDOM_TIME].url = "/rules/tls-keywords.html#tls-random-time"; + sigmatch_table[DETECT_TLS_RANDOM_TIME].Setup = DetectTlsRandomTimeSetup; + sigmatch_table[DETECT_TLS_RANDOM_TIME].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER; /* Register engine for Server random */ DetectAppLayerInspectEngineRegister("tls.random_time", ALPROTO_TLS, SIG_FLAG_TOSERVER, 0, @@ -80,14 +80,13 @@ void DetectTlsRandomTimeRegister(void) void DetectTlsRandomBytesRegister(void) { - sigmatch_table[DETECT_AL_TLS_RANDOM_BYTES].name = "tls.random_bytes"; - sigmatch_table[DETECT_AL_TLS_RANDOM_BYTES].desc = + sigmatch_table[DETECT_TLS_RANDOM_BYTES].name = "tls.random_bytes"; + sigmatch_table[DETECT_TLS_RANDOM_BYTES].desc = "sticky buffer to match specifically and only on the last 28 bytes of a TLS random " "buffer"; - sigmatch_table[DETECT_AL_TLS_RANDOM_BYTES].url = "/rules/tls-keywords.html#tls-random-bytes"; - sigmatch_table[DETECT_AL_TLS_RANDOM_BYTES].Setup = DetectTlsRandomBytesSetup; - sigmatch_table[DETECT_AL_TLS_RANDOM_BYTES].flags |= - SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER; + sigmatch_table[DETECT_TLS_RANDOM_BYTES].url = "/rules/tls-keywords.html#tls-random-bytes"; + sigmatch_table[DETECT_TLS_RANDOM_BYTES].Setup = DetectTlsRandomBytesSetup; + sigmatch_table[DETECT_TLS_RANDOM_BYTES].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER; /* Register engine for Server random */ DetectAppLayerInspectEngineRegister("tls.random_bytes", ALPROTO_TLS, SIG_FLAG_TOSERVER, 0, @@ -114,12 +113,12 @@ void DetectTlsRandomRegister(void) DetectTlsRandomTimeRegister(); DetectTlsRandomBytesRegister(); - sigmatch_table[DETECT_AL_TLS_RANDOM].name = "tls.random"; - sigmatch_table[DETECT_AL_TLS_RANDOM].desc = + sigmatch_table[DETECT_TLS_RANDOM].name = "tls.random"; + sigmatch_table[DETECT_TLS_RANDOM].desc = "sticky buffer to match specifically and only on a TLS random buffer"; - sigmatch_table[DETECT_AL_TLS_RANDOM].url = "/rules/tls-keywords.html#tls-random"; - sigmatch_table[DETECT_AL_TLS_RANDOM].Setup = DetectTlsRandomSetup; - sigmatch_table[DETECT_AL_TLS_RANDOM].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER; + sigmatch_table[DETECT_TLS_RANDOM].url = "/rules/tls-keywords.html#tls-random"; + sigmatch_table[DETECT_TLS_RANDOM].Setup = DetectTlsRandomSetup; + sigmatch_table[DETECT_TLS_RANDOM].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER; /* Register engine for Server random */ DetectAppLayerInspectEngineRegister("tls.random", ALPROTO_TLS, SIG_FLAG_TOSERVER, 0, diff --git a/src/detect-tls-sni.c b/src/detect-tls-sni.c index ce8a068a4717..1ec7400b3437 100644 --- a/src/detect-tls-sni.c +++ b/src/detect-tls-sni.c @@ -64,14 +64,14 @@ static int g_tls_sni_buffer_id = 0; */ void DetectTlsSniRegister(void) { - sigmatch_table[DETECT_AL_TLS_SNI].name = "tls.sni"; - sigmatch_table[DETECT_AL_TLS_SNI].alias = "tls_sni"; - sigmatch_table[DETECT_AL_TLS_SNI].desc = + sigmatch_table[DETECT_TLS_SNI].name = "tls.sni"; + sigmatch_table[DETECT_TLS_SNI].alias = "tls_sni"; + sigmatch_table[DETECT_TLS_SNI].desc = "sticky buffer to match specifically and only on the TLS SNI buffer"; - sigmatch_table[DETECT_AL_TLS_SNI].url = "/rules/tls-keywords.html#tls-sni"; - sigmatch_table[DETECT_AL_TLS_SNI].Setup = DetectTlsSniSetup; - sigmatch_table[DETECT_AL_TLS_SNI].flags |= SIGMATCH_NOOPT; - sigmatch_table[DETECT_AL_TLS_SNI].flags |= SIGMATCH_INFO_STICKY_BUFFER; + sigmatch_table[DETECT_TLS_SNI].url = "/rules/tls-keywords.html#tls-sni"; + sigmatch_table[DETECT_TLS_SNI].Setup = DetectTlsSniSetup; + sigmatch_table[DETECT_TLS_SNI].flags |= SIGMATCH_NOOPT; + sigmatch_table[DETECT_TLS_SNI].flags |= SIGMATCH_INFO_STICKY_BUFFER; DetectAppLayerInspectEngineRegister("tls.sni", ALPROTO_TLS, SIG_FLAG_TOSERVER, 0, DetectEngineInspectBufferGeneric, GetData); diff --git a/src/detect-tls-subjectaltname.c b/src/detect-tls-subjectaltname.c index 350db5d6f655..f07b54dc3c72 100644 --- a/src/detect-tls-subjectaltname.c +++ b/src/detect-tls-subjectaltname.c @@ -63,14 +63,13 @@ static int g_tls_subjectaltname_buffer_id = 0; */ void DetectTlsSubjectAltNameRegister(void) { - sigmatch_table[DETECT_AL_TLS_SUBJECTALTNAME].name = "tls.subjectaltname"; - sigmatch_table[DETECT_AL_TLS_SUBJECTALTNAME].desc = + sigmatch_table[DETECT_TLS_SUBJECTALTNAME].name = "tls.subjectaltname"; + sigmatch_table[DETECT_TLS_SUBJECTALTNAME].desc = "sticky buffer to match the TLS Subject Alternative Name buffer"; - sigmatch_table[DETECT_AL_TLS_SUBJECTALTNAME].url = - "/rules/tls-keywords.html#tls-subjectaltname"; - sigmatch_table[DETECT_AL_TLS_SUBJECTALTNAME].Setup = DetectTlsSubjectAltNameSetup; - sigmatch_table[DETECT_AL_TLS_SUBJECTALTNAME].flags |= SIGMATCH_NOOPT; - sigmatch_table[DETECT_AL_TLS_SUBJECTALTNAME].flags |= SIGMATCH_INFO_STICKY_BUFFER; + sigmatch_table[DETECT_TLS_SUBJECTALTNAME].url = "/rules/tls-keywords.html#tls-subjectaltname"; + sigmatch_table[DETECT_TLS_SUBJECTALTNAME].Setup = DetectTlsSubjectAltNameSetup; + sigmatch_table[DETECT_TLS_SUBJECTALTNAME].flags |= SIGMATCH_NOOPT; + sigmatch_table[DETECT_TLS_SUBJECTALTNAME].flags |= SIGMATCH_INFO_STICKY_BUFFER; DetectAppLayerMultiRegister("tls.subjectaltname", ALPROTO_TLS, SIG_FLAG_TOCLIENT, 0, TlsSubjectAltNameGetData, 2, TLS_STATE_CERT_READY); diff --git a/src/detect-tls-version.c b/src/detect-tls-version.c index f3a119d5a226..3a526e9738ae 100644 --- a/src/detect-tls-version.c +++ b/src/detect-tls-version.c @@ -72,14 +72,14 @@ static int g_tls_generic_list_id = 0; */ void DetectTlsVersionRegister (void) { - sigmatch_table[DETECT_AL_TLS_VERSION].name = "tls.version"; - sigmatch_table[DETECT_AL_TLS_VERSION].desc = "match on TLS/SSL version"; - sigmatch_table[DETECT_AL_TLS_VERSION].url = "/rules/tls-keywords.html#tls-version"; - sigmatch_table[DETECT_AL_TLS_VERSION].AppLayerTxMatch = DetectTlsVersionMatch; - sigmatch_table[DETECT_AL_TLS_VERSION].Setup = DetectTlsVersionSetup; - sigmatch_table[DETECT_AL_TLS_VERSION].Free = DetectTlsVersionFree; + sigmatch_table[DETECT_TLS_VERSION].name = "tls.version"; + sigmatch_table[DETECT_TLS_VERSION].desc = "match on TLS/SSL version"; + sigmatch_table[DETECT_TLS_VERSION].url = "/rules/tls-keywords.html#tls-version"; + sigmatch_table[DETECT_TLS_VERSION].AppLayerTxMatch = DetectTlsVersionMatch; + sigmatch_table[DETECT_TLS_VERSION].Setup = DetectTlsVersionSetup; + sigmatch_table[DETECT_TLS_VERSION].Free = DetectTlsVersionFree; #ifdef UNITTESTS - sigmatch_table[DETECT_AL_TLS_VERSION].RegisterTests = DetectTlsVersionRegisterTests; + sigmatch_table[DETECT_TLS_VERSION].RegisterTests = DetectTlsVersionRegisterTests; #endif DetectSetupParseRegexes(PARSE_REGEX, &parse_regex); @@ -243,8 +243,8 @@ static int DetectTlsVersionSetup (DetectEngineCtx *de_ctx, Signature *s, const c /* Okay so far so good, lets get this into a SigMatch * and put it in the Signature. */ - if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_TLS_VERSION, (SigMatchCtx *)tls, - g_tls_generic_list_id) == NULL) { + if (SigMatchAppendSMToList( + de_ctx, s, DETECT_TLS_VERSION, (SigMatchCtx *)tls, g_tls_generic_list_id) == NULL) { goto error; } diff --git a/src/detect-tls.c b/src/detect-tls.c index f7c3a2f7a53e..a0e423dbe01b 100644 --- a/src/detect-tls.c +++ b/src/detect-tls.c @@ -100,39 +100,41 @@ static int g_tls_cert_fingerprint_list_id = 0; */ void DetectTlsRegister (void) { - sigmatch_table[DETECT_AL_TLS_SUBJECT].name = "tls.subject"; - sigmatch_table[DETECT_AL_TLS_SUBJECT].desc = "match TLS/SSL certificate Subject field"; - sigmatch_table[DETECT_AL_TLS_SUBJECT].url = "/rules/tls-keywords.html#tls-subject"; - sigmatch_table[DETECT_AL_TLS_SUBJECT].AppLayerTxMatch = DetectTlsSubjectMatch; - sigmatch_table[DETECT_AL_TLS_SUBJECT].Setup = DetectTlsSubjectSetup; - sigmatch_table[DETECT_AL_TLS_SUBJECT].Free = DetectTlsSubjectFree; - sigmatch_table[DETECT_AL_TLS_SUBJECT].flags = SIGMATCH_QUOTES_MANDATORY|SIGMATCH_HANDLE_NEGATION; - sigmatch_table[DETECT_AL_TLS_SUBJECT].alternative = DETECT_AL_TLS_CERT_SUBJECT; - - sigmatch_table[DETECT_AL_TLS_ISSUERDN].name = "tls.issuerdn"; - sigmatch_table[DETECT_AL_TLS_ISSUERDN].desc = "match TLS/SSL certificate IssuerDN field"; - sigmatch_table[DETECT_AL_TLS_ISSUERDN].url = "/rules/tls-keywords.html#tls-issuerdn"; - sigmatch_table[DETECT_AL_TLS_ISSUERDN].AppLayerTxMatch = DetectTlsIssuerDNMatch; - sigmatch_table[DETECT_AL_TLS_ISSUERDN].Setup = DetectTlsIssuerDNSetup; - sigmatch_table[DETECT_AL_TLS_ISSUERDN].Free = DetectTlsIssuerDNFree; - sigmatch_table[DETECT_AL_TLS_ISSUERDN].flags = SIGMATCH_QUOTES_MANDATORY|SIGMATCH_HANDLE_NEGATION; - sigmatch_table[DETECT_AL_TLS_ISSUERDN].alternative = DETECT_AL_TLS_CERT_ISSUER; - - sigmatch_table[DETECT_AL_TLS_FINGERPRINT].name = "tls.fingerprint"; - sigmatch_table[DETECT_AL_TLS_FINGERPRINT].desc = "match TLS/SSL certificate SHA1 fingerprint"; - sigmatch_table[DETECT_AL_TLS_FINGERPRINT].url = "/rules/tls-keywords.html#tls-fingerprint"; - sigmatch_table[DETECT_AL_TLS_FINGERPRINT].Setup = DetectTlsFingerprintSetup; - sigmatch_table[DETECT_AL_TLS_FINGERPRINT].Free = DetectTlsFingerprintFree; - sigmatch_table[DETECT_AL_TLS_FINGERPRINT].flags = SIGMATCH_QUOTES_MANDATORY|SIGMATCH_HANDLE_NEGATION; - sigmatch_table[DETECT_AL_TLS_FINGERPRINT].alternative = DETECT_AL_TLS_CERT_FINGERPRINT; - - sigmatch_table[DETECT_AL_TLS_STORE].name = "tls_store"; - sigmatch_table[DETECT_AL_TLS_STORE].alias = "tls.store"; - sigmatch_table[DETECT_AL_TLS_STORE].desc = "store TLS/SSL certificate on disk"; - sigmatch_table[DETECT_AL_TLS_STORE].url = "/rules/tls-keywords.html#tls-store"; - sigmatch_table[DETECT_AL_TLS_STORE].Match = DetectTlsStorePostMatch; - sigmatch_table[DETECT_AL_TLS_STORE].Setup = DetectTlsStoreSetup; - sigmatch_table[DETECT_AL_TLS_STORE].flags |= SIGMATCH_NOOPT; + sigmatch_table[DETECT_TLS_SUBJECT].name = "tls.subject"; + sigmatch_table[DETECT_TLS_SUBJECT].desc = "match TLS/SSL certificate Subject field"; + sigmatch_table[DETECT_TLS_SUBJECT].url = "/rules/tls-keywords.html#tls-subject"; + sigmatch_table[DETECT_TLS_SUBJECT].AppLayerTxMatch = DetectTlsSubjectMatch; + sigmatch_table[DETECT_TLS_SUBJECT].Setup = DetectTlsSubjectSetup; + sigmatch_table[DETECT_TLS_SUBJECT].Free = DetectTlsSubjectFree; + sigmatch_table[DETECT_TLS_SUBJECT].flags = SIGMATCH_QUOTES_MANDATORY | SIGMATCH_HANDLE_NEGATION; + sigmatch_table[DETECT_TLS_SUBJECT].alternative = DETECT_TLS_CERT_SUBJECT; + + sigmatch_table[DETECT_TLS_ISSUERDN].name = "tls.issuerdn"; + sigmatch_table[DETECT_TLS_ISSUERDN].desc = "match TLS/SSL certificate IssuerDN field"; + sigmatch_table[DETECT_TLS_ISSUERDN].url = "/rules/tls-keywords.html#tls-issuerdn"; + sigmatch_table[DETECT_TLS_ISSUERDN].AppLayerTxMatch = DetectTlsIssuerDNMatch; + sigmatch_table[DETECT_TLS_ISSUERDN].Setup = DetectTlsIssuerDNSetup; + sigmatch_table[DETECT_TLS_ISSUERDN].Free = DetectTlsIssuerDNFree; + sigmatch_table[DETECT_TLS_ISSUERDN].flags = + SIGMATCH_QUOTES_MANDATORY | SIGMATCH_HANDLE_NEGATION; + sigmatch_table[DETECT_TLS_ISSUERDN].alternative = DETECT_TLS_CERT_ISSUER; + + sigmatch_table[DETECT_TLS_FINGERPRINT].name = "tls.fingerprint"; + sigmatch_table[DETECT_TLS_FINGERPRINT].desc = "match TLS/SSL certificate SHA1 fingerprint"; + sigmatch_table[DETECT_TLS_FINGERPRINT].url = "/rules/tls-keywords.html#tls-fingerprint"; + sigmatch_table[DETECT_TLS_FINGERPRINT].Setup = DetectTlsFingerprintSetup; + sigmatch_table[DETECT_TLS_FINGERPRINT].Free = DetectTlsFingerprintFree; + sigmatch_table[DETECT_TLS_FINGERPRINT].flags = + SIGMATCH_QUOTES_MANDATORY | SIGMATCH_HANDLE_NEGATION; + sigmatch_table[DETECT_TLS_FINGERPRINT].alternative = DETECT_TLS_CERT_FINGERPRINT; + + sigmatch_table[DETECT_TLS_STORE].name = "tls_store"; + sigmatch_table[DETECT_TLS_STORE].alias = "tls.store"; + sigmatch_table[DETECT_TLS_STORE].desc = "store TLS/SSL certificate on disk"; + sigmatch_table[DETECT_TLS_STORE].url = "/rules/tls-keywords.html#tls-store"; + sigmatch_table[DETECT_TLS_STORE].Match = DetectTlsStorePostMatch; + sigmatch_table[DETECT_TLS_STORE].Setup = DetectTlsStoreSetup; + sigmatch_table[DETECT_TLS_STORE].flags |= SIGMATCH_NOOPT; DetectSetupParseRegexes(PARSE_REGEX, &subject_parse_regex); DetectSetupParseRegexes(PARSE_REGEX, &issuerdn_parse_regex); @@ -310,7 +312,7 @@ static int DetectTlsSubjectSetup (DetectEngineCtx *de_ctx, Signature *s, const c * and put it in the Signature. */ if (SigMatchAppendSMToList( - de_ctx, s, DETECT_AL_TLS_SUBJECT, (SigMatchCtx *)tls, g_tls_cert_list_id) == NULL) { + de_ctx, s, DETECT_TLS_SUBJECT, (SigMatchCtx *)tls, g_tls_cert_list_id) == NULL) { goto error; } return 0; @@ -499,8 +501,8 @@ static int DetectTlsIssuerDNSetup (DetectEngineCtx *de_ctx, Signature *s, const /* Okay so far so good, lets get this into a SigMatch * and put it in the Signature. */ - if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_TLS_ISSUERDN, (SigMatchCtx *)tls, - g_tls_cert_list_id) == NULL) { + if (SigMatchAppendSMToList( + de_ctx, s, DETECT_TLS_ISSUERDN, (SigMatchCtx *)tls, g_tls_cert_list_id) == NULL) { goto error; } return 0; @@ -551,7 +553,7 @@ static int DetectTlsFingerprintSetup (DetectEngineCtx *de_ctx, Signature *s, con return -1; } - if (DetectEngineContentModifierBufferSetup(de_ctx, s, NULL, DETECT_AL_TLS_CERT_FINGERPRINT, + if (DetectEngineContentModifierBufferSetup(de_ctx, s, NULL, DETECT_TLS_CERT_FINGERPRINT, g_tls_cert_fingerprint_list_id, ALPROTO_TLS) < 0) return -1; @@ -588,7 +590,7 @@ static int DetectTlsStoreSetup (DetectEngineCtx *de_ctx, Signature *s, const cha s->flags |= SIG_FLAG_TLSSTORE; - if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_TLS_STORE, NULL, DETECT_SM_LIST_POSTMATCH) == + if (SigMatchAppendSMToList(de_ctx, s, DETECT_TLS_STORE, NULL, DETECT_SM_LIST_POSTMATCH) == NULL) { return -1; } diff --git a/src/detect-urilen.c b/src/detect-urilen.c index 67acda5d5c58..07e8e55cd2b5 100644 --- a/src/detect-urilen.c +++ b/src/detect-urilen.c @@ -60,14 +60,14 @@ static int g_http_raw_uri_buffer_id = 0; void DetectUrilenRegister(void) { - sigmatch_table[DETECT_AL_URILEN].name = "urilen"; - sigmatch_table[DETECT_AL_URILEN].desc = "match on the length of the HTTP uri"; - sigmatch_table[DETECT_AL_URILEN].url = "/rules/http-keywords.html#urilen"; - sigmatch_table[DETECT_AL_URILEN].Match = NULL; - sigmatch_table[DETECT_AL_URILEN].Setup = DetectUrilenSetup; - sigmatch_table[DETECT_AL_URILEN].Free = DetectUrilenFree; + sigmatch_table[DETECT_URILEN].name = "urilen"; + sigmatch_table[DETECT_URILEN].desc = "match on the length of the HTTP uri"; + sigmatch_table[DETECT_URILEN].url = "/rules/http-keywords.html#urilen"; + sigmatch_table[DETECT_URILEN].Match = NULL; + sigmatch_table[DETECT_URILEN].Setup = DetectUrilenSetup; + sigmatch_table[DETECT_URILEN].Free = DetectUrilenFree; #ifdef UNITTESTS - sigmatch_table[DETECT_AL_URILEN].RegisterTests = DetectUrilenRegisterTests; + sigmatch_table[DETECT_URILEN].RegisterTests = DetectUrilenRegisterTests; #endif g_http_uri_buffer_id = DetectBufferTypeRegister("http_uri"); @@ -111,12 +111,12 @@ static int DetectUrilenSetup (DetectEngineCtx *de_ctx, Signature *s, const char goto error; if (urilend->raw_buffer) { - if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_URILEN, (SigMatchCtx *)urilend, + if (SigMatchAppendSMToList(de_ctx, s, DETECT_URILEN, (SigMatchCtx *)urilend, g_http_raw_uri_buffer_id) == NULL) { goto error; } } else { - if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_URILEN, (SigMatchCtx *)urilend, + if (SigMatchAppendSMToList(de_ctx, s, DETECT_URILEN, (SigMatchCtx *)urilend, g_http_uri_buffer_id) == NULL) { goto error; } @@ -156,7 +156,7 @@ void DetectUrilenApplyToContent(Signature *s, int list) bool found = false; for (SigMatch *sm = s->init_data->buffers[x].head; sm != NULL; sm = sm->next) { - if (sm->type != DETECT_AL_URILEN) + if (sm->type != DETECT_URILEN) continue; DetectUrilenData *dd = (DetectUrilenData *)sm->ctx;