/src/suricata7/src/detect-bypass.c

Source
/* Copyright (C) 2016-2022 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */

/**
 * \file
 *
 * \author Giuseppe Longo <glongo@stamus-networks.com>
 *
 */

#include "suricata-common.h"
#include "threads.h"
#include "app-layer.h"
#include "app-layer-parser.h"
#include "decode.h"

#include "detect.h"
#include "detect-parse.h"

#include "detect-engine.h"
#include "detect-engine-mpm.h"
#include "detect-engine-state.h"
#include "detect-engine-sigorder.h"
#include "detect-bypass.h"

#include "flow.h"
#include "flow-var.h"
#include "flow-util.h"

#include "stream-tcp.h"

#include "util-debug.h"
#include "util-spm-bm.h"
#include "util-unittest.h"
#include "util-unittest-helper.h"
#include "util-device.h"

static int DetectBypassMatch(DetectEngineThreadCtx *, Packet *,
        const Signature *, const SigMatchCtx *);
static int DetectBypassSetup(DetectEngineCtx *, Signature *, const char *);

/**
 * \brief Registration function for keyword: bypass
 */
void DetectBypassRegister(void)
{
    sigmatch_table[DETECT_BYPASS].name = "bypass";
    sigmatch_table[DETECT_BYPASS].desc = "call the bypass callback when the match of a sig is complete";
    sigmatch_table[DETECT_BYPASS].url = "/rules/bypass-keyword.html";
    sigmatch_table[DETECT_BYPASS].Match = DetectBypassMatch;
    sigmatch_table[DETECT_BYPASS].Setup = DetectBypassSetup;
    sigmatch_table[DETECT_BYPASS].Free  = NULL;
    sigmatch_table[DETECT_BYPASS].flags = SIGMATCH_NOOPT;
}

static int DetectBypassSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
{
    SigMatch *sm = NULL;

    if (s->flags & SIG_FLAG_FILESTORE) {
        SCLogError("bypass can't work with filestore keyword");
        return -1;
    }
    s->flags |= SIG_FLAG_BYPASS;

    sm = SigMatchAlloc();
    if (sm == NULL)
        return -1;

    sm->type = DETECT_BYPASS;
    sm->ctx = NULL;
    SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_POSTMATCH);

    return 0;
}

static int DetectBypassMatch(DetectEngineThreadCtx *det_ctx, Packet *p,
        const Signature *s, const SigMatchCtx *ctx)
{
    PacketBypassCallback(p);

    return 1;
}

Line	Count	Source
1		/* Copyright (C) 2016-2022 Open Information Security Foundation
2		*
3		* You can copy, redistribute or modify this Program under the terms of
4		* the GNU General Public License version 2 as published by the Free
5		* Software Foundation.
6		*
7		* This program is distributed in the hope that it will be useful,
8		* but WITHOUT ANY WARRANTY; without even the implied warranty of
9		* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10		* GNU General Public License for more details.
11		*
12		* You should have received a copy of the GNU General Public License
13		* version 2 along with this program; if not, write to the Free Software
14		* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15		* 02110-1301, USA.
16		*/
17
18		/**
19		* \file
20		*
21		* \author Giuseppe Longo <glongo@stamus-networks.com>
22		*
23		*/
24
25		#include "suricata-common.h"
26		#include "threads.h"
27		#include "app-layer.h"
28		#include "app-layer-parser.h"
29		#include "decode.h"
30
31		#include "detect.h"
32		#include "detect-parse.h"
33
34		#include "detect-engine.h"
35		#include "detect-engine-mpm.h"
36		#include "detect-engine-state.h"
37		#include "detect-engine-sigorder.h"
38		#include "detect-bypass.h"
39
40		#include "flow.h"
41		#include "flow-var.h"
42		#include "flow-util.h"
43
44		#include "stream-tcp.h"
45
46		#include "util-debug.h"
47		#include "util-spm-bm.h"
48		#include "util-unittest.h"
49		#include "util-unittest-helper.h"
50		#include "util-device.h"
51
52		static int DetectBypassMatch(DetectEngineThreadCtx , Packet ,
53		const Signature , const SigMatchCtx );
54		static int DetectBypassSetup(DetectEngineCtx , Signature , const char *);
55
56		/**
57		* \brief Registration function for keyword: bypass
58		*/
59		void DetectBypassRegister(void)
60	73	{
61	73	sigmatch_table[DETECT_BYPASS].name = "bypass";
62	73	sigmatch_table[DETECT_BYPASS].desc = "call the bypass callback when the match of a sig is complete";
63	73	sigmatch_table[DETECT_BYPASS].url = "/rules/bypass-keyword.html";
64	73	sigmatch_table[DETECT_BYPASS].Match = DetectBypassMatch;
65	73	sigmatch_table[DETECT_BYPASS].Setup = DetectBypassSetup;
66	73	sigmatch_table[DETECT_BYPASS].Free = NULL;
67	73	sigmatch_table[DETECT_BYPASS].flags = SIGMATCH_NOOPT;
68	73	}
69
70		static int DetectBypassSetup(DetectEngineCtx de_ctx, Signature s, const char *str)
71	4.32k	{
72	4.32k	SigMatch *sm = NULL;
73
74	4.32k	if (s->flags & SIG_FLAG_FILESTORE) {
75	111	SCLogError("bypass can't work with filestore keyword");
76	111	return -1;
77	111	}
78	4.21k	s->flags \|= SIG_FLAG_BYPASS;
79
80	4.21k	sm = SigMatchAlloc();
81	4.21k	if (sm == NULL)
82	0	return -1;
83
84	4.21k	sm->type = DETECT_BYPASS;
85	4.21k	sm->ctx = NULL;
86	4.21k	SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_POSTMATCH);
87
88	4.21k	return 0;
89	4.21k	}
90
91		static int DetectBypassMatch(DetectEngineThreadCtx det_ctx, Packet p,
92		const Signature s, const SigMatchCtx ctx)
93	23	{
94	23	PacketBypassCallback(p);
95
96	23	return 1;
97	23	}

Coverage Report

Created: 2025-11-16 07:09