suricata
detect-asn1.c
1 /* Copyright (C) 2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file detect-asn1.c
20  *
21  * Implements "asn1" keyword
22  */
23 
24 #include "suricata-common.h"
25 #include "debug.h"
26 #include "decode.h"
27 #include "rust.h"
28 
29 #include "detect.h"
30 #include "detect-parse.h"
31 
32 #include "flow.h"
33 #include "detect-asn1.h"
34 
35 #include "util-unittest.h"
36 #include "util-unittest-helper.h"
37 #include "util-byte.h"
38 #include "util-debug.h"
39 
/* Forward declarations of the asn1 keyword callbacks; parameter names are
 * spelled out so the prototypes read the same as the definitions below. */
static int DetectAsn1Match(DetectEngineThreadCtx *det_ctx, Packet *p,
        const Signature *s, const SigMatchCtx *ctx);
static int DetectAsn1Setup(DetectEngineCtx *de_ctx, Signature *s, const char *asn1str);
#ifdef UNITTESTS
static void DetectAsn1RegisterTests(void);
#endif
static void DetectAsn1Free(DetectEngineCtx *de_ctx, void *ptr);
47 
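/**
 * \brief Registration function for asn1
 *
 * Fills the DETECT_ASN1 slot of sigmatch_table with the keyword name and the
 * Match/Setup/Free callbacks; the unit-test hook is only set under UNITTESTS.
 */
void DetectAsn1Register(void)
{
    /* Keyword name as written in rules ("asn1:<options>"). */
    sigmatch_table[DETECT_ASN1].name = "asn1";
    sigmatch_table[DETECT_ASN1].Match = DetectAsn1Match;
    sigmatch_table[DETECT_ASN1].Setup = DetectAsn1Setup;
    sigmatch_table[DETECT_ASN1].Free = DetectAsn1Free;
#ifdef UNITTESTS
    sigmatch_table[DETECT_ASN1].RegisterTests = DetectAsn1RegisterTests;
#endif
}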
61 
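/**
 * \brief Decode the packet payload as ASN.1 and run the checks configured
 *        for this keyword instance against the decoded nodes
 *
 * The payload is attacker-controlled network data. All decoding is delegated
 * to rs_asn1_decode(); this wrapper only guards the empty-payload and
 * failed-decode cases and releases the decoder output.
 *
 * \param det_ctx pointer to the detect engine thread context; its
 *                buffer_offset is handed to the decoder
 * \param p pointer to the current packet
 * \param s pointer to the signature (unused here)
 * \param ctx pointer to the sigmatch context, cast to `DetectAsn1Data`
 *
 * \retval 1 match
 * \retval 0 no match
 */
static int DetectAsn1Match(DetectEngineThreadCtx *det_ctx, Packet *p,
        const Signature *s, const SigMatchCtx *ctx)
{
    if (p->payload_len == 0) {
        /* No error, parser done, no data in bounds to decode */
        return 0;
    }

    const DetectAsn1Data *ad = (const DetectAsn1Data *)ctx;

    /* NOTE(review): buffer_offset (uint32_t) is not range-checked against
     * payload_len (uint16_t) here; presumably rs_asn1_decode() validates the
     * effective offset before reading -- confirm on the Rust side. */
    Asn1 *asn1 = rs_asn1_decode(p->payload, p->payload_len, det_ctx->buffer_offset, ad);
    if (asn1 == NULL) {
        /* Treat a failed decode as "no match" explicitly instead of relying
         * on the FFI callees to tolerate a NULL handle. */
        return 0;
    }

    uint8_t ret = rs_asn1_checks(asn1, ad);

    /* The decoder output belongs to this call and is released here. */
    rs_asn1_free(asn1);

    return ret;
}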
94 
/**
 * \brief Parse the option string given to the asn1: keyword
 *
 * Parsing is delegated to rs_detect_asn1_parse(); a NULL result is logged
 * as a malformed argument.
 *
 * \param asn1str pointer to the user provided asn1 options
 *
 * \retval pointer to `DetectAsn1Data` on success
 * \retval NULL on failure
 */
static DetectAsn1Data *DetectAsn1Parse(const char *asn1str)
{
    DetectAsn1Data *parsed = rs_detect_asn1_parse(asn1str);
    if (parsed != NULL) {
        return parsed;
    }

    /* The rule text is passed as a %s argument, never as the format. */
    SCLogError(SC_ERR_INVALID_VALUE, "Malformed asn1 argument: %s",
            asn1str);
    return NULL;
}
114 
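/**
 * \brief Parse the asn1 options and attach them to the current signature
 *
 * \param de_ctx pointer to the detection engine context
 * \param s pointer to the current signature
 * \param asn1str pointer to the user provided asn1 options
 *
 * \retval 0 on success
 * \retval -1 on failure
 */
static int DetectAsn1Setup(DetectEngineCtx *de_ctx, Signature *s, const char *asn1str)
{
    DetectAsn1Data *ad = DetectAsn1Parse(asn1str);
    if (ad == NULL)
        return -1;

    /* Okay so far so good, lets get this into a SigMatch
     * and put it in the Signature. */
    SigMatch *sm = SigMatchAlloc();
    if (sm == NULL) {
        /* ad is not yet owned by any SigMatch, so release it here. */
        DetectAsn1Free(de_ctx, ad);
        return -1;
    }

    sm->type = DETECT_ASN1;
    sm->ctx = (SigMatchCtx *)ad;

    /* Hand sm to the signature. Without this call sm and ad would leak and
     * the keyword would never be evaluated. After it, ad is presumably
     * released through the registered Free callback -- confirm. */
    SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_MATCH);

    return 0;
}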
147 
/**
 * \brief Release a `DetectAsn1Data` through rs_detect_asn1_free()
 *
 * \param de_ctx pointer to the detection engine context (not used here)
 * \param ptr pointer to the `DetectAsn1Data` to release
 */
static void DetectAsn1Free(DetectEngineCtx *de_ctx, void *ptr)
{
    rs_detect_asn1_free((DetectAsn1Data *)ptr);
}
159 
160 #ifdef UNITTESTS
161 
/**
 * \test DetectAsn1TestReal01 Ensure that all works together
 *
 * Both payloads start their outer element with 0x60 0x81 0x85, i.e. a
 * long-form length of 0x85 (133). The rules use oversize_length 130, so
 * sid 1 is expected on packet 0 and sid 2 on packet 1; sid 3 on neither.
 */
static int DetectAsn1TestReal01(void)
{
    /* Packet 0: the encoded record twice, the second copy naming "Pablo". */
    uint8_t *payload0 = (uint8_t *) "\x60\x81\x85\x61\x10\x1A\x04""John""\x1A\x01"
        "P""\x1A\x05""Smith""\xA0\x0A\x1A\x08""Director"
        "\x42\x01\x33\xA1\x0A\x43\x08""19710917"
        "\xA2\x12\x61\x10\x1A\x04""Mary""\x1A\x01""T""\x1A\x05"
        "Smith""\xA3\x42\x31\x1F\x61\x11\x1A\x05""Ralph""\x1A\x01"
        "T""\x1A\x05""Smith""\xA0\x0A\x43\x08""19571111"
        "\x31\x1F\x61\x11\x1A\x05""Susan""\x1A\x01""B""\x1A\x05"
        "Jones""\xA0\x0A\x43\x08""19590717"
        "\x60\x81\x85\x61\x10\x1A\x04""John""\x1A\x01""P"
        "\x1A\x05""Smith""\xA0\x0A\x1A\x08""Director"
        "\x42\x01\x33\xA1\x0A\x43\x08""19710917"
        "\xA2\x12\x61\x10\x1A\x04""Mary""\x1A\x01""T""\x1A\x05"
        "Smith""\xA3\x42\x31\x1F\x61\x11\x1A\x05""Ralph""\x1A\x01"
        "T""\x1A\x05""Smith""\xA0\x0A\x43\x08""19571111""\x31\x1F"
        "\x61\x11\x1A\x05""Pablo""\x1A\x01""B""\x1A\x05""Jones"
        "\xA0\x0A\x43\x08""19590717";

    /* NOTE(review): strlen() already excludes the terminating NUL, so the
     * extra -1 also drops the last payload byte -- confirm this is intended. */
    uint16_t payload0_len = strlen((char *)payload0) - 1;

    /* Packet 1: same data prefixed with "AA" (this is to test the
     * relative_offset keyword). */
    uint8_t *payload1 = (uint8_t *) "AA\x60\x81\x85\x61\x10\x1A\x04""John""\x1A\x01"
        "P""\x1A\x05""Smith""\xA0\x0A\x1A\x08""Director"
        "\x42\x01\x33\xA1\x0A\x43\x08""19710917"
        "\xA2\x12\x61\x10\x1A\x04""Mary""\x1A\x01""T""\x1A\x05"
        "Smith""\xA3\x42\x31\x1F\x61\x11\x1A\x05""Ralph""\x1A\x01"
        "T""\x1A\x05""Smith""\xA0\x0A\x43\x08""19571111"
        "\x31\x1F\x61\x11\x1A\x05""Susan""\x1A\x01""B""\x1A\x05"
        "Jones""\xA0\x0A\x43\x08""19590717"
        "\x60\x81\x85\x61\x10\x1A\x04""John""\x1A\x01""P"
        "\x1A\x05""Smith""\xA0\x0A\x1A\x08""Director"
        "\x42\x01\x33\xA1\x0A\x43\x08""19710917"
        "\xA2\x12\x61\x10\x1A\x04""Mary""\x1A\x01""T""\x1A\x05"
        "Smith""\xA3\x42\x31\x1F\x61\x11\x1A\x05""Ralph""\x1A\x01"
        "T""\x1A\x05""Smith""\xA0\x0A\x43\x08""19571111""\x31\x1F"
        "\x61\x11\x1A\x05""Susan""\x1A\x01""B""\x1A\x05""Jones"
        "\xA0\x0A\x43\x08""19590717";

    uint16_t payload1_len = strlen((char *)payload1) - 1;

    Packet *pkts[2];

    pkts[0] = UTHBuildPacket((uint8_t *)payload0, payload0_len, IPPROTO_TCP);
    FAIL_IF_NULL(pkts[0]);
    pkts[1] = UTHBuildPacket((uint8_t *)payload1, payload1_len, IPPROTO_TCP);
    FAIL_IF_NULL(pkts[1]);

    const char *rules[3] = {
        "alert ip any any -> any any (msg:\"Testing id 1\"; "
        "content:\"Pablo\"; asn1:absolute_offset 0, "
        "oversize_length 130; sid:1;)",
        "alert ip any any -> any any (msg:\"Testing id 2\"; "
        "content:\"AA\"; asn1:relative_offset 0, "
        "oversize_length 130; sid:2;)",
        "alert ip any any -> any any (msg:\"Testing id 3\"; "
        "content:\"lalala\"; asn1: oversize_length 2000; sid:3;)",
    };

    uint32_t sids[3] = {1, 2, 3};
    /* One row per packet, one column per sid. */
    uint32_t expected[2][3] = {
        /* packet 0 match sid 1 */
        {1, 0, 0},
        /* packet 1 match sid 2 */
        {0, 1, 0}};
    /* None of the packets should match sid 3 */
    int rc = UTHGenericTest(pkts, 2, rules, sids, (uint32_t *)expected, 3);
    FAIL_IF_NOT(rc == 1);

    UTHFreePackets(pkts, 2);
    PASS;
}
235 
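/**
 * \test DetectAsn1TestReal02 Ensure that all works together
 *
 * Same payloads as DetectAsn1TestReal01, but the rules use
 * oversize_length 140 while the outer element declares a length of
 * 0x85 (133), so no sid is expected on either packet.
 *
 * \retval 1 on success (value returned by UTHGenericTest)
 * \retval 0 if a packet could not be built or the generic test failed
 */
static int DetectAsn1TestReal02(void)
{
    int result = 0;
    uint8_t *buf = (uint8_t *) "\x60\x81\x85\x61\x10\x1A\x04""John""\x1A\x01"
        "P""\x1A\x05""Smith""\xA0\x0A\x1A\x08""Director"
        "\x42\x01\x33\xA1\x0A\x43\x08""19710917"
        "\xA2\x12\x61\x10\x1A\x04""Mary""\x1A\x01""T""\x1A\x05"
        "Smith""\xA3\x42\x31\x1F\x61\x11\x1A\x05""Ralph""\x1A\x01"
        "T""\x1A\x05""Smith""\xA0\x0A\x43\x08""19571111"
        "\x31\x1F\x61\x11\x1A\x05""Susan""\x1A\x01""B""\x1A\x05"
        "Jones""\xA0\x0A\x43\x08""19590717"
        "\x60\x81\x85\x61\x10\x1A\x04""John""\x1A\x01""P"
        "\x1A\x05""Smith""\xA0\x0A\x1A\x08""Director"
        "\x42\x01\x33\xA1\x0A\x43\x08""19710917"
        "\xA2\x12\x61\x10\x1A\x04""Mary""\x1A\x01""T""\x1A\x05"
        "Smith""\xA3\x42\x31\x1F\x61\x11\x1A\x05""Ralph""\x1A\x01"
        "T""\x1A\x05""Smith""\xA0\x0A\x43\x08""19571111""\x31\x1F"
        "\x61\x11\x1A\x05""Pablo""\x1A\x01""B""\x1A\x05""Jones"
        "\xA0\x0A\x43\x08""19590717";

    /* NOTE(review): strlen() already excludes the terminating NUL, so the
     * extra -1 also drops the last payload byte -- confirm this is intended. */
    uint16_t buflen = strlen((char *)buf) - 1;

    /* Check the start with AA (this is to test the relative_offset keyword) */
    uint8_t *buf2 = (uint8_t *) "AA\x60\x81\x85\x61\x10\x1A\x04""John""\x1A\x01"
        "P""\x1A\x05""Smith""\xA0\x0A\x1A\x08""Director"
        "\x42\x01\x33\xA1\x0A\x43\x08""19710917"
        "\xA2\x12\x61\x10\x1A\x04""Mary""\x1A\x01""T""\x1A\x05"
        "Smith""\xA3\x42\x31\x1F\x61\x11\x1A\x05""Ralph""\x1A\x01"
        "T""\x1A\x05""Smith""\xA0\x0A\x43\x08""19571111"
        "\x31\x1F\x61\x11\x1A\x05""Susan""\x1A\x01""B""\x1A\x05"
        "Jones""\xA0\x0A\x43\x08""19590717"
        "\x60\x81\x85\x61\x10\x1A\x04""John""\x1A\x01""P"
        "\x1A\x05""Smith""\xA0\x0A\x1A\x08""Director"
        "\x42\x01\x33\xA1\x0A\x43\x08""19710917"
        "\xA2\x12\x61\x10\x1A\x04""Mary""\x1A\x01""T""\x1A\x05"
        "Smith""\xA3\x42\x31\x1F\x61\x11\x1A\x05""Ralph""\x1A\x01"
        "T""\x1A\x05""Smith""\xA0\x0A\x43\x08""19571111""\x31\x1F"
        "\x61\x11\x1A\x05""Susan""\x1A\x01""B""\x1A\x05""Jones"
        "\xA0\x0A\x43\x08""19590717";

    uint16_t buflen2 = strlen((char *)buf2) - 1;

    /* Start from NULL so the cleanup at 'end' can tell which packets exist. */
    Packet *p[2] = { NULL, NULL };

    p[0] = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
    p[1] = UTHBuildPacket((uint8_t *)buf2, buflen2, IPPROTO_TCP);

    if (p[0] == NULL || p[1] == NULL)
        goto end;

    const char *sigs[3];
    sigs[0]= "alert ip any any -> any any (msg:\"Testing id 1\"; "
        "content:\"Pablo\"; asn1:absolute_offset 0, "
        "oversize_length 140; sid:1;)";
    sigs[1]= "alert ip any any -> any any (msg:\"Testing id 2\"; "
        "content:\"AA\"; asn1:relative_offset 0, "
        "oversize_length 140; sid:2;)";
    sigs[2]= "alert ip any any -> any any (msg:\"Testing id 3\"; "
        "content:\"lalala\"; asn1: oversize_length 2000; sid:3;)";

    uint32_t sid[3] = {1, 2, 3};

    /* None of the packets should match */
    uint32_t results[2][3] = {
        {0, 0, 0},
        {0, 0, 0}};

    result = UTHGenericTest(p, 2, sigs, sid, (uint32_t *) results, 3);

end:
    /* Free whatever was built, including the case where only one of the
     * two UTHBuildPacket() calls succeeded. */
    for (int i = 0; i < 2; i++) {
        if (p[i] != NULL)
            UTHFreePackets(&p[i], 1);
    }
    return result;
}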
312 
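/**
 * \test DetectAsn1TestReal03 Ensure that all works together
 *
 * Packet 0 carries a universal/primitive tag 9 (Real) element with a
 * declared length of 257 and is expected to hit the double_overflow rule.
 * Packet 1 is "AA" followed by 0x03 0x01 0xFF and is expected to hit the
 * bitstring_overflow rule at relative_offset 2. sid 3 should match neither.
 *
 * \retval 1 on success (value returned by UTHGenericTest)
 * \retval 0 if a packet could not be built or the generic test failed
 */
static int DetectAsn1TestReal03(void)
{
    int result = 0;
    uint8_t buf[261] = "";
    /* universal class, primitive type, tag_num = 9 (Data type Real) */
    buf[0] = '\x09';
    /* length, definite form, 2 octets */
    buf[1] = '\x82';
    /* length is the sum of the following octets (257): */
    buf[2] = '\x01';
    buf[3] = '\x01';

    /* Fill the content of the number.
     * NOTE(review): only indices 4..256 are written; 257..260 keep the zero
     * from the initializer although they are inside the declared length. */
    uint16_t i = 4;
    for (; i < 257;i++)
        buf[i] = '\x05';

    uint16_t buflen = 261;

    /* Check the start with AA (this is to test the relative_offset keyword) */
    uint8_t *buf2 = (uint8_t *) "AA\x03\x01\xFF";

    uint16_t buflen2 = 5;

    Packet *p[2] = { NULL, NULL };

    p[0] = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
    p[1] = UTHBuildPacket((uint8_t *)buf2, buflen2, IPPROTO_TCP);

    if (p[0] == NULL || p[1] == NULL)
        goto end;

    const char *sigs[3];
    /* This should match the first packet */
    sigs[0]= "alert ip any any -> any any (msg:\"Testing id 1\"; "
        "asn1:absolute_offset 0, double_overflow; sid:1;)";
    /* This should match the second packet */
    sigs[1]= "alert ip any any -> any any (msg:\"Testing id 2\"; "
        "asn1:relative_offset 2, bitstring_overflow,"
        "oversize_length 140; sid:2;)";
    /* This should match no packet */
    sigs[2]= "alert ip any any -> any any (msg:\"Testing id 3\"; "
        "asn1: oversize_length 2000; sid:3;)";

    uint32_t sid[3] = {1, 2, 3};

    uint32_t results[2][3] = {{1, 0, 0},
                              {0, 1, 0}};

    result = UTHGenericTest(p, 2, sigs, sid, (uint32_t *) results, 3);

end:
    /* Free whatever was built, including the case where only one of the
     * two UTHBuildPacket() calls succeeded. */
    for (int k = 0; k < 2; k++) {
        if (p[k] != NULL)
            UTHFreePackets(&p[k], 1);
    }
    return result;
}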
371 
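/**
 * \test DetectAsn1TestReal04 like the real test 02, but with a negative
 *       relative offset: sid 2 starts decoding at relative_offset -11 with
 *       respect to the content match "John"
 *
 * Assuming the offset is applied from the end of the content match, -11
 * lands on the leading 0x60 tag in both payloads (TODO confirm). The
 * declared length there is 0x85 (133), below oversize_length 140, so no
 * sid is expected on either packet.
 *
 * \retval 1 on success (value returned by UTHGenericTest)
 * \retval 0 if a packet could not be built or the generic test failed
 */
static int DetectAsn1TestReal04(void)
{
    int result = 0;
    uint8_t *buf = (uint8_t *) "\x60\x81\x85\x61\x10\x1A\x04""John""\x1A\x01"
        "P""\x1A\x05""Smith""\xA0\x0A\x1A\x08""Director"
        "\x42\x01\x33\xA1\x0A\x43\x08""19710917"
        "\xA2\x12\x61\x10\x1A\x04""Mary""\x1A\x01""T""\x1A\x05"
        "Smith""\xA3\x42\x31\x1F\x61\x11\x1A\x05""Ralph""\x1A\x01"
        "T""\x1A\x05""Smith""\xA0\x0A\x43\x08""19571111"
        "\x31\x1F\x61\x11\x1A\x05""Susan""\x1A\x01""B""\x1A\x05"
        "Jones""\xA0\x0A\x43\x08""19590717"
        "\x60\x81\x85\x61\x10\x1A\x04""John""\x1A\x01""P"
        "\x1A\x05""Smith""\xA0\x0A\x1A\x08""Director"
        "\x42\x01\x33\xA1\x0A\x43\x08""19710917"
        "\xA2\x12\x61\x10\x1A\x04""Mary""\x1A\x01""T""\x1A\x05"
        "Smith""\xA3\x42\x31\x1F\x61\x11\x1A\x05""Ralph""\x1A\x01"
        "T""\x1A\x05""Smith""\xA0\x0A\x43\x08""19571111""\x31\x1F"
        "\x61\x11\x1A\x05""Pablo""\x1A\x01""B""\x1A\x05""Jones"
        "\xA0\x0A\x43\x08""19590717";

    /* NOTE(review): strlen() already excludes the terminating NUL, so the
     * extra -1 also drops the last payload byte -- confirm this is intended. */
    uint16_t buflen = strlen((char *)buf) - 1;

    /* Check the start with AA (this is to test the relative_offset keyword) */
    uint8_t *buf2 = (uint8_t *) "AA\x60\x81\x85\x61\x10\x1A\x04""John""\x1A\x01"
        "P""\x1A\x05""Smith""\xA0\x0A\x1A\x08""Director"
        "\x42\x01\x33\xA1\x0A\x43\x08""19710917"
        "\xA2\x12\x61\x10\x1A\x04""Mary""\x1A\x01""T""\x1A\x05"
        "Smith""\xA3\x42\x31\x1F\x61\x11\x1A\x05""Ralph""\x1A\x01"
        "T""\x1A\x05""Smith""\xA0\x0A\x43\x08""19571111"
        "\x31\x1F\x61\x11\x1A\x05""Susan""\x1A\x01""B""\x1A\x05"
        "Jones""\xA0\x0A\x43\x08""19590717"
        "\x60\x81\x85\x61\x10\x1A\x04""John""\x1A\x01""P"
        "\x1A\x05""Smith""\xA0\x0A\x1A\x08""Director"
        "\x42\x01\x33\xA1\x0A\x43\x08""19710917"
        "\xA2\x12\x61\x10\x1A\x04""Mary""\x1A\x01""T""\x1A\x05"
        "Smith""\xA3\x42\x31\x1F\x61\x11\x1A\x05""Ralph""\x1A\x01"
        "T""\x1A\x05""Smith""\xA0\x0A\x43\x08""19571111""\x31\x1F"
        "\x61\x11\x1A\x05""Susan""\x1A\x01""B""\x1A\x05""Jones"
        "\xA0\x0A\x43\x08""19590717";

    uint16_t buflen2 = strlen((char *)buf2) - 1;

    /* Start from NULL so the cleanup at 'end' can tell which packets exist. */
    Packet *p[2] = { NULL, NULL };

    p[0] = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
    p[1] = UTHBuildPacket((uint8_t *)buf2, buflen2, IPPROTO_TCP);

    if (p[0] == NULL || p[1] == NULL)
        goto end;

    const char *sigs[3];
    sigs[0]= "alert ip any any -> any any (msg:\"Testing id 1\"; "
        "content:\"Pablo\"; asn1:absolute_offset 0, "
        "oversize_length 140; sid:1;)";
    sigs[1]= "alert ip any any -> any any (msg:\"Testing id 2\"; "
        "content:\"John\"; asn1:relative_offset -11, "
        "oversize_length 140; sid:2;)";
    sigs[2]= "alert ip any any -> any any (msg:\"Testing id 3\"; "
        "content:\"lalala\"; asn1: oversize_length 2000; sid:3;)";

    uint32_t sid[3] = {1, 2, 3};

    /* None of the packets should match */
    uint32_t results[2][3] = {
        {0, 0, 0},
        {0, 0, 0}};

    result = UTHGenericTest(p, 2, sigs, sid, (uint32_t *) results, 3);

end:
    /* Free whatever was built, including the case where only one of the
     * two UTHBuildPacket() calls succeeded. */
    for (int i = 0; i < 2; i++) {
        if (p[i] != NULL)
            UTHFreePackets(&p[i], 1);
    }
    return result;
}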
450 
/**
 * \brief Register the DetectAsn1 unit tests with the unit-test framework,
 *        in the order TestReal01 .. TestReal04
 */
static void DetectAsn1RegisterTests(void)
{
    /* Name/function pairs, registered in table order. */
    static const struct {
        const char *name;
        int (*fn)(void);
    } asn1_tests[] = {
        { "DetectAsn1TestReal01", DetectAsn1TestReal01 },
        { "DetectAsn1TestReal02", DetectAsn1TestReal02 },
        { "DetectAsn1TestReal03", DetectAsn1TestReal03 },
        { "DetectAsn1TestReal04", DetectAsn1TestReal04 },
    };

    for (size_t idx = 0; idx < sizeof(asn1_tests) / sizeof(asn1_tests[0]); idx++) {
        UtRegisterTest(asn1_tests[idx].name, asn1_tests[idx].fn);
    }
}
461 #endif /* UNITTESTS */