suricata
detect-bytemath.c
Go to the documentation of this file.
1 /* Copyright (C) 2020-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Jeff Lucovsky <jeff@lucovsky.org>
22  */
23 
24 /*
25  * Refer to the Snort manual, section 3.5.34 for details.
26  */
27 
28 #include "suricata-common.h"
29 #include "threads.h"
30 #include "decode.h"
31 
32 #include "app-layer-parser.h"
33 #include "app-layer-protos.h"
34 
35 #include "detect.h"
36 #include "detect-parse.h"
37 #include "detect-engine.h"
38 #include "detect-engine-mpm.h"
39 #include "detect-engine-state.h"
40 #include "detect-engine-build.h"
41 
42 #include "rust-bindings.h"
43 
44 #include "detect-content.h"
45 #include "detect-pcre.h"
46 #include "detect-byte.h"
47 #include "detect-bytemath.h"
48 
49 #include "flow.h"
50 #include "flow-var.h"
51 #include "flow-util.h"
52 
53 #include "util-byte.h"
54 #include "util-debug.h"
55 #include "util-unittest.h"
56 #include "util-unittest-helper.h"
57 #include "util-spm.h"
58 
59 static int DetectByteMathSetup(DetectEngineCtx *, Signature *, const char *);
60 #ifdef UNITTESTS
61 #define DETECT_BYTEMATH_ENDIAN_DEFAULT (uint8_t) BigEndian
62 #define DETECT_BYTEMATH_BASE_DEFAULT (uint8_t) BaseDec
63 
64 static void DetectByteMathRegisterTests(void);
65 #endif
66 static void DetectByteMathFree(DetectEngineCtx *, void *);
67 
68 /**
69  * \brief Registers the keyword handlers for the "byte_math" keyword.
70  */
71 void DetectBytemathRegister(void)
72 {
73  sigmatch_table[DETECT_BYTEMATH].name = "byte_math";
74  sigmatch_table[DETECT_BYTEMATH].Match = NULL;
75  sigmatch_table[DETECT_BYTEMATH].Setup = DetectByteMathSetup;
76  sigmatch_table[DETECT_BYTEMATH].Free = DetectByteMathFree;
77 #ifdef UNITTESTS
78  sigmatch_table[DETECT_BYTEMATH].RegisterTests = DetectByteMathRegisterTests;
79 #endif
80 }
81 
82 static inline bool DetectByteMathValidateNbytesOnly(const DetectByteMathData *data, int32_t nbytes)
83 {
84  return nbytes >= 1 &&
85  (((data->flags & DETECT_BYTEMATH_FLAG_STRING) && nbytes <= 10) || (nbytes <= 4));
86 }
87 
88 int DetectByteMathDoMatch(DetectEngineThreadCtx *det_ctx, const DetectByteMathData *data,
89  const Signature *s, const uint8_t *payload, const uint32_t payload_len, uint8_t nbytes,
90  uint64_t rvalue, uint64_t *value, uint8_t endian)
91 {
92  if (payload_len == 0) {
93  return 0;
94  }
95 
96  if (!DetectByteMathValidateNbytesOnly(data, nbytes)) {
97  return 0;
98  }
99 
100  const uint8_t *ptr;
101  int32_t len;
102  uint64_t val;
103  int extbytes;
104 
105  /* Calculate the ptr value for the byte-math op and length remaining in
106  * the packet from that point.
107  */
108  if (data->flags & DETECT_BYTEMATH_FLAG_RELATIVE) {
109  SCLogDebug("relative, working with det_ctx->buffer_offset %" PRIu32 ", "
110  "data->offset %" PRIi32 "",
111  det_ctx->buffer_offset, data->offset);
112 
113  ptr = payload + det_ctx->buffer_offset;
114  len = payload_len - det_ctx->buffer_offset;
115 
116  ptr += data->offset;
117  len -= data->offset;
118 
119  /* No match if there is no relative base */
120  if (len <= 0) {
121  return 0;
122  }
123  } else {
124  SCLogDebug("absolute, data->offset %" PRIi32 "", data->offset);
125 
126  ptr = payload + data->offset;
127  len = payload_len - data->offset;
128  }
129 
130  /* Validate that the to-be-extracted is within the packet */
131  if (ptr < payload || nbytes > len) {
132  SCLogDebug("Data not within payload pkt=%p, ptr=%p, len=%" PRIu32 ", nbytes=%d", payload,
133  ptr, len, nbytes);
134  return 0;
135  }
136 
137  /* Extract the byte data */
138  if (data->flags & DETECT_BYTEMATH_FLAG_STRING) {
139  extbytes = ByteExtractStringUint64(&val, data->base, nbytes, (const char *)ptr);
140  if (extbytes <= 0) {
141  if (val == 0) {
142  SCLogDebug("No Numeric value");
143  return 0;
144  } else {
145  SCLogDebug("error extracting %d bytes of string data: %d", nbytes, extbytes);
146  return -1;
147  }
148  }
149  } else {
150  ByteEndian bme = endian;
151  int endianness = (bme == BigEndian) ? BYTE_BIG_ENDIAN : BYTE_LITTLE_ENDIAN;
152  extbytes = ByteExtractUint64(&val, endianness, nbytes, ptr);
153  if (extbytes != nbytes) {
154  SCLogDebug("error extracting %d bytes of numeric data: %d", nbytes, extbytes);
155  return 0;
156  }
157  }
158 
159  BUG_ON(extbytes > len);
160 
161  ptr += extbytes;
162 
163  switch (data->oper) {
164  case OperatorNone:
165  break;
166  case Addition:
167  val += rvalue;
168  break;
169  case Subtraction:
170  val -= rvalue;
171  break;
172  case Division:
173  if (rvalue == 0) {
174  SCLogDebug("avoiding division by zero");
175  return 0;
176  }
177  val /= rvalue;
178  break;
179  case Multiplication:
180  val *= rvalue;
181  break;
182  case LeftShift:
183  if (rvalue < 64) {
184  val <<= rvalue;
185  } else {
186  val = 0;
187  }
188  break;
189  case RightShift:
190  val >>= rvalue;
191  break;
192  }
193 
194  det_ctx->buffer_offset = ptr - payload;
195 
196  if (data->flags & DETECT_BYTEMATH_FLAG_BITMASK) {
197  val &= data->bitmask_val;
198  if (val && data->bitmask_shift_count) {
199  val = val >> data->bitmask_shift_count;
200  }
201  }
202 
203  *value = val;
204  return 1;
205 }
206 
207 /**
208  * \internal
209  * \brief Used to parse byte_math arg.
210  *
211  * \param arg The argument to parse.
212  * \param rvalue May be NULL. When non-null, will contain the variable
213  * name of rvalue (iff rvalue is not a scalar value)
214  *
215  * \retval bmd On success an instance containing the parsed data.
216  * On failure, NULL.
217  */
218 static DetectByteMathData *DetectByteMathParse(
219  DetectEngineCtx *de_ctx, const char *arg, char **nbytes, char **rvalue)
220 {
221  DetectByteMathData *bmd;
222  if ((bmd = SCByteMathParse(arg)) == NULL) {
223  SCLogError("invalid bytemath values");
224  return NULL;
225  }
226 
227  if (bmd->nbytes_str) {
228  if (nbytes == NULL) {
229  SCLogError("byte_math supplied with "
230  "var name for nbytes. \"nbytes\" argument supplied to "
231  "this function must be non-NULL");
232  goto error;
233  }
234  *nbytes = SCStrdup(bmd->nbytes_str);
235  if (*nbytes == NULL) {
236  goto error;
237  }
238  }
239 
240  if (bmd->rvalue_str) {
241  if (rvalue == NULL) {
242  SCLogError("byte_math supplied with "
243  "var name for rvalue. \"rvalue\" argument supplied to "
244  "this function must be non-NULL");
245  goto error;
246  }
247  *rvalue = SCStrdup(bmd->rvalue_str);
248  if (*rvalue == NULL) {
249  goto error;
250  }
251  }
252 
253  if (bmd->flags & DETECT_BYTEMATH_FLAG_BITMASK) {
254  if (bmd->bitmask_val) {
255  uint32_t bmask = bmd->bitmask_val;
256  while (!(bmask & 0x1)){
257  bmask = bmask >> 1;
258  bmd->bitmask_shift_count++;
259  }
260  }
261  }
262 
263  return bmd;
264 
265  error:
266  if (bmd != NULL)
267  DetectByteMathFree(de_ctx, bmd);
268  return NULL;
269 }
270 
271 /**
272  * \brief The setup function for the byte_math keyword for a signature.
273  *
274  * \param de_ctx Pointer to the detection engine context.
275  * \param s Pointer to signature for the current Signature being parsed
276  * from the rules.
277  * \param arg Pointer to the string holding the keyword value.
278  *
279  * \retval 0 On success.
280  * \retval -1 On failure.
281  */
282 static int DetectByteMathSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
283 {
284  SigMatch *prev_pm = NULL;
285  DetectByteMathData *data;
286  char *rvalue = NULL;
287  char *nbytes = NULL;
288  int ret = -1;
289 
290  data = DetectByteMathParse(de_ctx, arg, &nbytes, &rvalue);
291  if (data == NULL)
292  goto error;
293 
294  int sm_list;
295  if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
296  if (DetectBufferGetActiveList(de_ctx, s) == -1)
297  goto error;
298 
299  sm_list = s->init_data->list;
300 
301  if (data->flags & DETECT_BYTEMATH_FLAG_RELATIVE) {
302  prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, -1);
303  if (!prev_pm) {
304  SCLogError("relative specified without "
305  "previous pattern match");
306  goto error;
307  }
308  }
309  } else if (data->endian == EndianDCE) {
310  if (data->flags & DETECT_BYTEMATH_FLAG_RELATIVE) {
311  prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE,
312  DETECT_BYTETEST, DETECT_BYTEJUMP,
313  DETECT_BYTE_EXTRACT,
314  DETECT_BYTEMATH,
315  DETECT_ISDATAAT, -1);
316  if (prev_pm == NULL) {
317  sm_list = DETECT_SM_LIST_PMATCH;
318  } else {
319  sm_list = SigMatchListSMBelongsTo(s, prev_pm);
320  if (sm_list < 0)
321  goto error;
322  }
323  } else {
324  sm_list = DETECT_SM_LIST_PMATCH;
325  }
326 
327  if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) < 0)
328  goto error;
329 
330  } else if (data->flags & DETECT_BYTEMATH_FLAG_RELATIVE) {
331  prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE,
332  DETECT_BYTETEST, DETECT_BYTEJUMP,
333  DETECT_BYTE_EXTRACT, DETECT_BYTEMATH,
334  DETECT_ISDATAAT, -1);
335  if (prev_pm == NULL) {
336  sm_list = DETECT_SM_LIST_PMATCH;
337  } else {
338  sm_list = SigMatchListSMBelongsTo(s, prev_pm);
339  if (sm_list < 0)
340  goto error;
341  }
342 
343  } else {
344  sm_list = DETECT_SM_LIST_PMATCH;
345  }
346 
347  if (data->endian == EndianDCE) {
348  if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) != 0)
349  goto error;
350 
351  if ((data->flags & DETECT_BYTEMATH_FLAG_STRING) || (data->base == BaseDec) ||
352  (data->base == BaseHex) || (data->base == BaseOct)) {
353  SCLogError("Invalid option. "
354  "A bytemath keyword with dce holds other invalid modifiers.");
355  goto error;
356  }
357  }
358 
359  if (nbytes != NULL) {
360  DetectByteIndexType index;
361  if (!DetectByteRetrieveSMVar(nbytes, s, &index)) {
362  SCLogError("unknown byte_ keyword var seen in byte_math - %s", nbytes);
363  goto error;
364  }
365  data->nbytes = index;
366  data->flags |= DETECT_BYTEMATH_FLAG_NBYTES_VAR;
367  SCFree(nbytes);
368  nbytes = NULL;
369  }
370 
371  if (rvalue != NULL) {
372  DetectByteIndexType index;
373  if (!DetectByteRetrieveSMVar(rvalue, s, &index)) {
374  SCLogError("unknown byte_ keyword var seen in byte_math - %s", rvalue);
375  goto error;
376  }
377  data->rvalue = index;
378  data->flags |= DETECT_BYTEMATH_FLAG_RVALUE_VAR;
379  SCFree(rvalue);
380  rvalue = NULL;
381  }
382 
383  SigMatch *prev_bmd_sm = DetectGetLastSMByListId(s, sm_list,
384  DETECT_BYTEMATH, -1);
385  if (prev_bmd_sm == NULL) {
386  data->local_id = 0;
387  } else {
388  data->local_id = ((DetectByteMathData *)prev_bmd_sm->ctx)->local_id + 1;
389  }
390  if (data->local_id > de_ctx->byte_extract_max_local_id) {
391  de_ctx->byte_extract_max_local_id = data->local_id;
392  }
393 
394  if (SigMatchAppendSMToList(de_ctx, s, DETECT_BYTEMATH, (SigMatchCtx *)data, sm_list) == NULL) {
395  goto error;
396  }
397 
398  if (!(data->flags & DETECT_BYTEMATH_FLAG_RELATIVE))
399  goto okay;
400 
401  if (prev_pm == NULL)
402  goto okay;
403 
404  if (prev_pm->type == DETECT_CONTENT) {
405  DetectContentData *cd = (DetectContentData *)prev_pm->ctx;
406  cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
407  } else if (prev_pm->type == DETECT_PCRE) {
408  DetectPcreData *pd = (DetectPcreData *)prev_pm->ctx;
409  pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
410  }
411 
412  okay:
413  return 0;
414 
415  error:
416  if (rvalue)
417  SCFree(rvalue);
418  if (nbytes)
419  SCFree(nbytes);
420  DetectByteMathFree(de_ctx, data);
421  return ret;
422 }
423 
424 /**
425  * \brief Used to free instances of DetectByteMathractData.
426  *
427  * \param ptr Instance of DetectByteMathData to be freed.
428  */
429 static void DetectByteMathFree(DetectEngineCtx *de_ctx, void *ptr)
430 {
431  SCByteMathFree(ptr);
432 }
433 
434 /**
435  * \brief Lookup the SigMatch for a named byte_math variable.
436  *
437  * \param arg The name of the byte_math variable to lookup.
438  * \param s Pointer the signature to look in.
439  *
440  * \retval A pointer to the SigMatch if found, otherwise NULL.
441  */
442 SigMatch *DetectByteMathRetrieveSMVar(const char *arg, const Signature *s)
443 {
444  for (uint32_t x = 0; x < s->init_data->buffer_index; x++) {
445  SigMatch *sm = s->init_data->buffers[x].head;
446  while (sm != NULL) {
447  if (sm->type == DETECT_BYTEMATH) {
448  const DetectByteMathData *bmd = (const DetectByteMathData *)sm->ctx;
449  if (strcmp(bmd->result, arg) == 0) {
450  SCLogDebug("Retrieved SM for \"%s\"", arg);
451  return sm;
452  }
453  }
454  sm = sm->next;
455  }
456  }
457 
458  for (int list = 0; list < DETECT_SM_LIST_MAX; list++) {
459  SigMatch *sm = s->init_data->smlists[list];
460  while (sm != NULL) {
461  if (sm->type == DETECT_BYTEMATH) {
462  const DetectByteMathData *bmd = (const DetectByteMathData *)sm->ctx;
463  if (strcmp(bmd->result, arg) == 0) {
464  SCLogDebug("Retrieved SM for \"%s\"", arg);
465  return sm;
466  }
467  }
468  sm = sm->next;
469  }
470  }
471 
472  return NULL;
473 }
474 
475 /*************************************Unittests********************************/
476 #ifdef UNITTESTS
477 #include "detect-engine-alert.h"
478 
479 static int DetectByteMathParseTest01(void)
480 {
481 
482  DetectByteMathData *bmd = DetectByteMathParse(NULL,
483  "bytes 4, offset 2, oper +,"
484  "rvalue 10, result bar",
485  NULL, NULL);
486  FAIL_IF(bmd == NULL);
487 
488  FAIL_IF_NOT(bmd->nbytes == 4);
489  FAIL_IF_NOT(bmd->offset == 2);
490  FAIL_IF_NOT(bmd->oper == Addition);
491  FAIL_IF_NOT(bmd->rvalue == 10);
492  FAIL_IF_NOT(strcmp(bmd->result, "bar") == 0);
493  FAIL_IF_NOT(bmd->endian == DETECT_BYTEMATH_ENDIAN_DEFAULT);
494  FAIL_IF_NOT(bmd->base == DETECT_BYTEMATH_BASE_DEFAULT);
495 
496  DetectByteMathFree(NULL, bmd);
497 
498  PASS;
499 }
500 
501 static int DetectByteMathParseTest02(void)
502 {
503  /* bytes value invalid */
504  DetectByteMathData *bmd = DetectByteMathParse(NULL,
505  "bytes 257, offset 2, oper +, "
506  "rvalue 39, result bar",
507  NULL, NULL);
508 
509  FAIL_IF_NOT(bmd == NULL);
510 
511  PASS;
512 }
513 
514 static int DetectByteMathParseTest03(void)
515 {
516  /* bytes value invalid */
517  DetectByteMathData *bmd = DetectByteMathParse(NULL,
518  "bytes 11, offset 2, oper +, "
519  "rvalue 39, result bar",
520  NULL, NULL);
521  FAIL_IF_NOT(bmd == NULL);
522 
523  PASS;
524 }
525 
526 static int DetectByteMathParseTest04(void)
527 {
528  /* offset value invalid */
529  DetectByteMathData *bmd = DetectByteMathParse(NULL,
530  "bytes 4, offset 70000, oper +,"
531  " rvalue 39, result bar",
532  NULL, NULL);
533 
534  FAIL_IF_NOT(bmd == NULL);
535 
536  PASS;
537 }
538 
539 static int DetectByteMathParseTest05(void)
540 {
541  /* oper value invalid */
542  DetectByteMathData *bmd = DetectByteMathParse(NULL,
543  "bytes 11, offset 16, oper &,"
544  "rvalue 39, result bar",
545  NULL, NULL);
546  FAIL_IF_NOT(bmd == NULL);
547 
548  PASS;
549 }
550 
551 static int DetectByteMathParseTest06(void)
552 {
553  uint8_t flags = DETECT_BYTEMATH_FLAG_RELATIVE;
554  char *rvalue = NULL;
555 
556  DetectByteMathData *bmd = DetectByteMathParse(NULL,
557  "bytes 4, offset 0, oper +,"
558  "rvalue 248, result var, relative",
559  NULL, &rvalue);
560 
561  FAIL_IF(bmd == NULL);
562  FAIL_IF_NOT(bmd->nbytes == 4);
563  FAIL_IF_NOT(bmd->offset == 0);
564  FAIL_IF_NOT(bmd->oper == Addition);
565  FAIL_IF_NOT(bmd->rvalue == 248);
566  FAIL_IF_NOT(strcmp(bmd->result, "var") == 0);
567  FAIL_IF_NOT(bmd->flags == flags);
568  FAIL_IF_NOT(bmd->endian == DETECT_BYTEMATH_ENDIAN_DEFAULT);
569  FAIL_IF_NOT(bmd->base == DETECT_BYTEMATH_BASE_DEFAULT);
570 
571  DetectByteMathFree(NULL, bmd);
572 
573  PASS;
574 }
575 
576 static int DetectByteMathParseTest07(void)
577 {
578  char *rvalue = NULL;
579 
580  DetectByteMathData *bmd = DetectByteMathParse(NULL,
581  "bytes 4, offset 2, oper +,"
582  "rvalue foo, result bar",
583  NULL, &rvalue);
584  FAIL_IF_NOT(rvalue);
585  FAIL_IF_NOT(bmd->nbytes == 4);
586  FAIL_IF_NOT(bmd->offset == 2);
587  FAIL_IF_NOT(bmd->oper == Addition);
588  FAIL_IF_NOT(strcmp(rvalue, "foo") == 0);
589  FAIL_IF_NOT(strcmp(bmd->result, "bar") == 0);
590  FAIL_IF_NOT(bmd->endian == DETECT_BYTEMATH_ENDIAN_DEFAULT);
591  FAIL_IF_NOT(bmd->base == DETECT_BYTEMATH_BASE_DEFAULT);
592 
593  DetectByteMathFree(NULL, bmd);
594 
595  SCFree(rvalue);
596 
597  PASS;
598 }
599 
600 static int DetectByteMathParseTest08(void)
601 {
602  /* ensure Parse checks the pointer value when rvalue is a var */
603  DetectByteMathData *bmd = DetectByteMathParse(NULL,
604  "bytes 4, offset 2, oper +,"
605  "rvalue foo, result bar",
606  NULL, NULL);
607  FAIL_IF_NOT(bmd == NULL);
608 
609  PASS;
610 }
611 
612 static int DetectByteMathParseTest09(void)
613 {
614  uint8_t flags = DETECT_BYTEMATH_FLAG_RELATIVE;
615 
616  DetectByteMathData *bmd = DetectByteMathParse(NULL,
617  "bytes 4, offset 2, oper +,"
618  "rvalue 39, result bar, relative",
619  NULL, NULL);
620  FAIL_IF(bmd == NULL);
621 
622  FAIL_IF_NOT(bmd->nbytes == 4);
623  FAIL_IF_NOT(bmd->offset == 2);
624  FAIL_IF_NOT(bmd->oper == Addition);
625  FAIL_IF_NOT(bmd->rvalue == 39);
626  FAIL_IF_NOT(strcmp(bmd->result, "bar") == 0);
627  FAIL_IF_NOT(bmd->flags == flags);
628  FAIL_IF_NOT(bmd->endian == DETECT_BYTEMATH_ENDIAN_DEFAULT);
629  FAIL_IF_NOT(bmd->base == DETECT_BYTEMATH_BASE_DEFAULT);
630 
631  DetectByteMathFree(NULL, bmd);
632 
633  PASS;
634 }
635 
636 static int DetectByteMathParseTest10(void)
637 {
638  uint8_t flags = DETECT_BYTEMATH_FLAG_ENDIAN;
639 
640  DetectByteMathData *bmd = DetectByteMathParse(NULL,
641  "bytes 4, offset 2, oper +,"
642  "rvalue 39, result bar, endian"
643  " big",
644  NULL, NULL);
645 
646  FAIL_IF(bmd == NULL);
647  FAIL_IF_NOT(bmd->nbytes == 4);
648  FAIL_IF_NOT(bmd->offset == 2);
649  FAIL_IF_NOT(bmd->oper == Addition);
650  FAIL_IF_NOT(bmd->rvalue == 39);
651  FAIL_IF_NOT(strcmp(bmd->result, "bar") == 0);
652  FAIL_IF_NOT(bmd->flags == flags);
653  FAIL_IF_NOT(bmd->endian == BigEndian);
654  FAIL_IF_NOT(bmd->base == DETECT_BYTEMATH_BASE_DEFAULT);
655 
656  DetectByteMathFree(NULL, bmd);
657 
658  PASS;
659 }
660 
661 static int DetectByteMathParseTest11(void)
662 {
663  uint8_t flags = DETECT_BYTEMATH_FLAG_ENDIAN;
664 
665  DetectByteMathData *bmd = DetectByteMathParse(NULL,
666  "bytes 4, offset 2, oper +, "
667  "rvalue 39, result bar, dce",
668  NULL, NULL);
669 
670  FAIL_IF(bmd == NULL);
671  FAIL_IF_NOT(bmd->nbytes == 4);
672  FAIL_IF_NOT(bmd->offset == 2);
673  FAIL_IF_NOT(bmd->oper == Addition);
674  FAIL_IF_NOT(bmd->rvalue == 39);
675  FAIL_IF_NOT(strcmp(bmd->result, "bar") == 0);
676  FAIL_IF_NOT(bmd->flags == flags);
677  FAIL_IF_NOT(bmd->endian == EndianDCE);
678  FAIL_IF_NOT(bmd->base == DETECT_BYTEMATH_BASE_DEFAULT);
679 
680  DetectByteMathFree(NULL, bmd);
681 
682  PASS;
683 }
684 
685 static int DetectByteMathParseTest12(void)
686 {
687  uint8_t flags = DETECT_BYTEMATH_FLAG_RELATIVE | DETECT_BYTEMATH_FLAG_STRING;
688 
689  DetectByteMathData *bmd = DetectByteMathParse(NULL,
690  "bytes 4, offset 2, oper +,"
691  "rvalue 39, result bar, "
692  "relative, string dec",
693  NULL, NULL);
694 
695  FAIL_IF(bmd == NULL);
696  FAIL_IF_NOT(bmd->nbytes == 4);
697  FAIL_IF_NOT(bmd->offset == 2);
698  FAIL_IF_NOT(bmd->oper == Addition);
699  FAIL_IF_NOT(bmd->rvalue == 39);
700  FAIL_IF_NOT(strcmp(bmd->result, "bar") == 0);
701  FAIL_IF_NOT(bmd->flags == flags);
702  FAIL_IF_NOT(bmd->endian == BigEndian);
703  FAIL_IF_NOT(bmd->base == BaseDec);
704 
705  DetectByteMathFree(NULL, bmd);
706 
707  PASS;
708 }
709 
710 static int DetectByteMathParseTest13(void)
711 {
712  uint8_t flags = DETECT_BYTEMATH_FLAG_STRING |
713  DETECT_BYTEMATH_FLAG_RELATIVE |
714  DETECT_BYTEMATH_FLAG_BITMASK;
715 
716  DetectByteMathData *bmd = DetectByteMathParse(NULL,
717  "bytes 4, offset 2, oper +, "
718  "rvalue 39, result bar, "
719  "relative, string dec, bitmask "
720  "0x8f40",
721  NULL, NULL);
722 
723  FAIL_IF(bmd == NULL);
724  FAIL_IF_NOT(bmd->nbytes == 4);
725  FAIL_IF_NOT(bmd->offset == 2);
726  FAIL_IF_NOT(bmd->oper == Addition);
727  FAIL_IF_NOT(bmd->rvalue == 39);
728  FAIL_IF_NOT(strcmp(bmd->result, "bar") == 0);
729  FAIL_IF_NOT(bmd->bitmask_val == 0x8f40);
730  FAIL_IF_NOT(bmd->bitmask_shift_count == 6);
731  FAIL_IF_NOT(bmd->flags == flags);
732  FAIL_IF_NOT(bmd->endian == BigEndian);
733  FAIL_IF_NOT(bmd->base == BaseDec);
734 
735  DetectByteMathFree(NULL, bmd);
736 
737  PASS;
738 }
739 
740 
741 static int DetectByteMathParseTest14(void)
742 {
743  /* incomplete */
744  DetectByteMathData *bmd = DetectByteMathParse(NULL,
745  "bytes 4, offset 2, oper +,"
746  "rvalue foo",
747  NULL, NULL);
748 
749  FAIL_IF_NOT(bmd == NULL);
750 
751  PASS;
752 }
753 
754 static int DetectByteMathParseTest15(void)
755 {
756 
757  /* incomplete */
758  DetectByteMathData *bmd = DetectByteMathParse(NULL,
759  "bytes 4, offset 2, oper +, "
760  "result bar",
761  NULL, NULL);
762 
763  FAIL_IF_NOT(bmd == NULL);
764 
765  PASS;
766 }
767 
768 static int DetectByteMathParseTest16(void)
769 {
770  uint8_t flags = DETECT_BYTEMATH_FLAG_STRING | DETECT_BYTEMATH_FLAG_RELATIVE |
771  DETECT_BYTEMATH_FLAG_BITMASK;
772 
773  DetectByteMathData *bmd = DetectByteMathParse(NULL,
774  "bytes 4, offset -2, oper +, "
775  "rvalue 39, result bar, "
776  "relative, string dec, bitmask "
777  "0x8f40",
778  NULL, NULL);
779 
780  FAIL_IF(bmd == NULL);
781  FAIL_IF_NOT(bmd->nbytes == 4);
782  FAIL_IF_NOT(bmd->offset == -2);
783  FAIL_IF_NOT(bmd->oper == Addition);
784  FAIL_IF_NOT(bmd->rvalue == 39);
785  FAIL_IF_NOT(strcmp(bmd->result, "bar") == 0);
786  FAIL_IF_NOT(bmd->bitmask_val == 0x8f40);
787  FAIL_IF_NOT(bmd->bitmask_shift_count == 6);
788  FAIL_IF_NOT(bmd->flags == flags);
789  FAIL_IF_NOT(bmd->endian == BigEndian);
790  FAIL_IF_NOT(bmd->base == BaseDec);
791 
792  DetectByteMathFree(NULL, bmd);
793 
794  PASS;
795 }
796 
797 static int DetectByteMathPacket01(void)
798 {
799  uint8_t buf[] = { 0x38, 0x35, 0x6d, 0x00, 0x00, 0x01,
800  0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
801  0x00, 0x00, 0x6d, 0x00, 0x01, 0x00 };
802  Flow f;
803  void *dns_state = NULL;
804  Packet *p = NULL;
805  Signature *s = NULL;
806  ThreadVars tv;
807  DetectEngineThreadCtx *det_ctx = NULL;
808  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
809 
810  memset(&tv, 0, sizeof(ThreadVars));
811  memset(&f, 0, sizeof(Flow));
812 
813  p = UTHBuildPacketReal(buf, sizeof(buf), IPPROTO_UDP,
814  "192.168.1.5", "192.168.1.1",
815  41424, 53);
816  FAIL_IF_NULL(p);
817 
818  FLOW_INITIALIZE(&f);
819  f.flags |= FLOW_IPV4;
820  f.proto = IPPROTO_UDP;
821  f.protomap = FlowGetProtoMapping(f.proto);
822 
823  p->flow = &f;
824  p->flags |= PKT_HAS_FLOW;
825  p->flowflags |= FLOW_PKT_TOSERVER;
826  f.alproto = ALPROTO_DNS;
827 
828  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
829  FAIL_IF_NULL(de_ctx);
830 
831  de_ctx->mpm_matcher = mpm_default_matcher;
832  de_ctx->flags |= DE_QUIET;
833 
834  /*
835  * byte_extract: Extract 1 byte from offset 0 --> 0x0038
836  * byte_math: Extract 1 byte from offset 2 (0x35)
837  * Add 0x35 + 0x38 = 109 (0x6d)
838  * byte_test: Compare 2 bytes at offset 13 bytes from last
839  * match and compare with 0x6d
840  */
841  s = DetectEngineAppendSig(de_ctx, "alert udp any any -> any any "
842  "(byte_extract: 1, 0, extracted_val, relative;"
843  "byte_math: bytes 1, offset 1, oper +, rvalue extracted_val, result var;"
844  "byte_test: 2, =, var, 13;"
845  "msg:\"Byte extract and byte math with byte test verification\";"
846  "sid:1;)");
847  FAIL_IF_NULL(s);
848 
849  /* this rule should not alert */
850  s = DetectEngineAppendSig(de_ctx, "alert udp any any -> any any "
851  "(byte_extract: 1, 0, extracted_val, relative;"
852  "byte_math: bytes 1, offset 1, oper +, rvalue extracted_val, result var;"
853  "byte_test: 2, !=, var, 13;"
854  "msg:\"Byte extract and byte math with byte test verification\";"
855  "sid:2;)");
856  FAIL_IF_NULL(s);
857 
858  /*
859  * this rule should alert:
860  * compares offset 15 with var ... 1 (offset 15) < 0x6d (var)
861  */
862  s = DetectEngineAppendSig(de_ctx, "alert udp any any -> any any "
863  "(byte_extract: 1, 0, extracted_val, relative;"
864  "byte_math: bytes 1, offset 1, oper +, rvalue extracted_val, result var;"
865  "byte_test: 2, <, var, 15;"
866  "msg:\"Byte extract and byte math with byte test verification\";"
867  "sid:3;)");
868  FAIL_IF_NULL(s);
869 
870  SigGroupBuild(de_ctx);
871  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
872  FAIL_IF_NULL(det_ctx);
873 
874  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS,
875  STREAM_TOSERVER, buf, sizeof(buf));
876  FAIL_IF_NOT(r == 0);
877 
878  dns_state = f.alstate;
879  FAIL_IF_NULL(dns_state);
880 
881  /* do detect */
882  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
883 
884  /* ensure sids 1 & 3 alerted */
885  FAIL_IF_NOT(PacketAlertCheck(p, 1));
886  FAIL_IF(PacketAlertCheck(p, 2));
887  FAIL_IF_NOT(PacketAlertCheck(p, 3));
888 
889  AppLayerParserThreadCtxFree(alp_tctx);
890  DetectEngineThreadCtxDeinit(&tv, det_ctx);
891  DetectEngineCtxFree(de_ctx);
892 
893  FLOW_DESTROY(&f);
894  UTHFreePacket(p);
895 
896  PASS;
897 }
898 
899 static int DetectByteMathPacket02(void)
900 {
901  uint8_t buf[] = { 0x38, 0x35, 0x6d, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
902  0x00, 0x70, 0x00, 0x01, 0x00 };
903  Flow f;
904  void *dns_state = NULL;
905  Packet *p = NULL;
906  Signature *s = NULL;
907  ThreadVars tv;
908  DetectEngineThreadCtx *det_ctx = NULL;
909  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
910 
911  memset(&tv, 0, sizeof(ThreadVars));
912  memset(&f, 0, sizeof(Flow));
913 
914  p = UTHBuildPacketReal(buf, sizeof(buf), IPPROTO_UDP, "192.168.1.5", "192.168.1.1", 41424, 53);
915  FAIL_IF_NULL(p);
916 
917  FLOW_INITIALIZE(&f);
918  f.flags |= FLOW_IPV4;
919  f.proto = IPPROTO_UDP;
920  f.protomap = FlowGetProtoMapping(f.proto);
921 
922  p->flow = &f;
923  p->flags |= PKT_HAS_FLOW;
924  p->flowflags |= FLOW_PKT_TOSERVER;
925  f.alproto = ALPROTO_DNS;
926 
927  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
928  FAIL_IF_NULL(de_ctx);
929 
930  de_ctx->mpm_matcher = mpm_default_matcher;
931  de_ctx->flags |= DE_QUIET;
932 
933  /*
934  * byte_extract: Extract 1 byte from offset 0 --> 0x38
935  * byte_math: Extract 1 byte from offset -1 (0x38)
936  * Add 0x38 + 0x38 = 112 (0x70)
937  * byte_test: Compare 2 bytes at offset 13 bytes from last
938  * match and compare with 0x70
939  */
940  s = DetectEngineAppendSig(de_ctx,
941  "alert udp any any -> any any "
942  "(byte_extract: 1, 0, extracted_val, relative;"
943  "byte_math: bytes 1, offset -1, oper +, rvalue extracted_val, result var, relative;"
944  "byte_test: 2, =, var, 13;"
945  "msg:\"Byte extract and byte math with byte test verification\";"
946  "sid:1;)");
947  FAIL_IF_NULL(s);
948 
949  /* this rule should not alert */
950  s = DetectEngineAppendSig(de_ctx,
951  "alert udp any any -> any any "
952  "(byte_extract: 1, 0, extracted_val, relative;"
953  "byte_math: bytes 1, offset -1, oper +, rvalue extracted_val, result var, relative;"
954  "byte_test: 2, !=, var, 13;"
955  "msg:\"Byte extract and byte math with byte test verification\";"
956  "sid:2;)");
957  FAIL_IF_NULL(s);
958 
959  /*
960  * this rule should alert:
961  * compares offset 15 with var ... 1 (offset 15) < 0x70 (var)
962  */
963  s = DetectEngineAppendSig(de_ctx,
964  "alert udp any any -> any any "
965  "(byte_extract: 1, 0, extracted_val, relative;"
966  "byte_math: bytes 1, offset -1, oper +, rvalue extracted_val, result var, relative;"
967  "byte_test: 2, <, var, 15;"
968  "msg:\"Byte extract and byte math with byte test verification\";"
969  "sid:3;)");
970  FAIL_IF_NULL(s);
971 
972  SigGroupBuild(de_ctx);
973  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
974  FAIL_IF_NULL(det_ctx);
975 
976  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS, STREAM_TOSERVER, buf, sizeof(buf));
977  FAIL_IF_NOT(r == 0);
978 
979  dns_state = f.alstate;
980  FAIL_IF_NULL(dns_state);
981 
982  /* do detect */
983  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
984 
985  /* ensure sids 1 & 3 alerted */
986  FAIL_IF_NOT(PacketAlertCheck(p, 1));
987  FAIL_IF(PacketAlertCheck(p, 2));
988  FAIL_IF_NOT(PacketAlertCheck(p, 3));
989 
990  AppLayerParserThreadCtxFree(alp_tctx);
991  DetectEngineThreadCtxDeinit(&tv, det_ctx);
992  DetectEngineCtxFree(de_ctx);
993 
994  FLOW_DESTROY(&f);
995  UTHFreePacket(p);
996 
997  PASS;
998 }
999 
1000 static int DetectByteMathContext01(void)
1001 {
1002  DetectEngineCtx *de_ctx = NULL;
1003  Signature *s = NULL;
1004  SigMatch *sm = NULL;
1005  DetectContentData *cd = NULL;
1006  DetectByteMathData *bmd = NULL;
1007 
1008  de_ctx = DetectEngineCtxInit();
1009  FAIL_IF(de_ctx == NULL);
1010 
1011  de_ctx->flags |= DE_QUIET;
1012  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1013  "(msg:\"Testing bytemath_body\"; "
1014  "content:\"|00 04 93 F3|\"; "
1015  "content:\"|00 00 00 07|\"; distance:4; within:4;"
1016  "byte_math:bytes 4, offset 0, oper +, rvalue "
1017  "248, result var, relative; sid:1;)");
1018 
1019  FAIL_IF(de_ctx->sig_list == NULL);
1020 
1021  FAIL_IF(s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL);
1022 
1023  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1024  FAIL_IF(sm->type != DETECT_CONTENT);
1025  cd = (DetectContentData *)sm->ctx;
1026  FAIL_IF(cd->flags & DETECT_CONTENT_WITHIN);
1027  FAIL_IF(cd->flags & DETECT_CONTENT_DISTANCE);
1028  FAIL_IF(cd->content_len != 4);
1029 
1030  sm = sm->next;
1031  FAIL_IF(sm->type != DETECT_CONTENT);
1032  sm = sm->next;
1033  FAIL_IF(sm->type != DETECT_BYTEMATH);
1034 
1035  FAIL_IF(sm->ctx == NULL);
1036 
1037  bmd = (DetectByteMathData *)sm->ctx;
1038  FAIL_IF_NOT(bmd->nbytes == 4);
1039  FAIL_IF_NOT(bmd->offset == 0);
1040  FAIL_IF_NOT(bmd->rvalue == 248);
1041  FAIL_IF_NOT(strcmp(bmd->result, "var") == 0);
1042  FAIL_IF_NOT(bmd->flags == DETECT_BYTEMATH_FLAG_RELATIVE);
1043  FAIL_IF_NOT(bmd->endian == BigEndian);
1044  FAIL_IF_NOT(bmd->oper == Addition);
1045  FAIL_IF_NOT(bmd->base == BaseDec);
1046 
1047  DetectEngineCtxFree(de_ctx);
1048 
1049  PASS;
1050 }
1051 
1052 static void DetectByteMathRegisterTests(void)
1053 {
1054  UtRegisterTest("DetectByteMathParseTest01", DetectByteMathParseTest01);
1055  UtRegisterTest("DetectByteMathParseTest02", DetectByteMathParseTest02);
1056  UtRegisterTest("DetectByteMathParseTest03", DetectByteMathParseTest03);
1057  UtRegisterTest("DetectByteMathParseTest04", DetectByteMathParseTest04);
1058  UtRegisterTest("DetectByteMathParseTest05", DetectByteMathParseTest05);
1059  UtRegisterTest("DetectByteMathParseTest06", DetectByteMathParseTest06);
1060  UtRegisterTest("DetectByteMathParseTest07", DetectByteMathParseTest07);
1061  UtRegisterTest("DetectByteMathParseTest08", DetectByteMathParseTest08);
1062  UtRegisterTest("DetectByteMathParseTest09", DetectByteMathParseTest09);
1063  UtRegisterTest("DetectByteMathParseTest10", DetectByteMathParseTest10);
1064  UtRegisterTest("DetectByteMathParseTest11", DetectByteMathParseTest11);
1065  UtRegisterTest("DetectByteMathParseTest12", DetectByteMathParseTest12);
1066  UtRegisterTest("DetectByteMathParseTest13", DetectByteMathParseTest13);
1067  UtRegisterTest("DetectByteMathParseTest14", DetectByteMathParseTest14);
1068  UtRegisterTest("DetectByteMathParseTest15", DetectByteMathParseTest15);
1069  UtRegisterTest("DetectByteMathParseTest16", DetectByteMathParseTest16);
1070  UtRegisterTest("DetectByteMathPacket01", DetectByteMathPacket01);
1071  UtRegisterTest("DetectByteMathPacket02", DetectByteMathPacket02);
1072  UtRegisterTest("DetectByteMathContext01", DetectByteMathContext01);
1073 }
1074 #endif /* UNITTESTS */
util-byte.h
DETECT_CONTENT_RELATIVE_NEXT
#define DETECT_CONTENT_RELATIVE_NEXT
Definition: detect-content.h:66
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1737
SignatureInitDataBuffer_::head
SigMatch * head
Definition: detect.h:535
detect-content.h
len
uint8_t len
Definition: app-layer-dnp3.h:2
DetectEngineThreadCtx_::buffer_offset
uint32_t buffer_offset
Definition: detect.h:1122
detect-engine.h
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:116
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:586
ByteExtractUint64
int ByteExtractUint64(uint64_t *res, int e, uint16_t len, const uint8_t *bytes)
Definition: util-byte.c:122
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:127
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1264
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:38
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1294
flow-util.h
ALPROTO_DNS
@ ALPROTO_DNS
Definition: app-layer-protos.h:41
SigTableElmt_::name
const char * name
Definition: detect.h:1304
SignatureInitData_::smlists_tail
struct SigMatch_ * smlists_tail[DETECT_SM_LIST_MAX]
Definition: detect.h:588
DETECT_BYTEJUMP
@ DETECT_BYTEJUMP
Definition: detect-engine-register.h:84
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:70
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
Flow_::proto
uint8_t proto
Definition: flow.h:378
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
Packet_::flags
uint32_t flags
Definition: decode.h:510
threads.h
Flow_
Flow data structure.
Definition: flow.h:356
Flow_::protomap
uint8_t protomap
Definition: flow.h:450
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:841
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2611
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:300
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:232
DE_QUIET
#define DE_QUIET
Definition: detect.h:323
mpm_default_matcher
uint8_t mpm_default_matcher
Definition: util-mpm.c:48
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1938
DetectContentData_
Definition: detect-content.h:93
DetectPcreData_::flags
uint16_t flags
Definition: detect-pcre.h:46
ByteExtractStringUint64
int ByteExtractStringUint64(uint64_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:234
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2587
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:504
DetectBufferGetActiveList
int DetectBufferGetActiveList(DetectEngineCtx *de_ctx, Signature *s)
Definition: detect-engine.c:1424
UTHBuildPacketReal
Packet * UTHBuildPacketReal(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, const char *src, const char *dst, uint16_t sport, uint16_t dport)
UTHBuildPacketReal is a function that create tcp/udp packets for unittests specifying ip and port sou...
Definition: util-unittest-helper.c:260
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1289
detect-pcre.h
DETECT_BYTEMATH_ENDIAN_DEFAULT
#define DETECT_BYTEMATH_ENDIAN_DEFAULT
Definition: detect-bytemath.c:61
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:99
DetectByteIndexType
uint8_t DetectByteIndexType
Definition: detect-byte.h:28
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
DetectGetLastSMByListId
SigMatch * DetectGetLastSMByListId(const Signature *s, int list_id,...)
Returns the sm with the largest index (added last) from the list passed to us as an id.
Definition: detect-parse.c:700
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
decode.h
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
DETECT_CONTENT_DISTANCE
#define DETECT_CONTENT_DISTANCE
Definition: detect-content.h:30
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1093
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:22
SignatureInitData_::list
int list
Definition: detect.h:570
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3347
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:353
DetectEngineCtx_::mpm_matcher
uint8_t mpm_matcher
Definition: detect.h:844
DetectByteMathRetrieveSMVar
SigMatch * DetectByteMathRetrieveSMVar(const char *arg, const Signature *s)
Lookup the SigMatch for a named byte_math variable.
Definition: detect-bytemath.c:442
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2285
app-layer-parser.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:352
BYTE_BIG_ENDIAN
#define BYTE_BIG_ENDIAN
Definition: util-byte.h:29
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:300
FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:98
Packet_
Definition: decode.h:473
detect-engine-build.h
detect-engine-alert.h
DetectContentData_::flags
uint32_t flags
Definition: detect-content.h:104
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:670
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1272
detect-byte.h
DetectEngineCtx_::byte_extract_max_local_id
int32_t byte_extract_max_local_id
Definition: detect.h:919
DETECT_PCRE
@ DETECT_PCRE
Definition: detect-engine-register.h:72
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2144
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:279
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:344
DETECT_SM_LIST_NOTSET
#define DETECT_SM_LIST_NOTSET
Definition: detect.h:141
DETECT_BYTETEST
@ DETECT_BYTETEST
Definition: detect-engine-register.h:83
BYTE_LITTLE_ENDIAN
#define BYTE_LITTLE_ENDIAN
Definition: util-byte.h:30
Packet_::flow
struct Flow_ * flow
Definition: decode.h:512
DetectByteMathDoMatch
int DetectByteMathDoMatch(DetectEngineThreadCtx *det_ctx, const DetectByteMathData *data, const Signature *s, const uint8_t *payload, const uint32_t payload_len, uint8_t nbytes, uint64_t rvalue, uint64_t *value, uint8_t endian)
Definition: detect-bytemath.c:88
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
DetectByteRetrieveSMVar
bool DetectByteRetrieveSMVar(const char *arg, const Signature *s, DetectByteIndexType *index)
Used to retrieve args from BM.
Definition: detect-byte.c:40
flags
uint8_t flags
Definition: decode-gre.h:0
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1265
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:350
DETECT_BYTEMATH_BASE_DEFAULT
#define DETECT_BYTEMATH_BASE_DEFAULT
Definition: detect-bytemath.c:62
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3574
util-spm.h
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:849
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
DetectBytemathRegister
void DetectBytemathRegister(void)
Registers the keyword handlers for the "byte_math" keyword.
Definition: detect-bytemath.c:71
SignatureInitData_::buffers
SignatureInitDataBuffer * buffers
Definition: detect.h:591
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SigMatchListSMBelongsTo
int SigMatchListSMBelongsTo(const Signature *s, const SigMatch *key_sm)
Definition: detect-parse.c:805
SCFree
#define SCFree(p)
Definition: util-mem.h:61
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:467
Flow_::alstate
void * alstate
Definition: flow.h:481
DETECT_BYTE_EXTRACT
@ DETECT_BYTE_EXTRACT
Definition: detect-engine-register.h:86
Flow_::flags
uint32_t flags
Definition: flow.h:426
detect-parse.h
Signature_
Signature container.
Definition: detect.h:601
SigMatch_
a single match condition for a signature
Definition: detect.h:349
payload_len
uint16_t payload_len
Definition: stream-tcp-private.h:1
DETECT_ISDATAAT
@ DETECT_ISDATAAT
Definition: detect-engine-register.h:94
DETECT_SM_LIST_MAX
@ DETECT_SM_LIST_MAX
Definition: detect.h:132
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2572
DETECT_PCRE_RELATIVE_NEXT
#define DETECT_PCRE_RELATIVE_NEXT
Definition: detect-pcre.h:34
app-layer-protos.h
DetectPcreData_
Definition: detect-pcre.h:42
DetectContentData_::content_len
uint16_t content_len
Definition: detect-content.h:95
DETECT_BYTEMATH
@ DETECT_BYTEMATH
Definition: detect-engine-register.h:85
DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition: detect-parse.c:606
SigMatchAppendSMToList
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:436
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:843
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:58
flow.h
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:455
SignatureInitData_::buffer_index
uint32_t buffer_index
Definition: detect.h:592
flow-var.h
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:121
DETECT_CONTENT_WITHIN
#define DETECT_CONTENT_WITHIN
Definition: detect-content.h:31
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1296
detect-bytemath.h