suricata
detect-bytemath.c
Go to the documentation of this file.
1 /* Copyright (C) 2020-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Jeff Lucovsky <jeff@lucovsky.org>
22  */
23 
24 /*
25  * Refer to the Snort manual, section 3.5.34 for details.
26  */
27 
28 #include "suricata-common.h"
29 #include "threads.h"
30 #include "decode.h"
31 
32 #include "app-layer-parser.h"
33 #include "app-layer-protos.h"
34 
35 #include "detect.h"
36 #include "detect-parse.h"
37 #include "detect-engine.h"
38 #include "detect-engine-mpm.h"
39 #include "detect-engine-state.h"
40 #include "detect-engine-build.h"
41 
42 #include "rust-bindings.h"
43 
44 #include "detect-content.h"
45 #include "detect-pcre.h"
46 #include "detect-byte.h"
47 #include "detect-bytemath.h"
48 
49 #include "flow.h"
50 #include "flow-var.h"
51 #include "flow-util.h"
52 
53 #include "util-byte.h"
54 #include "util-debug.h"
55 #include "util-unittest.h"
56 #include "util-unittest-helper.h"
57 #include "util-spm.h"
58 
59 static int DetectByteMathSetup(DetectEngineCtx *, Signature *, const char *);
60 #ifdef UNITTESTS
61 static void DetectByteMathRegisterTests(void);
62 #endif
63 static void DetectByteMathFree(DetectEngineCtx *, void *);
64 
65 #define DETECT_BYTEMATH_ENDIAN_DEFAULT (uint8_t) BigEndian
66 #define DETECT_BYTEMATH_BASE_DEFAULT (uint8_t) BaseDec
67 /**
68  * \brief Registers the keyword handlers for the "byte_math" keyword.
69  */
70 void DetectBytemathRegister(void)
71 {
72  sigmatch_table[DETECT_BYTEMATH].name = "byte_math";
73  sigmatch_table[DETECT_BYTEMATH].Match = NULL;
74  sigmatch_table[DETECT_BYTEMATH].Setup = DetectByteMathSetup;
75  sigmatch_table[DETECT_BYTEMATH].Free = DetectByteMathFree;
76 #ifdef UNITTESTS
77  sigmatch_table[DETECT_BYTEMATH].RegisterTests = DetectByteMathRegisterTests;
78 #endif
79 }
80 
81 static inline bool DetectByteMathValidateNbytesOnly(const DetectByteMathData *data, int32_t nbytes)
82 {
83  return nbytes >= 1 &&
84  (((data->flags & DETECT_BYTEMATH_FLAG_STRING) && nbytes <= 10) || (nbytes <= 4));
85 }
86 
87 int DetectByteMathDoMatch(DetectEngineThreadCtx *det_ctx, const DetectByteMathData *data,
88  const Signature *s, const uint8_t *payload, const uint32_t payload_len, uint8_t nbytes,
89  uint64_t rvalue, uint64_t *value, uint8_t endian)
90 {
91  if (payload_len == 0) {
92  return 0;
93  }
94 
95  if (!DetectByteMathValidateNbytesOnly(data, nbytes)) {
96  return 0;
97  }
98 
99  const uint8_t *ptr;
100  int32_t len;
101  uint64_t val;
102  int extbytes;
103 
104  /* Calculate the ptr value for the byte-math op and length remaining in
105  * the packet from that point.
106  */
107  if (data->flags & DETECT_BYTEMATH_FLAG_RELATIVE) {
108  SCLogDebug("relative, working with det_ctx->buffer_offset %" PRIu32 ", "
109  "data->offset %" PRIi32 "",
110  det_ctx->buffer_offset, data->offset);
111 
112  ptr = payload + det_ctx->buffer_offset;
113  len = payload_len - det_ctx->buffer_offset;
114 
115  ptr += data->offset;
116  len -= data->offset;
117 
118  /* No match if there is no relative base */
119  if (len <= 0) {
120  return 0;
121  }
122  } else {
123  SCLogDebug("absolute, data->offset %" PRIi32 "", data->offset);
124 
125  ptr = payload + data->offset;
126  len = payload_len - data->offset;
127  }
128 
129  /* Validate that the to-be-extracted is within the packet */
130  if (ptr < payload || nbytes > len) {
131  SCLogDebug("Data not within payload pkt=%p, ptr=%p, len=%" PRIu32 ", nbytes=%d", payload,
132  ptr, len, nbytes);
133  return 0;
134  }
135 
136  /* Extract the byte data */
137  if (data->flags & DETECT_BYTEMATH_FLAG_STRING) {
138  extbytes = ByteExtractStringUint64(&val, data->base, nbytes, (const char *)ptr);
139  if (extbytes <= 0) {
140  if (val == 0) {
141  SCLogDebug("No Numeric value");
142  return 0;
143  } else {
144  SCLogDebug("error extracting %d bytes of string data: %d", nbytes, extbytes);
145  return -1;
146  }
147  }
148  } else {
149  ByteMathEndian bme = endian;
150  int endianness = (bme == BigEndian) ? BYTE_BIG_ENDIAN : BYTE_LITTLE_ENDIAN;
151  extbytes = ByteExtractUint64(&val, endianness, nbytes, ptr);
152  if (extbytes != nbytes) {
153  SCLogDebug("error extracting %d bytes of numeric data: %d", nbytes, extbytes);
154  return 0;
155  }
156  }
157 
158  BUG_ON(extbytes > len);
159 
160  ptr += extbytes;
161 
162  switch (data->oper) {
163  case OperatorNone:
164  break;
165  case Addition:
166  val += rvalue;
167  break;
168  case Subtraction:
169  val -= rvalue;
170  break;
171  case Division:
172  if (rvalue == 0) {
173  SCLogDebug("avoiding division by zero");
174  return 0;
175  }
176  val /= rvalue;
177  break;
178  case Multiplication:
179  val *= rvalue;
180  break;
181  case LeftShift:
182  if (rvalue < 64) {
183  val <<= rvalue;
184  } else {
185  val = 0;
186  }
187  break;
188  case RightShift:
189  val >>= rvalue;
190  break;
191  }
192 
193  det_ctx->buffer_offset = ptr - payload;
194 
195  if (data->flags & DETECT_BYTEMATH_FLAG_BITMASK) {
196  val &= data->bitmask_val;
197  if (val && data->bitmask_shift_count) {
198  val = val >> data->bitmask_shift_count;
199  }
200  }
201 
202  *value = val;
203  return 1;
204 }
205 
206 /**
207  * \internal
208  * \brief Used to parse byte_math arg.
209  *
210  * \param arg The argument to parse.
211  * \param rvalue May be NULL. When non-null, will contain the variable
212  * name of rvalue (iff rvalue is not a scalar value)
213  *
214  * \retval bmd On success an instance containing the parsed data.
215  * On failure, NULL.
216  */
217 static DetectByteMathData *DetectByteMathParse(
218  DetectEngineCtx *de_ctx, const char *arg, char **nbytes, char **rvalue)
219 {
220  DetectByteMathData *bmd;
221  if ((bmd = ScByteMathParse(arg)) == NULL) {
222  SCLogError("invalid bytemath values");
223  return NULL;
224  }
225 
226  if (bmd->nbytes_str) {
227  if (nbytes == NULL) {
228  SCLogError("byte_math supplied with "
229  "var name for nbytes. \"nbytes\" argument supplied to "
230  "this function must be non-NULL");
231  goto error;
232  }
233  *nbytes = SCStrdup(bmd->nbytes_str);
234  if (*nbytes == NULL) {
235  goto error;
236  }
237  }
238 
239  if (bmd->rvalue_str) {
240  if (rvalue == NULL) {
241  SCLogError("byte_math supplied with "
242  "var name for rvalue. \"rvalue\" argument supplied to "
243  "this function must be non-NULL");
244  goto error;
245  }
246  *rvalue = SCStrdup(bmd->rvalue_str);
247  if (*rvalue == NULL) {
248  goto error;
249  }
250  }
251 
252  if (bmd->flags & DETECT_BYTEMATH_FLAG_BITMASK) {
253  if (bmd->bitmask_val) {
254  uint32_t bmask = bmd->bitmask_val;
255  while (!(bmask & 0x1)){
256  bmask = bmask >> 1;
257  bmd->bitmask_shift_count++;
258  }
259  }
260  }
261 
262  return bmd;
263 
264  error:
265  if (bmd != NULL)
266  DetectByteMathFree(de_ctx, bmd);
267  return NULL;
268 }
269 
270 /**
271  * \brief The setup function for the byte_math keyword for a signature.
272  *
273  * \param de_ctx Pointer to the detection engine context.
274  * \param s Pointer to signature for the current Signature being parsed
275  * from the rules.
276  * \param arg Pointer to the string holding the keyword value.
277  *
278  * \retval 0 On success.
279  * \retval -1 On failure.
280  */
281 static int DetectByteMathSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
282 {
283  SigMatch *prev_pm = NULL;
284  DetectByteMathData *data;
285  char *rvalue = NULL;
286  char *nbytes = NULL;
287  int ret = -1;
288 
289  data = DetectByteMathParse(de_ctx, arg, &nbytes, &rvalue);
290  if (data == NULL)
291  goto error;
292 
293  int sm_list;
294  if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
295  if (DetectBufferGetActiveList(de_ctx, s) == -1)
296  goto error;
297 
298  sm_list = s->init_data->list;
299 
300  if (data->flags & DETECT_BYTEMATH_FLAG_RELATIVE) {
301  prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, -1);
302  if (!prev_pm) {
303  SCLogError("relative specified without "
304  "previous pattern match");
305  goto error;
306  }
307  }
308  } else if (data->endian == EndianDCE) {
309  if (data->flags & DETECT_BYTEMATH_FLAG_RELATIVE) {
310  prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE,
311  DETECT_BYTETEST, DETECT_BYTEJUMP,
312  DETECT_BYTE_EXTRACT,
313  DETECT_BYTEMATH,
314  DETECT_ISDATAAT, -1);
315  if (prev_pm == NULL) {
316  sm_list = DETECT_SM_LIST_PMATCH;
317  } else {
318  sm_list = SigMatchListSMBelongsTo(s, prev_pm);
319  if (sm_list < 0)
320  goto error;
321  }
322  } else {
323  sm_list = DETECT_SM_LIST_PMATCH;
324  }
325 
326  if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) < 0)
327  goto error;
328 
329  } else if (data->flags & DETECT_BYTEMATH_FLAG_RELATIVE) {
330  prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE,
331  DETECT_BYTETEST, DETECT_BYTEJUMP,
332  DETECT_BYTE_EXTRACT, DETECT_BYTEMATH,
333  DETECT_ISDATAAT, -1);
334  if (prev_pm == NULL) {
335  sm_list = DETECT_SM_LIST_PMATCH;
336  } else {
337  sm_list = SigMatchListSMBelongsTo(s, prev_pm);
338  if (sm_list < 0)
339  goto error;
340  }
341 
342  } else {
343  sm_list = DETECT_SM_LIST_PMATCH;
344  }
345 
346  if (data->endian == EndianDCE) {
347  if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) != 0)
348  goto error;
349 
350  if ((data->flags & DETECT_BYTEMATH_FLAG_STRING) || (data->base == BaseDec) ||
351  (data->base == BaseHex) || (data->base == BaseOct)) {
352  SCLogError("Invalid option. "
353  "A bytemath keyword with dce holds other invalid modifiers.");
354  goto error;
355  }
356  }
357 
358  if (nbytes != NULL) {
359  DetectByteIndexType index;
360  if (!DetectByteRetrieveSMVar(nbytes, s, &index)) {
361  SCLogError("unknown byte_ keyword var seen in byte_math - %s", nbytes);
362  goto error;
363  }
364  data->nbytes = index;
365  data->flags |= DETECT_BYTEMATH_FLAG_NBYTES_VAR;
366  SCFree(nbytes);
367  nbytes = NULL;
368  }
369 
370  if (rvalue != NULL) {
371  DetectByteIndexType index;
372  if (!DetectByteRetrieveSMVar(rvalue, s, &index)) {
373  SCLogError("unknown byte_ keyword var seen in byte_math - %s", rvalue);
374  goto error;
375  }
376  data->rvalue = index;
377  data->flags |= DETECT_BYTEMATH_FLAG_RVALUE_VAR;
378  SCFree(rvalue);
379  rvalue = NULL;
380  }
381 
382  SigMatch *prev_bmd_sm = DetectGetLastSMByListId(s, sm_list,
383  DETECT_BYTEMATH, -1);
384  if (prev_bmd_sm == NULL) {
385  data->local_id = 0;
386  } else {
387  data->local_id = ((DetectByteMathData *)prev_bmd_sm->ctx)->local_id + 1;
388  }
389  if (data->local_id > de_ctx->byte_extract_max_local_id) {
390  de_ctx->byte_extract_max_local_id = data->local_id;
391  }
392 
393  if (SigMatchAppendSMToList(de_ctx, s, DETECT_BYTEMATH, (SigMatchCtx *)data, sm_list) == NULL) {
394  goto error;
395  }
396 
397  if (!(data->flags & DETECT_BYTEMATH_FLAG_RELATIVE))
398  goto okay;
399 
400  if (prev_pm == NULL)
401  goto okay;
402 
403  if (prev_pm->type == DETECT_CONTENT) {
404  DetectContentData *cd = (DetectContentData *)prev_pm->ctx;
405  cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
406  } else if (prev_pm->type == DETECT_PCRE) {
407  DetectPcreData *pd = (DetectPcreData *)prev_pm->ctx;
408  pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
409  }
410 
411  okay:
412  return 0;
413 
414  error:
415  if (rvalue)
416  SCFree(rvalue);
417  if (nbytes)
418  SCFree(nbytes);
419  DetectByteMathFree(de_ctx, data);
420  return ret;
421 }
422 
423 /**
424  * \brief Used to free instances of DetectByteMathractData.
425  *
426  * \param ptr Instance of DetectByteMathData to be freed.
427  */
428 static void DetectByteMathFree(DetectEngineCtx *de_ctx, void *ptr)
429 {
430  ScByteMathFree(ptr);
431 }
432 
433 /**
434  * \brief Lookup the SigMatch for a named byte_math variable.
435  *
436  * \param arg The name of the byte_math variable to lookup.
437  * \param s Pointer the signature to look in.
438  *
439  * \retval A pointer to the SigMatch if found, otherwise NULL.
440  */
441 SigMatch *DetectByteMathRetrieveSMVar(const char *arg, const Signature *s)
442 {
443  for (uint32_t x = 0; x < s->init_data->buffer_index; x++) {
444  SigMatch *sm = s->init_data->buffers[x].head;
445  while (sm != NULL) {
446  if (sm->type == DETECT_BYTEMATH) {
447  const DetectByteMathData *bmd = (const DetectByteMathData *)sm->ctx;
448  if (strcmp(bmd->result, arg) == 0) {
449  SCLogDebug("Retrieved SM for \"%s\"", arg);
450  return sm;
451  }
452  }
453  sm = sm->next;
454  }
455  }
456 
457  for (int list = 0; list < DETECT_SM_LIST_MAX; list++) {
458  SigMatch *sm = s->init_data->smlists[list];
459  while (sm != NULL) {
460  if (sm->type == DETECT_BYTEMATH) {
461  const DetectByteMathData *bmd = (const DetectByteMathData *)sm->ctx;
462  if (strcmp(bmd->result, arg) == 0) {
463  SCLogDebug("Retrieved SM for \"%s\"", arg);
464  return sm;
465  }
466  }
467  sm = sm->next;
468  }
469  }
470 
471  return NULL;
472 }
473 
474 /*************************************Unittests********************************/
475 #ifdef UNITTESTS
476 #include "detect-engine-alert.h"
477 
478 static int DetectByteMathParseTest01(void)
479 {
480 
481  DetectByteMathData *bmd = DetectByteMathParse(NULL,
482  "bytes 4, offset 2, oper +,"
483  "rvalue 10, result bar",
484  NULL, NULL);
485  FAIL_IF(bmd == NULL);
486 
487  FAIL_IF_NOT(bmd->nbytes == 4);
488  FAIL_IF_NOT(bmd->offset == 2);
489  FAIL_IF_NOT(bmd->oper == Addition);
490  FAIL_IF_NOT(bmd->rvalue == 10);
491  FAIL_IF_NOT(strcmp(bmd->result, "bar") == 0);
492  FAIL_IF_NOT(bmd->endian == DETECT_BYTEMATH_ENDIAN_DEFAULT);
493  FAIL_IF_NOT(bmd->base == DETECT_BYTEMATH_BASE_DEFAULT);
494 
495  DetectByteMathFree(NULL, bmd);
496 
497  PASS;
498 }
499 
500 static int DetectByteMathParseTest02(void)
501 {
502  /* bytes value invalid */
503  DetectByteMathData *bmd = DetectByteMathParse(NULL,
504  "bytes 257, offset 2, oper +, "
505  "rvalue 39, result bar",
506  NULL, NULL);
507 
508  FAIL_IF_NOT(bmd == NULL);
509 
510  PASS;
511 }
512 
513 static int DetectByteMathParseTest03(void)
514 {
515  /* bytes value invalid */
516  DetectByteMathData *bmd = DetectByteMathParse(NULL,
517  "bytes 11, offset 2, oper +, "
518  "rvalue 39, result bar",
519  NULL, NULL);
520  FAIL_IF_NOT(bmd == NULL);
521 
522  PASS;
523 }
524 
525 static int DetectByteMathParseTest04(void)
526 {
527  /* offset value invalid */
528  DetectByteMathData *bmd = DetectByteMathParse(NULL,
529  "bytes 4, offset 70000, oper +,"
530  " rvalue 39, result bar",
531  NULL, NULL);
532 
533  FAIL_IF_NOT(bmd == NULL);
534 
535  PASS;
536 }
537 
538 static int DetectByteMathParseTest05(void)
539 {
540  /* oper value invalid */
541  DetectByteMathData *bmd = DetectByteMathParse(NULL,
542  "bytes 11, offset 16, oper &,"
543  "rvalue 39, result bar",
544  NULL, NULL);
545  FAIL_IF_NOT(bmd == NULL);
546 
547  PASS;
548 }
549 
550 static int DetectByteMathParseTest06(void)
551 {
552  uint8_t flags = DETECT_BYTEMATH_FLAG_RELATIVE;
553  char *rvalue = NULL;
554 
555  DetectByteMathData *bmd = DetectByteMathParse(NULL,
556  "bytes 4, offset 0, oper +,"
557  "rvalue 248, result var, relative",
558  NULL, &rvalue);
559 
560  FAIL_IF(bmd == NULL);
561  FAIL_IF_NOT(bmd->nbytes == 4);
562  FAIL_IF_NOT(bmd->offset == 0);
563  FAIL_IF_NOT(bmd->oper == Addition);
564  FAIL_IF_NOT(bmd->rvalue == 248);
565  FAIL_IF_NOT(strcmp(bmd->result, "var") == 0);
566  FAIL_IF_NOT(bmd->flags == flags);
567  FAIL_IF_NOT(bmd->endian == DETECT_BYTEMATH_ENDIAN_DEFAULT);
568  FAIL_IF_NOT(bmd->base == DETECT_BYTEMATH_BASE_DEFAULT);
569 
570  DetectByteMathFree(NULL, bmd);
571 
572  PASS;
573 }
574 
575 static int DetectByteMathParseTest07(void)
576 {
577  char *rvalue = NULL;
578 
579  DetectByteMathData *bmd = DetectByteMathParse(NULL,
580  "bytes 4, offset 2, oper +,"
581  "rvalue foo, result bar",
582  NULL, &rvalue);
583  FAIL_IF_NOT(rvalue);
584  FAIL_IF_NOT(bmd->nbytes == 4);
585  FAIL_IF_NOT(bmd->offset == 2);
586  FAIL_IF_NOT(bmd->oper == Addition);
587  FAIL_IF_NOT(strcmp(rvalue, "foo") == 0);
588  FAIL_IF_NOT(strcmp(bmd->result, "bar") == 0);
589  FAIL_IF_NOT(bmd->endian == DETECT_BYTEMATH_ENDIAN_DEFAULT);
590  FAIL_IF_NOT(bmd->base == DETECT_BYTEMATH_BASE_DEFAULT);
591 
592  DetectByteMathFree(NULL, bmd);
593 
594  SCFree(rvalue);
595 
596  PASS;
597 }
598 
599 static int DetectByteMathParseTest08(void)
600 {
601  /* ensure Parse checks the pointer value when rvalue is a var */
602  DetectByteMathData *bmd = DetectByteMathParse(NULL,
603  "bytes 4, offset 2, oper +,"
604  "rvalue foo, result bar",
605  NULL, NULL);
606  FAIL_IF_NOT(bmd == NULL);
607 
608  PASS;
609 }
610 
611 static int DetectByteMathParseTest09(void)
612 {
613  uint8_t flags = DETECT_BYTEMATH_FLAG_RELATIVE;
614 
615  DetectByteMathData *bmd = DetectByteMathParse(NULL,
616  "bytes 4, offset 2, oper +,"
617  "rvalue 39, result bar, relative",
618  NULL, NULL);
619  FAIL_IF(bmd == NULL);
620 
621  FAIL_IF_NOT(bmd->nbytes == 4);
622  FAIL_IF_NOT(bmd->offset == 2);
623  FAIL_IF_NOT(bmd->oper == Addition);
624  FAIL_IF_NOT(bmd->rvalue == 39);
625  FAIL_IF_NOT(strcmp(bmd->result, "bar") == 0);
626  FAIL_IF_NOT(bmd->flags == flags);
627  FAIL_IF_NOT(bmd->endian == DETECT_BYTEMATH_ENDIAN_DEFAULT);
628  FAIL_IF_NOT(bmd->base == DETECT_BYTEMATH_BASE_DEFAULT);
629 
630  DetectByteMathFree(NULL, bmd);
631 
632  PASS;
633 }
634 
635 static int DetectByteMathParseTest10(void)
636 {
637  uint8_t flags = DETECT_BYTEMATH_FLAG_ENDIAN;
638 
639  DetectByteMathData *bmd = DetectByteMathParse(NULL,
640  "bytes 4, offset 2, oper +,"
641  "rvalue 39, result bar, endian"
642  " big",
643  NULL, NULL);
644 
645  FAIL_IF(bmd == NULL);
646  FAIL_IF_NOT(bmd->nbytes == 4);
647  FAIL_IF_NOT(bmd->offset == 2);
648  FAIL_IF_NOT(bmd->oper == Addition);
649  FAIL_IF_NOT(bmd->rvalue == 39);
650  FAIL_IF_NOT(strcmp(bmd->result, "bar") == 0);
651  FAIL_IF_NOT(bmd->flags == flags);
652  FAIL_IF_NOT(bmd->endian == BigEndian);
653  FAIL_IF_NOT(bmd->base == DETECT_BYTEMATH_BASE_DEFAULT);
654 
655  DetectByteMathFree(NULL, bmd);
656 
657  PASS;
658 }
659 
660 static int DetectByteMathParseTest11(void)
661 {
662  uint8_t flags = DETECT_BYTEMATH_FLAG_ENDIAN;
663 
664  DetectByteMathData *bmd = DetectByteMathParse(NULL,
665  "bytes 4, offset 2, oper +, "
666  "rvalue 39, result bar, dce",
667  NULL, NULL);
668 
669  FAIL_IF(bmd == NULL);
670  FAIL_IF_NOT(bmd->nbytes == 4);
671  FAIL_IF_NOT(bmd->offset == 2);
672  FAIL_IF_NOT(bmd->oper == Addition);
673  FAIL_IF_NOT(bmd->rvalue == 39);
674  FAIL_IF_NOT(strcmp(bmd->result, "bar") == 0);
675  FAIL_IF_NOT(bmd->flags == flags);
676  FAIL_IF_NOT(bmd->endian == EndianDCE);
677  FAIL_IF_NOT(bmd->base == DETECT_BYTEMATH_BASE_DEFAULT);
678 
679  DetectByteMathFree(NULL, bmd);
680 
681  PASS;
682 }
683 
684 static int DetectByteMathParseTest12(void)
685 {
686  uint8_t flags = DETECT_BYTEMATH_FLAG_RELATIVE | DETECT_BYTEMATH_FLAG_STRING;
687 
688  DetectByteMathData *bmd = DetectByteMathParse(NULL,
689  "bytes 4, offset 2, oper +,"
690  "rvalue 39, result bar, "
691  "relative, string dec",
692  NULL, NULL);
693 
694  FAIL_IF(bmd == NULL);
695  FAIL_IF_NOT(bmd->nbytes == 4);
696  FAIL_IF_NOT(bmd->offset == 2);
697  FAIL_IF_NOT(bmd->oper == Addition);
698  FAIL_IF_NOT(bmd->rvalue == 39);
699  FAIL_IF_NOT(strcmp(bmd->result, "bar") == 0);
700  FAIL_IF_NOT(bmd->flags == flags);
701  FAIL_IF_NOT(bmd->endian == BigEndian);
702  FAIL_IF_NOT(bmd->base == BaseDec);
703 
704  DetectByteMathFree(NULL, bmd);
705 
706  PASS;
707 }
708 
709 static int DetectByteMathParseTest13(void)
710 {
711  uint8_t flags = DETECT_BYTEMATH_FLAG_STRING |
712  DETECT_BYTEMATH_FLAG_RELATIVE |
713  DETECT_BYTEMATH_FLAG_BITMASK;
714 
715  DetectByteMathData *bmd = DetectByteMathParse(NULL,
716  "bytes 4, offset 2, oper +, "
717  "rvalue 39, result bar, "
718  "relative, string dec, bitmask "
719  "0x8f40",
720  NULL, NULL);
721 
722  FAIL_IF(bmd == NULL);
723  FAIL_IF_NOT(bmd->nbytes == 4);
724  FAIL_IF_NOT(bmd->offset == 2);
725  FAIL_IF_NOT(bmd->oper == Addition);
726  FAIL_IF_NOT(bmd->rvalue == 39);
727  FAIL_IF_NOT(strcmp(bmd->result, "bar") == 0);
728  FAIL_IF_NOT(bmd->bitmask_val == 0x8f40);
729  FAIL_IF_NOT(bmd->bitmask_shift_count == 6);
730  FAIL_IF_NOT(bmd->flags == flags);
731  FAIL_IF_NOT(bmd->endian == BigEndian);
732  FAIL_IF_NOT(bmd->base == BaseDec);
733 
734  DetectByteMathFree(NULL, bmd);
735 
736  PASS;
737 }
738 
739 
740 static int DetectByteMathParseTest14(void)
741 {
742  /* incomplete */
743  DetectByteMathData *bmd = DetectByteMathParse(NULL,
744  "bytes 4, offset 2, oper +,"
745  "rvalue foo",
746  NULL, NULL);
747 
748  FAIL_IF_NOT(bmd == NULL);
749 
750  PASS;
751 }
752 
753 static int DetectByteMathParseTest15(void)
754 {
755 
756  /* incomplete */
757  DetectByteMathData *bmd = DetectByteMathParse(NULL,
758  "bytes 4, offset 2, oper +, "
759  "result bar",
760  NULL, NULL);
761 
762  FAIL_IF_NOT(bmd == NULL);
763 
764  PASS;
765 }
766 
767 static int DetectByteMathParseTest16(void)
768 {
769  uint8_t flags = DETECT_BYTEMATH_FLAG_STRING | DETECT_BYTEMATH_FLAG_RELATIVE |
770  DETECT_BYTEMATH_FLAG_BITMASK;
771 
772  DetectByteMathData *bmd = DetectByteMathParse(NULL,
773  "bytes 4, offset -2, oper +, "
774  "rvalue 39, result bar, "
775  "relative, string dec, bitmask "
776  "0x8f40",
777  NULL, NULL);
778 
779  FAIL_IF(bmd == NULL);
780  FAIL_IF_NOT(bmd->nbytes == 4);
781  FAIL_IF_NOT(bmd->offset == -2);
782  FAIL_IF_NOT(bmd->oper == Addition);
783  FAIL_IF_NOT(bmd->rvalue == 39);
784  FAIL_IF_NOT(strcmp(bmd->result, "bar") == 0);
785  FAIL_IF_NOT(bmd->bitmask_val == 0x8f40);
786  FAIL_IF_NOT(bmd->bitmask_shift_count == 6);
787  FAIL_IF_NOT(bmd->flags == flags);
788  FAIL_IF_NOT(bmd->endian == BigEndian);
789  FAIL_IF_NOT(bmd->base == BaseDec);
790 
791  DetectByteMathFree(NULL, bmd);
792 
793  PASS;
794 }
795 
796 static int DetectByteMathPacket01(void)
797 {
798  uint8_t buf[] = { 0x38, 0x35, 0x6d, 0x00, 0x00, 0x01,
799  0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
800  0x00, 0x00, 0x6d, 0x00, 0x01, 0x00 };
801  Flow f;
802  void *dns_state = NULL;
803  Packet *p = NULL;
804  Signature *s = NULL;
805  ThreadVars tv;
806  DetectEngineThreadCtx *det_ctx = NULL;
807  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
808 
809  memset(&tv, 0, sizeof(ThreadVars));
810  memset(&f, 0, sizeof(Flow));
811 
812  p = UTHBuildPacketReal(buf, sizeof(buf), IPPROTO_UDP,
813  "192.168.1.5", "192.168.1.1",
814  41424, 53);
815  FAIL_IF_NULL(p);
816 
817  FLOW_INITIALIZE(&f);
818  f.flags |= FLOW_IPV4;
819  f.proto = IPPROTO_UDP;
820  f.protomap = FlowGetProtoMapping(f.proto);
821 
822  p->flow = &f;
823  p->flags |= PKT_HAS_FLOW;
824  p->flowflags |= FLOW_PKT_TOSERVER;
825  f.alproto = ALPROTO_DNS;
826 
827  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
828  FAIL_IF_NULL(de_ctx);
829 
830  de_ctx->mpm_matcher = mpm_default_matcher;
831  de_ctx->flags |= DE_QUIET;
832 
833  /*
834  * byte_extract: Extract 1 byte from offset 0 --> 0x0038
835  * byte_math: Extract 1 byte from offset 2 (0x35)
836  * Add 0x35 + 0x38 = 109 (0x6d)
837  * byte_test: Compare 2 bytes at offset 13 bytes from last
838  * match and compare with 0x6d
839  */
840  s = DetectEngineAppendSig(de_ctx, "alert udp any any -> any any "
841  "(byte_extract: 1, 0, extracted_val, relative;"
842  "byte_math: bytes 1, offset 1, oper +, rvalue extracted_val, result var;"
843  "byte_test: 2, =, var, 13;"
844  "msg:\"Byte extract and byte math with byte test verification\";"
845  "sid:1;)");
846  FAIL_IF_NULL(s);
847 
848  /* this rule should not alert */
849  s = DetectEngineAppendSig(de_ctx, "alert udp any any -> any any "
850  "(byte_extract: 1, 0, extracted_val, relative;"
851  "byte_math: bytes 1, offset 1, oper +, rvalue extracted_val, result var;"
852  "byte_test: 2, !=, var, 13;"
853  "msg:\"Byte extract and byte math with byte test verification\";"
854  "sid:2;)");
855  FAIL_IF_NULL(s);
856 
857  /*
858  * this rule should alert:
859  * compares offset 15 with var ... 1 (offset 15) < 0x6d (var)
860  */
861  s = DetectEngineAppendSig(de_ctx, "alert udp any any -> any any "
862  "(byte_extract: 1, 0, extracted_val, relative;"
863  "byte_math: bytes 1, offset 1, oper +, rvalue extracted_val, result var;"
864  "byte_test: 2, <, var, 15;"
865  "msg:\"Byte extract and byte math with byte test verification\";"
866  "sid:3;)");
867  FAIL_IF_NULL(s);
868 
869  SigGroupBuild(de_ctx);
870  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
871  FAIL_IF_NULL(det_ctx);
872 
873  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS,
874  STREAM_TOSERVER, buf, sizeof(buf));
875  FAIL_IF_NOT(r == 0);
876 
877  dns_state = f.alstate;
878  FAIL_IF_NULL(dns_state);
879 
880  /* do detect */
881  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
882 
883  /* ensure sids 1 & 3 alerted */
884  FAIL_IF_NOT(PacketAlertCheck(p, 1));
885  FAIL_IF(PacketAlertCheck(p, 2));
886  FAIL_IF_NOT(PacketAlertCheck(p, 3));
887 
888  AppLayerParserThreadCtxFree(alp_tctx);
889  DetectEngineThreadCtxDeinit(&tv, det_ctx);
890  DetectEngineCtxFree(de_ctx);
891 
892  FLOW_DESTROY(&f);
893  UTHFreePacket(p);
894 
895  PASS;
896 }
897 
898 static int DetectByteMathPacket02(void)
899 {
900  uint8_t buf[] = { 0x38, 0x35, 0x6d, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
901  0x00, 0x70, 0x00, 0x01, 0x00 };
902  Flow f;
903  void *dns_state = NULL;
904  Packet *p = NULL;
905  Signature *s = NULL;
906  ThreadVars tv;
907  DetectEngineThreadCtx *det_ctx = NULL;
908  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
909 
910  memset(&tv, 0, sizeof(ThreadVars));
911  memset(&f, 0, sizeof(Flow));
912 
913  p = UTHBuildPacketReal(buf, sizeof(buf), IPPROTO_UDP, "192.168.1.5", "192.168.1.1", 41424, 53);
914  FAIL_IF_NULL(p);
915 
916  FLOW_INITIALIZE(&f);
917  f.flags |= FLOW_IPV4;
918  f.proto = IPPROTO_UDP;
919  f.protomap = FlowGetProtoMapping(f.proto);
920 
921  p->flow = &f;
922  p->flags |= PKT_HAS_FLOW;
923  p->flowflags |= FLOW_PKT_TOSERVER;
924  f.alproto = ALPROTO_DNS;
925 
926  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
927  FAIL_IF_NULL(de_ctx);
928 
929  de_ctx->mpm_matcher = mpm_default_matcher;
930  de_ctx->flags |= DE_QUIET;
931 
932  /*
933  * byte_extract: Extract 1 byte from offset 0 --> 0x38
934  * byte_math: Extract 1 byte from offset -1 (0x38)
935  * Add 0x38 + 0x38 = 112 (0x70)
936  * byte_test: Compare 2 bytes at offset 13 bytes from last
937  * match and compare with 0x70
938  */
939  s = DetectEngineAppendSig(de_ctx,
940  "alert udp any any -> any any "
941  "(byte_extract: 1, 0, extracted_val, relative;"
942  "byte_math: bytes 1, offset -1, oper +, rvalue extracted_val, result var, relative;"
943  "byte_test: 2, =, var, 13;"
944  "msg:\"Byte extract and byte math with byte test verification\";"
945  "sid:1;)");
946  FAIL_IF_NULL(s);
947 
948  /* this rule should not alert */
949  s = DetectEngineAppendSig(de_ctx,
950  "alert udp any any -> any any "
951  "(byte_extract: 1, 0, extracted_val, relative;"
952  "byte_math: bytes 1, offset -1, oper +, rvalue extracted_val, result var, relative;"
953  "byte_test: 2, !=, var, 13;"
954  "msg:\"Byte extract and byte math with byte test verification\";"
955  "sid:2;)");
956  FAIL_IF_NULL(s);
957 
958  /*
959  * this rule should alert:
960  * compares offset 15 with var ... 1 (offset 15) < 0x70 (var)
961  */
962  s = DetectEngineAppendSig(de_ctx,
963  "alert udp any any -> any any "
964  "(byte_extract: 1, 0, extracted_val, relative;"
965  "byte_math: bytes 1, offset -1, oper +, rvalue extracted_val, result var, relative;"
966  "byte_test: 2, <, var, 15;"
967  "msg:\"Byte extract and byte math with byte test verification\";"
968  "sid:3;)");
969  FAIL_IF_NULL(s);
970 
971  SigGroupBuild(de_ctx);
972  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
973  FAIL_IF_NULL(det_ctx);
974 
975  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS, STREAM_TOSERVER, buf, sizeof(buf));
976  FAIL_IF_NOT(r == 0);
977 
978  dns_state = f.alstate;
979  FAIL_IF_NULL(dns_state);
980 
981  /* do detect */
982  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
983 
984  /* ensure sids 1 & 3 alerted */
985  FAIL_IF_NOT(PacketAlertCheck(p, 1));
986  FAIL_IF(PacketAlertCheck(p, 2));
987  FAIL_IF_NOT(PacketAlertCheck(p, 3));
988 
989  AppLayerParserThreadCtxFree(alp_tctx);
990  DetectEngineThreadCtxDeinit(&tv, det_ctx);
991  DetectEngineCtxFree(de_ctx);
992 
993  FLOW_DESTROY(&f);
994  UTHFreePacket(p);
995 
996  PASS;
997 }
998 
999 static int DetectByteMathContext01(void)
1000 {
1001  DetectEngineCtx *de_ctx = NULL;
1002  Signature *s = NULL;
1003  SigMatch *sm = NULL;
1004  DetectContentData *cd = NULL;
1005  DetectByteMathData *bmd = NULL;
1006 
1007  de_ctx = DetectEngineCtxInit();
1008  FAIL_IF(de_ctx == NULL);
1009 
1010  de_ctx->flags |= DE_QUIET;
1011  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1012  "(msg:\"Testing bytemath_body\"; "
1013  "content:\"|00 04 93 F3|\"; "
1014  "content:\"|00 00 00 07|\"; distance:4; within:4;"
1015  "byte_math:bytes 4, offset 0, oper +, rvalue "
1016  "248, result var, relative; sid:1;)");
1017 
1018  FAIL_IF(de_ctx->sig_list == NULL);
1019 
1020  FAIL_IF(s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL);
1021 
1022  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1023  FAIL_IF(sm->type != DETECT_CONTENT);
1024  cd = (DetectContentData *)sm->ctx;
1025  FAIL_IF(cd->flags & DETECT_CONTENT_WITHIN);
1026  FAIL_IF(cd->flags & DETECT_CONTENT_DISTANCE);
1027  FAIL_IF(cd->content_len != 4);
1028 
1029  sm = sm->next;
1030  FAIL_IF(sm->type != DETECT_CONTENT);
1031  sm = sm->next;
1032  FAIL_IF(sm->type != DETECT_BYTEMATH);
1033 
1034  FAIL_IF(sm->ctx == NULL);
1035 
1036  bmd = (DetectByteMathData *)sm->ctx;
1037  FAIL_IF_NOT(bmd->nbytes == 4);
1038  FAIL_IF_NOT(bmd->offset == 0);
1039  FAIL_IF_NOT(bmd->rvalue == 248);
1040  FAIL_IF_NOT(strcmp(bmd->result, "var") == 0);
1041  FAIL_IF_NOT(bmd->flags == DETECT_BYTEMATH_FLAG_RELATIVE);
1042  FAIL_IF_NOT(bmd->endian == BigEndian);
1043  FAIL_IF_NOT(bmd->oper == Addition);
1044  FAIL_IF_NOT(bmd->base == BaseDec);
1045 
1046  DetectEngineCtxFree(de_ctx);
1047 
1048  PASS;
1049 }
1050 
1051 static void DetectByteMathRegisterTests(void)
1052 {
1053  UtRegisterTest("DetectByteMathParseTest01", DetectByteMathParseTest01);
1054  UtRegisterTest("DetectByteMathParseTest02", DetectByteMathParseTest02);
1055  UtRegisterTest("DetectByteMathParseTest03", DetectByteMathParseTest03);
1056  UtRegisterTest("DetectByteMathParseTest04", DetectByteMathParseTest04);
1057  UtRegisterTest("DetectByteMathParseTest05", DetectByteMathParseTest05);
1058  UtRegisterTest("DetectByteMathParseTest06", DetectByteMathParseTest06);
1059  UtRegisterTest("DetectByteMathParseTest07", DetectByteMathParseTest07);
1060  UtRegisterTest("DetectByteMathParseTest08", DetectByteMathParseTest08);
1061  UtRegisterTest("DetectByteMathParseTest09", DetectByteMathParseTest09);
1062  UtRegisterTest("DetectByteMathParseTest10", DetectByteMathParseTest10);
1063  UtRegisterTest("DetectByteMathParseTest11", DetectByteMathParseTest11);
1064  UtRegisterTest("DetectByteMathParseTest12", DetectByteMathParseTest12);
1065  UtRegisterTest("DetectByteMathParseTest13", DetectByteMathParseTest13);
1066  UtRegisterTest("DetectByteMathParseTest14", DetectByteMathParseTest14);
1067  UtRegisterTest("DetectByteMathParseTest15", DetectByteMathParseTest15);
1068  UtRegisterTest("DetectByteMathParseTest16", DetectByteMathParseTest16);
1069  UtRegisterTest("DetectByteMathPacket01", DetectByteMathPacket01);
1070  UtRegisterTest("DetectByteMathPacket02", DetectByteMathPacket02);
1071  UtRegisterTest("DetectByteMathContext01", DetectByteMathContext01);
1072 }
1073 #endif /* UNITTESTS */
util-byte.h
DETECT_CONTENT_RELATIVE_NEXT
#define DETECT_CONTENT_RELATIVE_NEXT
Definition: detect-content.h:66
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1753
SignatureInitDataBuffer_::head
SigMatch * head
Definition: detect.h:530
detect-content.h
len
uint8_t len
Definition: app-layer-dnp3.h:2
DetectEngineThreadCtx_::buffer_offset
uint32_t buffer_offset
Definition: detect.h:1124
detect-engine.h
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:116
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:581
ByteExtractUint64
int ByteExtractUint64(uint64_t *res, int e, uint16_t len, const uint8_t *bytes)
Definition: util-byte.c:122
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1022
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:38
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1286
flow-util.h
ALPROTO_DNS
@ ALPROTO_DNS
Definition: app-layer-protos.h:41
SigTableElmt_::name
const char * name
Definition: detect.h:1296
SignatureInitData_::smlists_tail
struct SigMatch_ * smlists_tail[DETECT_SM_LIST_MAX]
Definition: detect.h:583
DETECT_BYTEJUMP
@ DETECT_BYTEJUMP
Definition: detect-engine-register.h:76
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:62
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
Flow_::proto
uint8_t proto
Definition: flow.h:373
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
Packet_::flags
uint32_t flags
Definition: decode.h:474
threads.h
Flow_
Flow data structure.
Definition: flow.h:351
Flow_::protomap
uint8_t protomap
Definition: flow.h:445
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:839
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2533
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:312
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:223
DE_QUIET
#define DE_QUIET
Definition: detect.h:324
mpm_default_matcher
uint8_t mpm_default_matcher
Definition: util-mpm.c:48
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1895
DetectContentData_
Definition: detect-content.h:93
DetectPcreData_::flags
uint16_t flags
Definition: detect-pcre.h:46
ByteExtractStringUint64
int ByteExtractStringUint64(uint64_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:234
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2620
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:468
DetectBufferGetActiveList
int DetectBufferGetActiveList(DetectEngineCtx *de_ctx, Signature *s)
Definition: detect-engine.c:1403
UTHBuildPacketReal
Packet * UTHBuildPacketReal(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, const char *src, const char *dst, uint16_t sport, uint16_t dport)
UTHBuildPacketReal is a function that create tcp/udp packets for unittests specifying ip and port sou...
Definition: util-unittest-helper.c:244
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1281
detect-pcre.h
DETECT_BYTEMATH_ENDIAN_DEFAULT
#define DETECT_BYTEMATH_ENDIAN_DEFAULT
Definition: detect-bytemath.c:65
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:97
DetectByteIndexType
uint8_t DetectByteIndexType
Definition: detect-byte.h:28
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
DetectGetLastSMByListId
SigMatch * DetectGetLastSMByListId(const Signature *s, int list_id,...)
Returns the sm with the largest index (added last) from the list passed to us as an id.
Definition: detect-parse.c:713
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
decode.h
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
DETECT_CONTENT_DISTANCE
#define DETECT_CONTENT_DISTANCE
Definition: detect-content.h:30
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1095
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:22
SignatureInitData_::list
int list
Definition: detect.h:565
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:354
DetectEngineCtx_::mpm_matcher
uint8_t mpm_matcher
Definition: detect.h:842
DetectByteMathRetrieveSMVar
SigMatch * DetectByteMathRetrieveSMVar(const char *arg, const Signature *s)
Lookup the SigMatch for a named byte_math variable.
Definition: detect-bytemath.c:441
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2314
app-layer-parser.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:353
BYTE_BIG_ENDIAN
#define BYTE_BIG_ENDIAN
Definition: util-byte.h:29
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:300
FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:97
Packet_
Definition: decode.h:437
detect-engine-build.h
detect-engine-alert.h
DetectContentData_::flags
uint32_t flags
Definition: detect-content.h:104
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:665
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1264
detect-byte.h
DetectEngineCtx_::byte_extract_max_local_id
int32_t byte_extract_max_local_id
Definition: detect.h:915
DETECT_PCRE
@ DETECT_PCRE
Definition: detect-engine-register.h:64
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2149
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:291
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:345
DETECT_SM_LIST_NOTSET
#define DETECT_SM_LIST_NOTSET
Definition: detect.h:141
DETECT_BYTETEST
@ DETECT_BYTETEST
Definition: detect-engine-register.h:75
BYTE_LITTLE_ENDIAN
#define BYTE_LITTLE_ENDIAN
Definition: util-byte.h:30
Packet_::flow
struct Flow_ * flow
Definition: decode.h:476
DetectByteMathDoMatch
int DetectByteMathDoMatch(DetectEngineThreadCtx *det_ctx, const DetectByteMathData *data, const Signature *s, const uint8_t *payload, const uint32_t payload_len, uint8_t nbytes, uint64_t rvalue, uint64_t *value, uint8_t endian)
Definition: detect-bytemath.c:87
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3244
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
DetectByteRetrieveSMVar
bool DetectByteRetrieveSMVar(const char *arg, const Signature *s, DetectByteIndexType *index)
Used to retrieve args from BM.
Definition: detect-byte.c:40
flags
uint8_t flags
Definition: decode-gre.h:0
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1292
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3454
SigMatch_::type
uint16_t type
Definition: detect.h:351
DETECT_BYTEMATH_BASE_DEFAULT
#define DETECT_BYTEMATH_BASE_DEFAULT
Definition: detect-bytemath.c:66
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:127
util-spm.h
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:847
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
DetectBytemathRegister
void DetectBytemathRegister(void)
Registers the keyword handlers for the "byte_math" keyword.
Definition: detect-bytemath.c:70
SignatureInitData_::buffers
SignatureInitDataBuffer * buffers
Definition: detect.h:586
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SigMatchListSMBelongsTo
int SigMatchListSMBelongsTo(const Signature *s, const SigMatch *key_sm)
Definition: detect-parse.c:820
SCFree
#define SCFree(p)
Definition: util-mem.h:61
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:448
Flow_::alstate
void * alstate
Definition: flow.h:476
DETECT_BYTE_EXTRACT
@ DETECT_BYTE_EXTRACT
Definition: detect-engine-register.h:184
Flow_::flags
uint32_t flags
Definition: flow.h:421
detect-parse.h
Signature_
Signature container.
Definition: detect.h:596
SigMatch_
a single match condition for a signature
Definition: detect.h:350
payload_len
uint16_t payload_len
Definition: stream-tcp-private.h:1
DETECT_ISDATAAT
@ DETECT_ISDATAAT
Definition: detect-engine-register.h:82
DETECT_SM_LIST_MAX
@ DETECT_SM_LIST_MAX
Definition: detect.h:132
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2494
DETECT_PCRE_RELATIVE_NEXT
#define DETECT_PCRE_RELATIVE_NEXT
Definition: detect-pcre.h:34
app-layer-protos.h
DetectPcreData_
Definition: detect-pcre.h:42
DetectContentData_::content_len
uint16_t content_len
Definition: detect-content.h:95
DETECT_BYTEMATH
@ DETECT_BYTEMATH
Definition: detect-engine-register.h:77
DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition: detect-parse.c:619
SigMatchAppendSMToList
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:447
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:841
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:65
flow.h
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:450
SignatureInitData_::buffer_index
uint32_t buffer_index
Definition: detect.h:587
flow-var.h
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:121
DETECT_CONTENT_WITHIN
#define DETECT_CONTENT_WITHIN
Definition: detect-content.h:31
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1288
detect-bytemath.h