suricata
detect-bytemath.c
Go to the documentation of this file.
1 /* Copyright (C) 2020-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Jeff Lucovsky <jeff@lucovsky.org>
22  */
23 
24 /*
25  * Refer to the Snort manual, section 3.5.34 for details.
26  */
27 
28 #include "suricata-common.h"
29 #include "threads.h"
30 #include "decode.h"
31 
32 #include "app-layer-parser.h"
33 #include "app-layer-protos.h"
34 
35 #include "detect.h"
36 #include "detect-parse.h"
37 #include "detect-engine.h"
38 #include "detect-engine-buffer.h"
39 #include "detect-engine-mpm.h"
40 #include "detect-engine-state.h"
41 #include "detect-engine-build.h"
42 
43 #include "rust-bindings.h"
44 
45 #include "detect-content.h"
46 #include "detect-pcre.h"
47 #include "detect-byte.h"
48 #include "detect-bytemath.h"
49 
50 #include "flow.h"
51 #include "flow-var.h"
52 #include "flow-util.h"
53 
54 #include "util-byte.h"
55 #include "util-debug.h"
56 #include "util-unittest.h"
57 #include "util-unittest-helper.h"
58 #include "util-spm.h"
59 
60 static int DetectByteMathSetup(DetectEngineCtx *, Signature *, const char *);
61 #ifdef UNITTESTS
62 #define DETECT_BYTEMATH_ENDIAN_DEFAULT (uint8_t) BigEndian
63 #define DETECT_BYTEMATH_BASE_DEFAULT (uint8_t) BaseDec
64 
65 static void DetectByteMathRegisterTests(void);
66 #endif
67 static void DetectByteMathFree(DetectEngineCtx *, void *);
68 
69 /**
70  * \brief Registers the keyword handlers for the "byte_math" keyword.
71  */
72 void DetectBytemathRegister(void)
73 {
74  sigmatch_table[DETECT_BYTEMATH].name = "byte_math";
75  sigmatch_table[DETECT_BYTEMATH].Match = NULL;
76  sigmatch_table[DETECT_BYTEMATH].Setup = DetectByteMathSetup;
77  sigmatch_table[DETECT_BYTEMATH].Free = DetectByteMathFree;
78 #ifdef UNITTESTS
79  sigmatch_table[DETECT_BYTEMATH].RegisterTests = DetectByteMathRegisterTests;
80 #endif
81 }
82 
83 static inline bool DetectByteMathValidateNbytesOnly(const DetectByteMathData *data, int32_t nbytes)
84 {
85  return nbytes >= 1 &&
86  (((data->flags & DETECT_BYTEMATH_FLAG_STRING) && nbytes <= 10) || (nbytes <= 4));
87 }
88 
89 int DetectByteMathDoMatch(DetectEngineThreadCtx *det_ctx, const DetectByteMathData *data,
90  const Signature *s, const uint8_t *payload, const uint32_t payload_len, uint8_t nbytes,
91  uint64_t rvalue, uint64_t *value, uint8_t endian)
92 {
93  if (payload_len == 0) {
94  return 0;
95  }
96 
97  if (!DetectByteMathValidateNbytesOnly(data, nbytes)) {
98  return 0;
99  }
100 
101  const uint8_t *ptr;
102  int32_t len;
103  uint64_t val;
104  int extbytes;
105 
106  /* Calculate the ptr value for the byte-math op and length remaining in
107  * the packet from that point.
108  */
109  if (data->flags & DETECT_BYTEMATH_FLAG_RELATIVE) {
110  SCLogDebug("relative, working with det_ctx->buffer_offset %" PRIu32 ", "
111  "data->offset %" PRIi32 "",
112  det_ctx->buffer_offset, data->offset);
113 
114  ptr = payload + det_ctx->buffer_offset;
115  len = payload_len - det_ctx->buffer_offset;
116 
117  ptr += data->offset;
118  len -= data->offset;
119 
120  /* No match if there is no relative base */
121  if (len <= 0) {
122  return 0;
123  }
124  } else {
125  SCLogDebug("absolute, data->offset %" PRIi32 "", data->offset);
126 
127  ptr = payload + data->offset;
128  len = payload_len - data->offset;
129  }
130 
131  /* Validate that the to-be-extracted is within the packet */
132  if (ptr < payload || nbytes > len) {
133  SCLogDebug("Data not within payload pkt=%p, ptr=%p, len=%" PRIu32 ", nbytes=%d", payload,
134  ptr, len, nbytes);
135  return 0;
136  }
137 
138  /* Extract the byte data */
139  if (data->flags & DETECT_BYTEMATH_FLAG_STRING) {
140  extbytes = ByteExtractStringUint64(&val, data->base, nbytes, (const char *)ptr);
141  if (extbytes <= 0) {
142  if (val == 0) {
143  SCLogDebug("No Numeric value");
144  return 0;
145  } else {
146  SCLogDebug("error extracting %d bytes of string data: %d", nbytes, extbytes);
147  return -1;
148  }
149  }
150  } else {
151  ByteEndian bme = endian;
152  int endianness = (bme == BigEndian) ? BYTE_BIG_ENDIAN : BYTE_LITTLE_ENDIAN;
153  extbytes = ByteExtractUint64(&val, endianness, nbytes, ptr);
154  if (extbytes != nbytes) {
155  SCLogDebug("error extracting %d bytes of numeric data: %d", nbytes, extbytes);
156  return 0;
157  }
158  }
159 
160  BUG_ON(extbytes > len);
161 
162  ptr += extbytes;
163 
164  switch (data->oper) {
165  case OperatorNone:
166  break;
167  case Addition:
168  val += rvalue;
169  break;
170  case Subtraction:
171  val -= rvalue;
172  break;
173  case Division:
174  if (rvalue == 0) {
175  SCLogDebug("avoiding division by zero");
176  return 0;
177  }
178  val /= rvalue;
179  break;
180  case Multiplication:
181  val *= rvalue;
182  break;
183  case LeftShift:
184  if (rvalue < 64) {
185  val <<= rvalue;
186  } else {
187  val = 0;
188  }
189  break;
190  case RightShift:
191  val >>= rvalue;
192  break;
193  }
194 
195  det_ctx->buffer_offset = (uint32_t)(ptr - payload);
196 
197  if (data->flags & DETECT_BYTEMATH_FLAG_BITMASK) {
198  val &= data->bitmask_val;
199  if (val && data->bitmask_shift_count) {
200  val = val >> data->bitmask_shift_count;
201  }
202  }
203 
204  *value = val;
205  return 1;
206 }
207 
208 /**
209  * \internal
210  * \brief Used to parse byte_math arg.
211  *
212  * \param arg The argument to parse.
213  * \param rvalue May be NULL. When non-null, will contain the variable
214  * name of rvalue (iff rvalue is not a scalar value)
215  *
216  * \retval bmd On success an instance containing the parsed data.
217  * On failure, NULL.
218  */
219 static DetectByteMathData *DetectByteMathParse(
220  DetectEngineCtx *de_ctx, const char *arg, char **nbytes, char **rvalue)
221 {
222  DetectByteMathData *bmd;
223  if ((bmd = SCByteMathParse(arg)) == NULL) {
224  SCLogError("invalid bytemath values");
225  return NULL;
226  }
227 
228  if (bmd->nbytes_str) {
229  if (nbytes == NULL) {
230  SCLogError("byte_math supplied with "
231  "var name for nbytes. \"nbytes\" argument supplied to "
232  "this function must be non-NULL");
233  goto error;
234  }
235  *nbytes = SCStrdup(bmd->nbytes_str);
236  if (*nbytes == NULL) {
237  goto error;
238  }
239  }
240 
241  if (bmd->rvalue_str) {
242  if (rvalue == NULL) {
243  SCLogError("byte_math supplied with "
244  "var name for rvalue. \"rvalue\" argument supplied to "
245  "this function must be non-NULL");
246  goto error;
247  }
248  *rvalue = SCStrdup(bmd->rvalue_str);
249  if (*rvalue == NULL) {
250  goto error;
251  }
252  }
253 
254  if (bmd->flags & DETECT_BYTEMATH_FLAG_BITMASK) {
255  if (bmd->bitmask_val) {
256  uint32_t bmask = bmd->bitmask_val;
257  while (!(bmask & 0x1)){
258  bmask = bmask >> 1;
259  bmd->bitmask_shift_count++;
260  }
261  }
262  }
263 
264  return bmd;
265 
266  error:
267  if (bmd != NULL)
268  DetectByteMathFree(de_ctx, bmd);
269  return NULL;
270 }
271 
272 /**
273  * \brief The setup function for the byte_math keyword for a signature.
274  *
275  * \param de_ctx Pointer to the detection engine context.
276  * \param s Pointer to signature for the current Signature being parsed
277  * from the rules.
278  * \param arg Pointer to the string holding the keyword value.
279  *
280  * \retval 0 On success.
281  * \retval -1 On failure.
282  */
283 static int DetectByteMathSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
284 {
285  SigMatch *prev_pm = NULL;
286  DetectByteMathData *data;
287  char *rvalue = NULL;
288  char *nbytes = NULL;
289  int ret = -1;
290 
291  data = DetectByteMathParse(de_ctx, arg, &nbytes, &rvalue);
292  if (data == NULL)
293  goto error;
294 
295  int sm_list;
296  if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
297  if (DetectBufferGetActiveList(de_ctx, s) == -1)
298  goto error;
299 
300  sm_list = s->init_data->list;
301 
302  if (data->flags & DETECT_BYTEMATH_FLAG_RELATIVE) {
303  prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, -1);
304  if (!prev_pm) {
305  SCLogError("relative specified without "
306  "previous pattern match");
307  goto error;
308  }
309  }
310  } else if (data->endian == EndianDCE) {
311  if (data->flags & DETECT_BYTEMATH_FLAG_RELATIVE) {
312  prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE,
313  DETECT_BYTETEST, DETECT_BYTEJUMP,
314  DETECT_BYTE_EXTRACT,
315  DETECT_BYTEMATH,
316  DETECT_ISDATAAT, -1);
317  if (prev_pm == NULL) {
318  sm_list = DETECT_SM_LIST_PMATCH;
319  } else {
320  sm_list = SigMatchListSMBelongsTo(s, prev_pm);
321  if (sm_list < 0)
322  goto error;
323  }
324  } else {
325  sm_list = DETECT_SM_LIST_PMATCH;
326  }
327 
328  if (SCDetectSignatureSetAppProto(s, ALPROTO_DCERPC) < 0)
329  goto error;
330 
331  } else if (data->flags & DETECT_BYTEMATH_FLAG_RELATIVE) {
332  prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE,
333  DETECT_BYTETEST, DETECT_BYTEJUMP,
334  DETECT_BYTE_EXTRACT, DETECT_BYTEMATH,
335  DETECT_ISDATAAT, -1);
336  if (prev_pm == NULL) {
337  sm_list = DETECT_SM_LIST_PMATCH;
338  } else {
339  sm_list = SigMatchListSMBelongsTo(s, prev_pm);
340  if (sm_list < 0)
341  goto error;
342  }
343 
344  } else {
345  sm_list = DETECT_SM_LIST_PMATCH;
346  }
347 
348  if (data->endian == EndianDCE) {
349  if (SCDetectSignatureSetAppProto(s, ALPROTO_DCERPC) != 0)
350  goto error;
351 
352  if ((data->flags & DETECT_BYTEMATH_FLAG_STRING) || (data->base == BaseDec) ||
353  (data->base == BaseHex) || (data->base == BaseOct)) {
354  SCLogError("Invalid option. "
355  "A bytemath keyword with dce holds other invalid modifiers.");
356  goto error;
357  }
358  }
359 
360  if (nbytes != NULL) {
361  DetectByteIndexType index;
362  if (!DetectByteRetrieveSMVar(nbytes, s, &index)) {
363  SCLogError("unknown byte_ keyword var seen in byte_math - %s", nbytes);
364  goto error;
365  }
366  data->nbytes = index;
367  data->flags |= DETECT_BYTEMATH_FLAG_NBYTES_VAR;
368  SCFree(nbytes);
369  nbytes = NULL;
370  }
371 
372  if (rvalue != NULL) {
373  DetectByteIndexType index;
374  if (!DetectByteRetrieveSMVar(rvalue, s, &index)) {
375  SCLogError("unknown byte_ keyword var seen in byte_math - %s", rvalue);
376  goto error;
377  }
378  data->rvalue = index;
379  data->flags |= DETECT_BYTEMATH_FLAG_RVALUE_VAR;
380  SCFree(rvalue);
381  rvalue = NULL;
382  }
383 
384  SigMatch *prev_bmd_sm = DetectGetLastSMByListId(s, sm_list,
385  DETECT_BYTEMATH, -1);
386  if (prev_bmd_sm == NULL) {
387  data->local_id = 0;
388  } else {
389  data->local_id = ((DetectByteMathData *)prev_bmd_sm->ctx)->local_id + 1;
390  }
391  if (data->local_id > de_ctx->byte_extract_max_local_id) {
392  de_ctx->byte_extract_max_local_id = data->local_id;
393  }
394 
395  if (SCSigMatchAppendSMToList(de_ctx, s, DETECT_BYTEMATH, (SigMatchCtx *)data, sm_list) ==
396  NULL) {
397  goto error;
398  }
399 
400  if (!(data->flags & DETECT_BYTEMATH_FLAG_RELATIVE))
401  goto okay;
402 
403  if (prev_pm == NULL)
404  goto okay;
405 
406  if (prev_pm->type == DETECT_CONTENT) {
407  DetectContentData *cd = (DetectContentData *)prev_pm->ctx;
408  cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
409  } else if (prev_pm->type == DETECT_PCRE) {
410  DetectPcreData *pd = (DetectPcreData *)prev_pm->ctx;
411  pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
412  }
413 
414  okay:
415  return 0;
416 
417  error:
418  if (rvalue)
419  SCFree(rvalue);
420  if (nbytes)
421  SCFree(nbytes);
422  DetectByteMathFree(de_ctx, data);
423  return ret;
424 }
425 
426 /**
427  * \brief Used to free instances of DetectByteMathractData.
428  *
429  * \param ptr Instance of DetectByteMathData to be freed.
430  */
431 static void DetectByteMathFree(DetectEngineCtx *de_ctx, void *ptr)
432 {
433  SCByteMathFree(ptr);
434 }
435 
436 /**
437  * \brief Lookup the SigMatch for a named byte_math variable.
438  *
439  * \param arg The name of the byte_math variable to lookup.
440  * \param s Pointer the signature to look in.
441  *
442  * \retval A pointer to the SigMatch if found, otherwise NULL.
443  */
444 SigMatch *DetectByteMathRetrieveSMVar(const char *arg, const Signature *s)
445 {
446  for (uint32_t x = 0; x < s->init_data->buffer_index; x++) {
447  SigMatch *sm = s->init_data->buffers[x].head;
448  while (sm != NULL) {
449  if (sm->type == DETECT_BYTEMATH) {
450  const DetectByteMathData *bmd = (const DetectByteMathData *)sm->ctx;
451  if (strcmp(bmd->result, arg) == 0) {
452  SCLogDebug("Retrieved SM for \"%s\"", arg);
453  return sm;
454  }
455  }
456  sm = sm->next;
457  }
458  }
459 
460  for (int list = 0; list < DETECT_SM_LIST_MAX; list++) {
461  SigMatch *sm = s->init_data->smlists[list];
462  while (sm != NULL) {
463  if (sm->type == DETECT_BYTEMATH) {
464  const DetectByteMathData *bmd = (const DetectByteMathData *)sm->ctx;
465  if (strcmp(bmd->result, arg) == 0) {
466  SCLogDebug("Retrieved SM for \"%s\"", arg);
467  return sm;
468  }
469  }
470  sm = sm->next;
471  }
472  }
473 
474  return NULL;
475 }
476 
477 /*************************************Unittests********************************/
478 #ifdef UNITTESTS
479 #include "detect-engine-alert.h"
480 
481 static int DetectByteMathParseTest01(void)
482 {
483 
484  DetectByteMathData *bmd = DetectByteMathParse(NULL,
485  "bytes 4, offset 2, oper +,"
486  "rvalue 10, result bar",
487  NULL, NULL);
488  FAIL_IF(bmd == NULL);
489 
490  FAIL_IF_NOT(bmd->nbytes == 4);
491  FAIL_IF_NOT(bmd->offset == 2);
492  FAIL_IF_NOT(bmd->oper == Addition);
493  FAIL_IF_NOT(bmd->rvalue == 10);
494  FAIL_IF_NOT(strcmp(bmd->result, "bar") == 0);
495  FAIL_IF_NOT(bmd->endian == DETECT_BYTEMATH_ENDIAN_DEFAULT);
496  FAIL_IF_NOT(bmd->base == DETECT_BYTEMATH_BASE_DEFAULT);
497 
498  DetectByteMathFree(NULL, bmd);
499 
500  PASS;
501 }
502 
503 static int DetectByteMathParseTest02(void)
504 {
505  /* bytes value invalid */
506  DetectByteMathData *bmd = DetectByteMathParse(NULL,
507  "bytes 257, offset 2, oper +, "
508  "rvalue 39, result bar",
509  NULL, NULL);
510 
511  FAIL_IF_NOT(bmd == NULL);
512 
513  PASS;
514 }
515 
516 static int DetectByteMathParseTest03(void)
517 {
518  /* bytes value invalid */
519  DetectByteMathData *bmd = DetectByteMathParse(NULL,
520  "bytes 11, offset 2, oper +, "
521  "rvalue 39, result bar",
522  NULL, NULL);
523  FAIL_IF_NOT(bmd == NULL);
524 
525  PASS;
526 }
527 
528 static int DetectByteMathParseTest04(void)
529 {
530  /* offset value invalid */
531  DetectByteMathData *bmd = DetectByteMathParse(NULL,
532  "bytes 4, offset 70000, oper +,"
533  " rvalue 39, result bar",
534  NULL, NULL);
535 
536  FAIL_IF_NOT(bmd == NULL);
537 
538  PASS;
539 }
540 
541 static int DetectByteMathParseTest05(void)
542 {
543  /* oper value invalid */
544  DetectByteMathData *bmd = DetectByteMathParse(NULL,
545  "bytes 11, offset 16, oper &,"
546  "rvalue 39, result bar",
547  NULL, NULL);
548  FAIL_IF_NOT(bmd == NULL);
549 
550  PASS;
551 }
552 
553 static int DetectByteMathParseTest06(void)
554 {
555  uint8_t flags = DETECT_BYTEMATH_FLAG_RELATIVE;
556  char *rvalue = NULL;
557 
558  DetectByteMathData *bmd = DetectByteMathParse(NULL,
559  "bytes 4, offset 0, oper +,"
560  "rvalue 248, result var, relative",
561  NULL, &rvalue);
562 
563  FAIL_IF(bmd == NULL);
564  FAIL_IF_NOT(bmd->nbytes == 4);
565  FAIL_IF_NOT(bmd->offset == 0);
566  FAIL_IF_NOT(bmd->oper == Addition);
567  FAIL_IF_NOT(bmd->rvalue == 248);
568  FAIL_IF_NOT(strcmp(bmd->result, "var") == 0);
569  FAIL_IF_NOT(bmd->flags == flags);
570  FAIL_IF_NOT(bmd->endian == DETECT_BYTEMATH_ENDIAN_DEFAULT);
571  FAIL_IF_NOT(bmd->base == DETECT_BYTEMATH_BASE_DEFAULT);
572 
573  DetectByteMathFree(NULL, bmd);
574 
575  PASS;
576 }
577 
578 static int DetectByteMathParseTest07(void)
579 {
580  char *rvalue = NULL;
581 
582  DetectByteMathData *bmd = DetectByteMathParse(NULL,
583  "bytes 4, offset 2, oper +,"
584  "rvalue foo, result bar",
585  NULL, &rvalue);
586  FAIL_IF_NOT(rvalue);
587  FAIL_IF_NOT(bmd->nbytes == 4);
588  FAIL_IF_NOT(bmd->offset == 2);
589  FAIL_IF_NOT(bmd->oper == Addition);
590  FAIL_IF_NOT(strcmp(rvalue, "foo") == 0);
591  FAIL_IF_NOT(strcmp(bmd->result, "bar") == 0);
592  FAIL_IF_NOT(bmd->endian == DETECT_BYTEMATH_ENDIAN_DEFAULT);
593  FAIL_IF_NOT(bmd->base == DETECT_BYTEMATH_BASE_DEFAULT);
594 
595  DetectByteMathFree(NULL, bmd);
596 
597  SCFree(rvalue);
598 
599  PASS;
600 }
601 
602 static int DetectByteMathParseTest08(void)
603 {
604  /* ensure Parse checks the pointer value when rvalue is a var */
605  DetectByteMathData *bmd = DetectByteMathParse(NULL,
606  "bytes 4, offset 2, oper +,"
607  "rvalue foo, result bar",
608  NULL, NULL);
609  FAIL_IF_NOT(bmd == NULL);
610 
611  PASS;
612 }
613 
614 static int DetectByteMathParseTest09(void)
615 {
616  uint8_t flags = DETECT_BYTEMATH_FLAG_RELATIVE;
617 
618  DetectByteMathData *bmd = DetectByteMathParse(NULL,
619  "bytes 4, offset 2, oper +,"
620  "rvalue 39, result bar, relative",
621  NULL, NULL);
622  FAIL_IF(bmd == NULL);
623 
624  FAIL_IF_NOT(bmd->nbytes == 4);
625  FAIL_IF_NOT(bmd->offset == 2);
626  FAIL_IF_NOT(bmd->oper == Addition);
627  FAIL_IF_NOT(bmd->rvalue == 39);
628  FAIL_IF_NOT(strcmp(bmd->result, "bar") == 0);
629  FAIL_IF_NOT(bmd->flags == flags);
630  FAIL_IF_NOT(bmd->endian == DETECT_BYTEMATH_ENDIAN_DEFAULT);
631  FAIL_IF_NOT(bmd->base == DETECT_BYTEMATH_BASE_DEFAULT);
632 
633  DetectByteMathFree(NULL, bmd);
634 
635  PASS;
636 }
637 
638 static int DetectByteMathParseTest10(void)
639 {
640  uint8_t flags = DETECT_BYTEMATH_FLAG_ENDIAN;
641 
642  DetectByteMathData *bmd = DetectByteMathParse(NULL,
643  "bytes 4, offset 2, oper +,"
644  "rvalue 39, result bar, endian"
645  " big",
646  NULL, NULL);
647 
648  FAIL_IF(bmd == NULL);
649  FAIL_IF_NOT(bmd->nbytes == 4);
650  FAIL_IF_NOT(bmd->offset == 2);
651  FAIL_IF_NOT(bmd->oper == Addition);
652  FAIL_IF_NOT(bmd->rvalue == 39);
653  FAIL_IF_NOT(strcmp(bmd->result, "bar") == 0);
654  FAIL_IF_NOT(bmd->flags == flags);
655  FAIL_IF_NOT(bmd->endian == BigEndian);
656  FAIL_IF_NOT(bmd->base == DETECT_BYTEMATH_BASE_DEFAULT);
657 
658  DetectByteMathFree(NULL, bmd);
659 
660  PASS;
661 }
662 
663 static int DetectByteMathParseTest11(void)
664 {
665  uint8_t flags = DETECT_BYTEMATH_FLAG_ENDIAN;
666 
667  DetectByteMathData *bmd = DetectByteMathParse(NULL,
668  "bytes 4, offset 2, oper +, "
669  "rvalue 39, result bar, dce",
670  NULL, NULL);
671 
672  FAIL_IF(bmd == NULL);
673  FAIL_IF_NOT(bmd->nbytes == 4);
674  FAIL_IF_NOT(bmd->offset == 2);
675  FAIL_IF_NOT(bmd->oper == Addition);
676  FAIL_IF_NOT(bmd->rvalue == 39);
677  FAIL_IF_NOT(strcmp(bmd->result, "bar") == 0);
678  FAIL_IF_NOT(bmd->flags == flags);
679  FAIL_IF_NOT(bmd->endian == EndianDCE);
680  FAIL_IF_NOT(bmd->base == DETECT_BYTEMATH_BASE_DEFAULT);
681 
682  DetectByteMathFree(NULL, bmd);
683 
684  PASS;
685 }
686 
687 static int DetectByteMathParseTest12(void)
688 {
689  uint8_t flags = DETECT_BYTEMATH_FLAG_RELATIVE | DETECT_BYTEMATH_FLAG_STRING;
690 
691  DetectByteMathData *bmd = DetectByteMathParse(NULL,
692  "bytes 4, offset 2, oper +,"
693  "rvalue 39, result bar, "
694  "relative, string dec",
695  NULL, NULL);
696 
697  FAIL_IF(bmd == NULL);
698  FAIL_IF_NOT(bmd->nbytes == 4);
699  FAIL_IF_NOT(bmd->offset == 2);
700  FAIL_IF_NOT(bmd->oper == Addition);
701  FAIL_IF_NOT(bmd->rvalue == 39);
702  FAIL_IF_NOT(strcmp(bmd->result, "bar") == 0);
703  FAIL_IF_NOT(bmd->flags == flags);
704  FAIL_IF_NOT(bmd->endian == BigEndian);
705  FAIL_IF_NOT(bmd->base == BaseDec);
706 
707  DetectByteMathFree(NULL, bmd);
708 
709  PASS;
710 }
711 
712 static int DetectByteMathParseTest13(void)
713 {
714  uint8_t flags = DETECT_BYTEMATH_FLAG_STRING |
715  DETECT_BYTEMATH_FLAG_RELATIVE |
716  DETECT_BYTEMATH_FLAG_BITMASK;
717 
718  DetectByteMathData *bmd = DetectByteMathParse(NULL,
719  "bytes 4, offset 2, oper +, "
720  "rvalue 39, result bar, "
721  "relative, string dec, bitmask "
722  "0x8f40",
723  NULL, NULL);
724 
725  FAIL_IF(bmd == NULL);
726  FAIL_IF_NOT(bmd->nbytes == 4);
727  FAIL_IF_NOT(bmd->offset == 2);
728  FAIL_IF_NOT(bmd->oper == Addition);
729  FAIL_IF_NOT(bmd->rvalue == 39);
730  FAIL_IF_NOT(strcmp(bmd->result, "bar") == 0);
731  FAIL_IF_NOT(bmd->bitmask_val == 0x8f40);
732  FAIL_IF_NOT(bmd->bitmask_shift_count == 6);
733  FAIL_IF_NOT(bmd->flags == flags);
734  FAIL_IF_NOT(bmd->endian == BigEndian);
735  FAIL_IF_NOT(bmd->base == BaseDec);
736 
737  DetectByteMathFree(NULL, bmd);
738 
739  PASS;
740 }
741 
742 
743 static int DetectByteMathParseTest14(void)
744 {
745  /* incomplete */
746  DetectByteMathData *bmd = DetectByteMathParse(NULL,
747  "bytes 4, offset 2, oper +,"
748  "rvalue foo",
749  NULL, NULL);
750 
751  FAIL_IF_NOT(bmd == NULL);
752 
753  PASS;
754 }
755 
756 static int DetectByteMathParseTest15(void)
757 {
758 
759  /* incomplete */
760  DetectByteMathData *bmd = DetectByteMathParse(NULL,
761  "bytes 4, offset 2, oper +, "
762  "result bar",
763  NULL, NULL);
764 
765  FAIL_IF_NOT(bmd == NULL);
766 
767  PASS;
768 }
769 
770 static int DetectByteMathParseTest16(void)
771 {
772  uint8_t flags = DETECT_BYTEMATH_FLAG_STRING | DETECT_BYTEMATH_FLAG_RELATIVE |
773  DETECT_BYTEMATH_FLAG_BITMASK;
774 
775  DetectByteMathData *bmd = DetectByteMathParse(NULL,
776  "bytes 4, offset -2, oper +, "
777  "rvalue 39, result bar, "
778  "relative, string dec, bitmask "
779  "0x8f40",
780  NULL, NULL);
781 
782  FAIL_IF(bmd == NULL);
783  FAIL_IF_NOT(bmd->nbytes == 4);
784  FAIL_IF_NOT(bmd->offset == -2);
785  FAIL_IF_NOT(bmd->oper == Addition);
786  FAIL_IF_NOT(bmd->rvalue == 39);
787  FAIL_IF_NOT(strcmp(bmd->result, "bar") == 0);
788  FAIL_IF_NOT(bmd->bitmask_val == 0x8f40);
789  FAIL_IF_NOT(bmd->bitmask_shift_count == 6);
790  FAIL_IF_NOT(bmd->flags == flags);
791  FAIL_IF_NOT(bmd->endian == BigEndian);
792  FAIL_IF_NOT(bmd->base == BaseDec);
793 
794  DetectByteMathFree(NULL, bmd);
795 
796  PASS;
797 }
798 
799 static int DetectByteMathPacket01(void)
800 {
801  uint8_t buf[] = { 0x38, 0x35, 0x6d, 0x00, 0x00, 0x01,
802  0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
803  0x00, 0x00, 0x6d, 0x00, 0x01, 0x00 };
804  Flow f;
805  void *dns_state = NULL;
806  Packet *p = NULL;
807  Signature *s = NULL;
808  ThreadVars tv;
809  DetectEngineThreadCtx *det_ctx = NULL;
810  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
811 
812  memset(&tv, 0, sizeof(ThreadVars));
813  memset(&f, 0, sizeof(Flow));
814 
815  p = UTHBuildPacketReal(buf, sizeof(buf), IPPROTO_UDP,
816  "192.168.1.5", "192.168.1.1",
817  41424, 53);
818  FAIL_IF_NULL(p);
819 
820  FLOW_INITIALIZE(&f);
821  f.flags |= FLOW_IPV4;
822  f.proto = IPPROTO_UDP;
823  f.protomap = FlowGetProtoMapping(f.proto);
824 
825  p->flow = &f;
826  p->flags |= PKT_HAS_FLOW;
827  p->flowflags |= FLOW_PKT_TOSERVER;
828  f.alproto = ALPROTO_DNS;
829 
830  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
831  FAIL_IF_NULL(de_ctx);
832 
833  de_ctx->mpm_matcher = mpm_default_matcher;
834  de_ctx->flags |= DE_QUIET;
835 
836  /*
837  * byte_extract: Extract 1 byte from offset 0 --> 0x0038
838  * byte_math: Extract 1 byte from offset 2 (0x35)
839  * Add 0x35 + 0x38 = 109 (0x6d)
840  * byte_test: Compare 2 bytes at offset 13 bytes from last
841  * match and compare with 0x6d
842  */
843  s = DetectEngineAppendSig(de_ctx, "alert udp any any -> any any "
844  "(byte_extract: 1, 0, extracted_val, relative;"
845  "byte_math: bytes 1, offset 1, oper +, rvalue extracted_val, result var;"
846  "byte_test: 2, =, var, 13;"
847  "msg:\"Byte extract and byte math with byte test verification\";"
848  "sid:1;)");
849  FAIL_IF_NULL(s);
850 
851  /* this rule should not alert */
852  s = DetectEngineAppendSig(de_ctx, "alert udp any any -> any any "
853  "(byte_extract: 1, 0, extracted_val, relative;"
854  "byte_math: bytes 1, offset 1, oper +, rvalue extracted_val, result var;"
855  "byte_test: 2, !=, var, 13;"
856  "msg:\"Byte extract and byte math with byte test verification\";"
857  "sid:2;)");
858  FAIL_IF_NULL(s);
859 
860  /*
861  * this rule should alert:
862  * compares offset 15 with var ... 1 (offset 15) < 0x6d (var)
863  */
864  s = DetectEngineAppendSig(de_ctx, "alert udp any any -> any any "
865  "(byte_extract: 1, 0, extracted_val, relative;"
866  "byte_math: bytes 1, offset 1, oper +, rvalue extracted_val, result var;"
867  "byte_test: 2, <, var, 15;"
868  "msg:\"Byte extract and byte math with byte test verification\";"
869  "sid:3;)");
870  FAIL_IF_NULL(s);
871 
872  SigGroupBuild(de_ctx);
873  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
874  FAIL_IF_NULL(det_ctx);
875 
876  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS,
877  STREAM_TOSERVER, buf, sizeof(buf));
878  FAIL_IF_NOT(r == 0);
879 
880  dns_state = f.alstate;
881  FAIL_IF_NULL(dns_state);
882 
883  /* do detect */
884  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
885 
886  /* ensure sids 1 & 3 alerted */
887  FAIL_IF_NOT(PacketAlertCheck(p, 1));
888  FAIL_IF(PacketAlertCheck(p, 2));
889  FAIL_IF_NOT(PacketAlertCheck(p, 3));
890 
891  AppLayerParserThreadCtxFree(alp_tctx);
892  DetectEngineThreadCtxDeinit(&tv, det_ctx);
893  DetectEngineCtxFree(de_ctx);
894 
895  FLOW_DESTROY(&f);
896  UTHFreePacket(p);
897 
898  PASS;
899 }
900 
901 static int DetectByteMathPacket02(void)
902 {
903  uint8_t buf[] = { 0x38, 0x35, 0x6d, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
904  0x00, 0x70, 0x00, 0x01, 0x00 };
905  Flow f;
906  void *dns_state = NULL;
907  Packet *p = NULL;
908  Signature *s = NULL;
909  ThreadVars tv;
910  DetectEngineThreadCtx *det_ctx = NULL;
911  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
912 
913  memset(&tv, 0, sizeof(ThreadVars));
914  memset(&f, 0, sizeof(Flow));
915 
916  p = UTHBuildPacketReal(buf, sizeof(buf), IPPROTO_UDP, "192.168.1.5", "192.168.1.1", 41424, 53);
917  FAIL_IF_NULL(p);
918 
919  FLOW_INITIALIZE(&f);
920  f.flags |= FLOW_IPV4;
921  f.proto = IPPROTO_UDP;
922  f.protomap = FlowGetProtoMapping(f.proto);
923 
924  p->flow = &f;
925  p->flags |= PKT_HAS_FLOW;
926  p->flowflags |= FLOW_PKT_TOSERVER;
927  f.alproto = ALPROTO_DNS;
928 
929  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
930  FAIL_IF_NULL(de_ctx);
931 
932  de_ctx->mpm_matcher = mpm_default_matcher;
933  de_ctx->flags |= DE_QUIET;
934 
935  /*
936  * byte_extract: Extract 1 byte from offset 0 --> 0x38
937  * byte_math: Extract 1 byte from offset -1 (0x38)
938  * Add 0x38 + 0x38 = 112 (0x70)
939  * byte_test: Compare 2 bytes at offset 13 bytes from last
940  * match and compare with 0x70
941  */
942  s = DetectEngineAppendSig(de_ctx,
943  "alert udp any any -> any any "
944  "(byte_extract: 1, 0, extracted_val, relative;"
945  "byte_math: bytes 1, offset -1, oper +, rvalue extracted_val, result var, relative;"
946  "byte_test: 2, =, var, 13;"
947  "msg:\"Byte extract and byte math with byte test verification\";"
948  "sid:1;)");
949  FAIL_IF_NULL(s);
950 
951  /* this rule should not alert */
952  s = DetectEngineAppendSig(de_ctx,
953  "alert udp any any -> any any "
954  "(byte_extract: 1, 0, extracted_val, relative;"
955  "byte_math: bytes 1, offset -1, oper +, rvalue extracted_val, result var, relative;"
956  "byte_test: 2, !=, var, 13;"
957  "msg:\"Byte extract and byte math with byte test verification\";"
958  "sid:2;)");
959  FAIL_IF_NULL(s);
960 
961  /*
962  * this rule should alert:
963  * compares offset 15 with var ... 1 (offset 15) < 0x70 (var)
964  */
965  s = DetectEngineAppendSig(de_ctx,
966  "alert udp any any -> any any "
967  "(byte_extract: 1, 0, extracted_val, relative;"
968  "byte_math: bytes 1, offset -1, oper +, rvalue extracted_val, result var, relative;"
969  "byte_test: 2, <, var, 15;"
970  "msg:\"Byte extract and byte math with byte test verification\";"
971  "sid:3;)");
972  FAIL_IF_NULL(s);
973 
974  SigGroupBuild(de_ctx);
975  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
976  FAIL_IF_NULL(det_ctx);
977 
978  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS, STREAM_TOSERVER, buf, sizeof(buf));
979  FAIL_IF_NOT(r == 0);
980 
981  dns_state = f.alstate;
982  FAIL_IF_NULL(dns_state);
983 
984  /* do detect */
985  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
986 
987  /* ensure sids 1 & 3 alerted */
988  FAIL_IF_NOT(PacketAlertCheck(p, 1));
989  FAIL_IF(PacketAlertCheck(p, 2));
990  FAIL_IF_NOT(PacketAlertCheck(p, 3));
991 
992  AppLayerParserThreadCtxFree(alp_tctx);
993  DetectEngineThreadCtxDeinit(&tv, det_ctx);
994  DetectEngineCtxFree(de_ctx);
995 
996  FLOW_DESTROY(&f);
997  UTHFreePacket(p);
998 
999  PASS;
1000 }
1001 
1002 static int DetectByteMathContext01(void)
1003 {
1004  DetectEngineCtx *de_ctx = NULL;
1005  Signature *s = NULL;
1006  SigMatch *sm = NULL;
1007  DetectContentData *cd = NULL;
1008  DetectByteMathData *bmd = NULL;
1009 
1010  de_ctx = DetectEngineCtxInit();
1011  FAIL_IF(de_ctx == NULL);
1012 
1013  de_ctx->flags |= DE_QUIET;
1014  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1015  "(msg:\"Testing bytemath_body\"; "
1016  "content:\"|00 04 93 F3|\"; "
1017  "content:\"|00 00 00 07|\"; distance:4; within:4;"
1018  "byte_math:bytes 4, offset 0, oper +, rvalue "
1019  "248, result var, relative; sid:1;)");
1020 
1021  FAIL_IF(de_ctx->sig_list == NULL);
1022 
1023  FAIL_IF(s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL);
1024 
1025  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1026  FAIL_IF(sm->type != DETECT_CONTENT);
1027  cd = (DetectContentData *)sm->ctx;
1028  FAIL_IF(cd->flags & DETECT_CONTENT_WITHIN);
1029  FAIL_IF(cd->flags & DETECT_CONTENT_DISTANCE);
1030  FAIL_IF(cd->content_len != 4);
1031 
1032  sm = sm->next;
1033  FAIL_IF(sm->type != DETECT_CONTENT);
1034  sm = sm->next;
1035  FAIL_IF(sm->type != DETECT_BYTEMATH);
1036 
1037  FAIL_IF(sm->ctx == NULL);
1038 
1039  bmd = (DetectByteMathData *)sm->ctx;
1040  FAIL_IF_NOT(bmd->nbytes == 4);
1041  FAIL_IF_NOT(bmd->offset == 0);
1042  FAIL_IF_NOT(bmd->rvalue == 248);
1043  FAIL_IF_NOT(strcmp(bmd->result, "var") == 0);
1044  FAIL_IF_NOT(bmd->flags == DETECT_BYTEMATH_FLAG_RELATIVE);
1045  FAIL_IF_NOT(bmd->endian == BigEndian);
1046  FAIL_IF_NOT(bmd->oper == Addition);
1047  FAIL_IF_NOT(bmd->base == BaseDec);
1048 
1049  DetectEngineCtxFree(de_ctx);
1050 
1051  PASS;
1052 }
1053 
1054 static void DetectByteMathRegisterTests(void)
1055 {
1056  UtRegisterTest("DetectByteMathParseTest01", DetectByteMathParseTest01);
1057  UtRegisterTest("DetectByteMathParseTest02", DetectByteMathParseTest02);
1058  UtRegisterTest("DetectByteMathParseTest03", DetectByteMathParseTest03);
1059  UtRegisterTest("DetectByteMathParseTest04", DetectByteMathParseTest04);
1060  UtRegisterTest("DetectByteMathParseTest05", DetectByteMathParseTest05);
1061  UtRegisterTest("DetectByteMathParseTest06", DetectByteMathParseTest06);
1062  UtRegisterTest("DetectByteMathParseTest07", DetectByteMathParseTest07);
1063  UtRegisterTest("DetectByteMathParseTest08", DetectByteMathParseTest08);
1064  UtRegisterTest("DetectByteMathParseTest09", DetectByteMathParseTest09);
1065  UtRegisterTest("DetectByteMathParseTest10", DetectByteMathParseTest10);
1066  UtRegisterTest("DetectByteMathParseTest11", DetectByteMathParseTest11);
1067  UtRegisterTest("DetectByteMathParseTest12", DetectByteMathParseTest12);
1068  UtRegisterTest("DetectByteMathParseTest13", DetectByteMathParseTest13);
1069  UtRegisterTest("DetectByteMathParseTest14", DetectByteMathParseTest14);
1070  UtRegisterTest("DetectByteMathParseTest15", DetectByteMathParseTest15);
1071  UtRegisterTest("DetectByteMathParseTest16", DetectByteMathParseTest16);
1072  UtRegisterTest("DetectByteMathPacket01", DetectByteMathPacket01);
1073  UtRegisterTest("DetectByteMathPacket02", DetectByteMathPacket02);
1074  UtRegisterTest("DetectByteMathContext01", DetectByteMathContext01);
1075 }
1076 #endif /* UNITTESTS */
util-byte.h
DETECT_CONTENT_RELATIVE_NEXT
#define DETECT_CONTENT_RELATIVE_NEXT
Definition: detect-content.h:66
SignatureInitDataBuffer_::head
SigMatch * head
Definition: detect.h:535
detect-content.h
len
uint8_t len
Definition: app-layer-dnp3.h:2
DetectEngineThreadCtx_::buffer_offset
uint32_t buffer_offset
Definition: detect.h:1235
detect-engine.h
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:119
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:631
ByteExtractUint64
int ByteExtractUint64(uint64_t *res, int e, uint16_t len, const uint8_t *bytes)
Definition: util-byte.c:122
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:79
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1253
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:44
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1409
flow-util.h
ALPROTO_DNS
@ ALPROTO_DNS
Definition: app-layer-protos.h:47
SigTableElmt_::name
const char * name
Definition: detect.h:1419
SignatureInitData_::smlists_tail
struct SigMatch_ * smlists_tail[DETECT_SM_LIST_MAX]
Definition: detect.h:633
DETECT_BYTEJUMP
@ DETECT_BYTEJUMP
Definition: detect-engine-register.h:83
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:69
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:270
Flow_::proto
uint8_t proto
Definition: flow.h:378
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
Packet_::flags
uint32_t flags
Definition: decode.h:535
threads.h
Flow_
Flow data structure.
Definition: flow.h:356
Flow_::protomap
uint8_t protomap
Definition: flow.h:445
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:919
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2624
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:322
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:233
DE_QUIET
#define DE_QUIET
Definition: detect.h:330
mpm_default_matcher
uint8_t mpm_default_matcher
Definition: util-mpm.c:48
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:2349
DetectContentData_
Definition: detect-content.h:93
DetectPcreData_::flags
uint16_t flags
Definition: detect-pcre.h:51
SCDetectSignatureSetAppProto
int SCDetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:2212
ByteExtractStringUint64
int ByteExtractStringUint64(uint64_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:234
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:3338
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:523
UTHBuildPacketReal
Packet * UTHBuildPacketReal(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, const char *src, const char *dst, uint16_t sport, uint16_t dport)
UTHBuildPacketReal is a function that create tcp/udp packets for unittests specifying ip and port sou...
Definition: util-unittest-helper.c:260
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1404
detect-pcre.h
DETECT_BYTEMATH_ENDIAN_DEFAULT
#define DETECT_BYTEMATH_ENDIAN_DEFAULT
Definition: detect-bytemath.c:62
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:100
DetectByteIndexType
uint8_t DetectByteIndexType
Definition: detect-byte.h:28
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
DetectGetLastSMByListId
SigMatch * DetectGetLastSMByListId(const Signature *s, int list_id,...)
Returns the sm with the largest index (added last) from the list passed to us as an id.
Definition: detect-parse.c:658
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
decode.h
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
DETECT_CONTENT_DISTANCE
#define DETECT_CONTENT_DISTANCE
Definition: detect-content.h:30
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
DetectEngineThreadCtx_
Definition: detect.h:1211
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:22
SignatureInitData_::list
int list
Definition: detect.h:617
detect-engine-mpm.h
SCSigMatchAppendSMToList
SigMatch * SCSigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:388
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3350
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:361
DetectEngineCtx_::mpm_matcher
uint8_t mpm_matcher
Definition: detect.h:922
DetectByteMathRetrieveSMVar
SigMatch * DetectByteMathRetrieveSMVar(const char *arg, const Signature *s)
Lookup the SigMatch for a named byte_math variable.
Definition: detect-bytemath.c:444
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2996
app-layer-parser.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:360
BYTE_BIG_ENDIAN
#define BYTE_BIG_ENDIAN
Definition: util-byte.h:29
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:317
FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:99
Packet_
Definition: decode.h:492
detect-engine-build.h
detect-engine-alert.h
DetectContentData_::flags
uint32_t flags
Definition: detect-content.h:104
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:736
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1384
detect-byte.h
DetectEngineCtx_::byte_extract_max_local_id
int32_t byte_extract_max_local_id
Definition: detect.h:997
DETECT_PCRE
@ DETECT_PCRE
Definition: detect-engine-register.h:71
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2130
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:295
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:352
DETECT_SM_LIST_NOTSET
#define DETECT_SM_LIST_NOTSET
Definition: detect.h:144
DETECT_BYTETEST
@ DETECT_BYTETEST
Definition: detect-engine-register.h:82
BYTE_LITTLE_ENDIAN
#define BYTE_LITTLE_ENDIAN
Definition: util-byte.h:30
Packet_::flow
struct Flow_ * flow
Definition: decode.h:537
DetectByteMathDoMatch
int DetectByteMathDoMatch(DetectEngineThreadCtx *det_ctx, const DetectByteMathData *data, const Signature *s, const uint8_t *payload, const uint32_t payload_len, uint8_t nbytes, uint64_t rvalue, uint64_t *value, uint8_t endian)
Definition: detect-bytemath.c:89
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
DetectByteRetrieveSMVar
bool DetectByteRetrieveSMVar(const char *arg, const Signature *s, DetectByteIndexType *index)
Used to retrieve args from BM.
Definition: detect-byte.c:40
flags
uint8_t flags
Definition: decode-gre.h:0
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1290
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:358
DETECT_BYTEMATH_BASE_DEFAULT
#define DETECT_BYTEMATH_BASE_DEFAULT
Definition: detect-bytemath.c:63
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3576
util-spm.h
detect-engine-buffer.h
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:928
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
DetectBytemathRegister
void DetectBytemathRegister(void)
Registers the keyword handlers for the "byte_math" keyword.
Definition: detect-bytemath.c:72
SignatureInitData_::buffers
SignatureInitDataBuffer * buffers
Definition: detect.h:636
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:262
SigMatchListSMBelongsTo
int SigMatchListSMBelongsTo(const Signature *s, const SigMatch *key_sm)
Definition: detect-parse.c:763
SCFree
#define SCFree(p)
Definition: util-mem.h:61
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:473
Flow_::alstate
void * alstate
Definition: flow.h:479
DETECT_BYTE_EXTRACT
@ DETECT_BYTE_EXTRACT
Definition: detect-engine-register.h:85
Flow_::flags
uint32_t flags
Definition: flow.h:421
detect-parse.h
Signature_
Signature container.
Definition: detect.h:657
SigMatch_
a single match condition for a signature
Definition: detect.h:357
payload_len
uint16_t payload_len
Definition: stream-tcp-private.h:1
DETECT_ISDATAAT
@ DETECT_ISDATAAT
Definition: detect-engine-register.h:93
DETECT_SM_LIST_MAX
@ DETECT_SM_LIST_MAX
Definition: detect.h:135
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2585
DETECT_PCRE_RELATIVE_NEXT
#define DETECT_PCRE_RELATIVE_NEXT
Definition: detect-pcre.h:34
app-layer-protos.h
DetectPcreData_
Definition: detect-pcre.h:47
DetectContentData_::content_len
uint16_t content_len
Definition: detect-content.h:95
DETECT_BYTEMATH
@ DETECT_BYTEMATH
Definition: detect-engine-register.h:84
DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition: detect-parse.c:564
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:921
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:58
flow.h
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:450
DetectBufferGetActiveList
int DetectBufferGetActiveList(DetectEngineCtx *de_ctx, Signature *s)
Definition: detect-engine-buffer.c:109
SignatureInitData_::buffer_index
uint32_t buffer_index
Definition: detect.h:637
flow-var.h
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:119
DETECT_CONTENT_WITHIN
#define DETECT_CONTENT_WITHIN
Definition: detect-content.h:31
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1411
detect-bytemath.h