suricata
detect-bytemath.c
Go to the documentation of this file.
1 /* Copyright (C) 2020-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Jeff Lucovsky <jeff@lucovsky.org>
22  */
23 
24 /*
25  * Refer to the Snort manual, section 3.5.34 for details.
26  */
27 
28 #include "suricata-common.h"
29 #include "threads.h"
30 #include "decode.h"
31 
32 #include "rust.h"
33 #include "app-layer-parser.h"
34 #include "app-layer-protos.h"
35 
36 #include "detect.h"
37 #include "detect-parse.h"
38 #include "detect-engine.h"
39 #include "detect-engine-buffer.h"
40 #include "detect-engine-mpm.h"
41 #include "detect-engine-state.h"
42 #include "detect-engine-build.h"
43 
44 #include "detect-content.h"
45 #include "detect-pcre.h"
46 #include "detect-byte.h"
47 #include "detect-bytemath.h"
48 
49 #include "flow.h"
50 #include "flow-var.h"
51 #include "flow-util.h"
52 
53 #include "util-byte.h"
54 #include "util-debug.h"
55 #include "util-unittest.h"
56 #include "util-unittest-helper.h"
57 #include "util-spm.h"
58 
59 static int DetectByteMathSetup(DetectEngineCtx *, Signature *, const char *);
60 #ifdef UNITTESTS
61 #define DETECT_BYTEMATH_ENDIAN_DEFAULT (uint8_t) BigEndian
62 #define DETECT_BYTEMATH_BASE_DEFAULT (uint8_t) BaseDec
63 
64 static void DetectByteMathRegisterTests(void);
65 #endif
66 static void DetectByteMathFree(DetectEngineCtx *, void *);
67 
68 /**
69  * \brief Registers the keyword handlers for the "byte_math" keyword.
70  */
71 void DetectBytemathRegister(void)
72 {
73  sigmatch_table[DETECT_BYTEMATH].name = "byte_math";
74  sigmatch_table[DETECT_BYTEMATH].Match = NULL;
75  sigmatch_table[DETECT_BYTEMATH].Setup = DetectByteMathSetup;
76  sigmatch_table[DETECT_BYTEMATH].Free = DetectByteMathFree;
77  sigmatch_table[DETECT_BYTEMATH].desc = "used to perform mathematical operations on byte values";
78  sigmatch_table[DETECT_BYTEMATH].url = "/rules/payload-keywords.html#byte-math";
79 #ifdef UNITTESTS
80  sigmatch_table[DETECT_BYTEMATH].RegisterTests = DetectByteMathRegisterTests;
81 #endif
82 }
83 
84 static inline bool DetectByteMathValidateNbytesOnly(const DetectByteMathData *data, int32_t nbytes)
85 {
86  return nbytes >= 1 &&
87  (((data->flags & DETECT_BYTEMATH_FLAG_STRING) && nbytes <= 10) || (nbytes <= 4));
88 }
89 
90 int DetectByteMathDoMatch(DetectEngineThreadCtx *det_ctx, const DetectByteMathData *data,
91  const Signature *s, const uint8_t *payload, const uint32_t payload_len, uint8_t nbytes,
92  uint64_t rvalue, uint64_t *value, uint8_t endian)
93 {
94  if (payload_len == 0) {
95  return 0;
96  }
97 
98  if (!DetectByteMathValidateNbytesOnly(data, nbytes)) {
99  return 0;
100  }
101 
102  const uint8_t *ptr;
103  int32_t len;
104  uint64_t val;
105  int extbytes;
106 
107  /* Calculate the ptr value for the byte-math op and length remaining in
108  * the packet from that point.
109  */
110  if (data->flags & DETECT_BYTEMATH_FLAG_RELATIVE) {
111  SCLogDebug("relative, working with det_ctx->buffer_offset %" PRIu32 ", "
112  "data->offset %" PRIi32 "",
113  det_ctx->buffer_offset, data->offset);
114 
115  ptr = payload + det_ctx->buffer_offset;
116  len = payload_len - det_ctx->buffer_offset;
117 
118  ptr += data->offset;
119  len -= data->offset;
120 
121  /* No match if there is no relative base */
122  if (len <= 0) {
123  return 0;
124  }
125  } else {
126  SCLogDebug("absolute, data->offset %" PRIi32 "", data->offset);
127 
128  ptr = payload + data->offset;
129  len = payload_len - data->offset;
130  }
131 
132  /* Validate that the to-be-extracted is within the packet */
133  if (ptr < payload || nbytes > len) {
134  SCLogDebug("Data not within payload pkt=%p, ptr=%p, len=%" PRIu32 ", nbytes=%d", payload,
135  ptr, len, nbytes);
136  return 0;
137  }
138 
139  /* Extract the byte data */
140  if (data->flags & DETECT_BYTEMATH_FLAG_STRING) {
141  extbytes = ByteExtractStringUint64(&val, data->base, nbytes, (const char *)ptr);
142  if (extbytes <= 0) {
143  if (val == 0) {
144  SCLogDebug("No Numeric value");
145  return 0;
146  } else {
147  SCLogDebug("error extracting %d bytes of string data: %d", nbytes, extbytes);
148  return -1;
149  }
150  }
151  } else {
152  ByteEndian bme = endian;
153  int endianness = (bme == BigEndian) ? BYTE_BIG_ENDIAN : BYTE_LITTLE_ENDIAN;
154  extbytes = ByteExtractUint64(&val, endianness, nbytes, ptr);
155  if (extbytes != nbytes) {
156  SCLogDebug("error extracting %d bytes of numeric data: %d", nbytes, extbytes);
157  return 0;
158  }
159  }
160 
161  DEBUG_VALIDATE_BUG_ON(extbytes > len);
162 
163  ptr += extbytes;
164 
165  switch (data->oper) {
166  case OperatorNone:
167  break;
168  case Addition:
169  val += rvalue;
170  break;
171  case Subtraction:
172  val -= rvalue;
173  break;
174  case Division:
175  if (rvalue == 0) {
176  SCLogDebug("avoiding division by zero");
177  return 0;
178  }
179  val /= rvalue;
180  break;
181  case Multiplication:
182  val *= rvalue;
183  break;
184  case LeftShift:
185  if (rvalue < 64) {
186  val <<= rvalue;
187  } else {
188  val = 0;
189  }
190  break;
191  case RightShift:
192  val >>= rvalue;
193  break;
194  }
195 
196  det_ctx->buffer_offset = (uint32_t)(ptr - payload);
197 
198  if (data->flags & DETECT_BYTEMATH_FLAG_BITMASK) {
199  val &= data->bitmask_val;
200  if (val && data->bitmask_shift_count) {
201  val = val >> data->bitmask_shift_count;
202  }
203  }
204 
205  *value = val;
206  return 1;
207 }
208 
209 /**
210  * \internal
211  * \brief Used to parse byte_math arg.
212  *
213  * \param arg The argument to parse.
214  * \param rvalue May be NULL. When non-null, will contain the variable
215  * name of rvalue (iff rvalue is not a scalar value)
216  *
217  * \retval bmd On success an instance containing the parsed data.
218  * On failure, NULL.
219  */
220 static DetectByteMathData *DetectByteMathParse(
221  DetectEngineCtx *de_ctx, const char *arg, char **nbytes, char **rvalue)
222 {
223  DetectByteMathData *bmd;
224  if ((bmd = SCByteMathParse(arg)) == NULL) {
225  SCLogError("invalid bytemath values");
226  return NULL;
227  }
228 
229  if (bmd->nbytes_str) {
230  if (nbytes == NULL) {
231  SCLogError("byte_math supplied with "
232  "var name for nbytes. \"nbytes\" argument supplied to "
233  "this function must be non-NULL");
234  goto error;
235  }
236  *nbytes = SCStrdup(bmd->nbytes_str);
237  if (*nbytes == NULL) {
238  goto error;
239  }
240  }
241 
242  if (bmd->rvalue_str) {
243  if (rvalue == NULL) {
244  SCLogError("byte_math supplied with "
245  "var name for rvalue. \"rvalue\" argument supplied to "
246  "this function must be non-NULL");
247  goto error;
248  }
249  *rvalue = SCStrdup(bmd->rvalue_str);
250  if (*rvalue == NULL) {
251  goto error;
252  }
253  }
254 
255  if (bmd->flags & DETECT_BYTEMATH_FLAG_BITMASK) {
256  if (bmd->bitmask_val) {
257  uint32_t bmask = bmd->bitmask_val;
258  while (!(bmask & 0x1)){
259  bmask = bmask >> 1;
260  bmd->bitmask_shift_count++;
261  }
262  }
263  }
264 
265  return bmd;
266 
267  error:
268  if (bmd != NULL)
269  DetectByteMathFree(de_ctx, bmd);
270  return NULL;
271 }
272 
273 /**
274  * \brief The setup function for the byte_math keyword for a signature.
275  *
276  * \param de_ctx Pointer to the detection engine context.
277  * \param s Pointer to signature for the current Signature being parsed
278  * from the rules.
279  * \param arg Pointer to the string holding the keyword value.
280  *
281  * \retval 0 On success.
282  * \retval -1 On failure.
283  */
284 static int DetectByteMathSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
285 {
286  SigMatch *prev_pm = NULL;
287  DetectByteMathData *data;
288  char *rvalue = NULL;
289  char *nbytes = NULL;
290  int ret = -1;
291 
292  data = DetectByteMathParse(de_ctx, arg, &nbytes, &rvalue);
293  if (data == NULL)
294  goto error;
295 
296  int sm_list;
297  if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
298  if (DetectBufferGetActiveList(de_ctx, s) == -1)
299  goto error;
300 
301  sm_list = s->init_data->list;
302 
303  if (data->flags & DETECT_BYTEMATH_FLAG_RELATIVE) {
304  prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, -1);
305  if (!prev_pm) {
306  SCLogError("relative specified without "
307  "previous pattern match");
308  goto error;
309  }
310  }
311  } else if (data->endian == EndianDCE) {
312  if (data->flags & DETECT_BYTEMATH_FLAG_RELATIVE) {
313  prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE,
314  DETECT_BYTETEST, DETECT_BYTEJUMP,
315  DETECT_BYTE_EXTRACT,
316  DETECT_BYTEMATH,
317  DETECT_ISDATAAT, -1);
318  if (prev_pm == NULL) {
319  sm_list = DETECT_SM_LIST_PMATCH;
320  } else {
321  sm_list = SigMatchListSMBelongsTo(s, prev_pm);
322  if (sm_list < 0)
323  goto error;
324  }
325  } else {
326  sm_list = DETECT_SM_LIST_PMATCH;
327  }
328 
329  if (SCDetectSignatureSetAppProto(s, ALPROTO_DCERPC) < 0)
330  goto error;
331 
332  } else if (data->flags & DETECT_BYTEMATH_FLAG_RELATIVE) {
333  prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE,
334  DETECT_BYTETEST, DETECT_BYTEJUMP,
335  DETECT_BYTE_EXTRACT, DETECT_BYTEMATH,
336  DETECT_ISDATAAT, -1);
337  if (prev_pm == NULL) {
338  sm_list = DETECT_SM_LIST_PMATCH;
339  } else {
340  sm_list = SigMatchListSMBelongsTo(s, prev_pm);
341  if (sm_list < 0)
342  goto error;
343  }
344 
345  } else {
346  sm_list = DETECT_SM_LIST_PMATCH;
347  }
348 
349  if (data->endian == EndianDCE) {
350  if (SCDetectSignatureSetAppProto(s, ALPROTO_DCERPC) != 0)
351  goto error;
352 
353  if ((data->flags & DETECT_BYTEMATH_FLAG_STRING) || (data->base == BaseDec) ||
354  (data->base == BaseHex) || (data->base == BaseOct)) {
355  SCLogError("Invalid option. "
356  "A bytemath keyword with dce holds other invalid modifiers.");
357  goto error;
358  }
359  }
360 
361  if (nbytes != NULL) {
362  DetectByteIndexType index;
363  if (!DetectByteRetrieveSMVar(nbytes, s, sm_list, &index)) {
364  SCLogError("unknown byte_ keyword var seen in byte_math - %s", nbytes);
365  goto error;
366  }
367  data->nbytes = index;
368  data->flags |= DETECT_BYTEMATH_FLAG_NBYTES_VAR;
369  SCFree(nbytes);
370  nbytes = NULL;
371  }
372 
373  if (rvalue != NULL) {
374  DetectByteIndexType index;
375  if (!DetectByteRetrieveSMVar(rvalue, s, sm_list, &index)) {
376  SCLogError("unknown byte_ keyword var seen in byte_math - %s", rvalue);
377  goto error;
378  }
379  data->rvalue = index;
380  data->flags |= DETECT_BYTEMATH_FLAG_RVALUE_VAR;
381  SCFree(rvalue);
382  rvalue = NULL;
383  }
384 
385  SigMatch *prev_bmd_sm = DetectGetLastSMByListId(s, sm_list,
386  DETECT_BYTEMATH, -1);
387  if (prev_bmd_sm == NULL) {
388  data->local_id = 0;
389  } else {
390  data->local_id = ((DetectByteMathData *)prev_bmd_sm->ctx)->local_id + 1;
391  }
392  if (data->local_id > de_ctx->byte_extract_max_local_id) {
393  de_ctx->byte_extract_max_local_id = data->local_id;
394  }
395 
396  if (SCSigMatchAppendSMToList(de_ctx, s, DETECT_BYTEMATH, (SigMatchCtx *)data, sm_list) ==
397  NULL) {
398  goto error;
399  }
400 
401  if (!(data->flags & DETECT_BYTEMATH_FLAG_RELATIVE))
402  goto okay;
403 
404  if (prev_pm == NULL)
405  goto okay;
406 
407  if (prev_pm->type == DETECT_CONTENT) {
408  DetectContentData *cd = (DetectContentData *)prev_pm->ctx;
409  cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
410  } else if (prev_pm->type == DETECT_PCRE) {
411  DetectPcreData *pd = (DetectPcreData *)prev_pm->ctx;
412  pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
413  }
414 
415  okay:
416  return 0;
417 
418  error:
419  if (rvalue)
420  SCFree(rvalue);
421  if (nbytes)
422  SCFree(nbytes);
423  DetectByteMathFree(de_ctx, data);
424  return ret;
425 }
426 
427 /**
428  * \brief Used to free instances of DetectByteMathractData.
429  *
430  * \param ptr Instance of DetectByteMathData to be freed.
431  */
432 static void DetectByteMathFree(DetectEngineCtx *de_ctx, void *ptr)
433 {
434  SCByteMathFree(ptr);
435 }
436 
437 /**
438  * \brief Lookup the SigMatch for a named byte_math variable.
439  *
440  * \param arg The name of the byte_math variable to lookup.
441  * \param s Pointer the signature to look in.
442  *
443  * \retval A pointer to the SigMatch if found, otherwise NULL.
444  */
445 SigMatch *DetectByteMathRetrieveSMVar(const char *arg, int sm_list, const Signature *s)
446 {
447  for (uint32_t x = 0; x < s->init_data->buffer_index; x++) {
448  SigMatch *sm = s->init_data->buffers[x].head;
449  while (sm != NULL) {
450  if (sm->type == DETECT_BYTEMATH) {
451  const DetectByteMathData *bmd = (const DetectByteMathData *)sm->ctx;
452  if (strcmp(bmd->result, arg) == 0) {
453  SCLogDebug("Retrieved SM for \"%s\"", arg);
454  return sm;
455  }
456  }
457  sm = sm->next;
458  }
459  }
460 
461  for (int list = 0; list < DETECT_SM_LIST_MAX; list++) {
462  SigMatch *sm = s->init_data->smlists[list];
463  while (sm != NULL) {
464  // Make sure that the linked buffers ore on the same list
465  if (sm->type == DETECT_BYTEMATH && (sm_list == -1 || sm_list == list)) {
466  const DetectByteMathData *bmd = (const DetectByteMathData *)sm->ctx;
467  if (strcmp(bmd->result, arg) == 0) {
468  SCLogDebug("Retrieved SM for \"%s\"", arg);
469  return sm;
470  }
471  }
472  sm = sm->next;
473  }
474  }
475 
476  return NULL;
477 }
478 
479 /*************************************Unittests********************************/
480 #ifdef UNITTESTS
481 #include "detect-engine-alert.h"
482 
483 static int DetectByteMathParseTest01(void)
484 {
485 
486  DetectByteMathData *bmd = DetectByteMathParse(NULL,
487  "bytes 4, offset 2, oper +,"
488  "rvalue 10, result bar",
489  NULL, NULL);
490  FAIL_IF(bmd == NULL);
491 
492  FAIL_IF_NOT(bmd->nbytes == 4);
493  FAIL_IF_NOT(bmd->offset == 2);
494  FAIL_IF_NOT(bmd->oper == Addition);
495  FAIL_IF_NOT(bmd->rvalue == 10);
496  FAIL_IF_NOT(strcmp(bmd->result, "bar") == 0);
497  FAIL_IF_NOT(bmd->endian == DETECT_BYTEMATH_ENDIAN_DEFAULT);
498  FAIL_IF_NOT(bmd->base == DETECT_BYTEMATH_BASE_DEFAULT);
499 
500  DetectByteMathFree(NULL, bmd);
501 
502  PASS;
503 }
504 
505 static int DetectByteMathParseTest02(void)
506 {
507  /* bytes value invalid */
508  DetectByteMathData *bmd = DetectByteMathParse(NULL,
509  "bytes 257, offset 2, oper +, "
510  "rvalue 39, result bar",
511  NULL, NULL);
512 
513  FAIL_IF_NOT(bmd == NULL);
514 
515  PASS;
516 }
517 
518 static int DetectByteMathParseTest03(void)
519 {
520  /* bytes value invalid */
521  DetectByteMathData *bmd = DetectByteMathParse(NULL,
522  "bytes 11, offset 2, oper +, "
523  "rvalue 39, result bar",
524  NULL, NULL);
525  FAIL_IF_NOT(bmd == NULL);
526 
527  PASS;
528 }
529 
530 static int DetectByteMathParseTest04(void)
531 {
532  /* offset value invalid */
533  DetectByteMathData *bmd = DetectByteMathParse(NULL,
534  "bytes 4, offset 70000, oper +,"
535  " rvalue 39, result bar",
536  NULL, NULL);
537 
538  FAIL_IF_NOT(bmd == NULL);
539 
540  PASS;
541 }
542 
543 static int DetectByteMathParseTest05(void)
544 {
545  /* oper value invalid */
546  DetectByteMathData *bmd = DetectByteMathParse(NULL,
547  "bytes 11, offset 16, oper &,"
548  "rvalue 39, result bar",
549  NULL, NULL);
550  FAIL_IF_NOT(bmd == NULL);
551 
552  PASS;
553 }
554 
555 static int DetectByteMathParseTest06(void)
556 {
557  uint8_t flags = DETECT_BYTEMATH_FLAG_RELATIVE;
558  char *rvalue = NULL;
559 
560  DetectByteMathData *bmd = DetectByteMathParse(NULL,
561  "bytes 4, offset 0, oper +,"
562  "rvalue 248, result var, relative",
563  NULL, &rvalue);
564 
565  FAIL_IF(bmd == NULL);
566  FAIL_IF_NOT(bmd->nbytes == 4);
567  FAIL_IF_NOT(bmd->offset == 0);
568  FAIL_IF_NOT(bmd->oper == Addition);
569  FAIL_IF_NOT(bmd->rvalue == 248);
570  FAIL_IF_NOT(strcmp(bmd->result, "var") == 0);
571  FAIL_IF_NOT(bmd->flags == flags);
572  FAIL_IF_NOT(bmd->endian == DETECT_BYTEMATH_ENDIAN_DEFAULT);
573  FAIL_IF_NOT(bmd->base == DETECT_BYTEMATH_BASE_DEFAULT);
574 
575  DetectByteMathFree(NULL, bmd);
576 
577  PASS;
578 }
579 
580 static int DetectByteMathParseTest07(void)
581 {
582  char *rvalue = NULL;
583 
584  DetectByteMathData *bmd = DetectByteMathParse(NULL,
585  "bytes 4, offset 2, oper +,"
586  "rvalue foo, result bar",
587  NULL, &rvalue);
588  FAIL_IF_NOT(rvalue);
589  FAIL_IF_NOT(bmd->nbytes == 4);
590  FAIL_IF_NOT(bmd->offset == 2);
591  FAIL_IF_NOT(bmd->oper == Addition);
592  FAIL_IF_NOT(strcmp(rvalue, "foo") == 0);
593  FAIL_IF_NOT(strcmp(bmd->result, "bar") == 0);
594  FAIL_IF_NOT(bmd->endian == DETECT_BYTEMATH_ENDIAN_DEFAULT);
595  FAIL_IF_NOT(bmd->base == DETECT_BYTEMATH_BASE_DEFAULT);
596 
597  DetectByteMathFree(NULL, bmd);
598 
599  SCFree(rvalue);
600 
601  PASS;
602 }
603 
604 static int DetectByteMathParseTest08(void)
605 {
606  /* ensure Parse checks the pointer value when rvalue is a var */
607  DetectByteMathData *bmd = DetectByteMathParse(NULL,
608  "bytes 4, offset 2, oper +,"
609  "rvalue foo, result bar",
610  NULL, NULL);
611  FAIL_IF_NOT(bmd == NULL);
612 
613  PASS;
614 }
615 
616 static int DetectByteMathParseTest09(void)
617 {
618  uint8_t flags = DETECT_BYTEMATH_FLAG_RELATIVE;
619 
620  DetectByteMathData *bmd = DetectByteMathParse(NULL,
621  "bytes 4, offset 2, oper +,"
622  "rvalue 39, result bar, relative",
623  NULL, NULL);
624  FAIL_IF(bmd == NULL);
625 
626  FAIL_IF_NOT(bmd->nbytes == 4);
627  FAIL_IF_NOT(bmd->offset == 2);
628  FAIL_IF_NOT(bmd->oper == Addition);
629  FAIL_IF_NOT(bmd->rvalue == 39);
630  FAIL_IF_NOT(strcmp(bmd->result, "bar") == 0);
631  FAIL_IF_NOT(bmd->flags == flags);
632  FAIL_IF_NOT(bmd->endian == DETECT_BYTEMATH_ENDIAN_DEFAULT);
633  FAIL_IF_NOT(bmd->base == DETECT_BYTEMATH_BASE_DEFAULT);
634 
635  DetectByteMathFree(NULL, bmd);
636 
637  PASS;
638 }
639 
640 static int DetectByteMathParseTest10(void)
641 {
642  uint8_t flags = DETECT_BYTEMATH_FLAG_ENDIAN;
643 
644  DetectByteMathData *bmd = DetectByteMathParse(NULL,
645  "bytes 4, offset 2, oper +,"
646  "rvalue 39, result bar, endian"
647  " big",
648  NULL, NULL);
649 
650  FAIL_IF(bmd == NULL);
651  FAIL_IF_NOT(bmd->nbytes == 4);
652  FAIL_IF_NOT(bmd->offset == 2);
653  FAIL_IF_NOT(bmd->oper == Addition);
654  FAIL_IF_NOT(bmd->rvalue == 39);
655  FAIL_IF_NOT(strcmp(bmd->result, "bar") == 0);
656  FAIL_IF_NOT(bmd->flags == flags);
657  FAIL_IF_NOT(bmd->endian == BigEndian);
658  FAIL_IF_NOT(bmd->base == DETECT_BYTEMATH_BASE_DEFAULT);
659 
660  DetectByteMathFree(NULL, bmd);
661 
662  PASS;
663 }
664 
665 static int DetectByteMathParseTest11(void)
666 {
667  uint8_t flags = DETECT_BYTEMATH_FLAG_ENDIAN;
668 
669  DetectByteMathData *bmd = DetectByteMathParse(NULL,
670  "bytes 4, offset 2, oper +, "
671  "rvalue 39, result bar, dce",
672  NULL, NULL);
673 
674  FAIL_IF(bmd == NULL);
675  FAIL_IF_NOT(bmd->nbytes == 4);
676  FAIL_IF_NOT(bmd->offset == 2);
677  FAIL_IF_NOT(bmd->oper == Addition);
678  FAIL_IF_NOT(bmd->rvalue == 39);
679  FAIL_IF_NOT(strcmp(bmd->result, "bar") == 0);
680  FAIL_IF_NOT(bmd->flags == flags);
681  FAIL_IF_NOT(bmd->endian == EndianDCE);
682  FAIL_IF_NOT(bmd->base == DETECT_BYTEMATH_BASE_DEFAULT);
683 
684  DetectByteMathFree(NULL, bmd);
685 
686  PASS;
687 }
688 
689 static int DetectByteMathParseTest12(void)
690 {
691  uint8_t flags = DETECT_BYTEMATH_FLAG_RELATIVE | DETECT_BYTEMATH_FLAG_STRING;
692 
693  DetectByteMathData *bmd = DetectByteMathParse(NULL,
694  "bytes 4, offset 2, oper +,"
695  "rvalue 39, result bar, "
696  "relative, string dec",
697  NULL, NULL);
698 
699  FAIL_IF(bmd == NULL);
700  FAIL_IF_NOT(bmd->nbytes == 4);
701  FAIL_IF_NOT(bmd->offset == 2);
702  FAIL_IF_NOT(bmd->oper == Addition);
703  FAIL_IF_NOT(bmd->rvalue == 39);
704  FAIL_IF_NOT(strcmp(bmd->result, "bar") == 0);
705  FAIL_IF_NOT(bmd->flags == flags);
706  FAIL_IF_NOT(bmd->endian == BigEndian);
707  FAIL_IF_NOT(bmd->base == BaseDec);
708 
709  DetectByteMathFree(NULL, bmd);
710 
711  PASS;
712 }
713 
714 static int DetectByteMathParseTest13(void)
715 {
716  uint8_t flags = DETECT_BYTEMATH_FLAG_STRING |
717  DETECT_BYTEMATH_FLAG_RELATIVE |
718  DETECT_BYTEMATH_FLAG_BITMASK;
719 
720  DetectByteMathData *bmd = DetectByteMathParse(NULL,
721  "bytes 4, offset 2, oper +, "
722  "rvalue 39, result bar, "
723  "relative, string dec, bitmask "
724  "0x8f40",
725  NULL, NULL);
726 
727  FAIL_IF(bmd == NULL);
728  FAIL_IF_NOT(bmd->nbytes == 4);
729  FAIL_IF_NOT(bmd->offset == 2);
730  FAIL_IF_NOT(bmd->oper == Addition);
731  FAIL_IF_NOT(bmd->rvalue == 39);
732  FAIL_IF_NOT(strcmp(bmd->result, "bar") == 0);
733  FAIL_IF_NOT(bmd->bitmask_val == 0x8f40);
734  FAIL_IF_NOT(bmd->bitmask_shift_count == 6);
735  FAIL_IF_NOT(bmd->flags == flags);
736  FAIL_IF_NOT(bmd->endian == BigEndian);
737  FAIL_IF_NOT(bmd->base == BaseDec);
738 
739  DetectByteMathFree(NULL, bmd);
740 
741  PASS;
742 }
743 
744 
745 static int DetectByteMathParseTest14(void)
746 {
747  /* incomplete */
748  DetectByteMathData *bmd = DetectByteMathParse(NULL,
749  "bytes 4, offset 2, oper +,"
750  "rvalue foo",
751  NULL, NULL);
752 
753  FAIL_IF_NOT(bmd == NULL);
754 
755  PASS;
756 }
757 
758 static int DetectByteMathParseTest15(void)
759 {
760 
761  /* incomplete */
762  DetectByteMathData *bmd = DetectByteMathParse(NULL,
763  "bytes 4, offset 2, oper +, "
764  "result bar",
765  NULL, NULL);
766 
767  FAIL_IF_NOT(bmd == NULL);
768 
769  PASS;
770 }
771 
772 static int DetectByteMathParseTest16(void)
773 {
774  uint8_t flags = DETECT_BYTEMATH_FLAG_STRING | DETECT_BYTEMATH_FLAG_RELATIVE |
775  DETECT_BYTEMATH_FLAG_BITMASK;
776 
777  DetectByteMathData *bmd = DetectByteMathParse(NULL,
778  "bytes 4, offset -2, oper +, "
779  "rvalue 39, result bar, "
780  "relative, string dec, bitmask "
781  "0x8f40",
782  NULL, NULL);
783 
784  FAIL_IF(bmd == NULL);
785  FAIL_IF_NOT(bmd->nbytes == 4);
786  FAIL_IF_NOT(bmd->offset == -2);
787  FAIL_IF_NOT(bmd->oper == Addition);
788  FAIL_IF_NOT(bmd->rvalue == 39);
789  FAIL_IF_NOT(strcmp(bmd->result, "bar") == 0);
790  FAIL_IF_NOT(bmd->bitmask_val == 0x8f40);
791  FAIL_IF_NOT(bmd->bitmask_shift_count == 6);
792  FAIL_IF_NOT(bmd->flags == flags);
793  FAIL_IF_NOT(bmd->endian == BigEndian);
794  FAIL_IF_NOT(bmd->base == BaseDec);
795 
796  DetectByteMathFree(NULL, bmd);
797 
798  PASS;
799 }
800 
801 static int DetectByteMathPacket01(void)
802 {
803  uint8_t buf[] = { 0x38, 0x35, 0x6d, 0x00, 0x00, 0x01,
804  0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
805  0x00, 0x00, 0x6d, 0x00, 0x01, 0x00 };
806  Flow f;
807  void *dns_state = NULL;
808  Packet *p = NULL;
809  Signature *s = NULL;
810  ThreadVars tv;
811  DetectEngineThreadCtx *det_ctx = NULL;
812  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
813 
814  memset(&tv, 0, sizeof(ThreadVars));
815  memset(&f, 0, sizeof(Flow));
816 
817  p = UTHBuildPacketReal(buf, sizeof(buf), IPPROTO_UDP,
818  "192.168.1.5", "192.168.1.1",
819  41424, 53);
820  FAIL_IF_NULL(p);
821 
822  FLOW_INITIALIZE(&f);
823  f.flags |= FLOW_IPV4;
824  f.proto = IPPROTO_UDP;
825  f.protomap = FlowGetProtoMapping(f.proto);
826 
827  p->flow = &f;
828  p->flags |= PKT_HAS_FLOW;
829  p->flowflags |= FLOW_PKT_TOSERVER;
830  f.alproto = ALPROTO_DNS;
831 
832  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
833  FAIL_IF_NULL(de_ctx);
834 
835  de_ctx->mpm_matcher = mpm_default_matcher;
836  de_ctx->flags |= DE_QUIET;
837 
838  /*
839  * byte_extract: Extract 1 byte from offset 0 --> 0x0038
840  * byte_math: Extract 1 byte from offset 2 (0x35)
841  * Add 0x35 + 0x38 = 109 (0x6d)
842  * byte_test: Compare 2 bytes at offset 13 bytes from last
843  * match and compare with 0x6d
844  */
845  s = DetectEngineAppendSig(de_ctx, "alert udp any any -> any any "
846  "(byte_extract: 1, 0, extracted_val, relative;"
847  "byte_math: bytes 1, offset 1, oper +, rvalue extracted_val, result var;"
848  "byte_test: 2, =, var, 13;"
849  "msg:\"Byte extract and byte math with byte test verification\";"
850  "sid:1;)");
851  FAIL_IF_NULL(s);
852 
853  /* this rule should not alert */
854  s = DetectEngineAppendSig(de_ctx, "alert udp any any -> any any "
855  "(byte_extract: 1, 0, extracted_val, relative;"
856  "byte_math: bytes 1, offset 1, oper +, rvalue extracted_val, result var;"
857  "byte_test: 2, !=, var, 13;"
858  "msg:\"Byte extract and byte math with byte test verification\";"
859  "sid:2;)");
860  FAIL_IF_NULL(s);
861 
862  /*
863  * this rule should alert:
864  * compares offset 15 with var ... 1 (offset 15) < 0x6d (var)
865  */
866  s = DetectEngineAppendSig(de_ctx, "alert udp any any -> any any "
867  "(byte_extract: 1, 0, extracted_val, relative;"
868  "byte_math: bytes 1, offset 1, oper +, rvalue extracted_val, result var;"
869  "byte_test: 2, <, var, 15;"
870  "msg:\"Byte extract and byte math with byte test verification\";"
871  "sid:3;)");
872  FAIL_IF_NULL(s);
873 
874  SigGroupBuild(de_ctx);
875  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
876  FAIL_IF_NULL(det_ctx);
877 
878  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS,
879  STREAM_TOSERVER, buf, sizeof(buf));
880  FAIL_IF_NOT(r == 0);
881 
882  dns_state = f.alstate;
883  FAIL_IF_NULL(dns_state);
884 
885  /* do detect */
886  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
887 
888  /* ensure sids 1 & 3 alerted */
889  FAIL_IF_NOT(PacketAlertCheck(p, 1));
890  FAIL_IF(PacketAlertCheck(p, 2));
891  FAIL_IF_NOT(PacketAlertCheck(p, 3));
892 
893  AppLayerParserThreadCtxFree(alp_tctx);
894  DetectEngineThreadCtxDeinit(&tv, det_ctx);
895  DetectEngineCtxFree(de_ctx);
896 
897  FLOW_DESTROY(&f);
898  UTHFreePacket(p);
899 
900  PASS;
901 }
902 
903 static int DetectByteMathPacket02(void)
904 {
905  uint8_t buf[] = { 0x38, 0x35, 0x6d, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
906  0x00, 0x70, 0x00, 0x01, 0x00 };
907  Flow f;
908  void *dns_state = NULL;
909  Packet *p = NULL;
910  Signature *s = NULL;
911  ThreadVars tv;
912  DetectEngineThreadCtx *det_ctx = NULL;
913  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
914 
915  memset(&tv, 0, sizeof(ThreadVars));
916  memset(&f, 0, sizeof(Flow));
917 
918  p = UTHBuildPacketReal(buf, sizeof(buf), IPPROTO_UDP, "192.168.1.5", "192.168.1.1", 41424, 53);
919  FAIL_IF_NULL(p);
920 
921  FLOW_INITIALIZE(&f);
922  f.flags |= FLOW_IPV4;
923  f.proto = IPPROTO_UDP;
924  f.protomap = FlowGetProtoMapping(f.proto);
925 
926  p->flow = &f;
927  p->flags |= PKT_HAS_FLOW;
928  p->flowflags |= FLOW_PKT_TOSERVER;
929  f.alproto = ALPROTO_DNS;
930 
931  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
932  FAIL_IF_NULL(de_ctx);
933 
934  de_ctx->mpm_matcher = mpm_default_matcher;
935  de_ctx->flags |= DE_QUIET;
936 
937  /*
938  * byte_extract: Extract 1 byte from offset 0 --> 0x38
939  * byte_math: Extract 1 byte from offset -1 (0x38)
940  * Add 0x38 + 0x38 = 112 (0x70)
941  * byte_test: Compare 2 bytes at offset 13 bytes from last
942  * match and compare with 0x70
943  */
944  s = DetectEngineAppendSig(de_ctx,
945  "alert udp any any -> any any "
946  "(byte_extract: 1, 0, extracted_val, relative;"
947  "byte_math: bytes 1, offset -1, oper +, rvalue extracted_val, result var, relative;"
948  "byte_test: 2, =, var, 13;"
949  "msg:\"Byte extract and byte math with byte test verification\";"
950  "sid:1;)");
951  FAIL_IF_NULL(s);
952 
953  /* this rule should not alert */
954  s = DetectEngineAppendSig(de_ctx,
955  "alert udp any any -> any any "
956  "(byte_extract: 1, 0, extracted_val, relative;"
957  "byte_math: bytes 1, offset -1, oper +, rvalue extracted_val, result var, relative;"
958  "byte_test: 2, !=, var, 13;"
959  "msg:\"Byte extract and byte math with byte test verification\";"
960  "sid:2;)");
961  FAIL_IF_NULL(s);
962 
963  /*
964  * this rule should alert:
965  * compares offset 15 with var ... 1 (offset 15) < 0x70 (var)
966  */
967  s = DetectEngineAppendSig(de_ctx,
968  "alert udp any any -> any any "
969  "(byte_extract: 1, 0, extracted_val, relative;"
970  "byte_math: bytes 1, offset -1, oper +, rvalue extracted_val, result var, relative;"
971  "byte_test: 2, <, var, 15;"
972  "msg:\"Byte extract and byte math with byte test verification\";"
973  "sid:3;)");
974  FAIL_IF_NULL(s);
975 
976  SigGroupBuild(de_ctx);
977  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
978  FAIL_IF_NULL(det_ctx);
979 
980  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS, STREAM_TOSERVER, buf, sizeof(buf));
981  FAIL_IF_NOT(r == 0);
982 
983  dns_state = f.alstate;
984  FAIL_IF_NULL(dns_state);
985 
986  /* do detect */
987  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
988 
989  /* ensure sids 1 & 3 alerted */
990  FAIL_IF_NOT(PacketAlertCheck(p, 1));
991  FAIL_IF(PacketAlertCheck(p, 2));
992  FAIL_IF_NOT(PacketAlertCheck(p, 3));
993 
994  AppLayerParserThreadCtxFree(alp_tctx);
995  DetectEngineThreadCtxDeinit(&tv, det_ctx);
996  DetectEngineCtxFree(de_ctx);
997 
998  FLOW_DESTROY(&f);
999  UTHFreePacket(p);
1000 
1001  PASS;
1002 }
1003 
1004 static int DetectByteMathContext01(void)
1005 {
1006  DetectEngineCtx *de_ctx = NULL;
1007  Signature *s = NULL;
1008  SigMatch *sm = NULL;
1009  DetectContentData *cd = NULL;
1010  DetectByteMathData *bmd = NULL;
1011 
1012  de_ctx = DetectEngineCtxInit();
1013  FAIL_IF(de_ctx == NULL);
1014 
1015  de_ctx->flags |= DE_QUIET;
1016  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1017  "(msg:\"Testing bytemath_body\"; "
1018  "content:\"|00 04 93 F3|\"; "
1019  "content:\"|00 00 00 07|\"; distance:4; within:4;"
1020  "byte_math:bytes 4, offset 0, oper +, rvalue "
1021  "248, result var, relative; sid:1;)");
1022 
1023  FAIL_IF(de_ctx->sig_list == NULL);
1024 
1025  FAIL_IF(s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL);
1026 
1027  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1028  FAIL_IF(sm->type != DETECT_CONTENT);
1029  cd = (DetectContentData *)sm->ctx;
1030  FAIL_IF(cd->flags & DETECT_CONTENT_WITHIN);
1031  FAIL_IF(cd->flags & DETECT_CONTENT_DISTANCE);
1032  FAIL_IF(cd->content_len != 4);
1033 
1034  sm = sm->next;
1035  FAIL_IF(sm->type != DETECT_CONTENT);
1036  sm = sm->next;
1037  FAIL_IF(sm->type != DETECT_BYTEMATH);
1038 
1039  FAIL_IF(sm->ctx == NULL);
1040 
1041  bmd = (DetectByteMathData *)sm->ctx;
1042  FAIL_IF_NOT(bmd->nbytes == 4);
1043  FAIL_IF_NOT(bmd->offset == 0);
1044  FAIL_IF_NOT(bmd->rvalue == 248);
1045  FAIL_IF_NOT(strcmp(bmd->result, "var") == 0);
1046  FAIL_IF_NOT(bmd->flags == DETECT_BYTEMATH_FLAG_RELATIVE);
1047  FAIL_IF_NOT(bmd->endian == BigEndian);
1048  FAIL_IF_NOT(bmd->oper == Addition);
1049  FAIL_IF_NOT(bmd->base == BaseDec);
1050 
1051  DetectEngineCtxFree(de_ctx);
1052 
1053  PASS;
1054 }
1055 
1056 static void DetectByteMathRegisterTests(void)
1057 {
1058  UtRegisterTest("DetectByteMathParseTest01", DetectByteMathParseTest01);
1059  UtRegisterTest("DetectByteMathParseTest02", DetectByteMathParseTest02);
1060  UtRegisterTest("DetectByteMathParseTest03", DetectByteMathParseTest03);
1061  UtRegisterTest("DetectByteMathParseTest04", DetectByteMathParseTest04);
1062  UtRegisterTest("DetectByteMathParseTest05", DetectByteMathParseTest05);
1063  UtRegisterTest("DetectByteMathParseTest06", DetectByteMathParseTest06);
1064  UtRegisterTest("DetectByteMathParseTest07", DetectByteMathParseTest07);
1065  UtRegisterTest("DetectByteMathParseTest08", DetectByteMathParseTest08);
1066  UtRegisterTest("DetectByteMathParseTest09", DetectByteMathParseTest09);
1067  UtRegisterTest("DetectByteMathParseTest10", DetectByteMathParseTest10);
1068  UtRegisterTest("DetectByteMathParseTest11", DetectByteMathParseTest11);
1069  UtRegisterTest("DetectByteMathParseTest12", DetectByteMathParseTest12);
1070  UtRegisterTest("DetectByteMathParseTest13", DetectByteMathParseTest13);
1071  UtRegisterTest("DetectByteMathParseTest14", DetectByteMathParseTest14);
1072  UtRegisterTest("DetectByteMathParseTest15", DetectByteMathParseTest15);
1073  UtRegisterTest("DetectByteMathParseTest16", DetectByteMathParseTest16);
1074  UtRegisterTest("DetectByteMathPacket01", DetectByteMathPacket01);
1075  UtRegisterTest("DetectByteMathPacket02", DetectByteMathPacket02);
1076  UtRegisterTest("DetectByteMathContext01", DetectByteMathContext01);
1077 }
1078 #endif /* UNITTESTS */
util-byte.h
SigTableElmt_::url
const char * url
Definition: detect.h:1462
DETECT_CONTENT_RELATIVE_NEXT
#define DETECT_CONTENT_RELATIVE_NEXT
Definition: detect-content.h:66
SignatureInitDataBuffer_::head
SigMatch * head
Definition: detect.h:534
detect-content.h
len
uint8_t len
Definition: app-layer-dnp3.h:2
DetectEngineThreadCtx_::buffer_offset
uint32_t buffer_offset
Definition: detect.h:1268
detect-engine.h
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:119
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:642
SigTableElmt_::desc
const char * desc
Definition: detect.h:1461
ByteExtractUint64
int ByteExtractUint64(uint64_t *res, int e, uint16_t len, const uint8_t *bytes)
Definition: util-byte.c:122
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:79
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1266
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:44
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1446
flow-util.h
ALPROTO_DNS
@ ALPROTO_DNS
Definition: app-layer-protos.h:47
SigTableElmt_::name
const char * name
Definition: detect.h:1459
SignatureInitData_::smlists_tail
struct SigMatch_ * smlists_tail[DETECT_SM_LIST_MAX]
Definition: detect.h:644
DETECT_BYTEJUMP
@ DETECT_BYTEJUMP
Definition: detect-engine-register.h:83
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:69
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:275
Flow_::proto
uint8_t proto
Definition: flow.h:378
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:142
Packet_::flags
uint32_t flags
Definition: decode.h:544
threads.h
Flow_
Flow data structure.
Definition: flow.h:356
Flow_::protomap
uint8_t protomap
Definition: flow.h:445
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:932
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2641
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:324
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:233
rust.h
DE_QUIET
#define DE_QUIET
Definition: detect.h:330
mpm_default_matcher
uint8_t mpm_default_matcher
Definition: util-mpm.c:48
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:2420
DetectContentData_
Definition: detect-content.h:93
DetectPcreData_::flags
uint16_t flags
Definition: detect-pcre.h:51
SCDetectSignatureSetAppProto
int SCDetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:2229
ByteExtractStringUint64
int ByteExtractStringUint64(uint64_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:234
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:3437
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:532
UTHBuildPacketReal
Packet * UTHBuildPacketReal(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, const char *src, const char *dst, uint16_t sport, uint16_t dport)
UTHBuildPacketReal is a function that create tcp/udp packets for unittests specifying ip and port sou...
Definition: util-unittest-helper.c:260
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1441
detect-pcre.h
DETECT_BYTEMATH_ENDIAN_DEFAULT
#define DETECT_BYTEMATH_ENDIAN_DEFAULT
Definition: detect-bytemath.c:61
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:100
DetectByteIndexType
uint8_t DetectByteIndexType
Definition: detect-byte.h:28
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
DetectGetLastSMByListId
SigMatch * DetectGetLastSMByListId(const Signature *s, int list_id,...)
Returns the sm with the largest index (added last) from the list passed to us as an id.
Definition: detect-parse.c:658
DetectByteMathRetrieveSMVar
SigMatch * DetectByteMathRetrieveSMVar(const char *arg, int sm_list, const Signature *s)
Lookup the SigMatch for a named byte_math variable.
Definition: detect-bytemath.c:445
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
decode.h
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
DETECT_CONTENT_DISTANCE
#define DETECT_CONTENT_DISTANCE
Definition: detect-content.h:30
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
DetectEngineThreadCtx_
Definition: detect.h:1244
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:23
SignatureInitData_::list
int list
Definition: detect.h:628
detect-engine-mpm.h
SCSigMatchAppendSMToList
SigMatch * SCSigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:388
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3372
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:360
DetectEngineCtx_::mpm_matcher
uint8_t mpm_matcher
Definition: detect.h:935
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:3095
app-layer-parser.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:359
BYTE_BIG_ENDIAN
#define BYTE_BIG_ENDIAN
Definition: util-byte.h:29
FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:99
Packet_
Definition: decode.h:501
detect-engine-build.h
detect-engine-alert.h
DetectContentData_::flags
uint32_t flags
Definition: detect-content.h:104
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:747
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1421
detect-byte.h
DetectEngineCtx_::byte_extract_max_local_id
int32_t byte_extract_max_local_id
Definition: detect.h:1010
DETECT_PCRE
@ DETECT_PCRE
Definition: detect-engine-register.h:71
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2204
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:297
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:351
DETECT_SM_LIST_NOTSET
#define DETECT_SM_LIST_NOTSET
Definition: detect.h:144
DETECT_BYTETEST
@ DETECT_BYTETEST
Definition: detect-engine-register.h:82
BYTE_LITTLE_ENDIAN
#define BYTE_LITTLE_ENDIAN
Definition: util-byte.h:30
Packet_::flow
struct Flow_ * flow
Definition: decode.h:546
DetectByteMathDoMatch
int DetectByteMathDoMatch(DetectEngineThreadCtx *det_ctx, const DetectByteMathData *data, const Signature *s, const uint8_t *payload, const uint32_t payload_len, uint8_t nbytes, uint64_t rvalue, uint64_t *value, uint8_t endian)
Definition: detect-bytemath.c:90
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
flags
uint8_t flags
Definition: decode-gre.h:0
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1291
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:357
DETECT_BYTEMATH_BASE_DEFAULT
#define DETECT_BYTEMATH_BASE_DEFAULT
Definition: detect-bytemath.c:62
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3608
util-spm.h
detect-engine-buffer.h
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:941
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
DetectBytemathRegister
void DetectBytemathRegister(void)
Registers the keyword handlers for the "byte_math" keyword.
Definition: detect-bytemath.c:71
SignatureInitData_::buffers
SignatureInitDataBuffer * buffers
Definition: detect.h:647
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:267
SigMatchListSMBelongsTo
int SigMatchListSMBelongsTo(const Signature *s, const SigMatch *key_sm)
Definition: detect-parse.c:763
SCFree
#define SCFree(p)
Definition: util-mem.h:61
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:473
Flow_::alstate
void * alstate
Definition: flow.h:479
DETECT_BYTE_EXTRACT
@ DETECT_BYTE_EXTRACT
Definition: detect-engine-register.h:85
Flow_::flags
uint32_t flags
Definition: flow.h:421
detect-parse.h
Signature_
Signature container.
Definition: detect.h:668
SigMatch_
a single match condition for a signature
Definition: detect.h:356
payload_len
uint16_t payload_len
Definition: stream-tcp-private.h:1
DETECT_ISDATAAT
@ DETECT_ISDATAAT
Definition: detect-engine-register.h:93
DETECT_SM_LIST_MAX
@ DETECT_SM_LIST_MAX
Definition: detect.h:135
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2602
DETECT_PCRE_RELATIVE_NEXT
#define DETECT_PCRE_RELATIVE_NEXT
Definition: detect-pcre.h:34
app-layer-protos.h
DetectPcreData_
Definition: detect-pcre.h:47
DetectContentData_::content_len
uint16_t content_len
Definition: detect-content.h:95
DETECT_BYTEMATH
@ DETECT_BYTEMATH
Definition: detect-engine-register.h:84
DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition: detect-parse.c:564
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:934
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:60
DetectByteRetrieveSMVar
bool DetectByteRetrieveSMVar(const char *arg, const Signature *s, int sm_list, DetectByteIndexType *index)
Used to retrieve args from BM.
Definition: detect-byte.c:41
flow.h
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:450
DetectBufferGetActiveList
int DetectBufferGetActiveList(DetectEngineCtx *de_ctx, Signature *s)
Definition: detect-engine-buffer.c:109
SignatureInitData_::buffer_index
uint32_t buffer_index
Definition: detect.h:648
flow-var.h
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:119
DETECT_CONTENT_WITHIN
#define DETECT_CONTENT_WITHIN
Definition: detect-content.h:31
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1448
detect-bytemath.h