suricata
detect-csum.c File Reference
#include "suricata-common.h"
#include "debug.h"
#include "decode.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-csum.h"
#include "util-unittest.h"
#include "util-debug.h"
#include "pkt-var.h"
#include "host.h"
#include "util-profiling.h"
#include "detect-engine.h"
#include "stream-tcp.h"
Include dependency graph for detect-csum.c:

Go to the source code of this file.

Macros

#define mystr(s)   #s
 
#define TEST1(kwstr)
 
#define TEST2(kwstr)
 
#define TEST3(kwstr, kwtype)
 

Functions

void DetectCsumRegister (void)
 Registers handlers for all the checksum keywords. The checksum keywords that are registered are ipv4-sum, tcpv4-csum, tcpv6-csum, udpv4-csum, udpv6-csum, icmpv4-csum and icmpv6-csum. More...
 

Detailed Description

Author
Anoop Saldanha anoop.nosp@m.sald.nosp@m.anha@.nosp@m.gmai.nosp@m.l.com

Implements checksum keyword.

Definition in file detect-csum.c.

Macro Definition Documentation

◆ mystr

#define mystr (   s)    #s

Definition at line 895 of file detect-csum.c.

◆ TEST1

#define TEST1 (   kwstr)
Value:
{\
DetectEngineCtx *de_ctx = DetectEngineCtxInit();\
FAIL_IF_NULL(de_ctx);\
de_ctx->flags = DE_QUIET;\
\
Signature *s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:valid; sid:1;)");\
FAIL_IF_NULL(s);\
s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:invalid; sid:2;)");\
FAIL_IF_NULL(s);\
s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:vaLid; sid:3;)");\
FAIL_IF_NULL(s);\
s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:VALID; sid:4;)");\
FAIL_IF_NULL(s);\
s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:iNvaLid; sid:5;)");\
FAIL_IF_NULL(s);\
DetectEngineCtxFree(de_ctx);\
}

Definition at line 896 of file detect-csum.c.

◆ TEST2

#define TEST2 (   kwstr)
Value:
{ \
DetectEngineCtx *de_ctx = DetectEngineCtxInit();\
FAIL_IF_NULL(de_ctx);\
Signature *s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:vaid; sid:1;)");\
FAIL_IF(s);\
s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:invaalid; sid:2;)");\
FAIL_IF(s);\
s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:vaLiid; sid:3;)");\
FAIL_IF(s);\
s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:VALieD; sid:4;)");\
FAIL_IF(s);\
s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:iNvamid; sid:5;)");\
FAIL_IF(s);\
DetectEngineCtxFree(de_ctx);\
}

Definition at line 928 of file detect-csum.c.

◆ TEST3

#define TEST3 (   kwstr,
  kwtype 
)
Value:
{ \
DetectEngineCtx *de_ctx = DetectEngineCtxInit();\
FAIL_IF_NULL(de_ctx);\
Signature *s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:valid; sid:1;)");\
FAIL_IF_NULL(s);\
SigMatch *sm = DetectGetLastSMFromLists(s, (kwtype), -1);\
FAIL_IF_NULL(sm);\
FAIL_IF_NULL(sm->ctx);\
FAIL_IF_NOT(((DetectCsumData *)sm->ctx)->valid == 1);\
s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:INVALID; sid:2;)");\
FAIL_IF_NULL(s);\
sm = DetectGetLastSMFromLists(s, (kwtype), -1);\
FAIL_IF_NULL(sm);\
FAIL_IF_NULL(sm->ctx);\
FAIL_IF_NOT(((DetectCsumData *)sm->ctx)->valid == 0);\
DetectEngineCtxFree(de_ctx);\
}

Definition at line 957 of file detect-csum.c.

Function Documentation

◆ DetectCsumRegister()

void DetectCsumRegister ( void  )

Registers handlers for all the checksum keywords. The checksum keywords that are registered are ipv4-sum, tcpv4-csum, tcpv6-csum, udpv4-csum, udpv6-csum, icmpv4-csum and icmpv6-csum.

Each of the checksum keywords implemented here takes 2 arguments - "valid" or "invalid". If the rule keyword in the signature is specified as "valid", the Match function would return TRUE if the checksum for that particular packet and protocol is valid. Similarly for "invalid".

The Setup functions takes 4 arguments -

DetectEngineCtx * (de_ctx) - A pointer to the detection engine context Signature *(s) - Pointer to signature for the current Signature being parsed from the rules SigMatchCtx * (m) - Pointer to the head of the SigMatchs added to the current Signature being parsed char * (csum_str) - Pointer to a string holding the keyword value

The Setup function returns 0 if it successfully parses the keyword value, and -1 otherwise.

The Match function takes 5 arguments -

ThreadVars * (t) - Pointer to the tv for the detection module instance DetectEngineThreadCtx * (det_ctx) - Pointer to the detection engine thread context Packet * (p) - Pointer to the Packet currently being handled Signature * (s) - Pointer to the Signature, the packet is being currently matched with SigMatchCtx * (m) - Pointer to the keyword structure from the above Signature, the Packet is being currently matched with

The Match function returns 1 if the Packet contents match the keyword, and 0 otherwise

The Free function takes a single argument -

void * (ptr) - Pointer to the DetectCsumData for a keyword

Definition at line 130 of file detect-csum.c.

References DETECT_IPV4_CSUM, SigTableElmt_::Match, SigTableElmt_::name, and sigmatch_table.

Referenced by SigTableSetup().

Here is the caller graph for this function:
DE_QUIET
#define DE_QUIET
Definition: detect.h:294
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2361
DetectCsumData_
Definition: detect-csum.h:30
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2048
mystr
#define mystr(s)
Definition: detect-csum.c:894
DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition: detect-parse.c:468