suricata
detect-csum.c File Reference
#include "suricata-common.h"
#include "decode.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-csum.h"
#include "util-unittest.h"
#include "util-debug.h"
#include "pkt-var.h"
#include "host.h"
#include "util-profiling.h"
#include "detect-engine-build.h"
#include "util-unittest-helper.h"
#include "detect-engine.h"
#include "detect-engine-alert.h"
#include "packet.h"
#include "stream-tcp.h"
Include dependency graph for detect-csum.c:

Go to the source code of this file.

Data Structures

struct  DetectCsumData_
 

Macros

#define DETECT_CSUM_VALID   "valid"
 
#define DETECT_CSUM_INVALID   "invalid"
 
#define mystr(s)   #s
 
#define TEST1(kwstr)
 
#define TEST2(kwstr)
 
#define TEST3(kwstr, kwtype)
 

Typedefs

typedef struct DetectCsumData_ DetectCsumData
 

Functions

void DetectCsumRegister (void)
 Registers handlers for all the checksum keywords. The checksum keywords that are registered are ipv4-sum, tcpv4-csum, tcpv6-csum, udpv4-csum, udpv6-csum, icmpv4-csum and icmpv6-csum. More...
 

Detailed Description

Author
Anoop Saldanha anoop.nosp@m.sald.nosp@m.anha@.nosp@m.gmai.nosp@m.l.com

Implements checksum keyword.

Definition in file detect-csum.c.

Macro Definition Documentation

◆ DETECT_CSUM_INVALID

#define DETECT_CSUM_INVALID   "invalid"

Definition at line 44 of file detect-csum.c.

◆ DETECT_CSUM_VALID

#define DETECT_CSUM_VALID   "valid"

Definition at line 43 of file detect-csum.c.

◆ mystr

#define mystr (   s)    #s

Definition at line 801 of file detect-csum.c.

◆ TEST1

#define TEST1 (   kwstr)
Value:
{\
DetectEngineCtx *de_ctx = DetectEngineCtxInit();\
FAIL_IF_NULL(de_ctx);\
de_ctx->flags = DE_QUIET;\
\
Signature *s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:valid; sid:1;)");\
FAIL_IF_NULL(s);\
s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:invalid; sid:2;)");\
FAIL_IF_NULL(s);\
s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:vaLid; sid:3;)");\
FAIL_IF_NULL(s);\
s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:VALID; sid:4;)");\
FAIL_IF_NULL(s);\
s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:iNvaLid; sid:5;)");\
FAIL_IF_NULL(s);\
DetectEngineCtxFree(de_ctx);\
}

Definition at line 802 of file detect-csum.c.

◆ TEST2

#define TEST2 (   kwstr)
Value:
{ \
DetectEngineCtx *de_ctx = DetectEngineCtxInit(); \
FAIL_IF_NULL(de_ctx); \
Signature *s = DetectEngineAppendSig( \
de_ctx, "alert ip any any -> any any (" mystr(kwstr) "-csum:xxxx; sid:1;)"); \
FAIL_IF(s); \
de_ctx, "alert ip any any -> any any (" mystr(kwstr) "-csum:xxxxxxxx; sid:2;)"); \
FAIL_IF(s); \
de_ctx, "alert ip any any -> any any (" mystr(kwstr) "-csum:xxxxxx; sid:3;)"); \
FAIL_IF(s); \
de_ctx, "alert ip any any -> any any (" mystr(kwstr) "-csum:XXXXXX; sid:4;)"); \
FAIL_IF(s); \
de_ctx, "alert ip any any -> any any (" mystr(kwstr) "-csum:XxXxXxX; sid:5;)"); \
FAIL_IF(s); \
DetectEngineCtxFree(de_ctx); \
}

Definition at line 834 of file detect-csum.c.

◆ TEST3

#define TEST3 (   kwstr,
  kwtype 
)
Value:
{ \
DetectEngineCtx *de_ctx = DetectEngineCtxInit();\
FAIL_IF_NULL(de_ctx);\
Signature *s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:valid; sid:1;)");\
FAIL_IF_NULL(s);\
SigMatch *sm = DetectGetLastSMFromLists(s, (kwtype), -1);\
FAIL_IF_NULL(sm);\
FAIL_IF_NULL(sm->ctx);\
FAIL_IF_NOT(((DetectCsumData *)sm->ctx)->valid == 1);\
s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:INVALID; sid:2;)");\
FAIL_IF_NULL(s);\
sm = DetectGetLastSMFromLists(s, (kwtype), -1);\
FAIL_IF_NULL(sm);\
FAIL_IF_NULL(sm->ctx);\
FAIL_IF_NOT(((DetectCsumData *)sm->ctx)->valid == 0);\
DetectEngineCtxFree(de_ctx);\
}

Definition at line 869 of file detect-csum.c.

Typedef Documentation

◆ DetectCsumData

Function Documentation

◆ DetectCsumRegister()

void DetectCsumRegister ( void  )

Registers handlers for all the checksum keywords. The checksum keywords that are registered are ipv4-sum, tcpv4-csum, tcpv6-csum, udpv4-csum, udpv6-csum, icmpv4-csum and icmpv6-csum.

Each of the checksum keywords implemented here takes 2 arguments - "valid" or "invalid". If the rule keyword in the signature is specified as "valid", the Match function would return TRUE if the checksum for that particular packet and protocol is valid. Similarly for "invalid".

The Setup functions takes 4 arguments -

DetectEngineCtx * (de_ctx) - A pointer to the detection engine context Signature *(s) - Pointer to signature for the current Signature being parsed from the rules SigMatchCtx * (m) - Pointer to the head of the SigMatchs added to the current Signature being parsed char * (csum_str) - Pointer to a string holding the keyword value

The Setup function returns 0 if it successfully parses the keyword value, and -1 otherwise.

The Match function takes 5 arguments -

ThreadVars * (t) - Pointer to the tv for the detection module instance DetectEngineThreadCtx * (det_ctx) - Pointer to the detection engine thread context Packet * (p) - Pointer to the Packet currently being handled Signature * (s) - Pointer to the Signature, the packet is being currently matched with SigMatchCtx * (m) - Pointer to the keyword structure from the above Signature, the Packet is being currently matched with

The Match function returns 1 if the Packet contents match the keyword, and 0 otherwise

The Free function takes a single argument -

void * (ptr) - Pointer to the DetectCsumData for a keyword

Definition at line 139 of file detect-csum.c.

References DETECT_IPV4_CSUM, SigTableElmt_::Match, SigTableElmt_::name, and sigmatch_table.

Referenced by SigTableSetup().

Here is the caller graph for this function:
DE_QUIET
#define DE_QUIET
Definition: detect.h:323
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2587
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectCsumData_
Definition: detect-csum.c:45
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2572
mystr
#define mystr(s)
Definition: detect-csum.c:800
DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition: detect-parse.c:606