detect-csum.c File Reference
#include "suricata-common.h"
#include "debug.h"
#include "decode.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-csum.h"
#include "util-unittest.h"
#include "util-debug.h"
#include "pkt-var.h"
#include "host.h"
#include "util-profiling.h"
#include "detect-engine.h"
#include "stream-tcp.h"


Macros

#define mystr(s)   #s
 
#define TEST1(kwstr)
 
#define TEST2(kwstr)
 
#define TEST3(kwstr, kwtype)
 

Functions

void DetectCsumRegister (void)
 Registers handlers for all the checksum keywords. The checksum keywords that are registered are ipv4-csum, tcpv4-csum, tcpv6-csum, udpv4-csum, udpv6-csum, icmpv4-csum and icmpv6-csum. More...
 

Detailed Description

Author
Anoop Saldanha anoop.nosp@m.sald.nosp@m.anha@.nosp@m.gmai.nosp@m.l.com

Implements checksum keyword.

Definition in file detect-csum.c.

Macro Definition Documentation

#define mystr (   s)    #s

Definition at line 898 of file detect-csum.c.

#define TEST1 (   kwstr)
Value:
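{\
    /* Positive parse test for the <kwstr>-csum keyword: every case-spelling */\
    /* of "valid" / "invalid" below must be accepted by the keyword parser.  */\
    /* de_ctx is expected to be an initialised DetectEngineCtx owned by the   */\
    /* enclosing scope; it is neither created nor freed here.               */\
    FAIL_IF_NULL(de_ctx);\
    de_ctx->flags = DE_QUIET;\
    \
    /* Each DetectEngineAppendSig() result is checked: a NULL return means  */\
    /* the signature failed to parse, which would otherwise go unnoticed.   */\
    Signature *s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:valid; sid:1;)");\
    FAIL_IF_NULL(s);\
    s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:invalid; sid:2;)");\
    FAIL_IF_NULL(s);\
    s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:vaLid; sid:3;)");\
    FAIL_IF_NULL(s);\
    s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:VALID; sid:4;)");\
    FAIL_IF_NULL(s);\
    s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:iNvaLid; sid:5;)");\
    FAIL_IF_NULL(s);\
}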
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
struct Signature_ Signature
Signature container.
#define DE_QUIET
Definition: detect.h:296
struct DetectEngineCtx_ DetectEngineCtx
main detection engine ctx
#define mystr(s)
Definition: detect-csum.c:898
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx.
DetectEngineCtx * DetectEngineCtxInit(void)

Definition at line 899 of file detect-csum.c.

#define TEST2 (   kwstr)
Value:
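{ \
    /* Negative parse test for the <kwstr>-csum keyword: each value below is */\
    /* a misspelling of "valid" / "invalid" and must be rejected.           */\
    /* A parse failure is reported by DetectEngineAppendSig() returning NULL, */\
    /* so a non-NULL Signature here means a malformed value was accepted.   */\
    Signature *s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:vaid; sid:1;)");\
    FAIL_IF(s != NULL);\
    s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:invaalid; sid:2;)");\
    FAIL_IF(s != NULL);\
    s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:vaLiid; sid:3;)");\
    FAIL_IF(s != NULL);\
    s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:VALieD; sid:4;)");\
    FAIL_IF(s != NULL);\
    s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:iNvamid; sid:5;)");\
    FAIL_IF(s != NULL);\
}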
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
struct Signature_ Signature
Signature container.
struct DetectEngineCtx_ DetectEngineCtx
main detection engine ctx
#define mystr(s)
Definition: detect-csum.c:898
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx.
DetectEngineCtx * DetectEngineCtxInit(void)

Definition at line 931 of file detect-csum.c.

#define TEST3 (   kwstr,
  kwtype 
)
Value:
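{ \
    /* Checks that the parsed keyword value is stored in DetectCsumData:    */\
    /* "valid" must yield valid == 1 and "INVALID" must yield valid == 0.   */\
    /* kwtype selects the sigmatch type looked up in the signature's lists.  */\
    Signature *s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:valid; sid:1;)");\
    FAIL_IF_NULL(s);\
    SigMatch *sm = DetectGetLastSMFromLists(s, (kwtype), -1);\
    /* sm is checked before sm->ctx is read: a failed lookup must fail the  */\
    /* test rather than dereference NULL.                                  */\
    FAIL_IF_NULL(sm);\
    FAIL_IF_NULL(sm->ctx);\
    FAIL_IF_NOT(((DetectCsumData *)sm->ctx)->valid == 1);\
    s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:INVALID; sid:2;)");\
    FAIL_IF_NULL(s);\
    sm = DetectGetLastSMFromLists(s, (kwtype), -1);\
    FAIL_IF_NULL(sm);\
    FAIL_IF_NULL(sm->ctx);\
    FAIL_IF_NOT(((DetectCsumData *)sm->ctx)->valid == 0);\
}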
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
struct SigMatch_ SigMatch
a single match condition for a signature
struct Signature_ Signature
Signature container.
struct DetectEngineCtx_ DetectEngineCtx
main detection engine ctx
#define mystr(s)
Definition: detect-csum.c:898
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us. ...
Definition: detect-parse.c:407
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx.
#define FAIL_IF_NOT(expr)
Fail a test if expression does not evaluate to true.
Definition: util-unittest.h:82
DetectEngineCtx * DetectEngineCtxInit(void)

Definition at line 960 of file detect-csum.c.

Function Documentation

void DetectCsumRegister ( void  )

Registers handlers for all the checksum keywords. The checksum keywords that are registered are ipv4-csum, tcpv4-csum, tcpv6-csum, udpv4-csum, udpv6-csum, icmpv4-csum and icmpv6-csum.

Each of the checksum keywords implemented here accepts one of 2 argument values - "valid" or "invalid". If the keyword in the signature is specified as "valid", the Match function returns TRUE if the checksum for that particular packet and protocol is valid. Similarly for "invalid".

The Setup function takes 4 arguments -

DetectEngineCtx * (de_ctx) - A pointer to the detection engine context
Signature * (s) - Pointer to the Signature currently being parsed from the rules
SigMatchCtx * (m) - Pointer to the head of the SigMatchs added to the current Signature being parsed
char * (csum_str) - Pointer to a string holding the keyword value

The Setup function returns 0 if it successfully parses the keyword value, and -1 otherwise.

The Match function takes 5 arguments -

ThreadVars * (t) - Pointer to the tv for the detection module instance
DetectEngineThreadCtx * (det_ctx) - Pointer to the detection engine thread context
Packet * (p) - Pointer to the Packet currently being handled
Signature * (s) - Pointer to the Signature the packet is currently being matched with
SigMatchCtx * (m) - Pointer to the keyword structure from the above Signature that the Packet is currently being matched with

The Match function returns 1 if the Packet contents match the keyword, and 0 otherwise.

The Free function takes a single argument -

void * (ptr) - Pointer to the DetectCsumData for a keyword

Definition at line 128 of file detect-csum.c.

References ICMPV6Hdr_::csum, SigMatch_::ctx, DETECT_CSUM_INVALID, DETECT_CSUM_VALID, DETECT_ICMPV4_CSUM, DETECT_ICMPV6_CSUM, DETECT_IPV4_CSUM, DETECT_SM_LIST_MATCH, DETECT_TCPV4_CSUM, DETECT_TCPV6_CSUM, DETECT_UDPV4_CSUM, DETECT_UDPV6_CSUM, Packet_::flags, SigTableElmt_::Free, GET_PKT_DATA, GET_PKT_LEN, Packet_::icmpv4h, Packet_::icmpv6h, Packet_::ip4h, Packet_::ip6h, IPV4Hdr_::ip_csum, IPV4_GET_HLEN, IPV4_GET_RAW_HLEN, IPV4_GET_RAW_IPLEN, IPV6_GET_RAW_PLEN, IPV6_HEADER_LEN, len, Packet_::level3_comp_csum, Packet_::level4_comp_csum, SigTableElmt_::Match, SigTableElmt_::name, Packet_::payload_len, PKT_IGNORE_CHECKSUM, PKT_IS_PSEUDOPKT, Packet_::proto, SigTableElmt_::RegisterTests, SCFree, SCMalloc, SCNtohs, SCStrdup, SigTableElmt_::Setup, sigmatch_table, SigMatchAlloc(), SigMatchAppendSMToList(), str, TCP_GET_HLEN, Packet_::tcph, SigMatch_::type, UDP_HEADER_LEN, Packet_::udph, unlikely, and DetectCsumData_::valid.

Referenced by SigTableSetup().

