suricata
detect-csum.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2024 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  *
23  * Implements checksum keyword.
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 
29 #include "detect.h"
30 #include "detect-parse.h"
31 
32 #include "detect-csum.h"
33 
34 #include "util-unittest.h"
35 #include "util-debug.h"
36 
37 #include "pkt-var.h"
38 #include "host.h"
39 #include "util-profiling.h"
40 #include "detect-engine-build.h"
41 
42 #define DETECT_CSUM_VALID "valid"
43 #define DETECT_CSUM_INVALID "invalid"
44 
45 typedef struct DetectCsumData_ {
46  /* Indicates if the csum-<protocol> keyword in a rule holds the
47  keyvalue "valid" or "invalid" */
48  int16_t valid;
50 
51 /* prototypes for the "ipv4-csum" rule keyword */
52 static int DetectIPV4CsumMatch(DetectEngineThreadCtx *,
53  Packet *, const Signature *, const SigMatchCtx *);
54 static int DetectIPV4CsumSetup(DetectEngineCtx *, Signature *, const char *);
55 static void DetectIPV4CsumFree(DetectEngineCtx *, void *);
56 
57 /* prototypes for the "tcpv4-csum" rule keyword */
58 static int DetectTCPV4CsumMatch(DetectEngineThreadCtx *,
59  Packet *, const Signature *, const SigMatchCtx *);
60 static int DetectTCPV4CsumSetup(DetectEngineCtx *, Signature *, const char *);
61 static void DetectTCPV4CsumFree(DetectEngineCtx *, void *);
62 
63 /* prototypes for the "tcpv6-csum" rule keyword */
64 static int DetectTCPV6CsumMatch(DetectEngineThreadCtx *,
65  Packet *, const Signature *, const SigMatchCtx *);
66 static int DetectTCPV6CsumSetup(DetectEngineCtx *, Signature *, const char *);
67 static void DetectTCPV6CsumFree(DetectEngineCtx *, void *);
68 
69 /* prototypes for the "udpv4-csum" rule keyword */
70 static int DetectUDPV4CsumMatch(DetectEngineThreadCtx *,
71  Packet *, const Signature *, const SigMatchCtx *);
72 static int DetectUDPV4CsumSetup(DetectEngineCtx *, Signature *, const char *);
73 static void DetectUDPV4CsumFree(DetectEngineCtx *, void *);
74 
75 /* prototypes for the "udpv6-csum" rule keyword */
76 static int DetectUDPV6CsumMatch(DetectEngineThreadCtx *,
77  Packet *, const Signature *, const SigMatchCtx *);
78 static int DetectUDPV6CsumSetup(DetectEngineCtx *, Signature *, const char *);
79 static void DetectUDPV6CsumFree(DetectEngineCtx *de_ctx, void *);
80 
81 /* prototypes for the "icmpv4-csum" rule keyword */
82 static int DetectICMPV4CsumMatch(DetectEngineThreadCtx *,
83  Packet *, const Signature *, const SigMatchCtx *);
84 static int DetectICMPV4CsumSetup(DetectEngineCtx *, Signature *, const char *);
85 static void DetectICMPV4CsumFree(DetectEngineCtx *, void *);
86 
87 /* prototypes for the "icmpv6-csum" rule keyword */
88 static int DetectICMPV6CsumMatch(DetectEngineThreadCtx *,
89  Packet *, const Signature *, const SigMatchCtx *);
90 static int DetectICMPV6CsumSetup(DetectEngineCtx *, Signature *, const char *);
91 static void DetectICMPV6CsumFree(DetectEngineCtx *, void *);
92 
93 #ifdef UNITTESTS
94 static void DetectCsumRegisterTests(void);
95 #endif
96 
97 /**
98  * \brief Registers handlers for all the checksum keywords. The checksum
99  * keywords that are registered are ipv4-sum, tcpv4-csum, tcpv6-csum,
100  * udpv4-csum, udpv6-csum, icmpv4-csum and icmpv6-csum.
101  *
102  * Each of the checksum keywords implemented here takes 2 arguments -
103  * "valid" or "invalid". If the rule keyword in the signature is
104  * specified as "valid", the Match function would return TRUE if the
105  * checksum for that particular packet and protocol is valid. Similarly
106  * for "invalid".
107  *
108  * The Setup functions takes 4 arguments -
109  *
110  * DetectEngineCtx * (de_ctx) - A pointer to the detection engine context
111  * Signature *(s) - Pointer to signature for the current Signature being
112  * parsed from the rules
113  * SigMatchCtx * (m) - Pointer to the head of the SigMatchs added to the
114  * current Signature being parsed
115  * char * (csum_str) - Pointer to a string holding the keyword value
116  *
117  * The Setup function returns 0 if it successfully parses the keyword
118  * value, and -1 otherwise.
119  *
120  * The Match function takes 5 arguments -
121  *
122  * ThreadVars * (t) - Pointer to the tv for the detection module instance
123  * DetectEngineThreadCtx * (det_ctx) - Pointer to the detection engine
124  * thread context
125  * Packet * (p) - Pointer to the Packet currently being handled
126  * Signature * (s) - Pointer to the Signature, the packet is being
127  * currently matched with
128  * SigMatchCtx * (m) - Pointer to the keyword structure from the above
129  * Signature, the Packet is being currently matched
130  * with
131  *
132  * The Match function returns 1 if the Packet contents match the keyword,
133  * and 0 otherwise
134  *
135  * The Free function takes a single argument -
136  *
137  * void * (ptr) - Pointer to the DetectCsumData for a keyword
138  */
140 {
141  sigmatch_table[DETECT_IPV4_CSUM].name = "ipv4-csum";
142  sigmatch_table[DETECT_IPV4_CSUM].Match = DetectIPV4CsumMatch;
143  sigmatch_table[DETECT_IPV4_CSUM].Setup = DetectIPV4CsumSetup;
144  sigmatch_table[DETECT_IPV4_CSUM].Free = DetectIPV4CsumFree;
145  sigmatch_table[DETECT_IPV4_CSUM].desc = "match on IPv4 checksum";
146 #ifdef UNITTESTS
147  sigmatch_table[DETECT_IPV4_CSUM].RegisterTests = DetectCsumRegisterTests;
148 #endif
149 
150  sigmatch_table[DETECT_TCPV4_CSUM].name = "tcpv4-csum";
151  sigmatch_table[DETECT_TCPV4_CSUM].Match = DetectTCPV4CsumMatch;
152  sigmatch_table[DETECT_TCPV4_CSUM].Setup = DetectTCPV4CsumSetup;
153  sigmatch_table[DETECT_TCPV4_CSUM].Free = DetectTCPV4CsumFree;
154  sigmatch_table[DETECT_TCPV4_CSUM].desc = "match on IPv4/TCP checksum";
155 
156  sigmatch_table[DETECT_TCPV6_CSUM].name = "tcpv6-csum";
157  sigmatch_table[DETECT_TCPV6_CSUM].Match = DetectTCPV6CsumMatch;
158  sigmatch_table[DETECT_TCPV6_CSUM].Setup = DetectTCPV6CsumSetup;
159  sigmatch_table[DETECT_TCPV6_CSUM].Free = DetectTCPV6CsumFree;
160  sigmatch_table[DETECT_TCPV6_CSUM].desc = "match on IPv6/TCP checksum";
161 
162  sigmatch_table[DETECT_UDPV4_CSUM].name = "udpv4-csum";
163  sigmatch_table[DETECT_UDPV4_CSUM].Match = DetectUDPV4CsumMatch;
164  sigmatch_table[DETECT_UDPV4_CSUM].Setup = DetectUDPV4CsumSetup;
165  sigmatch_table[DETECT_UDPV4_CSUM].Free = DetectUDPV4CsumFree;
166  sigmatch_table[DETECT_UDPV4_CSUM].desc = "match on IPv4/UDP checksum";
167 
168  sigmatch_table[DETECT_UDPV6_CSUM].name = "udpv6-csum";
169  sigmatch_table[DETECT_UDPV6_CSUM].Match = DetectUDPV6CsumMatch;
170  sigmatch_table[DETECT_UDPV6_CSUM].Setup = DetectUDPV6CsumSetup;
171  sigmatch_table[DETECT_UDPV6_CSUM].Free = DetectUDPV6CsumFree;
172  sigmatch_table[DETECT_UDPV6_CSUM].desc = "match on IPv6/UDP checksum";
173 
174  sigmatch_table[DETECT_ICMPV4_CSUM].name = "icmpv4-csum";
175  sigmatch_table[DETECT_ICMPV4_CSUM].Match = DetectICMPV4CsumMatch;
176  sigmatch_table[DETECT_ICMPV4_CSUM].Setup = DetectICMPV4CsumSetup;
177  sigmatch_table[DETECT_ICMPV4_CSUM].Free = DetectICMPV4CsumFree;
178  sigmatch_table[DETECT_ICMPV4_CSUM].desc = "match on IPv4/ICMP checksum";
179 
180  sigmatch_table[DETECT_ICMPV6_CSUM].name = "icmpv6-csum";
181  sigmatch_table[DETECT_ICMPV6_CSUM].Match = DetectICMPV6CsumMatch;
182  sigmatch_table[DETECT_ICMPV6_CSUM].Setup = DetectICMPV6CsumSetup;
183  sigmatch_table[DETECT_ICMPV6_CSUM].Free = DetectICMPV6CsumFree;
184  sigmatch_table[DETECT_ICMPV6_CSUM].desc = "match on IPv6/ICMPv6 checksum";
185 }
186 
187 /**
188  * \brief Validates and parses the argument supplied with the checksum keyword.
189  * Accepts strings both with and without quotes, i.e. valid, \"valid\",
190  * invalid and \"invalid\"
191  *
192  * \param key Pointer to a const character string holding the csum keyword value
193  * \param cd Pointer to the DetectCsumData structure that holds the keyword
194  * value sent as argument
195  *
196  * \retval 1 the keyvalue has been parsed successfully
197  * \retval 0 error
198  */
199 static int DetectCsumParseArg(const char *key, DetectCsumData *cd)
200 {
201  char *str;
202 
203  if (key[0] == '\"' && key[strlen(key) - 1] == '\"') {
204  str = SCStrdup(key + 1);
205  if (unlikely(str == NULL)) {
206  return 0;
207  }
208  str[strlen(key) - 2] = '\0';
209  } else {
210  str = SCStrdup(key);
211  if (unlikely(str == NULL)) {
212  return 0;
213  }
214  }
215 
216  if (strcasecmp(str, DETECT_CSUM_VALID) == 0 ||
217  strcasecmp(str, DETECT_CSUM_INVALID) == 0) {
218  cd->valid = (strcasecmp(key, DETECT_CSUM_VALID) == 0);
219  SCFree(str);
220  return 1;
221  }
222 
223  SCFree(str);
224  return 0;
225 }
226 
227 /**
228  * \brief Checks if the packet sent as the argument, has a valid or invalid
229  * ipv4 checksum, based on whether ipv4-csum option for this rule
230  * has been supplied with "valid" or "invalid" argument
231  *
232  * \param t Pointer to the tv for this detection module instance
233  * \param det_ctx Pointer to the detection engine thread context
234  * \param p Pointer to the Packet currently being matched
235  * \param s Pointer to the Signature, the packet is being currently
236  * matched with
237  * \param m Pointer to the keyword_structure(SigMatch) from the above
238  * Signature, the Packet is being currently matched with
239  *
240  * \retval 1 if the Packet contents match the keyword option; 0 otherwise
241  */
242 static int DetectIPV4CsumMatch(DetectEngineThreadCtx *det_ctx,
243  Packet *p, const Signature *s, const SigMatchCtx *ctx)
244 {
245  const DetectCsumData *cd = (const DetectCsumData *)ctx;
246 
247  if (!PacketIsIPv4(p))
248  return 0;
249 
250  if (p->flags & PKT_IGNORE_CHECKSUM) {
251  return cd->valid;
252  }
253 
254  if (!p->l3.csum_set) {
255  const IPV4Hdr *ip4h = PacketGetIPv4(p);
256  p->l3.csum = IPV4Checksum((uint16_t *)ip4h, IPV4_GET_RAW_HLEN(ip4h), ip4h->ip_csum);
257  p->l3.csum_set = true;
258  }
259 
260  if (p->l3.csum == 0 && cd->valid == 1)
261  return 1;
262  else if (p->l3.csum != 0 && cd->valid == 0)
263  return 1;
264  else
265  return 0;
266 }
267 
268 /**
269  * \brief Creates a SigMatch for the ipv4-csum keyword being sent as argument,
270  * and appends it to the Signature(s). Accepts 2 values for the
271  * keyword - "valid" and "invalid", both with and without quotes
272  *
273  * \param de_ctx Pointer to the detection engine context
274  * \param s Pointer to signature for the current Signature being parsed
275  * from the rules
276  * \param csum_str Pointer to the string holding the keyword value
277  *
278  * \retval 0 on success, -1 on failure
279  */
280 static int DetectIPV4CsumSetup(DetectEngineCtx *de_ctx, Signature *s, const char *csum_str)
281 {
282  DetectCsumData *cd = SCCalloc(1, sizeof(DetectCsumData));
283  if (cd == NULL)
284  return -1;
285 
286  if (DetectCsumParseArg(csum_str, cd) == 0)
287  goto error;
288 
291  goto error;
292  }
293 
294  return 0;
295 
296 error:
297  DetectIPV4CsumFree(de_ctx, cd);
298  return -1;
299 }
300 
301 static void DetectIPV4CsumFree(DetectEngineCtx *de_ctx, void *ptr)
302 {
303  SCFree(ptr);
304 }
305 
306 /**
307  * \brief Checks if the packet sent as the argument, has a valid or invalid
308  * tcpv4 checksum, based on whether tcpv4-csum option for this rule
309  * has been supplied with "valid" or "invalid" argument
310  *
311  * \param t Pointer to the tv for this detection module instance
312  * \param det_ctx Pointer to the detection engine thread context
313  * \param p Pointer to the Packet currently being matched
314  * \param s Pointer to the Signature, the packet is being currently
315  * matched with
316  * \param m Pointer to the keyword_structure(SigMatch) from the above
317  * Signature, the Packet is being currently matched with
318  *
319  * \retval 1 if the Packet contents match the keyword option; 0 otherwise
320  */
321 static int DetectTCPV4CsumMatch(DetectEngineThreadCtx *det_ctx,
322  Packet *p, const Signature *s, const SigMatchCtx *ctx)
323 {
324  const DetectCsumData *cd = (const DetectCsumData *)ctx;
325 
326  if (!PacketIsIPv4(p) || !PacketIsTCP(p) || p->proto != IPPROTO_TCP)
327  return 0;
328 
329  if (p->flags & PKT_IGNORE_CHECKSUM) {
330  return cd->valid;
331  }
332 
333  if (!p->l4.csum_set) {
334  const IPV4Hdr *ip4h = PacketGetIPv4(p);
335  const TCPHdr *tcph = PacketGetTCP(p);
336  p->l4.csum = TCPChecksum(ip4h->s_ip_addrs, (uint16_t *)tcph,
337  (p->payload_len + TCP_GET_RAW_HLEN(tcph)), tcph->th_sum);
338  p->l4.csum_set = true;
339  }
340  if (p->l4.csum == 0 && cd->valid == 1)
341  return 1;
342  else if (p->l4.csum != 0 && cd->valid == 0)
343  return 1;
344  else
345  return 0;
346 }
347 
348 /**
349  * \brief Creates a SigMatch for the tcpv4-csum keyword being sent as argument,
350  * and appends it to the Signature(s). Accepts 2 values for the
351  * keyword - "valid" and "invalid", both with and without quotes
352  *
353  * \param de_ctx Pointer to the detection engine context
354  * \param s Pointer to signature for the current Signature being parsed
355  * from the rules
356  * \param csum_str Pointer to the string holding the keyword value
357  *
358  * \retval 0 on success, -1 on failure
359  */
360 static int DetectTCPV4CsumSetup(DetectEngineCtx *de_ctx, Signature *s, const char *csum_str)
361 {
362  DetectCsumData *cd = SCCalloc(1, sizeof(DetectCsumData));
363  if (cd == NULL)
364  return -1;
365 
366  if (DetectCsumParseArg(csum_str, cd) == 0)
367  goto error;
368 
371  goto error;
372  }
373 
374  return 0;
375 
376 error:
377  DetectTCPV4CsumFree(de_ctx, cd);
378  return -1;
379 }
380 
381 static void DetectTCPV4CsumFree(DetectEngineCtx *de_ctx, void *ptr)
382 {
383  SCFree(ptr);
384 }
385 
386 /**
387  * \brief Checks if the packet sent as the argument, has a valid or invalid
388  * tcpv6 checksum, based on whether tcpv6-csum option for this rule
389  * has been supplied with "valid" or "invalid" argument
390  *
391  * \param t Pointer to the tv for this detection module instance
392  * \param det_ctx Pointer to the detection engine thread context
393  * \param p Pointer to the Packet currently being matched
394  * \param s Pointer to the Signature, the packet is being currently
395  * matched with
396  * \param m Pointer to the keyword_structure(SigMatch) from the above
397  * Signature, the Packet is being currently matched with
398  *
399  * \retval 1 if the Packet contents match the keyword option; 0 otherwise
400  */
401 static int DetectTCPV6CsumMatch(DetectEngineThreadCtx *det_ctx,
402  Packet *p, const Signature *s, const SigMatchCtx *ctx)
403 {
404  const DetectCsumData *cd = (const DetectCsumData *)ctx;
405 
406  if (!PacketIsIPv6(p) || !PacketIsTCP(p) || p->proto != IPPROTO_TCP)
407  return 0;
408 
409  if (p->flags & PKT_IGNORE_CHECKSUM) {
410  return cd->valid;
411  }
412 
413  if (!p->l4.csum_set) {
414  const IPV6Hdr *ip6h = PacketGetIPv6(p);
415  const TCPHdr *tcph = PacketGetTCP(p);
416  p->l4.csum = TCPV6Checksum(ip6h->s_ip6_addrs, (uint16_t *)tcph,
417  (p->payload_len + TCP_GET_RAW_HLEN(tcph)), tcph->th_sum);
418  p->l4.csum_set = true;
419  }
420 
421  if (p->l4.csum == 0 && cd->valid == 1)
422  return 1;
423  else if (p->l4.csum != 0 && cd->valid == 0)
424  return 1;
425  else
426  return 0;
427 }
428 
429 /**
430  * \brief Creates a SigMatch for the tcpv6-csum keyword being sent as argument,
431  * and appends it to the Signature(s). Accepts 2 values for the
432  * keyword - "valid" and "invalid", both with and without quotes
433  *
434  * \param de_ctx Pointer to the detection engine context
435  * \param s Pointer to signature for the current Signature being parsed
436  * from the rules
437  * \param csum_str Pointer to the string holding the keyword value
438  *
439  * \retval 0 on success, -1 on failure
440  */
441 static int DetectTCPV6CsumSetup(DetectEngineCtx *de_ctx, Signature *s, const char *csum_str)
442 {
443  DetectCsumData *cd = SCCalloc(1, sizeof(DetectCsumData));
444  if (cd == NULL)
445  return -1;
446 
447  if (DetectCsumParseArg(csum_str, cd) == 0)
448  goto error;
449 
452  goto error;
453  }
454 
455  return 0;
456 
457 error:
458  DetectTCPV6CsumFree(de_ctx, cd);
459  return -1;
460 }
461 
462 static void DetectTCPV6CsumFree(DetectEngineCtx *de_ctx, void *ptr)
463 {
464  SCFree(ptr);
465 }
466 
467 /**
468  * \brief Checks if the packet sent as the argument, has a valid or invalid
469  * udpv4 checksum, based on whether udpv4-csum option for this rule
470  * has been supplied with "valid" or "invalid" argument
471  *
472  * \param t Pointer to the tv for this detection module instance
473  * \param det_ctx Pointer to the detection engine thread context
474  * \param p Pointer to the Packet currently being matched
475  * \param s Pointer to the Signature, the packet is being currently
476  * matched with
477  * \param m Pointer to the keyword_structure(SigMatch) from the above
478  * Signature, the Packet is being currently matched with
479  *
480  * \retval 1 if the Packet contents match the keyword option; 0 otherwise
481  */
482 static int DetectUDPV4CsumMatch(DetectEngineThreadCtx *det_ctx,
483  Packet *p, const Signature *s, const SigMatchCtx *ctx)
484 {
485  const DetectCsumData *cd = (const DetectCsumData *)ctx;
486 
487  if (!PacketIsIPv4(p) || !PacketIsUDP(p) || p->proto != IPPROTO_UDP)
488  return 0;
489 
490  const UDPHdr *udph = PacketGetUDP(p);
491  if (udph->uh_sum == 0)
492  return 0;
493 
494  if (p->flags & PKT_IGNORE_CHECKSUM) {
495  return cd->valid;
496  }
497 
498  if (!p->l4.csum_set) {
499  const IPV4Hdr *ip4h = PacketGetIPv4(p);
500  p->l4.csum = UDPV4Checksum(ip4h->s_ip_addrs, (uint16_t *)udph,
501  (p->payload_len + UDP_HEADER_LEN), udph->uh_sum);
502  p->l4.csum_set = true;
503  }
504  if (p->l4.csum == 0 && cd->valid == 1)
505  return 1;
506  else if (p->l4.csum != 0 && cd->valid == 0)
507  return 1;
508  else
509  return 0;
510 }
511 
512 /**
513  * \brief Creates a SigMatch for the udpv4-csum keyword being sent as argument,
514  * and appends it to the Signature(s). Accepts 2 values for the
515  * keyword - "valid" and "invalid", both with and without quotes
516  *
517  * \param de_ctx Pointer to the detection engine context
518  * \param s Pointer to signature for the current Signature being parsed
519  * from the rules
520  * \param csum_str Pointer to the string holding the keyword value
521  *
522  * \retval 0 on success, -1 on failure
523  */
524 static int DetectUDPV4CsumSetup(DetectEngineCtx *de_ctx, Signature *s, const char *csum_str)
525 {
526  DetectCsumData *cd = SCCalloc(1, sizeof(DetectCsumData));
527  if (cd == NULL)
528  return -1;
529 
530  if (DetectCsumParseArg(csum_str, cd) == 0)
531  goto error;
532 
535  goto error;
536  }
537 
538  return 0;
539 
540 error:
541  DetectUDPV4CsumFree(de_ctx, cd);
542  return -1;
543 }
544 
545 static void DetectUDPV4CsumFree(DetectEngineCtx *de_ctx, void *ptr)
546 {
547  SCFree(ptr);
548 }
549 
550 /**
551  * \brief Checks if the packet sent as the argument, has a valid or invalid
552  * udpv6 checksum, based on whether udpv6-csum option for this rule
553  * has been supplied with "valid" or "invalid" argument
554  *
555  * \param t Pointer to the tv for this detection module instance
556  * \param det_ctx Pointer to the detection engine thread context
557  * \param p Pointer to the Packet currently being matched
558  * \param s Pointer to the Signature, the packet is being currently
559  * matched with
560  * \param m Pointer to the keyword_structure(SigMatch) from the above
561  * Signature, the Packet is being currently matched with
562  *
563  * \retval 1 if the Packet contents match the keyword option; 0 otherwise
564  */
565 static int DetectUDPV6CsumMatch(DetectEngineThreadCtx *det_ctx,
566  Packet *p, const Signature *s, const SigMatchCtx *ctx)
567 {
568  const DetectCsumData *cd = (const DetectCsumData *)ctx;
569 
570  if (!PacketIsIPv6(p) || !PacketIsUDP(p) || p->proto != IPPROTO_UDP)
571  return 0;
572 
573  if (p->flags & PKT_IGNORE_CHECKSUM) {
574  return cd->valid;
575  }
576 
577  if (!p->l4.csum_set) {
578  const IPV6Hdr *ip6h = PacketGetIPv6(p);
579  const UDPHdr *udph = PacketGetUDP(p);
580  p->l4.csum = UDPV6Checksum(ip6h->s_ip6_addrs, (uint16_t *)udph,
581  (p->payload_len + UDP_HEADER_LEN), udph->uh_sum);
582  p->l4.csum_set = true;
583  }
584  if (p->l4.csum == 0 && cd->valid == 1)
585  return 1;
586  else if (p->l4.csum != 0 && cd->valid == 0)
587  return 1;
588  else
589  return 0;
590 }
591 
592 /**
593  * \brief Creates a SigMatch for the udpv6-csum keyword being sent as argument,
594  * and appends it to the Signature(s). Accepts 2 values for the
595  * keyword - "valid" and "invalid", both with and without quotes
596  *
597  * \param de_ctx Pointer to the detection engine context
598  * \param s Pointer to signature for the current Signature being parsed
599  * from the rules
600  * \param csum_str Pointer to the string holding the keyword value
601  *
602  * \retval 0 on success, -1 on failure
603  */
604 static int DetectUDPV6CsumSetup(DetectEngineCtx *de_ctx, Signature *s, const char *csum_str)
605 {
606  DetectCsumData *cd = SCCalloc(1, sizeof(DetectCsumData));
607  if (cd == NULL)
608  return -1;
609 
610  if (DetectCsumParseArg(csum_str, cd) == 0)
611  goto error;
612 
615  goto error;
616  }
617 
618  return 0;
619 
620 error:
621  DetectUDPV6CsumFree(de_ctx, cd);
622  return -1;
623 }
624 
625 static void DetectUDPV6CsumFree(DetectEngineCtx *de_ctx, void *ptr)
626 {
627  DetectCsumData *cd = (DetectCsumData *)ptr;
628 
629  if (cd != NULL)
630  SCFree(cd);
631 }
632 
633 /**
634  * \brief Checks if the packet sent as the argument, has a valid or invalid
635  * icmpv4 checksum, based on whether icmpv4-csum option for this rule
636  * has been supplied with "valid" or "invalid" argument
637  *
638  * \param t Pointer to the tv for this detection module instance
639  * \param det_ctx Pointer to the detection engine thread context
640  * \param p Pointer to the Packet currently being matched
641  * \param s Pointer to the Signature, the packet is being currently
642  * matched with
643  * \param m Pointer to the keyword_structure(SigMatch) from the above
644  * Signature, the Packet is being currently matched with
645  *
646  * \retval 1 if the Packet contents match the keyword option; 0 otherwise
647  */
648 static int DetectICMPV4CsumMatch(DetectEngineThreadCtx *det_ctx,
649  Packet *p, const Signature *s, const SigMatchCtx *ctx)
650 {
651  const DetectCsumData *cd = (const DetectCsumData *)ctx;
652 
653  if (!PacketIsIPv4(p) || !PacketIsICMPv4(p) || p->proto != IPPROTO_ICMP)
654  return 0;
655 
656  if (p->flags & PKT_IGNORE_CHECKSUM) {
657  return cd->valid;
658  }
659 
660  const ICMPV4Hdr *icmpv4h = PacketGetICMPv4(p);
661  if (!p->l4.csum_set) {
662  const IPV4Hdr *ip4h = PacketGetIPv4(p);
663  p->l4.csum = ICMPV4CalculateChecksum(
664  (uint16_t *)icmpv4h, IPV4_GET_RAW_IPLEN(ip4h) - IPV4_GET_RAW_HLEN(ip4h));
665  p->l4.csum_set = true;
666  }
667  if (p->l4.csum == icmpv4h->checksum && cd->valid == 1)
668  return 1;
669  else if (p->l4.csum != icmpv4h->checksum && cd->valid == 0)
670  return 1;
671  else
672  return 0;
673 }
674 
675 /**
676  * \brief Creates a SigMatch for the icmpv4-csum keyword being sent as argument,
677  * and appends it to the Signature(s). Accepts 2 values for the
678  * keyword - "valid" and "invalid", both with and without quotes
679  *
680  * \param de_ctx Pointer to the detection engine context
681  * \param s Pointer to signature for the current Signature being parsed
682  * from the rules
683  * \param csum_str Pointer to the string holding the keyword value
684  *
685  * \retval 0 on success, -1 on failure
686  */
687 static int DetectICMPV4CsumSetup(DetectEngineCtx *de_ctx, Signature *s, const char *csum_str)
688 {
689  DetectCsumData *cd = SCCalloc(1, sizeof(DetectCsumData));
690  if (cd == NULL)
691  return -1;
692 
693  if (DetectCsumParseArg(csum_str, cd) == 0)
694  goto error;
695 
698  goto error;
699  }
700 
701  return 0;
702 
703 error:
704  DetectICMPV4CsumFree(de_ctx, cd);
705  return -1;
706 }
707 
708 static void DetectICMPV4CsumFree(DetectEngineCtx *de_ctx, void *ptr)
709 {
710  SCFree(ptr);
711 }
712 
713 /**
714  * \brief Checks if the packet sent as the argument, has a valid or invalid
715  * icmpv6 checksum, based on whether icmpv6-csum option for this rule
716  * has been supplied with "valid" or "invalid" argument
717  *
718  * \param t Pointer to the tv for this detection module instance
719  * \param det_ctx Pointer to the detection engine thread context
720  * \param p Pointer to the Packet currently being matched
721  * \param s Pointer to the Signature, the packet is being currently
722  * matched with
723  * \param m Pointer to the keyword_structure(SigMatch) from the above
724  * Signature, the Packet is being currently matched with
725  *
726  * \retval 1 if the Packet contents match the keyword option; 0 otherwise
727  */
728 static int DetectICMPV6CsumMatch(DetectEngineThreadCtx *det_ctx,
729  Packet *p, const Signature *s, const SigMatchCtx *ctx)
730 {
731  const DetectCsumData *cd = (const DetectCsumData *)ctx;
732 
733  if (!PacketIsIPv6(p) || !PacketIsICMPv6(p) || p->proto != IPPROTO_ICMPV6) {
734  return 0;
735  }
736  const ICMPV6Hdr *icmpv6h = PacketGetICMPv6(p);
737  if ((GET_PKT_LEN(p) - ((uint8_t *)icmpv6h - GET_PKT_DATA(p))) <= 0) {
738  return 0;
739  }
740 
741  if (p->flags & PKT_IGNORE_CHECKSUM) {
742  return cd->valid;
743  }
744 
745  if (!p->l4.csum_set) {
746  const IPV6Hdr *ip6h = PacketGetIPv6(p);
747  uint16_t len = IPV6_GET_RAW_PLEN(ip6h) -
748  (uint16_t)((uint8_t *)icmpv6h - (uint8_t *)ip6h - IPV6_HEADER_LEN);
749  p->l4.csum = ICMPV6CalculateChecksum(ip6h->s_ip6_addrs, (uint16_t *)icmpv6h, len);
750  p->l4.csum_set = true;
751  }
752 
753  if (p->l4.csum == icmpv6h->csum && cd->valid == 1)
754  return 1;
755  else if (p->l4.csum != icmpv6h->csum && cd->valid == 0)
756  return 1;
757  else
758  return 0;
759 }
760 
761 /**
762  * \brief Creates a SigMatch for the icmpv6-csum keyword being sent as argument,
763  * and appends it to the Signature(s). Accepts 2 values for the
764  * keyword - "valid" and "invalid", both with and without quotes
765  *
766  * \param de_ctx Pointer to the detection engine context
767  * \param s Pointer to signature for the current Signature being parsed
768  * from the rules
769  * \param csum_str Pointer to the string holding the keyword value
770  *
771  * \retval 0 on success, -1 on failure
772  */
773 static int DetectICMPV6CsumSetup(DetectEngineCtx *de_ctx, Signature *s, const char *csum_str)
774 {
775  DetectCsumData *cd = SCCalloc(1, sizeof(DetectCsumData));
776  if (cd == NULL)
777  return -1;
778 
779  if (DetectCsumParseArg(csum_str, cd) == 0)
780  goto error;
781 
784  goto error;
785  }
786 
787  return 0;
788 
789 error:
790  DetectICMPV6CsumFree(de_ctx, cd);
791  return -1;
792 }
793 
794 static void DetectICMPV6CsumFree(DetectEngineCtx *de_ctx, void *ptr)
795 {
796  SCFree(ptr);
797 }
798 
799 /* ---------------------------------- Unit Tests --------------------------- */
800 
801 #ifdef UNITTESTS
802 #include "util-unittest-helper.h"
803 #include "detect-engine.h"
804 #include "detect-engine-alert.h"
805 #include "packet.h"
806 
807 #define mystr(s) #s
808 #define TEST1(kwstr) {\
809  DetectEngineCtx *de_ctx = DetectEngineCtxInit();\
810  FAIL_IF_NULL(de_ctx);\
811  de_ctx->flags = DE_QUIET;\
812  \
813  Signature *s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:valid; sid:1;)");\
814  FAIL_IF_NULL(s);\
815  s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:invalid; sid:2;)");\
816  FAIL_IF_NULL(s);\
817  s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:vaLid; sid:3;)");\
818  FAIL_IF_NULL(s);\
819  s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:VALID; sid:4;)");\
820  FAIL_IF_NULL(s);\
821  s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:iNvaLid; sid:5;)");\
822  FAIL_IF_NULL(s);\
823  DetectEngineCtxFree(de_ctx);\
824 }
825 
826 
827 static int DetectCsumValidArgsTestParse01(void)
828 {
829  TEST1(ipv4);
830  TEST1(tcpv4);
831  TEST1(tcpv6);
832  TEST1(udpv4);
833  TEST1(udpv6);
834  TEST1(icmpv4);
835  TEST1(icmpv6);
836  PASS;
837 }
838 #undef TEST1
839 
840 #define TEST2(kwstr) \
841  { \
842  DetectEngineCtx *de_ctx = DetectEngineCtxInit(); \
843  FAIL_IF_NULL(de_ctx); \
844  Signature *s = DetectEngineAppendSig( \
845  de_ctx, "alert ip any any -> any any (" mystr(kwstr) "-csum:xxxx; sid:1;)"); \
846  FAIL_IF(s); \
847  s = DetectEngineAppendSig( \
848  de_ctx, "alert ip any any -> any any (" mystr(kwstr) "-csum:xxxxxxxx; sid:2;)"); \
849  FAIL_IF(s); \
850  s = DetectEngineAppendSig( \
851  de_ctx, "alert ip any any -> any any (" mystr(kwstr) "-csum:xxxxxx; sid:3;)"); \
852  FAIL_IF(s); \
853  s = DetectEngineAppendSig( \
854  de_ctx, "alert ip any any -> any any (" mystr(kwstr) "-csum:XXXXXX; sid:4;)"); \
855  FAIL_IF(s); \
856  s = DetectEngineAppendSig( \
857  de_ctx, "alert ip any any -> any any (" mystr(kwstr) "-csum:XxXxXxX; sid:5;)"); \
858  FAIL_IF(s); \
859  DetectEngineCtxFree(de_ctx); \
860  }
861 
862 static int DetectCsumInvalidArgsTestParse02(void)
863 {
864  TEST2(ipv4);
865  TEST2(tcpv4);
866  TEST2(tcpv6);
867  TEST2(udpv4);
868  TEST2(udpv6);
869  TEST2(icmpv4);
870  TEST2(icmpv6);
871  PASS;
872 }
873 #undef TEST2
874 
875 #define TEST3(kwstr, kwtype) { \
876  DetectEngineCtx *de_ctx = DetectEngineCtxInit();\
877  FAIL_IF_NULL(de_ctx);\
878  Signature *s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:valid; sid:1;)");\
879  FAIL_IF_NULL(s);\
880  SigMatch *sm = DetectGetLastSMFromLists(s, (kwtype), -1);\
881  FAIL_IF_NULL(sm);\
882  FAIL_IF_NULL(sm->ctx);\
883  FAIL_IF_NOT(((DetectCsumData *)sm->ctx)->valid == 1);\
884  s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:INVALID; sid:2;)");\
885  FAIL_IF_NULL(s);\
886  sm = DetectGetLastSMFromLists(s, (kwtype), -1);\
887  FAIL_IF_NULL(sm);\
888  FAIL_IF_NULL(sm->ctx);\
889  FAIL_IF_NOT(((DetectCsumData *)sm->ctx)->valid == 0);\
890  DetectEngineCtxFree(de_ctx);\
891 }
892 
893 static int DetectCsumValidArgsTestParse03(void)
894 {
895  TEST3(ipv4, DETECT_IPV4_CSUM);
896  TEST3(tcpv4, DETECT_TCPV4_CSUM);
897  TEST3(tcpv6, DETECT_TCPV6_CSUM);
898  TEST3(udpv4, DETECT_UDPV4_CSUM);
899  TEST3(udpv6, DETECT_UDPV6_CSUM);
900  TEST3(icmpv4, DETECT_ICMPV4_CSUM);
901  TEST3(icmpv6, DETECT_ICMPV6_CSUM);
902  PASS;
903 }
904 #undef TEST3
905 #undef mystr
906 
907 #include "stream-tcp.h"
908 
909 static int DetectCsumICMPV6Test01(void)
910 {
911  DetectEngineCtx *de_ctx = NULL;
912  Signature *s = NULL;
913  ThreadVars tv;
914  DetectEngineThreadCtx *det_ctx = NULL;
916 
917  Packet *p = PacketGetFromAlloc();
918  FAIL_IF_NULL(p);
919 
920  uint8_t pkt[] = {
921  0x00, 0x30, 0x18, 0xa8, 0x7c, 0x23, 0x2c, 0x41,
922  0x38, 0xa7, 0xea, 0xeb, 0x86, 0xdd, 0x60, 0x00,
923  0x00, 0x00, 0x00, 0x40, 0x3c, 0x40, 0xad, 0xa1,
924  0x09, 0x80, 0x00, 0x01, 0xd6, 0xf3, 0x20, 0x01,
925  0xf4, 0xbe, 0xea, 0x3c, 0x00, 0x01, 0x00, 0x00,
926  0x00, 0x00, 0x32, 0xb2, 0x00, 0x01, 0x32, 0xb2,
927  0x09, 0x80, 0x20, 0x01, 0x00, 0x00, 0x3c, 0x00,
928  0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x3c, 0x00,
929  0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x2c, 0x00,
930  0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x2c, 0x00,
931  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3c, 0x00,
932  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2c, 0x00,
933  0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x3a, 0x00,
934  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00,
935  0x63, 0xc2, 0x00, 0x00, 0x00, 0x00 };
936 
937  PacketCopyData(p, pkt, sizeof(pkt));
938 
939  memset(&tv, 0, sizeof(tv));
940  memset(&dtv, 0, sizeof(dtv));
941 
942  StreamTcpInitConfig(true);
944 
948  de_ctx->flags |= DE_QUIET;
949 
950  s = de_ctx->sig_list = SigInit(de_ctx, "alert ip any any -> any any "
951  "(icmpv6-csum:valid; sid:1;)");
952  FAIL_IF_NULL(s);
954 
956 
957  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
958 
959  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
960 
961  FAIL_IF(!PacketAlertCheck(p, 1));
962 
963  DetectEngineThreadCtxDeinit(&tv, det_ctx);
965 
966  StreamTcpFreeConfig(true);
967  PacketRecycle(p);
968  FlowShutdown();
969  SCFree(p);
970  PASS;
971 }
972 
973 static void DetectCsumRegisterTests(void)
974 {
975  UtRegisterTest("DetectCsumValidArgsTestParse01",
976  DetectCsumValidArgsTestParse01);
977  UtRegisterTest("DetectCsumInvalidArgsTestParse02",
978  DetectCsumInvalidArgsTestParse02);
979  UtRegisterTest("DetectCsumValidArgsTestParse03",
980  DetectCsumValidArgsTestParse03);
981 
982  UtRegisterTest("DetectCsumICMPV6Test01",
983  DetectCsumICMPV6Test01);
984 }
985 #endif /* UNITTESTS */
PacketL4::csum_set
bool csum_set
Definition: decode.h:466
host.h
Packet_::proto
uint8_t proto
Definition: decode.h:523
len
uint8_t len
Definition: app-layer-dnp3.h:2
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
IPV6_GET_RAW_PLEN
#define IPV6_GET_RAW_PLEN(ip6h)
Definition: decode-ipv6.h:66
SigTableElmt_::desc
const char * desc
Definition: detect.h:1461
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:79
DETECT_CSUM_VALID
#define DETECT_CSUM_VALID
Definition: detect-csum.c:42
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1446
PacketCopyData
int PacketCopyData(Packet *p, const uint8_t *pktdata, uint32_t pktlen)
Copy data to Packet payload and set packet length.
Definition: decode.c:377
SigTableElmt_::name
const char * name
Definition: detect.h:1459
stream-tcp.h
DETECT_ICMPV4_CSUM
@ DETECT_ICMPV4_CSUM
Definition: detect-engine-register.h:117
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
PacketL4::csum
uint16_t csum
Definition: decode.h:467
ICMPV6Hdr_::csum
uint16_t csum
Definition: decode-icmpv6.h:132
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:142
Packet_::flags
uint32_t flags
Definition: decode.h:544
PacketRecycle
void PacketRecycle(Packet *p)
Definition: packet.c:150
DETECT_UDPV6_CSUM
@ DETECT_UDPV6_CSUM
Definition: detect-engine-register.h:116
ctx
struct Thresholds ctx
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:932
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2641
TCP_GET_RAW_HLEN
#define TCP_GET_RAW_HLEN(tcph)
Definition: decode-tcp.h:72
DetectCsumData
struct DetectCsumData_ DetectCsumData
DE_QUIET
#define DE_QUIET
Definition: detect.h:330
mpm_default_matcher
uint8_t mpm_default_matcher
Definition: util-mpm.c:48
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:2420
DETECT_CSUM_INVALID
#define DETECT_CSUM_INVALID
Definition: detect-csum.c:43
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1441
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:606
util-unittest.h
util-unittest-helper.h
DETECT_TCPV4_CSUM
@ DETECT_TCPV4_CSUM
Definition: detect-engine-register.h:113
FlowInitConfig
void FlowInitConfig(bool quiet)
initialize the configuration
Definition: flow.c:547
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:488
decode.h
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
DetectEngineThreadCtx_
Definition: detect.h:1244
GET_PKT_DATA
#define GET_PKT_DATA(p)
Definition: decode.h:209
SCSigMatchAppendSMToList
SigMatch * SCSigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:388
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
pkt-var.h
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3372
IPV4_GET_RAW_HLEN
#define IPV4_GET_RAW_HLEN(ip4h)
Definition: decode-ipv4.h:96
DetectEngineCtx_::mpm_matcher
uint8_t mpm_matcher
Definition: detect.h:935
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:117
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:3095
util-profiling.h
IPV6Hdr_
Definition: decode-ipv6.h:32
Packet_
Definition: decode.h:501
detect-engine-build.h
GET_PKT_LEN
#define GET_PKT_LEN(p)
Definition: decode.h:208
ICMPV4Hdr_
Definition: decode-icmpv4.h:165
detect-engine-alert.h
Packet_::l4
struct PacketL4 l4
Definition: decode.h:601
PKT_IGNORE_CHECKSUM
#define PKT_IGNORE_CHECKSUM
Definition: decode.h:1282
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1421
DETECT_IPV4_CSUM
@ DETECT_IPV4_CSUM
Definition: detect-engine-register.h:112
DetectCsumData_::valid
int16_t valid
Definition: detect-csum.c:48
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2204
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:33
PacketL3::csum_set
bool csum_set
Definition: decode.h:436
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:351
IPV4Hdr_
Definition: decode-ipv4.h:72
ICMPV6Hdr_
Definition: decode-icmpv6.h:129
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:859
suricata-common.h
FlowShutdown
void FlowShutdown(void)
shutdown the flow engine
Definition: flow.c:691
packet.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3608
DetectCsumRegister
void DetectCsumRegister(void)
Registers handlers for all the checksum keywords. The checksum keywords that are registered are ipv4-...
Definition: detect-csum.c:139
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
UDPHdr_
Definition: decode-udp.h:42
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:941
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:258
DetectCsumData_
Definition: detect-csum.c:45
Packet_::l3
struct PacketL3 l3
Definition: decode.h:600
str
#define str(s)
Definition: suricata-common.h:308
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:963
DETECT_ICMPV6_CSUM
@ DETECT_ICMPV6_CSUM
Definition: detect-engine-register.h:118
TEST1
#define TEST1(kwstr)
Definition: detect-csum.c:808
detect-parse.h
Signature_
Signature container.
Definition: detect.h:668
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2602
TEST3
#define TEST3(kwstr, kwtype)
Definition: detect-csum.c:875
PacketL3::csum
uint16_t csum
Definition: decode.h:437
UDP_HEADER_LEN
#define UDP_HEADER_LEN
Definition: decode-udp.h:27
FLOW_QUIET
#define FLOW_QUIET
Definition: flow.h:43
TEST2
#define TEST2(kwstr)
Definition: detect-csum.c:840
IPV6_HEADER_LEN
#define IPV6_HEADER_LEN
Definition: decode-ipv6.h:27
IPV4_GET_RAW_IPLEN
#define IPV4_GET_RAW_IPLEN(ip4h)
Definition: decode-ipv4.h:98
detect-csum.h
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:934
DETECT_TCPV6_CSUM
@ DETECT_TCPV6_CSUM
Definition: detect-engine-register.h:114
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
DecodeEthernet
int DecodeEthernet(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Definition: decode-ethernet.c:42
TCPHdr_
Definition: decode-tcp.h:149
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1448
DETECT_UDPV4_CSUM
@ DETECT_UDPV4_CSUM
Definition: detect-engine-register.h:115
UDPHdr_::uh_sum
uint16_t uh_sum
Definition: decode-udp.h:46