suricata
detect-csum.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  *
23  * Implements checksum keyword.
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 
29 #include "detect.h"
30 #include "detect-parse.h"
31 
32 #include "detect-csum.h"
33 
34 #include "util-unittest.h"
35 #include "util-debug.h"
36 
37 #include "pkt-var.h"
38 #include "host.h"
39 #include "util-profiling.h"
40 #include "detect-engine-build.h"
41 
42 #define DETECT_CSUM_VALID "valid"
43 #define DETECT_CSUM_INVALID "invalid"
44 
45 typedef struct DetectCsumData_ {
46  /* Indicates if the csum-<protocol> keyword in a rule holds the
47  keyvalue "valid" or "invalid" */
48  int16_t valid;
50 
51 /* prototypes for the "ipv4-csum" rule keyword */
52 static int DetectIPV4CsumMatch(DetectEngineThreadCtx *,
53  Packet *, const Signature *, const SigMatchCtx *);
54 static int DetectIPV4CsumSetup(DetectEngineCtx *, Signature *, const char *);
55 static void DetectIPV4CsumFree(DetectEngineCtx *, void *);
56 
57 /* prototypes for the "tcpv4-csum" rule keyword */
58 static int DetectTCPV4CsumMatch(DetectEngineThreadCtx *,
59  Packet *, const Signature *, const SigMatchCtx *);
60 static int DetectTCPV4CsumSetup(DetectEngineCtx *, Signature *, const char *);
61 static void DetectTCPV4CsumFree(DetectEngineCtx *, void *);
62 
63 /* prototypes for the "tcpv6-csum" rule keyword */
64 static int DetectTCPV6CsumMatch(DetectEngineThreadCtx *,
65  Packet *, const Signature *, const SigMatchCtx *);
66 static int DetectTCPV6CsumSetup(DetectEngineCtx *, Signature *, const char *);
67 static void DetectTCPV6CsumFree(DetectEngineCtx *, void *);
68 
69 /* prototypes for the "udpv4-csum" rule keyword */
70 static int DetectUDPV4CsumMatch(DetectEngineThreadCtx *,
71  Packet *, const Signature *, const SigMatchCtx *);
72 static int DetectUDPV4CsumSetup(DetectEngineCtx *, Signature *, const char *);
73 static void DetectUDPV4CsumFree(DetectEngineCtx *, void *);
74 
75 /* prototypes for the "udpv6-csum" rule keyword */
76 static int DetectUDPV6CsumMatch(DetectEngineThreadCtx *,
77  Packet *, const Signature *, const SigMatchCtx *);
78 static int DetectUDPV6CsumSetup(DetectEngineCtx *, Signature *, const char *);
79 static void DetectUDPV6CsumFree(DetectEngineCtx *de_ctx, void *);
80 
81 /* prototypes for the "icmpv4-csum" rule keyword */
82 static int DetectICMPV4CsumMatch(DetectEngineThreadCtx *,
83  Packet *, const Signature *, const SigMatchCtx *);
84 static int DetectICMPV4CsumSetup(DetectEngineCtx *, Signature *, const char *);
85 static void DetectICMPV4CsumFree(DetectEngineCtx *, void *);
86 
87 /* prototypes for the "icmpv6-csum" rule keyword */
88 static int DetectICMPV6CsumMatch(DetectEngineThreadCtx *,
89  Packet *, const Signature *, const SigMatchCtx *);
90 static int DetectICMPV6CsumSetup(DetectEngineCtx *, Signature *, const char *);
91 static void DetectICMPV6CsumFree(DetectEngineCtx *, void *);
92 
93 #ifdef UNITTESTS
94 static void DetectCsumRegisterTests(void);
95 #endif
96 
97 /**
98  * \brief Registers handlers for all the checksum keywords. The checksum
99  * keywords that are registered are ipv4-sum, tcpv4-csum, tcpv6-csum,
100  * udpv4-csum, udpv6-csum, icmpv4-csum and icmpv6-csum.
101  *
102  * Each of the checksum keywords implemented here takes 2 arguments -
103  * "valid" or "invalid". If the rule keyword in the signature is
104  * specified as "valid", the Match function would return TRUE if the
105  * checksum for that particular packet and protocol is valid. Similarly
106  * for "invalid".
107  *
108  * The Setup functions takes 4 arguments -
109  *
110  * DetectEngineCtx * (de_ctx) - A pointer to the detection engine context
111  * Signature *(s) - Pointer to signature for the current Signature being
112  * parsed from the rules
113  * SigMatchCtx * (m) - Pointer to the head of the SigMatchs added to the
114  * current Signature being parsed
115  * char * (csum_str) - Pointer to a string holding the keyword value
116  *
117  * The Setup function returns 0 if it successfully parses the keyword
118  * value, and -1 otherwise.
119  *
120  * The Match function takes 5 arguments -
121  *
122  * ThreadVars * (t) - Pointer to the tv for the detection module instance
123  * DetectEngineThreadCtx * (det_ctx) - Pointer to the detection engine
124  * thread context
125  * Packet * (p) - Pointer to the Packet currently being handled
126  * Signature * (s) - Pointer to the Signature, the packet is being
127  * currently matched with
128  * SigMatchCtx * (m) - Pointer to the keyword structure from the above
129  * Signature, the Packet is being currently matched
130  * with
131  *
132  * The Match function returns 1 if the Packet contents match the keyword,
133  * and 0 otherwise
134  *
135  * The Free function takes a single argument -
136  *
137  * void * (ptr) - Pointer to the DetectCsumData for a keyword
138  */
140 {
141  sigmatch_table[DETECT_IPV4_CSUM].name = "ipv4-csum";
142  sigmatch_table[DETECT_IPV4_CSUM].Match = DetectIPV4CsumMatch;
143  sigmatch_table[DETECT_IPV4_CSUM].Setup = DetectIPV4CsumSetup;
144  sigmatch_table[DETECT_IPV4_CSUM].Free = DetectIPV4CsumFree;
145 #ifdef UNITTESTS
146  sigmatch_table[DETECT_IPV4_CSUM].RegisterTests = DetectCsumRegisterTests;
147 #endif
148 
149  sigmatch_table[DETECT_TCPV4_CSUM].name = "tcpv4-csum";
150  sigmatch_table[DETECT_TCPV4_CSUM].Match = DetectTCPV4CsumMatch;
151  sigmatch_table[DETECT_TCPV4_CSUM].Setup = DetectTCPV4CsumSetup;
152  sigmatch_table[DETECT_TCPV4_CSUM].Free = DetectTCPV4CsumFree;
153 
154  sigmatch_table[DETECT_TCPV6_CSUM].name = "tcpv6-csum";
155  sigmatch_table[DETECT_TCPV6_CSUM].Match = DetectTCPV6CsumMatch;
156  sigmatch_table[DETECT_TCPV6_CSUM].Setup = DetectTCPV6CsumSetup;
157  sigmatch_table[DETECT_TCPV6_CSUM].Free = DetectTCPV6CsumFree;
158 
159  sigmatch_table[DETECT_UDPV4_CSUM].name = "udpv4-csum";
160  sigmatch_table[DETECT_UDPV4_CSUM].Match = DetectUDPV4CsumMatch;
161  sigmatch_table[DETECT_UDPV4_CSUM].Setup = DetectUDPV4CsumSetup;
162  sigmatch_table[DETECT_UDPV4_CSUM].Free = DetectUDPV4CsumFree;
163 
164  sigmatch_table[DETECT_UDPV6_CSUM].name = "udpv6-csum";
165  sigmatch_table[DETECT_UDPV6_CSUM].Match = DetectUDPV6CsumMatch;
166  sigmatch_table[DETECT_UDPV6_CSUM].Setup = DetectUDPV6CsumSetup;
167  sigmatch_table[DETECT_UDPV6_CSUM].Free = DetectUDPV6CsumFree;
168 
169  sigmatch_table[DETECT_ICMPV4_CSUM].name = "icmpv4-csum";
170  sigmatch_table[DETECT_ICMPV4_CSUM].Match = DetectICMPV4CsumMatch;
171  sigmatch_table[DETECT_ICMPV4_CSUM].Setup = DetectICMPV4CsumSetup;
172  sigmatch_table[DETECT_ICMPV4_CSUM].Free = DetectICMPV4CsumFree;
173 
174  sigmatch_table[DETECT_ICMPV6_CSUM].name = "icmpv6-csum";
175  sigmatch_table[DETECT_ICMPV6_CSUM].Match = DetectICMPV6CsumMatch;
176  sigmatch_table[DETECT_ICMPV6_CSUM].Setup = DetectICMPV6CsumSetup;
177  sigmatch_table[DETECT_ICMPV6_CSUM].Free = DetectICMPV6CsumFree;
178 }
179 
180 /**
181  * \brief Validates and parses the argument supplied with the checksum keyword.
182  * Accepts strings both with and without quotes, i.e. valid, \"valid\",
183  * invalid and \"invalid\"
184  *
185  * \param key Pointer to a const character string holding the csum keyword value
186  * \param cd Pointer to the DetectCsumData structure that holds the keyword
187  * value sent as argument
188  *
189  * \retval 1 the keyvalue has been parsed successfully
190  * \retval 0 error
191  */
192 static int DetectCsumParseArg(const char *key, DetectCsumData *cd)
193 {
194  char *str;
195 
196  if (key[0] == '\"' && key[strlen(key) - 1] == '\"') {
197  str = SCStrdup(key + 1);
198  if (unlikely(str == NULL)) {
199  goto error;
200  }
201  str[strlen(key) - 2] = '\0';
202  } else {
203  str = SCStrdup(key);
204  if (unlikely(str == NULL)) {
205  goto error;
206  }
207  }
208 
209  if (strcasecmp(str, DETECT_CSUM_VALID) == 0 ||
210  strcasecmp(str, DETECT_CSUM_INVALID) == 0) {
211  cd->valid = (strcasecmp(key, DETECT_CSUM_VALID) == 0);
212  SCFree(str);
213  return 1;
214  }
215 
216 error:
217  if (str != NULL)
218  SCFree(str);
219  return 0;
220 }
221 
222 /**
223  * \brief Checks if the packet sent as the argument, has a valid or invalid
224  * ipv4 checksum, based on whether ipv4-csum option for this rule
225  * has been supplied with "valid" or "invalid" argument
226  *
227  * \param t Pointer to the tv for this detection module instance
228  * \param det_ctx Pointer to the detection engine thread context
229  * \param p Pointer to the Packet currently being matched
230  * \param s Pointer to the Signature, the packet is being currently
231  * matched with
232  * \param m Pointer to the keyword_structure(SigMatch) from the above
233  * Signature, the Packet is being currently matched with
234  *
235  * \retval 1 if the Packet contents match the keyword option; 0 otherwise
236  */
237 static int DetectIPV4CsumMatch(DetectEngineThreadCtx *det_ctx,
238  Packet *p, const Signature *s, const SigMatchCtx *ctx)
239 {
240  const DetectCsumData *cd = (const DetectCsumData *)ctx;
241 
242  if (p->ip4h == NULL || PKT_IS_PSEUDOPKT(p))
243  return 0;
244 
245  if (p->flags & PKT_IGNORE_CHECKSUM) {
246  return cd->valid;
247  }
248 
249  if (p->level3_comp_csum == -1)
250  p->level3_comp_csum = IPV4Checksum((uint16_t *)p->ip4h,
251  IPV4_GET_HLEN(p),
252  p->ip4h->ip_csum);
253 
254  if (p->level3_comp_csum == 0 && cd->valid == 1)
255  return 1;
256  else if (p->level3_comp_csum != 0 && cd->valid == 0)
257  return 1;
258  else
259  return 0;
260 }
261 
262 /**
263  * \brief Creates a SigMatch for the ipv4-csum keyword being sent as argument,
264  * and appends it to the Signature(s). Accepts 2 values for the
265  * keyword - "valid" and "invalid", both with and without quotes
266  *
267  * \param de_ctx Pointer to the detection engine context
268  * \param s Pointer to signature for the current Signature being parsed
269  * from the rules
270  * \param csum_str Pointer to the string holding the keyword value
271  *
272  * \retval 0 on success, -1 on failure
273  */
274 static int DetectIPV4CsumSetup(DetectEngineCtx *de_ctx, Signature *s, const char *csum_str)
275 {
276  DetectCsumData *cd = NULL;
277  SigMatch *sm = NULL;
278 
279  //printf("DetectCsumSetup: \'%s\'\n", csum_str);
280 
281  sm = SigMatchAlloc();
282  if (sm == NULL)
283  goto error;
284 
285  sm->type = DETECT_IPV4_CSUM;
286 
287  if ( (cd = SCMalloc(sizeof(DetectCsumData))) == NULL)
288  goto error;
289  memset(cd, 0, sizeof(DetectCsumData));
290 
291  if (DetectCsumParseArg(csum_str, cd) == 0)
292  goto error;
293 
294  sm->ctx = (SigMatchCtx *)cd;
295 
297 
298  return 0;
299 
300 error:
301  if (cd != NULL) DetectIPV4CsumFree(de_ctx, cd);
302  if (sm != NULL) SCFree(sm);
303 
304  return -1;
305 }
306 
307 static void DetectIPV4CsumFree(DetectEngineCtx *de_ctx, void *ptr)
308 {
309  DetectCsumData *cd = (DetectCsumData *)ptr;
310 
311  if (cd != NULL)
312  SCFree(cd);
313 
314  return;
315 }
316 
317 /**
318  * \brief Checks if the packet sent as the argument, has a valid or invalid
319  * tcpv4 checksum, based on whether tcpv4-csum option for this rule
320  * has been supplied with "valid" or "invalid" argument
321  *
322  * \param t Pointer to the tv for this detection module instance
323  * \param det_ctx Pointer to the detection engine thread context
324  * \param p Pointer to the Packet currently being matched
325  * \param s Pointer to the Signature, the packet is being currently
326  * matched with
327  * \param m Pointer to the keyword_structure(SigMatch) from the above
328  * Signature, the Packet is being currently matched with
329  *
330  * \retval 1 if the Packet contents match the keyword option; 0 otherwise
331  */
332 static int DetectTCPV4CsumMatch(DetectEngineThreadCtx *det_ctx,
333  Packet *p, const Signature *s, const SigMatchCtx *ctx)
334 {
335  const DetectCsumData *cd = (const DetectCsumData *)ctx;
336 
337  if (p->ip4h == NULL || p->tcph == NULL || p->proto != IPPROTO_TCP || PKT_IS_PSEUDOPKT(p))
338  return 0;
339 
340  if (p->flags & PKT_IGNORE_CHECKSUM) {
341  return cd->valid;
342  }
343 
344  if (p->level4_comp_csum == -1)
345  p->level4_comp_csum = TCPChecksum(p->ip4h->s_ip_addrs,
346  (uint16_t *)p->tcph,
347  (p->payload_len +
348  TCP_GET_HLEN(p)),
349  p->tcph->th_sum);
350 
351  if (p->level4_comp_csum == 0 && cd->valid == 1)
352  return 1;
353  else if (p->level4_comp_csum != 0 && cd->valid == 0)
354  return 1;
355  else
356  return 0;
357 }
358 
359 /**
360  * \brief Creates a SigMatch for the tcpv4-csum keyword being sent as argument,
361  * and appends it to the Signature(s). Accepts 2 values for the
362  * keyword - "valid" and "invalid", both with and without quotes
363  *
364  * \param de_ctx Pointer to the detection engine context
365  * \param s Pointer to signature for the current Signature being parsed
366  * from the rules
367  * \param csum_str Pointer to the string holding the keyword value
368  *
369  * \retval 0 on success, -1 on failure
370  */
371 static int DetectTCPV4CsumSetup(DetectEngineCtx *de_ctx, Signature *s, const char *csum_str)
372 {
373  DetectCsumData *cd = NULL;
374  SigMatch *sm = NULL;
375 
376  //printf("DetectCsumSetup: \'%s\'\n", csum_str);
377 
378  sm = SigMatchAlloc();
379  if (sm == NULL)
380  goto error;
381 
382  sm->type = DETECT_TCPV4_CSUM;
383 
384  if ( (cd = SCMalloc(sizeof(DetectCsumData))) == NULL)
385  goto error;
386  memset(cd, 0, sizeof(DetectCsumData));
387 
388  if (DetectCsumParseArg(csum_str, cd) == 0)
389  goto error;
390 
391  sm->ctx = (SigMatchCtx *)cd;
392 
394 
395  return 0;
396 
397 error:
398  if (cd != NULL) DetectTCPV4CsumFree(de_ctx, cd);
399  if (sm != NULL) SCFree(sm);
400 
401  return -1;
402 }
403 
404 static void DetectTCPV4CsumFree(DetectEngineCtx *de_ctx, void *ptr)
405 {
406  DetectCsumData *cd = (DetectCsumData *)ptr;
407 
408  if (cd != NULL)
409  SCFree(cd);
410 
411  return;
412 }
413 
414 /**
415  * \brief Checks if the packet sent as the argument, has a valid or invalid
416  * tcpv6 checksum, based on whether tcpv6-csum option for this rule
417  * has been supplied with "valid" or "invalid" argument
418  *
419  * \param t Pointer to the tv for this detection module instance
420  * \param det_ctx Pointer to the detection engine thread context
421  * \param p Pointer to the Packet currently being matched
422  * \param s Pointer to the Signature, the packet is being currently
423  * matched with
424  * \param m Pointer to the keyword_structure(SigMatch) from the above
425  * Signature, the Packet is being currently matched with
426  *
427  * \retval 1 if the Packet contents match the keyword option; 0 otherwise
428  */
429 static int DetectTCPV6CsumMatch(DetectEngineThreadCtx *det_ctx,
430  Packet *p, const Signature *s, const SigMatchCtx *ctx)
431 {
432  const DetectCsumData *cd = (const DetectCsumData *)ctx;
433 
434  if (p->ip6h == NULL || p->tcph == NULL || p->proto != IPPROTO_TCP || PKT_IS_PSEUDOPKT(p))
435  return 0;
436 
437  if (p->flags & PKT_IGNORE_CHECKSUM) {
438  return cd->valid;
439  }
440 
441  if (p->level4_comp_csum == -1)
442  p->level4_comp_csum = TCPV6Checksum(p->ip6h->s_ip6_addrs,
443  (uint16_t *)p->tcph,
444  (p->payload_len +
445  TCP_GET_HLEN(p)),
446  p->tcph->th_sum);
447 
448  if (p->level4_comp_csum == 0 && cd->valid == 1)
449  return 1;
450  else if (p->level4_comp_csum != 0 && cd->valid == 0)
451  return 1;
452  else
453  return 0;
454 }
455 
456 /**
457  * \brief Creates a SigMatch for the tcpv6-csum keyword being sent as argument,
458  * and appends it to the Signature(s). Accepts 2 values for the
459  * keyword - "valid" and "invalid", both with and without quotes
460  *
461  * \param de_ctx Pointer to the detection engine context
462  * \param s Pointer to signature for the current Signature being parsed
463  * from the rules
464  * \param csum_str Pointer to the string holding the keyword value
465  *
466  * \retval 0 on success, -1 on failure
467  */
468 static int DetectTCPV6CsumSetup(DetectEngineCtx *de_ctx, Signature *s, const char *csum_str)
469 {
470  DetectCsumData *cd = NULL;
471  SigMatch *sm = NULL;
472 
473  //printf("DetectCsumSetup: \'%s\'\n", csum_str);
474 
475  sm = SigMatchAlloc();
476  if (sm == NULL)
477  goto error;
478 
479  sm->type = DETECT_TCPV6_CSUM;
480 
481  if ( (cd = SCMalloc(sizeof(DetectCsumData))) == NULL)
482  goto error;
483  memset(cd, 0, sizeof(DetectCsumData));
484 
485  if (DetectCsumParseArg(csum_str, cd) == 0)
486  goto error;
487 
488  sm->ctx = (SigMatchCtx *)cd;
489 
491 
492  return 0;
493 
494 error:
495  if (cd != NULL) DetectTCPV6CsumFree(de_ctx, cd);
496  if (sm != NULL) SCFree(sm);
497 
498  return -1;
499 }
500 
501 static void DetectTCPV6CsumFree(DetectEngineCtx *de_ctx, void *ptr)
502 {
503  DetectCsumData *cd = (DetectCsumData *)ptr;
504 
505  if (cd != NULL)
506  SCFree(cd);
507 
508  return;
509 }
510 
511 /**
512  * \brief Checks if the packet sent as the argument, has a valid or invalid
513  * udpv4 checksum, based on whether udpv4-csum option for this rule
514  * has been supplied with "valid" or "invalid" argument
515  *
516  * \param t Pointer to the tv for this detection module instance
517  * \param det_ctx Pointer to the detection engine thread context
518  * \param p Pointer to the Packet currently being matched
519  * \param s Pointer to the Signature, the packet is being currently
520  * matched with
521  * \param m Pointer to the keyword_structure(SigMatch) from the above
522  * Signature, the Packet is being currently matched with
523  *
524  * \retval 1 if the Packet contents match the keyword option; 0 otherwise
525  */
526 static int DetectUDPV4CsumMatch(DetectEngineThreadCtx *det_ctx,
527  Packet *p, const Signature *s, const SigMatchCtx *ctx)
528 {
529  const DetectCsumData *cd = (const DetectCsumData *)ctx;
530 
531  if (p->ip4h == NULL || p->udph == NULL || p->proto != IPPROTO_UDP || PKT_IS_PSEUDOPKT(p) || p->udph->uh_sum == 0)
532  return 0;
533 
534  if (p->flags & PKT_IGNORE_CHECKSUM) {
535  return cd->valid;
536  }
537 
538  if (p->level4_comp_csum == -1)
539  p->level4_comp_csum = UDPV4Checksum(p->ip4h->s_ip_addrs,
540  (uint16_t *)p->udph,
541  (p->payload_len +
543  p->udph->uh_sum);
544 
545  if (p->level4_comp_csum == 0 && cd->valid == 1)
546  return 1;
547  else if (p->level4_comp_csum != 0 && cd->valid == 0)
548  return 1;
549  else
550  return 0;
551 }
552 
553 /**
554  * \brief Creates a SigMatch for the udpv4-csum keyword being sent as argument,
555  * and appends it to the Signature(s). Accepts 2 values for the
556  * keyword - "valid" and "invalid", both with and without quotes
557  *
558  * \param de_ctx Pointer to the detection engine context
559  * \param s Pointer to signature for the current Signature being parsed
560  * from the rules
561  * \param csum_str Pointer to the string holding the keyword value
562  *
563  * \retval 0 on success, -1 on failure
564  */
565 static int DetectUDPV4CsumSetup(DetectEngineCtx *de_ctx, Signature *s, const char *csum_str)
566 {
567  DetectCsumData *cd = NULL;
568  SigMatch *sm = NULL;
569 
570  //printf("DetectCsumSetup: \'%s\'\n", csum_str);
571 
572  sm = SigMatchAlloc();
573  if (sm == NULL)
574  goto error;
575 
576  sm->type = DETECT_UDPV4_CSUM;
577 
578  if ( (cd = SCMalloc(sizeof(DetectCsumData))) == NULL)
579  goto error;
580  memset(cd, 0, sizeof(DetectCsumData));
581 
582  if (DetectCsumParseArg(csum_str, cd) == 0)
583  goto error;
584 
585  sm->ctx = (SigMatchCtx *)cd;
586 
588 
589  return 0;
590 
591 error:
592  if (cd != NULL) DetectUDPV4CsumFree(de_ctx, cd);
593  if (sm != NULL) SCFree(sm);
594 
595  return -1;
596 }
597 
598 static void DetectUDPV4CsumFree(DetectEngineCtx *de_ctx, void *ptr)
599 {
600  DetectCsumData *cd = (DetectCsumData *)ptr;
601 
602  if (cd != NULL)
603  SCFree(cd);
604 
605  return;
606 }
607 
608 /**
609  * \brief Checks if the packet sent as the argument, has a valid or invalid
610  * udpv6 checksum, based on whether udpv6-csum option for this rule
611  * has been supplied with "valid" or "invalid" argument
612  *
613  * \param t Pointer to the tv for this detection module instance
614  * \param det_ctx Pointer to the detection engine thread context
615  * \param p Pointer to the Packet currently being matched
616  * \param s Pointer to the Signature, the packet is being currently
617  * matched with
618  * \param m Pointer to the keyword_structure(SigMatch) from the above
619  * Signature, the Packet is being currently matched with
620  *
621  * \retval 1 if the Packet contents match the keyword option; 0 otherwise
622  */
623 static int DetectUDPV6CsumMatch(DetectEngineThreadCtx *det_ctx,
624  Packet *p, const Signature *s, const SigMatchCtx *ctx)
625 {
626  const DetectCsumData *cd = (const DetectCsumData *)ctx;
627 
628  if (p->ip6h == NULL || p->udph == NULL || p->proto != IPPROTO_UDP || PKT_IS_PSEUDOPKT(p))
629  return 0;
630 
631  if (p->flags & PKT_IGNORE_CHECKSUM) {
632  return cd->valid;
633  }
634 
635  if (p->level4_comp_csum == -1)
636  p->level4_comp_csum = UDPV6Checksum(p->ip6h->s_ip6_addrs,
637  (uint16_t *)p->udph,
638  (p->payload_len +
640  p->udph->uh_sum);
641 
642  if (p->level4_comp_csum == 0 && cd->valid == 1)
643  return 1;
644  else if (p->level4_comp_csum != 0 && cd->valid == 0)
645  return 1;
646  else
647  return 0;
648 }
649 
650 /**
651  * \brief Creates a SigMatch for the udpv6-csum keyword being sent as argument,
652  * and appends it to the Signature(s). Accepts 2 values for the
653  * keyword - "valid" and "invalid", both with and without quotes
654  *
655  * \param de_ctx Pointer to the detection engine context
656  * \param s Pointer to signature for the current Signature being parsed
657  * from the rules
658  * \param csum_str Pointer to the string holding the keyword value
659  *
660  * \retval 0 on success, -1 on failure
661  */
662 static int DetectUDPV6CsumSetup(DetectEngineCtx *de_ctx, Signature *s, const char *csum_str)
663 {
664  DetectCsumData *cd = NULL;
665  SigMatch *sm = NULL;
666 
667  //printf("DetectCsumSetup: \'%s\'\n", csum_str);
668 
669  sm = SigMatchAlloc();
670  if (sm == NULL)
671  goto error;
672 
673  sm->type = DETECT_UDPV6_CSUM;
674 
675  if ( (cd = SCMalloc(sizeof(DetectCsumData))) == NULL)
676  goto error;
677  memset(cd, 0, sizeof(DetectCsumData));
678 
679  if (DetectCsumParseArg(csum_str, cd) == 0)
680  goto error;
681 
682  sm->ctx = (void *)cd;
683 
685 
686  return 0;
687 
688 error:
689  if (cd != NULL) DetectUDPV6CsumFree(de_ctx, cd);
690  if (sm != NULL) SCFree(sm);
691 
692  return -1;
693 }
694 
695 static void DetectUDPV6CsumFree(DetectEngineCtx *de_ctx, void *ptr)
696 {
697  DetectCsumData *cd = (DetectCsumData *)ptr;
698 
699  if (cd != NULL)
700  SCFree(cd);
701 
702  return;
703 }
704 
705 /**
706  * \brief Checks if the packet sent as the argument, has a valid or invalid
707  * icmpv4 checksum, based on whether icmpv4-csum option for this rule
708  * has been supplied with "valid" or "invalid" argument
709  *
710  * \param t Pointer to the tv for this detection module instance
711  * \param det_ctx Pointer to the detection engine thread context
712  * \param p Pointer to the Packet currently being matched
713  * \param s Pointer to the Signature, the packet is being currently
714  * matched with
715  * \param m Pointer to the keyword_structure(SigMatch) from the above
716  * Signature, the Packet is being currently matched with
717  *
718  * \retval 1 if the Packet contents match the keyword option; 0 otherwise
719  */
720 static int DetectICMPV4CsumMatch(DetectEngineThreadCtx *det_ctx,
721  Packet *p, const Signature *s, const SigMatchCtx *ctx)
722 {
723  const DetectCsumData *cd = (const DetectCsumData *)ctx;
724 
725  if (p->ip4h == NULL || p->icmpv4h == NULL || p->proto != IPPROTO_ICMP || PKT_IS_PSEUDOPKT(p))
726  return 0;
727 
728  if (p->flags & PKT_IGNORE_CHECKSUM) {
729  return cd->valid;
730  }
731 
732  if (p->level4_comp_csum == -1)
733  p->level4_comp_csum = ICMPV4CalculateChecksum((uint16_t *)p->icmpv4h,
735  IPV4_GET_RAW_HLEN(p->ip4h) * 4);
736 
737  if (p->level4_comp_csum == p->icmpv4h->checksum && cd->valid == 1)
738  return 1;
739  else if (p->level4_comp_csum != p->icmpv4h->checksum && cd->valid == 0)
740  return 1;
741  else
742  return 0;
743 }
744 
745 /**
746  * \brief Creates a SigMatch for the icmpv4-csum keyword being sent as argument,
747  * and appends it to the Signature(s). Accepts 2 values for the
748  * keyword - "valid" and "invalid", both with and without quotes
749  *
750  * \param de_ctx Pointer to the detection engine context
751  * \param s Pointer to signature for the current Signature being parsed
752  * from the rules
753  * \param csum_str Pointer to the string holding the keyword value
754  *
755  * \retval 0 on success, -1 on failure
756  */
757 static int DetectICMPV4CsumSetup(DetectEngineCtx *de_ctx, Signature *s, const char *csum_str)
758 {
759  DetectCsumData *cd = NULL;
760  SigMatch *sm = NULL;
761 
762  //printf("DetectCsumSetup: \'%s\'\n", csum_str);
763 
764  sm = SigMatchAlloc();
765  if (sm == NULL)
766  goto error;
767 
768  sm->type = DETECT_ICMPV4_CSUM;
769 
770  if ( (cd = SCMalloc(sizeof(DetectCsumData))) == NULL)
771  goto error;
772  memset(cd, 0, sizeof(DetectCsumData));
773 
774  if (DetectCsumParseArg(csum_str, cd) == 0)
775  goto error;
776 
777  sm->ctx = (SigMatchCtx *)cd;
778 
780 
781  return 0;
782 
783 error:
784  if (cd != NULL) DetectICMPV4CsumFree(de_ctx, cd);
785  if (sm != NULL) SCFree(sm);
786 
787  return -1;
788 }
789 
790 static void DetectICMPV4CsumFree(DetectEngineCtx *de_ctx, void *ptr)
791 {
792  DetectCsumData *cd = (DetectCsumData *)ptr;
793 
794  if (cd != NULL)
795  SCFree(cd);
796 
797  return;
798 }
799 
800 /**
801  * \brief Checks if the packet sent as the argument, has a valid or invalid
802  * icmpv6 checksum, based on whether icmpv6-csum option for this rule
803  * has been supplied with "valid" or "invalid" argument
804  *
805  * \param t Pointer to the tv for this detection module instance
806  * \param det_ctx Pointer to the detection engine thread context
807  * \param p Pointer to the Packet currently being matched
808  * \param s Pointer to the Signature, the packet is being currently
809  * matched with
810  * \param m Pointer to the keyword_structure(SigMatch) from the above
811  * Signature, the Packet is being currently matched with
812  *
813  * \retval 1 if the Packet contents match the keyword option; 0 otherwise
814  */
815 static int DetectICMPV6CsumMatch(DetectEngineThreadCtx *det_ctx,
816  Packet *p, const Signature *s, const SigMatchCtx *ctx)
817 {
818  const DetectCsumData *cd = (const DetectCsumData *)ctx;
819 
820  if (p->ip6h == NULL || p->icmpv6h == NULL || p->proto != IPPROTO_ICMPV6 || PKT_IS_PSEUDOPKT(p) ||
821  (GET_PKT_LEN(p) - ((uint8_t *)p->icmpv6h - GET_PKT_DATA(p))) <= 0) {
822  return 0;
823  }
824 
825  if (p->flags & PKT_IGNORE_CHECKSUM) {
826  return cd->valid;
827  }
828 
829  if (p->level4_comp_csum == -1) {
830  uint16_t len = IPV6_GET_RAW_PLEN(p->ip6h) -
831  (uint16_t)((uint8_t *)p->icmpv6h - (uint8_t *)p->ip6h - IPV6_HEADER_LEN);
832  p->level4_comp_csum = ICMPV6CalculateChecksum(p->ip6h->s_ip6_addrs,
833  (uint16_t *)p->icmpv6h,
834  len);
835  }
836 
837  if (p->level4_comp_csum == p->icmpv6h->csum && cd->valid == 1)
838  return 1;
839  else if (p->level4_comp_csum != p->icmpv6h->csum && cd->valid == 0)
840  return 1;
841  else
842  return 0;
843 }
844 
845 /**
846  * \brief Creates a SigMatch for the icmpv6-csum keyword being sent as argument,
847  * and appends it to the Signature(s). Accepts 2 values for the
848  * keyword - "valid" and "invalid", both with and without quotes
849  *
850  * \param de_ctx Pointer to the detection engine context
851  * \param s Pointer to signature for the current Signature being parsed
852  * from the rules
853  * \param csum_str Pointer to the string holding the keyword value
854  *
855  * \retval 0 on success, -1 on failure
856  */
857 static int DetectICMPV6CsumSetup(DetectEngineCtx *de_ctx, Signature *s, const char *csum_str)
858 {
859  DetectCsumData *cd = NULL;
860  SigMatch *sm = NULL;
861 
862  sm = SigMatchAlloc();
863  if (sm == NULL)
864  goto error;
865 
866  sm->type = DETECT_ICMPV6_CSUM;
867 
868  if ( (cd = SCMalloc(sizeof(DetectCsumData))) == NULL)
869  goto error;
870  memset(cd, 0, sizeof(DetectCsumData));
871 
872  if (DetectCsumParseArg(csum_str, cd) == 0)
873  goto error;
874 
875  sm->ctx = (SigMatchCtx *)cd;
876 
878 
879  return 0;
880 
881 error:
882  if (cd != NULL) DetectICMPV6CsumFree(de_ctx, cd);
883  if (sm != NULL) SCFree(sm);
884 
885  return -1;
886 }
887 
888 static void DetectICMPV6CsumFree(DetectEngineCtx *de_ctx, void *ptr)
889 {
890  DetectCsumData *cd = (DetectCsumData *)ptr;
891 
892  if (cd != NULL)
893  SCFree(cd);
894 
895  return;
896 }
897 
898 /* ---------------------------------- Unit Tests --------------------------- */
899 
900 #ifdef UNITTESTS
901 #include "util-unittest-helper.h"
902 #include "detect-engine.h"
903 #include "detect-engine-alert.h"
904 #include "packet.h"
905 
906 #define mystr(s) #s
907 #define TEST1(kwstr) {\
908  DetectEngineCtx *de_ctx = DetectEngineCtxInit();\
909  FAIL_IF_NULL(de_ctx);\
910  de_ctx->flags = DE_QUIET;\
911  \
912  Signature *s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:valid; sid:1;)");\
913  FAIL_IF_NULL(s);\
914  s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:invalid; sid:2;)");\
915  FAIL_IF_NULL(s);\
916  s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:vaLid; sid:3;)");\
917  FAIL_IF_NULL(s);\
918  s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:VALID; sid:4;)");\
919  FAIL_IF_NULL(s);\
920  s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:iNvaLid; sid:5;)");\
921  FAIL_IF_NULL(s);\
922  DetectEngineCtxFree(de_ctx);\
923 }
924 
925 
926 static int DetectCsumValidArgsTestParse01(void)
927 {
928  TEST1(ipv4);
929  TEST1(tcpv4);
930  TEST1(tcpv6);
931  TEST1(udpv4);
932  TEST1(udpv6);
933  TEST1(icmpv4);
934  TEST1(icmpv6);
935  PASS;
936 }
937 #undef TEST1
938 
939 #define TEST2(kwstr) { \
940  DetectEngineCtx *de_ctx = DetectEngineCtxInit();\
941  FAIL_IF_NULL(de_ctx);\
942  Signature *s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:vaid; sid:1;)");\
943  FAIL_IF(s);\
944  s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:invaalid; sid:2;)");\
945  FAIL_IF(s);\
946  s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:vaLiid; sid:3;)");\
947  FAIL_IF(s);\
948  s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:VALieD; sid:4;)");\
949  FAIL_IF(s);\
950  s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:iNvamid; sid:5;)");\
951  FAIL_IF(s);\
952  DetectEngineCtxFree(de_ctx);\
953 }
954 
955 static int DetectCsumInvalidArgsTestParse02(void)
956 {
957  TEST2(ipv4);
958  TEST2(tcpv4);
959  TEST2(tcpv6);
960  TEST2(udpv4);
961  TEST2(udpv6);
962  TEST2(icmpv4);
963  TEST2(icmpv6);
964  PASS;
965 }
966 #undef TEST2
967 
968 #define TEST3(kwstr, kwtype) { \
969  DetectEngineCtx *de_ctx = DetectEngineCtxInit();\
970  FAIL_IF_NULL(de_ctx);\
971  Signature *s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:valid; sid:1;)");\
972  FAIL_IF_NULL(s);\
973  SigMatch *sm = DetectGetLastSMFromLists(s, (kwtype), -1);\
974  FAIL_IF_NULL(sm);\
975  FAIL_IF_NULL(sm->ctx);\
976  FAIL_IF_NOT(((DetectCsumData *)sm->ctx)->valid == 1);\
977  s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:INVALID; sid:2;)");\
978  FAIL_IF_NULL(s);\
979  sm = DetectGetLastSMFromLists(s, (kwtype), -1);\
980  FAIL_IF_NULL(sm);\
981  FAIL_IF_NULL(sm->ctx);\
982  FAIL_IF_NOT(((DetectCsumData *)sm->ctx)->valid == 0);\
983  DetectEngineCtxFree(de_ctx);\
984 }
985 
986 static int DetectCsumValidArgsTestParse03(void)
987 {
988  TEST3(ipv4, DETECT_IPV4_CSUM);
989  TEST3(tcpv4, DETECT_TCPV4_CSUM);
990  TEST3(tcpv6, DETECT_TCPV6_CSUM);
991  TEST3(udpv4, DETECT_UDPV4_CSUM);
992  TEST3(udpv6, DETECT_UDPV6_CSUM);
993  TEST3(icmpv4, DETECT_ICMPV4_CSUM);
994  TEST3(icmpv6, DETECT_ICMPV6_CSUM);
995  PASS;
996 }
997 #undef TEST3
998 #undef mystr
999 
1000 #include "stream-tcp.h"
1001 
1002 static int DetectCsumICMPV6Test01(void)
1003 {
1004  DetectEngineCtx *de_ctx = NULL;
1005  Signature *s = NULL;
1006  ThreadVars tv;
1007  DetectEngineThreadCtx *det_ctx = NULL;
1009 
1010  Packet *p = PacketGetFromAlloc();
1011  FAIL_IF_NULL(p);
1012 
1013  uint8_t pkt[] = {
1014  0x00, 0x30, 0x18, 0xa8, 0x7c, 0x23, 0x2c, 0x41,
1015  0x38, 0xa7, 0xea, 0xeb, 0x86, 0xdd, 0x60, 0x00,
1016  0x00, 0x00, 0x00, 0x40, 0x3c, 0x40, 0xad, 0xa1,
1017  0x09, 0x80, 0x00, 0x01, 0xd6, 0xf3, 0x20, 0x01,
1018  0xf4, 0xbe, 0xea, 0x3c, 0x00, 0x01, 0x00, 0x00,
1019  0x00, 0x00, 0x32, 0xb2, 0x00, 0x01, 0x32, 0xb2,
1020  0x09, 0x80, 0x20, 0x01, 0x00, 0x00, 0x3c, 0x00,
1021  0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x3c, 0x00,
1022  0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x2c, 0x00,
1023  0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x2c, 0x00,
1024  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3c, 0x00,
1025  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2c, 0x00,
1026  0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x3a, 0x00,
1027  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00,
1028  0x63, 0xc2, 0x00, 0x00, 0x00, 0x00 };
1029 
1030  PacketCopyData(p, pkt, sizeof(pkt));
1031 
1032  memset(&tv, 0, sizeof(tv));
1033  memset(&dtv, 0, sizeof(dtv));
1034 
1035  StreamTcpInitConfig(true);
1037 
1041  de_ctx->flags |= DE_QUIET;
1042 
1043  s = de_ctx->sig_list = SigInit(de_ctx, "alert ip any any -> any any "
1044  "(icmpv6-csum:valid; sid:1;)");
1045  FAIL_IF_NULL(s);
1047 
1048  DecodeEthernet(&tv, &dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p));
1049 
1050  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
1051 
1052  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1053 
1054  FAIL_IF(!PacketAlertCheck(p, 1));
1055 
1056  DetectEngineThreadCtxDeinit(&tv, det_ctx);
1058 
1059  StreamTcpFreeConfig(true);
1060  PacketRecycle(p);
1061  FlowShutdown();
1062  SCFree(p);
1063  PASS;
1064 }
1065 
1066 static void DetectCsumRegisterTests(void)
1067 {
1068  UtRegisterTest("DetectCsumValidArgsTestParse01",
1069  DetectCsumValidArgsTestParse01);
1070  UtRegisterTest("DetectCsumInvalidArgsTestParse02",
1071  DetectCsumInvalidArgsTestParse02);
1072  UtRegisterTest("DetectCsumValidArgsTestParse03",
1073  DetectCsumValidArgsTestParse03);
1074 
1075  UtRegisterTest("DetectCsumICMPV6Test01",
1076  DetectCsumICMPV6Test01);
1077 }
1078 #endif /* UNITTESTS */
host.h
Packet_::proto
uint8_t proto
Definition: decode.h:450
len
uint8_t len
Definition: app-layer-dnp3.h:2
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
IPV6_GET_RAW_PLEN
#define IPV6_GET_RAW_PLEN(ip6h)
Definition: decode-ipv6.h:66
DETECT_CSUM_VALID
#define DETECT_CSUM_VALID
Definition: detect-csum.c:42
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1225
PacketCopyData
int PacketCopyData(Packet *p, const uint8_t *pktdata, uint32_t pktlen)
Copy data to Packet payload and set packet length.
Definition: decode.c:292
SigTableElmt_::name
const char * name
Definition: detect.h:1235
PKT_IS_PSEUDOPKT
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1058
stream-tcp.h
DETECT_ICMPV4_CSUM
@ DETECT_ICMPV4_CSUM
Definition: detect-engine-register.h:97
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
ICMPV6Hdr_::csum
uint16_t csum
Definition: decode-icmpv6.h:147
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
Packet_::flags
uint32_t flags
Definition: decode.h:463
PacketRecycle
void PacketRecycle(Packet *p)
Definition: packet.c:168
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2129
DETECT_UDPV6_CSUM
@ DETECT_UDPV6_CSUM
Definition: detect-engine-register.h:96
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:784
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2444
DetectCsumData
struct DetectCsumData_ DetectCsumData
DE_QUIET
#define DE_QUIET
Definition: detect.h:287
mpm_default_matcher
uint8_t mpm_default_matcher
Definition: util-mpm.c:49
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1788
DETECT_CSUM_INVALID
#define DETECT_CSUM_INVALID
Definition: detect-csum.c:43
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1220
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:574
util-unittest.h
util-unittest-helper.h
DETECT_TCPV4_CSUM
@ DETECT_TCPV4_CSUM
Definition: detect-engine-register.h:93
Packet_::level3_comp_csum
int32_t level3_comp_csum
Definition: decode.h:527
FlowInitConfig
void FlowInitConfig(bool quiet)
initialize the configuration
Definition: flow.c:543
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:361
decode.h
Packet_::level4_comp_csum
int32_t level4_comp_csum
Definition: decode.h:529
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1024
GET_PKT_DATA
#define GET_PKT_DATA(p)
Definition: decode.h:219
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
pkt-var.h
IPV4_GET_RAW_HLEN
#define IPV4_GET_RAW_HLEN(ip4h)
Definition: decode-ipv4.h:96
DetectEngineCtx_::mpm_matcher
uint8_t mpm_matcher
Definition: detect.h:834
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:78
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:316
util-profiling.h
Packet_::icmpv6h
ICMPV6Hdr * icmpv6h
Definition: decode.h:563
Packet_
Definition: decode.h:428
detect-engine-build.h
GET_PKT_LEN
#define GET_PKT_LEN(p)
Definition: decode.h:218
detect-engine-alert.h
Packet_::ip4h
IPV4Hdr * ip4h
Definition: decode.h:531
PKT_IGNORE_CHECKSUM
#define PKT_IGNORE_CHECKSUM
Definition: decode.h:1018
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1203
DETECT_IPV4_CSUM
@ DETECT_IPV4_CSUM
Definition: detect-engine-register.h:92
DetectCsumData_::valid
int16_t valid
Definition: detect-csum.c:48
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:238
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1954
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:33
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:308
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3153
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:669
SCNtohs
#define SCNtohs(x)
Definition: suricata-common.h:403
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3367
SigMatch_::type
uint16_t type
Definition: detect.h:314
Packet_::tcph
TCPHdr * tcph
Definition: decode.h:553
FlowShutdown
void FlowShutdown(void)
shutdown the flow engine
Definition: flow.c:690
packet.h
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:76
DetectCsumRegister
void DetectCsumRegister(void)
Registers handlers for all the checksum keywords. The checksum keywords that are registered are ipv4-...
Definition: detect-csum.c:139
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:790
Packet_::icmpv4h
ICMPV4Hdr * icmpv4h
Definition: decode.h:561
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:173
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
IPV4_GET_HLEN
#define IPV4_GET_HLEN(p)
Definition: decode-ipv4.h:124
DetectCsumData_
Definition: detect-csum.c:45
str
#define str(s)
Definition: suricata-common.h:280
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:665
DETECT_ICMPV6_CSUM
@ DETECT_ICMPV6_CSUM
Definition: detect-engine-register.h:98
TEST1
#define TEST1(kwstr)
Definition: detect-csum.c:907
detect-parse.h
Signature_
Signature container.
Definition: detect.h:539
SigMatch_
a single match condition for a signature
Definition: detect.h:313
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2405
IPV4Hdr_::ip_csum
uint16_t ip_csum
Definition: decode-ipv4.h:80
TCP_GET_HLEN
#define TCP_GET_HLEN(p)
Definition: decode-tcp.h:111
TEST3
#define TEST3(kwstr, kwtype)
Definition: detect-csum.c:968
Packet_::udph
UDPHdr * udph
Definition: decode.h:555
UDP_HEADER_LEN
#define UDP_HEADER_LEN
Definition: decode-udp.h:27
FLOW_QUIET
#define FLOW_QUIET
Definition: flow.h:40
TEST2
#define TEST2(kwstr)
Definition: detect-csum.c:939
IPV6_HEADER_LEN
#define IPV6_HEADER_LEN
Definition: decode-ipv6.h:27
IPV4_GET_RAW_IPLEN
#define IPV4_GET_RAW_IPLEN(ip4h)
Definition: decode-ipv4.h:98
detect-csum.h
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:785
Packet_::ip6h
IPV6Hdr * ip6h
Definition: decode.h:533
DETECT_TCPV6_CSUM
@ DETECT_TCPV6_CSUM
Definition: detect-engine-register.h:94
DecodeEthernet
int DecodeEthernet(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Definition: decode-ethernet.c:42
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:352
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1227
DETECT_UDPV4_CSUM
@ DETECT_UDPV4_CSUM
Definition: detect-engine-register.h:95