suricata
detect-csum.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2013 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  *
23  * Implements checksum keyword.
24  */
25 
26 #include "suricata-common.h"
27 #include "debug.h"
28 #include "decode.h"
29 
30 #include "detect.h"
31 #include "detect-parse.h"
32 
33 #include "detect-csum.h"
34 
35 #include "util-unittest.h"
36 #include "util-debug.h"
37 
38 #include "pkt-var.h"
39 #include "host.h"
40 #include "util-profiling.h"
41 
42 /* prototypes for the "ipv4-csum" rule keyword */
43 static int DetectIPV4CsumMatch(DetectEngineThreadCtx *,
44  Packet *, const Signature *, const SigMatchCtx *);
45 static int DetectIPV4CsumSetup(DetectEngineCtx *, Signature *, const char *);
46 static void DetectIPV4CsumFree(DetectEngineCtx *, void *);
47 
48 /* prototypes for the "tcpv4-csum" rule keyword */
49 static int DetectTCPV4CsumMatch(DetectEngineThreadCtx *,
50  Packet *, const Signature *, const SigMatchCtx *);
51 static int DetectTCPV4CsumSetup(DetectEngineCtx *, Signature *, const char *);
52 static void DetectTCPV4CsumFree(DetectEngineCtx *, void *);
53 
54 /* prototypes for the "tcpv6-csum" rule keyword */
55 static int DetectTCPV6CsumMatch(DetectEngineThreadCtx *,
56  Packet *, const Signature *, const SigMatchCtx *);
57 static int DetectTCPV6CsumSetup(DetectEngineCtx *, Signature *, const char *);
58 static void DetectTCPV6CsumFree(DetectEngineCtx *, void *);
59 
60 /* prototypes for the "udpv4-csum" rule keyword */
61 static int DetectUDPV4CsumMatch(DetectEngineThreadCtx *,
62  Packet *, const Signature *, const SigMatchCtx *);
63 static int DetectUDPV4CsumSetup(DetectEngineCtx *, Signature *, const char *);
64 static void DetectUDPV4CsumFree(DetectEngineCtx *, void *);
65 
66 /* prototypes for the "udpv6-csum" rule keyword */
67 static int DetectUDPV6CsumMatch(DetectEngineThreadCtx *,
68  Packet *, const Signature *, const SigMatchCtx *);
69 static int DetectUDPV6CsumSetup(DetectEngineCtx *, Signature *, const char *);
70 static void DetectUDPV6CsumFree(DetectEngineCtx *de_ctx, void *);
71 
72 /* prototypes for the "icmpv4-csum" rule keyword */
73 static int DetectICMPV4CsumMatch(DetectEngineThreadCtx *,
74  Packet *, const Signature *, const SigMatchCtx *);
75 static int DetectICMPV4CsumSetup(DetectEngineCtx *, Signature *, const char *);
76 static void DetectICMPV4CsumFree(DetectEngineCtx *, void *);
77 
78 /* prototypes for the "icmpv6-csum" rule keyword */
79 static int DetectICMPV6CsumMatch(DetectEngineThreadCtx *,
80  Packet *, const Signature *, const SigMatchCtx *);
81 static int DetectICMPV6CsumSetup(DetectEngineCtx *, Signature *, const char *);
82 static void DetectICMPV6CsumFree(DetectEngineCtx *, void *);
83 
84 #ifdef UNITTESTS
85 static void DetectCsumRegisterTests(void);
86 #endif
87 
88 /**
89  * \brief Registers handlers for all the checksum keywords. The checksum
90  * keywords that are registered are ipv4-sum, tcpv4-csum, tcpv6-csum,
91  * udpv4-csum, udpv6-csum, icmpv4-csum and icmpv6-csum.
92  *
93  * Each of the checksum keywords implemented here takes 2 arguments -
94  * "valid" or "invalid". If the rule keyword in the signature is
95  * specified as "valid", the Match function would return TRUE if the
96  * checksum for that particular packet and protocol is valid. Similarly
97  * for "invalid".
98  *
99  * The Setup functions takes 4 arguments -
100  *
101  * DetectEngineCtx * (de_ctx) - A pointer to the detection engine context
102  * Signature *(s) - Pointer to signature for the current Signature being
103  * parsed from the rules
104  * SigMatchCtx * (m) - Pointer to the head of the SigMatchs added to the
105  * current Signature being parsed
106  * char * (csum_str) - Pointer to a string holding the keyword value
107  *
108  * The Setup function returns 0 if it successfully parses the keyword
109  * value, and -1 otherwise.
110  *
111  * The Match function takes 5 arguments -
112  *
113  * ThreadVars * (t) - Pointer to the tv for the detection module instance
114  * DetectEngineThreadCtx * (det_ctx) - Pointer to the detection engine
115  * thread context
116  * Packet * (p) - Pointer to the Packet currently being handled
117  * Signature * (s) - Pointer to the Signature, the packet is being
118  * currently matched with
119  * SigMatchCtx * (m) - Pointer to the keyword structure from the above
120  * Signature, the Packet is being currently matched
121  * with
122  *
123  * The Match function returns 1 if the Packet contents match the keyword,
124  * and 0 otherwise
125  *
126  * The Free function takes a single argument -
127  *
128  * void * (ptr) - Pointer to the DetectCsumData for a keyword
129  */
131 {
132  sigmatch_table[DETECT_IPV4_CSUM].name = "ipv4-csum";
133  sigmatch_table[DETECT_IPV4_CSUM].Match = DetectIPV4CsumMatch;
134  sigmatch_table[DETECT_IPV4_CSUM].Setup = DetectIPV4CsumSetup;
135  sigmatch_table[DETECT_IPV4_CSUM].Free = DetectIPV4CsumFree;
136 #ifdef UNITTESTS
137  sigmatch_table[DETECT_IPV4_CSUM].RegisterTests = DetectCsumRegisterTests;
138 #endif
139 
140  sigmatch_table[DETECT_TCPV4_CSUM].name = "tcpv4-csum";
141  sigmatch_table[DETECT_TCPV4_CSUM].Match = DetectTCPV4CsumMatch;
142  sigmatch_table[DETECT_TCPV4_CSUM].Setup = DetectTCPV4CsumSetup;
143  sigmatch_table[DETECT_TCPV4_CSUM].Free = DetectTCPV4CsumFree;
144 
145  sigmatch_table[DETECT_TCPV6_CSUM].name = "tcpv6-csum";
146  sigmatch_table[DETECT_TCPV6_CSUM].Match = DetectTCPV6CsumMatch;
147  sigmatch_table[DETECT_TCPV6_CSUM].Setup = DetectTCPV6CsumSetup;
148  sigmatch_table[DETECT_TCPV6_CSUM].Free = DetectTCPV6CsumFree;
149 
150  sigmatch_table[DETECT_UDPV4_CSUM].name = "udpv4-csum";
151  sigmatch_table[DETECT_UDPV4_CSUM].Match = DetectUDPV4CsumMatch;
152  sigmatch_table[DETECT_UDPV4_CSUM].Setup = DetectUDPV4CsumSetup;
153  sigmatch_table[DETECT_UDPV4_CSUM].Free = DetectUDPV4CsumFree;
154 
155  sigmatch_table[DETECT_UDPV6_CSUM].name = "udpv6-csum";
156  sigmatch_table[DETECT_UDPV6_CSUM].Match = DetectUDPV6CsumMatch;
157  sigmatch_table[DETECT_UDPV6_CSUM].Setup = DetectUDPV6CsumSetup;
158  sigmatch_table[DETECT_UDPV6_CSUM].Free = DetectUDPV6CsumFree;
159 
160  sigmatch_table[DETECT_ICMPV4_CSUM].name = "icmpv4-csum";
161  sigmatch_table[DETECT_ICMPV4_CSUM].Match = DetectICMPV4CsumMatch;
162  sigmatch_table[DETECT_ICMPV4_CSUM].Setup = DetectICMPV4CsumSetup;
163  sigmatch_table[DETECT_ICMPV4_CSUM].Free = DetectICMPV4CsumFree;
164 
165  sigmatch_table[DETECT_ICMPV6_CSUM].name = "icmpv6-csum";
166  sigmatch_table[DETECT_ICMPV6_CSUM].Match = DetectICMPV6CsumMatch;
167  sigmatch_table[DETECT_ICMPV6_CSUM].Setup = DetectICMPV6CsumSetup;
168  sigmatch_table[DETECT_ICMPV6_CSUM].Free = DetectICMPV6CsumFree;
169 }
170 
171 /**
172  * \brief Validates and parses the argument supplied with the checksum keyword.
173  * Accepts strings both with and without quotes, i.e. valid, \"valid\",
174  * invalid and \"invalid\"
175  *
176  * \param key Pointer to a const character string holding the csum keyword value
177  * \param cd Pointer to the DetectCsumData structure that holds the keyword
178  * value sent as argument
179  *
180  * \retval 1 the keyvalue has been parsed successfully
181  * \retval 0 error
182  */
183 static int DetectCsumParseArg(const char *key, DetectCsumData *cd)
184 {
185  char *str;
186 
187  if (key[0] == '\"' && key[strlen(key) - 1] == '\"') {
188  str = SCStrdup(key + 1);
189  if (unlikely(str == NULL)) {
190  goto error;
191  }
192  str[strlen(key) - 2] = '\0';
193  } else {
194  str = SCStrdup(key);
195  if (unlikely(str == NULL)) {
196  goto error;
197  }
198  }
199 
200  if (strcasecmp(str, DETECT_CSUM_VALID) == 0 ||
201  strcasecmp(str, DETECT_CSUM_INVALID) == 0) {
202  cd->valid = (strcasecmp(key, DETECT_CSUM_VALID) == 0);
203  SCFree(str);
204  return 1;
205  }
206 
207 error:
208  if (str != NULL)
209  SCFree(str);
210  return 0;
211 }
212 
213 /**
214  * \brief Checks if the packet sent as the argument, has a valid or invalid
215  * ipv4 checksum, based on whether ipv4-csum option for this rule
216  * has been supplied with "valid" or "invalid" argument
217  *
218  * \param t Pointer to the tv for this detection module instance
219  * \param det_ctx Pointer to the detection engine thread context
220  * \param p Pointer to the Packet currently being matched
221  * \param s Pointer to the Signature, the packet is being currently
222  * matched with
223  * \param m Pointer to the keyword_structure(SigMatch) from the above
224  * Signature, the Packet is being currently matched with
225  *
226  * \retval 1 if the Packet contents match the keyword option; 0 otherwise
227  */
228 static int DetectIPV4CsumMatch(DetectEngineThreadCtx *det_ctx,
229  Packet *p, const Signature *s, const SigMatchCtx *ctx)
230 {
231  const DetectCsumData *cd = (const DetectCsumData *)ctx;
232 
233  if (p->ip4h == NULL || PKT_IS_PSEUDOPKT(p))
234  return 0;
235 
236  if (p->flags & PKT_IGNORE_CHECKSUM) {
237  return cd->valid;
238  }
239 
240  if (p->level3_comp_csum == -1)
241  p->level3_comp_csum = IPV4Checksum((uint16_t *)p->ip4h,
242  IPV4_GET_HLEN(p),
243  p->ip4h->ip_csum);
244 
245  if (p->level3_comp_csum == 0 && cd->valid == 1)
246  return 1;
247  else if (p->level3_comp_csum != 0 && cd->valid == 0)
248  return 1;
249  else
250  return 0;
251 }
252 
253 /**
254  * \brief Creates a SigMatch for the ipv4-csum keyword being sent as argument,
255  * and appends it to the Signature(s). Accepts 2 values for the
256  * keyword - "valid" and "invalid", both with and without quotes
257  *
258  * \param de_ctx Pointer to the detection engine context
259  * \param s Pointer to signature for the current Signature being parsed
260  * from the rules
261  * \param csum_str Pointer to the string holding the keyword value
262  *
263  * \retval 0 on success, -1 on failure
264  */
265 static int DetectIPV4CsumSetup(DetectEngineCtx *de_ctx, Signature *s, const char *csum_str)
266 {
267  DetectCsumData *cd = NULL;
268  SigMatch *sm = NULL;
269 
270  //printf("DetectCsumSetup: \'%s\'\n", csum_str);
271 
272  sm = SigMatchAlloc();
273  if (sm == NULL)
274  goto error;
275 
276  sm->type = DETECT_IPV4_CSUM;
277 
278  if ( (cd = SCMalloc(sizeof(DetectCsumData))) == NULL)
279  goto error;
280  memset(cd, 0, sizeof(DetectCsumData));
281 
282  if (DetectCsumParseArg(csum_str, cd) == 0)
283  goto error;
284 
285  sm->ctx = (SigMatchCtx *)cd;
286 
288 
289  return 0;
290 
291 error:
292  if (cd != NULL) DetectIPV4CsumFree(de_ctx, cd);
293  if (sm != NULL) SCFree(sm);
294 
295  return -1;
296 }
297 
298 static void DetectIPV4CsumFree(DetectEngineCtx *de_ctx, void *ptr)
299 {
300  DetectCsumData *cd = (DetectCsumData *)ptr;
301 
302  if (cd != NULL)
303  SCFree(cd);
304 
305  return;
306 }
307 
308 /**
309  * \brief Checks if the packet sent as the argument, has a valid or invalid
310  * tcpv4 checksum, based on whether tcpv4-csum option for this rule
311  * has been supplied with "valid" or "invalid" argument
312  *
313  * \param t Pointer to the tv for this detection module instance
314  * \param det_ctx Pointer to the detection engine thread context
315  * \param p Pointer to the Packet currently being matched
316  * \param s Pointer to the Signature, the packet is being currently
317  * matched with
318  * \param m Pointer to the keyword_structure(SigMatch) from the above
319  * Signature, the Packet is being currently matched with
320  *
321  * \retval 1 if the Packet contents match the keyword option; 0 otherwise
322  */
323 static int DetectTCPV4CsumMatch(DetectEngineThreadCtx *det_ctx,
324  Packet *p, const Signature *s, const SigMatchCtx *ctx)
325 {
326  const DetectCsumData *cd = (const DetectCsumData *)ctx;
327 
328  if (p->ip4h == NULL || p->tcph == NULL || p->proto != IPPROTO_TCP || PKT_IS_PSEUDOPKT(p))
329  return 0;
330 
331  if (p->flags & PKT_IGNORE_CHECKSUM) {
332  return cd->valid;
333  }
334 
335  if (p->level4_comp_csum == -1)
336  p->level4_comp_csum = TCPChecksum(p->ip4h->s_ip_addrs,
337  (uint16_t *)p->tcph,
338  (p->payload_len +
339  TCP_GET_HLEN(p)),
340  p->tcph->th_sum);
341 
342  if (p->level4_comp_csum == 0 && cd->valid == 1)
343  return 1;
344  else if (p->level4_comp_csum != 0 && cd->valid == 0)
345  return 1;
346  else
347  return 0;
348 }
349 
350 /**
351  * \brief Creates a SigMatch for the tcpv4-csum keyword being sent as argument,
352  * and appends it to the Signature(s). Accepts 2 values for the
353  * keyword - "valid" and "invalid", both with and without quotes
354  *
355  * \param de_ctx Pointer to the detection engine context
356  * \param s Pointer to signature for the current Signature being parsed
357  * from the rules
358  * \param csum_str Pointer to the string holding the keyword value
359  *
360  * \retval 0 on success, -1 on failure
361  */
362 static int DetectTCPV4CsumSetup(DetectEngineCtx *de_ctx, Signature *s, const char *csum_str)
363 {
364  DetectCsumData *cd = NULL;
365  SigMatch *sm = NULL;
366 
367  //printf("DetectCsumSetup: \'%s\'\n", csum_str);
368 
369  sm = SigMatchAlloc();
370  if (sm == NULL)
371  goto error;
372 
373  sm->type = DETECT_TCPV4_CSUM;
374 
375  if ( (cd = SCMalloc(sizeof(DetectCsumData))) == NULL)
376  goto error;
377  memset(cd, 0, sizeof(DetectCsumData));
378 
379  if (DetectCsumParseArg(csum_str, cd) == 0)
380  goto error;
381 
382  sm->ctx = (SigMatchCtx *)cd;
383 
385 
386  return 0;
387 
388 error:
389  if (cd != NULL) DetectTCPV4CsumFree(de_ctx, cd);
390  if (sm != NULL) SCFree(sm);
391 
392  return -1;
393 }
394 
395 static void DetectTCPV4CsumFree(DetectEngineCtx *de_ctx, void *ptr)
396 {
397  DetectCsumData *cd = (DetectCsumData *)ptr;
398 
399  if (cd != NULL)
400  SCFree(cd);
401 
402  return;
403 }
404 
405 /**
406  * \brief Checks if the packet sent as the argument, has a valid or invalid
407  * tcpv6 checksum, based on whether tcpv6-csum option for this rule
408  * has been supplied with "valid" or "invalid" argument
409  *
410  * \param t Pointer to the tv for this detection module instance
411  * \param det_ctx Pointer to the detection engine thread context
412  * \param p Pointer to the Packet currently being matched
413  * \param s Pointer to the Signature, the packet is being currently
414  * matched with
415  * \param m Pointer to the keyword_structure(SigMatch) from the above
416  * Signature, the Packet is being currently matched with
417  *
418  * \retval 1 if the Packet contents match the keyword option; 0 otherwise
419  */
420 static int DetectTCPV6CsumMatch(DetectEngineThreadCtx *det_ctx,
421  Packet *p, const Signature *s, const SigMatchCtx *ctx)
422 {
423  const DetectCsumData *cd = (const DetectCsumData *)ctx;
424 
425  if (p->ip6h == NULL || p->tcph == NULL || p->proto != IPPROTO_TCP || PKT_IS_PSEUDOPKT(p))
426  return 0;
427 
428  if (p->flags & PKT_IGNORE_CHECKSUM) {
429  return cd->valid;
430  }
431 
432  if (p->level4_comp_csum == -1)
433  p->level4_comp_csum = TCPV6Checksum(p->ip6h->s_ip6_addrs,
434  (uint16_t *)p->tcph,
435  (p->payload_len +
436  TCP_GET_HLEN(p)),
437  p->tcph->th_sum);
438 
439  if (p->level4_comp_csum == 0 && cd->valid == 1)
440  return 1;
441  else if (p->level4_comp_csum != 0 && cd->valid == 0)
442  return 1;
443  else
444  return 0;
445 }
446 
447 /**
448  * \brief Creates a SigMatch for the tcpv6-csum keyword being sent as argument,
449  * and appends it to the Signature(s). Accepts 2 values for the
450  * keyword - "valid" and "invalid", both with and without quotes
451  *
452  * \param de_ctx Pointer to the detection engine context
453  * \param s Pointer to signature for the current Signature being parsed
454  * from the rules
455  * \param csum_str Pointer to the string holding the keyword value
456  *
457  * \retval 0 on success, -1 on failure
458  */
459 static int DetectTCPV6CsumSetup(DetectEngineCtx *de_ctx, Signature *s, const char *csum_str)
460 {
461  DetectCsumData *cd = NULL;
462  SigMatch *sm = NULL;
463 
464  //printf("DetectCsumSetup: \'%s\'\n", csum_str);
465 
466  sm = SigMatchAlloc();
467  if (sm == NULL)
468  goto error;
469 
470  sm->type = DETECT_TCPV6_CSUM;
471 
472  if ( (cd = SCMalloc(sizeof(DetectCsumData))) == NULL)
473  goto error;
474  memset(cd, 0, sizeof(DetectCsumData));
475 
476  if (DetectCsumParseArg(csum_str, cd) == 0)
477  goto error;
478 
479  sm->ctx = (SigMatchCtx *)cd;
480 
482 
483  return 0;
484 
485 error:
486  if (cd != NULL) DetectTCPV6CsumFree(de_ctx, cd);
487  if (sm != NULL) SCFree(sm);
488 
489  return -1;
490 }
491 
492 static void DetectTCPV6CsumFree(DetectEngineCtx *de_ctx, void *ptr)
493 {
494  DetectCsumData *cd = (DetectCsumData *)ptr;
495 
496  if (cd != NULL)
497  SCFree(cd);
498 
499  return;
500 }
501 
502 /**
503  * \brief Checks if the packet sent as the argument, has a valid or invalid
504  * udpv4 checksum, based on whether udpv4-csum option for this rule
505  * has been supplied with "valid" or "invalid" argument
506  *
507  * \param t Pointer to the tv for this detection module instance
508  * \param det_ctx Pointer to the detection engine thread context
509  * \param p Pointer to the Packet currently being matched
510  * \param s Pointer to the Signature, the packet is being currently
511  * matched with
512  * \param m Pointer to the keyword_structure(SigMatch) from the above
513  * Signature, the Packet is being currently matched with
514  *
515  * \retval 1 if the Packet contents match the keyword option; 0 otherwise
516  */
517 static int DetectUDPV4CsumMatch(DetectEngineThreadCtx *det_ctx,
518  Packet *p, const Signature *s, const SigMatchCtx *ctx)
519 {
520  const DetectCsumData *cd = (const DetectCsumData *)ctx;
521 
522  if (p->ip4h == NULL || p->udph == NULL || p->proto != IPPROTO_UDP || PKT_IS_PSEUDOPKT(p) || p->udph->uh_sum == 0)
523  return 0;
524 
525  if (p->flags & PKT_IGNORE_CHECKSUM) {
526  return cd->valid;
527  }
528 
529  if (p->level4_comp_csum == -1)
530  p->level4_comp_csum = UDPV4Checksum(p->ip4h->s_ip_addrs,
531  (uint16_t *)p->udph,
532  (p->payload_len +
534  p->udph->uh_sum);
535 
536  if (p->level4_comp_csum == 0 && cd->valid == 1)
537  return 1;
538  else if (p->level4_comp_csum != 0 && cd->valid == 0)
539  return 1;
540  else
541  return 0;
542 }
543 
544 /**
545  * \brief Creates a SigMatch for the udpv4-csum keyword being sent as argument,
546  * and appends it to the Signature(s). Accepts 2 values for the
547  * keyword - "valid" and "invalid", both with and without quotes
548  *
549  * \param de_ctx Pointer to the detection engine context
550  * \param s Pointer to signature for the current Signature being parsed
551  * from the rules
552  * \param csum_str Pointer to the string holding the keyword value
553  *
554  * \retval 0 on success, -1 on failure
555  */
556 static int DetectUDPV4CsumSetup(DetectEngineCtx *de_ctx, Signature *s, const char *csum_str)
557 {
558  DetectCsumData *cd = NULL;
559  SigMatch *sm = NULL;
560 
561  //printf("DetectCsumSetup: \'%s\'\n", csum_str);
562 
563  sm = SigMatchAlloc();
564  if (sm == NULL)
565  goto error;
566 
567  sm->type = DETECT_UDPV4_CSUM;
568 
569  if ( (cd = SCMalloc(sizeof(DetectCsumData))) == NULL)
570  goto error;
571  memset(cd, 0, sizeof(DetectCsumData));
572 
573  if (DetectCsumParseArg(csum_str, cd) == 0)
574  goto error;
575 
576  sm->ctx = (SigMatchCtx *)cd;
577 
579 
580  return 0;
581 
582 error:
583  if (cd != NULL) DetectUDPV4CsumFree(de_ctx, cd);
584  if (sm != NULL) SCFree(sm);
585 
586  return -1;
587 }
588 
589 static void DetectUDPV4CsumFree(DetectEngineCtx *de_ctx, void *ptr)
590 {
591  DetectCsumData *cd = (DetectCsumData *)ptr;
592 
593  if (cd != NULL)
594  SCFree(cd);
595 
596  return;
597 }
598 
599 /**
600  * \brief Checks if the packet sent as the argument, has a valid or invalid
601  * udpv6 checksum, based on whether udpv6-csum option for this rule
602  * has been supplied with "valid" or "invalid" argument
603  *
604  * \param t Pointer to the tv for this detection module instance
605  * \param det_ctx Pointer to the detection engine thread context
606  * \param p Pointer to the Packet currently being matched
607  * \param s Pointer to the Signature, the packet is being currently
608  * matched with
609  * \param m Pointer to the keyword_structure(SigMatch) from the above
610  * Signature, the Packet is being currently matched with
611  *
612  * \retval 1 if the Packet contents match the keyword option; 0 otherwise
613  */
614 static int DetectUDPV6CsumMatch(DetectEngineThreadCtx *det_ctx,
615  Packet *p, const Signature *s, const SigMatchCtx *ctx)
616 {
617  const DetectCsumData *cd = (const DetectCsumData *)ctx;
618 
619  if (p->ip6h == NULL || p->udph == NULL || p->proto != IPPROTO_UDP || PKT_IS_PSEUDOPKT(p))
620  return 0;
621 
622  if (p->flags & PKT_IGNORE_CHECKSUM) {
623  return cd->valid;
624  }
625 
626  if (p->level4_comp_csum == -1)
627  p->level4_comp_csum = UDPV6Checksum(p->ip6h->s_ip6_addrs,
628  (uint16_t *)p->udph,
629  (p->payload_len +
631  p->udph->uh_sum);
632 
633  if (p->level4_comp_csum == 0 && cd->valid == 1)
634  return 1;
635  else if (p->level4_comp_csum != 0 && cd->valid == 0)
636  return 1;
637  else
638  return 0;
639 }
640 
641 /**
642  * \brief Creates a SigMatch for the udpv6-csum keyword being sent as argument,
643  * and appends it to the Signature(s). Accepts 2 values for the
644  * keyword - "valid" and "invalid", both with and without quotes
645  *
646  * \param de_ctx Pointer to the detection engine context
647  * \param s Pointer to signature for the current Signature being parsed
648  * from the rules
649  * \param csum_str Pointer to the string holding the keyword value
650  *
651  * \retval 0 on success, -1 on failure
652  */
653 static int DetectUDPV6CsumSetup(DetectEngineCtx *de_ctx, Signature *s, const char *csum_str)
654 {
655  DetectCsumData *cd = NULL;
656  SigMatch *sm = NULL;
657 
658  //printf("DetectCsumSetup: \'%s\'\n", csum_str);
659 
660  sm = SigMatchAlloc();
661  if (sm == NULL)
662  goto error;
663 
664  sm->type = DETECT_UDPV6_CSUM;
665 
666  if ( (cd = SCMalloc(sizeof(DetectCsumData))) == NULL)
667  goto error;
668  memset(cd, 0, sizeof(DetectCsumData));
669 
670  if (DetectCsumParseArg(csum_str, cd) == 0)
671  goto error;
672 
673  sm->ctx = (void *)cd;
674 
676 
677  return 0;
678 
679 error:
680  if (cd != NULL) DetectUDPV6CsumFree(de_ctx, cd);
681  if (sm != NULL) SCFree(sm);
682 
683  return -1;
684 }
685 
686 static void DetectUDPV6CsumFree(DetectEngineCtx *de_ctx, void *ptr)
687 {
688  DetectCsumData *cd = (DetectCsumData *)ptr;
689 
690  if (cd != NULL)
691  SCFree(cd);
692 
693  return;
694 }
695 
696 /**
697  * \brief Checks if the packet sent as the argument, has a valid or invalid
698  * icmpv4 checksum, based on whether icmpv4-csum option for this rule
699  * has been supplied with "valid" or "invalid" argument
700  *
701  * \param t Pointer to the tv for this detection module instance
702  * \param det_ctx Pointer to the detection engine thread context
703  * \param p Pointer to the Packet currently being matched
704  * \param s Pointer to the Signature, the packet is being currently
705  * matched with
706  * \param m Pointer to the keyword_structure(SigMatch) from the above
707  * Signature, the Packet is being currently matched with
708  *
709  * \retval 1 if the Packet contents match the keyword option; 0 otherwise
710  */
711 static int DetectICMPV4CsumMatch(DetectEngineThreadCtx *det_ctx,
712  Packet *p, const Signature *s, const SigMatchCtx *ctx)
713 {
714  const DetectCsumData *cd = (const DetectCsumData *)ctx;
715 
716  if (p->ip4h == NULL || p->icmpv4h == NULL || p->proto != IPPROTO_ICMP || PKT_IS_PSEUDOPKT(p))
717  return 0;
718 
719  if (p->flags & PKT_IGNORE_CHECKSUM) {
720  return cd->valid;
721  }
722 
723  if (p->level4_comp_csum == -1)
724  p->level4_comp_csum = ICMPV4CalculateChecksum((uint16_t *)p->icmpv4h,
726  IPV4_GET_RAW_HLEN(p->ip4h) * 4);
727 
728  if (p->level4_comp_csum == p->icmpv4h->checksum && cd->valid == 1)
729  return 1;
730  else if (p->level4_comp_csum != p->icmpv4h->checksum && cd->valid == 0)
731  return 1;
732  else
733  return 0;
734 }
735 
736 /**
737  * \brief Creates a SigMatch for the icmpv4-csum keyword being sent as argument,
738  * and appends it to the Signature(s). Accepts 2 values for the
739  * keyword - "valid" and "invalid", both with and without quotes
740  *
741  * \param de_ctx Pointer to the detection engine context
742  * \param s Pointer to signature for the current Signature being parsed
743  * from the rules
744  * \param csum_str Pointer to the string holding the keyword value
745  *
746  * \retval 0 on success, -1 on failure
747  */
748 static int DetectICMPV4CsumSetup(DetectEngineCtx *de_ctx, Signature *s, const char *csum_str)
749 {
750  DetectCsumData *cd = NULL;
751  SigMatch *sm = NULL;
752 
753  //printf("DetectCsumSetup: \'%s\'\n", csum_str);
754 
755  sm = SigMatchAlloc();
756  if (sm == NULL)
757  goto error;
758 
759  sm->type = DETECT_ICMPV4_CSUM;
760 
761  if ( (cd = SCMalloc(sizeof(DetectCsumData))) == NULL)
762  goto error;
763  memset(cd, 0, sizeof(DetectCsumData));
764 
765  if (DetectCsumParseArg(csum_str, cd) == 0)
766  goto error;
767 
768  sm->ctx = (SigMatchCtx *)cd;
769 
771 
772  return 0;
773 
774 error:
775  if (cd != NULL) DetectICMPV4CsumFree(de_ctx, cd);
776  if (sm != NULL) SCFree(sm);
777 
778  return -1;
779 }
780 
781 static void DetectICMPV4CsumFree(DetectEngineCtx *de_ctx, void *ptr)
782 {
783  DetectCsumData *cd = (DetectCsumData *)ptr;
784 
785  if (cd != NULL)
786  SCFree(cd);
787 
788  return;
789 }
790 
791 /**
792  * \brief Checks if the packet sent as the argument, has a valid or invalid
793  * icmpv6 checksum, based on whether icmpv6-csum option for this rule
794  * has been supplied with "valid" or "invalid" argument
795  *
796  * \param t Pointer to the tv for this detection module instance
797  * \param det_ctx Pointer to the detection engine thread context
798  * \param p Pointer to the Packet currently being matched
799  * \param s Pointer to the Signature, the packet is being currently
800  * matched with
801  * \param m Pointer to the keyword_structure(SigMatch) from the above
802  * Signature, the Packet is being currently matched with
803  *
804  * \retval 1 if the Packet contents match the keyword option; 0 otherwise
805  */
806 static int DetectICMPV6CsumMatch(DetectEngineThreadCtx *det_ctx,
807  Packet *p, const Signature *s, const SigMatchCtx *ctx)
808 {
809  const DetectCsumData *cd = (const DetectCsumData *)ctx;
810 
811  if (p->ip6h == NULL || p->icmpv6h == NULL || p->proto != IPPROTO_ICMPV6 || PKT_IS_PSEUDOPKT(p) ||
812  (GET_PKT_LEN(p) - ((uint8_t *)p->icmpv6h - GET_PKT_DATA(p))) <= 0) {
813  return 0;
814  }
815 
816  if (p->flags & PKT_IGNORE_CHECKSUM) {
817  return cd->valid;
818  }
819 
820  if (p->level4_comp_csum == -1) {
821  uint16_t len = IPV6_GET_RAW_PLEN(p->ip6h) -
822  ((uint8_t *)p->icmpv6h - (uint8_t *)p->ip6h - IPV6_HEADER_LEN);
823  p->level4_comp_csum = ICMPV6CalculateChecksum(p->ip6h->s_ip6_addrs,
824  (uint16_t *)p->icmpv6h,
825  len);
826  }
827 
828  if (p->level4_comp_csum == p->icmpv6h->csum && cd->valid == 1)
829  return 1;
830  else if (p->level4_comp_csum != p->icmpv6h->csum && cd->valid == 0)
831  return 1;
832  else
833  return 0;
834 }
835 
836 /**
837  * \brief Creates a SigMatch for the icmpv6-csum keyword being sent as argument,
838  * and appends it to the Signature(s). Accepts 2 values for the
839  * keyword - "valid" and "invalid", both with and without quotes
840  *
841  * \param de_ctx Pointer to the detection engine context
842  * \param s Pointer to signature for the current Signature being parsed
843  * from the rules
844  * \param csum_str Pointer to the string holding the keyword value
845  *
846  * \retval 0 on success, -1 on failure
847  */
848 static int DetectICMPV6CsumSetup(DetectEngineCtx *de_ctx, Signature *s, const char *csum_str)
849 {
850  DetectCsumData *cd = NULL;
851  SigMatch *sm = NULL;
852 
853  sm = SigMatchAlloc();
854  if (sm == NULL)
855  goto error;
856 
857  sm->type = DETECT_ICMPV6_CSUM;
858 
859  if ( (cd = SCMalloc(sizeof(DetectCsumData))) == NULL)
860  goto error;
861  memset(cd, 0, sizeof(DetectCsumData));
862 
863  if (DetectCsumParseArg(csum_str, cd) == 0)
864  goto error;
865 
866  sm->ctx = (SigMatchCtx *)cd;
867 
869 
870  return 0;
871 
872 error:
873  if (cd != NULL) DetectICMPV6CsumFree(de_ctx, cd);
874  if (sm != NULL) SCFree(sm);
875 
876  return -1;
877 }
878 
879 static void DetectICMPV6CsumFree(DetectEngineCtx *de_ctx, void *ptr)
880 {
881  DetectCsumData *cd = (DetectCsumData *)ptr;
882 
883  if (cd != NULL)
884  SCFree(cd);
885 
886  return;
887 }
888 
889 /* ---------------------------------- Unit Tests --------------------------- */
890 
891 #ifdef UNITTESTS
892 #include "detect-engine.h"
893 
894 #define mystr(s) #s
895 #define TEST1(kwstr) {\
896  DetectEngineCtx *de_ctx = DetectEngineCtxInit();\
897  FAIL_IF_NULL(de_ctx);\
898  de_ctx->flags = DE_QUIET;\
899  \
900  Signature *s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:valid; sid:1;)");\
901  FAIL_IF_NULL(s);\
902  s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:invalid; sid:2;)");\
903  FAIL_IF_NULL(s);\
904  s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:vaLid; sid:3;)");\
905  FAIL_IF_NULL(s);\
906  s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:VALID; sid:4;)");\
907  FAIL_IF_NULL(s);\
908  s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:iNvaLid; sid:5;)");\
909  FAIL_IF_NULL(s);\
910  DetectEngineCtxFree(de_ctx);\
911 }
912 
913 
914 static int DetectCsumValidArgsTestParse01(void)
915 {
916  TEST1(ipv4);
917  TEST1(tcpv4);
918  TEST1(tcpv6);
919  TEST1(udpv4);
920  TEST1(udpv6);
921  TEST1(icmpv4);
922  TEST1(icmpv6);
923  PASS;
924 }
925 #undef TEST1
926 
927 #define TEST2(kwstr) { \
928  DetectEngineCtx *de_ctx = DetectEngineCtxInit();\
929  FAIL_IF_NULL(de_ctx);\
930  Signature *s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:vaid; sid:1;)");\
931  FAIL_IF(s);\
932  s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:invaalid; sid:2;)");\
933  FAIL_IF(s);\
934  s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:vaLiid; sid:3;)");\
935  FAIL_IF(s);\
936  s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:VALieD; sid:4;)");\
937  FAIL_IF(s);\
938  s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:iNvamid; sid:5;)");\
939  FAIL_IF(s);\
940  DetectEngineCtxFree(de_ctx);\
941 }
942 
943 static int DetectCsumInvalidArgsTestParse02(void)
944 {
945  TEST2(ipv4);
946  TEST2(tcpv4);
947  TEST2(tcpv6);
948  TEST2(udpv4);
949  TEST2(udpv6);
950  TEST2(icmpv4);
951  TEST2(icmpv6);
952  PASS;
953 }
954 #undef TEST2
955 
956 #define TEST3(kwstr, kwtype) { \
957  DetectEngineCtx *de_ctx = DetectEngineCtxInit();\
958  FAIL_IF_NULL(de_ctx);\
959  Signature *s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:valid; sid:1;)");\
960  FAIL_IF_NULL(s);\
961  SigMatch *sm = DetectGetLastSMFromLists(s, (kwtype), -1);\
962  FAIL_IF_NULL(sm);\
963  FAIL_IF_NULL(sm->ctx);\
964  FAIL_IF_NOT(((DetectCsumData *)sm->ctx)->valid == 1);\
965  s = DetectEngineAppendSig(de_ctx, "alert ip any any -> any any ("mystr(kwstr)"-csum:INVALID; sid:2;)");\
966  FAIL_IF_NULL(s);\
967  sm = DetectGetLastSMFromLists(s, (kwtype), -1);\
968  FAIL_IF_NULL(sm);\
969  FAIL_IF_NULL(sm->ctx);\
970  FAIL_IF_NOT(((DetectCsumData *)sm->ctx)->valid == 0);\
971  DetectEngineCtxFree(de_ctx);\
972 }
973 
974 static int DetectCsumValidArgsTestParse03(void)
975 {
976  TEST3(ipv4, DETECT_IPV4_CSUM);
977  TEST3(tcpv4, DETECT_TCPV4_CSUM);
978  TEST3(tcpv6, DETECT_TCPV6_CSUM);
979  TEST3(udpv4, DETECT_UDPV4_CSUM);
980  TEST3(udpv6, DETECT_UDPV6_CSUM);
981  TEST3(icmpv4, DETECT_ICMPV4_CSUM);
982  TEST3(icmpv6, DETECT_ICMPV6_CSUM);
983  PASS;
984 }
985 #undef TEST3
986 #undef mystr
987 
988 #include "detect-engine.h"
989 #include "stream-tcp.h"
990 
991 static int DetectCsumICMPV6Test01(void)
992 {
993  DetectEngineCtx *de_ctx = NULL;
994  Signature *s = NULL;
995  ThreadVars tv;
996  DetectEngineThreadCtx *det_ctx = NULL;
998 
999  Packet *p = PacketGetFromAlloc();
1000  FAIL_IF_NULL(p);
1001 
1002  uint8_t pkt[] = {
1003  0x00, 0x30, 0x18, 0xa8, 0x7c, 0x23, 0x2c, 0x41,
1004  0x38, 0xa7, 0xea, 0xeb, 0x86, 0xdd, 0x60, 0x00,
1005  0x00, 0x00, 0x00, 0x40, 0x3c, 0x40, 0xad, 0xa1,
1006  0x09, 0x80, 0x00, 0x01, 0xd6, 0xf3, 0x20, 0x01,
1007  0xf4, 0xbe, 0xea, 0x3c, 0x00, 0x01, 0x00, 0x00,
1008  0x00, 0x00, 0x32, 0xb2, 0x00, 0x01, 0x32, 0xb2,
1009  0x09, 0x80, 0x20, 0x01, 0x00, 0x00, 0x3c, 0x00,
1010  0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x3c, 0x00,
1011  0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x2c, 0x00,
1012  0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x2c, 0x00,
1013  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3c, 0x00,
1014  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2c, 0x00,
1015  0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x3a, 0x00,
1016  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00,
1017  0x63, 0xc2, 0x00, 0x00, 0x00, 0x00 };
1018 
1019  PacketCopyData(p, pkt, sizeof(pkt));
1020 
1021  memset(&tv, 0, sizeof(tv));
1022  memset(&dtv, 0, sizeof(dtv));
1023 
1026 
1030  de_ctx->flags |= DE_QUIET;
1031 
1032  s = de_ctx->sig_list = SigInit(de_ctx, "alert ip any any -> any any "
1033  "(icmpv6-csum:valid; sid:1;)");
1034  FAIL_IF_NULL(s);
1036 
1037  DecodeEthernet(&tv, &dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p));
1038 
1039  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
1040 
1041  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1042 
1043  FAIL_IF(!PacketAlertCheck(p, 1));
1044 
1045  DetectEngineThreadCtxDeinit(&tv, det_ctx);
1047 
1049  PACKET_RECYCLE(p);
1050  FlowShutdown();
1051  SCFree(p);
1052  PASS;
1053 }
1054 
1055 static void DetectCsumRegisterTests(void)
1056 {
1057  UtRegisterTest("DetectCsumValidArgsTestParse01",
1058  DetectCsumValidArgsTestParse01);
1059  UtRegisterTest("DetectCsumInvalidArgsTestParse02",
1060  DetectCsumInvalidArgsTestParse02);
1061  UtRegisterTest("DetectCsumValidArgsTestParse03",
1062  DetectCsumValidArgsTestParse03);
1063 
1064  UtRegisterTest("DetectCsumICMPV6Test01",
1065  DetectCsumICMPV6Test01);
1066 }
1067 #endif /* UNITTESTS */
host.h
Packet_::proto
uint8_t proto
Definition: decode.h:436
len
uint8_t len
Definition: app-layer-dnp3.h:2
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
IPV6_GET_RAW_PLEN
#define IPV6_GET_RAW_PLEN(ip6h)
Definition: decode-ipv6.h:66
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1201
PacketCopyData
int PacketCopyData(Packet *p, const uint8_t *pktdata, uint32_t pktlen)
Copy data to Packet payload and set packet length.
Definition: decode.c:262
SigTableElmt_::name
const char * name
Definition: detect.h:1211
PKT_IS_PSEUDOPKT
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1147
stream-tcp.h
DETECT_ICMPV4_CSUM
@ DETECT_ICMPV4_CSUM
Definition: detect-engine-register.h:94
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
ICMPV6Hdr_::csum
uint16_t csum
Definition: decode-icmpv6.h:148
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
Packet_::flags
uint32_t flags
Definition: decode.h:449
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2056
DETECT_UDPV6_CSUM
@ DETECT_UDPV6_CSUM
Definition: detect-engine-register.h:93
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:767
FlowInitConfig
void FlowInitConfig(char quiet)
initialize the configuration
Definition: flow.c:516
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2093
DE_QUIET
#define DE_QUIET
Definition: detect.h:294
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1196
DetectEngineCtx_::mpm_matcher
uint16_t mpm_matcher
Definition: detect.h:816
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:550
util-unittest.h
DETECT_TCPV4_CSUM
@ DETECT_TCPV4_CSUM
Definition: detect-engine-register.h:90
Packet_::level3_comp_csum
int32_t level3_comp_csum
Definition: decode.h:505
decode.h
Packet_::level4_comp_csum
int32_t level4_comp_csum
Definition: decode.h:507
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1010
GET_PKT_DATA
#define GET_PKT_DATA(p)
Definition: decode.h:231
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
pkt-var.h
IPV4_GET_RAW_HLEN
#define IPV4_GET_RAW_HLEN(ip4h)
Definition: decode-ipv4.h:95
DETECT_CSUM_VALID
#define DETECT_CSUM_VALID
Definition: detect-csum.h:27
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:89
TRUE
#define TRUE
Definition: suricata-common.h:33
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:323
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1688
util-profiling.h
Packet_::icmpv6h
ICMPV6Hdr * icmpv6h
Definition: decode.h:539
Packet_
Definition: decode.h:414
StreamTcpFreeConfig
void StreamTcpFreeConfig(char quiet)
Definition: stream-tcp.c:668
GET_PKT_LEN
#define GET_PKT_LEN(p)
Definition: decode.h:230
Packet_::ip4h
IPV4Hdr * ip4h
Definition: decode.h:509
PKT_IGNORE_CHECKSUM
#define PKT_IGNORE_CHECKSUM
Definition: decode.h:1118
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1179
DETECT_IPV4_CSUM
@ DETECT_IPV4_CSUM
Definition: detect-engine-register.h:89
DetectCsumData_::valid
int16_t valid
Definition: detect-csum.h:33
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1888
SigMatch_::type
uint8_t type
Definition: detect.h:321
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:30
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:315
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2797
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
SCNtohs
#define SCNtohs(x)
Definition: suricata-common.h:398
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3005
Packet_::tcph
TCPHdr * tcph
Definition: decode.h:531
FlowShutdown
void FlowShutdown(void)
shutdown the flow engine
Definition: flow.c:644
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectCsumRegister
void DetectCsumRegister(void)
Registers handlers for all the checksum keywords. The checksum keywords that are registered are ipv4-...
Definition: detect-csum.c:130
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:773
Packet_::icmpv4h
ICMPV4Hdr * icmpv4h
Definition: decode.h:537
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:144
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
IPV4_GET_HLEN
#define IPV4_GET_HLEN(p)
Definition: decode-ipv4.h:123
DetectCsumData_
Definition: detect-csum.h:30
str
#define str(s)
Definition: suricata-common.h:273
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:631
mpm_default_matcher
int mpm_default_matcher
Definition: util-mpm.c:49
DETECT_ICMPV6_CSUM
@ DETECT_ICMPV6_CSUM
Definition: detect-engine-register.h:95
TEST1
#define TEST1(kwstr)
Definition: detect-csum.c:895
detect-parse.h
Signature_
Signature container.
Definition: detect.h:528
SigMatch_
a single match condition for a signature
Definition: detect.h:320
StreamTcpInitConfig
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
Definition: stream-tcp.c:365
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2048
IPV4Hdr_::ip_csum
uint16_t ip_csum
Definition: decode-ipv4.h:79
TCP_GET_HLEN
#define TCP_GET_HLEN(p)
Definition: decode-tcp.h:109
TEST3
#define TEST3(kwstr, kwtype)
Definition: detect-csum.c:956
Packet_::udph
UDPHdr * udph
Definition: decode.h:533
UDP_HEADER_LEN
#define UDP_HEADER_LEN
Definition: decode-udp.h:27
FLOW_QUIET
#define FLOW_QUIET
Definition: flow.h:39
DETECT_CSUM_INVALID
#define DETECT_CSUM_INVALID
Definition: detect-csum.h:28
TEST2
#define TEST2(kwstr)
Definition: detect-csum.c:927
IPV6_HEADER_LEN
#define IPV6_HEADER_LEN
Definition: decode-ipv6.h:27
IPV4_GET_RAW_IPLEN
#define IPV4_GET_RAW_IPLEN(ip4h)
Definition: decode-ipv4.h:97
detect-csum.h
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:768
Packet_::ip6h
IPV6Hdr * ip6h
Definition: decode.h:511
DETECT_TCPV6_CSUM
@ DETECT_TCPV6_CSUM
Definition: detect-engine-register.h:91
DecodeEthernet
int DecodeEthernet(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Definition: decode-ethernet.c:41
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
debug.h
PACKET_RECYCLE
#define PACKET_RECYCLE(p)
Definition: decode.h:827
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1203
DETECT_UDPV4_CSUM
@ DETECT_UDPV4_CSUM
Definition: detect-engine-register.h:92