suricata
detect-detection-filter.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Gerardo Iglesias <iglesiasg@gmail.com>
22  *
23  * Implements the detection_filter keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "suricata.h"
28 #include "debug.h"
29 #include "decode.h"
30 #include "detect.h"
31 
32 #include "host.h"
33 
35 #include "detect-threshold.h"
36 #include "detect-parse.h"
37 
38 #include "util-byte.h"
39 #include "util-unittest.h"
40 #include "util-unittest-helper.h"
41 #include "util-debug.h"
42 
43 #define TRACK_DST 1
44 #define TRACK_SRC 2
45 
46 /**
47  *\brief Regex for parsing our detection_filter options
48  */
49 #define PARSE_REGEX "^\\s*(track|count|seconds)\\s+(by_src|by_dst|\\d+)\\s*,\\s*(track|count|seconds)\\s+(by_src|by_dst|\\d+)\\s*,\\s*(track|count|seconds)\\s+(by_src|by_dst|\\d+)\\s*$"
50 
51 static DetectParseRegex parse_regex;
52 
53 static int DetectDetectionFilterMatch(DetectEngineThreadCtx *,
54  Packet *, const Signature *, const SigMatchCtx *);
55 static int DetectDetectionFilterSetup(DetectEngineCtx *, Signature *, const char *);
56 #ifdef UNITTESTS
57 static void DetectDetectionFilterRegisterTests(void);
58 #endif
59 static void DetectDetectionFilterFree(DetectEngineCtx *, void *);
60 
61 /**
62  * \brief Registration function for detection_filter: keyword
63  */
65 {
66  sigmatch_table[DETECT_DETECTION_FILTER].name = "detection_filter";
67  sigmatch_table[DETECT_DETECTION_FILTER].desc = "alert on every match after a threshold has been reached";
68  sigmatch_table[DETECT_DETECTION_FILTER].url = "/rules/thresholding.html#detection-filter";
69  sigmatch_table[DETECT_DETECTION_FILTER].Match = DetectDetectionFilterMatch;
70  sigmatch_table[DETECT_DETECTION_FILTER].Setup = DetectDetectionFilterSetup;
71  sigmatch_table[DETECT_DETECTION_FILTER].Free = DetectDetectionFilterFree;
72 #ifdef UNITTESTS
73  sigmatch_table[DETECT_DETECTION_FILTER].RegisterTests = DetectDetectionFilterRegisterTests;
74 #endif
75  /* this is compatible to ip-only signatures */
77 
78  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
79 }
80 
81 static int DetectDetectionFilterMatch (DetectEngineThreadCtx *det_ctx,
82  Packet *p, const Signature *s, const SigMatchCtx *ctx)
83 {
84  return 1;
85 }
86 
87 /**
88  * \internal
89  * \brief This function is used to parse detection_filter options passed via detection_filter: keyword
90  *
91  * \param rawstr Pointer to the user provided detection_filter options
92  *
93  * \retval df pointer to DetectThresholdData on success
94  * \retval NULL on failure
95  */
96 static DetectThresholdData *DetectDetectionFilterParse (const char *rawstr)
97 {
98  DetectThresholdData *df = NULL;
99  int ret = 0, res = 0;
100  size_t pcre2_len;
101  const char *str_ptr = NULL;
102  char *args[6] = { NULL, NULL, NULL, NULL, NULL, NULL};
103  char *copy_str = NULL, *df_opt = NULL;
104  int seconds_found = 0, count_found = 0, track_found = 0;
105  int seconds_pos = 0, count_pos = 0;
106  uint16_t pos = 0;
107  int i = 0;
108  char *saveptr = NULL;
109 
110  copy_str = SCStrdup(rawstr);
111  if (unlikely(copy_str == NULL)) {
112  goto error;
113  }
114 
115  for (pos = 0, df_opt = strtok_r(copy_str,",", &saveptr);
116  pos < strlen(copy_str) && df_opt != NULL;
117  pos++, df_opt = strtok_r(NULL,",", &saveptr))
118  {
119  if(strstr(df_opt,"count"))
120  count_found++;
121  if(strstr(df_opt,"second"))
122  seconds_found++;
123  if(strstr(df_opt,"track"))
124  track_found++;
125  }
126  SCFree(copy_str);
127  copy_str = NULL;
128 
129  if (count_found != 1 || seconds_found != 1 || track_found != 1)
130  goto error;
131 
132  ret = DetectParsePcreExec(&parse_regex, rawstr, 0, 0);
133  if (ret < 5) {
134  SCLogError(SC_ERR_PCRE_MATCH, "pcre_exec parse error, ret %" PRId32 ", string %s", ret, rawstr);
135  goto error;
136  }
137 
138  df = SCMalloc(sizeof(DetectThresholdData));
139  if (unlikely(df == NULL))
140  goto error;
141 
142  memset(df,0,sizeof(DetectThresholdData));
143 
144  df->type = TYPE_DETECTION;
145 
146  for (i = 0; i < (ret - 1); i++) {
147  res = pcre2_substring_get_bynumber(
148  parse_regex.match, i + 1, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
149  if (res < 0) {
150  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre2_substring_get_bynumber failed");
151  goto error;
152  }
153 
154  args[i] = (char *)str_ptr;
155 
156  if (strncasecmp(args[i],"by_dst",strlen("by_dst")) == 0)
157  df->track = TRACK_DST;
158  if (strncasecmp(args[i],"by_src",strlen("by_src")) == 0)
159  df->track = TRACK_SRC;
160  if (strncasecmp(args[i],"count",strlen("count")) == 0)
161  count_pos = i+1;
162  if (strncasecmp(args[i],"seconds",strlen("seconds")) == 0)
163  seconds_pos = i+1;
164  }
165 
166  if (args[count_pos] == NULL || args[seconds_pos] == NULL) {
167  goto error;
168  }
169 
170  if (StringParseUint32(&df->count, 10, strlen(args[count_pos]),
171  args[count_pos]) <= 0) {
172  goto error;
173  }
174 
175  if (StringParseUint32(&df->seconds, 10, strlen(args[seconds_pos]),
176  args[seconds_pos]) <= 0) {
177  goto error;
178  }
179 
180  if (df->count == 0 || df->seconds == 0) {
181  SCLogError(SC_ERR_INVALID_VALUE, "found an invalid value");
182  goto error;
183  }
184 
185  for (i = 0; i < 6; i++){
186  if (args[i] != NULL)
187  pcre2_substring_free((PCRE2_UCHAR *)args[i]);
188  }
189  return df;
190 
191 error:
192  for (i = 0; i < 6; i++){
193  if (args[i] != NULL)
194  pcre2_substring_free((PCRE2_UCHAR *)args[i]);
195  }
196  if (df != NULL)
197  SCFree(df);
198  return NULL;
199 }
200 
201 /**
202  * \internal
203  * \brief this function is used to add the parsed detection_filter into the current signature
204  *
205  * \param de_ctx pointer to the Detection Engine Context
206  * \param s pointer to the Current Signature
207  * \param m pointer to the Current SigMatch
208  * \param rawstr pointer to the user provided detection_filter options
209  *
210  * \retval 0 on Success
211  * \retval -1 on Failure
212  */
213 static int DetectDetectionFilterSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
214 {
215  SCEnter();
216  DetectThresholdData *df = NULL;
217  SigMatch *sm = NULL;
218  SigMatch *tmpm = NULL;
219 
220  /* checks if there's a previous instance of threshold */
222  if (tmpm != NULL) {
223  SCLogError(SC_ERR_INVALID_SIGNATURE, "\"detection_filter\" and \"threshold\" are not allowed in the same rule");
224  SCReturnInt(-1);
225  }
226  /* checks there's no previous instance of detection_filter */
228  if (tmpm != NULL) {
229  SCLogError(SC_ERR_INVALID_SIGNATURE, "At most one \"detection_filter\" is allowed per rule");
230  SCReturnInt(-1);
231  }
232 
233  df = DetectDetectionFilterParse(rawstr);
234  if (df == NULL)
235  goto error;
236 
237  sm = SigMatchAlloc();
238  if (sm == NULL)
239  goto error;
240 
242  sm->ctx = (SigMatchCtx *)df;
243 
245 
246  return 0;
247 
248 error:
249  if (df)
250  SCFree(df);
251  if (sm)
252  SCFree(sm);
253  return -1;
254 }
255 
256 /**
257  * \internal
258  * \brief this function will free memory associated with DetectThresholdData
259  *
260  * \param df_ptr pointer to DetectDetectionFilterData
261  */
262 static void DetectDetectionFilterFree(DetectEngineCtx *de_ctx, void *df_ptr)
263 {
265  if (df)
266  SCFree(df);
267 }
268 
269 /*
270  * ONLY TESTS BELOW THIS COMMENT
271  */
272 #ifdef UNITTESTS
273 #include "detect-engine.h"
274 #include "detect-engine-mpm.h"
275 #include "detect-engine-threshold.h"
276 #include "util-time.h"
277 #include "util-hashlist.h"
278 
279 /**
280  * \test DetectDetectionFilterTestParse01 is a test for a valid detection_filter options
281  *
282  * \retval 1 on succces
283  * \retval 0 on failure
284  */
285 static int DetectDetectionFilterTestParse01 (void)
286 {
287  DetectThresholdData *df = NULL;
288  df = DetectDetectionFilterParse("track by_dst,count 10,seconds 60");
289  if (df && (df->track == TRACK_DST) && (df->count == 10) && (df->seconds == 60)) {
290  DetectDetectionFilterFree(NULL, df);
291  return 1;
292  }
293 
294  return 0;
295 }
296 
297 /**
298  * \test DetectDetectionFilterTestParse02 is a test for a invalid detection_filter options
299  *
300  * \retval 1 on succces
301  * \retval 0 on failure
302  */
303 static int DetectDetectionFilterTestParse02 (void)
304 {
305  DetectThresholdData *df = NULL;
306  df = DetectDetectionFilterParse("track both,count 10,seconds 60");
307  if (df && (df->track == TRACK_DST || df->track == TRACK_SRC) && (df->count == 10) && (df->seconds == 60)) {
308  DetectDetectionFilterFree(NULL, df);
309  return 0;
310  }
311 
312  return 1;
313 }
314 
315 /**
316  * \test DetectDetectionfilterTestParse03 is a test for a valid detection_filter options in any order
317  *
318  * \retval 1 on succces
319  * \retval 0 on failure
320  */
321 static int DetectDetectionFilterTestParse03 (void)
322 {
323  DetectThresholdData *df = NULL;
324  df = DetectDetectionFilterParse("track by_dst, seconds 60, count 10");
325  if (df && (df->track == TRACK_DST) && (df->count == 10) && (df->seconds == 60)) {
326  DetectDetectionFilterFree(NULL, df);
327  return 1;
328  }
329 
330  return 0;
331 }
332 
333 
334 /**
335  * \test DetectDetectionFilterTestParse04 is a test for an invalid detection_filter options in any order
336  *
337  * \retval 1 on succces
338  * \retval 0 on failure
339  */
340 static int DetectDetectionFilterTestParse04 (void)
341 {
342  DetectThresholdData *df = NULL;
343  df = DetectDetectionFilterParse("count 10, track by_dst, seconds 60, count 10");
344  if (df && (df->track == TRACK_DST) && (df->count == 10) && (df->seconds == 60)) {
345  DetectDetectionFilterFree(NULL, df);
346  return 0;
347  }
348 
349  return 1;
350 }
351 
352 /**
353  * \test DetectDetectionFilterTestParse05 is a test for a valid detection_filter options in any order
354  *
355  * \retval 1 on succces
356  * \retval 0 on failure
357  */
358 static int DetectDetectionFilterTestParse05 (void)
359 {
360  DetectThresholdData *df = NULL;
361  df = DetectDetectionFilterParse("count 10, track by_dst, seconds 60");
362  if (df && (df->track == TRACK_DST) && (df->count == 10) && (df->seconds == 60)) {
363  DetectDetectionFilterFree(NULL, df);
364  return 1;
365  }
366 
367  return 0;
368 }
369 
370 /**
371  * \test DetectDetectionFilterTestParse06 is a test for an invalid value in detection_filter
372  *
373  * \retval 1 on succces
374  * \retval 0 on failure
375  */
376 static int DetectDetectionFilterTestParse06 (void)
377 {
378  DetectThresholdData *df = NULL;
379  df = DetectDetectionFilterParse("count 10, track by_dst, seconds 0");
380  if (df && (df->track == TRACK_DST) && (df->count == 10) && (df->seconds == 0)) {
381  DetectDetectionFilterFree(NULL, df);
382  return 0;
383  }
384 
385  return 1;
386 }
387 
388 /**
389  * \test DetectDetectionFilterTestSig1 is a test for checking the working of detection_filter keyword
390  * by setting up the signature and later testing its working by matching
391  * the received packet against the sig.
392  *
393  * \retval 1 on succces
394  * \retval 0 on failure
395  */
396 static int DetectDetectionFilterTestSig1(void)
397 {
398  Packet *p = NULL;
399  Signature *s = NULL;
400  ThreadVars th_v;
401  DetectEngineThreadCtx *det_ctx;
402  int result = 0;
403  int alerts = 0;
404 
406 
407  memset(&th_v, 0, sizeof(th_v));
408 
409  p = UTHBuildPacketReal(NULL, 0, IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
410 
412  if (de_ctx == NULL) {
413  goto end;
414  }
415 
416  de_ctx->flags |= DE_QUIET;
417 
418  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"detection_filter Test\"; detection_filter: track by_dst, count 4, seconds 60; sid:1;)");
419  if (s == NULL) {
420  goto end;
421  }
422 
424  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
425 
426  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
427  alerts = PacketAlertCheck(p, 1);
428  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
429  alerts += PacketAlertCheck(p, 1);
430  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
431  alerts += PacketAlertCheck(p, 1);
432  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
433  alerts += PacketAlertCheck(p, 1);
434  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
435  alerts += PacketAlertCheck(p, 1);
436  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
437  alerts += PacketAlertCheck(p, 1);
438  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
439  alerts += PacketAlertCheck(p, 1);
440  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
441  alerts += PacketAlertCheck(p, 1);
442 
443  if(alerts == 4)
444  result = 1;
445 
448 
449  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
451 
452 end:
453  UTHFreePackets(&p, 1);
454  HostShutdown();
455  return result;
456 }
457 
458 /**
459  * \test DetectDetectionFilterTestSig2 is a test for checking the working of detection_filter keyword
460  * by setting up the signature and later testing its working by matching
461  * the received packet against the sig.
462  *
463  * \retval 1 on succces
464  * \retval 0 on failure
465  */
466 
467 static int DetectDetectionFilterTestSig2(void)
468 {
469  Packet *p = NULL;
470  Signature *s = NULL;
471  ThreadVars th_v;
472  DetectEngineThreadCtx *det_ctx;
473  int result = 0;
474  int alerts = 0;
475  struct timeval ts;
476 
478 
479  memset (&ts, 0, sizeof(struct timeval));
480  TimeGet(&ts);
481 
482  memset(&th_v, 0, sizeof(th_v));
483 
484  p = UTHBuildPacketReal(NULL, 0, IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
485 
487  if (de_ctx == NULL) {
488  goto end;
489  }
490 
491  de_ctx->flags |= DE_QUIET;
492 
493  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"detection_filter Test 2\"; detection_filter: track by_dst, count 4, seconds 60; sid:10;)");
494  if (s == NULL) {
495  goto end;
496  }
497 
499  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
500 
501  TimeGet(&p->ts);
502 
503  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
504  alerts = PacketAlertCheck(p, 10);
505  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
506  alerts += PacketAlertCheck(p, 10);
507  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
508  alerts += PacketAlertCheck(p, 10);
509 
511  TimeGet(&p->ts);
512 
513  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
514  alerts += PacketAlertCheck(p, 10);
515  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
516  alerts += PacketAlertCheck(p, 10);
517  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
518  alerts += PacketAlertCheck(p, 10);
519  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
520  alerts += PacketAlertCheck(p, 10);
521 
522  if (alerts == 0)
523  result = 1;
524 
527 
528  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
530 end:
531  UTHFreePackets(&p, 1);
532  HostShutdown();
533  return result;
534 }
535 
536 /**
537  * \test drops
538  */
539 static int DetectDetectionFilterTestSig3(void)
540 {
541  Packet *p = NULL;
542  Signature *s = NULL;
543  ThreadVars th_v;
544  DetectEngineThreadCtx *det_ctx;
545  int result = 0;
546  int alerts = 0;
547  int drops = 0;
548  struct timeval ts;
549 
551 
552  memset (&ts, 0, sizeof(struct timeval));
553  TimeGet(&ts);
554 
555  memset(&th_v, 0, sizeof(th_v));
556 
557  p = UTHBuildPacketReal(NULL, 0, IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
558 
560  if (de_ctx == NULL) {
561  goto end;
562  }
563 
564  de_ctx->flags |= DE_QUIET;
565 
566  s = de_ctx->sig_list = SigInit(de_ctx,"drop tcp any any -> any 80 (msg:\"detection_filter Test 2\"; detection_filter: track by_dst, count 2, seconds 60; sid:10;)");
567  if (s == NULL) {
568  goto end;
569  }
570 
572  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
573 
574  TimeGet(&p->ts);
575 
576  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
577  alerts = PacketAlertCheck(p, 10);
578  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
579  p->action = 0;
580 
581  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
582  alerts += PacketAlertCheck(p, 10);
583  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
584  p->action = 0;
585 
586  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
587  alerts += PacketAlertCheck(p, 10);
588  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
589  p->action = 0;
590 
592  TimeGet(&p->ts);
593 
594  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
595  alerts += PacketAlertCheck(p, 10);
596  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
597  p->action = 0;
598 
599  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
600  alerts += PacketAlertCheck(p, 10);
601  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
602  p->action = 0;
603 
604  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
605  alerts += PacketAlertCheck(p, 10);
606  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
607  p->action = 0;
608 
609  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
610  alerts += PacketAlertCheck(p, 10);
611  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
612  p->action = 0;
613 
614  if (alerts == 3 && drops == 3)
615  result = 1;
616  else {
617  if (alerts != 3)
618  printf("alerts: %d != 3: ", alerts);
619  if (drops != 3)
620  printf("drops: %d != 3: ", drops);
621  }
622 
625 
626  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
628 end:
629  UTHFreePackets(&p, 1);
630  HostShutdown();
631  return result;
632 }
633 
634 static void DetectDetectionFilterRegisterTests(void)
635 {
636  UtRegisterTest("DetectDetectionFilterTestParse01",
637  DetectDetectionFilterTestParse01);
638  UtRegisterTest("DetectDetectionFilterTestParse02",
639  DetectDetectionFilterTestParse02);
640  UtRegisterTest("DetectDetectionFilterTestParse03",
641  DetectDetectionFilterTestParse03);
642  UtRegisterTest("DetectDetectionFilterTestParse04",
643  DetectDetectionFilterTestParse04);
644  UtRegisterTest("DetectDetectionFilterTestParse05",
645  DetectDetectionFilterTestParse05);
646  UtRegisterTest("DetectDetectionFilterTestParse06",
647  DetectDetectionFilterTestParse06);
648  UtRegisterTest("DetectDetectionFilterTestSig1",
649  DetectDetectionFilterTestSig1);
650  UtRegisterTest("DetectDetectionFilterTestSig2",
651  DetectDetectionFilterTestSig2);
652  UtRegisterTest("DetectDetectionFilterTestSig3",
653  DetectDetectionFilterTestSig3);
654 }
655 #endif /* UNITTESTS */
util-byte.h
host.h
DetectParseRegex::match
pcre2_match_data * match
Definition: detect-parse.h:45
SigTableElmt_::url
const char * url
Definition: detect.h:1270
ts
uint64_t ts
Definition: source-erf-file.c:54
detect-engine.h
SigTableElmt_::desc
const char * desc
Definition: detect.h:1269
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options)
Definition: detect-parse.c:2474
SC_ERR_INVALID_VALUE
@ SC_ERR_INVALID_VALUE
Definition: util-error.h:160
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1257
util-hashlist.h
PARSE_REGEX
#define PARSE_REGEX
Regex for parsing our detection_filter options.
Definition: detect-detection-filter.c:49
DetectParseRegex
Definition: detect-parse.h:42
SigTableElmt_::name
const char * name
Definition: detect.h:1267
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:137
DetectThresholdData_::count
uint32_t count
Definition: detect-threshold.h:58
Packet_::action
uint8_t action
Definition: decode.h:571
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2115
DETECT_SM_LIST_THRESHOLD
@ DETECT_SM_LIST_THRESHOLD
Definition: detect.h:104
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1261
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:811
SC_ERR_INVALID_SIGNATURE
@ SC_ERR_INVALID_SIGNATURE
Definition: util-error.h:69
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2433
TRACK_DST
#define TRACK_DST
Definition: detect-detection-filter.c:43
DE_QUIET
#define DE_QUIET
Definition: detect.h:295
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1790
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:42
UTHBuildPacketReal
Packet * UTHBuildPacketReal(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, const char *src, const char *dst, uint16_t sport, uint16_t dport)
UTHBuildPacketReal is a function that create tcp/udp packets for unittests specifying ip and port sou...
Definition: util-unittest-helper.c:242
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1252
util-unittest.h
util-unittest-helper.h
DetectThresholdData_::type
uint8_t type
Definition: detect-threshold.h:60
decode.h
util-debug.h
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
detect-detection-filter.h
DetectEngineThreadCtx_
Definition: detect.h:1060
DETECT_THRESHOLD
@ DETECT_THRESHOLD
Definition: detect-engine-register.h:55
res
PoolThreadReserved res
Definition: stream-tcp-private.h:0
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2597
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
StringParseUint32
int StringParseUint32(uint32_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:313
util-time.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:324
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2016
TimeSetIncrementTime
void TimeSetIncrementTime(uint32_t tv_sec)
increment the time in the engine
Definition: util-time.c:182
Packet_
Definition: decode.h:427
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1235
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1948
DetectThresholdData_::track
uint8_t track
Definition: detect-threshold.h:61
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:316
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3142
Packet_::ts
struct timeval ts
Definition: decode.h:470
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3354
SigMatch_::type
uint16_t type
Definition: detect.h:322
DetectThresholdData_
Definition: detect-threshold.h:57
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
HOST_QUIET
#define HOST_QUIET
Definition: host.h:93
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
HostShutdown
void HostShutdown(void)
shutdown the flow engine
Definition: host.c:309
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:817
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
DETECT_DETECTION_FILTER
@ DETECT_DETECTION_FILTER
Definition: detect-engine-register.h:98
SCFree
#define SCFree(p)
Definition: util-mem.h:61
detect-parse.h
DetectDetectionFilterRegister
void DetectDetectionFilterRegister(void)
Registration function for detection_filter: keyword.
Definition: detect-detection-filter.c:64
Signature_
Signature container.
Definition: detect.h:548
SigMatch_
a single match condition for a signature
Definition: detect.h:321
detect-threshold.h
TimeGet
void TimeGet(struct timeval *tv)
Definition: util-time.c:153
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2394
suricata.h
TRACK_SRC
#define TRACK_SRC
Definition: detect-detection-filter.c:44
HostInitConfig
void HostInitConfig(bool quiet)
initialize the configuration
Definition: host.c:175
DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition: detect-parse.c:468
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:812
DetectThresholdData_::seconds
uint32_t seconds
Definition: detect-threshold.h:59
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
SIGMATCH_IPONLY_COMPAT
#define SIGMATCH_IPONLY_COMPAT
Definition: detect.h:1455
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
debug.h
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1259
detect-engine-threshold.h
TYPE_DETECTION
#define TYPE_DETECTION
Definition: detect-threshold.h:34
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:468