suricata
detect-detection-filter.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2010 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Gerardo Iglesias <iglesiasg@gmail.com>
22  *
23  * Implements the detection_filter keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "suricata.h"
28 #include "debug.h"
29 #include "decode.h"
30 #include "detect.h"
31 
32 #include "host.h"
33 
35 #include "detect-threshold.h"
36 #include "detect-parse.h"
37 
38 #include "util-byte.h"
39 #include "util-unittest.h"
40 #include "util-unittest-helper.h"
41 #include "util-debug.h"
42 
43 #define TRACK_DST 1
44 #define TRACK_SRC 2
45 
46 /**
47  *\brief Regex for parsing our detection_filter options
48  */
49 #define PARSE_REGEX "^\\s*(track|count|seconds)\\s+(by_src|by_dst|\\d+)\\s*,\\s*(track|count|seconds)\\s+(by_src|by_dst|\\d+)\\s*,\\s*(track|count|seconds)\\s+(by_src|by_dst|\\d+)\\s*$"
50 
51 static pcre *parse_regex;
52 static pcre_extra *parse_regex_study;
53 
54 static int DetectDetectionFilterMatch(ThreadVars *, DetectEngineThreadCtx *,
55  Packet *, const Signature *, const SigMatchCtx *);
56 static int DetectDetectionFilterSetup(DetectEngineCtx *, Signature *, const char *);
57 static void DetectDetectionFilterRegisterTests(void);
58 static void DetectDetectionFilterFree(void *);
59 
60 /**
61  * \brief Registration function for detection_filter: keyword
62  */
64 {
65  sigmatch_table[DETECT_DETECTION_FILTER].name = "detection_filter";
66  sigmatch_table[DETECT_DETECTION_FILTER].desc = "alert on every match after a threshold has been reached";
67  sigmatch_table[DETECT_DETECTION_FILTER].url = DOC_URL DOC_VERSION "/rules/thresholding.html#detection-filter";
68  sigmatch_table[DETECT_DETECTION_FILTER].Match = DetectDetectionFilterMatch;
69  sigmatch_table[DETECT_DETECTION_FILTER].Setup = DetectDetectionFilterSetup;
70  sigmatch_table[DETECT_DETECTION_FILTER].Free = DetectDetectionFilterFree;
71  sigmatch_table[DETECT_DETECTION_FILTER].RegisterTests = DetectDetectionFilterRegisterTests;
72  /* this is compatible to ip-only signatures */
74 
75  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
76 }
77 
78 static int DetectDetectionFilterMatch (ThreadVars *thv, DetectEngineThreadCtx *det_ctx,
79  Packet *p, const Signature *s, const SigMatchCtx *ctx)
80 {
81  return 1;
82 }
83 
84 /**
85  * \internal
86  * \brief This function is used to parse detection_filter options passed via detection_filter: keyword
87  *
88  * \param rawstr Pointer to the user provided detection_filter options
89  *
90  * \retval df pointer to DetectThresholdData on success
91  * \retval NULL on failure
92  */
93 static DetectThresholdData *DetectDetectionFilterParse (const char *rawstr)
94 {
95  DetectThresholdData *df = NULL;
96 #define MAX_SUBSTRINGS 30
97  int ret = 0, res = 0;
98  int ov[MAX_SUBSTRINGS];
99  const char *str_ptr = NULL;
100  char *args[6] = { NULL, NULL, NULL, NULL, NULL, NULL};
101  char *copy_str = NULL, *df_opt = NULL;
102  int seconds_found = 0, count_found = 0, track_found = 0;
103  int seconds_pos = 0, count_pos = 0;
104  uint16_t pos = 0;
105  int i = 0;
106  char *saveptr = NULL;
107 
108  copy_str = SCStrdup(rawstr);
109  if (unlikely(copy_str == NULL)) {
110  goto error;
111  }
112 
113  for (pos = 0, df_opt = strtok_r(copy_str,",", &saveptr);
114  pos < strlen(copy_str) && df_opt != NULL;
115  pos++, df_opt = strtok_r(NULL,",", &saveptr))
116  {
117  if(strstr(df_opt,"count"))
118  count_found++;
119  if(strstr(df_opt,"second"))
120  seconds_found++;
121  if(strstr(df_opt,"track"))
122  track_found++;
123  }
124  SCFree(copy_str);
125  copy_str = NULL;
126 
127  if (count_found != 1 || seconds_found != 1 || track_found != 1)
128  goto error;
129 
130  ret = pcre_exec(parse_regex, parse_regex_study, rawstr, strlen(rawstr), 0, 0, ov, MAX_SUBSTRINGS);
131  if (ret < 5) {
132  SCLogError(SC_ERR_PCRE_MATCH, "pcre_exec parse error, ret %" PRId32 ", string %s", ret, rawstr);
133  goto error;
134  }
135 
136  df = SCMalloc(sizeof(DetectThresholdData));
137  if (unlikely(df == NULL))
138  goto error;
139 
140  memset(df,0,sizeof(DetectThresholdData));
141 
142  df->type = TYPE_DETECTION;
143 
144  for (i = 0; i < (ret - 1); i++) {
145  res = pcre_get_substring((char *)rawstr, ov, MAX_SUBSTRINGS, i + 1, &str_ptr);
146  if (res < 0) {
147  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
148  goto error;
149  }
150 
151  args[i] = (char *)str_ptr;
152 
153  if (strncasecmp(args[i],"by_dst",strlen("by_dst")) == 0)
154  df->track = TRACK_DST;
155  if (strncasecmp(args[i],"by_src",strlen("by_src")) == 0)
156  df->track = TRACK_SRC;
157  if (strncasecmp(args[i],"count",strlen("count")) == 0)
158  count_pos = i+1;
159  if (strncasecmp(args[i],"seconds",strlen("seconds")) == 0)
160  seconds_pos = i+1;
161  }
162 
163  if (args[count_pos] == NULL || args[seconds_pos] == NULL) {
164  goto error;
165  }
166 
167  if (ByteExtractStringUint32(&df->count, 10, strlen(args[count_pos]),
168  args[count_pos]) <= 0) {
169  goto error;
170  }
171 
172  if (ByteExtractStringUint32(&df->seconds, 10, strlen(args[seconds_pos]),
173  args[seconds_pos]) <= 0) {
174  goto error;
175  }
176 
177  if (df->count == 0 || df->seconds == 0) {
178  SCLogError(SC_ERR_INVALID_VALUE, "found an invalid value");
179  goto error;
180  }
181 
182  for (i = 0; i < 6; i++){
183  if (args[i] != NULL)
184  SCFree(args[i]);
185  }
186  return df;
187 
188 error:
189  for (i = 0; i < 6; i++){
190  if (args[i] != NULL)
191  SCFree(args[i]);
192  }
193  if (df != NULL)
194  SCFree(df);
195  return NULL;
196 }
197 
198 /**
199  * \internal
200  * \brief this function is used to add the parsed detection_filter into the current signature
201  *
202  * \param de_ctx pointer to the Detection Engine Context
203  * \param s pointer to the Current Signature
204  * \param m pointer to the Current SigMatch
205  * \param rawstr pointer to the user provided detection_filter options
206  *
207  * \retval 0 on Success
208  * \retval -1 on Failure
209  */
210 static int DetectDetectionFilterSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
211 {
212  SCEnter();
213  DetectThresholdData *df = NULL;
214  SigMatch *sm = NULL;
215  SigMatch *tmpm = NULL;
216 
217  /* checks if there's a previous instance of threshold */
219  if (tmpm != NULL) {
220  SCLogError(SC_ERR_INVALID_SIGNATURE, "\"detection_filter\" and \"threshold\" are not allowed in the same rule");
221  SCReturnInt(-1);
222  }
223  /* checks there's no previous instance of detection_filter */
225  if (tmpm != NULL) {
226  SCLogError(SC_ERR_INVALID_SIGNATURE, "At most one \"detection_filter\" is allowed per rule");
227  SCReturnInt(-1);
228  }
229 
230  df = DetectDetectionFilterParse(rawstr);
231  if (df == NULL)
232  goto error;
233 
234  sm = SigMatchAlloc();
235  if (sm == NULL)
236  goto error;
237 
239  sm->ctx = (SigMatchCtx *)df;
240 
242 
243  return 0;
244 
245 error:
246  if (df)
247  SCFree(df);
248  if (sm)
249  SCFree(sm);
250  return -1;
251 }
252 
253 /**
254  * \internal
255  * \brief this function will free memory associated with DetectThresholdData
256  *
257  * \param df_ptr pointer to DetectDetectionFilterData
258  */
259 static void DetectDetectionFilterFree(void *df_ptr)
260 {
262  if (df)
263  SCFree(df);
264 }
265 
266 /*
267  * ONLY TESTS BELOW THIS COMMENT
268  */
269 #ifdef UNITTESTS
270 #include "detect-engine.h"
271 #include "detect-engine-mpm.h"
272 #include "detect-engine-threshold.h"
273 #include "util-time.h"
274 #include "util-hashlist.h"
275 
276 /**
277  * \test DetectDetectionFilterTestParse01 is a test for a valid detection_filter options
278  *
279  * \retval 1 on succces
280  * \retval 0 on failure
281  */
282 static int DetectDetectionFilterTestParse01 (void)
283 {
284  DetectThresholdData *df = NULL;
285  df = DetectDetectionFilterParse("track by_dst,count 10,seconds 60");
286  if (df && (df->track == TRACK_DST) && (df->count == 10) && (df->seconds == 60)) {
287  DetectDetectionFilterFree(df);
288  return 1;
289  }
290 
291  return 0;
292 }
293 
294 /**
295  * \test DetectDetectionFilterTestParse02 is a test for a invalid detection_filter options
296  *
297  * \retval 1 on succces
298  * \retval 0 on failure
299  */
300 static int DetectDetectionFilterTestParse02 (void)
301 {
302  DetectThresholdData *df = NULL;
303  df = DetectDetectionFilterParse("track both,count 10,seconds 60");
304  if (df && (df->track == TRACK_DST || df->track == TRACK_SRC) && (df->count == 10) && (df->seconds == 60)) {
305  DetectDetectionFilterFree(df);
306  return 0;
307  }
308 
309  return 1;
310 }
311 
312 /**
313  * \test DetectDetectionfilterTestParse03 is a test for a valid detection_filter options in any order
314  *
315  * \retval 1 on succces
316  * \retval 0 on failure
317  */
318 static int DetectDetectionFilterTestParse03 (void)
319 {
320  DetectThresholdData *df = NULL;
321  df = DetectDetectionFilterParse("track by_dst, seconds 60, count 10");
322  if (df && (df->track == TRACK_DST) && (df->count == 10) && (df->seconds == 60)) {
323  DetectDetectionFilterFree(df);
324  return 1;
325  }
326 
327  return 0;
328 }
329 
330 
331 /**
332  * \test DetectDetectionFilterTestParse04 is a test for an invalid detection_filter options in any order
333  *
334  * \retval 1 on succces
335  * \retval 0 on failure
336  */
337 static int DetectDetectionFilterTestParse04 (void)
338 {
339  DetectThresholdData *df = NULL;
340  df = DetectDetectionFilterParse("count 10, track by_dst, seconds 60, count 10");
341  if (df && (df->track == TRACK_DST) && (df->count == 10) && (df->seconds == 60)) {
342  DetectDetectionFilterFree(df);
343  return 0;
344  }
345 
346  return 1;
347 }
348 
349 /**
350  * \test DetectDetectionFilterTestParse05 is a test for a valid detection_filter options in any order
351  *
352  * \retval 1 on succces
353  * \retval 0 on failure
354  */
355 static int DetectDetectionFilterTestParse05 (void)
356 {
357  DetectThresholdData *df = NULL;
358  df = DetectDetectionFilterParse("count 10, track by_dst, seconds 60");
359  if (df && (df->track == TRACK_DST) && (df->count == 10) && (df->seconds == 60)) {
360  DetectDetectionFilterFree(df);
361  return 1;
362  }
363 
364  return 0;
365 }
366 
367 /**
368  * \test DetectDetectionFilterTestParse06 is a test for an invalid value in detection_filter
369  *
370  * \retval 1 on succces
371  * \retval 0 on failure
372  */
373 static int DetectDetectionFilterTestParse06 (void)
374 {
375  DetectThresholdData *df = NULL;
376  df = DetectDetectionFilterParse("count 10, track by_dst, seconds 0");
377  if (df && (df->track == TRACK_DST) && (df->count == 10) && (df->seconds == 0)) {
378  DetectDetectionFilterFree(df);
379  return 0;
380  }
381 
382  return 1;
383 }
384 
385 /**
386  * \test DetectDetectionFilterTestSig1 is a test for checking the working of detection_filter keyword
387  * by setting up the signature and later testing its working by matching
388  * the received packet against the sig.
389  *
390  * \retval 1 on succces
391  * \retval 0 on failure
392  */
393 static int DetectDetectionFilterTestSig1(void)
394 {
395  Packet *p = NULL;
396  Signature *s = NULL;
397  ThreadVars th_v;
398  DetectEngineThreadCtx *det_ctx;
399  int result = 0;
400  int alerts = 0;
401 
403 
404  memset(&th_v, 0, sizeof(th_v));
405 
406  p = UTHBuildPacketReal(NULL, 0, IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
407 
409  if (de_ctx == NULL) {
410  goto end;
411  }
412 
413  de_ctx->flags |= DE_QUIET;
414 
415  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"detection_filter Test\"; detection_filter: track by_dst, count 4, seconds 60; sid:1;)");
416  if (s == NULL) {
417  goto end;
418  }
419 
420  SigGroupBuild(de_ctx);
421  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
422 
423  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
424  alerts = PacketAlertCheck(p, 1);
425  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
426  alerts += PacketAlertCheck(p, 1);
427  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
428  alerts += PacketAlertCheck(p, 1);
429  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
430  alerts += PacketAlertCheck(p, 1);
431  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
432  alerts += PacketAlertCheck(p, 1);
433  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
434  alerts += PacketAlertCheck(p, 1);
435  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
436  alerts += PacketAlertCheck(p, 1);
437  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
438  alerts += PacketAlertCheck(p, 1);
439 
440  if(alerts == 4)
441  result = 1;
442 
443  SigGroupCleanup(de_ctx);
444  SigCleanSignatures(de_ctx);
445 
446  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
447  DetectEngineCtxFree(de_ctx);
448 
449 end:
450  UTHFreePackets(&p, 1);
451  HostShutdown();
452  return result;
453 }
454 
455 /**
456  * \test DetectDetectionFilterTestSig2 is a test for checking the working of detection_filter keyword
457  * by setting up the signature and later testing its working by matching
458  * the received packet against the sig.
459  *
460  * \retval 1 on succces
461  * \retval 0 on failure
462  */
463 
464 static int DetectDetectionFilterTestSig2(void)
465 {
466  Packet *p = NULL;
467  Signature *s = NULL;
468  ThreadVars th_v;
469  DetectEngineThreadCtx *det_ctx;
470  int result = 0;
471  int alerts = 0;
472  struct timeval ts;
473 
475 
476  memset (&ts, 0, sizeof(struct timeval));
477  TimeGet(&ts);
478 
479  memset(&th_v, 0, sizeof(th_v));
480 
481  p = UTHBuildPacketReal(NULL, 0, IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
482 
484  if (de_ctx == NULL) {
485  goto end;
486  }
487 
488  de_ctx->flags |= DE_QUIET;
489 
490  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"detection_filter Test 2\"; detection_filter: track by_dst, count 4, seconds 60; sid:10;)");
491  if (s == NULL) {
492  goto end;
493  }
494 
495  SigGroupBuild(de_ctx);
496  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
497 
498  TimeGet(&p->ts);
499 
500  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
501  alerts = PacketAlertCheck(p, 10);
502  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
503  alerts += PacketAlertCheck(p, 10);
504  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
505  alerts += PacketAlertCheck(p, 10);
506 
508  TimeGet(&p->ts);
509 
510  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
511  alerts += PacketAlertCheck(p, 10);
512  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
513  alerts += PacketAlertCheck(p, 10);
514  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
515  alerts += PacketAlertCheck(p, 10);
516  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
517  alerts += PacketAlertCheck(p, 10);
518 
519  if (alerts == 0)
520  result = 1;
521 
522  SigGroupCleanup(de_ctx);
523  SigCleanSignatures(de_ctx);
524 
525  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
526  DetectEngineCtxFree(de_ctx);
527 end:
528  UTHFreePackets(&p, 1);
529  HostShutdown();
530  return result;
531 }
532 
533 /**
534  * \test drops
535  */
536 static int DetectDetectionFilterTestSig3(void)
537 {
538  Packet *p = NULL;
539  Signature *s = NULL;
540  ThreadVars th_v;
541  DetectEngineThreadCtx *det_ctx;
542  int result = 0;
543  int alerts = 0;
544  int drops = 0;
545  struct timeval ts;
546 
548 
549  memset (&ts, 0, sizeof(struct timeval));
550  TimeGet(&ts);
551 
552  memset(&th_v, 0, sizeof(th_v));
553 
554  p = UTHBuildPacketReal(NULL, 0, IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
555 
557  if (de_ctx == NULL) {
558  goto end;
559  }
560 
561  de_ctx->flags |= DE_QUIET;
562 
563  s = de_ctx->sig_list = SigInit(de_ctx,"drop tcp any any -> any 80 (msg:\"detection_filter Test 2\"; detection_filter: track by_dst, count 2, seconds 60; sid:10;)");
564  if (s == NULL) {
565  goto end;
566  }
567 
568  SigGroupBuild(de_ctx);
569  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
570 
571  TimeGet(&p->ts);
572 
573  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
574  alerts = PacketAlertCheck(p, 10);
575  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
576  p->action = 0;
577 
578  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
579  alerts += PacketAlertCheck(p, 10);
580  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
581  p->action = 0;
582 
583  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
584  alerts += PacketAlertCheck(p, 10);
585  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
586  p->action = 0;
587 
589  TimeGet(&p->ts);
590 
591  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
592  alerts += PacketAlertCheck(p, 10);
593  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
594  p->action = 0;
595 
596  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
597  alerts += PacketAlertCheck(p, 10);
598  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
599  p->action = 0;
600 
601  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
602  alerts += PacketAlertCheck(p, 10);
603  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
604  p->action = 0;
605 
606  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
607  alerts += PacketAlertCheck(p, 10);
608  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
609  p->action = 0;
610 
611  if (alerts == 3 && drops == 3)
612  result = 1;
613  else {
614  if (alerts != 3)
615  printf("alerts: %d != 3: ", alerts);
616  if (drops != 3)
617  printf("drops: %d != 3: ", drops);
618  }
619 
620  SigGroupCleanup(de_ctx);
621  SigCleanSignatures(de_ctx);
622 
623  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
624  DetectEngineCtxFree(de_ctx);
625 end:
626  UTHFreePackets(&p, 1);
627  HostShutdown();
628  return result;
629 }
630 #endif /* UNITTESTS */
631 
632 static void DetectDetectionFilterRegisterTests(void)
633 {
634 #ifdef UNITTESTS
635  UtRegisterTest("DetectDetectionFilterTestParse01",
636  DetectDetectionFilterTestParse01);
637  UtRegisterTest("DetectDetectionFilterTestParse02",
638  DetectDetectionFilterTestParse02);
639  UtRegisterTest("DetectDetectionFilterTestParse03",
640  DetectDetectionFilterTestParse03);
641  UtRegisterTest("DetectDetectionFilterTestParse04",
642  DetectDetectionFilterTestParse04);
643  UtRegisterTest("DetectDetectionFilterTestParse05",
644  DetectDetectionFilterTestParse05);
645  UtRegisterTest("DetectDetectionFilterTestParse06",
646  DetectDetectionFilterTestParse06);
647  UtRegisterTest("DetectDetectionFilterTestSig1",
648  DetectDetectionFilterTestSig1);
649  UtRegisterTest("DetectDetectionFilterTestSig2",
650  DetectDetectionFilterTestSig2);
651  UtRegisterTest("DetectDetectionFilterTestSig3",
652  DetectDetectionFilterTestSig3);
653 #endif /* UNITTESTS */
654 }
655 
void HostShutdown(void)
shutdown the flow engine
Definition: host.c:300
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1403
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1146
#define HOST_QUIET
Definition: host.h:93
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
#define TRACK_DST
#define PACKET_TEST_ACTION(p, a)
Definition: decode.h:870
#define MAX_SUBSTRINGS
#define unlikely(expr)
Definition: util-optimize.h:35
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Signature * sig_list
Definition: detect.h:726
#define PARSE_REGEX
Regex for parsing our detection_filter options.
void SigCleanSignatures(DetectEngineCtx *de_ctx)
int ByteExtractStringUint32(uint32_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:244
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
const char * name
Definition: detect.h:1160
Signature container.
Definition: detect.h:492
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:319
main detection engine ctx
Definition: detect.h:720
void HostInitConfig(char quiet)
initialize the configuration
Definition: host.c:168
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
#define DE_QUIET
Definition: detect.h:298
uint8_t flags
Definition: detect.h:721
void TimeGet(struct timeval *tv)
Definition: util-time.c:138
void(* Free)(void *)
Definition: detect.h:1151
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1752
void DetectSetupParseRegexes(const char *parse_str, pcre **parse_regex, pcre_extra **parse_regex_study)
#define SCEnter(...)
Definition: util-debug.h:337
void DetectDetectionFilterRegister(void)
Registration function for detection_filter: keyword.
Packet * UTHBuildPacketReal(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, const char *src, const char *dst, uint16_t sport, uint16_t dport)
UTHBuildPacketReal is a function that create tcp/udp packets for unittests specifying ip and port sou...
int SigGroupCleanup(DetectEngineCtx *de_ctx)
uint8_t type
Definition: detect.h:325
#define SCReturnInt(x)
Definition: util-debug.h:341
const char * desc
Definition: detect.h:1162
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:282
SigMatchCtx * ctx
Definition: detect.h:327
#define SCMalloc(a)
Definition: util-mem.h:174
void TimeSetIncrementTime(uint32_t tv_sec)
increment the time in the engine
Definition: util-time.c:167
#define SCFree(a)
Definition: util-mem.h:236
PoolThreadReserved res
#define TRACK_SRC
int(* Match)(ThreadVars *, DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1129
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us. ...
Definition: detect-parse.c:401
const char * url
Definition: detect.h:1163
#define SCStrdup(a)
Definition: util-mem.h:220
#define SIGMATCH_IPONLY_COMPAT
Definition: detect.h:1330
#define DOC_URL
Definition: suricata.h:86
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:226
Per thread variable structure.
Definition: threadvars.h:57
struct timeval ts
Definition: decode.h:450
#define ACTION_DROP
#define DOC_VERSION
Definition: suricata.h:91
uint16_t flags
Definition: detect.h:1154
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself...
void(* RegisterTests)(void)
Definition: detect.h:1152
a single match condition for a signature
Definition: detect.h:324
#define TYPE_DETECTION
DetectEngineCtx * DetectEngineCtxInit(void)
uint8_t action
Definition: decode.h:549