suricata
detect-detection-filter.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Gerardo Iglesias <iglesiasg@gmail.com>
22  *
23  * Implements the detection_filter keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "suricata.h"
28 #include "debug.h"
29 #include "decode.h"
30 #include "detect.h"
31 
32 #include "host.h"
33 
35 #include "detect-threshold.h"
36 #include "detect-parse.h"
37 
38 #include "util-byte.h"
39 #include "util-unittest.h"
40 #include "util-unittest-helper.h"
41 #include "util-debug.h"
42 
43 #define TRACK_DST 1
44 #define TRACK_SRC 2
45 
46 /**
47  *\brief Regex for parsing our detection_filter options
48  */
49 #define PARSE_REGEX "^\\s*(track|count|seconds)\\s+(by_src|by_dst|\\d+)\\s*,\\s*(track|count|seconds)\\s+(by_src|by_dst|\\d+)\\s*,\\s*(track|count|seconds)\\s+(by_src|by_dst|\\d+)\\s*$"
50 
51 static DetectParseRegex parse_regex;
52 
53 static int DetectDetectionFilterMatch(DetectEngineThreadCtx *,
54  Packet *, const Signature *, const SigMatchCtx *);
55 static int DetectDetectionFilterSetup(DetectEngineCtx *, Signature *, const char *);
56 static void DetectDetectionFilterRegisterTests(void);
57 static void DetectDetectionFilterFree(DetectEngineCtx *, void *);
58 
59 /**
60  * \brief Registration function for detection_filter: keyword
61  */
63 {
64  sigmatch_table[DETECT_DETECTION_FILTER].name = "detection_filter";
65  sigmatch_table[DETECT_DETECTION_FILTER].desc = "alert on every match after a threshold has been reached";
66  sigmatch_table[DETECT_DETECTION_FILTER].url = "/rules/thresholding.html#detection-filter";
67  sigmatch_table[DETECT_DETECTION_FILTER].Match = DetectDetectionFilterMatch;
68  sigmatch_table[DETECT_DETECTION_FILTER].Setup = DetectDetectionFilterSetup;
69  sigmatch_table[DETECT_DETECTION_FILTER].Free = DetectDetectionFilterFree;
70  sigmatch_table[DETECT_DETECTION_FILTER].RegisterTests = DetectDetectionFilterRegisterTests;
71  /* this is compatible to ip-only signatures */
73 
74  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
75 }
76 
77 static int DetectDetectionFilterMatch (DetectEngineThreadCtx *det_ctx,
78  Packet *p, const Signature *s, const SigMatchCtx *ctx)
79 {
80  return 1;
81 }
82 
83 /**
84  * \internal
85  * \brief This function is used to parse detection_filter options passed via detection_filter: keyword
86  *
87  * \param rawstr Pointer to the user provided detection_filter options
88  *
89  * \retval df pointer to DetectThresholdData on success
90  * \retval NULL on failure
91  */
92 static DetectThresholdData *DetectDetectionFilterParse (const char *rawstr)
93 {
94  DetectThresholdData *df = NULL;
95  int ret = 0, res = 0;
96  int ov[MAX_SUBSTRINGS];
97  const char *str_ptr = NULL;
98  char *args[6] = { NULL, NULL, NULL, NULL, NULL, NULL};
99  char *copy_str = NULL, *df_opt = NULL;
100  int seconds_found = 0, count_found = 0, track_found = 0;
101  int seconds_pos = 0, count_pos = 0;
102  uint16_t pos = 0;
103  int i = 0;
104  char *saveptr = NULL;
105 
106  copy_str = SCStrdup(rawstr);
107  if (unlikely(copy_str == NULL)) {
108  goto error;
109  }
110 
111  for (pos = 0, df_opt = strtok_r(copy_str,",", &saveptr);
112  pos < strlen(copy_str) && df_opt != NULL;
113  pos++, df_opt = strtok_r(NULL,",", &saveptr))
114  {
115  if(strstr(df_opt,"count"))
116  count_found++;
117  if(strstr(df_opt,"second"))
118  seconds_found++;
119  if(strstr(df_opt,"track"))
120  track_found++;
121  }
122  SCFree(copy_str);
123  copy_str = NULL;
124 
125  if (count_found != 1 || seconds_found != 1 || track_found != 1)
126  goto error;
127 
128  ret = DetectParsePcreExec(&parse_regex, rawstr, 0, 0, ov, MAX_SUBSTRINGS);
129  if (ret < 5) {
130  SCLogError(SC_ERR_PCRE_MATCH, "pcre_exec parse error, ret %" PRId32 ", string %s", ret, rawstr);
131  goto error;
132  }
133 
134  df = SCMalloc(sizeof(DetectThresholdData));
135  if (unlikely(df == NULL))
136  goto error;
137 
138  memset(df,0,sizeof(DetectThresholdData));
139 
140  df->type = TYPE_DETECTION;
141 
142  for (i = 0; i < (ret - 1); i++) {
143  res = pcre_get_substring((char *)rawstr, ov, MAX_SUBSTRINGS, i + 1, &str_ptr);
144  if (res < 0) {
145  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
146  goto error;
147  }
148 
149  args[i] = (char *)str_ptr;
150 
151  if (strncasecmp(args[i],"by_dst",strlen("by_dst")) == 0)
152  df->track = TRACK_DST;
153  if (strncasecmp(args[i],"by_src",strlen("by_src")) == 0)
154  df->track = TRACK_SRC;
155  if (strncasecmp(args[i],"count",strlen("count")) == 0)
156  count_pos = i+1;
157  if (strncasecmp(args[i],"seconds",strlen("seconds")) == 0)
158  seconds_pos = i+1;
159  }
160 
161  if (args[count_pos] == NULL || args[seconds_pos] == NULL) {
162  goto error;
163  }
164 
165  if (StringParseUint32(&df->count, 10, strlen(args[count_pos]),
166  args[count_pos]) <= 0) {
167  goto error;
168  }
169 
170  if (StringParseUint32(&df->seconds, 10, strlen(args[seconds_pos]),
171  args[seconds_pos]) <= 0) {
172  goto error;
173  }
174 
175  if (df->count == 0 || df->seconds == 0) {
176  SCLogError(SC_ERR_INVALID_VALUE, "found an invalid value");
177  goto error;
178  }
179 
180  for (i = 0; i < 6; i++){
181  if (args[i] != NULL)
182  SCFree(args[i]);
183  }
184  return df;
185 
186 error:
187  for (i = 0; i < 6; i++){
188  if (args[i] != NULL)
189  SCFree(args[i]);
190  }
191  if (df != NULL)
192  SCFree(df);
193  return NULL;
194 }
195 
196 /**
197  * \internal
198  * \brief this function is used to add the parsed detection_filter into the current signature
199  *
200  * \param de_ctx pointer to the Detection Engine Context
201  * \param s pointer to the Current Signature
202  * \param m pointer to the Current SigMatch
203  * \param rawstr pointer to the user provided detection_filter options
204  *
205  * \retval 0 on Success
206  * \retval -1 on Failure
207  */
208 static int DetectDetectionFilterSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
209 {
210  SCEnter();
211  DetectThresholdData *df = NULL;
212  SigMatch *sm = NULL;
213  SigMatch *tmpm = NULL;
214 
215  /* checks if there's a previous instance of threshold */
217  if (tmpm != NULL) {
218  SCLogError(SC_ERR_INVALID_SIGNATURE, "\"detection_filter\" and \"threshold\" are not allowed in the same rule");
219  SCReturnInt(-1);
220  }
221  /* checks there's no previous instance of detection_filter */
223  if (tmpm != NULL) {
224  SCLogError(SC_ERR_INVALID_SIGNATURE, "At most one \"detection_filter\" is allowed per rule");
225  SCReturnInt(-1);
226  }
227 
228  df = DetectDetectionFilterParse(rawstr);
229  if (df == NULL)
230  goto error;
231 
232  sm = SigMatchAlloc();
233  if (sm == NULL)
234  goto error;
235 
237  sm->ctx = (SigMatchCtx *)df;
238 
240 
241  return 0;
242 
243 error:
244  if (df)
245  SCFree(df);
246  if (sm)
247  SCFree(sm);
248  return -1;
249 }
250 
251 /**
252  * \internal
253  * \brief this function will free memory associated with DetectThresholdData
254  *
255  * \param df_ptr pointer to DetectDetectionFilterData
256  */
257 static void DetectDetectionFilterFree(DetectEngineCtx *de_ctx, void *df_ptr)
258 {
260  if (df)
261  SCFree(df);
262 }
263 
264 /*
265  * ONLY TESTS BELOW THIS COMMENT
266  */
267 #ifdef UNITTESTS
268 #include "detect-engine.h"
269 #include "detect-engine-mpm.h"
270 #include "detect-engine-threshold.h"
271 #include "util-time.h"
272 #include "util-hashlist.h"
273 
274 /**
275  * \test DetectDetectionFilterTestParse01 is a test for a valid detection_filter options
276  *
277  * \retval 1 on succces
278  * \retval 0 on failure
279  */
280 static int DetectDetectionFilterTestParse01 (void)
281 {
282  DetectThresholdData *df = NULL;
283  df = DetectDetectionFilterParse("track by_dst,count 10,seconds 60");
284  if (df && (df->track == TRACK_DST) && (df->count == 10) && (df->seconds == 60)) {
285  DetectDetectionFilterFree(NULL, df);
286  return 1;
287  }
288 
289  return 0;
290 }
291 
292 /**
293  * \test DetectDetectionFilterTestParse02 is a test for a invalid detection_filter options
294  *
295  * \retval 1 on succces
296  * \retval 0 on failure
297  */
298 static int DetectDetectionFilterTestParse02 (void)
299 {
300  DetectThresholdData *df = NULL;
301  df = DetectDetectionFilterParse("track both,count 10,seconds 60");
302  if (df && (df->track == TRACK_DST || df->track == TRACK_SRC) && (df->count == 10) && (df->seconds == 60)) {
303  DetectDetectionFilterFree(NULL, df);
304  return 0;
305  }
306 
307  return 1;
308 }
309 
310 /**
311  * \test DetectDetectionfilterTestParse03 is a test for a valid detection_filter options in any order
312  *
313  * \retval 1 on succces
314  * \retval 0 on failure
315  */
316 static int DetectDetectionFilterTestParse03 (void)
317 {
318  DetectThresholdData *df = NULL;
319  df = DetectDetectionFilterParse("track by_dst, seconds 60, count 10");
320  if (df && (df->track == TRACK_DST) && (df->count == 10) && (df->seconds == 60)) {
321  DetectDetectionFilterFree(NULL, df);
322  return 1;
323  }
324 
325  return 0;
326 }
327 
328 
329 /**
330  * \test DetectDetectionFilterTestParse04 is a test for an invalid detection_filter options in any order
331  *
332  * \retval 1 on succces
333  * \retval 0 on failure
334  */
335 static int DetectDetectionFilterTestParse04 (void)
336 {
337  DetectThresholdData *df = NULL;
338  df = DetectDetectionFilterParse("count 10, track by_dst, seconds 60, count 10");
339  if (df && (df->track == TRACK_DST) && (df->count == 10) && (df->seconds == 60)) {
340  DetectDetectionFilterFree(NULL, df);
341  return 0;
342  }
343 
344  return 1;
345 }
346 
347 /**
348  * \test DetectDetectionFilterTestParse05 is a test for a valid detection_filter options in any order
349  *
350  * \retval 1 on succces
351  * \retval 0 on failure
352  */
353 static int DetectDetectionFilterTestParse05 (void)
354 {
355  DetectThresholdData *df = NULL;
356  df = DetectDetectionFilterParse("count 10, track by_dst, seconds 60");
357  if (df && (df->track == TRACK_DST) && (df->count == 10) && (df->seconds == 60)) {
358  DetectDetectionFilterFree(NULL, df);
359  return 1;
360  }
361 
362  return 0;
363 }
364 
365 /**
366  * \test DetectDetectionFilterTestParse06 is a test for an invalid value in detection_filter
367  *
368  * \retval 1 on succces
369  * \retval 0 on failure
370  */
371 static int DetectDetectionFilterTestParse06 (void)
372 {
373  DetectThresholdData *df = NULL;
374  df = DetectDetectionFilterParse("count 10, track by_dst, seconds 0");
375  if (df && (df->track == TRACK_DST) && (df->count == 10) && (df->seconds == 0)) {
376  DetectDetectionFilterFree(NULL, df);
377  return 0;
378  }
379 
380  return 1;
381 }
382 
383 /**
384  * \test DetectDetectionFilterTestSig1 is a test for checking the working of detection_filter keyword
385  * by setting up the signature and later testing its working by matching
386  * the received packet against the sig.
387  *
388  * \retval 1 on succces
389  * \retval 0 on failure
390  */
391 static int DetectDetectionFilterTestSig1(void)
392 {
393  Packet *p = NULL;
394  Signature *s = NULL;
395  ThreadVars th_v;
396  DetectEngineThreadCtx *det_ctx;
397  int result = 0;
398  int alerts = 0;
399 
401 
402  memset(&th_v, 0, sizeof(th_v));
403 
404  p = UTHBuildPacketReal(NULL, 0, IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
405 
407  if (de_ctx == NULL) {
408  goto end;
409  }
410 
411  de_ctx->flags |= DE_QUIET;
412 
413  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"detection_filter Test\"; detection_filter: track by_dst, count 4, seconds 60; sid:1;)");
414  if (s == NULL) {
415  goto end;
416  }
417 
419  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
420 
421  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
422  alerts = PacketAlertCheck(p, 1);
423  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
424  alerts += PacketAlertCheck(p, 1);
425  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
426  alerts += PacketAlertCheck(p, 1);
427  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
428  alerts += PacketAlertCheck(p, 1);
429  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
430  alerts += PacketAlertCheck(p, 1);
431  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
432  alerts += PacketAlertCheck(p, 1);
433  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
434  alerts += PacketAlertCheck(p, 1);
435  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
436  alerts += PacketAlertCheck(p, 1);
437 
438  if(alerts == 4)
439  result = 1;
440 
443 
444  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
446 
447 end:
448  UTHFreePackets(&p, 1);
449  HostShutdown();
450  return result;
451 }
452 
453 /**
454  * \test DetectDetectionFilterTestSig2 is a test for checking the working of detection_filter keyword
455  * by setting up the signature and later testing its working by matching
456  * the received packet against the sig.
457  *
458  * \retval 1 on succces
459  * \retval 0 on failure
460  */
461 
462 static int DetectDetectionFilterTestSig2(void)
463 {
464  Packet *p = NULL;
465  Signature *s = NULL;
466  ThreadVars th_v;
467  DetectEngineThreadCtx *det_ctx;
468  int result = 0;
469  int alerts = 0;
470  struct timeval ts;
471 
473 
474  memset (&ts, 0, sizeof(struct timeval));
475  TimeGet(&ts);
476 
477  memset(&th_v, 0, sizeof(th_v));
478 
479  p = UTHBuildPacketReal(NULL, 0, IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
480 
482  if (de_ctx == NULL) {
483  goto end;
484  }
485 
486  de_ctx->flags |= DE_QUIET;
487 
488  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"detection_filter Test 2\"; detection_filter: track by_dst, count 4, seconds 60; sid:10;)");
489  if (s == NULL) {
490  goto end;
491  }
492 
494  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
495 
496  TimeGet(&p->ts);
497 
498  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
499  alerts = PacketAlertCheck(p, 10);
500  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
501  alerts += PacketAlertCheck(p, 10);
502  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
503  alerts += PacketAlertCheck(p, 10);
504 
506  TimeGet(&p->ts);
507 
508  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
509  alerts += PacketAlertCheck(p, 10);
510  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
511  alerts += PacketAlertCheck(p, 10);
512  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
513  alerts += PacketAlertCheck(p, 10);
514  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
515  alerts += PacketAlertCheck(p, 10);
516 
517  if (alerts == 0)
518  result = 1;
519 
522 
523  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
525 end:
526  UTHFreePackets(&p, 1);
527  HostShutdown();
528  return result;
529 }
530 
531 /**
532  * \test drops
533  */
534 static int DetectDetectionFilterTestSig3(void)
535 {
536  Packet *p = NULL;
537  Signature *s = NULL;
538  ThreadVars th_v;
539  DetectEngineThreadCtx *det_ctx;
540  int result = 0;
541  int alerts = 0;
542  int drops = 0;
543  struct timeval ts;
544 
546 
547  memset (&ts, 0, sizeof(struct timeval));
548  TimeGet(&ts);
549 
550  memset(&th_v, 0, sizeof(th_v));
551 
552  p = UTHBuildPacketReal(NULL, 0, IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
553 
555  if (de_ctx == NULL) {
556  goto end;
557  }
558 
559  de_ctx->flags |= DE_QUIET;
560 
561  s = de_ctx->sig_list = SigInit(de_ctx,"drop tcp any any -> any 80 (msg:\"detection_filter Test 2\"; detection_filter: track by_dst, count 2, seconds 60; sid:10;)");
562  if (s == NULL) {
563  goto end;
564  }
565 
567  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
568 
569  TimeGet(&p->ts);
570 
571  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
572  alerts = PacketAlertCheck(p, 10);
573  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
574  p->action = 0;
575 
576  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
577  alerts += PacketAlertCheck(p, 10);
578  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
579  p->action = 0;
580 
581  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
582  alerts += PacketAlertCheck(p, 10);
583  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
584  p->action = 0;
585 
587  TimeGet(&p->ts);
588 
589  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
590  alerts += PacketAlertCheck(p, 10);
591  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
592  p->action = 0;
593 
594  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
595  alerts += PacketAlertCheck(p, 10);
596  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
597  p->action = 0;
598 
599  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
600  alerts += PacketAlertCheck(p, 10);
601  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
602  p->action = 0;
603 
604  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
605  alerts += PacketAlertCheck(p, 10);
606  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
607  p->action = 0;
608 
609  if (alerts == 3 && drops == 3)
610  result = 1;
611  else {
612  if (alerts != 3)
613  printf("alerts: %d != 3: ", alerts);
614  if (drops != 3)
615  printf("drops: %d != 3: ", drops);
616  }
617 
620 
621  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
623 end:
624  UTHFreePackets(&p, 1);
625  HostShutdown();
626  return result;
627 }
628 #endif /* UNITTESTS */
629 
630 static void DetectDetectionFilterRegisterTests(void)
631 {
632 #ifdef UNITTESTS
633  UtRegisterTest("DetectDetectionFilterTestParse01",
634  DetectDetectionFilterTestParse01);
635  UtRegisterTest("DetectDetectionFilterTestParse02",
636  DetectDetectionFilterTestParse02);
637  UtRegisterTest("DetectDetectionFilterTestParse03",
638  DetectDetectionFilterTestParse03);
639  UtRegisterTest("DetectDetectionFilterTestParse04",
640  DetectDetectionFilterTestParse04);
641  UtRegisterTest("DetectDetectionFilterTestParse05",
642  DetectDetectionFilterTestParse05);
643  UtRegisterTest("DetectDetectionFilterTestParse06",
644  DetectDetectionFilterTestParse06);
645  UtRegisterTest("DetectDetectionFilterTestSig1",
646  DetectDetectionFilterTestSig1);
647  UtRegisterTest("DetectDetectionFilterTestSig2",
648  DetectDetectionFilterTestSig2);
649  UtRegisterTest("DetectDetectionFilterTestSig3",
650  DetectDetectionFilterTestSig3);
651 #endif /* UNITTESTS */
652 }
653 
util-byte.h
host.h
SigTableElmt_::url
const char * url
Definition: detect.h:1212
ts
uint64_t ts
Definition: source-erf-file.c:54
detect-engine.h
SigTableElmt_::desc
const char * desc
Definition: detect.h:1211
SC_ERR_INVALID_VALUE
@ SC_ERR_INVALID_VALUE
Definition: util-error.h:160
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1200
util-hashlist.h
PARSE_REGEX
#define PARSE_REGEX
Regex for parsing our detection_filter options.
Definition: detect-detection-filter.c:49
SigTableElmt_::name
const char * name
Definition: detect.h:1209
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
DetectThresholdData_::count
uint32_t count
Definition: detect-threshold.h:58
Packet_::action
uint8_t action
Definition: decode.h:547
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2035
DETECT_SM_LIST_THRESHOLD
@ DETECT_SM_LIST_THRESHOLD
Definition: detect.h:104
HostInitConfig
void HostInitConfig(char quiet)
initialize the configuration
Definition: host.c:173
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1203
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:766
SC_ERR_INVALID_SIGNATURE
@ SC_ERR_INVALID_SIGNATURE
Definition: util-error.h:69
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2092
TRACK_DST
#define TRACK_DST
Definition: detect-detection-filter.c:43
DE_QUIET
#define DE_QUIET
Definition: detect.h:293
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:39
UTHBuildPacketReal
Packet * UTHBuildPacketReal(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, const char *src, const char *dst, uint16_t sport, uint16_t dport)
UTHBuildPacketReal is a function that create tcp/udp packets for unittests specifying ip and port sou...
Definition: util-unittest-helper.c:241
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1195
util-unittest.h
util-unittest-helper.h
DetectThresholdData_::type
uint8_t type
Definition: detect-threshold.h:60
decode.h
util-debug.h
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
detect-detection-filter.h
DetectEngineThreadCtx_
Definition: detect.h:1009
DETECT_THRESHOLD
@ DETECT_THRESHOLD
Definition: detect-engine-register.h:54
res
PoolThreadReserved res
Definition: stream-tcp-private.h:0
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2472
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
util-time.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:322
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1688
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1943
TimeSetIncrementTime
void TimeSetIncrementTime(uint32_t tv_sec)
increment the time in the engine
Definition: util-time.c:182
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options, int *ovector, int ovector_size)
Definition: detect-parse.c:2402
Packet_
Definition: decode.h:411
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1178
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1878
DetectThresholdData_::track
uint8_t track
Definition: detect-threshold.h:61
SigMatch_::type
uint8_t type
Definition: detect.h:320
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:314
StringParseUint32
int StringParseUint32(uint32_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:313
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2796
Packet_::ts
struct timeval ts
Definition: decode.h:454
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3004
DetectThresholdData_
Definition: detect-threshold.h:57
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectParseRegex_
Definition: detect-parse.h:42
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
HOST_QUIET
#define HOST_QUIET
Definition: host.h:93
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
HostShutdown
void HostShutdown(void)
shutdown the flow engine
Definition: host.c:305
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:772
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
DETECT_DETECTION_FILTER
@ DETECT_DETECTION_FILTER
Definition: detect-engine-register.h:97
SCFree
#define SCFree(p)
Definition: util-mem.h:61
detect-parse.h
DetectDetectionFilterRegister
void DetectDetectionFilterRegister(void)
Registration function for detection_filter: keyword.
Definition: detect-detection-filter.c:62
Signature_
Signature container.
Definition: detect.h:527
SigMatch_
a single match condition for a signature
Definition: detect.h:319
detect-threshold.h
TimeGet
void TimeGet(struct timeval *tv)
Definition: util-time.c:153
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2047
suricata.h
TRACK_SRC
#define TRACK_SRC
Definition: detect-detection-filter.c:44
DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition: detect-parse.c:468
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:767
DetectThresholdData_::seconds
uint32_t seconds
Definition: detect-threshold.h:59
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
SIGMATCH_IPONLY_COMPAT
#define SIGMATCH_IPONLY_COMPAT
Definition: detect.h:1380
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
debug.h
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1201
detect-engine-threshold.h
PACKET_TEST_ACTION
#define PACKET_TEST_ACTION(p, a)
Definition: decode.h:850
TYPE_DETECTION
#define TYPE_DETECTION
Definition: detect-threshold.h:34
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:467