suricata
detect-detection-filter.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Gerardo Iglesias <iglesiasg@gmail.com>
22  *
23  * Implements the detection_filter keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "suricata.h"
28 #include "debug.h"
29 #include "decode.h"
30 #include "detect.h"
31 
32 #include "host.h"
33 
35 #include "detect-threshold.h"
36 #include "detect-parse.h"
37 
38 #include "util-byte.h"
39 #include "util-unittest.h"
40 #include "util-unittest-helper.h"
41 #include "util-debug.h"
42 
43 #define TRACK_DST 1
44 #define TRACK_SRC 2
45 
46 /**
47  *\brief Regex for parsing our detection_filter options
48  */
49 #define PARSE_REGEX "^\\s*(track|count|seconds)\\s+(by_src|by_dst|\\d+)\\s*,\\s*(track|count|seconds)\\s+(by_src|by_dst|\\d+)\\s*,\\s*(track|count|seconds)\\s+(by_src|by_dst|\\d+)\\s*$"
50 
51 static DetectParseRegex parse_regex;
52 
53 static int DetectDetectionFilterMatch(DetectEngineThreadCtx *,
54  Packet *, const Signature *, const SigMatchCtx *);
55 static int DetectDetectionFilterSetup(DetectEngineCtx *, Signature *, const char *);
56 #ifdef UNITTESTS
57 static void DetectDetectionFilterRegisterTests(void);
58 #endif
59 static void DetectDetectionFilterFree(DetectEngineCtx *, void *);
60 
61 /**
62  * \brief Registration function for detection_filter: keyword
63  */
65 {
66  sigmatch_table[DETECT_DETECTION_FILTER].name = "detection_filter";
67  sigmatch_table[DETECT_DETECTION_FILTER].desc = "alert on every match after a threshold has been reached";
68  sigmatch_table[DETECT_DETECTION_FILTER].url = "/rules/thresholding.html#detection-filter";
69  sigmatch_table[DETECT_DETECTION_FILTER].Match = DetectDetectionFilterMatch;
70  sigmatch_table[DETECT_DETECTION_FILTER].Setup = DetectDetectionFilterSetup;
71  sigmatch_table[DETECT_DETECTION_FILTER].Free = DetectDetectionFilterFree;
72 #ifdef UNITTESTS
73  sigmatch_table[DETECT_DETECTION_FILTER].RegisterTests = DetectDetectionFilterRegisterTests;
74 #endif
75  /* this is compatible to ip-only signatures */
77 
78  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
79 }
80 
81 static int DetectDetectionFilterMatch (DetectEngineThreadCtx *det_ctx,
82  Packet *p, const Signature *s, const SigMatchCtx *ctx)
83 {
84  return 1;
85 }
86 
87 /**
88  * \internal
89  * \brief This function is used to parse detection_filter options passed via detection_filter: keyword
90  *
91  * \param rawstr Pointer to the user provided detection_filter options
92  *
93  * \retval df pointer to DetectThresholdData on success
94  * \retval NULL on failure
95  */
96 static DetectThresholdData *DetectDetectionFilterParse (const char *rawstr)
97 {
98  DetectThresholdData *df = NULL;
99  int ret = 0, res = 0;
100  int ov[MAX_SUBSTRINGS];
101  const char *str_ptr = NULL;
102  char *args[6] = { NULL, NULL, NULL, NULL, NULL, NULL};
103  char *copy_str = NULL, *df_opt = NULL;
104  int seconds_found = 0, count_found = 0, track_found = 0;
105  int seconds_pos = 0, count_pos = 0;
106  uint16_t pos = 0;
107  int i = 0;
108  char *saveptr = NULL;
109 
110  copy_str = SCStrdup(rawstr);
111  if (unlikely(copy_str == NULL)) {
112  goto error;
113  }
114 
115  for (pos = 0, df_opt = strtok_r(copy_str,",", &saveptr);
116  pos < strlen(copy_str) && df_opt != NULL;
117  pos++, df_opt = strtok_r(NULL,",", &saveptr))
118  {
119  if(strstr(df_opt,"count"))
120  count_found++;
121  if(strstr(df_opt,"second"))
122  seconds_found++;
123  if(strstr(df_opt,"track"))
124  track_found++;
125  }
126  SCFree(copy_str);
127  copy_str = NULL;
128 
129  if (count_found != 1 || seconds_found != 1 || track_found != 1)
130  goto error;
131 
132  ret = DetectParsePcreExec(&parse_regex, rawstr, 0, 0, ov, MAX_SUBSTRINGS);
133  if (ret < 5) {
134  SCLogError(SC_ERR_PCRE_MATCH, "pcre_exec parse error, ret %" PRId32 ", string %s", ret, rawstr);
135  goto error;
136  }
137 
138  df = SCMalloc(sizeof(DetectThresholdData));
139  if (unlikely(df == NULL))
140  goto error;
141 
142  memset(df,0,sizeof(DetectThresholdData));
143 
144  df->type = TYPE_DETECTION;
145 
146  for (i = 0; i < (ret - 1); i++) {
147  res = pcre_get_substring((char *)rawstr, ov, MAX_SUBSTRINGS, i + 1, &str_ptr);
148  if (res < 0) {
149  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
150  goto error;
151  }
152 
153  args[i] = (char *)str_ptr;
154 
155  if (strncasecmp(args[i],"by_dst",strlen("by_dst")) == 0)
156  df->track = TRACK_DST;
157  if (strncasecmp(args[i],"by_src",strlen("by_src")) == 0)
158  df->track = TRACK_SRC;
159  if (strncasecmp(args[i],"count",strlen("count")) == 0)
160  count_pos = i+1;
161  if (strncasecmp(args[i],"seconds",strlen("seconds")) == 0)
162  seconds_pos = i+1;
163  }
164 
165  if (args[count_pos] == NULL || args[seconds_pos] == NULL) {
166  goto error;
167  }
168 
169  if (StringParseUint32(&df->count, 10, strlen(args[count_pos]),
170  args[count_pos]) <= 0) {
171  goto error;
172  }
173 
174  if (StringParseUint32(&df->seconds, 10, strlen(args[seconds_pos]),
175  args[seconds_pos]) <= 0) {
176  goto error;
177  }
178 
179  if (df->count == 0 || df->seconds == 0) {
180  SCLogError(SC_ERR_INVALID_VALUE, "found an invalid value");
181  goto error;
182  }
183 
184  for (i = 0; i < 6; i++){
185  if (args[i] != NULL)
186  SCFree(args[i]);
187  }
188  return df;
189 
190 error:
191  for (i = 0; i < 6; i++){
192  if (args[i] != NULL)
193  SCFree(args[i]);
194  }
195  if (df != NULL)
196  SCFree(df);
197  return NULL;
198 }
199 
200 /**
201  * \internal
202  * \brief this function is used to add the parsed detection_filter into the current signature
203  *
204  * \param de_ctx pointer to the Detection Engine Context
205  * \param s pointer to the Current Signature
206  * \param m pointer to the Current SigMatch
207  * \param rawstr pointer to the user provided detection_filter options
208  *
209  * \retval 0 on Success
210  * \retval -1 on Failure
211  */
212 static int DetectDetectionFilterSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
213 {
214  SCEnter();
215  DetectThresholdData *df = NULL;
216  SigMatch *sm = NULL;
217  SigMatch *tmpm = NULL;
218 
219  /* checks if there's a previous instance of threshold */
221  if (tmpm != NULL) {
222  SCLogError(SC_ERR_INVALID_SIGNATURE, "\"detection_filter\" and \"threshold\" are not allowed in the same rule");
223  SCReturnInt(-1);
224  }
225  /* checks there's no previous instance of detection_filter */
227  if (tmpm != NULL) {
228  SCLogError(SC_ERR_INVALID_SIGNATURE, "At most one \"detection_filter\" is allowed per rule");
229  SCReturnInt(-1);
230  }
231 
232  df = DetectDetectionFilterParse(rawstr);
233  if (df == NULL)
234  goto error;
235 
236  sm = SigMatchAlloc();
237  if (sm == NULL)
238  goto error;
239 
241  sm->ctx = (SigMatchCtx *)df;
242 
244 
245  return 0;
246 
247 error:
248  if (df)
249  SCFree(df);
250  if (sm)
251  SCFree(sm);
252  return -1;
253 }
254 
255 /**
256  * \internal
257  * \brief this function will free memory associated with DetectThresholdData
258  *
259  * \param df_ptr pointer to DetectDetectionFilterData
260  */
261 static void DetectDetectionFilterFree(DetectEngineCtx *de_ctx, void *df_ptr)
262 {
264  if (df)
265  SCFree(df);
266 }
267 
268 /*
269  * ONLY TESTS BELOW THIS COMMENT
270  */
271 #ifdef UNITTESTS
272 #include "detect-engine.h"
273 #include "detect-engine-mpm.h"
274 #include "detect-engine-threshold.h"
275 #include "util-time.h"
276 #include "util-hashlist.h"
277 
278 /**
279  * \test DetectDetectionFilterTestParse01 is a test for a valid detection_filter options
280  *
281  * \retval 1 on succces
282  * \retval 0 on failure
283  */
284 static int DetectDetectionFilterTestParse01 (void)
285 {
286  DetectThresholdData *df = NULL;
287  df = DetectDetectionFilterParse("track by_dst,count 10,seconds 60");
288  if (df && (df->track == TRACK_DST) && (df->count == 10) && (df->seconds == 60)) {
289  DetectDetectionFilterFree(NULL, df);
290  return 1;
291  }
292 
293  return 0;
294 }
295 
296 /**
297  * \test DetectDetectionFilterTestParse02 is a test for a invalid detection_filter options
298  *
299  * \retval 1 on succces
300  * \retval 0 on failure
301  */
302 static int DetectDetectionFilterTestParse02 (void)
303 {
304  DetectThresholdData *df = NULL;
305  df = DetectDetectionFilterParse("track both,count 10,seconds 60");
306  if (df && (df->track == TRACK_DST || df->track == TRACK_SRC) && (df->count == 10) && (df->seconds == 60)) {
307  DetectDetectionFilterFree(NULL, df);
308  return 0;
309  }
310 
311  return 1;
312 }
313 
314 /**
315  * \test DetectDetectionfilterTestParse03 is a test for a valid detection_filter options in any order
316  *
317  * \retval 1 on succces
318  * \retval 0 on failure
319  */
320 static int DetectDetectionFilterTestParse03 (void)
321 {
322  DetectThresholdData *df = NULL;
323  df = DetectDetectionFilterParse("track by_dst, seconds 60, count 10");
324  if (df && (df->track == TRACK_DST) && (df->count == 10) && (df->seconds == 60)) {
325  DetectDetectionFilterFree(NULL, df);
326  return 1;
327  }
328 
329  return 0;
330 }
331 
332 
333 /**
334  * \test DetectDetectionFilterTestParse04 is a test for an invalid detection_filter options in any order
335  *
336  * \retval 1 on succces
337  * \retval 0 on failure
338  */
339 static int DetectDetectionFilterTestParse04 (void)
340 {
341  DetectThresholdData *df = NULL;
342  df = DetectDetectionFilterParse("count 10, track by_dst, seconds 60, count 10");
343  if (df && (df->track == TRACK_DST) && (df->count == 10) && (df->seconds == 60)) {
344  DetectDetectionFilterFree(NULL, df);
345  return 0;
346  }
347 
348  return 1;
349 }
350 
351 /**
352  * \test DetectDetectionFilterTestParse05 is a test for a valid detection_filter options in any order
353  *
354  * \retval 1 on succces
355  * \retval 0 on failure
356  */
357 static int DetectDetectionFilterTestParse05 (void)
358 {
359  DetectThresholdData *df = NULL;
360  df = DetectDetectionFilterParse("count 10, track by_dst, seconds 60");
361  if (df && (df->track == TRACK_DST) && (df->count == 10) && (df->seconds == 60)) {
362  DetectDetectionFilterFree(NULL, df);
363  return 1;
364  }
365 
366  return 0;
367 }
368 
369 /**
370  * \test DetectDetectionFilterTestParse06 is a test for an invalid value in detection_filter
371  *
372  * \retval 1 on succces
373  * \retval 0 on failure
374  */
375 static int DetectDetectionFilterTestParse06 (void)
376 {
377  DetectThresholdData *df = NULL;
378  df = DetectDetectionFilterParse("count 10, track by_dst, seconds 0");
379  if (df && (df->track == TRACK_DST) && (df->count == 10) && (df->seconds == 0)) {
380  DetectDetectionFilterFree(NULL, df);
381  return 0;
382  }
383 
384  return 1;
385 }
386 
387 /**
388  * \test DetectDetectionFilterTestSig1 is a test for checking the working of detection_filter keyword
389  * by setting up the signature and later testing its working by matching
390  * the received packet against the sig.
391  *
392  * \retval 1 on succces
393  * \retval 0 on failure
394  */
395 static int DetectDetectionFilterTestSig1(void)
396 {
397  Packet *p = NULL;
398  Signature *s = NULL;
399  ThreadVars th_v;
400  DetectEngineThreadCtx *det_ctx;
401  int result = 0;
402  int alerts = 0;
403 
405 
406  memset(&th_v, 0, sizeof(th_v));
407 
408  p = UTHBuildPacketReal(NULL, 0, IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
409 
411  if (de_ctx == NULL) {
412  goto end;
413  }
414 
415  de_ctx->flags |= DE_QUIET;
416 
417  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"detection_filter Test\"; detection_filter: track by_dst, count 4, seconds 60; sid:1;)");
418  if (s == NULL) {
419  goto end;
420  }
421 
423  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
424 
425  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
426  alerts = PacketAlertCheck(p, 1);
427  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
428  alerts += PacketAlertCheck(p, 1);
429  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
430  alerts += PacketAlertCheck(p, 1);
431  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
432  alerts += PacketAlertCheck(p, 1);
433  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
434  alerts += PacketAlertCheck(p, 1);
435  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
436  alerts += PacketAlertCheck(p, 1);
437  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
438  alerts += PacketAlertCheck(p, 1);
439  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
440  alerts += PacketAlertCheck(p, 1);
441 
442  if(alerts == 4)
443  result = 1;
444 
447 
448  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
450 
451 end:
452  UTHFreePackets(&p, 1);
453  HostShutdown();
454  return result;
455 }
456 
457 /**
458  * \test DetectDetectionFilterTestSig2 is a test for checking the working of detection_filter keyword
459  * by setting up the signature and later testing its working by matching
460  * the received packet against the sig.
461  *
462  * \retval 1 on succces
463  * \retval 0 on failure
464  */
465 
466 static int DetectDetectionFilterTestSig2(void)
467 {
468  Packet *p = NULL;
469  Signature *s = NULL;
470  ThreadVars th_v;
471  DetectEngineThreadCtx *det_ctx;
472  int result = 0;
473  int alerts = 0;
474  struct timeval ts;
475 
477 
478  memset (&ts, 0, sizeof(struct timeval));
479  TimeGet(&ts);
480 
481  memset(&th_v, 0, sizeof(th_v));
482 
483  p = UTHBuildPacketReal(NULL, 0, IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
484 
486  if (de_ctx == NULL) {
487  goto end;
488  }
489 
490  de_ctx->flags |= DE_QUIET;
491 
492  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"detection_filter Test 2\"; detection_filter: track by_dst, count 4, seconds 60; sid:10;)");
493  if (s == NULL) {
494  goto end;
495  }
496 
498  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
499 
500  TimeGet(&p->ts);
501 
502  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
503  alerts = PacketAlertCheck(p, 10);
504  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
505  alerts += PacketAlertCheck(p, 10);
506  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
507  alerts += PacketAlertCheck(p, 10);
508 
510  TimeGet(&p->ts);
511 
512  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
513  alerts += PacketAlertCheck(p, 10);
514  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
515  alerts += PacketAlertCheck(p, 10);
516  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
517  alerts += PacketAlertCheck(p, 10);
518  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
519  alerts += PacketAlertCheck(p, 10);
520 
521  if (alerts == 0)
522  result = 1;
523 
526 
527  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
529 end:
530  UTHFreePackets(&p, 1);
531  HostShutdown();
532  return result;
533 }
534 
535 /**
536  * \test drops
537  */
538 static int DetectDetectionFilterTestSig3(void)
539 {
540  Packet *p = NULL;
541  Signature *s = NULL;
542  ThreadVars th_v;
543  DetectEngineThreadCtx *det_ctx;
544  int result = 0;
545  int alerts = 0;
546  int drops = 0;
547  struct timeval ts;
548 
550 
551  memset (&ts, 0, sizeof(struct timeval));
552  TimeGet(&ts);
553 
554  memset(&th_v, 0, sizeof(th_v));
555 
556  p = UTHBuildPacketReal(NULL, 0, IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
557 
559  if (de_ctx == NULL) {
560  goto end;
561  }
562 
563  de_ctx->flags |= DE_QUIET;
564 
565  s = de_ctx->sig_list = SigInit(de_ctx,"drop tcp any any -> any 80 (msg:\"detection_filter Test 2\"; detection_filter: track by_dst, count 2, seconds 60; sid:10;)");
566  if (s == NULL) {
567  goto end;
568  }
569 
571  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
572 
573  TimeGet(&p->ts);
574 
575  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
576  alerts = PacketAlertCheck(p, 10);
577  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
578  p->action = 0;
579 
580  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
581  alerts += PacketAlertCheck(p, 10);
582  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
583  p->action = 0;
584 
585  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
586  alerts += PacketAlertCheck(p, 10);
587  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
588  p->action = 0;
589 
591  TimeGet(&p->ts);
592 
593  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
594  alerts += PacketAlertCheck(p, 10);
595  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
596  p->action = 0;
597 
598  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
599  alerts += PacketAlertCheck(p, 10);
600  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
601  p->action = 0;
602 
603  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
604  alerts += PacketAlertCheck(p, 10);
605  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
606  p->action = 0;
607 
608  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
609  alerts += PacketAlertCheck(p, 10);
610  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
611  p->action = 0;
612 
613  if (alerts == 3 && drops == 3)
614  result = 1;
615  else {
616  if (alerts != 3)
617  printf("alerts: %d != 3: ", alerts);
618  if (drops != 3)
619  printf("drops: %d != 3: ", drops);
620  }
621 
624 
625  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
627 end:
628  UTHFreePackets(&p, 1);
629  HostShutdown();
630  return result;
631 }
632 
633 static void DetectDetectionFilterRegisterTests(void)
634 {
635  UtRegisterTest("DetectDetectionFilterTestParse01",
636  DetectDetectionFilterTestParse01);
637  UtRegisterTest("DetectDetectionFilterTestParse02",
638  DetectDetectionFilterTestParse02);
639  UtRegisterTest("DetectDetectionFilterTestParse03",
640  DetectDetectionFilterTestParse03);
641  UtRegisterTest("DetectDetectionFilterTestParse04",
642  DetectDetectionFilterTestParse04);
643  UtRegisterTest("DetectDetectionFilterTestParse05",
644  DetectDetectionFilterTestParse05);
645  UtRegisterTest("DetectDetectionFilterTestParse06",
646  DetectDetectionFilterTestParse06);
647  UtRegisterTest("DetectDetectionFilterTestSig1",
648  DetectDetectionFilterTestSig1);
649  UtRegisterTest("DetectDetectionFilterTestSig2",
650  DetectDetectionFilterTestSig2);
651  UtRegisterTest("DetectDetectionFilterTestSig3",
652  DetectDetectionFilterTestSig3);
653 }
654 #endif /* UNITTESTS */
util-byte.h
host.h
SigTableElmt_::url
const char * url
Definition: detect.h:1214
ts
uint64_t ts
Definition: source-erf-file.c:54
detect-engine.h
SigTableElmt_::desc
const char * desc
Definition: detect.h:1213
SC_ERR_INVALID_VALUE
@ SC_ERR_INVALID_VALUE
Definition: util-error.h:160
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1201
util-hashlist.h
PARSE_REGEX
#define PARSE_REGEX
Regex for parsing our detection_filter options.
Definition: detect-detection-filter.c:49
SigTableElmt_::name
const char * name
Definition: detect.h:1211
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
DetectThresholdData_::count
uint32_t count
Definition: detect-threshold.h:58
Packet_::action
uint8_t action
Definition: decode.h:553
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2051
DETECT_SM_LIST_THRESHOLD
@ DETECT_SM_LIST_THRESHOLD
Definition: detect.h:104
HostInitConfig
void HostInitConfig(char quiet)
initialize the configuration
Definition: host.c:173
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1205
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:767
SC_ERR_INVALID_SIGNATURE
@ SC_ERR_INVALID_SIGNATURE
Definition: util-error.h:69
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2093
TRACK_DST
#define TRACK_DST
Definition: detect-detection-filter.c:43
DE_QUIET
#define DE_QUIET
Definition: detect.h:294
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:39
UTHBuildPacketReal
Packet * UTHBuildPacketReal(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, const char *src, const char *dst, uint16_t sport, uint16_t dport)
UTHBuildPacketReal is a function that create tcp/udp packets for unittests specifying ip and port sou...
Definition: util-unittest-helper.c:242
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1196
util-unittest.h
util-unittest-helper.h
DetectThresholdData_::type
uint8_t type
Definition: detect-threshold.h:60
decode.h
util-debug.h
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
detect-detection-filter.h
DetectEngineThreadCtx_
Definition: detect.h:1010
DETECT_THRESHOLD
@ DETECT_THRESHOLD
Definition: detect-engine-register.h:54
res
PoolThreadReserved res
Definition: stream-tcp-private.h:0
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2488
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
util-time.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:323
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1688
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1949
TimeSetIncrementTime
void TimeSetIncrementTime(uint32_t tv_sec)
increment the time in the engine
Definition: util-time.c:182
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options, int *ovector, int ovector_size)
Definition: detect-parse.c:2418
Packet_
Definition: decode.h:414
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1179
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1884
DetectThresholdData_::track
uint8_t track
Definition: detect-threshold.h:61
SigMatch_::type
uint8_t type
Definition: detect.h:321
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:315
StringParseUint32
int StringParseUint32(uint32_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:313
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2797
Packet_::ts
struct timeval ts
Definition: decode.h:457
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3005
DetectThresholdData_
Definition: detect-threshold.h:57
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectParseRegex_
Definition: detect-parse.h:42
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
HOST_QUIET
#define HOST_QUIET
Definition: host.h:93
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
HostShutdown
void HostShutdown(void)
shutdown the flow engine
Definition: host.c:305
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:773
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
DETECT_DETECTION_FILTER
@ DETECT_DETECTION_FILTER
Definition: detect-engine-register.h:97
SCFree
#define SCFree(p)
Definition: util-mem.h:61
detect-parse.h
DetectDetectionFilterRegister
void DetectDetectionFilterRegister(void)
Registration function for detection_filter: keyword.
Definition: detect-detection-filter.c:64
Signature_
Signature container.
Definition: detect.h:528
SigMatch_
a single match condition for a signature
Definition: detect.h:320
detect-threshold.h
TimeGet
void TimeGet(struct timeval *tv)
Definition: util-time.c:153
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2048
suricata.h
TRACK_SRC
#define TRACK_SRC
Definition: detect-detection-filter.c:44
DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition: detect-parse.c:468
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:768
DetectThresholdData_::seconds
uint32_t seconds
Definition: detect-threshold.h:59
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
SIGMATCH_IPONLY_COMPAT
#define SIGMATCH_IPONLY_COMPAT
Definition: detect.h:1382
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
debug.h
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1203
detect-engine-threshold.h
PACKET_TEST_ACTION
#define PACKET_TEST_ACTION(p, a)
Definition: decode.h:870
TYPE_DETECTION
#define TYPE_DETECTION
Definition: detect-threshold.h:34
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:468