suricata
detect-detection-filter.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Gerardo Iglesias <iglesiasg@gmail.com>
22  *
23  * Implements the detection_filter keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "suricata.h"
28 #include "decode.h"
29 #include "detect.h"
30 
31 #include "host.h"
32 
34 #include "detect-threshold.h"
35 #include "detect-parse.h"
36 
37 #include "util-byte.h"
38 #include "util-unittest.h"
39 #include "util-unittest-helper.h"
40 #include "util-debug.h"
41 #include "detect-engine-build.h"
42 
43 #define TRACK_DST 1
44 #define TRACK_SRC 2
45 
46 /**
47  *\brief Regex for parsing our detection_filter options
48  */
49 #define PARSE_REGEX \
50  "^\\s*(track|count|seconds)\\s+(by_src|by_dst|\\d+)\\s*,\\s*(track|count|seconds)\\s+(by_src|" \
51  "by_dst|\\d+)\\s*,\\s*(track|count|seconds)\\s+(by_src|by_dst|\\d+)\\s*$"
52 
53 static DetectParseRegex parse_regex;
54 
55 static int DetectDetectionFilterMatch(
56  DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *);
57 static int DetectDetectionFilterSetup(DetectEngineCtx *, Signature *, const char *);
58 #ifdef UNITTESTS
59 static void DetectDetectionFilterRegisterTests(void);
60 #endif
61 static void DetectDetectionFilterFree(DetectEngineCtx *, void *);
62 
63 /**
64  * \brief Registration function for detection_filter: keyword
65  */
67 {
68  sigmatch_table[DETECT_DETECTION_FILTER].name = "detection_filter";
70  "alert on every match after a threshold has been reached";
71  sigmatch_table[DETECT_DETECTION_FILTER].url = "/rules/thresholding.html#detection-filter";
72  sigmatch_table[DETECT_DETECTION_FILTER].Match = DetectDetectionFilterMatch;
73  sigmatch_table[DETECT_DETECTION_FILTER].Setup = DetectDetectionFilterSetup;
74  sigmatch_table[DETECT_DETECTION_FILTER].Free = DetectDetectionFilterFree;
75 #ifdef UNITTESTS
76  sigmatch_table[DETECT_DETECTION_FILTER].RegisterTests = DetectDetectionFilterRegisterTests;
77 #endif
78  /* this is compatible to ip-only signatures */
80 
81  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
82 }
83 
84 static int DetectDetectionFilterMatch(
85  DetectEngineThreadCtx *det_ctx, Packet *p, const Signature *s, const SigMatchCtx *ctx)
86 {
87  return 1;
88 }
89 
90 /**
91  * \internal
92  * \brief This function is used to parse detection_filter options passed via detection_filter:
93  * keyword
94  *
95  * \param rawstr Pointer to the user provided detection_filter options
96  *
97  * \retval df pointer to DetectThresholdData on success
98  * \retval NULL on failure
99  */
100 static DetectThresholdData *DetectDetectionFilterParse(const char *rawstr)
101 {
102  DetectThresholdData *df = NULL;
103  int ret = 0, res = 0;
104  size_t pcre2_len;
105  const char *str_ptr = NULL;
106  char *args[6] = { NULL, NULL, NULL, NULL, NULL, NULL };
107  char *copy_str = NULL, *df_opt = NULL;
108  int seconds_found = 0, count_found = 0, track_found = 0;
109  int seconds_pos = 0, count_pos = 0;
110  size_t pos = 0;
111  int i = 0;
112  char *saveptr = NULL;
113 
114  copy_str = SCStrdup(rawstr);
115  if (unlikely(copy_str == NULL)) {
116  goto error;
117  }
118 
119  for (pos = 0, df_opt = strtok_r(copy_str, ",", &saveptr);
120  pos < strlen(copy_str) && df_opt != NULL;
121  pos++, df_opt = strtok_r(NULL, ",", &saveptr)) {
122  if (strstr(df_opt, "count"))
123  count_found++;
124  if (strstr(df_opt, "second"))
125  seconds_found++;
126  if (strstr(df_opt, "track"))
127  track_found++;
128  }
129  SCFree(copy_str);
130  copy_str = NULL;
131 
132  if (count_found != 1 || seconds_found != 1 || track_found != 1)
133  goto error;
134 
135  ret = DetectParsePcreExec(&parse_regex, rawstr, 0, 0);
136  if (ret < 5) {
137  SCLogError("pcre_exec parse error, ret %" PRId32 ", string %s", ret, rawstr);
138  goto error;
139  }
140 
141  df = SCMalloc(sizeof(DetectThresholdData));
142  if (unlikely(df == NULL))
143  goto error;
144 
145  memset(df, 0, sizeof(DetectThresholdData));
146 
147  df->type = TYPE_DETECTION;
148 
149  for (i = 0; i < (ret - 1); i++) {
150  res = pcre2_substring_get_bynumber(
151  parse_regex.match, i + 1, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
152  if (res < 0) {
153  SCLogError("pcre2_substring_get_bynumber failed");
154  goto error;
155  }
156 
157  args[i] = (char *)str_ptr;
158 
159  if (strncasecmp(args[i], "by_dst", strlen("by_dst")) == 0)
160  df->track = TRACK_DST;
161  if (strncasecmp(args[i], "by_src", strlen("by_src")) == 0)
162  df->track = TRACK_SRC;
163  if (strncasecmp(args[i], "count", strlen("count")) == 0)
164  count_pos = i + 1;
165  if (strncasecmp(args[i], "seconds", strlen("seconds")) == 0)
166  seconds_pos = i + 1;
167  }
168 
169  if (args[count_pos] == NULL || args[seconds_pos] == NULL) {
170  goto error;
171  }
172 
173  if (StringParseUint32(&df->count, 10, strlen(args[count_pos]), args[count_pos]) <= 0) {
174  goto error;
175  }
176 
177  if (StringParseUint32(&df->seconds, 10, strlen(args[seconds_pos]), args[seconds_pos]) <= 0) {
178  goto error;
179  }
180 
181  if (df->count == 0 || df->seconds == 0) {
182  SCLogError("found an invalid value");
183  goto error;
184  }
185 
186  for (i = 0; i < 6; i++) {
187  if (args[i] != NULL)
188  pcre2_substring_free((PCRE2_UCHAR *)args[i]);
189  }
190  return df;
191 
192 error:
193  for (i = 0; i < 6; i++) {
194  if (args[i] != NULL)
195  pcre2_substring_free((PCRE2_UCHAR *)args[i]);
196  }
197  if (df != NULL)
198  SCFree(df);
199  return NULL;
200 }
201 
202 /**
203  * \internal
204  * \brief this function is used to add the parsed detection_filter into the current signature
205  *
206  * \param de_ctx pointer to the Detection Engine Context
207  * \param s pointer to the Current Signature
208  * \param m pointer to the Current SigMatch
209  * \param rawstr pointer to the user provided detection_filter options
210  *
211  * \retval 0 on Success
212  * \retval -1 on Failure
213  */
214 static int DetectDetectionFilterSetup(DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
215 {
216  SCEnter();
217  DetectThresholdData *df = NULL;
218  SigMatch *sm = NULL;
219  SigMatch *tmpm = NULL;
220 
221  /* checks if there's a previous instance of threshold */
223  if (tmpm != NULL) {
224  SCLogError("\"detection_filter\" and \"threshold\" are not allowed in the same rule");
225  SCReturnInt(-1);
226  }
227  /* checks there's no previous instance of detection_filter */
229  if (tmpm != NULL) {
230  SCLogError("At most one \"detection_filter\" is allowed per rule");
231  SCReturnInt(-1);
232  }
233 
234  df = DetectDetectionFilterParse(rawstr);
235  if (df == NULL)
236  goto error;
237 
238  sm = SigMatchAlloc();
239  if (sm == NULL)
240  goto error;
241 
243  sm->ctx = (SigMatchCtx *)df;
244 
246 
247  return 0;
248 
249 error:
250  if (df)
251  SCFree(df);
252  if (sm)
253  SCFree(sm);
254  return -1;
255 }
256 
257 /**
258  * \internal
259  * \brief this function will free memory associated with DetectThresholdData
260  *
261  * \param df_ptr pointer to DetectDetectionFilterData
262  */
263 static void DetectDetectionFilterFree(DetectEngineCtx *de_ctx, void *df_ptr)
264 {
266  if (df)
267  SCFree(df);
268 }
269 
270 /*
271  * ONLY TESTS BELOW THIS COMMENT
272  */
273 #ifdef UNITTESTS
274 #include "detect-engine.h"
275 #include "detect-engine-mpm.h"
276 #include "detect-engine-threshold.h"
277 #include "detect-engine-alert.h"
278 #include "util-time.h"
279 #include "util-hashlist.h"
280 #include "action-globals.h"
281 #include "packet.h"
282 
283 /**
284  * \test DetectDetectionFilterTestParse01 is a test for a valid detection_filter options
285  *
286  */
287 static int DetectDetectionFilterTestParse01(void)
288 {
289  DetectThresholdData *df = DetectDetectionFilterParse("track by_dst,count 10,seconds 60");
290  FAIL_IF_NULL(df);
291  FAIL_IF_NOT(df->track == TRACK_DST);
292  FAIL_IF_NOT(df->count == 10);
293  FAIL_IF_NOT(df->seconds == 60);
294  DetectDetectionFilterFree(NULL, df);
295 
296  PASS;
297 }
298 
299 /**
300  * \test DetectDetectionFilterTestParse02 is a test for a invalid detection_filter options
301  *
302  */
303 static int DetectDetectionFilterTestParse02(void)
304 {
305  DetectThresholdData *df = DetectDetectionFilterParse("track both,count 10,seconds 60");
306  FAIL_IF_NOT_NULL(df);
307 
308  PASS;
309 }
310 
311 /**
312  * \test DetectDetectionfilterTestParse03 is a test for a valid detection_filter options in any
313  * order
314  *
315  */
316 static int DetectDetectionFilterTestParse03(void)
317 {
318  DetectThresholdData *df = DetectDetectionFilterParse("track by_dst, seconds 60, count 10");
319  FAIL_IF_NULL(df);
320  FAIL_IF_NOT(df->track == TRACK_DST);
321  FAIL_IF_NOT(df->count == 10);
322  FAIL_IF_NOT(df->seconds == 60);
323  DetectDetectionFilterFree(NULL, df);
324 
325  PASS;
326 }
327 
328 /**
329  * \test DetectDetectionFilterTestParse04 is a test for an invalid detection_filter options in any
330  * order
331  *
332  */
333 static int DetectDetectionFilterTestParse04(void)
334 {
335  DetectThresholdData *df =
336  DetectDetectionFilterParse("count 10, track by_dst, seconds 60, count 10");
337  FAIL_IF_NOT_NULL(df);
338 
339  PASS;
340 }
341 
342 /**
343  * \test DetectDetectionFilterTestParse05 is a test for a valid detection_filter options in any
344  * order
345  *
346  */
347 static int DetectDetectionFilterTestParse05(void)
348 {
349  DetectThresholdData *df = DetectDetectionFilterParse("count 10, track by_dst, seconds 60");
350  FAIL_IF_NULL(df);
351  FAIL_IF_NOT(df->track == TRACK_DST);
352  FAIL_IF_NOT(df->count == 10);
353  FAIL_IF_NOT(df->seconds == 60);
354  DetectDetectionFilterFree(NULL, df);
355 
356  PASS;
357 }
358 
359 /**
360  * \test DetectDetectionFilterTestParse06 is a test for an invalid value in detection_filter
361  *
362  */
363 static int DetectDetectionFilterTestParse06(void)
364 {
365  DetectThresholdData *df = DetectDetectionFilterParse("count 10, track by_dst, seconds 0");
366  FAIL_IF_NOT_NULL(df);
367 
368  PASS;
369 }
370 
371 /**
372  * \test DetectDetectionFilterTestSig1 is a test for checking the working of detection_filter
373  * keyword by setting up the signature and later testing its working by matching the received packet
374  * against the sig.
375  *
376  */
377 static int DetectDetectionFilterTestSig1(void)
378 {
379  ThreadVars th_v;
380  DetectEngineThreadCtx *det_ctx;
381 
383 
384  memset(&th_v, 0, sizeof(th_v));
385 
386  Packet *p = UTHBuildPacketReal(NULL, 0, IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
387 
390 
391  de_ctx->flags |= DE_QUIET;
392 
394  "alert tcp any any -> any 80 (msg:\"detection_filter Test\"; detection_filter: "
395  "track by_dst, count 4, seconds 60; sid:1;)");
396  FAIL_IF_NULL(s);
397 
399  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
400 
401  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
402  FAIL_IF(PacketAlertCheck(p, 1));
403  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
404  FAIL_IF(PacketAlertCheck(p, 1));
405  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
406  FAIL_IF(PacketAlertCheck(p, 1));
407  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
408  FAIL_IF(PacketAlertCheck(p, 1));
409  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
411  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
413  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
415  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
417 
418  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
420 
421  UTHFreePackets(&p, 1);
422  HostShutdown();
423 
424  PASS;
425 }
426 
427 /**
428  * \test DetectDetectionFilterTestSig2 is a test for checking the working of detection_filter
429  * keyword by setting up the signature and later testing its working by matching the received packet
430  * against the sig.
431  *
432  */
433 
434 static int DetectDetectionFilterTestSig2(void)
435 {
436  ThreadVars th_v;
437  DetectEngineThreadCtx *det_ctx;
438 
440 
441  memset(&th_v, 0, sizeof(th_v));
442 
443  Packet *p = UTHBuildPacketReal(NULL, 0, IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
444 
446 
448 
449  de_ctx->flags |= DE_QUIET;
450 
452  "alert tcp any any -> any 80 (msg:\"detection_filter Test 2\"; "
453  "detection_filter: track by_dst, count 4, seconds 60; sid:10;)");
454  FAIL_IF_NULL(s);
455 
457  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
458 
459  p->ts = TimeGet();
460 
461  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
462  FAIL_IF(PacketAlertCheck(p, 10));
463  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
464  FAIL_IF(PacketAlertCheck(p, 10));
465  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
466  FAIL_IF(PacketAlertCheck(p, 10));
467 
469  p->ts = TimeGet();
470 
471  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
472  FAIL_IF(PacketAlertCheck(p, 10));
473  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
474  FAIL_IF(PacketAlertCheck(p, 10));
475  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
476  FAIL_IF(PacketAlertCheck(p, 10));
477  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
478  FAIL_IF(PacketAlertCheck(p, 10));
479 
480  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
482 
483  UTHFreePackets(&p, 1);
484  HostShutdown();
485 
486  PASS;
487 }
488 
489 /**
490  * \test drops
491  */
492 static int DetectDetectionFilterTestSig3(void)
493 {
494  ThreadVars th_v;
495  DetectEngineThreadCtx *det_ctx;
496 
498 
499  memset(&th_v, 0, sizeof(th_v));
500 
501  Packet *p = UTHBuildPacketReal(NULL, 0, IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
502 
505 
506  de_ctx->flags |= DE_QUIET;
507 
509  "drop tcp any any -> any 80 (msg:\"detection_filter Test 2\"; "
510  "detection_filter: track by_dst, count 2, seconds 60; sid:10;)");
511  FAIL_IF_NULL(s);
512 
514  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
515 
516  p->ts = TimeGet();
517 
518  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
519  FAIL_IF(PacketAlertCheck(p, 10));
520  FAIL_IF(PacketTestAction(p, ACTION_DROP));
521  p->action = 0;
522 
523  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
524  FAIL_IF(PacketAlertCheck(p, 10));
525  FAIL_IF(PacketTestAction(p, ACTION_DROP));
526  p->action = 0;
527 
528  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
530  FAIL_IF_NOT(PacketTestAction(p, ACTION_DROP));
531  p->action = 0;
532 
534  p->ts = TimeGet();
535 
536  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
537  FAIL_IF(PacketAlertCheck(p, 10));
538  FAIL_IF(PacketTestAction(p, ACTION_DROP));
539  p->action = 0;
540 
541  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
542  FAIL_IF(PacketAlertCheck(p, 10));
543  FAIL_IF(PacketTestAction(p, ACTION_DROP));
544  p->action = 0;
545 
546  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
548  FAIL_IF_NOT(PacketTestAction(p, ACTION_DROP));
549  p->action = 0;
550 
551  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
553  FAIL_IF_NOT(PacketTestAction(p, ACTION_DROP));
554  p->action = 0;
555 
556  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
558 
559  UTHFreePackets(&p, 1);
560  HostShutdown();
561 
562  PASS;
563 }
564 
565 static void DetectDetectionFilterRegisterTests(void)
566 {
567  UtRegisterTest("DetectDetectionFilterTestParse01", DetectDetectionFilterTestParse01);
568  UtRegisterTest("DetectDetectionFilterTestParse02", DetectDetectionFilterTestParse02);
569  UtRegisterTest("DetectDetectionFilterTestParse03", DetectDetectionFilterTestParse03);
570  UtRegisterTest("DetectDetectionFilterTestParse04", DetectDetectionFilterTestParse04);
571  UtRegisterTest("DetectDetectionFilterTestParse05", DetectDetectionFilterTestParse05);
572  UtRegisterTest("DetectDetectionFilterTestParse06", DetectDetectionFilterTestParse06);
573  UtRegisterTest("DetectDetectionFilterTestSig1", DetectDetectionFilterTestSig1);
574  UtRegisterTest("DetectDetectionFilterTestSig2", DetectDetectionFilterTestSig2);
575  UtRegisterTest("DetectDetectionFilterTestSig3", DetectDetectionFilterTestSig3);
576 }
577 #endif /* UNITTESTS */
util-byte.h
host.h
DetectParseRegex::match
pcre2_match_data * match
Definition: detect-parse.h:47
SigTableElmt_::url
const char * url
Definition: detect.h:1241
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SigTableElmt_::desc
const char * desc
Definition: detect.h:1240
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options)
Definition: detect-parse.c:2488
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1228
util-hashlist.h
PARSE_REGEX
#define PARSE_REGEX
Regex for parsing our detection_filter options.
Definition: detect-detection-filter.c:49
DetectParseRegex
Definition: detect-parse.h:44
SigTableElmt_::name
const char * name
Definition: detect.h:1238
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
DetectThresholdData_::count
uint32_t count
Definition: detect-threshold.h:55
action-globals.h
Packet_::action
uint8_t action
Definition: decode.h:577
DETECT_SM_LIST_THRESHOLD
@ DETECT_SM_LIST_THRESHOLD
Definition: detect.h:93
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1232
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:785
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2442
TRACK_DST
#define TRACK_DST
Definition: detect-detection-filter.c:43
DE_QUIET
#define DE_QUIET
Definition: detect.h:287
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1809
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2434
UTHBuildPacketReal
Packet * UTHBuildPacketReal(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, const char *src, const char *dst, uint16_t sport, uint16_t dport)
UTHBuildPacketReal is a function that create tcp/udp packets for unittests specifying ip and port sou...
Definition: util-unittest-helper.c:244
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1223
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
DetectThresholdData_::type
uint8_t type
Definition: detect-threshold.h:57
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
detect-detection-filter.h
DetectEngineThreadCtx_
Definition: detect.h:1025
Packet_::ts
SCTime_t ts
Definition: decode.h:471
DETECT_THRESHOLD
@ DETECT_THRESHOLD
Definition: detect-engine-register.h:57
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2609
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
StringParseUint32
int StringParseUint32(uint32_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:313
util-time.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:316
TimeSetIncrementTime
void TimeSetIncrementTime(uint32_t tv_sec)
increment the time in the engine
Definition: util-time.c:180
Packet_
Definition: decode.h:428
detect-engine-build.h
TimeGet
SCTime_t TimeGet(void)
Definition: util-time.c:152
detect-engine-alert.h
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1206
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:239
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1951
DetectThresholdData_::track
uint8_t track
Definition: detect-threshold.h:58
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:308
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3153
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3367
SigMatch_::type
uint16_t type
Definition: detect.h:314
DetectThresholdData_
Definition: detect-threshold.h:54
packet.h
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:76
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
HOST_QUIET
#define HOST_QUIET
Definition: host.h:93
HostShutdown
void HostShutdown(void)
shutdown the flow engine
Definition: host.c:306
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
DETECT_DETECTION_FILTER
@ DETECT_DETECTION_FILTER
Definition: detect-engine-register.h:100
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SCFree
#define SCFree(p)
Definition: util-mem.h:61
detect-parse.h
DetectDetectionFilterRegister
void DetectDetectionFilterRegister(void)
Registration function for detection_filter: keyword.
Definition: detect-detection-filter.c:66
Signature_
Signature container.
Definition: detect.h:540
SigMatch_
a single match condition for a signature
Definition: detect.h:313
detect-threshold.h
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2403
suricata.h
TRACK_SRC
#define TRACK_SRC
Definition: detect-detection-filter.c:44
HostInitConfig
void HostInitConfig(bool quiet)
initialize the configuration
Definition: host.c:175
DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition: detect-parse.c:474
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:786
DetectThresholdData_::seconds
uint32_t seconds
Definition: detect-threshold.h:56
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
SIGMATCH_IPONLY_COMPAT
#define SIGMATCH_IPONLY_COMPAT
Definition: detect.h:1425
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:354
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1230
detect-engine-threshold.h
TYPE_DETECTION
#define TYPE_DETECTION
Definition: detect-threshold.h:31
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:468