Go to the documentation of this file.
51 static void DsizeRegisterTests(
void);
56 static bool PrefilterDsizeIsPrefilterable(
const Signature *s);
124 "the same sig. Invalidating signature.");
145 SCLogDebug(
"dd->arg1 %" PRIu16
", dd->arg2 %" PRIu16
", dd->mode %" PRIu8
"", dd->arg1,
166 SCDetectU16Free(de_ptr);
175 if (!PrefilterPacketHeaderExtraMatch(
ctx, p))
180 du16.mode =
ctx->v1.u8[0];
181 du16.arg1 =
ctx->v1.u16[1];
182 du16.arg2 =
ctx->v1.u16[2];
186 PrefilterAddSids(&det_ctx->
pmq,
ctx->sigs_array,
ctx->sigs_cnt);
196 static bool PrefilterDsizeIsPrefilterable(
const Signature *s)
241 uint16_t high = 65535;
274 SCLogDebug(
"low %u, high %u, mode %u", low, high, dd->mode);
308 if (total_length > dsize) {
309 SCLogDebug(
"required_dsize: %d exceeds dsize: %d", total_length, dsize);
313 if ((total_length +
offset) > dsize) {
314 SCLogDebug(
"length + offset: %d exceeds dsize: %d", total_length +
offset, dsize);
315 return total_length +
offset;
339 for ( ; sm != NULL; sm = sm->
next) {
351 cd->
depth = (uint16_t)dsize;
352 SCLogDebug(
"updated %u, content %u to have depth %u "
353 "because of dsize.", s->
id, cd->
id, cd->
depth);
373 static int DsizeTestParse01(
void)
380 DetectDsizeFree(NULL, dd);
388 static int DsizeTestParse02(
void)
394 DetectDsizeFree(NULL, dd);
402 static int DsizeTestParse03(
void)
409 DetectDsizeFree(NULL, dd);
417 static int DsizeTestParse04(
void)
425 DetectDsizeFree(NULL, dd);
433 static int DsizeTestParse05(
void)
441 DetectDsizeFree(NULL, dd);
449 static int DsizeTestParse06(
void)
456 DetectDsizeFree(NULL, dd);
464 static int DsizeTestParse07(
void)
471 DetectDsizeFree(NULL, dd);
479 static int DsizeTestParse08(
void)
486 DetectDsizeFree(NULL, dd);
494 static int DsizeTestParse09(
void)
498 DetectDsizeFree(NULL, dd);
506 static int DsizeTestParse10(
void)
510 DetectDsizeFree(NULL, dd);
519 static int DsizeTestParse11(
void)
521 const char *strings[] = {
"A",
">10<>10",
"<>10",
"1<>",
"",
" ",
"2<>1",
"1!", NULL };
522 for (
int i = 0; strings[i]; i++) {
534 static int DsizeTestMatch01(
void)
537 uint16_t dsizelow = 2;
538 uint16_t dsizehigh = 0;
541 du16.arg1 = dsizelow;
542 du16.arg2 = dsizehigh;
552 static int DsizeTestMatch02(
void)
555 uint16_t dsizelow = 1;
556 uint16_t dsizehigh = 0;
559 du16.arg1 = dsizelow;
560 du16.arg2 = dsizehigh;
571 static int DetectDsizeIcmpv6Test01(
void)
573 static uint8_t raw_icmpv6[] = {
574 0x60, 0x00, 0x00, 0x00, 0x00, 0x30, 0x3a, 0xff,
575 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
576 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
577 0xff, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
578 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
579 0x01, 0x00, 0x7b, 0x85, 0x00, 0x00, 0x00, 0x00,
580 0x60, 0x4b, 0xe8, 0xbd, 0x00, 0x00, 0x3b, 0xff,
581 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
582 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
583 0xff, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
584 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 };
610 "alert icmp any any -> any any "
611 "(msg:\"ICMP Large ICMP Packet\"; dsize:>8; sid:1; rev:4;)");
615 "alert icmp any any -> any any "
616 "(msg:\"ICMP Large ICMP Packet\"; dsize:>800; sid:2; rev:4;)");
639 static void DsizeRegisterTests(
void)
655 UtRegisterTest(
"DetectDsizeIcmpv6Test01", DetectDsizeIcmpv6Test01);
void DetectDsizeRegister(void)
Registration function for dsize: keyword.
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
#define SIG_MASK_REQUIRE_REAL_PKT
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
void PrefilterPacketU16Set(PrefilterPacketHeaderValue *v, void *smctx)
SigTableElmt * sigmatch_table
void(* Free)(DetectEngineCtx *, void *)
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Container for matching data for a signature group.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
int SigParseGetMaxDsize(const Signature *s)
get max dsize "depth"
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
void PacketRecycle(Packet *p)
main detection engine ctx
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
#define SIGMATCH_SUPPORT_FIREWALL
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
void FlowInitConfig(bool quiet)
initialize the configuration
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
#define PASS
Pass the test.
#define DETECT_CONTENT_DEPTH
Per thread variable structure.
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
void SigParseSetDsizePair(Signature *s)
set prefilter dsize pair
void SigParseRequiredContentSize(const Signature *s, const int max_size, const SigMatch *sm, int *len, int *offset)
Determine the size needed to accommodate the content elements of a signature.
int DecodeIPV6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint16_t len)
SignatureInitData * init_data
int PrefilterSetupPacketHeader(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type, SignatureMask mask, void(*Set)(PrefilterPacketHeaderValue *v, void *), bool(*Compare)(PrefilterPacketHeaderValue v, void *), void(*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
int DetectU16Match(const uint16_t parg, const DetectUintData_u16 *du16)
DetectUintData_u16 * DetectU16Parse(const char *u16str)
This function is used to parse u16 options passed via some u16 keyword.
bool PrefilterPacketU16Compare(PrefilterPacketHeaderValue v, void *smctx)
void FlowShutdown(void)
shutdown the flow engine
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
#define SCLogError(...)
Macro used to log ERROR messages.
Structure to hold thread specific data for all decode modules.
bool(* SupportsPrefilter)(const Signature *s)
a single match condition for a signature
DetectEngineCtx * DetectEngineCtxInit(void)
void SigParseApplyDsizeToContent(Signature *s)
Apply dsize as depth to content matches in the rule.
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
DetectUintData_u16 DetectU16Data
int SigParseMaxRequiredDsize(const Signature *s)
Determine the required dsize for the signature.
#define DEBUG_VALIDATE_BUG_ON(exp)
void(* RegisterTests)(void)
#define SIG_FLAG_REQUIRE_PACKET