suricata
detect-dsize.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Implements the dsize keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 
29 #include "detect.h"
30 #include "detect-parse.h"
32 #include "detect-engine-build.h"
33 
34 #include "flow-var.h"
35 
36 #include "detect-content.h"
37 #include "detect-dsize.h"
38 
39 #include "util-unittest.h"
40 #include "util-debug.h"
41 #include "util-byte.h"
42 
43 #include "pkt-var.h"
44 #include "host.h"
45 #include "util-profiling.h"
46 
47 static int DetectDsizeMatch (DetectEngineThreadCtx *, Packet *,
48  const Signature *, const SigMatchCtx *);
49 static int DetectDsizeSetup (DetectEngineCtx *, Signature *s, const char *str);
50 #ifdef UNITTESTS
51 static void DsizeRegisterTests(void);
52 #endif
53 static void DetectDsizeFree(DetectEngineCtx *, void *);
54 
55 static int PrefilterSetupDsize(DetectEngineCtx *de_ctx, SigGroupHead *sgh);
56 static bool PrefilterDsizeIsPrefilterable(const Signature *s);
57 
58 /**
59  * \brief Registration function for dsize: keyword
60  */
62 {
63  sigmatch_table[DETECT_DSIZE].name = "dsize";
64  sigmatch_table[DETECT_DSIZE].desc = "match on the size of the packet payload";
65  sigmatch_table[DETECT_DSIZE].url = "/rules/payload-keywords.html#dsize";
66  sigmatch_table[DETECT_DSIZE].Match = DetectDsizeMatch;
67  sigmatch_table[DETECT_DSIZE].Setup = DetectDsizeSetup;
68  sigmatch_table[DETECT_DSIZE].Free = DetectDsizeFree;
69 #ifdef UNITTESTS
70  sigmatch_table[DETECT_DSIZE].RegisterTests = DsizeRegisterTests;
71 #endif
72  sigmatch_table[DETECT_DSIZE].SupportsPrefilter = PrefilterDsizeIsPrefilterable;
73  sigmatch_table[DETECT_DSIZE].SetupPrefilter = PrefilterSetupDsize;
74 }
75 
76 /**
77  * \internal
78  * \brief This function is used to match flags on a packet with those passed via dsize:
79  *
80  * \param t pointer to thread vars
81  * \param det_ctx pointer to the pattern matcher thread
82  * \param p pointer to the current packet
83  * \param s pointer to the Signature
84  * \param m pointer to the sigmatch
85  *
86  * \retval 0 no match
87  * \retval 1 match
88  */
89 static int DetectDsizeMatch (DetectEngineThreadCtx *det_ctx, Packet *p,
90  const Signature *s, const SigMatchCtx *ctx)
91 {
92  SCEnter();
93  int ret = 0;
94 
95  if (PKT_IS_PSEUDOPKT(p)) {
96  SCReturnInt(0);
97  }
98 
99  const DetectU16Data *dd = (const DetectU16Data *)ctx;
100 
101  SCLogDebug("p->payload_len %"PRIu16"", p->payload_len);
102 
103  ret = DetectU16Match(p->payload_len, dd);
104 
105  SCReturnInt(ret);
106 }
107 
108 /**
109  * \internal
110  * \brief this function is used to add the parsed dsize into the current signature
111  *
112  * \param de_ctx pointer to the Detection Engine Context
113  * \param s pointer to the Current Signature
114  * \param rawstr pointer to the user provided flags options
115  *
116  * \retval 0 on Success
117  * \retval -1 on Failure
118  */
119 static int DetectDsizeSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
120 {
121  DetectU16Data *dd = NULL;
122  SigMatch *sm = NULL;
123 
125  SCLogError(SC_ERR_INVALID_SIGNATURE, "Can't use 2 or more dsizes in "
126  "the same sig. Invalidating signature.");
127  goto error;
128  }
129 
130  SCLogDebug("\'%s\'", rawstr);
131 
132  dd = DetectU16Parse(rawstr);
133  if (dd == NULL) {
134  SCLogError(SC_ERR_INVALID_ARGUMENT,"Parsing \'%s\' failed", rawstr);
135  goto error;
136  }
137 
138  /* Okay so far so good, lets get this into a SigMatch
139  * and put it in the Signature. */
140  sm = SigMatchAlloc();
141  if (sm == NULL){
142  SCLogError(SC_ERR_MEM_ALLOC, "Failed to allocate memory for SigMatch");
143  rs_detect_u16_free(dd);
144  goto error;
145  }
146 
147  sm->type = DETECT_DSIZE;
148  sm->ctx = (SigMatchCtx *)dd;
149 
151 
152  SCLogDebug("dd->arg1 %" PRIu16 ", dd->arg2 %" PRIu16 ", dd->mode %" PRIu8 "", dd->arg1,
153  dd->arg2, dd->mode);
154  /* tell the sig it has a dsize to speed up engine init */
156  s->flags |= SIG_FLAG_DSIZE;
157 
158  if (s->init_data->dsize_sm == NULL) {
159  s->init_data->dsize_sm = sm;
160  }
161 
162  return 0;
163 
164 error:
165  return -1;
166 }
167 
168 /**
169  * \internal
170  * \brief this function will free memory associated with DetectU16Data
171  *
172  * \param de pointer to DetectU16Data
173  */
174 void DetectDsizeFree(DetectEngineCtx *de_ctx, void *de_ptr)
175 {
176  rs_detect_u16_free(de_ptr);
177 }
178 
179 /* prefilter code */
180 
181 static void
182 PrefilterPacketDsizeMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)
183 {
184  if (PKT_IS_PSEUDOPKT(p)) {
185  SCReturn;
186  }
187 
188  const PrefilterPacketHeaderCtx *ctx = pectx;
189  if (!PrefilterPacketHeaderExtraMatch(ctx, p))
190  return;
191 
192  const uint16_t dsize = p->payload_len;
193  DetectU16Data du16;
194  du16.mode = ctx->v1.u8[0];
195  du16.arg1 = ctx->v1.u16[1];
196  du16.arg2 = ctx->v1.u16[2];
197 
198  if (DetectU16Match(dsize, &du16)) {
199  SCLogDebug("packet matches dsize %u", dsize);
200  PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);
201  }
202 }
203 
204 static int PrefilterSetupDsize(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
205 {
207  PrefilterPacketU16Compare, PrefilterPacketDsizeMatch);
208 }
209 
210 static bool PrefilterDsizeIsPrefilterable(const Signature *s)
211 {
212  const SigMatch *sm;
213  for (sm = s->init_data->smlists[DETECT_SM_LIST_MATCH] ; sm != NULL; sm = sm->next) {
214  switch (sm->type) {
215  case DETECT_DSIZE:
216  return true;
217  }
218  }
219  return false;
220 }
221 
222 /** \brief get max dsize "depth"
223  * \param s signature to get dsize value from
224  * \retval depth or negative value
225  */
227 {
228  if (s->flags & SIG_FLAG_DSIZE && s->init_data->dsize_sm != NULL) {
229  const DetectU16Data *dd = (const DetectU16Data *)s->init_data->dsize_sm->ctx;
230 
231  switch (dd->mode) {
232  case DETECT_UINT_LT:
233  case DETECT_UINT_EQ:
234  case DETECT_UINT_NE:
235  return dd->arg1;
236  case DETECT_UINT_RA:
237  return dd->arg2;
238  case DETECT_UINT_GT:
239  default:
240  SCReturnInt(-2);
241  }
242  }
243  SCReturnInt(-1);
244 }
245 
246 /** \brief set prefilter dsize pair
247  * \param s signature to get dsize value from
248  */
250 {
251  if (s->flags & SIG_FLAG_DSIZE && s->init_data->dsize_sm != NULL) {
253 
254  uint16_t low = 0;
255  uint16_t high = 65535;
256 
257  switch (dd->mode) {
258  case DETECT_UINT_LT:
259  low = 0;
260  high = dd->arg1;
261  break;
262  case DETECT_UINT_LTE:
263  low = 0;
264  high = dd->arg1 + 1;
265  break;
266  case DETECT_UINT_EQ:
267  case DETECT_UINT_NE:
268  low = dd->arg1;
269  high = dd->arg1;
270  break;
271  case DETECT_UINT_RA:
272  low = dd->arg1;
273  high = dd->arg2;
274  break;
275  case DETECT_UINT_GT:
276  low = dd->arg1;
277  high = 65535;
278  break;
279  case DETECT_UINT_GTE:
280  low = dd->arg1 - 1;
281  high = 65535;
282  break;
283  }
284  s->dsize_mode = dd->mode;
285  s->dsize_low = low;
286  s->dsize_high = high;
287 
288  SCLogDebug("low %u, high %u, mode %u", low, high, dd->mode);
289  }
290 }
291 
292 /**
293  * \brief Determine the required dsize for the signature
294  * \param s signature to get dsize value from
295  *
296  * Note that negated content does not contribute to the maximum
297  * required dsize value. However, each negated content's values
298  * must not exceed the dsize value. See SigParseRequiredContentSize.
299  *
300  * \retval -1 Signature doesn't have a dsize keyword
301  * \retval >= 0 Dsize value required to not exclude content matches
302  */
304 {
305  SCEnter();
306 
307  if (!(s->flags & SIG_FLAG_DSIZE)) {
308  SCReturnInt(-1);
309  }
310 
311  const int dsize = SigParseGetMaxDsize(s);
312  if (dsize < 0) {
313  /* nothing to do */
314  SCReturnInt(-1);
315  }
316 
317  int total_length, offset;
318  SigParseRequiredContentSize(s, dsize, DETECT_SM_LIST_PMATCH, &total_length, &offset);
319  SCLogDebug("dsize: %d len: %d; offset: %d [%s]", dsize, total_length, offset, s->sig_str);
320 
321  if (total_length > dsize) {
322  SCLogDebug("required_dsize: %d exceeds dsize: %d", total_length, dsize);
323  return total_length;
324  }
325 
326  if ((total_length + offset) > dsize) {
327  SCLogDebug("length + offset: %d exceeds dsize: %d", total_length + offset, dsize);
328  return total_length + offset;
329  }
330 
331  SCReturnInt(-1);
332 }
333 
334 /**
335  * \brief Apply dsize as depth to content matches in the rule
336  * \param s signature to get dsize value from
337  */
339 {
340  SCEnter();
341 
342  if (s->flags & SIG_FLAG_DSIZE) {
344 
345  int dsize = SigParseGetMaxDsize(s);
346  if (dsize < 0) {
347  /* nothing to do */
348  return;
349  }
350 
352  for ( ; sm != NULL; sm = sm->next) {
353  if (sm->type != DETECT_CONTENT) {
354  continue;
355  }
356 
358  if (cd == NULL) {
359  continue;
360  }
361 
362  if (cd->depth == 0 || cd->depth >= dsize) {
364  cd->depth = (uint16_t)dsize;
365  SCLogDebug("updated %u, content %u to have depth %u "
366  "because of dsize.", s->id, cd->id, cd->depth);
367  }
368  }
369  }
370 }
371 
372 /*
373  * ONLY TESTS BELOW THIS COMMENT
374  */
375 
376 #ifdef UNITTESTS
377 #include "util-unittest-helper.h"
378 #include "detect-engine.h"
379 #include "detect-engine-alert.h"
380 #include "packet.h"
381 
382 /**
383  * \test this is a test for a valid dsize value 1
384  *
385  */
386 static int DsizeTestParse01(void)
387 {
388  DetectU16Data *dd = DetectU16Parse("1");
389  FAIL_IF_NULL(dd);
390  FAIL_IF_NOT(dd->arg1 == 1);
391  FAIL_IF_NOT(dd->arg2 == 0);
392 
393  DetectDsizeFree(NULL, dd);
394  PASS;
395 }
396 
397 /**
398  * \test this is a test for a valid dsize value >10
399  *
400  */
401 static int DsizeTestParse02(void)
402 {
403  DetectU16Data *dd = DetectU16Parse(">10");
404  FAIL_IF_NULL(dd);
405  FAIL_IF_NOT(dd->arg1 == 10);
406  FAIL_IF_NOT(dd->mode == DETECT_UINT_GT);
407  DetectDsizeFree(NULL, dd);
408  PASS;
409 }
410 
411 /**
412  * \test this is a test for a valid dsize value <100
413  *
414  */
415 static int DsizeTestParse03(void)
416 {
417  DetectU16Data *dd = DetectU16Parse("<100");
418  FAIL_IF_NULL(dd);
419  FAIL_IF_NOT(dd->arg1 == 100);
420  FAIL_IF_NOT(dd->mode == DETECT_UINT_LT);
421 
422  DetectDsizeFree(NULL, dd);
423  PASS;
424 }
425 
426 /**
427  * \test this is a test for a valid dsize value 1<>3
428  *
429  */
430 static int DsizeTestParse04(void)
431 {
432  DetectU16Data *dd = DetectU16Parse("1<>3");
433  FAIL_IF_NULL(dd);
434  FAIL_IF_NOT(dd->arg1 == 1);
435  FAIL_IF_NOT(dd->arg2 == 3);
436  FAIL_IF_NOT(dd->mode == DETECT_UINT_RA);
437 
438  DetectDsizeFree(NULL, dd);
439  PASS;
440 }
441 
442 /**
443  * \test this is a test for a valid dsize value 1 <> 3
444  *
445  */
446 static int DsizeTestParse05(void)
447 {
448  DetectU16Data *dd = DetectU16Parse(" 1 <> 3 ");
449  FAIL_IF_NULL(dd);
450  FAIL_IF_NOT(dd->arg1 == 1);
451  FAIL_IF_NOT(dd->arg2 == 3);
452  FAIL_IF_NOT(dd->mode == DETECT_UINT_RA);
453 
454  DetectDsizeFree(NULL, dd);
455  PASS;
456 }
457 
458 /**
459  * \test this is test for a valid dsize value > 2
460  *
461  */
462 static int DsizeTestParse06(void)
463 {
464  DetectU16Data *dd = DetectU16Parse("> 2 ");
465  FAIL_IF_NULL(dd);
466  FAIL_IF_NOT(dd->arg1 == 2);
467  FAIL_IF_NOT(dd->mode == DETECT_UINT_GT);
468 
469  DetectDsizeFree(NULL, dd);
470  PASS;
471 }
472 
473 /**
474  * \test test for a valid dsize value < 12
475  *
476  */
477 static int DsizeTestParse07(void)
478 {
479  DetectU16Data *dd = DetectU16Parse("< 12 ");
480  FAIL_IF_NULL(dd);
481  FAIL_IF_NOT(dd->arg1 == 12);
482  FAIL_IF_NOT(dd->mode == DETECT_UINT_LT);
483 
484  DetectDsizeFree(NULL, dd);
485  PASS;
486 }
487 
488 /**
489  * \test test for a valid dsize value 12
490  *
491  */
492 static int DsizeTestParse08(void)
493 {
494  DetectU16Data *dd = DetectU16Parse(" 12 ");
495  FAIL_IF_NULL(dd);
496  FAIL_IF_NOT(dd->arg1 == 12);
497  FAIL_IF_NOT(dd->mode == DETECT_UINT_EQ);
498 
499  DetectDsizeFree(NULL, dd);
500  PASS;
501 }
502 
503 /**
504  * \test this is a test for a valid dsize value !1
505  *
506  */
507 static int DsizeTestParse09(void)
508 {
509  DetectU16Data *dd = DetectU16Parse("!1");
510  FAIL_IF_NULL(dd);
511  DetectDsizeFree(NULL, dd);
512  PASS;
513 }
514 
515 /**
516  * \test this is a test for a valid dsize value ! 1
517  *
518  */
519 static int DsizeTestParse10(void)
520 {
521  DetectU16Data *dd = DetectU16Parse("! 1");
522  FAIL_IF_NULL(dd);
523  DetectDsizeFree(NULL, dd);
524  PASS;
525 }
526 
527 /**
528  * \test this is a test for invalid dsize values
529  * A, >10<>10, <>10, 1<>, "", " ", 2<>1, 1!
530  *
531  */
532 static int DsizeTestParse11(void)
533 {
534  const char *strings[] = { "A", ">10<>10", "<>10", "1<>", "", " ", "2<>1", "1!", NULL };
535  for (int i = 0; strings[i]; i++) {
536  DetectU16Data *dd = DetectU16Parse(strings[i]);
537  FAIL_IF_NOT_NULL(dd);
538  }
539 
540  PASS;
541 }
542 
543 /**
544  * \test this is a test for positive ! dsize matching
545  *
546  */
547 static int DsizeTestMatch01(void)
548 {
549  uint16_t psize = 1;
550  uint16_t dsizelow = 2;
551  uint16_t dsizehigh = 0;
552  DetectU16Data du16;
553  du16.mode = DETECT_UINT_NE;
554  du16.arg1 = dsizelow;
555  du16.arg2 = dsizehigh;
556  FAIL_IF_NOT(DetectU16Match(psize, &du16));
557 
558  PASS;
559 }
560 
561 /**
562  * \test this is a test for negative ! dsize matching
563  *
564  */
565 static int DsizeTestMatch02(void)
566 {
567  uint16_t psize = 1;
568  uint16_t dsizelow = 1;
569  uint16_t dsizehigh = 0;
570  DetectU16Data du16;
571  du16.mode = DETECT_UINT_NE;
572  du16.arg1 = dsizelow;
573  du16.arg2 = dsizehigh;
574  FAIL_IF(DetectU16Match(psize, &du16));
575 
576  PASS;
577 }
578 
579 /**
580  * \test DetectDsizeIcmpv6Test01 is a test for checking the working of
581  * dsize keyword by creating 2 rules and matching a crafted packet
582  * against them. Only the first one shall trigger.
583  */
584 static int DetectDsizeIcmpv6Test01(void)
585 {
586  static uint8_t raw_icmpv6[] = {
587  0x60, 0x00, 0x00, 0x00, 0x00, 0x30, 0x3a, 0xff,
588  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
589  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
590  0xff, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
591  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
592  0x01, 0x00, 0x7b, 0x85, 0x00, 0x00, 0x00, 0x00,
593  0x60, 0x4b, 0xe8, 0xbd, 0x00, 0x00, 0x3b, 0xff,
594  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
595  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
596  0xff, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
597  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 };
598 
599  Packet *p = PacketGetFromAlloc();
600  FAIL_IF_NULL(p);
601 
602  IPV6Hdr ip6h;
603  ThreadVars tv;
605  ThreadVars th_v;
606  DetectEngineThreadCtx *det_ctx = NULL;
607 
608  memset(&tv, 0, sizeof(ThreadVars));
609  memset(&dtv, 0, sizeof(DecodeThreadVars));
610  memset(&ip6h, 0, sizeof(IPV6Hdr));
611  memset(&th_v, 0, sizeof(ThreadVars));
612 
614  p->src.family = AF_INET6;
615  p->dst.family = AF_INET6;
616  p->ip6h = &ip6h;
617 
618  DecodeIPV6(&tv, &dtv, p, raw_icmpv6, sizeof(raw_icmpv6));
619 
622 
623  de_ctx->flags |= DE_QUIET;
624 
626  "alert icmp any any -> any any "
627  "(msg:\"ICMP Large ICMP Packet\"; dsize:>8; sid:1; rev:4;)");
628  FAIL_IF_NULL(s);
629 
631  "alert icmp any any -> any any "
632  "(msg:\"ICMP Large ICMP Packet\"; dsize:>800; sid:2; rev:4;)");
633  FAIL_IF_NULL(s);
634 
636  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
637 
638  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
639  FAIL_IF(PacketAlertCheck(p, 1) == 0);
640  FAIL_IF(PacketAlertCheck(p, 2));
641 
642  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
644 
645  PacketRecycle(p);
646  FlowShutdown();
647  SCFree(p);
648 
649  PASS;
650 }
651 
652 /**
653  * \brief this function registers unit tests for dsize
654  */
655 static void DsizeRegisterTests(void)
656 {
657  UtRegisterTest("DsizeTestParse01", DsizeTestParse01);
658  UtRegisterTest("DsizeTestParse02", DsizeTestParse02);
659  UtRegisterTest("DsizeTestParse03", DsizeTestParse03);
660  UtRegisterTest("DsizeTestParse04", DsizeTestParse04);
661  UtRegisterTest("DsizeTestParse05", DsizeTestParse05);
662  UtRegisterTest("DsizeTestParse06", DsizeTestParse06);
663  UtRegisterTest("DsizeTestParse07", DsizeTestParse07);
664  UtRegisterTest("DsizeTestParse08", DsizeTestParse08);
665  UtRegisterTest("DsizeTestParse09", DsizeTestParse09);
666  UtRegisterTest("DsizeTestParse10", DsizeTestParse10);
667  UtRegisterTest("DsizeTestParse11", DsizeTestParse11);
668  UtRegisterTest("DsizeTestMatch01", DsizeTestMatch01);
669  UtRegisterTest("DsizeTestMatch02", DsizeTestMatch02);
670 
671  UtRegisterTest("DetectDsizeIcmpv6Test01", DetectDsizeIcmpv6Test01);
672 }
673 #endif /* UNITTESTS */
util-byte.h
host.h
DetectDsizeRegister
void DetectDsizeRegister(void)
Registration function for dsize: keyword.
Definition: detect-dsize.c:61
SigTableElmt_::url
const char * url
Definition: detect.h:1238
detect-content.h
detect-engine.h
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:79
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
PrefilterPacketU16Set
void PrefilterPacketU16Set(PrefilterPacketHeaderValue *v, void *smctx)
Definition: detect-engine-uint.c:126
SigTableElmt_::desc
const char * desc
Definition: detect.h:1237
detect-dsize.h
Signature_::sig_str
char * sig_str
Definition: detect.h:608
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1225
SigTableElmt_::name
const char * name
Definition: detect.h:1235
PKT_IS_PSEUDOPKT
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1058
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1392
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DETECT_UINT_LT
#define DETECT_UINT_LT
Definition: detect-engine-uint.h:37
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:62
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:296
DETECT_UINT_NE
#define DETECT_UINT_NE
Definition: detect-engine-uint.h:36
SigParseGetMaxDsize
int SigParseGetMaxDsize(const Signature *s)
get max dsize "depth"
Definition: detect-dsize.c:226
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
PacketRecycle
void PacketRecycle(Packet *p)
Definition: packet.c:168
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1131
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:784
SC_ERR_INVALID_SIGNATURE
@ SC_ERR_INVALID_SIGNATURE
Definition: util-error.h:69
PrefilterPacketHeaderCtx_::sigs_array
SigIntId * sigs_array
Definition: detect-engine-prefilter-common.h:43
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2444
DETECT_UINT_EQ
#define DETECT_UINT_EQ
Definition: detect-engine-uint.h:35
PrefilterPacketHeaderValue::u8
uint8_t u8[16]
Definition: detect-engine-prefilter-common.h:24
DE_QUIET
#define DE_QUIET
Definition: detect.h:287
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1788
DetectContentData_
Definition: detect-content.h:86
PrefilterPacketHeaderCtx_::sigs_cnt
uint32_t sigs_cnt
Definition: detect-engine-prefilter-common.h:42
DETECT_UINT_GT
#define DETECT_UINT_GT
Definition: detect-engine-uint.h:32
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1220
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:574
Signature_::dsize_low
uint16_t dsize_low
Definition: detect.h:545
PrefilterPacketHeaderValue::u16
uint16_t u16[8]
Definition: detect-engine-prefilter-common.h:25
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
SigTableElmt_::SetupPrefilter
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
Definition: detect.h:1223
FlowInitConfig
void FlowInitConfig(bool quiet)
initialize the configuration
Definition: flow.c:543
PrefilterPacketHeaderCtx_
Definition: detect-engine-prefilter-common.h:35
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1024
DETECT_CONTENT_DEPTH
#define DETECT_CONTENT_DEPTH
Definition: detect-content.h:33
SCEnter
#define SCEnter(...)
Definition: util-debug.h:298
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
pkt-var.h
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:317
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:78
SC_ERR_INVALID_ARGUMENT
@ SC_ERR_INVALID_ARGUMENT
Definition: util-error.h:43
DetectContentData_::id
PatIntId id
Definition: detect-content.h:98
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:316
SigParseSetDsizePair
void SigParseSetDsizePair(Signature *s)
set prefilter dsize pair
Definition: detect-dsize.c:249
util-profiling.h
SCReturn
#define SCReturn
Definition: util-debug.h:300
Signature_::flags
uint32_t flags
Definition: detect.h:540
DetectContentData_::depth
uint16_t depth
Definition: detect-content.h:99
IPV6Hdr_
Definition: decode-ipv6.h:32
Packet_
Definition: decode.h:428
detect-engine-build.h
DETECT_UINT_GTE
#define DETECT_UINT_GTE
Definition: detect-engine-uint.h:33
DecodeIPV6
int DecodeIPV6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint16_t len)
Definition: decode-ipv6.c:564
detect-engine-alert.h
DetectContentData_::flags
uint32_t flags
Definition: detect-content.h:97
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:610
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1203
SignatureInitData_::smlists
struct SigMatch_ ** smlists
Definition: detect.h:533
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:238
DETECT_DSIZE
@ DETECT_DSIZE
Definition: detect-engine-register.h:52
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1954
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:33
PrefilterPacketHeaderCtx_::v1
PrefilterPacketHeaderValue v1
Definition: detect-engine-prefilter-common.h:36
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:308
SignatureInitData_::dsize_sm
SigMatch * dsize_sm
Definition: detect.h:506
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2434
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3153
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
DetectU16Match
int DetectU16Match(const uint16_t parg, const DetectUintData_u16 *du16)
Definition: detect-engine-uint.c:107
DetectU16Parse
DetectUintData_u16 * DetectU16Parse(const char *u16str)
This function is used to parse u16 options passed via some u16 keyword.
Definition: detect-engine-uint.c:121
PrefilterPacketU16Compare
bool PrefilterPacketU16Compare(PrefilterPacketHeaderValue v, void *smctx)
Definition: detect-engine-uint.c:134
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3367
SigMatch_::type
uint16_t type
Definition: detect.h:314
Signature_::dsize_high
uint16_t dsize_high
Definition: detect.h:546
FlowShutdown
void FlowShutdown(void)
shutdown the flow engine
Definition: flow.c:690
packet.h
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:76
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:255
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
PrefilterSetupPacketHeader
int PrefilterSetupPacketHeader(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type, void(*Set)(PrefilterPacketHeaderValue *v, void *), bool(*Compare)(PrefilterPacketHeaderValue v, void *), void(*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
Definition: detect-engine-prefilter-common.c:417
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:173
SigParseRequiredContentSize
void SigParseRequiredContentSize(const Signature *s, const int max_size, int list, int *len, int *offset)
Definition: detect-content.c:415
DETECT_UINT_LTE
#define DETECT_UINT_LTE
Definition: detect-engine-uint.h:38
str
#define str(s)
Definition: suricata-common.h:280
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:665
SigTableElmt_::SupportsPrefilter
bool(* SupportsPrefilter)(const Signature *s)
Definition: detect.h:1222
Signature_::id
uint32_t id
Definition: detect.h:573
detect-parse.h
Signature_
Signature container.
Definition: detect.h:539
SigMatch_
a single match condition for a signature
Definition: detect.h:313
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2405
Signature_::dsize_mode
uint8_t dsize_mode
Definition: detect.h:547
SC_ERR_MEM_ALLOC
@ SC_ERR_MEM_ALLOC
Definition: util-error.h:31
Address_::family
char family
Definition: decode.h:115
Packet_::dst
Address dst
Definition: decode.h:433
FLOW_QUIET
#define FLOW_QUIET
Definition: flow.h:40
SigParseApplyDsizeToContent
void SigParseApplyDsizeToContent(Signature *s)
Apply dsize as depth to content matches in the rule.
Definition: detect-dsize.c:338
DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition: detect-parse.c:471
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:785
detect-engine-prefilter-common.h
Packet_::ip6h
IPV6Hdr * ip6h
Definition: decode.h:533
DetectU16Data
DetectUintData_u16 DetectU16Data
Definition: detect-engine-uint.h:42
SigParseMaxRequiredDsize
int SigParseMaxRequiredDsize(const Signature *s)
Determine the required dsize for the signature.
Definition: detect-dsize.c:303
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:302
flow-var.h
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:352
Packet_::src
Address src
Definition: decode.h:432
DETECT_UINT_RA
#define DETECT_UINT_RA
Definition: detect-engine-uint.h:34
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1227
SIG_FLAG_DSIZE
#define SIG_FLAG_DSIZE
Definition: detect.h:206
SIG_FLAG_REQUIRE_PACKET
#define SIG_FLAG_REQUIRE_PACKET
Definition: detect.h:215