Go to the documentation of this file.
51 static void DsizeRegisterTests(
void);
56 static bool PrefilterDsizeIsPrefilterable(
const Signature *s);
124 "the same sig. Invalidating signature.");
145 SCLogDebug(
"dd->arg1 %" PRIu16
", dd->arg2 %" PRIu16
", dd->mode %" PRIu8
"", dd->arg1,
166 SCDetectU16Free(de_ptr);
175 if (!PrefilterPacketHeaderExtraMatch(
ctx, p))
180 du16.mode =
ctx->v1.u8[0];
181 du16.arg1 =
ctx->v1.u16[1];
182 du16.arg2 =
ctx->v1.u16[2];
186 PrefilterAddSids(&det_ctx->
pmq,
ctx->sigs_array,
ctx->sigs_cnt);
196 static bool PrefilterDsizeIsPrefilterable(
const Signature *s)
243 uint16_t high = 65535;
276 SCLogDebug(
"low %u, high %u, mode %u", low, high, dd->mode);
310 if (total_length > dsize) {
311 SCLogDebug(
"required_dsize: %d exceeds dsize: %d", total_length, dsize);
315 if ((total_length +
offset) > dsize) {
316 SCLogDebug(
"length + offset: %d exceeds dsize: %d", total_length +
offset, dsize);
317 return total_length +
offset;
341 for ( ; sm != NULL; sm = sm->
next) {
353 cd->
depth = (uint16_t)dsize;
354 SCLogDebug(
"updated %u, content %u to have depth %u "
355 "because of dsize.", s->
id, cd->
id, cd->
depth);
375 static int DsizeTestParse01(
void)
382 DetectDsizeFree(NULL, dd);
390 static int DsizeTestParse02(
void)
396 DetectDsizeFree(NULL, dd);
404 static int DsizeTestParse03(
void)
411 DetectDsizeFree(NULL, dd);
419 static int DsizeTestParse04(
void)
427 DetectDsizeFree(NULL, dd);
435 static int DsizeTestParse05(
void)
443 DetectDsizeFree(NULL, dd);
451 static int DsizeTestParse06(
void)
458 DetectDsizeFree(NULL, dd);
466 static int DsizeTestParse07(
void)
473 DetectDsizeFree(NULL, dd);
481 static int DsizeTestParse08(
void)
488 DetectDsizeFree(NULL, dd);
496 static int DsizeTestParse09(
void)
500 DetectDsizeFree(NULL, dd);
508 static int DsizeTestParse10(
void)
512 DetectDsizeFree(NULL, dd);
521 static int DsizeTestParse11(
void)
523 const char *strings[] = {
"A",
">10<>10",
"<>10",
"1<>",
"",
" ",
"2<>1",
"1!", NULL };
524 for (
int i = 0; strings[i]; i++) {
536 static int DsizeTestMatch01(
void)
539 uint16_t dsizelow = 2;
540 uint16_t dsizehigh = 0;
543 du16.arg1 = dsizelow;
544 du16.arg2 = dsizehigh;
554 static int DsizeTestMatch02(
void)
557 uint16_t dsizelow = 1;
558 uint16_t dsizehigh = 0;
561 du16.arg1 = dsizelow;
562 du16.arg2 = dsizehigh;
573 static int DetectDsizeIcmpv6Test01(
void)
575 static uint8_t raw_icmpv6[] = {
576 0x60, 0x00, 0x00, 0x00, 0x00, 0x30, 0x3a, 0xff,
577 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
578 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
579 0xff, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
580 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
581 0x01, 0x00, 0x7b, 0x85, 0x00, 0x00, 0x00, 0x00,
582 0x60, 0x4b, 0xe8, 0xbd, 0x00, 0x00, 0x3b, 0xff,
583 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
584 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
585 0xff, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
586 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 };
612 "alert icmp any any -> any any "
613 "(msg:\"ICMP Large ICMP Packet\"; dsize:>8; sid:1; rev:4;)");
617 "alert icmp any any -> any any "
618 "(msg:\"ICMP Large ICMP Packet\"; dsize:>800; sid:2; rev:4;)");
641 static void DsizeRegisterTests(
void)
657 UtRegisterTest(
"DetectDsizeIcmpv6Test01", DetectDsizeIcmpv6Test01);
void DetectDsizeRegister(void)
Registration function for dsize: keyword.
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
#define SIG_MASK_REQUIRE_REAL_PKT
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
void PrefilterPacketU16Set(PrefilterPacketHeaderValue *v, void *smctx)
SigTableElmt * sigmatch_table
void(* Free)(DetectEngineCtx *, void *)
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Container for matching data for a signature group.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
void PacketRecycle(Packet *p)
main detection engine ctx
int SigParseGetMaxDsize(const Signature *s, uint16_t *dsize)
get max dsize "depth"
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
#define SIGMATCH_SUPPORT_FIREWALL
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
void FlowInitConfig(bool quiet)
initialize the configuration
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
#define PASS
Pass the test.
#define DETECT_CONTENT_DEPTH
Per thread variable structure.
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
void SigParseSetDsizePair(Signature *s)
set prefilter dsize pair
void SigParseRequiredContentSize(const Signature *s, const uint64_t max_size, const SigMatch *sm, int *len, int *offset)
Determine the size needed to accommodate the content elements of a signature.
int DecodeIPV6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint16_t len)
SignatureInitData * init_data
int PrefilterSetupPacketHeader(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type, SignatureMask mask, void(*Set)(PrefilterPacketHeaderValue *v, void *), bool(*Compare)(PrefilterPacketHeaderValue v, void *), void(*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
int DetectU16Match(const uint16_t parg, const DetectUintData_u16 *du16)
DetectUintData_u16 * DetectU16Parse(const char *u16str)
This function is used to parse u16 options passed via some u16 keyword.
bool PrefilterPacketU16Compare(PrefilterPacketHeaderValue v, void *smctx)
void FlowShutdown(void)
shutdown the flow engine
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
#define SCLogError(...)
Macro used to log ERROR messages.
Structure to hold thread specific data for all decode modules.
bool(* SupportsPrefilter)(const Signature *s)
a single match condition for a signature
DetectEngineCtx * DetectEngineCtxInit(void)
void SigParseApplyDsizeToContent(Signature *s)
Apply dsize as depth to content matches in the rule.
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
DetectUintData_u16 DetectU16Data
int SigParseMaxRequiredDsize(const Signature *s)
Determine the required dsize for the signature.
#define DEBUG_VALIDATE_BUG_ON(exp)
void(* RegisterTests)(void)
#define SIG_FLAG_REQUIRE_PACKET