suricata
detect-dsize.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Implements the dsize keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 
29 #include "detect.h"
30 #include "detect-parse.h"
32 #include "detect-engine-build.h"
33 
34 #include "flow-var.h"
35 
36 #include "detect-content.h"
37 #include "detect-dsize.h"
38 
39 #include "util-unittest.h"
40 #include "util-debug.h"
41 #include "util-byte.h"
42 
43 #include "pkt-var.h"
44 #include "host.h"
45 #include "util-profiling.h"
46 
47 static int DetectDsizeMatch (DetectEngineThreadCtx *, Packet *,
48  const Signature *, const SigMatchCtx *);
49 static int DetectDsizeSetup (DetectEngineCtx *, Signature *s, const char *str);
50 #ifdef UNITTESTS
51 static void DsizeRegisterTests(void);
52 #endif
53 static void DetectDsizeFree(DetectEngineCtx *, void *);
54 
55 static int PrefilterSetupDsize(DetectEngineCtx *de_ctx, SigGroupHead *sgh);
56 static bool PrefilterDsizeIsPrefilterable(const Signature *s);
57 
58 /**
59  * \brief Registration function for dsize: keyword
60  */
62 {
63  sigmatch_table[DETECT_DSIZE].name = "dsize";
64  sigmatch_table[DETECT_DSIZE].desc = "match on the size of the packet payload";
65  sigmatch_table[DETECT_DSIZE].url = "/rules/payload-keywords.html#dsize";
66  sigmatch_table[DETECT_DSIZE].Match = DetectDsizeMatch;
67  sigmatch_table[DETECT_DSIZE].Setup = DetectDsizeSetup;
68  sigmatch_table[DETECT_DSIZE].Free = DetectDsizeFree;
70 #ifdef UNITTESTS
71  sigmatch_table[DETECT_DSIZE].RegisterTests = DsizeRegisterTests;
72 #endif
73  sigmatch_table[DETECT_DSIZE].SupportsPrefilter = PrefilterDsizeIsPrefilterable;
74  sigmatch_table[DETECT_DSIZE].SetupPrefilter = PrefilterSetupDsize;
75 }
76 
77 /**
78  * \internal
79  * \brief This function is used to match flags on a packet with those passed via dsize:
80  *
81  * \param t pointer to thread vars
82  * \param det_ctx pointer to the pattern matcher thread
83  * \param p pointer to the current packet
84  * \param s pointer to the Signature
85  * \param m pointer to the sigmatch
86  *
87  * \retval 0 no match
88  * \retval 1 match
89  */
90 static int DetectDsizeMatch (DetectEngineThreadCtx *det_ctx, Packet *p,
91  const Signature *s, const SigMatchCtx *ctx)
92 {
93  SCEnter();
94  int ret = 0;
95 
97 
98  const DetectU16Data *dd = (const DetectU16Data *)ctx;
99 
100  SCLogDebug("p->payload_len %"PRIu16"", p->payload_len);
101 
102  ret = DetectU16Match(p->payload_len, dd);
103 
104  SCReturnInt(ret);
105 }
106 
107 /**
108  * \internal
109  * \brief this function is used to add the parsed dsize into the current signature
110  *
111  * \param de_ctx pointer to the Detection Engine Context
112  * \param s pointer to the Current Signature
113  * \param rawstr pointer to the user provided flags options
114  *
115  * \retval 0 on Success
116  * \retval -1 on Failure
117  */
118 static int DetectDsizeSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
119 {
120  DetectU16Data *dd = NULL;
121 
123  SCLogError("Can't use 2 or more dsizes in "
124  "the same sig. Invalidating signature.");
125  return -1;
126  }
127 
128  SCLogDebug("\'%s\'", rawstr);
129 
130  dd = DetectU16Parse(rawstr);
131  if (dd == NULL) {
132  SCLogError("Parsing \'%s\' failed", rawstr);
133  return -1;
134  }
135 
136  /* Okay so far so good, lets get this into a SigMatch
137  * and put it in the Signature. */
140  if (sm == NULL) {
141  SCDetectU16Free(dd);
142  return -1;
143  }
144 
145  SCLogDebug("dd->arg1 %" PRIu16 ", dd->arg2 %" PRIu16 ", dd->mode %" PRIu8 "", dd->arg1,
146  dd->arg2, dd->mode);
147  /* tell the sig it has a dsize to speed up engine init */
149  s->flags |= SIG_FLAG_DSIZE;
150 
151  if (s->init_data->dsize_sm == NULL) {
152  s->init_data->dsize_sm = sm;
153  }
154 
155  return 0;
156 }
157 
158 /**
159  * \internal
160  * \brief this function will free memory associated with DetectU16Data
161  *
162  * \param de pointer to DetectU16Data
163  */
164 void DetectDsizeFree(DetectEngineCtx *de_ctx, void *de_ptr)
165 {
166  SCDetectU16Free(de_ptr);
167 }
168 
169 /* prefilter code */
170 
171 static void
172 PrefilterPacketDsizeMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)
173 {
174  const PrefilterPacketHeaderCtx *ctx = pectx;
175  if (!PrefilterPacketHeaderExtraMatch(ctx, p))
176  return;
177 
178  const uint16_t dsize = p->payload_len;
179  DetectU16Data du16;
180  du16.mode = ctx->v1.u8[0];
181  du16.arg1 = ctx->v1.u16[1];
182  du16.arg2 = ctx->v1.u16[2];
183 
184  if (DetectU16Match(dsize, &du16)) {
185  SCLogDebug("packet matches dsize %u", dsize);
186  PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);
187  }
188 }
189 
190 static int PrefilterSetupDsize(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
191 {
193  PrefilterPacketU16Set, PrefilterPacketU16Compare, PrefilterPacketDsizeMatch);
194 }
195 
196 static bool PrefilterDsizeIsPrefilterable(const Signature *s)
197 {
198  const SigMatch *sm;
199  for (sm = s->init_data->smlists[DETECT_SM_LIST_MATCH] ; sm != NULL; sm = sm->next) {
200  switch (sm->type) {
201  case DETECT_DSIZE:
202  return true;
203  }
204  }
205  return false;
206 }
207 
208 /** \brief get max dsize "depth"
209  * \param s signature to get dsize value from
210  * \retval depth or negative value
211  */
212 int SigParseGetMaxDsize(const Signature *s, uint16_t *dsize)
213 {
214  if (s->flags & SIG_FLAG_DSIZE && s->init_data->dsize_sm != NULL) {
215  const DetectU16Data *dd = (const DetectU16Data *)s->init_data->dsize_sm->ctx;
216 
217  switch (dd->mode) {
218  case DETECT_UINT_LT:
219  case DETECT_UINT_EQ:
220  case DETECT_UINT_NE:
221  *dsize = dd->arg1;
222  SCReturnInt(0);
223  case DETECT_UINT_RA:
224  *dsize = dd->arg2;
225  SCReturnInt(0);
226  case DETECT_UINT_GT:
227  default:
228  SCReturnInt(-2);
229  }
230  }
231  SCReturnInt(-1);
232 }
233 
234 /** \brief set prefilter dsize pair
235  * \param s signature to get dsize value from
236  */
238 {
239  if (s->flags & SIG_FLAG_DSIZE && s->init_data->dsize_sm != NULL) {
240  const DetectU16Data *dd = (const DetectU16Data *)s->init_data->dsize_sm->ctx;
241 
242  uint16_t low = 0;
243  uint16_t high = 65535;
244 
245  switch (dd->mode) {
246  case DETECT_UINT_LT:
247  low = 0;
248  high = dd->arg1;
249  break;
250  case DETECT_UINT_LTE:
251  low = 0;
252  high = dd->arg1 + 1;
253  break;
254  case DETECT_UINT_EQ:
255  case DETECT_UINT_NE:
256  low = dd->arg1;
257  high = dd->arg1;
258  break;
259  case DETECT_UINT_RA:
260  low = dd->arg1;
261  high = dd->arg2;
262  break;
263  case DETECT_UINT_GT:
264  low = dd->arg1;
265  high = 65535;
266  break;
267  case DETECT_UINT_GTE:
268  low = dd->arg1 - 1;
269  high = 65535;
270  break;
271  }
272  s->dsize_mode = dd->mode;
273  s->dsize_low = low;
274  s->dsize_high = high;
275 
276  SCLogDebug("low %u, high %u, mode %u", low, high, dd->mode);
277  }
278 }
279 
280 /**
281  * \brief Determine the required dsize for the signature
282  * \param s signature to get dsize value from
283  *
284  * Note that negated content does not contribute to the maximum
285  * required dsize value. However, each negated content's values
286  * must not exceed the dsize value. See SigParseRequiredContentSize.
287  *
288  * \retval -1 Signature doesn't have a dsize keyword
289  * \retval >= 0 Dsize value required to not exclude content matches
290  */
292 {
293  SCEnter();
294 
295  if (!(s->flags & SIG_FLAG_DSIZE)) {
296  SCReturnInt(-1);
297  }
298 
299  uint16_t dsize;
300  if (SigParseGetMaxDsize(s, &dsize) < 0) {
301  /* nothing to do */
302  SCReturnInt(-1);
303  }
304 
305  int total_length, offset;
307  s, dsize, s->init_data->smlists[DETECT_SM_LIST_PMATCH], &total_length, &offset);
308  SCLogDebug("dsize: %d len: %d; offset: %d [%s]", dsize, total_length, offset, s->sig_str);
309 
310  if (total_length > dsize) {
311  SCLogDebug("required_dsize: %d exceeds dsize: %d", total_length, dsize);
312  return total_length;
313  }
314 
315  if ((total_length + offset) > dsize) {
316  SCLogDebug("length + offset: %d exceeds dsize: %d", total_length + offset, dsize);
317  return total_length + offset;
318  }
319 
320  SCReturnInt(-1);
321 }
322 
323 /**
324  * \brief Apply dsize as depth to content matches in the rule
325  * \param s signature to get dsize value from
326  */
328 {
329  SCEnter();
330 
331  if (s->flags & SIG_FLAG_DSIZE) {
333 
334  uint16_t dsize;
335  if (SigParseGetMaxDsize(s, &dsize) < 0) {
336  /* nothing to do */
337  return;
338  }
339 
341  for ( ; sm != NULL; sm = sm->next) {
342  if (sm->type != DETECT_CONTENT) {
343  continue;
344  }
345 
347  if (cd == NULL) {
348  continue;
349  }
350 
351  if (cd->depth == 0 || cd->depth >= dsize) {
353  cd->depth = (uint16_t)dsize;
354  SCLogDebug("updated %u, content %u to have depth %u "
355  "because of dsize.", s->id, cd->id, cd->depth);
356  }
357  }
358  }
359 }
360 
361 /*
362  * ONLY TESTS BELOW THIS COMMENT
363  */
364 
365 #ifdef UNITTESTS
366 #include "util-unittest-helper.h"
367 #include "detect-engine.h"
368 #include "detect-engine-alert.h"
369 #include "packet.h"
370 
371 /**
372  * \test this is a test for a valid dsize value 1
373  *
374  */
375 static int DsizeTestParse01(void)
376 {
377  DetectU16Data *dd = DetectU16Parse("1");
378  FAIL_IF_NULL(dd);
379  FAIL_IF_NOT(dd->arg1 == 1);
380  FAIL_IF_NOT(dd->arg2 == 0);
381 
382  DetectDsizeFree(NULL, dd);
383  PASS;
384 }
385 
386 /**
387  * \test this is a test for a valid dsize value >10
388  *
389  */
390 static int DsizeTestParse02(void)
391 {
392  DetectU16Data *dd = DetectU16Parse(">10");
393  FAIL_IF_NULL(dd);
394  FAIL_IF_NOT(dd->arg1 == 10);
395  FAIL_IF_NOT(dd->mode == DETECT_UINT_GT);
396  DetectDsizeFree(NULL, dd);
397  PASS;
398 }
399 
400 /**
401  * \test this is a test for a valid dsize value <100
402  *
403  */
404 static int DsizeTestParse03(void)
405 {
406  DetectU16Data *dd = DetectU16Parse("<100");
407  FAIL_IF_NULL(dd);
408  FAIL_IF_NOT(dd->arg1 == 100);
409  FAIL_IF_NOT(dd->mode == DETECT_UINT_LT);
410 
411  DetectDsizeFree(NULL, dd);
412  PASS;
413 }
414 
415 /**
416  * \test this is a test for a valid dsize value 1<>3
417  *
418  */
419 static int DsizeTestParse04(void)
420 {
421  DetectU16Data *dd = DetectU16Parse("1<>3");
422  FAIL_IF_NULL(dd);
423  FAIL_IF_NOT(dd->arg1 == 1);
424  FAIL_IF_NOT(dd->arg2 == 3);
425  FAIL_IF_NOT(dd->mode == DETECT_UINT_RA);
426 
427  DetectDsizeFree(NULL, dd);
428  PASS;
429 }
430 
431 /**
432  * \test this is a test for a valid dsize value 1 <> 3
433  *
434  */
435 static int DsizeTestParse05(void)
436 {
437  DetectU16Data *dd = DetectU16Parse(" 1 <> 3 ");
438  FAIL_IF_NULL(dd);
439  FAIL_IF_NOT(dd->arg1 == 1);
440  FAIL_IF_NOT(dd->arg2 == 3);
441  FAIL_IF_NOT(dd->mode == DETECT_UINT_RA);
442 
443  DetectDsizeFree(NULL, dd);
444  PASS;
445 }
446 
447 /**
448  * \test this is test for a valid dsize value > 2
449  *
450  */
451 static int DsizeTestParse06(void)
452 {
453  DetectU16Data *dd = DetectU16Parse("> 2 ");
454  FAIL_IF_NULL(dd);
455  FAIL_IF_NOT(dd->arg1 == 2);
456  FAIL_IF_NOT(dd->mode == DETECT_UINT_GT);
457 
458  DetectDsizeFree(NULL, dd);
459  PASS;
460 }
461 
462 /**
463  * \test test for a valid dsize value < 12
464  *
465  */
466 static int DsizeTestParse07(void)
467 {
468  DetectU16Data *dd = DetectU16Parse("< 12 ");
469  FAIL_IF_NULL(dd);
470  FAIL_IF_NOT(dd->arg1 == 12);
471  FAIL_IF_NOT(dd->mode == DETECT_UINT_LT);
472 
473  DetectDsizeFree(NULL, dd);
474  PASS;
475 }
476 
477 /**
478  * \test test for a valid dsize value 12
479  *
480  */
481 static int DsizeTestParse08(void)
482 {
483  DetectU16Data *dd = DetectU16Parse(" 12 ");
484  FAIL_IF_NULL(dd);
485  FAIL_IF_NOT(dd->arg1 == 12);
486  FAIL_IF_NOT(dd->mode == DETECT_UINT_EQ);
487 
488  DetectDsizeFree(NULL, dd);
489  PASS;
490 }
491 
492 /**
493  * \test this is a test for a valid dsize value !1
494  *
495  */
496 static int DsizeTestParse09(void)
497 {
498  DetectU16Data *dd = DetectU16Parse("!1");
499  FAIL_IF_NULL(dd);
500  DetectDsizeFree(NULL, dd);
501  PASS;
502 }
503 
504 /**
505  * \test this is a test for a valid dsize value ! 1
506  *
507  */
508 static int DsizeTestParse10(void)
509 {
510  DetectU16Data *dd = DetectU16Parse("! 1");
511  FAIL_IF_NULL(dd);
512  DetectDsizeFree(NULL, dd);
513  PASS;
514 }
515 
516 /**
517  * \test this is a test for invalid dsize values
518  * A, >10<>10, <>10, 1<>, "", " ", 2<>1, 1!
519  *
520  */
521 static int DsizeTestParse11(void)
522 {
523  const char *strings[] = { "A", ">10<>10", "<>10", "1<>", "", " ", "2<>1", "1!", NULL };
524  for (int i = 0; strings[i]; i++) {
525  DetectU16Data *dd = DetectU16Parse(strings[i]);
526  FAIL_IF_NOT_NULL(dd);
527  }
528 
529  PASS;
530 }
531 
532 /**
533  * \test this is a test for positive ! dsize matching
534  *
535  */
536 static int DsizeTestMatch01(void)
537 {
538  uint16_t psize = 1;
539  uint16_t dsizelow = 2;
540  uint16_t dsizehigh = 0;
541  DetectU16Data du16;
542  du16.mode = DETECT_UINT_NE;
543  du16.arg1 = dsizelow;
544  du16.arg2 = dsizehigh;
545  FAIL_IF_NOT(DetectU16Match(psize, &du16));
546 
547  PASS;
548 }
549 
550 /**
551  * \test this is a test for negative ! dsize matching
552  *
553  */
554 static int DsizeTestMatch02(void)
555 {
556  uint16_t psize = 1;
557  uint16_t dsizelow = 1;
558  uint16_t dsizehigh = 0;
559  DetectU16Data du16;
560  du16.mode = DETECT_UINT_NE;
561  du16.arg1 = dsizelow;
562  du16.arg2 = dsizehigh;
563  FAIL_IF(DetectU16Match(psize, &du16));
564 
565  PASS;
566 }
567 
568 /**
569  * \test DetectDsizeIcmpv6Test01 is a test for checking the working of
570  * dsize keyword by creating 2 rules and matching a crafted packet
571  * against them. Only the first one shall trigger.
572  */
573 static int DetectDsizeIcmpv6Test01(void)
574 {
575  static uint8_t raw_icmpv6[] = {
576  0x60, 0x00, 0x00, 0x00, 0x00, 0x30, 0x3a, 0xff,
577  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
578  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
579  0xff, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
580  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
581  0x01, 0x00, 0x7b, 0x85, 0x00, 0x00, 0x00, 0x00,
582  0x60, 0x4b, 0xe8, 0xbd, 0x00, 0x00, 0x3b, 0xff,
583  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
584  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
585  0xff, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
586  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 };
587 
588  Packet *p = PacketGetFromAlloc();
589  FAIL_IF_NULL(p);
590 
591  ThreadVars tv;
593  ThreadVars th_v;
594  DetectEngineThreadCtx *det_ctx = NULL;
595 
596  memset(&tv, 0, sizeof(ThreadVars));
597  memset(&dtv, 0, sizeof(DecodeThreadVars));
598  memset(&th_v, 0, sizeof(ThreadVars));
599 
601  p->src.family = AF_INET6;
602  p->dst.family = AF_INET6;
603 
604  DecodeIPV6(&tv, &dtv, p, raw_icmpv6, sizeof(raw_icmpv6));
605 
608 
609  de_ctx->flags |= DE_QUIET;
610 
612  "alert icmp any any -> any any "
613  "(msg:\"ICMP Large ICMP Packet\"; dsize:>8; sid:1; rev:4;)");
614  FAIL_IF_NULL(s);
615 
617  "alert icmp any any -> any any "
618  "(msg:\"ICMP Large ICMP Packet\"; dsize:>800; sid:2; rev:4;)");
619  FAIL_IF_NULL(s);
620 
622  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
623 
624  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
625  FAIL_IF(PacketAlertCheck(p, 1) == 0);
626  FAIL_IF(PacketAlertCheck(p, 2));
627 
628  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
630 
631  PacketRecycle(p);
632  FlowShutdown();
633  SCFree(p);
634 
635  PASS;
636 }
637 
638 /**
639  * \brief this function registers unit tests for dsize
640  */
641 static void DsizeRegisterTests(void)
642 {
643  UtRegisterTest("DsizeTestParse01", DsizeTestParse01);
644  UtRegisterTest("DsizeTestParse02", DsizeTestParse02);
645  UtRegisterTest("DsizeTestParse03", DsizeTestParse03);
646  UtRegisterTest("DsizeTestParse04", DsizeTestParse04);
647  UtRegisterTest("DsizeTestParse05", DsizeTestParse05);
648  UtRegisterTest("DsizeTestParse06", DsizeTestParse06);
649  UtRegisterTest("DsizeTestParse07", DsizeTestParse07);
650  UtRegisterTest("DsizeTestParse08", DsizeTestParse08);
651  UtRegisterTest("DsizeTestParse09", DsizeTestParse09);
652  UtRegisterTest("DsizeTestParse10", DsizeTestParse10);
653  UtRegisterTest("DsizeTestParse11", DsizeTestParse11);
654  UtRegisterTest("DsizeTestMatch01", DsizeTestMatch01);
655  UtRegisterTest("DsizeTestMatch02", DsizeTestMatch02);
656 
657  UtRegisterTest("DetectDsizeIcmpv6Test01", DetectDsizeIcmpv6Test01);
658 }
659 #endif /* UNITTESTS */
util-byte.h
host.h
DetectDsizeRegister
void DetectDsizeRegister(void)
Registration function for dsize: keyword.
Definition: detect-dsize.c:61
SigTableElmt_::url
const char * url
Definition: detect.h:1431
detect-content.h
detect-engine.h
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:118
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SIG_MASK_REQUIRE_REAL_PKT
#define SIG_MASK_REQUIRE_REAL_PKT
Definition: detect.h:315
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:644
PrefilterPacketU16Set
void PrefilterPacketU16Set(PrefilterPacketHeaderValue *v, void *smctx)
Definition: detect-engine-uint.c:126
SigTableElmt_::desc
const char * desc
Definition: detect.h:1430
detect-dsize.h
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:155
Signature_::sig_str
char * sig_str
Definition: detect.h:747
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1418
SigTableElmt_::name
const char * name
Definition: detect.h:1428
PKT_IS_PSEUDOPKT
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1305
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1598
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DETECT_UINT_LT
#define DETECT_UINT_LT
Definition: detect-engine-uint.h:37
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:69
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
DETECT_UINT_NE
#define DETECT_UINT_NE
Definition: detect-engine-uint.h:36
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
PacketRecycle
void PacketRecycle(Packet *p)
Definition: packet.c:145
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1324
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1422
ctx
struct Thresholds ctx
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:931
SigParseGetMaxDsize
int SigParseGetMaxDsize(const Signature *s, uint16_t *dsize)
get max dsize "depth"
Definition: detect-dsize.c:212
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2674
DETECT_UINT_EQ
#define DETECT_UINT_EQ
Definition: detect-engine-uint.h:35
DE_QUIET
#define DE_QUIET
Definition: detect.h:329
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:2347
DetectContentData_
Definition: detect-content.h:93
SIGMATCH_SUPPORT_FIREWALL
#define SIGMATCH_SUPPORT_FIREWALL
Definition: detect.h:1651
DETECT_UINT_GT
#define DETECT_UINT_GT
Definition: detect-engine-uint.h:32
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:3439
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1413
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:597
Signature_::dsize_low
uint16_t dsize_low
Definition: detect.h:677
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
SigTableElmt_::SetupPrefilter
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
Definition: detect.h:1416
FlowInitConfig
void FlowInitConfig(bool quiet)
initialize the configuration
Definition: flow.c:546
PrefilterPacketHeaderCtx_
Definition: detect-engine-prefilter-common.h:35
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
DetectEngineThreadCtx_
Definition: detect.h:1223
DETECT_CONTENT_DEPTH
#define DETECT_CONTENT_DEPTH
Definition: detect-content.h:33
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
pkt-var.h
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3400
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:360
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:116
DetectContentData_::id
PatIntId id
Definition: detect-content.h:105
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:359
SigParseSetDsizePair
void SigParseSetDsizePair(Signature *s)
set prefilter dsize pair
Definition: detect-dsize.c:237
util-profiling.h
Signature_::flags
uint32_t flags
Definition: detect.h:671
DetectContentData_::depth
uint16_t depth
Definition: detect-content.h:106
Packet_
Definition: decode.h:492
detect-engine-build.h
DETECT_UINT_GTE
#define DETECT_UINT_GTE
Definition: detect-engine-uint.h:33
SigParseRequiredContentSize
void SigParseRequiredContentSize(const Signature *s, const uint64_t max_size, const SigMatch *sm, int *len, int *offset)
Determine the size needed to accommodate the content elements of a signature.
Definition: detect-content.c:410
DecodeIPV6
int DecodeIPV6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint16_t len)
Definition: decode-ipv6.c:560
detect-engine-alert.h
DetectContentData_::flags
uint32_t flags
Definition: detect-content.h:104
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:749
PrefilterSetupPacketHeader
int PrefilterSetupPacketHeader(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type, SignatureMask mask, void(*Set)(PrefilterPacketHeaderValue *v, void *), bool(*Compare)(PrefilterPacketHeaderValue v, void *), void(*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
Definition: detect-engine-prefilter-common.c:406
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1396
DETECT_DSIZE
@ DETECT_DSIZE
Definition: detect-engine-register.h:52
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2129
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:33
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:351
SignatureInitData_::dsize_sm
SigMatch * dsize_sm
Definition: detect.h:617
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
DetectU16Match
int DetectU16Match(const uint16_t parg, const DetectUintData_u16 *du16)
Definition: detect-engine-uint.c:107
DetectU16Parse
DetectUintData_u16 * DetectU16Parse(const char *u16str)
This function is used to parse u16 options passed via some u16 keyword.
Definition: detect-engine-uint.c:121
PrefilterPacketU16Compare
bool PrefilterPacketU16Compare(PrefilterPacketHeaderValue v, void *smctx)
Definition: detect-engine-uint.c:134
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:357
Signature_::dsize_high
uint16_t dsize_high
Definition: detect.h:678
FlowShutdown
void FlowShutdown(void)
shutdown the flow engine
Definition: flow.c:690
packet.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3626
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:232
DETECT_UINT_LTE
#define DETECT_UINT_LTE
Definition: detect-engine-uint.h:38
str
#define str(s)
Definition: suricata-common.h:308
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:954
SigTableElmt_::SupportsPrefilter
bool(* SupportsPrefilter)(const Signature *s)
Definition: detect.h:1415
Signature_::id
uint32_t id
Definition: detect.h:715
detect-parse.h
Signature_
Signature container.
Definition: detect.h:670
SigMatch_
a single match condition for a signature
Definition: detect.h:356
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2635
Signature_::dsize_mode
uint8_t dsize_mode
Definition: detect.h:679
Address_::family
char family
Definition: decode.h:113
Packet_::dst
Address dst
Definition: decode.h:497
FLOW_QUIET
#define FLOW_QUIET
Definition: flow.h:43
SigParseApplyDsizeToContent
void SigParseApplyDsizeToContent(Signature *s)
Apply dsize as depth to content matches in the rule.
Definition: detect-dsize.c:327
DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition: detect-parse.c:640
SigMatchAppendSMToList
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:464
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:933
detect-engine-prefilter-common.h
DetectU16Data
DetectUintData_u16 DetectU16Data
Definition: detect-engine-uint.h:42
SigParseMaxRequiredDsize
int SigParseMaxRequiredDsize(const Signature *s)
Determine the required dsize for the signature.
Definition: detect-dsize.c:291
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
flow-var.h
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
Packet_::src
Address src
Definition: decode.h:496
DETECT_UINT_RA
#define DETECT_UINT_RA
Definition: detect-engine-uint.h:34
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1420
SIG_FLAG_DSIZE
#define SIG_FLAG_DSIZE
Definition: detect.h:247
SIG_FLAG_REQUIRE_PACKET
#define SIG_FLAG_REQUIRE_PACKET
Definition: detect.h:253