suricata
detect-dsize.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Implements the dsize keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 
29 #include "detect.h"
30 #include "detect-parse.h"
32 #include "detect-engine-build.h"
33 
34 #include "flow-var.h"
35 
36 #include "detect-content.h"
37 #include "detect-dsize.h"
38 
39 #include "util-unittest.h"
40 #include "util-debug.h"
41 #include "util-byte.h"
42 
43 #include "pkt-var.h"
44 #include "host.h"
45 #include "util-profiling.h"
46 
47 static int DetectDsizeMatch (DetectEngineThreadCtx *, Packet *,
48  const Signature *, const SigMatchCtx *);
49 static int DetectDsizeSetup (DetectEngineCtx *, Signature *s, const char *str);
50 #ifdef UNITTESTS
51 static void DsizeRegisterTests(void);
52 #endif
53 static void DetectDsizeFree(DetectEngineCtx *, void *);
54 
55 static int PrefilterSetupDsize(DetectEngineCtx *de_ctx, SigGroupHead *sgh);
56 static bool PrefilterDsizeIsPrefilterable(const Signature *s);
57 
58 /**
59  * \brief Registration function for dsize: keyword
60  */
62 {
63  sigmatch_table[DETECT_DSIZE].name = "dsize";
64  sigmatch_table[DETECT_DSIZE].desc = "match on the size of the packet payload";
65  sigmatch_table[DETECT_DSIZE].url = "/rules/payload-keywords.html#dsize";
66  sigmatch_table[DETECT_DSIZE].Match = DetectDsizeMatch;
67  sigmatch_table[DETECT_DSIZE].Setup = DetectDsizeSetup;
68  sigmatch_table[DETECT_DSIZE].Free = DetectDsizeFree;
69 #ifdef UNITTESTS
70  sigmatch_table[DETECT_DSIZE].RegisterTests = DsizeRegisterTests;
71 #endif
72  sigmatch_table[DETECT_DSIZE].SupportsPrefilter = PrefilterDsizeIsPrefilterable;
73  sigmatch_table[DETECT_DSIZE].SetupPrefilter = PrefilterSetupDsize;
74 }
75 
76 /**
77  * \internal
78  * \brief This function is used to match flags on a packet with those passed via dsize:
79  *
80  * \param t pointer to thread vars
81  * \param det_ctx pointer to the pattern matcher thread
82  * \param p pointer to the current packet
83  * \param s pointer to the Signature
84  * \param m pointer to the sigmatch
85  *
86  * \retval 0 no match
87  * \retval 1 match
88  */
89 static int DetectDsizeMatch (DetectEngineThreadCtx *det_ctx, Packet *p,
90  const Signature *s, const SigMatchCtx *ctx)
91 {
92  SCEnter();
93  int ret = 0;
94 
95  if (PKT_IS_PSEUDOPKT(p)) {
96  SCReturnInt(0);
97  }
98 
99  const DetectU16Data *dd = (const DetectU16Data *)ctx;
100 
101  SCLogDebug("p->payload_len %"PRIu16"", p->payload_len);
102 
103  ret = DetectU16Match(p->payload_len, dd);
104 
105  SCReturnInt(ret);
106 }
107 
108 /**
109  * \internal
110  * \brief this function is used to add the parsed dsize into the current signature
111  *
112  * \param de_ctx pointer to the Detection Engine Context
113  * \param s pointer to the Current Signature
114  * \param rawstr pointer to the user provided flags options
115  *
116  * \retval 0 on Success
117  * \retval -1 on Failure
118  */
119 static int DetectDsizeSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
120 {
121  DetectU16Data *dd = NULL;
122  SigMatch *sm = NULL;
123 
125  SCLogError("Can't use 2 or more dsizes in "
126  "the same sig. Invalidating signature.");
127  goto error;
128  }
129 
130  SCLogDebug("\'%s\'", rawstr);
131 
132  dd = DetectU16Parse(rawstr);
133  if (dd == NULL) {
134  SCLogError("Parsing \'%s\' failed", rawstr);
135  goto error;
136  }
137 
138  /* Okay so far so good, lets get this into a SigMatch
139  * and put it in the Signature. */
140  sm = SigMatchAlloc();
141  if (sm == NULL){
142  SCLogError("Failed to allocate memory for SigMatch");
143  rs_detect_u16_free(dd);
144  goto error;
145  }
146 
147  sm->type = DETECT_DSIZE;
148  sm->ctx = (SigMatchCtx *)dd;
149 
151 
152  SCLogDebug("dd->arg1 %" PRIu16 ", dd->arg2 %" PRIu16 ", dd->mode %" PRIu8 "", dd->arg1,
153  dd->arg2, dd->mode);
154  /* tell the sig it has a dsize to speed up engine init */
156  s->flags |= SIG_FLAG_DSIZE;
157 
158  if (s->init_data->dsize_sm == NULL) {
159  s->init_data->dsize_sm = sm;
160  }
161 
162  return 0;
163 
164 error:
165  return -1;
166 }
167 
168 /**
169  * \internal
170  * \brief this function will free memory associated with DetectU16Data
171  *
172  * \param de pointer to DetectU16Data
173  */
174 void DetectDsizeFree(DetectEngineCtx *de_ctx, void *de_ptr)
175 {
176  rs_detect_u16_free(de_ptr);
177 }
178 
179 /* prefilter code */
180 
181 static void
182 PrefilterPacketDsizeMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)
183 {
184  if (PKT_IS_PSEUDOPKT(p)) {
185  SCReturn;
186  }
187 
188  const PrefilterPacketHeaderCtx *ctx = pectx;
189  if (!PrefilterPacketHeaderExtraMatch(ctx, p))
190  return;
191 
192  const uint16_t dsize = p->payload_len;
193  DetectU16Data du16;
194  du16.mode = ctx->v1.u8[0];
195  du16.arg1 = ctx->v1.u16[1];
196  du16.arg2 = ctx->v1.u16[2];
197 
198  if (DetectU16Match(dsize, &du16)) {
199  SCLogDebug("packet matches dsize %u", dsize);
200  PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);
201  }
202 }
203 
204 static int PrefilterSetupDsize(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
205 {
207  PrefilterPacketU16Compare, PrefilterPacketDsizeMatch);
208 }
209 
210 static bool PrefilterDsizeIsPrefilterable(const Signature *s)
211 {
212  const SigMatch *sm;
213  for (sm = s->init_data->smlists[DETECT_SM_LIST_MATCH] ; sm != NULL; sm = sm->next) {
214  switch (sm->type) {
215  case DETECT_DSIZE:
216  return true;
217  }
218  }
219  return false;
220 }
221 
222 /** \brief get max dsize "depth"
223  * \param s signature to get dsize value from
224  * \retval depth or negative value
225  */
227 {
228  if (s->flags & SIG_FLAG_DSIZE && s->init_data->dsize_sm != NULL) {
229  const DetectU16Data *dd = (const DetectU16Data *)s->init_data->dsize_sm->ctx;
230 
231  switch (dd->mode) {
232  case DETECT_UINT_LT:
233  case DETECT_UINT_EQ:
234  case DETECT_UINT_NE:
235  return dd->arg1;
236  case DETECT_UINT_RA:
237  return dd->arg2;
238  case DETECT_UINT_GT:
239  default:
240  SCReturnInt(-2);
241  }
242  }
243  SCReturnInt(-1);
244 }
245 
246 /** \brief set prefilter dsize pair
247  * \param s signature to get dsize value from
248  */
250 {
251  if (s->flags & SIG_FLAG_DSIZE && s->init_data->dsize_sm != NULL) {
253 
254  uint16_t low = 0;
255  uint16_t high = 65535;
256 
257  switch (dd->mode) {
258  case DETECT_UINT_LT:
259  low = 0;
260  high = dd->arg1;
261  break;
262  case DETECT_UINT_LTE:
263  low = 0;
264  high = dd->arg1 + 1;
265  break;
266  case DETECT_UINT_EQ:
267  case DETECT_UINT_NE:
268  low = dd->arg1;
269  high = dd->arg1;
270  break;
271  case DETECT_UINT_RA:
272  low = dd->arg1;
273  high = dd->arg2;
274  break;
275  case DETECT_UINT_GT:
276  low = dd->arg1;
277  high = 65535;
278  break;
279  case DETECT_UINT_GTE:
280  low = dd->arg1 - 1;
281  high = 65535;
282  break;
283  }
284  s->dsize_mode = dd->mode;
285  s->dsize_low = low;
286  s->dsize_high = high;
287 
288  SCLogDebug("low %u, high %u, mode %u", low, high, dd->mode);
289  }
290 }
291 
292 /**
293  * \brief Determine the required dsize for the signature
294  * \param s signature to get dsize value from
295  *
296  * Note that negated content does not contribute to the maximum
297  * required dsize value. However, each negated content's values
298  * must not exceed the dsize value. See SigParseRequiredContentSize.
299  *
300  * \retval -1 Signature doesn't have a dsize keyword
301  * \retval >= 0 Dsize value required to not exclude content matches
302  */
304 {
305  SCEnter();
306 
307  if (!(s->flags & SIG_FLAG_DSIZE)) {
308  SCReturnInt(-1);
309  }
310 
311  const int dsize = SigParseGetMaxDsize(s);
312  if (dsize < 0) {
313  /* nothing to do */
314  SCReturnInt(-1);
315  }
316 
317  int total_length, offset;
319  s, dsize, s->init_data->smlists[DETECT_SM_LIST_PMATCH], &total_length, &offset);
320  SCLogDebug("dsize: %d len: %d; offset: %d [%s]", dsize, total_length, offset, s->sig_str);
321 
322  if (total_length > dsize) {
323  SCLogDebug("required_dsize: %d exceeds dsize: %d", total_length, dsize);
324  return total_length;
325  }
326 
327  if ((total_length + offset) > dsize) {
328  SCLogDebug("length + offset: %d exceeds dsize: %d", total_length + offset, dsize);
329  return total_length + offset;
330  }
331 
332  SCReturnInt(-1);
333 }
334 
335 /**
336  * \brief Apply dsize as depth to content matches in the rule
337  * \param s signature to get dsize value from
338  */
340 {
341  SCEnter();
342 
343  if (s->flags & SIG_FLAG_DSIZE) {
345 
346  int dsize = SigParseGetMaxDsize(s);
347  if (dsize < 0) {
348  /* nothing to do */
349  return;
350  }
351 
353  for ( ; sm != NULL; sm = sm->next) {
354  if (sm->type != DETECT_CONTENT) {
355  continue;
356  }
357 
359  if (cd == NULL) {
360  continue;
361  }
362 
363  if (cd->depth == 0 || cd->depth >= dsize) {
365  cd->depth = (uint16_t)dsize;
366  SCLogDebug("updated %u, content %u to have depth %u "
367  "because of dsize.", s->id, cd->id, cd->depth);
368  }
369  }
370  }
371 }
372 
373 /*
374  * ONLY TESTS BELOW THIS COMMENT
375  */
376 
377 #ifdef UNITTESTS
378 #include "util-unittest-helper.h"
379 #include "detect-engine.h"
380 #include "detect-engine-alert.h"
381 #include "packet.h"
382 
383 /**
384  * \test this is a test for a valid dsize value 1
385  *
386  */
387 static int DsizeTestParse01(void)
388 {
389  DetectU16Data *dd = DetectU16Parse("1");
390  FAIL_IF_NULL(dd);
391  FAIL_IF_NOT(dd->arg1 == 1);
392  FAIL_IF_NOT(dd->arg2 == 0);
393 
394  DetectDsizeFree(NULL, dd);
395  PASS;
396 }
397 
398 /**
399  * \test this is a test for a valid dsize value >10
400  *
401  */
402 static int DsizeTestParse02(void)
403 {
404  DetectU16Data *dd = DetectU16Parse(">10");
405  FAIL_IF_NULL(dd);
406  FAIL_IF_NOT(dd->arg1 == 10);
407  FAIL_IF_NOT(dd->mode == DETECT_UINT_GT);
408  DetectDsizeFree(NULL, dd);
409  PASS;
410 }
411 
412 /**
413  * \test this is a test for a valid dsize value <100
414  *
415  */
416 static int DsizeTestParse03(void)
417 {
418  DetectU16Data *dd = DetectU16Parse("<100");
419  FAIL_IF_NULL(dd);
420  FAIL_IF_NOT(dd->arg1 == 100);
421  FAIL_IF_NOT(dd->mode == DETECT_UINT_LT);
422 
423  DetectDsizeFree(NULL, dd);
424  PASS;
425 }
426 
427 /**
428  * \test this is a test for a valid dsize value 1<>3
429  *
430  */
431 static int DsizeTestParse04(void)
432 {
433  DetectU16Data *dd = DetectU16Parse("1<>3");
434  FAIL_IF_NULL(dd);
435  FAIL_IF_NOT(dd->arg1 == 1);
436  FAIL_IF_NOT(dd->arg2 == 3);
437  FAIL_IF_NOT(dd->mode == DETECT_UINT_RA);
438 
439  DetectDsizeFree(NULL, dd);
440  PASS;
441 }
442 
443 /**
444  * \test this is a test for a valid dsize value 1 <> 3
445  *
446  */
447 static int DsizeTestParse05(void)
448 {
449  DetectU16Data *dd = DetectU16Parse(" 1 <> 3 ");
450  FAIL_IF_NULL(dd);
451  FAIL_IF_NOT(dd->arg1 == 1);
452  FAIL_IF_NOT(dd->arg2 == 3);
453  FAIL_IF_NOT(dd->mode == DETECT_UINT_RA);
454 
455  DetectDsizeFree(NULL, dd);
456  PASS;
457 }
458 
459 /**
460  * \test this is test for a valid dsize value > 2
461  *
462  */
463 static int DsizeTestParse06(void)
464 {
465  DetectU16Data *dd = DetectU16Parse("> 2 ");
466  FAIL_IF_NULL(dd);
467  FAIL_IF_NOT(dd->arg1 == 2);
468  FAIL_IF_NOT(dd->mode == DETECT_UINT_GT);
469 
470  DetectDsizeFree(NULL, dd);
471  PASS;
472 }
473 
474 /**
475  * \test test for a valid dsize value < 12
476  *
477  */
478 static int DsizeTestParse07(void)
479 {
480  DetectU16Data *dd = DetectU16Parse("< 12 ");
481  FAIL_IF_NULL(dd);
482  FAIL_IF_NOT(dd->arg1 == 12);
483  FAIL_IF_NOT(dd->mode == DETECT_UINT_LT);
484 
485  DetectDsizeFree(NULL, dd);
486  PASS;
487 }
488 
489 /**
490  * \test test for a valid dsize value 12
491  *
492  */
493 static int DsizeTestParse08(void)
494 {
495  DetectU16Data *dd = DetectU16Parse(" 12 ");
496  FAIL_IF_NULL(dd);
497  FAIL_IF_NOT(dd->arg1 == 12);
498  FAIL_IF_NOT(dd->mode == DETECT_UINT_EQ);
499 
500  DetectDsizeFree(NULL, dd);
501  PASS;
502 }
503 
504 /**
505  * \test this is a test for a valid dsize value !1
506  *
507  */
508 static int DsizeTestParse09(void)
509 {
510  DetectU16Data *dd = DetectU16Parse("!1");
511  FAIL_IF_NULL(dd);
512  DetectDsizeFree(NULL, dd);
513  PASS;
514 }
515 
516 /**
517  * \test this is a test for a valid dsize value ! 1
518  *
519  */
520 static int DsizeTestParse10(void)
521 {
522  DetectU16Data *dd = DetectU16Parse("! 1");
523  FAIL_IF_NULL(dd);
524  DetectDsizeFree(NULL, dd);
525  PASS;
526 }
527 
528 /**
529  * \test this is a test for invalid dsize values
530  * A, >10<>10, <>10, 1<>, "", " ", 2<>1, 1!
531  *
532  */
533 static int DsizeTestParse11(void)
534 {
535  const char *strings[] = { "A", ">10<>10", "<>10", "1<>", "", " ", "2<>1", "1!", NULL };
536  for (int i = 0; strings[i]; i++) {
537  DetectU16Data *dd = DetectU16Parse(strings[i]);
538  FAIL_IF_NOT_NULL(dd);
539  }
540 
541  PASS;
542 }
543 
544 /**
545  * \test this is a test for positive ! dsize matching
546  *
547  */
548 static int DsizeTestMatch01(void)
549 {
550  uint16_t psize = 1;
551  uint16_t dsizelow = 2;
552  uint16_t dsizehigh = 0;
553  DetectU16Data du16;
554  du16.mode = DETECT_UINT_NE;
555  du16.arg1 = dsizelow;
556  du16.arg2 = dsizehigh;
557  FAIL_IF_NOT(DetectU16Match(psize, &du16));
558 
559  PASS;
560 }
561 
562 /**
563  * \test this is a test for negative ! dsize matching
564  *
565  */
566 static int DsizeTestMatch02(void)
567 {
568  uint16_t psize = 1;
569  uint16_t dsizelow = 1;
570  uint16_t dsizehigh = 0;
571  DetectU16Data du16;
572  du16.mode = DETECT_UINT_NE;
573  du16.arg1 = dsizelow;
574  du16.arg2 = dsizehigh;
575  FAIL_IF(DetectU16Match(psize, &du16));
576 
577  PASS;
578 }
579 
580 /**
581  * \test DetectDsizeIcmpv6Test01 is a test for checking the working of
582  * dsize keyword by creating 2 rules and matching a crafted packet
583  * against them. Only the first one shall trigger.
584  */
585 static int DetectDsizeIcmpv6Test01(void)
586 {
587  static uint8_t raw_icmpv6[] = {
588  0x60, 0x00, 0x00, 0x00, 0x00, 0x30, 0x3a, 0xff,
589  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
590  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
591  0xff, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
592  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
593  0x01, 0x00, 0x7b, 0x85, 0x00, 0x00, 0x00, 0x00,
594  0x60, 0x4b, 0xe8, 0xbd, 0x00, 0x00, 0x3b, 0xff,
595  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
596  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
597  0xff, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
598  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 };
599 
600  Packet *p = PacketGetFromAlloc();
601  FAIL_IF_NULL(p);
602 
603  IPV6Hdr ip6h;
604  ThreadVars tv;
606  ThreadVars th_v;
607  DetectEngineThreadCtx *det_ctx = NULL;
608 
609  memset(&tv, 0, sizeof(ThreadVars));
610  memset(&dtv, 0, sizeof(DecodeThreadVars));
611  memset(&ip6h, 0, sizeof(IPV6Hdr));
612  memset(&th_v, 0, sizeof(ThreadVars));
613 
615  p->src.family = AF_INET6;
616  p->dst.family = AF_INET6;
617  p->ip6h = &ip6h;
618 
619  DecodeIPV6(&tv, &dtv, p, raw_icmpv6, sizeof(raw_icmpv6));
620 
623 
624  de_ctx->flags |= DE_QUIET;
625 
627  "alert icmp any any -> any any "
628  "(msg:\"ICMP Large ICMP Packet\"; dsize:>8; sid:1; rev:4;)");
629  FAIL_IF_NULL(s);
630 
632  "alert icmp any any -> any any "
633  "(msg:\"ICMP Large ICMP Packet\"; dsize:>800; sid:2; rev:4;)");
634  FAIL_IF_NULL(s);
635 
637  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
638 
639  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
640  FAIL_IF(PacketAlertCheck(p, 1) == 0);
641  FAIL_IF(PacketAlertCheck(p, 2));
642 
643  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
645 
646  PacketRecycle(p);
647  FlowShutdown();
648  SCFree(p);
649 
650  PASS;
651 }
652 
653 /**
654  * \brief this function registers unit tests for dsize
655  */
656 static void DsizeRegisterTests(void)
657 {
658  UtRegisterTest("DsizeTestParse01", DsizeTestParse01);
659  UtRegisterTest("DsizeTestParse02", DsizeTestParse02);
660  UtRegisterTest("DsizeTestParse03", DsizeTestParse03);
661  UtRegisterTest("DsizeTestParse04", DsizeTestParse04);
662  UtRegisterTest("DsizeTestParse05", DsizeTestParse05);
663  UtRegisterTest("DsizeTestParse06", DsizeTestParse06);
664  UtRegisterTest("DsizeTestParse07", DsizeTestParse07);
665  UtRegisterTest("DsizeTestParse08", DsizeTestParse08);
666  UtRegisterTest("DsizeTestParse09", DsizeTestParse09);
667  UtRegisterTest("DsizeTestParse10", DsizeTestParse10);
668  UtRegisterTest("DsizeTestParse11", DsizeTestParse11);
669  UtRegisterTest("DsizeTestMatch01", DsizeTestMatch01);
670  UtRegisterTest("DsizeTestMatch02", DsizeTestMatch02);
671 
672  UtRegisterTest("DetectDsizeIcmpv6Test01", DetectDsizeIcmpv6Test01);
673 }
674 #endif /* UNITTESTS */
util-byte.h
host.h
DetectDsizeRegister
void DetectDsizeRegister(void)
Registration function for dsize: keyword.
Definition: detect-dsize.c:61
SigTableElmt_::url
const char * url
Definition: detect.h:1287
detect-content.h
detect-engine.h
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:110
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:437
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:566
PrefilterPacketU16Set
void PrefilterPacketU16Set(PrefilterPacketHeaderValue *v, void *smctx)
Definition: detect-engine-uint.c:126
SigTableElmt_::desc
const char * desc
Definition: detect.h:1286
detect-dsize.h
Signature_::sig_str
char * sig_str
Definition: detect.h:651
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1274
SigTableElmt_::name
const char * name
Definition: detect.h:1284
PKT_IS_PSEUDOPKT
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1053
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1438
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DETECT_UINT_LT
#define DETECT_UINT_LT
Definition: detect-engine-uint.h:37
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:62
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
DETECT_UINT_NE
#define DETECT_UINT_NE
Definition: detect-engine-uint.h:36
SigParseGetMaxDsize
int SigParseGetMaxDsize(const Signature *s)
get max dsize "depth"
Definition: detect-dsize.c:226
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
PacketRecycle
void PacketRecycle(Packet *p)
Definition: packet.c:168
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1181
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:826
PrefilterPacketHeaderCtx_::sigs_array
SigIntId * sigs_array
Definition: detect-engine-prefilter-common.h:43
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2592
DETECT_UINT_EQ
#define DETECT_UINT_EQ
Definition: detect-engine-uint.h:35
PrefilterPacketHeaderValue::u8
uint8_t u8[16]
Definition: detect-engine-prefilter-common.h:24
DE_QUIET
#define DE_QUIET
Definition: detect.h:314
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1824
DetectContentData_
Definition: detect-content.h:93
PrefilterPacketHeaderCtx_::sigs_cnt
uint32_t sigs_cnt
Definition: detect-engine-prefilter-common.h:42
DETECT_UINT_GT
#define DETECT_UINT_GT
Definition: detect-engine-uint.h:32
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2569
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1269
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:578
Signature_::dsize_low
uint16_t dsize_low
Definition: detect.h:588
PrefilterPacketHeaderValue::u16
uint16_t u16[8]
Definition: detect-engine-prefilter-common.h:25
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
SigTableElmt_::SetupPrefilter
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
Definition: detect.h:1272
FlowInitConfig
void FlowInitConfig(bool quiet)
initialize the configuration
Definition: flow.c:549
PrefilterPacketHeaderCtx_
Definition: detect-engine-prefilter-common.h:35
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1074
DETECT_CONTENT_DEPTH
#define DETECT_CONTENT_DEPTH
Definition: detect-content.h:33
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
pkt-var.h
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:344
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:108
DetectContentData_::id
PatIntId id
Definition: detect-content.h:105
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:343
SigParseSetDsizePair
void SigParseSetDsizePair(Signature *s)
set prefilter dsize pair
Definition: detect-dsize.c:249
util-profiling.h
SCReturn
#define SCReturn
Definition: util-debug.h:273
Signature_::flags
uint32_t flags
Definition: detect.h:582
DetectContentData_::depth
uint16_t depth
Definition: detect-content.h:106
SigParseRequiredContentSize
void SigParseRequiredContentSize(const Signature *s, const int max_size, const SigMatch *sm, int *len, int *offset)
Definition: detect-content.c:411
IPV6Hdr_
Definition: decode-ipv6.h:32
Packet_
Definition: decode.h:430
detect-engine-build.h
DETECT_UINT_GTE
#define DETECT_UINT_GTE
Definition: detect-engine-uint.h:33
DecodeIPV6
int DecodeIPV6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint16_t len)
Definition: decode-ipv6.c:564
detect-engine-alert.h
DetectContentData_::flags
uint32_t flags
Definition: detect-content.h:104
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:653
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1252
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:322
DETECT_DSIZE
@ DETECT_DSIZE
Definition: detect-engine-register.h:52
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1973
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:33
PrefilterPacketHeaderCtx_::v1
PrefilterPacketHeaderValue v1
Definition: detect-engine-prefilter-common.h:36
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:335
SignatureInitData_::dsize_sm
SigMatch * dsize_sm
Definition: detect.h:540
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3308
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
DetectU16Match
int DetectU16Match(const uint16_t parg, const DetectUintData_u16 *du16)
Definition: detect-engine-uint.c:107
DetectU16Parse
DetectUintData_u16 * DetectU16Parse(const char *u16str)
This function is used to parse u16 options passed via some u16 keyword.
Definition: detect-engine-uint.c:121
PrefilterPacketU16Compare
bool PrefilterPacketU16Compare(PrefilterPacketHeaderValue v, void *smctx)
Definition: detect-engine-uint.c:134
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3522
SigMatch_::type
uint16_t type
Definition: detect.h:341
Signature_::dsize_high
uint16_t dsize_high
Definition: detect.h:589
FlowShutdown
void FlowShutdown(void)
shutdown the flow engine
Definition: flow.c:697
packet.h
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:129
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
PrefilterSetupPacketHeader
int PrefilterSetupPacketHeader(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type, void(*Set)(PrefilterPacketHeaderValue *v, void *), bool(*Compare)(PrefilterPacketHeaderValue v, void *), void(*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
Definition: detect-engine-prefilter-common.c:417
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:173
DETECT_UINT_LTE
#define DETECT_UINT_LTE
Definition: detect-engine-uint.h:38
str
#define str(s)
Definition: suricata-common.h:286
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:668
SigTableElmt_::SupportsPrefilter
bool(* SupportsPrefilter)(const Signature *s)
Definition: detect.h:1271
Signature_::id
uint32_t id
Definition: detect.h:616
detect-parse.h
Signature_
Signature container.
Definition: detect.h:581
SigMatch_
a single match condition for a signature
Definition: detect.h:340
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2553
Signature_::dsize_mode
uint8_t dsize_mode
Definition: detect.h:590
Address_::family
char family
Definition: decode.h:116
Packet_::dst
Address dst
Definition: decode.h:435
FLOW_QUIET
#define FLOW_QUIET
Definition: flow.h:41
SigParseApplyDsizeToContent
void SigParseApplyDsizeToContent(Signature *s)
Apply dsize as depth to content matches in the rule.
Definition: detect-dsize.c:339
DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition: detect-parse.c:586
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:828
detect-engine-prefilter-common.h
Packet_::ip6h
IPV6Hdr * ip6h
Definition: decode.h:537
DetectU16Data
DetectUintData_u16 DetectU16Data
Definition: detect-engine-uint.h:42
SigParseMaxRequiredDsize
int SigParseMaxRequiredDsize(const Signature *s)
Determine the required dsize for the signature.
Definition: detect-dsize.c:303
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
flow-var.h
Packet_::src
Address src
Definition: decode.h:434
DETECT_UINT_RA
#define DETECT_UINT_RA
Definition: detect-engine-uint.h:34
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1276
SIG_FLAG_DSIZE
#define SIG_FLAG_DSIZE
Definition: detect.h:237
SIG_FLAG_REQUIRE_PACKET
#define SIG_FLAG_REQUIRE_PACKET
Definition: detect.h:242