suricata
detect-dsize.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Implements the dsize keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 
29 #include "detect.h"
30 #include "detect-parse.h"
32 #include "detect-engine-build.h"
33 
34 #include "flow-var.h"
35 
36 #include "detect-content.h"
37 #include "detect-dsize.h"
38 
39 #include "util-unittest.h"
40 #include "util-debug.h"
41 #include "util-byte.h"
42 
43 #include "pkt-var.h"
44 #include "host.h"
45 #include "util-profiling.h"
46 
47 static int DetectDsizeMatch (DetectEngineThreadCtx *, Packet *,
48  const Signature *, const SigMatchCtx *);
49 static int DetectDsizeSetup (DetectEngineCtx *, Signature *s, const char *str);
50 #ifdef UNITTESTS
51 static void DsizeRegisterTests(void);
52 #endif
53 static void DetectDsizeFree(DetectEngineCtx *, void *);
54 
55 static int PrefilterSetupDsize(DetectEngineCtx *de_ctx, SigGroupHead *sgh);
56 static bool PrefilterDsizeIsPrefilterable(const Signature *s);
57 
58 /**
59  * \brief Registration function for dsize: keyword
60  */
62 {
63  sigmatch_table[DETECT_DSIZE].name = "dsize";
64  sigmatch_table[DETECT_DSIZE].desc = "match on the size of the packet payload";
65  sigmatch_table[DETECT_DSIZE].url = "/rules/payload-keywords.html#dsize";
66  sigmatch_table[DETECT_DSIZE].Match = DetectDsizeMatch;
67  sigmatch_table[DETECT_DSIZE].Setup = DetectDsizeSetup;
68  sigmatch_table[DETECT_DSIZE].Free = DetectDsizeFree;
69 #ifdef UNITTESTS
70  sigmatch_table[DETECT_DSIZE].RegisterTests = DsizeRegisterTests;
71 #endif
72  sigmatch_table[DETECT_DSIZE].SupportsPrefilter = PrefilterDsizeIsPrefilterable;
73  sigmatch_table[DETECT_DSIZE].SetupPrefilter = PrefilterSetupDsize;
74 }
75 
76 /**
77  * \internal
78  * \brief This function is used to match flags on a packet with those passed via dsize:
79  *
80  * \param t pointer to thread vars
81  * \param det_ctx pointer to the pattern matcher thread
82  * \param p pointer to the current packet
83  * \param s pointer to the Signature
84  * \param m pointer to the sigmatch
85  *
86  * \retval 0 no match
87  * \retval 1 match
88  */
89 static int DetectDsizeMatch (DetectEngineThreadCtx *det_ctx, Packet *p,
90  const Signature *s, const SigMatchCtx *ctx)
91 {
92  SCEnter();
93  int ret = 0;
94 
96 
97  const DetectU16Data *dd = (const DetectU16Data *)ctx;
98 
99  SCLogDebug("p->payload_len %"PRIu16"", p->payload_len);
100 
101  ret = DetectU16Match(p->payload_len, dd);
102 
103  SCReturnInt(ret);
104 }
105 
106 /**
107  * \internal
108  * \brief this function is used to add the parsed dsize into the current signature
109  *
110  * \param de_ctx pointer to the Detection Engine Context
111  * \param s pointer to the Current Signature
112  * \param rawstr pointer to the user provided flags options
113  *
114  * \retval 0 on Success
115  * \retval -1 on Failure
116  */
117 static int DetectDsizeSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
118 {
119  DetectU16Data *dd = NULL;
120 
122  SCLogError("Can't use 2 or more dsizes in "
123  "the same sig. Invalidating signature.");
124  return -1;
125  }
126 
127  SCLogDebug("\'%s\'", rawstr);
128 
129  dd = DetectU16Parse(rawstr);
130  if (dd == NULL) {
131  SCLogError("Parsing \'%s\' failed", rawstr);
132  return -1;
133  }
134 
135  /* Okay so far so good, lets get this into a SigMatch
136  * and put it in the Signature. */
139  if (sm == NULL) {
140  rs_detect_u16_free(dd);
141  return -1;
142  }
143 
144  SCLogDebug("dd->arg1 %" PRIu16 ", dd->arg2 %" PRIu16 ", dd->mode %" PRIu8 "", dd->arg1,
145  dd->arg2, dd->mode);
146  /* tell the sig it has a dsize to speed up engine init */
148  s->flags |= SIG_FLAG_DSIZE;
149 
150  if (s->init_data->dsize_sm == NULL) {
151  s->init_data->dsize_sm = sm;
152  }
153 
154  return 0;
155 }
156 
157 /**
158  * \internal
159  * \brief this function will free memory associated with DetectU16Data
160  *
161  * \param de pointer to DetectU16Data
162  */
163 void DetectDsizeFree(DetectEngineCtx *de_ctx, void *de_ptr)
164 {
165  rs_detect_u16_free(de_ptr);
166 }
167 
168 /* prefilter code */
169 
170 static void
171 PrefilterPacketDsizeMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)
172 {
173  const PrefilterPacketHeaderCtx *ctx = pectx;
174  if (!PrefilterPacketHeaderExtraMatch(ctx, p))
175  return;
176 
177  const uint16_t dsize = p->payload_len;
178  DetectU16Data du16;
179  du16.mode = ctx->v1.u8[0];
180  du16.arg1 = ctx->v1.u16[1];
181  du16.arg2 = ctx->v1.u16[2];
182 
183  if (DetectU16Match(dsize, &du16)) {
184  SCLogDebug("packet matches dsize %u", dsize);
185  PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);
186  }
187 }
188 
189 static int PrefilterSetupDsize(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
190 {
192  PrefilterPacketU16Set, PrefilterPacketU16Compare, PrefilterPacketDsizeMatch);
193 }
194 
195 static bool PrefilterDsizeIsPrefilterable(const Signature *s)
196 {
197  const SigMatch *sm;
198  for (sm = s->init_data->smlists[DETECT_SM_LIST_MATCH] ; sm != NULL; sm = sm->next) {
199  switch (sm->type) {
200  case DETECT_DSIZE:
201  return true;
202  }
203  }
204  return false;
205 }
206 
207 /** \brief get max dsize "depth"
208  * \param s signature to get dsize value from
209  * \retval depth or negative value
210  */
212 {
213  if (s->flags & SIG_FLAG_DSIZE && s->init_data->dsize_sm != NULL) {
214  const DetectU16Data *dd = (const DetectU16Data *)s->init_data->dsize_sm->ctx;
215 
216  switch (dd->mode) {
217  case DETECT_UINT_LT:
218  case DETECT_UINT_EQ:
219  case DETECT_UINT_NE:
220  return dd->arg1;
221  case DETECT_UINT_RA:
222  return dd->arg2;
223  case DETECT_UINT_GT:
224  default:
225  SCReturnInt(-2);
226  }
227  }
228  SCReturnInt(-1);
229 }
230 
231 /** \brief set prefilter dsize pair
232  * \param s signature to get dsize value from
233  */
235 {
236  if (s->flags & SIG_FLAG_DSIZE && s->init_data->dsize_sm != NULL) {
237  const DetectU16Data *dd = (const DetectU16Data *)s->init_data->dsize_sm->ctx;
238 
239  uint16_t low = 0;
240  uint16_t high = 65535;
241 
242  switch (dd->mode) {
243  case DETECT_UINT_LT:
244  low = 0;
245  high = dd->arg1;
246  break;
247  case DETECT_UINT_LTE:
248  low = 0;
249  high = dd->arg1 + 1;
250  break;
251  case DETECT_UINT_EQ:
252  case DETECT_UINT_NE:
253  low = dd->arg1;
254  high = dd->arg1;
255  break;
256  case DETECT_UINT_RA:
257  low = dd->arg1;
258  high = dd->arg2;
259  break;
260  case DETECT_UINT_GT:
261  low = dd->arg1;
262  high = 65535;
263  break;
264  case DETECT_UINT_GTE:
265  low = dd->arg1 - 1;
266  high = 65535;
267  break;
268  }
269  s->dsize_mode = dd->mode;
270  s->dsize_low = low;
271  s->dsize_high = high;
272 
273  SCLogDebug("low %u, high %u, mode %u", low, high, dd->mode);
274  }
275 }
276 
277 /**
278  * \brief Determine the required dsize for the signature
279  * \param s signature to get dsize value from
280  *
281  * Note that negated content does not contribute to the maximum
282  * required dsize value. However, each negated content's values
283  * must not exceed the dsize value. See SigParseRequiredContentSize.
284  *
285  * \retval -1 Signature doesn't have a dsize keyword
286  * \retval >= 0 Dsize value required to not exclude content matches
287  */
289 {
290  SCEnter();
291 
292  if (!(s->flags & SIG_FLAG_DSIZE)) {
293  SCReturnInt(-1);
294  }
295 
296  const int dsize = SigParseGetMaxDsize(s);
297  if (dsize < 0) {
298  /* nothing to do */
299  SCReturnInt(-1);
300  }
301 
302  int total_length, offset;
304  s, dsize, s->init_data->smlists[DETECT_SM_LIST_PMATCH], &total_length, &offset);
305  SCLogDebug("dsize: %d len: %d; offset: %d [%s]", dsize, total_length, offset, s->sig_str);
306 
307  if (total_length > dsize) {
308  SCLogDebug("required_dsize: %d exceeds dsize: %d", total_length, dsize);
309  return total_length;
310  }
311 
312  if ((total_length + offset) > dsize) {
313  SCLogDebug("length + offset: %d exceeds dsize: %d", total_length + offset, dsize);
314  return total_length + offset;
315  }
316 
317  SCReturnInt(-1);
318 }
319 
320 /**
321  * \brief Apply dsize as depth to content matches in the rule
322  * \param s signature to get dsize value from
323  */
325 {
326  SCEnter();
327 
328  if (s->flags & SIG_FLAG_DSIZE) {
330 
331  int dsize = SigParseGetMaxDsize(s);
332  if (dsize < 0) {
333  /* nothing to do */
334  return;
335  }
336 
338  for ( ; sm != NULL; sm = sm->next) {
339  if (sm->type != DETECT_CONTENT) {
340  continue;
341  }
342 
344  if (cd == NULL) {
345  continue;
346  }
347 
348  if (cd->depth == 0 || cd->depth >= dsize) {
350  cd->depth = (uint16_t)dsize;
351  SCLogDebug("updated %u, content %u to have depth %u "
352  "because of dsize.", s->id, cd->id, cd->depth);
353  }
354  }
355  }
356 }
357 
358 /*
359  * ONLY TESTS BELOW THIS COMMENT
360  */
361 
362 #ifdef UNITTESTS
363 #include "util-unittest-helper.h"
364 #include "detect-engine.h"
365 #include "detect-engine-alert.h"
366 #include "packet.h"
367 
368 /**
369  * \test this is a test for a valid dsize value 1
370  *
371  */
372 static int DsizeTestParse01(void)
373 {
374  DetectU16Data *dd = DetectU16Parse("1");
375  FAIL_IF_NULL(dd);
376  FAIL_IF_NOT(dd->arg1 == 1);
377  FAIL_IF_NOT(dd->arg2 == 0);
378 
379  DetectDsizeFree(NULL, dd);
380  PASS;
381 }
382 
383 /**
384  * \test this is a test for a valid dsize value >10
385  *
386  */
387 static int DsizeTestParse02(void)
388 {
389  DetectU16Data *dd = DetectU16Parse(">10");
390  FAIL_IF_NULL(dd);
391  FAIL_IF_NOT(dd->arg1 == 10);
392  FAIL_IF_NOT(dd->mode == DETECT_UINT_GT);
393  DetectDsizeFree(NULL, dd);
394  PASS;
395 }
396 
397 /**
398  * \test this is a test for a valid dsize value <100
399  *
400  */
401 static int DsizeTestParse03(void)
402 {
403  DetectU16Data *dd = DetectU16Parse("<100");
404  FAIL_IF_NULL(dd);
405  FAIL_IF_NOT(dd->arg1 == 100);
406  FAIL_IF_NOT(dd->mode == DETECT_UINT_LT);
407 
408  DetectDsizeFree(NULL, dd);
409  PASS;
410 }
411 
412 /**
413  * \test this is a test for a valid dsize value 1<>3
414  *
415  */
416 static int DsizeTestParse04(void)
417 {
418  DetectU16Data *dd = DetectU16Parse("1<>3");
419  FAIL_IF_NULL(dd);
420  FAIL_IF_NOT(dd->arg1 == 1);
421  FAIL_IF_NOT(dd->arg2 == 3);
422  FAIL_IF_NOT(dd->mode == DETECT_UINT_RA);
423 
424  DetectDsizeFree(NULL, dd);
425  PASS;
426 }
427 
428 /**
429  * \test this is a test for a valid dsize value 1 <> 3
430  *
431  */
432 static int DsizeTestParse05(void)
433 {
434  DetectU16Data *dd = DetectU16Parse(" 1 <> 3 ");
435  FAIL_IF_NULL(dd);
436  FAIL_IF_NOT(dd->arg1 == 1);
437  FAIL_IF_NOT(dd->arg2 == 3);
438  FAIL_IF_NOT(dd->mode == DETECT_UINT_RA);
439 
440  DetectDsizeFree(NULL, dd);
441  PASS;
442 }
443 
444 /**
445  * \test this is test for a valid dsize value > 2
446  *
447  */
448 static int DsizeTestParse06(void)
449 {
450  DetectU16Data *dd = DetectU16Parse("> 2 ");
451  FAIL_IF_NULL(dd);
452  FAIL_IF_NOT(dd->arg1 == 2);
453  FAIL_IF_NOT(dd->mode == DETECT_UINT_GT);
454 
455  DetectDsizeFree(NULL, dd);
456  PASS;
457 }
458 
459 /**
460  * \test test for a valid dsize value < 12
461  *
462  */
463 static int DsizeTestParse07(void)
464 {
465  DetectU16Data *dd = DetectU16Parse("< 12 ");
466  FAIL_IF_NULL(dd);
467  FAIL_IF_NOT(dd->arg1 == 12);
468  FAIL_IF_NOT(dd->mode == DETECT_UINT_LT);
469 
470  DetectDsizeFree(NULL, dd);
471  PASS;
472 }
473 
474 /**
475  * \test test for a valid dsize value 12
476  *
477  */
478 static int DsizeTestParse08(void)
479 {
480  DetectU16Data *dd = DetectU16Parse(" 12 ");
481  FAIL_IF_NULL(dd);
482  FAIL_IF_NOT(dd->arg1 == 12);
483  FAIL_IF_NOT(dd->mode == DETECT_UINT_EQ);
484 
485  DetectDsizeFree(NULL, dd);
486  PASS;
487 }
488 
489 /**
490  * \test this is a test for a valid dsize value !1
491  *
492  */
493 static int DsizeTestParse09(void)
494 {
495  DetectU16Data *dd = DetectU16Parse("!1");
496  FAIL_IF_NULL(dd);
497  DetectDsizeFree(NULL, dd);
498  PASS;
499 }
500 
501 /**
502  * \test this is a test for a valid dsize value ! 1
503  *
504  */
505 static int DsizeTestParse10(void)
506 {
507  DetectU16Data *dd = DetectU16Parse("! 1");
508  FAIL_IF_NULL(dd);
509  DetectDsizeFree(NULL, dd);
510  PASS;
511 }
512 
513 /**
514  * \test this is a test for invalid dsize values
515  * A, >10<>10, <>10, 1<>, "", " ", 2<>1, 1!
516  *
517  */
518 static int DsizeTestParse11(void)
519 {
520  const char *strings[] = { "A", ">10<>10", "<>10", "1<>", "", " ", "2<>1", "1!", NULL };
521  for (int i = 0; strings[i]; i++) {
522  DetectU16Data *dd = DetectU16Parse(strings[i]);
523  FAIL_IF_NOT_NULL(dd);
524  }
525 
526  PASS;
527 }
528 
529 /**
530  * \test this is a test for positive ! dsize matching
531  *
532  */
533 static int DsizeTestMatch01(void)
534 {
535  uint16_t psize = 1;
536  uint16_t dsizelow = 2;
537  uint16_t dsizehigh = 0;
538  DetectU16Data du16;
539  du16.mode = DETECT_UINT_NE;
540  du16.arg1 = dsizelow;
541  du16.arg2 = dsizehigh;
542  FAIL_IF_NOT(DetectU16Match(psize, &du16));
543 
544  PASS;
545 }
546 
547 /**
548  * \test this is a test for negative ! dsize matching
549  *
550  */
551 static int DsizeTestMatch02(void)
552 {
553  uint16_t psize = 1;
554  uint16_t dsizelow = 1;
555  uint16_t dsizehigh = 0;
556  DetectU16Data du16;
557  du16.mode = DETECT_UINT_NE;
558  du16.arg1 = dsizelow;
559  du16.arg2 = dsizehigh;
560  FAIL_IF(DetectU16Match(psize, &du16));
561 
562  PASS;
563 }
564 
565 /**
566  * \test DetectDsizeIcmpv6Test01 is a test for checking the working of
567  * dsize keyword by creating 2 rules and matching a crafted packet
568  * against them. Only the first one shall trigger.
569  */
570 static int DetectDsizeIcmpv6Test01(void)
571 {
572  static uint8_t raw_icmpv6[] = {
573  0x60, 0x00, 0x00, 0x00, 0x00, 0x30, 0x3a, 0xff,
574  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
575  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
576  0xff, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
577  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
578  0x01, 0x00, 0x7b, 0x85, 0x00, 0x00, 0x00, 0x00,
579  0x60, 0x4b, 0xe8, 0xbd, 0x00, 0x00, 0x3b, 0xff,
580  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
581  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
582  0xff, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
583  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 };
584 
585  Packet *p = PacketGetFromAlloc();
586  FAIL_IF_NULL(p);
587 
588  ThreadVars tv;
590  ThreadVars th_v;
591  DetectEngineThreadCtx *det_ctx = NULL;
592 
593  memset(&tv, 0, sizeof(ThreadVars));
594  memset(&dtv, 0, sizeof(DecodeThreadVars));
595  memset(&th_v, 0, sizeof(ThreadVars));
596 
598  p->src.family = AF_INET6;
599  p->dst.family = AF_INET6;
600 
601  DecodeIPV6(&tv, &dtv, p, raw_icmpv6, sizeof(raw_icmpv6));
602 
605 
606  de_ctx->flags |= DE_QUIET;
607 
609  "alert icmp any any -> any any "
610  "(msg:\"ICMP Large ICMP Packet\"; dsize:>8; sid:1; rev:4;)");
611  FAIL_IF_NULL(s);
612 
614  "alert icmp any any -> any any "
615  "(msg:\"ICMP Large ICMP Packet\"; dsize:>800; sid:2; rev:4;)");
616  FAIL_IF_NULL(s);
617 
619  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
620 
621  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
622  FAIL_IF(PacketAlertCheck(p, 1) == 0);
623  FAIL_IF(PacketAlertCheck(p, 2));
624 
625  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
627 
628  PacketRecycle(p);
629  FlowShutdown();
630  SCFree(p);
631 
632  PASS;
633 }
634 
635 /**
636  * \brief this function registers unit tests for dsize
637  */
638 static void DsizeRegisterTests(void)
639 {
640  UtRegisterTest("DsizeTestParse01", DsizeTestParse01);
641  UtRegisterTest("DsizeTestParse02", DsizeTestParse02);
642  UtRegisterTest("DsizeTestParse03", DsizeTestParse03);
643  UtRegisterTest("DsizeTestParse04", DsizeTestParse04);
644  UtRegisterTest("DsizeTestParse05", DsizeTestParse05);
645  UtRegisterTest("DsizeTestParse06", DsizeTestParse06);
646  UtRegisterTest("DsizeTestParse07", DsizeTestParse07);
647  UtRegisterTest("DsizeTestParse08", DsizeTestParse08);
648  UtRegisterTest("DsizeTestParse09", DsizeTestParse09);
649  UtRegisterTest("DsizeTestParse10", DsizeTestParse10);
650  UtRegisterTest("DsizeTestParse11", DsizeTestParse11);
651  UtRegisterTest("DsizeTestMatch01", DsizeTestMatch01);
652  UtRegisterTest("DsizeTestMatch02", DsizeTestMatch02);
653 
654  UtRegisterTest("DetectDsizeIcmpv6Test01", DetectDsizeIcmpv6Test01);
655 }
656 #endif /* UNITTESTS */
util-byte.h
host.h
DetectDsizeRegister
void DetectDsizeRegister(void)
Registration function for dsize: keyword.
Definition: detect-dsize.c:61
SigTableElmt_::url
const char * url
Definition: detect.h:1312
detect-content.h
detect-engine.h
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:116
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SIG_MASK_REQUIRE_REAL_PKT
#define SIG_MASK_REQUIRE_REAL_PKT
Definition: detect.h:306
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:588
PrefilterPacketU16Set
void PrefilterPacketU16Set(PrefilterPacketHeaderValue *v, void *smctx)
Definition: detect-engine-uint.c:126
SigTableElmt_::desc
const char * desc
Definition: detect.h:1311
detect-dsize.h
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:128
Signature_::sig_str
char * sig_str
Definition: detect.h:670
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1299
SigTableElmt_::name
const char * name
Definition: detect.h:1309
PKT_IS_PSEUDOPKT
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1321
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1465
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DETECT_UINT_LT
#define DETECT_UINT_LT
Definition: detect-engine-uint.h:37
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:72
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
DETECT_UINT_NE
#define DETECT_UINT_NE
Definition: detect-engine-uint.h:36
SigParseGetMaxDsize
int SigParseGetMaxDsize(const Signature *s)
get max dsize "depth"
Definition: detect-dsize.c:211
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
PacketRecycle
void PacketRecycle(Packet *p)
Definition: packet.c:143
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1205
ctx
struct Thresholds ctx
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:843
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2623
DETECT_UINT_EQ
#define DETECT_UINT_EQ
Definition: detect-engine-uint.h:35
DE_QUIET
#define DE_QUIET
Definition: detect.h:323
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1950
DetectContentData_
Definition: detect-content.h:93
DETECT_UINT_GT
#define DETECT_UINT_GT
Definition: detect-engine-uint.h:32
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2591
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1294
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:575
Signature_::dsize_low
uint16_t dsize_low
Definition: detect.h:610
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
SigTableElmt_::SetupPrefilter
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
Definition: detect.h:1297
FlowInitConfig
void FlowInitConfig(bool quiet)
initialize the configuration
Definition: flow.c:533
PrefilterPacketHeaderCtx_
Definition: detect-engine-prefilter-common.h:35
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1098
DETECT_CONTENT_DEPTH
#define DETECT_CONTENT_DEPTH
Definition: detect-content.h:33
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
pkt-var.h
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3365
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:353
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:114
DetectContentData_::id
PatIntId id
Definition: detect-content.h:105
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:352
SigParseSetDsizePair
void SigParseSetDsizePair(Signature *s)
set prefilter dsize pair
Definition: detect-dsize.c:234
util-profiling.h
Signature_::flags
uint32_t flags
Definition: detect.h:604
DetectContentData_::depth
uint16_t depth
Definition: detect-content.h:106
SigParseRequiredContentSize
void SigParseRequiredContentSize(const Signature *s, const int max_size, const SigMatch *sm, int *len, int *offset)
Determine the size needed to accommodate the content elements of a signature.
Definition: detect-content.c:408
Packet_
Definition: decode.h:476
detect-engine-build.h
DETECT_UINT_GTE
#define DETECT_UINT_GTE
Definition: detect-engine-uint.h:33
DecodeIPV6
int DecodeIPV6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint16_t len)
Definition: decode-ipv6.c:560
detect-engine-alert.h
DetectContentData_::flags
uint32_t flags
Definition: detect-content.h:104
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:672
PrefilterSetupPacketHeader
int PrefilterSetupPacketHeader(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type, SignatureMask mask, void(*Set)(PrefilterPacketHeaderValue *v, void *), bool(*Compare)(PrefilterPacketHeaderValue v, void *), void(*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
Definition: detect-engine-prefilter-common.c:404
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1277
DETECT_DSIZE
@ DETECT_DSIZE
Definition: detect-engine-register.h:54
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2145
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:33
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:344
SignatureInitData_::dsize_sm
SigMatch * dsize_sm
Definition: detect.h:559
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
DetectU16Match
int DetectU16Match(const uint16_t parg, const DetectUintData_u16 *du16)
Definition: detect-engine-uint.c:107
DetectU16Parse
DetectUintData_u16 * DetectU16Parse(const char *u16str)
This function is used to parse u16 options passed via some u16 keyword.
Definition: detect-engine-uint.c:121
PrefilterPacketU16Compare
bool PrefilterPacketU16Compare(PrefilterPacketHeaderValue v, void *smctx)
Definition: detect-engine-uint.c:134
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:350
Signature_::dsize_high
uint16_t dsize_high
Definition: detect.h:611
FlowShutdown
void FlowShutdown(void)
shutdown the flow engine
Definition: flow.c:680
packet.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3592
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:232
DETECT_UINT_LTE
#define DETECT_UINT_LTE
Definition: detect-engine-uint.h:38
str
#define str(s)
Definition: suricata-common.h:291
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:932
SigTableElmt_::SupportsPrefilter
bool(* SupportsPrefilter)(const Signature *s)
Definition: detect.h:1296
Signature_::id
uint32_t id
Definition: detect.h:638
detect-parse.h
Signature_
Signature container.
Definition: detect.h:603
SigMatch_
a single match condition for a signature
Definition: detect.h:349
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2584
Signature_::dsize_mode
uint8_t dsize_mode
Definition: detect.h:612
Address_::family
char family
Definition: decode.h:109
Packet_::dst
Address dst
Definition: decode.h:481
FLOW_QUIET
#define FLOW_QUIET
Definition: flow.h:43
SigParseApplyDsizeToContent
void SigParseApplyDsizeToContent(Signature *s)
Apply dsize as depth to content matches in the rule.
Definition: detect-dsize.c:324
DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition: detect-parse.c:607
SigMatchAppendSMToList
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:437
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:845
detect-engine-prefilter-common.h
DetectU16Data
DetectUintData_u16 DetectU16Data
Definition: detect-engine-uint.h:42
SigParseMaxRequiredDsize
int SigParseMaxRequiredDsize(const Signature *s)
Determine the required dsize for the signature.
Definition: detect-dsize.c:288
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
flow-var.h
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
Packet_::src
Address src
Definition: decode.h:480
DETECT_UINT_RA
#define DETECT_UINT_RA
Definition: detect-engine-uint.h:34
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1301
SIG_FLAG_DSIZE
#define SIG_FLAG_DSIZE
Definition: detect.h:245
SIG_FLAG_REQUIRE_PACKET
#define SIG_FLAG_REQUIRE_PACKET
Definition: detect.h:250