51 static void DsizeRegisterTests(
void);
56 static bool PrefilterDsizeIsPrefilterable(
const Signature *s);
126 "the same sig. Invalidating signature.");
142 SCLogError(
"Failed to allocate memory for SigMatch");
143 rs_detect_u16_free(dd);
152 SCLogDebug(
"dd->arg1 %" PRIu16
", dd->arg2 %" PRIu16
", dd->mode %" PRIu8
"", dd->arg1,
176 rs_detect_u16_free(de_ptr);
189 if (!PrefilterPacketHeaderExtraMatch(ctx, p))
194 du16.mode = ctx->
v1.
u8[0];
195 du16.arg1 = ctx->
v1.
u16[1];
196 du16.arg2 = ctx->
v1.
u16[2];
210 static bool PrefilterDsizeIsPrefilterable(
const Signature *s)
255 uint16_t high = 65535;
288 SCLogDebug(
"low %u, high %u, mode %u", low, high, dd->mode);
321 if (total_length > dsize) {
322 SCLogDebug(
"required_dsize: %d exceeds dsize: %d", total_length, dsize);
326 if ((total_length +
offset) > dsize) {
327 SCLogDebug(
"length + offset: %d exceeds dsize: %d", total_length +
offset, dsize);
328 return total_length +
offset;
352 for ( ; sm != NULL; sm = sm->
next) {
364 cd->
depth = (uint16_t)dsize;
365 SCLogDebug(
"updated %u, content %u to have depth %u "
366 "because of dsize.", s->
id, cd->
id, cd->
depth);
386 static int DsizeTestParse01(
void)
393 DetectDsizeFree(NULL, dd);
401 static int DsizeTestParse02(
void)
407 DetectDsizeFree(NULL, dd);
415 static int DsizeTestParse03(
void)
422 DetectDsizeFree(NULL, dd);
430 static int DsizeTestParse04(
void)
438 DetectDsizeFree(NULL, dd);
446 static int DsizeTestParse05(
void)
454 DetectDsizeFree(NULL, dd);
462 static int DsizeTestParse06(
void)
469 DetectDsizeFree(NULL, dd);
477 static int DsizeTestParse07(
void)
484 DetectDsizeFree(NULL, dd);
492 static int DsizeTestParse08(
void)
499 DetectDsizeFree(NULL, dd);
507 static int DsizeTestParse09(
void)
511 DetectDsizeFree(NULL, dd);
519 static int DsizeTestParse10(
void)
523 DetectDsizeFree(NULL, dd);
532 static int DsizeTestParse11(
void)
/* Table of dsize argument strings walked by the loop that follows; the
 * trailing NULL is the sentinel that ends that loop.
 * NOTE(review): every entry looks malformed (non-numeric text, stacked
 * operators, a range with a missing bound, empty and blank input, an
 * inverted range "2<>1", a dangling '!'), so this is presumably a negative
 * parser test. The loop body is not visible here -- confirm that each
 * string is expected to be rejected. */
534 const char *strings[] = {
"A",
">10<>10",
"<>10",
"1<>",
"",
" ",
"2<>1",
"1!", NULL };
535 for (
int i = 0; strings[i]; i++) {
547 static int DsizeTestMatch01(
void)
550 uint16_t dsizelow = 2;
551 uint16_t dsizehigh = 0;
554 du16.arg1 = dsizelow;
555 du16.arg2 = dsizehigh;
565 static int DsizeTestMatch02(
void)
568 uint16_t dsizelow = 1;
569 uint16_t dsizehigh = 0;
572 du16.arg1 = dsizelow;
573 du16.arg2 = dsizehigh;
584 static int DetectDsizeIcmpv6Test01(
void)
/* Hand-built 88-byte test packet: a 40-byte IPv6 header, an 8-byte ICMPv6
 * header, and a 40-byte embedded IPv6 header carried as the ICMPv6 body.
 * The outer payload length field (0x0030 = 48) equals the 8 + 40 bytes that
 * follow the outer header.
 * NOTE(review): the rules further down use dsize:>8 (sid 1) and dsize:>800
 * (sid 2); presumably only sid 1 is expected to alert, but the assertions
 * are not visible here -- confirm. */
586 static uint8_t raw_icmpv6[] = {
587 0x60, 0x00, 0x00, 0x00, 0x00, 0x30, 0x3a, 0xff, /* outer IPv6: version 6, payload length 0x0030, next header 0x3a (ICMPv6), hop limit 0xff */
588 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* outer source address, all zero (::) */
589 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
590 0xff, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* outer destination address ff02::1 */
591 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
592 0x01, 0x00, 0x7b, 0x85, 0x00, 0x00, 0x00, 0x00, /* ICMPv6: type 0x01, code 0x00, checksum 0x7b85, then four zero bytes */
593 0x60, 0x4b, 0xe8, 0xbd, 0x00, 0x00, 0x3b, 0xff, /* embedded IPv6: version 6, payload length 0, next header 0x3b, hop limit 0xff */
594 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* embedded source address, all zero (::) */
595 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
596 0xff, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* embedded destination address ff02::1 */
597 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 };
610 memset(&ip6h, 0,
sizeof(
IPV6Hdr));
626 "alert icmp any any -> any any "
627 "(msg:\"ICMP Large ICMP Packet\"; dsize:>8; sid:1; rev:4;)");
631 "alert icmp any any -> any any "
632 "(msg:\"ICMP Large ICMP Packet\"; dsize:>800; sid:2; rev:4;)");
655 static void DsizeRegisterTests(
void)
671 UtRegisterTest(
"DetectDsizeIcmpv6Test01", DetectDsizeIcmpv6Test01);
void DetectDsizeRegister(void)
Registration function for dsize: keyword.
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
void PrefilterPacketU16Set(PrefilterPacketHeaderValue *v, void *smctx)
void(* Free)(DetectEngineCtx *, void *)
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Container for matching data for a signature group.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
int SigParseGetMaxDsize(const Signature *s)
get max dsize "depth"
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
void PacketRecycle(Packet *p)
main detection engine ctx
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx.
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
void FlowInitConfig(bool quiet)
initialize the configuration
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
#define PASS
Pass the test.
#define DETECT_CONTENT_DEPTH
Per thread variable structure.
void SigParseSetDsizePair(Signature *s)
set prefilter dsize pair
int DecodeIPV6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint16_t len)
SignatureInitData * init_data
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
struct SigMatch_ ** smlists
SigMatch * SigMatchAlloc(void)
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Used to start a pointer to SigMatch context. Should never be dereferenced without casting to something...
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
int DetectU16Match(const uint16_t parg, const DetectUintData_u16 *du16)
DetectUintData_u16 * DetectU16Parse(const char *u16str)
This function is used to parse u16 options passed via some u16 keyword.
bool PrefilterPacketU16Compare(PrefilterPacketHeaderValue v, void *smctx)
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
void FlowShutdown(void)
shutdown the flow engine
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
int PrefilterSetupPacketHeader(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type, void(*Set)(PrefilterPacketHeaderValue *v, void *), bool(*Compare)(PrefilterPacketHeaderValue v, void *), void(*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
void SigParseRequiredContentSize(const Signature *s, const int max_size, int list, int *len, int *offset)
#define SCLogError(...)
Macro used to log ERROR messages.
Structure to hold thread specific data for all decode modules.
bool(* SupportsPrefilter)(const Signature *s)
a single match condition for a signature
DetectEngineCtx * DetectEngineCtxInit(void)
void SigParseApplyDsizeToContent(Signature *s)
Apply dsize as depth to content matches in the rule.
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
DetectUintData_u16 DetectU16Data
int SigParseMaxRequiredDsize(const Signature *s)
Determine the required dsize for the signature.
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
void(* RegisterTests)(void)
#define SIG_FLAG_REQUIRE_PACKET