suricata
detect-dsize.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Implements the dsize keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 
29 #include "detect.h"
30 #include "detect-parse.h"
32 #include "detect-engine-build.h"
33 
34 #include "flow-var.h"
35 
36 #include "detect-content.h"
37 #include "detect-dsize.h"
38 
39 #include "util-unittest.h"
40 #include "util-debug.h"
41 #include "util-byte.h"
42 
43 #include "pkt-var.h"
44 #include "host.h"
45 #include "util-profiling.h"
46 
47 static int DetectDsizeMatch (DetectEngineThreadCtx *, Packet *,
48  const Signature *, const SigMatchCtx *);
49 static int DetectDsizeSetup (DetectEngineCtx *, Signature *s, const char *str);
50 #ifdef UNITTESTS
51 static void DsizeRegisterTests(void);
52 #endif
53 static void DetectDsizeFree(DetectEngineCtx *, void *);
54 
55 static int PrefilterSetupDsize(DetectEngineCtx *de_ctx, SigGroupHead *sgh);
56 static bool PrefilterDsizeIsPrefilterable(const Signature *s);
57 
58 /**
59  * \brief Registration function for dsize: keyword
60  */
62 {
63  sigmatch_table[DETECT_DSIZE].name = "dsize";
64  sigmatch_table[DETECT_DSIZE].desc = "match on the size of the packet payload";
65  sigmatch_table[DETECT_DSIZE].url = "/rules/payload-keywords.html#dsize";
66  sigmatch_table[DETECT_DSIZE].Match = DetectDsizeMatch;
67  sigmatch_table[DETECT_DSIZE].Setup = DetectDsizeSetup;
68  sigmatch_table[DETECT_DSIZE].Free = DetectDsizeFree;
69 #ifdef UNITTESTS
70  sigmatch_table[DETECT_DSIZE].RegisterTests = DsizeRegisterTests;
71 #endif
72  sigmatch_table[DETECT_DSIZE].SupportsPrefilter = PrefilterDsizeIsPrefilterable;
73  sigmatch_table[DETECT_DSIZE].SetupPrefilter = PrefilterSetupDsize;
74 }
75 
76 /**
77  * \internal
78  * \brief This function is used to match flags on a packet with those passed via dsize:
79  *
80  * \param t pointer to thread vars
81  * \param det_ctx pointer to the pattern matcher thread
82  * \param p pointer to the current packet
83  * \param s pointer to the Signature
84  * \param m pointer to the sigmatch
85  *
86  * \retval 0 no match
87  * \retval 1 match
88  */
89 static int DetectDsizeMatch (DetectEngineThreadCtx *det_ctx, Packet *p,
90  const Signature *s, const SigMatchCtx *ctx)
91 {
92  SCEnter();
93  int ret = 0;
94 
96 
97  const DetectU16Data *dd = (const DetectU16Data *)ctx;
98 
99  SCLogDebug("p->payload_len %"PRIu16"", p->payload_len);
100 
101  ret = DetectU16Match(p->payload_len, dd);
102 
103  SCReturnInt(ret);
104 }
105 
106 /**
107  * \internal
108  * \brief this function is used to add the parsed dsize into the current signature
109  *
110  * \param de_ctx pointer to the Detection Engine Context
111  * \param s pointer to the Current Signature
112  * \param rawstr pointer to the user provided flags options
113  *
114  * \retval 0 on Success
115  * \retval -1 on Failure
116  */
117 static int DetectDsizeSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
118 {
119  DetectU16Data *dd = NULL;
120 
122  SCLogError("Can't use 2 or more dsizes in "
123  "the same sig. Invalidating signature.");
124  goto error;
125  }
126 
127  SCLogDebug("\'%s\'", rawstr);
128 
129  dd = DetectU16Parse(rawstr);
130  if (dd == NULL) {
131  SCLogError("Parsing \'%s\' failed", rawstr);
132  goto error;
133  }
134 
135  /* Okay so far so good, lets get this into a SigMatch
136  * and put it in the Signature. */
139  if (sm == NULL) {
140  rs_detect_u16_free(dd);
141  goto error;
142  }
143 
144  SCLogDebug("dd->arg1 %" PRIu16 ", dd->arg2 %" PRIu16 ", dd->mode %" PRIu8 "", dd->arg1,
145  dd->arg2, dd->mode);
146  /* tell the sig it has a dsize to speed up engine init */
148  s->flags |= SIG_FLAG_DSIZE;
149 
150  if (s->init_data->dsize_sm == NULL) {
151  s->init_data->dsize_sm = sm;
152  }
153 
154  return 0;
155 
156 error:
157  return -1;
158 }
159 
160 /**
161  * \internal
162  * \brief this function will free memory associated with DetectU16Data
163  *
164  * \param de pointer to DetectU16Data
165  */
166 void DetectDsizeFree(DetectEngineCtx *de_ctx, void *de_ptr)
167 {
168  rs_detect_u16_free(de_ptr);
169 }
170 
171 /* prefilter code */
172 
173 static void
174 PrefilterPacketDsizeMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)
175 {
176  const PrefilterPacketHeaderCtx *ctx = pectx;
177  if (!PrefilterPacketHeaderExtraMatch(ctx, p))
178  return;
179 
180  const uint16_t dsize = p->payload_len;
181  DetectU16Data du16;
182  du16.mode = ctx->v1.u8[0];
183  du16.arg1 = ctx->v1.u16[1];
184  du16.arg2 = ctx->v1.u16[2];
185 
186  if (DetectU16Match(dsize, &du16)) {
187  SCLogDebug("packet matches dsize %u", dsize);
188  PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);
189  }
190 }
191 
192 static int PrefilterSetupDsize(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
193 {
195  PrefilterPacketU16Set, PrefilterPacketU16Compare, PrefilterPacketDsizeMatch);
196 }
197 
198 static bool PrefilterDsizeIsPrefilterable(const Signature *s)
199 {
200  const SigMatch *sm;
201  for (sm = s->init_data->smlists[DETECT_SM_LIST_MATCH] ; sm != NULL; sm = sm->next) {
202  switch (sm->type) {
203  case DETECT_DSIZE:
204  return true;
205  }
206  }
207  return false;
208 }
209 
210 /** \brief get max dsize "depth"
211  * \param s signature to get dsize value from
212  * \retval depth or negative value
213  */
215 {
216  if (s->flags & SIG_FLAG_DSIZE && s->init_data->dsize_sm != NULL) {
217  const DetectU16Data *dd = (const DetectU16Data *)s->init_data->dsize_sm->ctx;
218 
219  switch (dd->mode) {
220  case DETECT_UINT_LT:
221  case DETECT_UINT_EQ:
222  case DETECT_UINT_NE:
223  return dd->arg1;
224  case DETECT_UINT_RA:
225  return dd->arg2;
226  case DETECT_UINT_GT:
227  default:
228  SCReturnInt(-2);
229  }
230  }
231  SCReturnInt(-1);
232 }
233 
234 /** \brief set prefilter dsize pair
235  * \param s signature to get dsize value from
236  */
238 {
239  if (s->flags & SIG_FLAG_DSIZE && s->init_data->dsize_sm != NULL) {
240  const DetectU16Data *dd = (const DetectU16Data *)s->init_data->dsize_sm->ctx;
241 
242  uint16_t low = 0;
243  uint16_t high = 65535;
244 
245  switch (dd->mode) {
246  case DETECT_UINT_LT:
247  low = 0;
248  high = dd->arg1;
249  break;
250  case DETECT_UINT_LTE:
251  low = 0;
252  high = dd->arg1 + 1;
253  break;
254  case DETECT_UINT_EQ:
255  case DETECT_UINT_NE:
256  low = dd->arg1;
257  high = dd->arg1;
258  break;
259  case DETECT_UINT_RA:
260  low = dd->arg1;
261  high = dd->arg2;
262  break;
263  case DETECT_UINT_GT:
264  low = dd->arg1;
265  high = 65535;
266  break;
267  case DETECT_UINT_GTE:
268  low = dd->arg1 - 1;
269  high = 65535;
270  break;
271  }
272  s->dsize_mode = dd->mode;
273  s->dsize_low = low;
274  s->dsize_high = high;
275 
276  SCLogDebug("low %u, high %u, mode %u", low, high, dd->mode);
277  }
278 }
279 
280 /**
281  * \brief Determine the required dsize for the signature
282  * \param s signature to get dsize value from
283  *
284  * Note that negated content does not contribute to the maximum
285  * required dsize value. However, each negated content's values
286  * must not exceed the dsize value. See SigParseRequiredContentSize.
287  *
288  * \retval -1 Signature doesn't have a dsize keyword
289  * \retval >= 0 Dsize value required to not exclude content matches
290  */
292 {
293  SCEnter();
294 
295  if (!(s->flags & SIG_FLAG_DSIZE)) {
296  SCReturnInt(-1);
297  }
298 
299  const int dsize = SigParseGetMaxDsize(s);
300  if (dsize < 0) {
301  /* nothing to do */
302  SCReturnInt(-1);
303  }
304 
305  int total_length, offset;
307  s, dsize, s->init_data->smlists[DETECT_SM_LIST_PMATCH], &total_length, &offset);
308  SCLogDebug("dsize: %d len: %d; offset: %d [%s]", dsize, total_length, offset, s->sig_str);
309 
310  if (total_length > dsize) {
311  SCLogDebug("required_dsize: %d exceeds dsize: %d", total_length, dsize);
312  return total_length;
313  }
314 
315  if ((total_length + offset) > dsize) {
316  SCLogDebug("length + offset: %d exceeds dsize: %d", total_length + offset, dsize);
317  return total_length + offset;
318  }
319 
320  SCReturnInt(-1);
321 }
322 
323 /**
324  * \brief Apply dsize as depth to content matches in the rule
325  * \param s signature to get dsize value from
326  */
328 {
329  SCEnter();
330 
331  if (s->flags & SIG_FLAG_DSIZE) {
333 
334  int dsize = SigParseGetMaxDsize(s);
335  if (dsize < 0) {
336  /* nothing to do */
337  return;
338  }
339 
341  for ( ; sm != NULL; sm = sm->next) {
342  if (sm->type != DETECT_CONTENT) {
343  continue;
344  }
345 
347  if (cd == NULL) {
348  continue;
349  }
350 
351  if (cd->depth == 0 || cd->depth >= dsize) {
353  cd->depth = (uint16_t)dsize;
354  SCLogDebug("updated %u, content %u to have depth %u "
355  "because of dsize.", s->id, cd->id, cd->depth);
356  }
357  }
358  }
359 }
360 
361 /*
362  * ONLY TESTS BELOW THIS COMMENT
363  */
364 
365 #ifdef UNITTESTS
366 #include "util-unittest-helper.h"
367 #include "detect-engine.h"
368 #include "detect-engine-alert.h"
369 #include "packet.h"
370 
371 /**
372  * \test this is a test for a valid dsize value 1
373  *
374  */
375 static int DsizeTestParse01(void)
376 {
377  DetectU16Data *dd = DetectU16Parse("1");
378  FAIL_IF_NULL(dd);
379  FAIL_IF_NOT(dd->arg1 == 1);
380  FAIL_IF_NOT(dd->arg2 == 0);
381 
382  DetectDsizeFree(NULL, dd);
383  PASS;
384 }
385 
386 /**
387  * \test this is a test for a valid dsize value >10
388  *
389  */
390 static int DsizeTestParse02(void)
391 {
392  DetectU16Data *dd = DetectU16Parse(">10");
393  FAIL_IF_NULL(dd);
394  FAIL_IF_NOT(dd->arg1 == 10);
395  FAIL_IF_NOT(dd->mode == DETECT_UINT_GT);
396  DetectDsizeFree(NULL, dd);
397  PASS;
398 }
399 
400 /**
401  * \test this is a test for a valid dsize value <100
402  *
403  */
404 static int DsizeTestParse03(void)
405 {
406  DetectU16Data *dd = DetectU16Parse("<100");
407  FAIL_IF_NULL(dd);
408  FAIL_IF_NOT(dd->arg1 == 100);
409  FAIL_IF_NOT(dd->mode == DETECT_UINT_LT);
410 
411  DetectDsizeFree(NULL, dd);
412  PASS;
413 }
414 
415 /**
416  * \test this is a test for a valid dsize value 1<>3
417  *
418  */
419 static int DsizeTestParse04(void)
420 {
421  DetectU16Data *dd = DetectU16Parse("1<>3");
422  FAIL_IF_NULL(dd);
423  FAIL_IF_NOT(dd->arg1 == 1);
424  FAIL_IF_NOT(dd->arg2 == 3);
425  FAIL_IF_NOT(dd->mode == DETECT_UINT_RA);
426 
427  DetectDsizeFree(NULL, dd);
428  PASS;
429 }
430 
431 /**
432  * \test this is a test for a valid dsize value 1 <> 3
433  *
434  */
435 static int DsizeTestParse05(void)
436 {
437  DetectU16Data *dd = DetectU16Parse(" 1 <> 3 ");
438  FAIL_IF_NULL(dd);
439  FAIL_IF_NOT(dd->arg1 == 1);
440  FAIL_IF_NOT(dd->arg2 == 3);
441  FAIL_IF_NOT(dd->mode == DETECT_UINT_RA);
442 
443  DetectDsizeFree(NULL, dd);
444  PASS;
445 }
446 
447 /**
448  * \test this is test for a valid dsize value > 2
449  *
450  */
451 static int DsizeTestParse06(void)
452 {
453  DetectU16Data *dd = DetectU16Parse("> 2 ");
454  FAIL_IF_NULL(dd);
455  FAIL_IF_NOT(dd->arg1 == 2);
456  FAIL_IF_NOT(dd->mode == DETECT_UINT_GT);
457 
458  DetectDsizeFree(NULL, dd);
459  PASS;
460 }
461 
462 /**
463  * \test test for a valid dsize value < 12
464  *
465  */
466 static int DsizeTestParse07(void)
467 {
468  DetectU16Data *dd = DetectU16Parse("< 12 ");
469  FAIL_IF_NULL(dd);
470  FAIL_IF_NOT(dd->arg1 == 12);
471  FAIL_IF_NOT(dd->mode == DETECT_UINT_LT);
472 
473  DetectDsizeFree(NULL, dd);
474  PASS;
475 }
476 
477 /**
478  * \test test for a valid dsize value 12
479  *
480  */
481 static int DsizeTestParse08(void)
482 {
483  DetectU16Data *dd = DetectU16Parse(" 12 ");
484  FAIL_IF_NULL(dd);
485  FAIL_IF_NOT(dd->arg1 == 12);
486  FAIL_IF_NOT(dd->mode == DETECT_UINT_EQ);
487 
488  DetectDsizeFree(NULL, dd);
489  PASS;
490 }
491 
492 /**
493  * \test this is a test for a valid dsize value !1
494  *
495  */
496 static int DsizeTestParse09(void)
497 {
498  DetectU16Data *dd = DetectU16Parse("!1");
499  FAIL_IF_NULL(dd);
500  DetectDsizeFree(NULL, dd);
501  PASS;
502 }
503 
504 /**
505  * \test this is a test for a valid dsize value ! 1
506  *
507  */
508 static int DsizeTestParse10(void)
509 {
510  DetectU16Data *dd = DetectU16Parse("! 1");
511  FAIL_IF_NULL(dd);
512  DetectDsizeFree(NULL, dd);
513  PASS;
514 }
515 
516 /**
517  * \test this is a test for invalid dsize values
518  * A, >10<>10, <>10, 1<>, "", " ", 2<>1, 1!
519  *
520  */
521 static int DsizeTestParse11(void)
522 {
523  const char *strings[] = { "A", ">10<>10", "<>10", "1<>", "", " ", "2<>1", "1!", NULL };
524  for (int i = 0; strings[i]; i++) {
525  DetectU16Data *dd = DetectU16Parse(strings[i]);
526  FAIL_IF_NOT_NULL(dd);
527  }
528 
529  PASS;
530 }
531 
532 /**
533  * \test this is a test for positive ! dsize matching
534  *
535  */
536 static int DsizeTestMatch01(void)
537 {
538  uint16_t psize = 1;
539  uint16_t dsizelow = 2;
540  uint16_t dsizehigh = 0;
541  DetectU16Data du16;
542  du16.mode = DETECT_UINT_NE;
543  du16.arg1 = dsizelow;
544  du16.arg2 = dsizehigh;
545  FAIL_IF_NOT(DetectU16Match(psize, &du16));
546 
547  PASS;
548 }
549 
550 /**
551  * \test this is a test for negative ! dsize matching
552  *
553  */
554 static int DsizeTestMatch02(void)
555 {
556  uint16_t psize = 1;
557  uint16_t dsizelow = 1;
558  uint16_t dsizehigh = 0;
559  DetectU16Data du16;
560  du16.mode = DETECT_UINT_NE;
561  du16.arg1 = dsizelow;
562  du16.arg2 = dsizehigh;
563  FAIL_IF(DetectU16Match(psize, &du16));
564 
565  PASS;
566 }
567 
568 /**
569  * \test DetectDsizeIcmpv6Test01 is a test for checking the working of
570  * dsize keyword by creating 2 rules and matching a crafted packet
571  * against them. Only the first one shall trigger.
572  */
573 static int DetectDsizeIcmpv6Test01(void)
574 {
575  static uint8_t raw_icmpv6[] = {
576  0x60, 0x00, 0x00, 0x00, 0x00, 0x30, 0x3a, 0xff,
577  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
578  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
579  0xff, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
580  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
581  0x01, 0x00, 0x7b, 0x85, 0x00, 0x00, 0x00, 0x00,
582  0x60, 0x4b, 0xe8, 0xbd, 0x00, 0x00, 0x3b, 0xff,
583  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
584  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
585  0xff, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
586  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 };
587 
588  Packet *p = PacketGetFromAlloc();
589  FAIL_IF_NULL(p);
590 
591  ThreadVars tv;
593  ThreadVars th_v;
594  DetectEngineThreadCtx *det_ctx = NULL;
595 
596  memset(&tv, 0, sizeof(ThreadVars));
597  memset(&dtv, 0, sizeof(DecodeThreadVars));
598  memset(&th_v, 0, sizeof(ThreadVars));
599 
601  p->src.family = AF_INET6;
602  p->dst.family = AF_INET6;
603 
604  DecodeIPV6(&tv, &dtv, p, raw_icmpv6, sizeof(raw_icmpv6));
605 
608 
609  de_ctx->flags |= DE_QUIET;
610 
612  "alert icmp any any -> any any "
613  "(msg:\"ICMP Large ICMP Packet\"; dsize:>8; sid:1; rev:4;)");
614  FAIL_IF_NULL(s);
615 
617  "alert icmp any any -> any any "
618  "(msg:\"ICMP Large ICMP Packet\"; dsize:>800; sid:2; rev:4;)");
619  FAIL_IF_NULL(s);
620 
622  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
623 
624  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
625  FAIL_IF(PacketAlertCheck(p, 1) == 0);
626  FAIL_IF(PacketAlertCheck(p, 2));
627 
628  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
630 
631  PacketRecycle(p);
632  FlowShutdown();
633  SCFree(p);
634 
635  PASS;
636 }
637 
638 /**
639  * \brief this function registers unit tests for dsize
640  */
641 static void DsizeRegisterTests(void)
642 {
643  UtRegisterTest("DsizeTestParse01", DsizeTestParse01);
644  UtRegisterTest("DsizeTestParse02", DsizeTestParse02);
645  UtRegisterTest("DsizeTestParse03", DsizeTestParse03);
646  UtRegisterTest("DsizeTestParse04", DsizeTestParse04);
647  UtRegisterTest("DsizeTestParse05", DsizeTestParse05);
648  UtRegisterTest("DsizeTestParse06", DsizeTestParse06);
649  UtRegisterTest("DsizeTestParse07", DsizeTestParse07);
650  UtRegisterTest("DsizeTestParse08", DsizeTestParse08);
651  UtRegisterTest("DsizeTestParse09", DsizeTestParse09);
652  UtRegisterTest("DsizeTestParse10", DsizeTestParse10);
653  UtRegisterTest("DsizeTestParse11", DsizeTestParse11);
654  UtRegisterTest("DsizeTestMatch01", DsizeTestMatch01);
655  UtRegisterTest("DsizeTestMatch02", DsizeTestMatch02);
656 
657  UtRegisterTest("DetectDsizeIcmpv6Test01", DetectDsizeIcmpv6Test01);
658 }
659 #endif /* UNITTESTS */
util-byte.h
host.h
DetectDsizeRegister
void DetectDsizeRegister(void)
Registration function for dsize: keyword.
Definition: detect-dsize.c:61
SigTableElmt_::url
const char * url
Definition: detect.h:1304
detect-content.h
detect-engine.h
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:116
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SIG_MASK_REQUIRE_REAL_PKT
#define SIG_MASK_REQUIRE_REAL_PKT
Definition: detect.h:306
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:586
PrefilterPacketU16Set
void PrefilterPacketU16Set(PrefilterPacketHeaderValue *v, void *smctx)
Definition: detect-engine-uint.c:126
SigTableElmt_::desc
const char * desc
Definition: detect.h:1303
detect-dsize.h
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:127
Signature_::sig_str
char * sig_str
Definition: detect.h:668
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1291
SigTableElmt_::name
const char * name
Definition: detect.h:1301
PKT_IS_PSEUDOPKT
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1334
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1457
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DETECT_UINT_LT
#define DETECT_UINT_LT
Definition: detect-engine-uint.h:37
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:70
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
DETECT_UINT_NE
#define DETECT_UINT_NE
Definition: detect-engine-uint.h:36
SigParseGetMaxDsize
int SigParseGetMaxDsize(const Signature *s)
get max dsize "depth"
Definition: detect-dsize.c:214
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
PacketRecycle
void PacketRecycle(Packet *p)
Definition: packet.c:142
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1197
ctx
struct Thresholds ctx
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:841
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2592
DETECT_UINT_EQ
#define DETECT_UINT_EQ
Definition: detect-engine-uint.h:35
DE_QUIET
#define DE_QUIET
Definition: detect.h:323
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1904
DetectContentData_
Definition: detect-content.h:93
DETECT_UINT_GT
#define DETECT_UINT_GT
Definition: detect-engine-uint.h:32
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2598
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1286
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:589
Signature_::dsize_low
uint16_t dsize_low
Definition: detect.h:608
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
SigTableElmt_::SetupPrefilter
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
Definition: detect.h:1289
FlowInitConfig
void FlowInitConfig(bool quiet)
initialize the configuration
Definition: flow.c:530
PrefilterPacketHeaderCtx_
Definition: detect-engine-prefilter-common.h:35
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1090
DETECT_CONTENT_DEPTH
#define DETECT_CONTENT_DEPTH
Definition: detect-content.h:33
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
pkt-var.h
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:353
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:114
DetectContentData_::id
PatIntId id
Definition: detect-content.h:105
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:352
SigParseSetDsizePair
void SigParseSetDsizePair(Signature *s)
set prefilter dsize pair
Definition: detect-dsize.c:237
util-profiling.h
Signature_::flags
uint32_t flags
Definition: detect.h:602
DetectContentData_::depth
uint16_t depth
Definition: detect-content.h:106
SigParseRequiredContentSize
void SigParseRequiredContentSize(const Signature *s, const int max_size, const SigMatch *sm, int *len, int *offset)
Determine the size needed to accommodate the content elements of a signature.
Definition: detect-content.c:408
Packet_
Definition: decode.h:482
detect-engine-build.h
DETECT_UINT_GTE
#define DETECT_UINT_GTE
Definition: detect-engine-uint.h:33
DecodeIPV6
int DecodeIPV6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint16_t len)
Definition: decode-ipv6.c:560
detect-engine-alert.h
DetectContentData_::flags
uint32_t flags
Definition: detect-content.h:104
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:670
PrefilterSetupPacketHeader
int PrefilterSetupPacketHeader(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type, SignatureMask mask, void(*Set)(PrefilterPacketHeaderValue *v, void *), bool(*Compare)(PrefilterPacketHeaderValue v, void *), void(*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
Definition: detect-engine-prefilter-common.c:404
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1269
DETECT_DSIZE
@ DETECT_DSIZE
Definition: detect-engine-register.h:52
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2161
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:33
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:344
SignatureInitData_::dsize_sm
SigMatch * dsize_sm
Definition: detect.h:557
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3307
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
DetectU16Match
int DetectU16Match(const uint16_t parg, const DetectUintData_u16 *du16)
Definition: detect-engine-uint.c:107
DetectU16Parse
DetectUintData_u16 * DetectU16Parse(const char *u16str)
This function is used to parse u16 options passed via some u16 keyword.
Definition: detect-engine-uint.c:121
PrefilterPacketU16Compare
bool PrefilterPacketU16Compare(PrefilterPacketHeaderValue v, void *smctx)
Definition: detect-engine-uint.c:134
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3534
SigMatch_::type
uint16_t type
Definition: detect.h:350
Signature_::dsize_high
uint16_t dsize_high
Definition: detect.h:609
FlowShutdown
void FlowShutdown(void)
shutdown the flow engine
Definition: flow.c:677
packet.h
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:232
DETECT_UINT_LTE
#define DETECT_UINT_LTE
Definition: detect-engine-uint.h:38
str
#define str(s)
Definition: suricata-common.h:291
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:946
SigTableElmt_::SupportsPrefilter
bool(* SupportsPrefilter)(const Signature *s)
Definition: detect.h:1288
Signature_::id
uint32_t id
Definition: detect.h:636
detect-parse.h
Signature_
Signature container.
Definition: detect.h:601
SigMatch_
a single match condition for a signature
Definition: detect.h:349
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2553
Signature_::dsize_mode
uint8_t dsize_mode
Definition: detect.h:610
Address_::family
char family
Definition: decode.h:118
Packet_::dst
Address dst
Definition: decode.h:487
FLOW_QUIET
#define FLOW_QUIET
Definition: flow.h:43
SigParseApplyDsizeToContent
void SigParseApplyDsizeToContent(Signature *s)
Apply dsize as depth to content matches in the rule.
Definition: detect-dsize.c:327
DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition: detect-parse.c:606
SigMatchAppendSMToList
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:436
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:843
detect-engine-prefilter-common.h
DetectU16Data
DetectUintData_u16 DetectU16Data
Definition: detect-engine-uint.h:42
SigParseMaxRequiredDsize
int SigParseMaxRequiredDsize(const Signature *s)
Determine the required dsize for the signature.
Definition: detect-dsize.c:291
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
flow-var.h
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
Packet_::src
Address src
Definition: decode.h:486
DETECT_UINT_RA
#define DETECT_UINT_RA
Definition: detect-engine-uint.h:34
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1293
SIG_FLAG_DSIZE
#define SIG_FLAG_DSIZE
Definition: detect.h:245
SIG_FLAG_REQUIRE_PACKET
#define SIG_FLAG_REQUIRE_PACKET
Definition: detect.h:250