suricata
detect-dsize.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Implements the dsize keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 
29 #include "detect.h"
30 #include "detect-parse.h"
32 #include "detect-engine-build.h"
33 
34 #include "flow-var.h"
35 
36 #include "detect-content.h"
37 #include "detect-dsize.h"
38 
39 #include "util-unittest.h"
40 #include "util-debug.h"
41 #include "util-byte.h"
42 
43 #include "pkt-var.h"
44 #include "host.h"
45 #include "util-profiling.h"
46 
47 static int DetectDsizeMatch (DetectEngineThreadCtx *, Packet *,
48  const Signature *, const SigMatchCtx *);
49 static int DetectDsizeSetup (DetectEngineCtx *, Signature *s, const char *str);
50 #ifdef UNITTESTS
51 static void DsizeRegisterTests(void);
52 #endif
53 static void DetectDsizeFree(DetectEngineCtx *, void *);
54 
55 static int PrefilterSetupDsize(DetectEngineCtx *de_ctx, SigGroupHead *sgh);
56 static bool PrefilterDsizeIsPrefilterable(const Signature *s);
57 
58 /**
59  * \brief Registration function for dsize: keyword
60  */
62 {
63  sigmatch_table[DETECT_DSIZE].name = "dsize";
64  sigmatch_table[DETECT_DSIZE].desc = "match on the size of the packet payload";
65  sigmatch_table[DETECT_DSIZE].url = "/rules/payload-keywords.html#dsize";
66  sigmatch_table[DETECT_DSIZE].Match = DetectDsizeMatch;
67  sigmatch_table[DETECT_DSIZE].Setup = DetectDsizeSetup;
68  sigmatch_table[DETECT_DSIZE].Free = DetectDsizeFree;
70 #ifdef UNITTESTS
71  sigmatch_table[DETECT_DSIZE].RegisterTests = DsizeRegisterTests;
72 #endif
73  sigmatch_table[DETECT_DSIZE].SupportsPrefilter = PrefilterDsizeIsPrefilterable;
74  sigmatch_table[DETECT_DSIZE].SetupPrefilter = PrefilterSetupDsize;
75 }
76 
77 /**
78  * \internal
79  * \brief This function is used to match flags on a packet with those passed via dsize:
80  *
81  * \param t pointer to thread vars
82  * \param det_ctx pointer to the pattern matcher thread
83  * \param p pointer to the current packet
84  * \param s pointer to the Signature
85  * \param m pointer to the sigmatch
86  *
87  * \retval 0 no match
88  * \retval 1 match
89  */
90 static int DetectDsizeMatch (DetectEngineThreadCtx *det_ctx, Packet *p,
91  const Signature *s, const SigMatchCtx *ctx)
92 {
93  SCEnter();
94  int ret = 0;
95 
97 
98  const DetectU16Data *dd = (const DetectU16Data *)ctx;
99 
100  SCLogDebug("p->payload_len %"PRIu16"", p->payload_len);
101 
102  ret = DetectU16Match(p->payload_len, dd);
103 
104  SCReturnInt(ret);
105 }
106 
107 /**
108  * \internal
109  * \brief this function is used to add the parsed dsize into the current signature
110  *
111  * \param de_ctx pointer to the Detection Engine Context
112  * \param s pointer to the Current Signature
113  * \param rawstr pointer to the user provided flags options
114  *
115  * \retval 0 on Success
116  * \retval -1 on Failure
117  */
118 static int DetectDsizeSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
119 {
120  DetectU16Data *dd = NULL;
121 
123  SCLogError("Can't use 2 or more dsizes in "
124  "the same sig. Invalidating signature.");
125  return -1;
126  }
127 
128  SCLogDebug("\'%s\'", rawstr);
129 
130  dd = DetectU16Parse(rawstr);
131  if (dd == NULL) {
132  SCLogError("Parsing \'%s\' failed", rawstr);
133  return -1;
134  }
135 
136  /* Okay so far so good, lets get this into a SigMatch
137  * and put it in the Signature. */
140  if (sm == NULL) {
141  SCDetectU16Free(dd);
142  return -1;
143  }
144 
145  SCLogDebug("dd->arg1 %" PRIu16 ", dd->arg2 %" PRIu16 ", dd->mode %" PRIu8 "", dd->arg1,
146  dd->arg2, dd->mode);
147  /* tell the sig it has a dsize to speed up engine init */
149  s->flags |= SIG_FLAG_DSIZE;
150 
151  if (s->init_data->dsize_sm == NULL) {
152  s->init_data->dsize_sm = sm;
153  }
154 
155  return 0;
156 }
157 
158 /**
159  * \internal
160  * \brief this function will free memory associated with DetectU16Data
161  *
162  * \param de pointer to DetectU16Data
163  */
164 void DetectDsizeFree(DetectEngineCtx *de_ctx, void *de_ptr)
165 {
166  SCDetectU16Free(de_ptr);
167 }
168 
169 /* prefilter code */
170 
171 static void
172 PrefilterPacketDsizeMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)
173 {
174  const PrefilterPacketHeaderCtx *ctx = pectx;
175  if (!PrefilterPacketHeaderExtraMatch(ctx, p))
176  return;
177 
178  const uint16_t dsize = p->payload_len;
179  DetectU16Data du16;
180  du16.mode = ctx->v1.u8[0];
181  du16.arg1 = ctx->v1.u16[1];
182  du16.arg2 = ctx->v1.u16[2];
183 
184  if (DetectU16Match(dsize, &du16)) {
185  SCLogDebug("packet matches dsize %u", dsize);
186  PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);
187  }
188 }
189 
190 static int PrefilterSetupDsize(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
191 {
193  PrefilterPacketU16Set, PrefilterPacketU16Compare, PrefilterPacketDsizeMatch);
194 }
195 
196 static bool PrefilterDsizeIsPrefilterable(const Signature *s)
197 {
198  const SigMatch *sm;
199  for (sm = s->init_data->smlists[DETECT_SM_LIST_MATCH] ; sm != NULL; sm = sm->next) {
200  switch (sm->type) {
201  case DETECT_DSIZE:
202  return true;
203  }
204  }
205  return false;
206 }
207 
208 /** \brief get max dsize "depth"
209  * \param s signature to get dsize value from
210  * \retval depth or negative value
211  */
213 {
214  if (s->flags & SIG_FLAG_DSIZE && s->init_data->dsize_sm != NULL) {
215  const DetectU16Data *dd = (const DetectU16Data *)s->init_data->dsize_sm->ctx;
216 
217  switch (dd->mode) {
218  case DETECT_UINT_LT:
219  case DETECT_UINT_EQ:
220  case DETECT_UINT_NE:
221  return dd->arg1;
222  case DETECT_UINT_RA:
223  return dd->arg2;
224  case DETECT_UINT_GT:
225  default:
226  SCReturnInt(-2);
227  }
228  }
229  SCReturnInt(-1);
230 }
231 
232 /** \brief set prefilter dsize pair
233  * \param s signature to get dsize value from
234  */
236 {
237  if (s->flags & SIG_FLAG_DSIZE && s->init_data->dsize_sm != NULL) {
238  const DetectU16Data *dd = (const DetectU16Data *)s->init_data->dsize_sm->ctx;
239 
240  uint16_t low = 0;
241  uint16_t high = 65535;
242 
243  switch (dd->mode) {
244  case DETECT_UINT_LT:
245  low = 0;
246  high = dd->arg1;
247  break;
248  case DETECT_UINT_LTE:
249  low = 0;
250  high = dd->arg1 + 1;
251  break;
252  case DETECT_UINT_EQ:
253  case DETECT_UINT_NE:
254  low = dd->arg1;
255  high = dd->arg1;
256  break;
257  case DETECT_UINT_RA:
258  low = dd->arg1;
259  high = dd->arg2;
260  break;
261  case DETECT_UINT_GT:
262  low = dd->arg1;
263  high = 65535;
264  break;
265  case DETECT_UINT_GTE:
266  low = dd->arg1 - 1;
267  high = 65535;
268  break;
269  }
270  s->dsize_mode = dd->mode;
271  s->dsize_low = low;
272  s->dsize_high = high;
273 
274  SCLogDebug("low %u, high %u, mode %u", low, high, dd->mode);
275  }
276 }
277 
278 /**
279  * \brief Determine the required dsize for the signature
280  * \param s signature to get dsize value from
281  *
282  * Note that negated content does not contribute to the maximum
283  * required dsize value. However, each negated content's values
284  * must not exceed the dsize value. See SigParseRequiredContentSize.
285  *
286  * \retval -1 Signature doesn't have a dsize keyword
287  * \retval >= 0 Dsize value required to not exclude content matches
288  */
290 {
291  SCEnter();
292 
293  if (!(s->flags & SIG_FLAG_DSIZE)) {
294  SCReturnInt(-1);
295  }
296 
297  const int dsize = SigParseGetMaxDsize(s);
298  if (dsize < 0) {
299  /* nothing to do */
300  SCReturnInt(-1);
301  }
302 
303  int total_length, offset;
305  s, dsize, s->init_data->smlists[DETECT_SM_LIST_PMATCH], &total_length, &offset);
306  SCLogDebug("dsize: %d len: %d; offset: %d [%s]", dsize, total_length, offset, s->sig_str);
307 
308  if (total_length > dsize) {
309  SCLogDebug("required_dsize: %d exceeds dsize: %d", total_length, dsize);
310  return total_length;
311  }
312 
313  if ((total_length + offset) > dsize) {
314  SCLogDebug("length + offset: %d exceeds dsize: %d", total_length + offset, dsize);
315  return total_length + offset;
316  }
317 
318  SCReturnInt(-1);
319 }
320 
321 /**
322  * \brief Apply dsize as depth to content matches in the rule
323  * \param s signature to get dsize value from
324  */
326 {
327  SCEnter();
328 
329  if (s->flags & SIG_FLAG_DSIZE) {
331 
332  int dsize = SigParseGetMaxDsize(s);
333  if (dsize < 0) {
334  /* nothing to do */
335  return;
336  }
337 
339  for ( ; sm != NULL; sm = sm->next) {
340  if (sm->type != DETECT_CONTENT) {
341  continue;
342  }
343 
345  if (cd == NULL) {
346  continue;
347  }
348 
349  if (cd->depth == 0 || cd->depth >= dsize) {
351  cd->depth = (uint16_t)dsize;
352  SCLogDebug("updated %u, content %u to have depth %u "
353  "because of dsize.", s->id, cd->id, cd->depth);
354  }
355  }
356  }
357 }
358 
359 /*
360  * ONLY TESTS BELOW THIS COMMENT
361  */
362 
363 #ifdef UNITTESTS
364 #include "util-unittest-helper.h"
365 #include "detect-engine.h"
366 #include "detect-engine-alert.h"
367 #include "packet.h"
368 
369 /**
370  * \test this is a test for a valid dsize value 1
371  *
372  */
373 static int DsizeTestParse01(void)
374 {
375  DetectU16Data *dd = DetectU16Parse("1");
376  FAIL_IF_NULL(dd);
377  FAIL_IF_NOT(dd->arg1 == 1);
378  FAIL_IF_NOT(dd->arg2 == 0);
379 
380  DetectDsizeFree(NULL, dd);
381  PASS;
382 }
383 
384 /**
385  * \test this is a test for a valid dsize value >10
386  *
387  */
388 static int DsizeTestParse02(void)
389 {
390  DetectU16Data *dd = DetectU16Parse(">10");
391  FAIL_IF_NULL(dd);
392  FAIL_IF_NOT(dd->arg1 == 10);
393  FAIL_IF_NOT(dd->mode == DETECT_UINT_GT);
394  DetectDsizeFree(NULL, dd);
395  PASS;
396 }
397 
398 /**
399  * \test this is a test for a valid dsize value <100
400  *
401  */
402 static int DsizeTestParse03(void)
403 {
404  DetectU16Data *dd = DetectU16Parse("<100");
405  FAIL_IF_NULL(dd);
406  FAIL_IF_NOT(dd->arg1 == 100);
407  FAIL_IF_NOT(dd->mode == DETECT_UINT_LT);
408 
409  DetectDsizeFree(NULL, dd);
410  PASS;
411 }
412 
413 /**
414  * \test this is a test for a valid dsize value 1<>3
415  *
416  */
417 static int DsizeTestParse04(void)
418 {
419  DetectU16Data *dd = DetectU16Parse("1<>3");
420  FAIL_IF_NULL(dd);
421  FAIL_IF_NOT(dd->arg1 == 1);
422  FAIL_IF_NOT(dd->arg2 == 3);
423  FAIL_IF_NOT(dd->mode == DETECT_UINT_RA);
424 
425  DetectDsizeFree(NULL, dd);
426  PASS;
427 }
428 
429 /**
430  * \test this is a test for a valid dsize value 1 <> 3
431  *
432  */
433 static int DsizeTestParse05(void)
434 {
435  DetectU16Data *dd = DetectU16Parse(" 1 <> 3 ");
436  FAIL_IF_NULL(dd);
437  FAIL_IF_NOT(dd->arg1 == 1);
438  FAIL_IF_NOT(dd->arg2 == 3);
439  FAIL_IF_NOT(dd->mode == DETECT_UINT_RA);
440 
441  DetectDsizeFree(NULL, dd);
442  PASS;
443 }
444 
445 /**
446  * \test this is test for a valid dsize value > 2
447  *
448  */
449 static int DsizeTestParse06(void)
450 {
451  DetectU16Data *dd = DetectU16Parse("> 2 ");
452  FAIL_IF_NULL(dd);
453  FAIL_IF_NOT(dd->arg1 == 2);
454  FAIL_IF_NOT(dd->mode == DETECT_UINT_GT);
455 
456  DetectDsizeFree(NULL, dd);
457  PASS;
458 }
459 
460 /**
461  * \test test for a valid dsize value < 12
462  *
463  */
464 static int DsizeTestParse07(void)
465 {
466  DetectU16Data *dd = DetectU16Parse("< 12 ");
467  FAIL_IF_NULL(dd);
468  FAIL_IF_NOT(dd->arg1 == 12);
469  FAIL_IF_NOT(dd->mode == DETECT_UINT_LT);
470 
471  DetectDsizeFree(NULL, dd);
472  PASS;
473 }
474 
475 /**
476  * \test test for a valid dsize value 12
477  *
478  */
479 static int DsizeTestParse08(void)
480 {
481  DetectU16Data *dd = DetectU16Parse(" 12 ");
482  FAIL_IF_NULL(dd);
483  FAIL_IF_NOT(dd->arg1 == 12);
484  FAIL_IF_NOT(dd->mode == DETECT_UINT_EQ);
485 
486  DetectDsizeFree(NULL, dd);
487  PASS;
488 }
489 
490 /**
491  * \test this is a test for a valid dsize value !1
492  *
493  */
494 static int DsizeTestParse09(void)
495 {
496  DetectU16Data *dd = DetectU16Parse("!1");
497  FAIL_IF_NULL(dd);
498  DetectDsizeFree(NULL, dd);
499  PASS;
500 }
501 
502 /**
503  * \test this is a test for a valid dsize value ! 1
504  *
505  */
506 static int DsizeTestParse10(void)
507 {
508  DetectU16Data *dd = DetectU16Parse("! 1");
509  FAIL_IF_NULL(dd);
510  DetectDsizeFree(NULL, dd);
511  PASS;
512 }
513 
514 /**
515  * \test this is a test for invalid dsize values
516  * A, >10<>10, <>10, 1<>, "", " ", 2<>1, 1!
517  *
518  */
519 static int DsizeTestParse11(void)
520 {
521  const char *strings[] = { "A", ">10<>10", "<>10", "1<>", "", " ", "2<>1", "1!", NULL };
522  for (int i = 0; strings[i]; i++) {
523  DetectU16Data *dd = DetectU16Parse(strings[i]);
524  FAIL_IF_NOT_NULL(dd);
525  }
526 
527  PASS;
528 }
529 
530 /**
531  * \test this is a test for positive ! dsize matching
532  *
533  */
534 static int DsizeTestMatch01(void)
535 {
536  uint16_t psize = 1;
537  uint16_t dsizelow = 2;
538  uint16_t dsizehigh = 0;
539  DetectU16Data du16;
540  du16.mode = DETECT_UINT_NE;
541  du16.arg1 = dsizelow;
542  du16.arg2 = dsizehigh;
543  FAIL_IF_NOT(DetectU16Match(psize, &du16));
544 
545  PASS;
546 }
547 
548 /**
549  * \test this is a test for negative ! dsize matching
550  *
551  */
552 static int DsizeTestMatch02(void)
553 {
554  uint16_t psize = 1;
555  uint16_t dsizelow = 1;
556  uint16_t dsizehigh = 0;
557  DetectU16Data du16;
558  du16.mode = DETECT_UINT_NE;
559  du16.arg1 = dsizelow;
560  du16.arg2 = dsizehigh;
561  FAIL_IF(DetectU16Match(psize, &du16));
562 
563  PASS;
564 }
565 
566 /**
567  * \test DetectDsizeIcmpv6Test01 is a test for checking the working of
568  * dsize keyword by creating 2 rules and matching a crafted packet
569  * against them. Only the first one shall trigger.
570  */
571 static int DetectDsizeIcmpv6Test01(void)
572 {
573  static uint8_t raw_icmpv6[] = {
574  0x60, 0x00, 0x00, 0x00, 0x00, 0x30, 0x3a, 0xff,
575  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
576  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
577  0xff, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
578  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
579  0x01, 0x00, 0x7b, 0x85, 0x00, 0x00, 0x00, 0x00,
580  0x60, 0x4b, 0xe8, 0xbd, 0x00, 0x00, 0x3b, 0xff,
581  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
582  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
583  0xff, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
584  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 };
585 
586  Packet *p = PacketGetFromAlloc();
587  FAIL_IF_NULL(p);
588 
589  ThreadVars tv;
591  ThreadVars th_v;
592  DetectEngineThreadCtx *det_ctx = NULL;
593 
594  memset(&tv, 0, sizeof(ThreadVars));
595  memset(&dtv, 0, sizeof(DecodeThreadVars));
596  memset(&th_v, 0, sizeof(ThreadVars));
597 
599  p->src.family = AF_INET6;
600  p->dst.family = AF_INET6;
601 
602  DecodeIPV6(&tv, &dtv, p, raw_icmpv6, sizeof(raw_icmpv6));
603 
606 
607  de_ctx->flags |= DE_QUIET;
608 
610  "alert icmp any any -> any any "
611  "(msg:\"ICMP Large ICMP Packet\"; dsize:>8; sid:1; rev:4;)");
612  FAIL_IF_NULL(s);
613 
615  "alert icmp any any -> any any "
616  "(msg:\"ICMP Large ICMP Packet\"; dsize:>800; sid:2; rev:4;)");
617  FAIL_IF_NULL(s);
618 
620  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
621 
622  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
623  FAIL_IF(PacketAlertCheck(p, 1) == 0);
624  FAIL_IF(PacketAlertCheck(p, 2));
625 
626  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
628 
629  PacketRecycle(p);
630  FlowShutdown();
631  SCFree(p);
632 
633  PASS;
634 }
635 
636 /**
637  * \brief this function registers unit tests for dsize
638  */
639 static void DsizeRegisterTests(void)
640 {
641  UtRegisterTest("DsizeTestParse01", DsizeTestParse01);
642  UtRegisterTest("DsizeTestParse02", DsizeTestParse02);
643  UtRegisterTest("DsizeTestParse03", DsizeTestParse03);
644  UtRegisterTest("DsizeTestParse04", DsizeTestParse04);
645  UtRegisterTest("DsizeTestParse05", DsizeTestParse05);
646  UtRegisterTest("DsizeTestParse06", DsizeTestParse06);
647  UtRegisterTest("DsizeTestParse07", DsizeTestParse07);
648  UtRegisterTest("DsizeTestParse08", DsizeTestParse08);
649  UtRegisterTest("DsizeTestParse09", DsizeTestParse09);
650  UtRegisterTest("DsizeTestParse10", DsizeTestParse10);
651  UtRegisterTest("DsizeTestParse11", DsizeTestParse11);
652  UtRegisterTest("DsizeTestMatch01", DsizeTestMatch01);
653  UtRegisterTest("DsizeTestMatch02", DsizeTestMatch02);
654 
655  UtRegisterTest("DetectDsizeIcmpv6Test01", DetectDsizeIcmpv6Test01);
656 }
657 #endif /* UNITTESTS */
util-byte.h
host.h
DetectDsizeRegister
void DetectDsizeRegister(void)
Registration function for dsize: keyword.
Definition: detect-dsize.c:61
SigTableElmt_::url
const char * url
Definition: detect.h:1405
detect-content.h
detect-engine.h
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:118
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SIG_MASK_REQUIRE_REAL_PKT
#define SIG_MASK_REQUIRE_REAL_PKT
Definition: detect.h:315
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:643
PrefilterPacketU16Set
void PrefilterPacketU16Set(PrefilterPacketHeaderValue *v, void *smctx)
Definition: detect-engine-uint.c:126
SigTableElmt_::desc
const char * desc
Definition: detect.h:1404
detect-dsize.h
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:155
Signature_::sig_str
char * sig_str
Definition: detect.h:746
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1392
SigTableElmt_::name
const char * name
Definition: detect.h:1402
PKT_IS_PSEUDOPKT
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1297
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1570
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DETECT_UINT_LT
#define DETECT_UINT_LT
Definition: detect-engine-uint.h:37
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:69
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
DETECT_UINT_NE
#define DETECT_UINT_NE
Definition: detect-engine-uint.h:36
SigParseGetMaxDsize
int SigParseGetMaxDsize(const Signature *s)
get max dsize "depth"
Definition: detect-dsize.c:212
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
PacketRecycle
void PacketRecycle(Packet *p)
Definition: packet.c:145
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1298
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1396
ctx
struct Thresholds ctx
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:920
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2799
DETECT_UINT_EQ
#define DETECT_UINT_EQ
Definition: detect-engine-uint.h:35
DE_QUIET
#define DE_QUIET
Definition: detect.h:329
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:2319
DetectContentData_
Definition: detect-content.h:93
SIGMATCH_SUPPORT_FIREWALL
#define SIGMATCH_SUPPORT_FIREWALL
Definition: detect.h:1622
DETECT_UINT_GT
#define DETECT_UINT_GT
Definition: detect-engine-uint.h:32
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:3344
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1387
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:589
Signature_::dsize_low
uint16_t dsize_low
Definition: detect.h:676
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
SigTableElmt_::SetupPrefilter
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
Definition: detect.h:1390
FlowInitConfig
void FlowInitConfig(bool quiet)
initialize the configuration
Definition: flow.c:543
PrefilterPacketHeaderCtx_
Definition: detect-engine-prefilter-common.h:35
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
DetectEngineThreadCtx_
Definition: detect.h:1197
DETECT_CONTENT_DEPTH
#define DETECT_CONTENT_DEPTH
Definition: detect-content.h:33
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
pkt-var.h
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3525
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:360
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:116
DetectContentData_::id
PatIntId id
Definition: detect-content.h:105
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:359
SigParseSetDsizePair
void SigParseSetDsizePair(Signature *s)
set prefilter dsize pair
Definition: detect-dsize.c:235
util-profiling.h
Signature_::flags
uint32_t flags
Definition: detect.h:670
DetectContentData_::depth
uint16_t depth
Definition: detect-content.h:106
SigParseRequiredContentSize
void SigParseRequiredContentSize(const Signature *s, const int max_size, const SigMatch *sm, int *len, int *offset)
Determine the size needed to accommodate the content elements of a signature.
Definition: detect-content.c:409
Packet_
Definition: decode.h:484
detect-engine-build.h
DETECT_UINT_GTE
#define DETECT_UINT_GTE
Definition: detect-engine-uint.h:33
DecodeIPV6
int DecodeIPV6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint16_t len)
Definition: decode-ipv6.c:560
detect-engine-alert.h
DetectContentData_::flags
uint32_t flags
Definition: detect-content.h:104
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:748
PrefilterSetupPacketHeader
int PrefilterSetupPacketHeader(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type, SignatureMask mask, void(*Set)(PrefilterPacketHeaderValue *v, void *), bool(*Compare)(PrefilterPacketHeaderValue v, void *), void(*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
Definition: detect-engine-prefilter-common.c:406
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1370
DETECT_DSIZE
@ DETECT_DSIZE
Definition: detect-engine-register.h:52
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2129
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:33
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:351
SignatureInitData_::dsize_sm
SigMatch * dsize_sm
Definition: detect.h:616
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
DetectU16Match
int DetectU16Match(const uint16_t parg, const DetectUintData_u16 *du16)
Definition: detect-engine-uint.c:107
DetectU16Parse
DetectUintData_u16 * DetectU16Parse(const char *u16str)
This function is used to parse u16 options passed via some u16 keyword.
Definition: detect-engine-uint.c:121
PrefilterPacketU16Compare
bool PrefilterPacketU16Compare(PrefilterPacketHeaderValue v, void *smctx)
Definition: detect-engine-uint.c:134
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:357
Signature_::dsize_high
uint16_t dsize_high
Definition: detect.h:677
FlowShutdown
void FlowShutdown(void)
shutdown the flow engine
Definition: flow.c:687
packet.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3751
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:232
DETECT_UINT_LTE
#define DETECT_UINT_LTE
Definition: detect-engine-uint.h:38
str
#define str(s)
Definition: suricata-common.h:300
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:946
SigTableElmt_::SupportsPrefilter
bool(* SupportsPrefilter)(const Signature *s)
Definition: detect.h:1389
Signature_::id
uint32_t id
Definition: detect.h:714
detect-parse.h
Signature_
Signature container.
Definition: detect.h:669
SigMatch_
a single match condition for a signature
Definition: detect.h:356
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2760
Signature_::dsize_mode
uint8_t dsize_mode
Definition: detect.h:678
Address_::family
char family
Definition: decode.h:113
Packet_::dst
Address dst
Definition: decode.h:489
FLOW_QUIET
#define FLOW_QUIET
Definition: flow.h:43
SigParseApplyDsizeToContent
void SigParseApplyDsizeToContent(Signature *s)
Apply dsize as depth to content matches in the rule.
Definition: detect-dsize.c:325
DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition: detect-parse.c:634
SigMatchAppendSMToList
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:464
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:922
detect-engine-prefilter-common.h
DetectU16Data
DetectUintData_u16 DetectU16Data
Definition: detect-engine-uint.h:42
SigParseMaxRequiredDsize
int SigParseMaxRequiredDsize(const Signature *s)
Determine the required dsize for the signature.
Definition: detect-dsize.c:289
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
flow-var.h
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
Packet_::src
Address src
Definition: decode.h:488
DETECT_UINT_RA
#define DETECT_UINT_RA
Definition: detect-engine-uint.h:34
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1394
SIG_FLAG_DSIZE
#define SIG_FLAG_DSIZE
Definition: detect.h:247
SIG_FLAG_REQUIRE_PACKET
#define SIG_FLAG_REQUIRE_PACKET
Definition: detect.h:253