suricata
detect-dsize.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Implements the dsize keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 
29 #include "detect.h"
30 #include "detect-parse.h"
32 #include "detect-engine-build.h"
33 
34 #include "flow-var.h"
35 
36 #include "detect-content.h"
37 #include "detect-dsize.h"
38 
39 #include "util-unittest.h"
40 #include "util-debug.h"
41 #include "util-byte.h"
42 
43 #include "pkt-var.h"
44 #include "host.h"
45 #include "util-profiling.h"
46 
47 static int DetectDsizeMatch (DetectEngineThreadCtx *, Packet *,
48  const Signature *, const SigMatchCtx *);
49 static int DetectDsizeSetup (DetectEngineCtx *, Signature *s, const char *str);
50 #ifdef UNITTESTS
51 static void DsizeRegisterTests(void);
52 #endif
53 static void DetectDsizeFree(DetectEngineCtx *, void *);
54 
55 static int PrefilterSetupDsize(DetectEngineCtx *de_ctx, SigGroupHead *sgh);
56 static bool PrefilterDsizeIsPrefilterable(const Signature *s);
57 
58 /**
59  * \brief Registration function for dsize: keyword
60  */
62 {
63  sigmatch_table[DETECT_DSIZE].name = "dsize";
64  sigmatch_table[DETECT_DSIZE].desc = "match on the size of the packet payload";
65  sigmatch_table[DETECT_DSIZE].url = "/rules/payload-keywords.html#dsize";
66  sigmatch_table[DETECT_DSIZE].Match = DetectDsizeMatch;
67  sigmatch_table[DETECT_DSIZE].Setup = DetectDsizeSetup;
68  sigmatch_table[DETECT_DSIZE].Free = DetectDsizeFree;
69 #ifdef UNITTESTS
70  sigmatch_table[DETECT_DSIZE].RegisterTests = DsizeRegisterTests;
71 #endif
72  sigmatch_table[DETECT_DSIZE].SupportsPrefilter = PrefilterDsizeIsPrefilterable;
73  sigmatch_table[DETECT_DSIZE].SetupPrefilter = PrefilterSetupDsize;
74 }
75 
76 /**
77  * \internal
78  * \brief This function is used to match flags on a packet with those passed via dsize:
79  *
80  * \param t pointer to thread vars
81  * \param det_ctx pointer to the pattern matcher thread
82  * \param p pointer to the current packet
83  * \param s pointer to the Signature
84  * \param m pointer to the sigmatch
85  *
86  * \retval 0 no match
87  * \retval 1 match
88  */
89 static int DetectDsizeMatch (DetectEngineThreadCtx *det_ctx, Packet *p,
90  const Signature *s, const SigMatchCtx *ctx)
91 {
92  SCEnter();
93  int ret = 0;
94 
95  if (PKT_IS_PSEUDOPKT(p)) {
96  SCReturnInt(0);
97  }
98 
99  const DetectU16Data *dd = (const DetectU16Data *)ctx;
100 
101  SCLogDebug("p->payload_len %"PRIu16"", p->payload_len);
102 
103  ret = DetectU16Match(p->payload_len, dd);
104 
105  SCReturnInt(ret);
106 }
107 
108 /**
109  * \internal
110  * \brief this function is used to add the parsed dsize into the current signature
111  *
112  * \param de_ctx pointer to the Detection Engine Context
113  * \param s pointer to the Current Signature
114  * \param rawstr pointer to the user provided flags options
115  *
116  * \retval 0 on Success
117  * \retval -1 on Failure
118  */
119 static int DetectDsizeSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
120 {
121  DetectU16Data *dd = NULL;
122 
124  SCLogError("Can't use 2 or more dsizes in "
125  "the same sig. Invalidating signature.");
126  goto error;
127  }
128 
129  SCLogDebug("\'%s\'", rawstr);
130 
131  dd = DetectU16Parse(rawstr);
132  if (dd == NULL) {
133  SCLogError("Parsing \'%s\' failed", rawstr);
134  goto error;
135  }
136 
137  /* Okay so far so good, lets get this into a SigMatch
138  * and put it in the Signature. */
141  if (sm == NULL) {
142  rs_detect_u16_free(dd);
143  goto error;
144  }
145 
146  SCLogDebug("dd->arg1 %" PRIu16 ", dd->arg2 %" PRIu16 ", dd->mode %" PRIu8 "", dd->arg1,
147  dd->arg2, dd->mode);
148  /* tell the sig it has a dsize to speed up engine init */
150  s->flags |= SIG_FLAG_DSIZE;
151 
152  if (s->init_data->dsize_sm == NULL) {
153  s->init_data->dsize_sm = sm;
154  }
155 
156  return 0;
157 
158 error:
159  return -1;
160 }
161 
162 /**
163  * \internal
164  * \brief this function will free memory associated with DetectU16Data
165  *
166  * \param de pointer to DetectU16Data
167  */
168 void DetectDsizeFree(DetectEngineCtx *de_ctx, void *de_ptr)
169 {
170  rs_detect_u16_free(de_ptr);
171 }
172 
173 /* prefilter code */
174 
175 static void
176 PrefilterPacketDsizeMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)
177 {
178  if (PKT_IS_PSEUDOPKT(p)) {
179  SCReturn;
180  }
181 
182  const PrefilterPacketHeaderCtx *ctx = pectx;
183  if (!PrefilterPacketHeaderExtraMatch(ctx, p))
184  return;
185 
186  const uint16_t dsize = p->payload_len;
187  DetectU16Data du16;
188  du16.mode = ctx->v1.u8[0];
189  du16.arg1 = ctx->v1.u16[1];
190  du16.arg2 = ctx->v1.u16[2];
191 
192  if (DetectU16Match(dsize, &du16)) {
193  SCLogDebug("packet matches dsize %u", dsize);
194  PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);
195  }
196 }
197 
198 static int PrefilterSetupDsize(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
199 {
201  PrefilterPacketU16Compare, PrefilterPacketDsizeMatch);
202 }
203 
204 static bool PrefilterDsizeIsPrefilterable(const Signature *s)
205 {
206  const SigMatch *sm;
207  for (sm = s->init_data->smlists[DETECT_SM_LIST_MATCH] ; sm != NULL; sm = sm->next) {
208  switch (sm->type) {
209  case DETECT_DSIZE:
210  return true;
211  }
212  }
213  return false;
214 }
215 
216 /** \brief get max dsize "depth"
217  * \param s signature to get dsize value from
218  * \retval depth or negative value
219  */
221 {
222  if (s->flags & SIG_FLAG_DSIZE && s->init_data->dsize_sm != NULL) {
223  const DetectU16Data *dd = (const DetectU16Data *)s->init_data->dsize_sm->ctx;
224 
225  switch (dd->mode) {
226  case DETECT_UINT_LT:
227  case DETECT_UINT_EQ:
228  case DETECT_UINT_NE:
229  return dd->arg1;
230  case DETECT_UINT_RA:
231  return dd->arg2;
232  case DETECT_UINT_GT:
233  default:
234  SCReturnInt(-2);
235  }
236  }
237  SCReturnInt(-1);
238 }
239 
240 /** \brief set prefilter dsize pair
241  * \param s signature to get dsize value from
242  */
244 {
245  if (s->flags & SIG_FLAG_DSIZE && s->init_data->dsize_sm != NULL) {
246  const DetectU16Data *dd = (const DetectU16Data *)s->init_data->dsize_sm->ctx;
247 
248  uint16_t low = 0;
249  uint16_t high = 65535;
250 
251  switch (dd->mode) {
252  case DETECT_UINT_LT:
253  low = 0;
254  high = dd->arg1;
255  break;
256  case DETECT_UINT_LTE:
257  low = 0;
258  high = dd->arg1 + 1;
259  break;
260  case DETECT_UINT_EQ:
261  case DETECT_UINT_NE:
262  low = dd->arg1;
263  high = dd->arg1;
264  break;
265  case DETECT_UINT_RA:
266  low = dd->arg1;
267  high = dd->arg2;
268  break;
269  case DETECT_UINT_GT:
270  low = dd->arg1;
271  high = 65535;
272  break;
273  case DETECT_UINT_GTE:
274  low = dd->arg1 - 1;
275  high = 65535;
276  break;
277  }
278  s->dsize_mode = dd->mode;
279  s->dsize_low = low;
280  s->dsize_high = high;
281 
282  SCLogDebug("low %u, high %u, mode %u", low, high, dd->mode);
283  }
284 }
285 
286 /**
287  * \brief Determine the required dsize for the signature
288  * \param s signature to get dsize value from
289  *
290  * Note that negated content does not contribute to the maximum
291  * required dsize value. However, each negated content's values
292  * must not exceed the dsize value. See SigParseRequiredContentSize.
293  *
294  * \retval -1 Signature doesn't have a dsize keyword
295  * \retval >= 0 Dsize value required to not exclude content matches
296  */
298 {
299  SCEnter();
300 
301  if (!(s->flags & SIG_FLAG_DSIZE)) {
302  SCReturnInt(-1);
303  }
304 
305  const int dsize = SigParseGetMaxDsize(s);
306  if (dsize < 0) {
307  /* nothing to do */
308  SCReturnInt(-1);
309  }
310 
311  int total_length, offset;
313  s, dsize, s->init_data->smlists[DETECT_SM_LIST_PMATCH], &total_length, &offset);
314  SCLogDebug("dsize: %d len: %d; offset: %d [%s]", dsize, total_length, offset, s->sig_str);
315 
316  if (total_length > dsize) {
317  SCLogDebug("required_dsize: %d exceeds dsize: %d", total_length, dsize);
318  return total_length;
319  }
320 
321  if ((total_length + offset) > dsize) {
322  SCLogDebug("length + offset: %d exceeds dsize: %d", total_length + offset, dsize);
323  return total_length + offset;
324  }
325 
326  SCReturnInt(-1);
327 }
328 
329 /**
330  * \brief Apply dsize as depth to content matches in the rule
331  * \param s signature to get dsize value from
332  */
334 {
335  SCEnter();
336 
337  if (s->flags & SIG_FLAG_DSIZE) {
339 
340  int dsize = SigParseGetMaxDsize(s);
341  if (dsize < 0) {
342  /* nothing to do */
343  return;
344  }
345 
347  for ( ; sm != NULL; sm = sm->next) {
348  if (sm->type != DETECT_CONTENT) {
349  continue;
350  }
351 
353  if (cd == NULL) {
354  continue;
355  }
356 
357  if (cd->depth == 0 || cd->depth >= dsize) {
359  cd->depth = (uint16_t)dsize;
360  SCLogDebug("updated %u, content %u to have depth %u "
361  "because of dsize.", s->id, cd->id, cd->depth);
362  }
363  }
364  }
365 }
366 
367 /*
368  * ONLY TESTS BELOW THIS COMMENT
369  */
370 
371 #ifdef UNITTESTS
372 #include "util-unittest-helper.h"
373 #include "detect-engine.h"
374 #include "detect-engine-alert.h"
375 #include "packet.h"
376 
377 /**
378  * \test this is a test for a valid dsize value 1
379  *
380  */
381 static int DsizeTestParse01(void)
382 {
383  DetectU16Data *dd = DetectU16Parse("1");
384  FAIL_IF_NULL(dd);
385  FAIL_IF_NOT(dd->arg1 == 1);
386  FAIL_IF_NOT(dd->arg2 == 0);
387 
388  DetectDsizeFree(NULL, dd);
389  PASS;
390 }
391 
392 /**
393  * \test this is a test for a valid dsize value >10
394  *
395  */
396 static int DsizeTestParse02(void)
397 {
398  DetectU16Data *dd = DetectU16Parse(">10");
399  FAIL_IF_NULL(dd);
400  FAIL_IF_NOT(dd->arg1 == 10);
401  FAIL_IF_NOT(dd->mode == DETECT_UINT_GT);
402  DetectDsizeFree(NULL, dd);
403  PASS;
404 }
405 
406 /**
407  * \test this is a test for a valid dsize value <100
408  *
409  */
410 static int DsizeTestParse03(void)
411 {
412  DetectU16Data *dd = DetectU16Parse("<100");
413  FAIL_IF_NULL(dd);
414  FAIL_IF_NOT(dd->arg1 == 100);
415  FAIL_IF_NOT(dd->mode == DETECT_UINT_LT);
416 
417  DetectDsizeFree(NULL, dd);
418  PASS;
419 }
420 
421 /**
422  * \test this is a test for a valid dsize value 1<>3
423  *
424  */
425 static int DsizeTestParse04(void)
426 {
427  DetectU16Data *dd = DetectU16Parse("1<>3");
428  FAIL_IF_NULL(dd);
429  FAIL_IF_NOT(dd->arg1 == 1);
430  FAIL_IF_NOT(dd->arg2 == 3);
431  FAIL_IF_NOT(dd->mode == DETECT_UINT_RA);
432 
433  DetectDsizeFree(NULL, dd);
434  PASS;
435 }
436 
437 /**
438  * \test this is a test for a valid dsize value 1 <> 3
439  *
440  */
441 static int DsizeTestParse05(void)
442 {
443  DetectU16Data *dd = DetectU16Parse(" 1 <> 3 ");
444  FAIL_IF_NULL(dd);
445  FAIL_IF_NOT(dd->arg1 == 1);
446  FAIL_IF_NOT(dd->arg2 == 3);
447  FAIL_IF_NOT(dd->mode == DETECT_UINT_RA);
448 
449  DetectDsizeFree(NULL, dd);
450  PASS;
451 }
452 
453 /**
454  * \test this is test for a valid dsize value > 2
455  *
456  */
457 static int DsizeTestParse06(void)
458 {
459  DetectU16Data *dd = DetectU16Parse("> 2 ");
460  FAIL_IF_NULL(dd);
461  FAIL_IF_NOT(dd->arg1 == 2);
462  FAIL_IF_NOT(dd->mode == DETECT_UINT_GT);
463 
464  DetectDsizeFree(NULL, dd);
465  PASS;
466 }
467 
468 /**
469  * \test test for a valid dsize value < 12
470  *
471  */
472 static int DsizeTestParse07(void)
473 {
474  DetectU16Data *dd = DetectU16Parse("< 12 ");
475  FAIL_IF_NULL(dd);
476  FAIL_IF_NOT(dd->arg1 == 12);
477  FAIL_IF_NOT(dd->mode == DETECT_UINT_LT);
478 
479  DetectDsizeFree(NULL, dd);
480  PASS;
481 }
482 
483 /**
484  * \test test for a valid dsize value 12
485  *
486  */
487 static int DsizeTestParse08(void)
488 {
489  DetectU16Data *dd = DetectU16Parse(" 12 ");
490  FAIL_IF_NULL(dd);
491  FAIL_IF_NOT(dd->arg1 == 12);
492  FAIL_IF_NOT(dd->mode == DETECT_UINT_EQ);
493 
494  DetectDsizeFree(NULL, dd);
495  PASS;
496 }
497 
498 /**
499  * \test this is a test for a valid dsize value !1
500  *
501  */
502 static int DsizeTestParse09(void)
503 {
504  DetectU16Data *dd = DetectU16Parse("!1");
505  FAIL_IF_NULL(dd);
506  DetectDsizeFree(NULL, dd);
507  PASS;
508 }
509 
510 /**
511  * \test this is a test for a valid dsize value ! 1
512  *
513  */
514 static int DsizeTestParse10(void)
515 {
516  DetectU16Data *dd = DetectU16Parse("! 1");
517  FAIL_IF_NULL(dd);
518  DetectDsizeFree(NULL, dd);
519  PASS;
520 }
521 
522 /**
523  * \test this is a test for invalid dsize values
524  * A, >10<>10, <>10, 1<>, "", " ", 2<>1, 1!
525  *
526  */
527 static int DsizeTestParse11(void)
528 {
529  const char *strings[] = { "A", ">10<>10", "<>10", "1<>", "", " ", "2<>1", "1!", NULL };
530  for (int i = 0; strings[i]; i++) {
531  DetectU16Data *dd = DetectU16Parse(strings[i]);
532  FAIL_IF_NOT_NULL(dd);
533  }
534 
535  PASS;
536 }
537 
538 /**
539  * \test this is a test for positive ! dsize matching
540  *
541  */
542 static int DsizeTestMatch01(void)
543 {
544  uint16_t psize = 1;
545  uint16_t dsizelow = 2;
546  uint16_t dsizehigh = 0;
547  DetectU16Data du16;
548  du16.mode = DETECT_UINT_NE;
549  du16.arg1 = dsizelow;
550  du16.arg2 = dsizehigh;
551  FAIL_IF_NOT(DetectU16Match(psize, &du16));
552 
553  PASS;
554 }
555 
556 /**
557  * \test this is a test for negative ! dsize matching
558  *
559  */
560 static int DsizeTestMatch02(void)
561 {
562  uint16_t psize = 1;
563  uint16_t dsizelow = 1;
564  uint16_t dsizehigh = 0;
565  DetectU16Data du16;
566  du16.mode = DETECT_UINT_NE;
567  du16.arg1 = dsizelow;
568  du16.arg2 = dsizehigh;
569  FAIL_IF(DetectU16Match(psize, &du16));
570 
571  PASS;
572 }
573 
574 /**
575  * \test DetectDsizeIcmpv6Test01 is a test for checking the working of
576  * dsize keyword by creating 2 rules and matching a crafted packet
577  * against them. Only the first one shall trigger.
578  */
579 static int DetectDsizeIcmpv6Test01(void)
580 {
581  static uint8_t raw_icmpv6[] = {
582  0x60, 0x00, 0x00, 0x00, 0x00, 0x30, 0x3a, 0xff,
583  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
584  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
585  0xff, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
586  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
587  0x01, 0x00, 0x7b, 0x85, 0x00, 0x00, 0x00, 0x00,
588  0x60, 0x4b, 0xe8, 0xbd, 0x00, 0x00, 0x3b, 0xff,
589  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
590  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
591  0xff, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
592  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 };
593 
594  Packet *p = PacketGetFromAlloc();
595  FAIL_IF_NULL(p);
596 
597  IPV6Hdr ip6h;
598  ThreadVars tv;
600  ThreadVars th_v;
601  DetectEngineThreadCtx *det_ctx = NULL;
602 
603  memset(&tv, 0, sizeof(ThreadVars));
604  memset(&dtv, 0, sizeof(DecodeThreadVars));
605  memset(&ip6h, 0, sizeof(IPV6Hdr));
606  memset(&th_v, 0, sizeof(ThreadVars));
607 
609  p->src.family = AF_INET6;
610  p->dst.family = AF_INET6;
611  p->ip6h = &ip6h;
612 
613  DecodeIPV6(&tv, &dtv, p, raw_icmpv6, sizeof(raw_icmpv6));
614 
617 
618  de_ctx->flags |= DE_QUIET;
619 
621  "alert icmp any any -> any any "
622  "(msg:\"ICMP Large ICMP Packet\"; dsize:>8; sid:1; rev:4;)");
623  FAIL_IF_NULL(s);
624 
626  "alert icmp any any -> any any "
627  "(msg:\"ICMP Large ICMP Packet\"; dsize:>800; sid:2; rev:4;)");
628  FAIL_IF_NULL(s);
629 
631  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
632 
633  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
634  FAIL_IF(PacketAlertCheck(p, 1) == 0);
635  FAIL_IF(PacketAlertCheck(p, 2));
636 
637  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
639 
640  PacketRecycle(p);
641  FlowShutdown();
642  SCFree(p);
643 
644  PASS;
645 }
646 
647 /**
648  * \brief this function registers unit tests for dsize
649  */
650 static void DsizeRegisterTests(void)
651 {
652  UtRegisterTest("DsizeTestParse01", DsizeTestParse01);
653  UtRegisterTest("DsizeTestParse02", DsizeTestParse02);
654  UtRegisterTest("DsizeTestParse03", DsizeTestParse03);
655  UtRegisterTest("DsizeTestParse04", DsizeTestParse04);
656  UtRegisterTest("DsizeTestParse05", DsizeTestParse05);
657  UtRegisterTest("DsizeTestParse06", DsizeTestParse06);
658  UtRegisterTest("DsizeTestParse07", DsizeTestParse07);
659  UtRegisterTest("DsizeTestParse08", DsizeTestParse08);
660  UtRegisterTest("DsizeTestParse09", DsizeTestParse09);
661  UtRegisterTest("DsizeTestParse10", DsizeTestParse10);
662  UtRegisterTest("DsizeTestParse11", DsizeTestParse11);
663  UtRegisterTest("DsizeTestMatch01", DsizeTestMatch01);
664  UtRegisterTest("DsizeTestMatch02", DsizeTestMatch02);
665 
666  UtRegisterTest("DetectDsizeIcmpv6Test01", DetectDsizeIcmpv6Test01);
667 }
668 #endif /* UNITTESTS */
util-byte.h
host.h
DetectDsizeRegister
void DetectDsizeRegister(void)
Registration function for dsize: keyword.
Definition: detect-dsize.c:61
SigTableElmt_::url
const char * url
Definition: detect.h:1295
detect-content.h
detect-engine.h
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:113
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:577
PrefilterPacketU16Set
void PrefilterPacketU16Set(PrefilterPacketHeaderValue *v, void *smctx)
Definition: detect-engine-uint.c:126
SigTableElmt_::desc
const char * desc
Definition: detect.h:1294
detect-dsize.h
Signature_::sig_str
char * sig_str
Definition: detect.h:659
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1282
SigTableElmt_::name
const char * name
Definition: detect.h:1292
PKT_IS_PSEUDOPKT
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1058
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1444
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DETECT_UINT_LT
#define DETECT_UINT_LT
Definition: detect-engine-uint.h:37
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:62
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
DETECT_UINT_NE
#define DETECT_UINT_NE
Definition: detect-engine-uint.h:36
SigParseGetMaxDsize
int SigParseGetMaxDsize(const Signature *s)
get max dsize "depth"
Definition: detect-dsize.c:220
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
PacketRecycle
void PacketRecycle(Packet *p)
Definition: packet.c:168
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1200
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:835
PrefilterPacketHeaderCtx_::sigs_array
SigIntId * sigs_array
Definition: detect-engine-prefilter-common.h:43
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2580
DETECT_UINT_EQ
#define DETECT_UINT_EQ
Definition: detect-engine-uint.h:35
PrefilterPacketHeaderValue::u8
uint8_t u8[16]
Definition: detect-engine-prefilter-common.h:24
DE_QUIET
#define DE_QUIET
Definition: detect.h:320
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1882
DetectContentData_
Definition: detect-content.h:93
PrefilterPacketHeaderCtx_::sigs_cnt
uint32_t sigs_cnt
Definition: detect-engine-prefilter-common.h:42
DETECT_UINT_GT
#define DETECT_UINT_GT
Definition: detect-engine-uint.h:32
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2620
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1277
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:578
Signature_::dsize_low
uint16_t dsize_low
Definition: detect.h:599
PrefilterPacketHeaderValue::u16
uint16_t u16[8]
Definition: detect-engine-prefilter-common.h:25
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
SigTableElmt_::SetupPrefilter
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
Definition: detect.h:1280
FlowInitConfig
void FlowInitConfig(bool quiet)
initialize the configuration
Definition: flow.c:547
PrefilterPacketHeaderCtx_
Definition: detect-engine-prefilter-common.h:35
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1091
DETECT_CONTENT_DEPTH
#define DETECT_CONTENT_DEPTH
Definition: detect-content.h:33
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
pkt-var.h
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:350
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:111
DetectContentData_::id
PatIntId id
Definition: detect-content.h:105
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:349
SigParseSetDsizePair
void SigParseSetDsizePair(Signature *s)
set prefilter dsize pair
Definition: detect-dsize.c:243
util-profiling.h
SCReturn
#define SCReturn
Definition: util-debug.h:273
Signature_::flags
uint32_t flags
Definition: detect.h:593
DetectContentData_::depth
uint16_t depth
Definition: detect-content.h:106
SigParseRequiredContentSize
void SigParseRequiredContentSize(const Signature *s, const int max_size, const SigMatch *sm, int *len, int *offset)
Determine the size needed to accommodate the content elements of a signature.
Definition: detect-content.c:408
IPV6Hdr_
Definition: decode-ipv6.h:32
Packet_
Definition: decode.h:430
detect-engine-build.h
DETECT_UINT_GTE
#define DETECT_UINT_GTE
Definition: detect-engine-uint.h:33
DecodeIPV6
int DecodeIPV6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint16_t len)
Definition: decode-ipv6.c:564
detect-engine-alert.h
DetectContentData_::flags
uint32_t flags
Definition: detect-content.h:104
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:661
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1260
DETECT_DSIZE
@ DETECT_DSIZE
Definition: detect-engine-register.h:52
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1948
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:33
PrefilterPacketHeaderCtx_::v1
PrefilterPacketHeaderValue v1
Definition: detect-engine-prefilter-common.h:36
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:341
SignatureInitData_::dsize_sm
SigMatch * dsize_sm
Definition: detect.h:548
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3291
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
DetectU16Match
int DetectU16Match(const uint16_t parg, const DetectUintData_u16 *du16)
Definition: detect-engine-uint.c:107
DetectU16Parse
DetectUintData_u16 * DetectU16Parse(const char *u16str)
This function is used to parse u16 options passed via some u16 keyword.
Definition: detect-engine-uint.c:121
PrefilterPacketU16Compare
bool PrefilterPacketU16Compare(PrefilterPacketHeaderValue v, void *smctx)
Definition: detect-engine-uint.c:134
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3501
SigMatch_::type
uint16_t type
Definition: detect.h:347
Signature_::dsize_high
uint16_t dsize_high
Definition: detect.h:600
FlowShutdown
void FlowShutdown(void)
shutdown the flow engine
Definition: flow.c:695
packet.h
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:127
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
PrefilterSetupPacketHeader
int PrefilterSetupPacketHeader(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type, void(*Set)(PrefilterPacketHeaderValue *v, void *), bool(*Compare)(PrefilterPacketHeaderValue v, void *), void(*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
Definition: detect-engine-prefilter-common.c:417
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:173
DETECT_UINT_LTE
#define DETECT_UINT_LTE
Definition: detect-engine-uint.h:38
str
#define str(s)
Definition: suricata-common.h:291
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:673
SigTableElmt_::SupportsPrefilter
bool(* SupportsPrefilter)(const Signature *s)
Definition: detect.h:1279
Signature_::id
uint32_t id
Definition: detect.h:627
detect-parse.h
Signature_
Signature container.
Definition: detect.h:592
SigMatch_
a single match condition for a signature
Definition: detect.h:346
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2541
Signature_::dsize_mode
uint8_t dsize_mode
Definition: detect.h:601
Address_::family
char family
Definition: decode.h:116
Packet_::dst
Address dst
Definition: decode.h:435
FLOW_QUIET
#define FLOW_QUIET
Definition: flow.h:41
SigParseApplyDsizeToContent
void SigParseApplyDsizeToContent(Signature *s)
Apply dsize as depth to content matches in the rule.
Definition: detect-dsize.c:333
DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition: detect-parse.c:619
SigMatchAppendSMToList
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:447
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:837
detect-engine-prefilter-common.h
Packet_::ip6h
IPV6Hdr * ip6h
Definition: decode.h:537
DetectU16Data
DetectUintData_u16 DetectU16Data
Definition: detect-engine-uint.h:42
SigParseMaxRequiredDsize
int SigParseMaxRequiredDsize(const Signature *s)
Determine the required dsize for the signature.
Definition: detect-dsize.c:297
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
flow-var.h
Packet_::src
Address src
Definition: decode.h:434
DETECT_UINT_RA
#define DETECT_UINT_RA
Definition: detect-engine-uint.h:34
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1284
SIG_FLAG_DSIZE
#define SIG_FLAG_DSIZE
Definition: detect.h:240
SIG_FLAG_REQUIRE_PACKET
#define SIG_FLAG_REQUIRE_PACKET
Definition: detect.h:245