/* Forward declaration: the definition appears later in this file and
 * registers the dsize unit tests through UtRegisterTest(). */
51 static void DsizeRegisterTests(
void);
/* Forward declaration: takes a const Signature * and returns bool; the
 * definition appears later in this file.
 * NOTE(review): presumably installed as the keyword's SupportsPrefilter
 * callback -- confirm in DetectDsizeRegister(). */
56 static bool PrefilterDsizeIsPrefilterable(
const Signature *s);
126 "the same sig. Invalidating signature.");
142 SCLogError(
"Failed to allocate memory for SigMatch");
143 rs_detect_u16_free(dd);
152 SCLogDebug(
"dd->arg1 %" PRIu16
", dd->arg2 %" PRIu16
", dd->mode %" PRIu8
"", dd->arg1,
176 rs_detect_u16_free(de_ptr);
189 if (!PrefilterPacketHeaderExtraMatch(ctx, p))
194 du16.mode = ctx->
v1.
u8[0];
195 du16.arg1 = ctx->
v1.
u16[1];
196 du16.arg2 = ctx->
v1.
u16[2];
210 static bool PrefilterDsizeIsPrefilterable(
const Signature *s)
255 uint16_t high = 65535;
288 SCLogDebug(
"low %u, high %u, mode %u", low, high, dd->mode);
322 if (total_length > dsize) {
323 SCLogDebug(
"required_dsize: %d exceeds dsize: %d", total_length, dsize);
327 if ((total_length +
offset) > dsize) {
328 SCLogDebug(
"length + offset: %d exceeds dsize: %d", total_length +
offset, dsize);
329 return total_length +
offset;
353 for ( ; sm != NULL; sm = sm->
next) {
365 cd->
depth = (uint16_t)dsize;
366 SCLogDebug(
"updated %u, content %u to have depth %u "
367 "because of dsize.", s->
id, cd->
id, cd->
depth);
387 static int DsizeTestParse01(
void)
394 DetectDsizeFree(NULL, dd);
402 static int DsizeTestParse02(
void)
408 DetectDsizeFree(NULL, dd);
416 static int DsizeTestParse03(
void)
423 DetectDsizeFree(NULL, dd);
431 static int DsizeTestParse04(
void)
439 DetectDsizeFree(NULL, dd);
447 static int DsizeTestParse05(
void)
455 DetectDsizeFree(NULL, dd);
463 static int DsizeTestParse06(
void)
470 DetectDsizeFree(NULL, dd);
478 static int DsizeTestParse07(
void)
485 DetectDsizeFree(NULL, dd);
493 static int DsizeTestParse08(
void)
500 DetectDsizeFree(NULL, dd);
508 static int DsizeTestParse09(
void)
512 DetectDsizeFree(NULL, dd);
520 static int DsizeTestParse10(
void)
524 DetectDsizeFree(NULL, dd);
533 static int DsizeTestParse11(
void)
535 const char *strings[] = {
"A",
">10<>10",
"<>10",
"1<>",
"",
" ",
"2<>1",
"1!", NULL };
536 for (
int i = 0; strings[i]; i++) {
548 static int DsizeTestMatch01(
void)
551 uint16_t dsizelow = 2;
552 uint16_t dsizehigh = 0;
555 du16.arg1 = dsizelow;
556 du16.arg2 = dsizehigh;
566 static int DsizeTestMatch02(
void)
569 uint16_t dsizelow = 1;
570 uint16_t dsizehigh = 0;
573 du16.arg1 = dsizelow;
574 du16.arg2 = dsizehigh;
585 static int DetectDsizeIcmpv6Test01(
void)
587 static uint8_t raw_icmpv6[] = {
588 0x60, 0x00, 0x00, 0x00, 0x00, 0x30, 0x3a, 0xff,
589 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
590 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
591 0xff, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
592 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
593 0x01, 0x00, 0x7b, 0x85, 0x00, 0x00, 0x00, 0x00,
594 0x60, 0x4b, 0xe8, 0xbd, 0x00, 0x00, 0x3b, 0xff,
595 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
596 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
597 0xff, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
598 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 };
611 memset(&ip6h, 0,
sizeof(
IPV6Hdr));
627 "alert icmp any any -> any any "
628 "(msg:\"ICMP Large ICMP Packet\"; dsize:>8; sid:1; rev:4;)");
632 "alert icmp any any -> any any "
633 "(msg:\"ICMP Large ICMP Packet\"; dsize:>800; sid:2; rev:4;)");
656 static void DsizeRegisterTests(
void)
672 UtRegisterTest(
"DetectDsizeIcmpv6Test01", DetectDsizeIcmpv6Test01);
void DetectDsizeRegister(void)
Registration function for dsize: keyword.
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
void SigMatchAppendSMToList(Signature *s, SigMatch *new, const int list)
Append a SigMatch to the list type.
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
void PrefilterPacketU16Set(PrefilterPacketHeaderValue *v, void *smctx)
void(* Free)(DetectEngineCtx *, void *)
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Container for matching data for a signature group.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
int SigParseGetMaxDsize(const Signature *s)
get max dsize "depth"
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
void PacketRecycle(Packet *p)
main detection engine ctx
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx.
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
void FlowInitConfig(bool quiet)
initialize the configuration
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
#define PASS
Pass the test.
#define DETECT_CONTENT_DEPTH
Per thread variable structure.
void SigParseSetDsizePair(Signature *s)
set prefilter dsize pair
void SigParseRequiredContentSize(const Signature *s, const int max_size, const SigMatch *sm, int *len, int *offset)
int DecodeIPV6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint16_t len)
SignatureInitData * init_data
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
SigMatch * SigMatchAlloc(void)
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Used to start a pointer to SigMatch context. Should never be dereferenced without casting to something...
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
int DetectU16Match(const uint16_t parg, const DetectUintData_u16 *du16)
DetectUintData_u16 * DetectU16Parse(const char *u16str)
This function is used to parse u16 options passed via some u16 keyword.
bool PrefilterPacketU16Compare(PrefilterPacketHeaderValue v, void *smctx)
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
void FlowShutdown(void)
shutdown the flow engine
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
int PrefilterSetupPacketHeader(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type, void(*Set)(PrefilterPacketHeaderValue *v, void *), bool(*Compare)(PrefilterPacketHeaderValue v, void *), void(*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
#define SCLogError(...)
Macro used to log ERROR messages.
Structure to hold thread specific data for all decode modules.
bool(* SupportsPrefilter)(const Signature *s)
a single match condition for a signature
DetectEngineCtx * DetectEngineCtxInit(void)
void SigParseApplyDsizeToContent(Signature *s)
Apply dsize as depth to content matches in the rule.
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
DetectUintData_u16 DetectU16Data
int SigParseMaxRequiredDsize(const Signature *s)
Determine the required dsize for the signature.
void(* RegisterTests)(void)
#define SIG_FLAG_REQUIRE_PACKET