51 static void DsizeRegisterTests(
void);
56 static bool PrefilterDsizeIsPrefilterable(
const Signature *s);
125 "the same sig. Invalidating signature.");
142 rs_detect_u16_free(dd);
146 SCLogDebug(
"dd->arg1 %" PRIu16
", dd->arg2 %" PRIu16
", dd->mode %" PRIu8
"", dd->arg1,
170 rs_detect_u16_free(de_ptr);
183 if (!PrefilterPacketHeaderExtraMatch(ctx, p))
188 du16.mode = ctx->
v1.
u8[0];
189 du16.arg1 = ctx->
v1.
u16[1];
190 du16.arg2 = ctx->
v1.
u16[2];
204 static bool PrefilterDsizeIsPrefilterable(
const Signature *s)
249 uint16_t high = 65535;
282 SCLogDebug(
"low %u, high %u, mode %u", low, high, dd->mode);
316 if (total_length > dsize) {
317 SCLogDebug(
"required_dsize: %d exceeds dsize: %d", total_length, dsize);
321 if ((total_length +
offset) > dsize) {
322 SCLogDebug(
"length + offset: %d exceeds dsize: %d", total_length +
offset, dsize);
323 return total_length +
offset;
347 for ( ; sm != NULL; sm = sm->
next) {
359 cd->
depth = (uint16_t)dsize;
360 SCLogDebug(
"updated %u, content %u to have depth %u "
361 "because of dsize.", s->
id, cd->
id, cd->
depth);
381 static int DsizeTestParse01(
void)
388 DetectDsizeFree(NULL, dd);
396 static int DsizeTestParse02(
void)
402 DetectDsizeFree(NULL, dd);
410 static int DsizeTestParse03(
void)
417 DetectDsizeFree(NULL, dd);
425 static int DsizeTestParse04(
void)
433 DetectDsizeFree(NULL, dd);
441 static int DsizeTestParse05(
void)
449 DetectDsizeFree(NULL, dd);
457 static int DsizeTestParse06(
void)
464 DetectDsizeFree(NULL, dd);
472 static int DsizeTestParse07(
void)
479 DetectDsizeFree(NULL, dd);
487 static int DsizeTestParse08(
void)
494 DetectDsizeFree(NULL, dd);
502 static int DsizeTestParse09(
void)
506 DetectDsizeFree(NULL, dd);
514 static int DsizeTestParse10(
void)
518 DetectDsizeFree(NULL, dd);
527 static int DsizeTestParse11(
void)
529 const char *strings[] = {
"A",
">10<>10",
"<>10",
"1<>",
"",
" ",
"2<>1",
"1!", NULL };
530 for (
int i = 0; strings[i]; i++) {
542 static int DsizeTestMatch01(
void)
545 uint16_t dsizelow = 2;
546 uint16_t dsizehigh = 0;
549 du16.arg1 = dsizelow;
550 du16.arg2 = dsizehigh;
560 static int DsizeTestMatch02(
void)
563 uint16_t dsizelow = 1;
564 uint16_t dsizehigh = 0;
567 du16.arg1 = dsizelow;
568 du16.arg2 = dsizehigh;
579 static int DetectDsizeIcmpv6Test01(
void)
581 static uint8_t raw_icmpv6[] = {
582 0x60, 0x00, 0x00, 0x00, 0x00, 0x30, 0x3a, 0xff,
583 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
584 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
585 0xff, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
586 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
587 0x01, 0x00, 0x7b, 0x85, 0x00, 0x00, 0x00, 0x00,
588 0x60, 0x4b, 0xe8, 0xbd, 0x00, 0x00, 0x3b, 0xff,
589 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
590 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
591 0xff, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
592 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 };
618 "alert icmp any any -> any any "
619 "(msg:\"ICMP Large ICMP Packet\"; dsize:>8; sid:1; rev:4;)");
623 "alert icmp any any -> any any "
624 "(msg:\"ICMP Large ICMP Packet\"; dsize:>800; sid:2; rev:4;)");
647 static void DsizeRegisterTests(
void)
663 UtRegisterTest(
"DetectDsizeIcmpv6Test01", DetectDsizeIcmpv6Test01);
void DetectDsizeRegister(void)
Registration function for dsize: keyword.
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
void PrefilterPacketU16Set(PrefilterPacketHeaderValue *v, void *smctx)
void(* Free)(DetectEngineCtx *, void *)
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Container for matching data for a signature group.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
int SigParseGetMaxDsize(const Signature *s)
get max dsize "depth"
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
void PacketRecycle(Packet *p)
main detection engine ctx
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx.
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
void FlowInitConfig(bool quiet)
initialize the configuration
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
#define PASS
Pass the test.
#define DETECT_CONTENT_DEPTH
Per thread variable structure.
void SigParseSetDsizePair(Signature *s)
set prefilter dsize pair
void SigParseRequiredContentSize(const Signature *s, const int max_size, const SigMatch *sm, int *len, int *offset)
Determine the size needed to accommodate the content elements of a signature.
int DecodeIPV6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint16_t len)
SignatureInitData * init_data
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Used to start a pointer to SigMatch context. Should never be dereferenced without casting to something...
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
int DetectU16Match(const uint16_t parg, const DetectUintData_u16 *du16)
DetectUintData_u16 * DetectU16Parse(const char *u16str)
This function is used to parse u16 options passed via some u16 keyword.
bool PrefilterPacketU16Compare(PrefilterPacketHeaderValue v, void *smctx)
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
void FlowShutdown(void)
shutdown the flow engine
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
int PrefilterSetupPacketHeader(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type, void(*Set)(PrefilterPacketHeaderValue *v, void *), bool(*Compare)(PrefilterPacketHeaderValue v, void *), void(*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
#define SCLogError(...)
Macro used to log ERROR messages.
Structure to hold thread specific data for all decode modules.
bool(* SupportsPrefilter)(const Signature *s)
a single match condition for a signature
DetectEngineCtx * DetectEngineCtxInit(void)
void SigParseApplyDsizeToContent(Signature *s)
Apply dsize as depth to content matches in the rule.
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
DetectUintData_u16 DetectU16Data
int SigParseMaxRequiredDsize(const Signature *s)
Determine the required dsize for the signature.
void(* RegisterTests)(void)
#define SIG_FLAG_REQUIRE_PACKET