suricata
detect-engine-address-ipv4.c File Reference
#include "suricata-common.h"
#include "decode.h"
#include "detect.h"
#include "flow-var.h"
#include "util-cidr.h"
#include "util-unittest.h"
#include "detect-engine-address.h"
#include "detect-engine-address-ipv4.h"
#include "detect-engine-siggroup.h"
#include "detect-engine-port.h"
#include "util-error.h"
#include "util-debug.h"

Functions

int DetectAddressCmpIPv4 (DetectAddress *a, DetectAddress *b)
 Compares 2 addresses (address ranges) and returns the relationship between the 2 addresses.

int DetectAddressCutIPv4 (DetectEngineCtx *de_ctx, DetectAddress *a, DetectAddress *b, DetectAddress **c)
 Cut groups and merge sigs.

int DetectAddressIsCompleteIPSpaceIPv4 (DetectAddress *ag)
 Check if the address group list covers the complete IPv4 IP space.

int DetectAddressCutNotIPv4 (DetectAddress *a, DetectAddress **b)
 Cuts and returns an address range, which is the complement of the address range that is supplied as the argument.

int DetectAddressJoinIPv4 (DetectEngineCtx *de_ctx, DetectAddress *target, DetectAddress *source)
 Extends a target address range if the source address range is wider than the target address range on either side.
 
void DetectAddressIPv4Tests (void)
 

Detailed Description

Author
Victor Julien <victor@inliniac.net>

IPv4 address part of the detection engine.

Definition in file detect-engine-address-ipv4.c.

Function Documentation

int DetectAddressCmpIPv4 (DetectAddress *a, DetectAddress *b)

Compares 2 addresses (address ranges) and returns the relationship between the 2 addresses.

Parameters
a: Pointer to the first address instance to be compared.
b: Pointer to the second address instance to be compared.

Return values
ADDRESS_EQ: If the 2 address ranges a and b are equal.
ADDRESS_ES: b encapsulates a. b_ip1[...a_ip1...a_ip2...]b_ip2.
ADDRESS_EB: a encapsulates b. a_ip1[...b_ip1....b_ip2...]a_ip2.
ADDRESS_LE: a_ip1(...b_ip1==a_ip2...)b_ip2
ADDRESS_LT: a_ip1(...b_ip1...a_ip2...)b_ip2
ADDRESS_GE: b_ip1(...a_ip1==b_ip2...)a_ip2
ADDRESS_GT: a_ip1 > b_ip2, i.e. the address range for 'a' starts only after the end of the address range for 'b'.

Definition at line 59 of file detect-engine-address-ipv4.c.

References ADDRESS_EB, ADDRESS_EQ, ADDRESS_ER, ADDRESS_ES, ADDRESS_GE, ADDRESS_GT, ADDRESS_LE, ADDRESS_LT, DetectAddress_::ip, DetectAddress_::ip2, SCLogDebug, and SCNtohl.

Referenced by DetectAddressCmp(), DetectAddressCutIPv4(), and DetectAddressJoinIPv4().

int DetectAddressCutIPv4 (DetectEngineCtx *de_ctx, DetectAddress *a, DetectAddress *b, DetectAddress **c)

Cut groups and merge sigs.

a = 1.2.3.4, b = 1.2.3.4-1.2.3.5 must result in: a == 1.2.3.4, b == 1.2.3.5, c == NULL

a = 1.2.3.4, b = 1.2.3.3-1.2.3.5 must result in: a == 1.2.3.3, b == 1.2.3.4, c == 1.2.3.5

a = 1.2.3.0/24, b = 1.2.3.128-1.2.4.10 must result in: a == 1.2.3.0/24, b == 1.2.4.0-1.2.4.10, c == NULL

a = 1.2.3.4, b = 1.2.3.0/24 must result in: a == 1.2.3.0-1.2.3.3, b == 1.2.3.4, c == 1.2.3.5-1.2.3.255

Return values
0: On success.
-1: On failure.

Definition at line 113 of file detect-engine-address-ipv4.c.

References ADDRESS_EB, ADDRESS_ES, ADDRESS_GE, ADDRESS_LE, DetectAddressCmpIPv4(), DetectAddressFree(), DetectAddressInit(), Address_::family, DetectAddress_::ip, DetectAddress_::ip2, SCLogDebug, and SCNtohl.

Referenced by DetectAddressHeadFree().

int DetectAddressCutNotIPv4 (DetectAddress *a, DetectAddress **b)

Cuts and returns an address range, which is the complement of the address range that is supplied as the argument.

For example:

If a = 0.0.0.0-1.2.3.4, then a = 1.2.3.4-255.255.255.255 and b = NULL

If a = 1.2.3.4-255.255.255.255, then a = 0.0.0.0-1.2.3.4 and b = NULL

If a = 1.2.3.4-192.168.1.1, then a = 0.0.0.0-1.2.3.3 and b = 192.168.1.2-255.255.255.255

Parameters
a: Pointer to an address range (DetectAddress) instance whose complement has to be returned in a and b.
b: Pointer to a DetectAddress pointer that will be supplied back with a new DetectAddress instance, if the complement demands so.

Return values
0: On success.
-1: On failure.

Definition at line 368 of file detect-engine-address-ipv4.c.

References DetectAddressInit(), Address_::family, DetectAddress_::ip, DetectAddress_::ip2, and SCNtohl.

Referenced by DetectAddressHeadFree(), and DetectAddressJoinIPv4().

void DetectAddressIPv4Tests (void)

Definition at line 1438 of file detect-engine-address-ipv4.c.

References UtRegisterTest().

Referenced by DetectAddressTests().

int DetectAddressIsCompleteIPSpaceIPv4 (DetectAddress *ag)

Check if the address group list covers the complete IPv4 IP space.

Parameters
ag: Pointer to a DetectAddress list head, which has to be checked to see if the address ranges in it cover the entire IPv4 IP space.

Return values
1: Yes, it covers the entire IPv4 address range.
0: No, it doesn't cover the entire IPv4 address range.

Definition at line 314 of file detect-engine-address-ipv4.c.

References DetectAddress_::ip, DetectAddress_::ip2, DetectAddress_::next, and SCNtohl.

Referenced by DetectAddressJoinIPv4(), and DetectAddressParseString().

int DetectAddressJoinIPv4 (DetectEngineCtx *de_ctx, DetectAddress *target, DetectAddress *source)

Extends a target address range if the source address range is wider than the target address range on either side.

Every address is a range, i.e. address->ip1....address->ip2, for example 1.2.3.4 to 192.168.1.1. If source->ip1 is smaller than target->ip1, the source's left address limit is greater (range-wise) than the target's left address limit, and hence we reassign the target's left address limit to the source's left address limit. Similarly, if source->ip2 is greater than target->ip2, the source's right address limit is greater (range-wise) than the target's right address limit, and hence we reassign the target's right address limit to the source's right address limit.

Parameters
de_ctx: Pointer to the detection engine context.
target: Pointer to the target DetectAddress instance that has to be updated.
source: Pointer to the source DetectAddress instance that is used to decide whether we extend the target's address range.

Return values
0: On success.
-1: On failure.

Definition at line 429 of file detect-engine-address-ipv4.c.

References ADDRESS_EB, ADDRESS_EQ, ADDRESS_ES, ADDRESS_GE, ADDRESS_GT, ADDRESS_LE, ADDRESS_LT, DetectAddressCmpIPv4(), DetectAddressCutNotIPv4(), DetectAddressFree(), DetectAddressInit(), DetectAddressIsCompleteIPSpaceIPv4(), DetectAddressJoinIPv4(), DetectAddress_::ip, DetectAddress_::ip2, DetectAddress_::next, and SCNtohl.

Referenced by DetectAddressJoin(), and DetectAddressJoinIPv4().
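
The join rule described for DetectAddressJoinIPv4() and the coverage check described for DetectAddressIsCompleteIPSpaceIPv4(), modelled as an added example that is not Suricata's own code. Range, ip4, range_join and range_list_is_complete are hypothetical names; addresses are assumed to be in host byte order and the list sorted ascending without overlaps.

```c
#include <stdint.h>
#include <stddef.h>

/* Simplified stand-in for DetectAddress: one inclusive IPv4 range in host
 * byte order. Hypothetical type for this example, not Suricata's struct. */
typedef struct Range_ {
    uint32_t ip1;          /* first address of the range */
    uint32_t ip2;          /* last address of the range (inclusive) */
    struct Range_ *next;   /* next range in an ascending, non-overlapping list */
} Range;

/* Build a host-order IPv4 address from its four octets. */
static uint32_t ip4(uint8_t a, uint8_t b, uint8_t c, uint8_t d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

/* Join: widen target on whichever side source extends past it.
 * Returns the number of limits that moved (0, 1 or 2); this return
 * convention is an assumption of the example. */
static int range_join(Range *target, const Range *source)
{
    int moved = 0;
    if (source->ip1 < target->ip1) { target->ip1 = source->ip1; moved++; }
    if (source->ip2 > target->ip2) { target->ip2 = source->ip2; moved++; }
    return moved;
}

/* Return 1 if the list covers 0.0.0.0-255.255.255.255 without a gap, else 0.
 * The end-of-space test runs before ip2 + 1 is computed, so the successor
 * address never wraps around to 0. */
static int range_list_is_complete(const Range *head)
{
    const Range *r;
    if (head == NULL || head->ip1 != 0)
        return 0;
    for (r = head; r != NULL; r = r->next) {
        if (r->ip2 == UINT32_MAX)
            return 1;                  /* reached the top of the space */
        if (r->next == NULL || r->next->ip1 != r->ip2 + 1)
            return 0;                  /* list ends early or has a gap */
    }
    return 0;
}
```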
