62 #include <netinet/in.h> 87 for (; i < head->
netmask / 32 || i < 1; i++) {
88 if (item->
ip[i] < head->
ip[i])
110 char *ip = NULL, *ip2 = NULL;
114 while (*str !=
'\0' && *str ==
' ')
118 strlcpy(buf, str,
sizeof(buf));
122 if (strcasecmp(str,
"any") == 0) {
124 SCLogDebug(
"adding 0.0.0.0/0 and ::/0 as we\'re handling \'any\'");
126 IPOnlyCIDRItemParseSingle(dd,
"0.0.0.0/0");
129 dd->
next = IPOnlyCIDRItemNew();
130 if (dd->
next == NULL)
133 IPOnlyCIDRItemParseSingle(dd->
next,
"::/0");
147 if ((strchr(str,
':')) == NULL) {
153 if ((mask = strchr(ip,
'/')) != NULL) {
155 ip[mask - ip] =
'\0';
157 uint32_t netmask = 0;
160 if ((strchr (mask,
'.')) == NULL) {
163 for (u = 0; u < strlen(mask); u++) {
164 if(!isdigit((
unsigned char)mask[u]))
168 int cidr = atoi(mask);
169 if (cidr < 0 || cidr > 32)
175 r = inet_pton(AF_INET, mask, &in);
182 while ((0x01 & netmask) == 0) {
184 netmask = netmask >> 1;
189 r = inet_pton(AF_INET, ip, &in);
193 dd->
ip[0] = in.s_addr;
195 }
else if ((ip2 = strchr(ip,
'-')) != NULL) {
202 uint32_t first, last;
204 r = inet_pton(AF_INET, ip, &in);
207 tmp_ip[0] = in.s_addr;
209 r = inet_pton(AF_INET, ip2, &in);
212 tmp_ip2[0] = in.s_addr;
222 dd->
ip[0] =htonl(first);
225 for (first++; first <= last; first++) {
233 new->ip[0] = htonl(first);
240 r = inet_pton(AF_INET, ip, &in);
245 dd->
ip[0] = in.s_addr;
255 if ((mask = strchr(ip,
'/')) != NULL) {
259 r = inet_pton(AF_INET6, ip, &in6);
266 memcpy(dd->
ip, &in6.s6_addr,
sizeof(ip6addr));
268 r = inet_pton(AF_INET6, ip, &in6);
272 memcpy(dd->
ip, &in6.s6_addr,
sizeof(dd->
ip));
302 if (IPOnlyCIDRItemParseSingle(gh, s) == -1) {
304 "address parsing error \"%s\"", s);
338 if (item->
netmask == head->
netmask && !IPOnlyCIDRItemCompare(head, item)) {
344 for (prev = it = head;
376 SCLogDebug(
"Head is NULL to insert item (%p)",item);
388 while (prev != NULL) {
396 head = IPOnlyCIDRItemInsertReal(head, prev);
416 if (tmphead == NULL) {
427 SCLogDebug(
"Item(%p) %"PRIu32
" removed", it, i);
445 while (tmphead != NULL) {
447 tmphead = tmphead->
next;
460 while (tmphead != NULL) {
462 SCLogDebug(
"Item %"PRIu32
" has netmask %"PRIu8
" negated:" 463 " %s; IP: %s; signum: %"PRIu32, i, tmphead->
netmask,
464 (tmphead->
negated) ?
"yes":
"no",
465 inet_ntoa(*(
struct in_addr*)&tmphead->
ip[0]),
467 tmphead = tmphead->
next;
477 static void SigNumArrayPrint(
void *tmp)
482 for (u = 0; u < sna->
size; u++) {
483 uint8_t bitarray = sna->
array[u];
488 printf(
", %"PRIu32
"", u * 8 + i);
492 bitarray = bitarray >> 1;
517 if (new->array == NULL) {
521 memset(new->array, 0, io_ctx->
max_idx / 8 + 1);
522 new->size = io_ctx->
max_idx / 8 + 1;
547 new->size = orig->
size;
550 if (new->array == NULL) {
554 memcpy(new->array, orig->
array, orig->
size);
562 static void SigNumArrayFree(
void *tmp)
569 if (sna->
array != NULL)
590 int o_set = 0, n_set = 0, d_set = 0;
592 size_t size = strlen(s);
594 const char *rule_var_address = NULL;
595 char *temp_rule_var_address = NULL;
598 head = subhead = NULL;
600 SCLogDebug(
"s %s negate %s", s, negate ?
"true" :
"false");
602 for (u = 0, x = 0; u < size && x <
sizeof(
address); u++) {
606 if (!o_set && s[u] ==
'!') {
609 }
else if (s[u] ==
'[') {
615 }
else if (s[u] ==
']') {
617 address[x - 1] =
'\0';
620 if ( (subhead = IPOnlyCIDRListParse2(de_ctx, address,
621 (negate + n_set) % 2)) == NULL)
624 head = IPOnlyCIDRItemInsert(head, subhead);
628 }
else if (depth == 0 && s[u] ==
',') {
631 }
else if (d_set == 1) {
632 address[x - 1] =
'\0';
636 if (rule_var_address == NULL)
639 if ((negate + n_set) % 2) {
640 temp_rule_var_address =
SCMalloc(strlen(rule_var_address) + 3);
641 if (
unlikely(temp_rule_var_address == NULL)) {
645 snprintf(temp_rule_var_address, strlen(rule_var_address) + 3,
646 "[%s]", rule_var_address);
648 temp_rule_var_address =
SCStrdup(rule_var_address);
649 if (
unlikely(temp_rule_var_address == NULL)) {
654 subhead = IPOnlyCIDRListParse2(de_ctx, temp_rule_var_address,
655 (negate + n_set) % 2);
656 head = IPOnlyCIDRItemInsert(head, subhead);
661 SCFree(temp_rule_var_address);
664 address[x - 1] =
'\0';
666 subhead = IPOnlyCIDRItemNew();
670 if (!((negate + n_set) % 2))
675 if (IPOnlyCIDRItemSetup(subhead, address) < 0) {
680 head = IPOnlyCIDRItemInsert(head, subhead);
685 }
else if (depth == 0 && s[u] ==
'$') {
687 }
else if (depth == 0 && u == size - 1) {
688 if (x ==
sizeof(address)) {
689 address[x - 1] =
'\0';
698 if (rule_var_address == NULL)
701 if ((negate + n_set) % 2) {
702 temp_rule_var_address =
SCMalloc(strlen(rule_var_address) + 3);
703 if (
unlikely(temp_rule_var_address == NULL)) {
706 snprintf(temp_rule_var_address, strlen(rule_var_address) + 3,
707 "[%s]", rule_var_address);
709 temp_rule_var_address =
SCStrdup(rule_var_address);
710 if (
unlikely(temp_rule_var_address == NULL)) {
714 subhead = IPOnlyCIDRListParse2(de_ctx, temp_rule_var_address,
715 (negate + n_set) % 2);
716 head = IPOnlyCIDRItemInsert(head, subhead);
720 SCFree(temp_rule_var_address);
722 subhead = IPOnlyCIDRItemNew();
726 if (!((negate + n_set) % 2))
731 if (IPOnlyCIDRItemSetup(subhead, address) < 0) {
736 head = IPOnlyCIDRItemInsert(head, subhead);
769 *gh = IPOnlyCIDRListParse2(de_ctx, str, 0);
771 SCLogDebug(
"IPOnlyCIDRListParse2 returned null");
794 Signature *s,
const char *addrstr,
char flag)
796 SCLogDebug(
"Address Group \"%s\" to be parsed now", addrstr);
801 if (strcasecmp(addrstr,
"any") == 0) {
804 if (IPOnlyCIDRListParse(de_ctx, &s->
CidrSrc, (
char *)
"0.0.0.0/0") < 0)
807 if (IPOnlyCIDRListParse(de_ctx, &tmp, (
char *)
"::/0") < 0)
812 }
else if (IPOnlyCIDRListParse(de_ctx, &s->
CidrSrc, (
char *)addrstr) < 0) {
818 if (strcasecmp(addrstr,
"any") == 0) {
821 if (IPOnlyCIDRListParse(de_ctx, &tmp, (
char *)
"0.0.0.0/0") < 0)
824 if (IPOnlyCIDRListParse(de_ctx, &s->
CidrDst, (
char *)
"::/0") < 0)
829 }
else if (IPOnlyCIDRListParse(de_ctx, &s->
CidrDst, (
char *)addrstr) < 0) {
985 void *user_data_src = NULL, *user_data_dst = NULL;
1005 src = user_data_src;
1006 dst = user_data_dst;
1008 if (src == NULL || dst == NULL)
1012 for (u = 0; u < src->
size; u++) {
1026 for (; i < 8; i++, bitarray = bitarray >> 1) {
1027 if (bitarray & 0x01) {
1045 if (p->
proto == IPPROTO_TCP || p->
proto == IPPROTO_UDP || p->
proto == IPPROTO_SCTP) {
1051 if (dport == NULL) {
1061 if (sport == NULL) {
1067 SCLogDebug(
"port-less protocol and sig needs ports");
1071 if (!IPOnlyMatchCompatSMs(tv, det_ctx, s, p)) {
1075 SCLogDebug(
"Signum %"PRIu32
" match (sid: %"PRIu32
", msg: %s)",
1076 u * 8 + i, s->
id, s->
msg);
1082 SCLogDebug(
"running match functions, sm %p", smd);
1132 for (src = (de_ctx->
io_ctx).ip_src; src != NULL; ) {
1133 if (src->
family == AF_INET) {
1143 void *user_data = NULL;
1146 (de_ctx->
io_ctx).tree_ipv4src,
1150 (de_ctx->
io_ctx).tree_ipv4src,
1152 if (user_data == NULL) {
1158 (de_ctx->
io_ctx).tree_ipv4src,
1160 if (user_data == NULL) {
1167 uint8_t tmp = 1 << (src->
signum % 8);
1178 (de_ctx->
io_ctx).tree_ipv4src, sna);
1181 (de_ctx->
io_ctx).tree_ipv4src,
1186 "src ipv4 radix tree");
1195 uint8_t tmp = 1 << (src->
signum % 8);
1206 (de_ctx->
io_ctx).tree_ipv4src, sna);
1209 (de_ctx->
io_ctx).tree_ipv4src, sna,
1216 " src ipv4 radix tree ip %s netmask %"PRIu8, tmpstr, src->
netmask);
1228 uint8_t tmp = 1 << (src->
signum % 8);
1237 }
else if (src->
family == AF_INET6) {
1240 void *user_data = NULL;
1243 (de_ctx->
io_ctx).tree_ipv6src,
1247 (de_ctx->
io_ctx).tree_ipv6src,
1250 if (user_data == NULL) {
1253 (de_ctx->
io_ctx).tree_ipv6src,
1256 if (user_data == NULL) {
1261 uint8_t tmp = 1 << (src->
signum % 8);
1272 (de_ctx->
io_ctx).tree_ipv6src, sna);
1275 (de_ctx->
io_ctx).tree_ipv6src,
1286 uint8_t tmp = 1 << (src->
signum % 8);
1296 (de_ctx->
io_ctx).tree_ipv6src, sna);
1299 (de_ctx->
io_ctx).tree_ipv6src,
1310 uint8_t tmp = 1 << (src->
signum % 8);
1327 for (dst = (de_ctx->
io_ctx).ip_dst; dst != NULL; ) {
1328 if (dst->
family == AF_INET) {
1331 SCLogDebug(
"Item has netmask %"PRIu8
" negated: %s; IP: %s; signum:" 1333 inet_ntoa(*(
struct in_addr*)&dst->
ip[0]), dst->
signum);
1335 void *user_data = NULL;
1338 (de_ctx->
io_ctx).tree_ipv4dst,
1342 (de_ctx->
io_ctx).tree_ipv4dst,
1346 if (user_data == NULL) {
1354 (de_ctx->
io_ctx).tree_ipv4dst,
1356 if (user_data == NULL) {
1363 uint8_t tmp = 1 << (dst->
signum % 8);
1373 (de_ctx->
io_ctx).tree_ipv4dst, sna);
1376 (de_ctx->
io_ctx).tree_ipv4dst,
1390 uint8_t tmp = 1 << (dst->
signum % 8);
1400 (de_ctx->
io_ctx).tree_ipv4dst, sna);
1403 (de_ctx->
io_ctx).tree_ipv4dst,
1417 uint8_t tmp = 1 << (dst->
signum % 8);
1425 }
else if (dst->
family == AF_INET6) {
1428 void *user_data = NULL;
1431 (de_ctx->
io_ctx).tree_ipv6dst,
1435 (de_ctx->
io_ctx).tree_ipv6dst,
1438 if (user_data == NULL) {
1443 (de_ctx->
io_ctx).tree_ipv6dst,
1446 if (user_data == NULL) {
1451 uint8_t tmp = 1 << (dst->
signum % 8);
1461 (de_ctx->
io_ctx).tree_ipv6dst, sna);
1464 (de_ctx->
io_ctx).tree_ipv6dst,
1476 uint8_t tmp = 1 << (dst->
signum % 8);
1486 (de_ctx->
io_ctx).tree_ipv6dst, sna);
1489 (de_ctx->
io_ctx).tree_ipv6dst,
1501 uint8_t tmp = 1 << (dst->
signum % 8);
1573 static int IPOnlyTestSig01(
void)
1579 Signature *s =
SigInit(de_ctx,
"alert tcp any any -> any any (sid:400001; rev:1;)");
1593 static int IPOnlyTestSig02 (
void)
1599 Signature *s =
SigInit(de_ctx,
"alert tcp any any -> any 80 (sid:400001; rev:1;)");
1613 static int IPOnlyTestSig03 (
void)
1625 s =
SigInit(de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (pcre and content) \"; content:\"php\"; pcre:\"/require(_once)?/i\"; classtype:misc-activity; sid:400001; rev:1;)");
1631 printf(
"got a IPOnly signature (content): ");
1637 s =
SigInit(de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (content) \"; content:\"match something\"; classtype:misc-activity; sid:400001; rev:1;)");
1643 printf(
"got a IPOnly signature (content): ");
1649 s =
SigInit(de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (uricontent) \"; uricontent:\"match something\"; classtype:misc-activity; sid:400001; rev:1;)");
1655 printf(
"got a IPOnly signature (uricontent): ");
1661 s =
SigInit(de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (pcre) \"; pcre:\"/e?idps rule[sz]/i\"; classtype:misc-activity; sid:400001; rev:1;)");
1667 printf(
"got a IPOnly signature (pcre): ");
1673 s =
SigInit(de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (flow) \"; flow:to_server; classtype:misc-activity; sid:400001; rev:1;)");
1679 printf(
"got a IPOnly signature (flow): ");
1685 s =
SigInit(de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (dsize) \"; dsize:100; classtype:misc-activity; sid:400001; rev:1;)");
1691 printf(
"got a IPOnly signature (dsize): ");
1697 s =
SigInit(de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (flowbits) \"; flowbits:unset; classtype:misc-activity; sid:400001; rev:1;)");
1703 printf(
"got a IPOnly signature (flowbits): ");
1709 s =
SigInit(de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (flowvar) \"; pcre:\"/(?<flow_var>.*)/i\"; flowvar:var,\"str\"; classtype:misc-activity; sid:400001; rev:1;)");
1715 printf(
"got a IPOnly signature (flowvar): ");
1721 s =
SigInit(de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (pktvar) \"; pcre:\"/(?<pkt_var>.*)/i\"; pktvar:var,\"str\"; classtype:misc-activity; sid:400001; rev:1;)");
1727 printf(
"got a IPOnly signature (pktvar): ");
1741 static int IPOnlyTestSig04 (
void)
1748 new = IPOnlyCIDRItemNew();
1751 head = IPOnlyCIDRItemInsert(head,
new);
1753 new = IPOnlyCIDRItemNew();
1756 head = IPOnlyCIDRItemInsert(head,
new);
1758 new = IPOnlyCIDRItemNew();
1761 head = IPOnlyCIDRItemInsert(head,
new);
1763 new = IPOnlyCIDRItemNew();
1766 head = IPOnlyCIDRItemInsert(head,
new);
1768 new = IPOnlyCIDRItemNew();
1771 head = IPOnlyCIDRItemInsert(head,
new);
1773 IPOnlyCIDRListPrint(head);
1775 if (new->netmask != 9) {
1780 if (new->netmask != 10) {
1785 if (new->netmask != 10) {
1790 if (new->netmask != 10) {
1795 if (new->netmask != 11) {
1809 static int IPOnlyTestSig05(
void)
1812 uint8_t *buf = (uint8_t *)
"Hi all!";
1813 uint16_t buflen = strlen((
char *)buf);
1815 uint8_t numpkts = 1;
1816 uint8_t numsigs = 7;
1822 const char *sigs[numsigs];
1823 sigs[0]=
"alert tcp 192.168.1.5 any -> any any (msg:\"Testing src ip (sid 1)\"; sid:1;)";
1824 sigs[1]=
"alert tcp any any -> 192.168.1.1 any (msg:\"Testing dst ip (sid 2)\"; sid:2;)";
1825 sigs[2]=
"alert tcp 192.168.1.5 any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 3)\"; sid:3;)";
1826 sigs[3]=
"alert tcp 192.168.1.5 any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
1827 sigs[4]=
"alert tcp 192.168.1.0/24 any -> any any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
1828 sigs[5]=
"alert tcp any any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
1829 sigs[6]=
"alert tcp 192.168.1.0/24 any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 7)\"; content:\"Hi all\";sid:7;)";
1832 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
1833 uint32_t results[7] = { 1, 1, 1, 1, 1, 1, 1};
1835 result =
UTHGenericTest(p, numpkts, sigs, sid, (uint32_t *) results, numsigs);
1846 static int IPOnlyTestSig06(
void)
1849 uint8_t *buf = (uint8_t *)
"Hi all!";
1850 uint16_t buflen = strlen((
char *)buf);
1852 uint8_t numpkts = 1;
1853 uint8_t numsigs = 7;
1857 p[0] =
UTHBuildPacketSrcDst((uint8_t *)buf, buflen, IPPROTO_TCP,
"80.58.0.33",
"195.235.113.3");
1859 const char *sigs[numsigs];
1860 sigs[0]=
"alert tcp 192.168.1.5 any -> any any (msg:\"Testing src ip (sid 1)\"; sid:1;)";
1861 sigs[1]=
"alert tcp any any -> 192.168.1.1 any (msg:\"Testing dst ip (sid 2)\"; sid:2;)";
1862 sigs[2]=
"alert tcp 192.168.1.5 any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 3)\"; sid:3;)";
1863 sigs[3]=
"alert tcp 192.168.1.5 any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
1864 sigs[4]=
"alert tcp 192.168.1.0/24 any -> any any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
1865 sigs[5]=
"alert tcp any any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
1866 sigs[6]=
"alert tcp 192.168.1.0/24 any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 7)\"; content:\"Hi all\";sid:7;)";
1869 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
1870 uint32_t results[7] = { 0, 0, 0, 0, 0, 0, 0};
1872 result =
UTHGenericTest(p, numpkts, sigs, sid, (uint32_t *) results, numsigs);
1887 static int IPOnlyTestSig07(
void)
1890 uint8_t *buf = (uint8_t *)
"Hi all!";
1891 uint16_t buflen = strlen((
char *)buf);
1893 uint8_t numpkts = 1;
1894 uint8_t numsigs = 7;
1900 char *sigs[numsigs];
1901 sigs[0]=
"alert tcp 192.168.1.5 any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 1)\"; sid:1;)";
1902 sigs[1]=
"alert tcp [192.168.1.2,192.168.1.5,192.168.1.4] any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 2)\"; sid:2;)";
1903 sigs[2]=
"alert tcp [192.168.1.0/24,!192.168.1.1] any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 3)\"; sid:3;)";
1904 sigs[3]=
"alert tcp [192.0.0.0/8,!192.168.0.0/16,192.168.1.0/24,!192.168.1.1] any -> [192.168.1.0/24,!192.168.1.5] any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
1905 sigs[4]=
"alert tcp any any -> any any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
1906 sigs[5]=
"alert tcp any any -> [192.168.0.0/16,!192.168.1.0/24,192.168.1.1] any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
1907 sigs[6]=
"alert tcp [78.129.202.0/24,192.168.1.5,78.129.205.64,78.129.214.103,78.129.223.19,78.129.233.17,78.137.168.33,78.140.132.11,78.140.133.15,78.140.138.105,78.140.139.105,78.140.141.107,78.140.141.114,78.140.143.103,78.140.143.13,78.140.145.144,78.140.170.164,78.140.23.18,78.143.16.7,78.143.46.124,78.157.129.71] any -> 192.168.1.1 any (msg:\"ET RBN Known Russian Business Network IP TCP - BLOCKING (246)\"; sid:7;)";
1910 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
1911 uint32_t results[7] = { 1, 1, 1, 1, 1, 1, 1};
1913 result =
UTHGenericTest(p, numpkts, sigs, sid, (uint32_t *) results, numsigs);
1925 static int IPOnlyTestSig08(
void)
1928 uint8_t *buf = (uint8_t *)
"Hi all!";
1929 uint16_t buflen = strlen((
char *)buf);
1931 uint8_t numpkts = 1;
1932 uint8_t numsigs = 7;
1938 const char *sigs[numsigs];
1939 sigs[0]=
"alert tcp 192.168.1.5 any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 1)\"; sid:1;)";
1940 sigs[1]=
"alert tcp [192.168.1.2,192.168.1.5,192.168.1.4] any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 2)\"; sid:2;)";
1941 sigs[2]=
"alert tcp [192.168.1.0/24,!192.168.1.1] any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 3)\"; sid:3;)";
1942 sigs[3]=
"alert tcp [192.0.0.0/8,!192.168.0.0/16,192.168.1.0/24,!192.168.1.1] any -> [192.168.1.0/24,!192.168.1.5] any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
1943 sigs[4]=
"alert tcp any any -> !192.168.1.5 any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
1944 sigs[5]=
"alert tcp any any -> [192.168.0.0/16,!192.168.1.0/24,192.168.1.1] any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
1945 sigs[6]=
"alert tcp [78.129.202.0/24,192.168.1.5,78.129.205.64,78.129.214.103,78.129.223.19,78.129.233.17,78.137.168.33,78.140.132.11,78.140.133.15,78.140.138.105,78.140.139.105,78.140.141.107,78.140.141.114,78.140.143.103,78.140.143.13,78.140.145.144,78.140.170.164,78.140.23.18,78.143.16.7,78.143.46.124,78.157.129.71] any -> 192.168.1.1 any (msg:\"ET RBN Known Russian Business Network IP TCP - BLOCKING (246)\"; sid:7;)";
1948 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
1949 uint32_t results[7] = { 0, 0, 0, 0, 0, 0, 0};
1951 result =
UTHGenericTest(p, numpkts, sigs, sid, (uint32_t *) results, numsigs);
1962 static int IPOnlyTestSig09(
void)
1965 uint8_t *buf = (uint8_t *)
"Hi all!";
1966 uint16_t buflen = strlen((
char *)buf);
1968 uint8_t numpkts = 1;
1969 uint8_t numsigs = 7;
1973 p[0] =
UTHBuildPacketIPV6SrcDst((uint8_t *)buf, buflen, IPPROTO_TCP,
"3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565",
"3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562");
1975 const char *sigs[numsigs];
1976 sigs[0]=
"alert tcp 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565 any -> any any (msg:\"Testing src ip (sid 1)\"; sid:1;)";
1977 sigs[1]=
"alert tcp any any -> 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562 any (msg:\"Testing dst ip (sid 2)\"; sid:2;)";
1978 sigs[2]=
"alert tcp 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565 any -> 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562 any (msg:\"Testing src/dst ip (sid 3)\"; sid:3;)";
1979 sigs[3]=
"alert tcp 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565 any -> 3FFE:FFFF:7654:FEDA:1245:BA98:3210:0/96 any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
1980 sigs[4]=
"alert tcp 3FFE:FFFF:7654:FEDA:0:0:0:0/64 any -> any any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
1981 sigs[5]=
"alert tcp any any -> 3FFE:FFFF:7654:FEDA:0:0:0:0/64 any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
1982 sigs[6]=
"alert tcp 3FFE:FFFF:7654:FEDA:0:0:0:0/64 any -> 3FFE:FFFF:7654:FEDA:0:0:0:0/64 any (msg:\"Testing src/dst ip (sid 7)\"; content:\"Hi all\";sid:7;)";
1985 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
1986 uint32_t results[7] = { 1, 1, 1, 1, 1, 1, 1};
1988 result =
UTHGenericTest(p, numpkts, sigs, sid, (uint32_t *) results, numsigs);
1999 static int IPOnlyTestSig10(
void)
2002 uint8_t *buf = (uint8_t *)
"Hi all!";
2003 uint16_t buflen = strlen((
char *)buf);
2005 uint8_t numpkts = 1;
2006 uint8_t numsigs = 7;
2010 p[0] =
UTHBuildPacketIPV6SrcDst((uint8_t *)buf, buflen, IPPROTO_TCP,
"3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562",
"3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565");
2012 const char *sigs[numsigs];
2013 sigs[0]=
"alert tcp 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565 any -> any any (msg:\"Testing src ip (sid 1)\"; sid:1;)";
2014 sigs[1]=
"alert tcp any any -> 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562 any (msg:\"Testing dst ip (sid 2)\"; sid:2;)";
2015 sigs[2]=
"alert tcp 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565 any -> 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562 any (msg:\"Testing src/dst ip (sid 3)\"; sid:3;)";
2016 sigs[3]=
"alert tcp 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565 any -> !3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562/96 any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
2017 sigs[4]=
"alert tcp !3FFE:FFFF:7654:FEDA:0:0:0:0/64 any -> any any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
2018 sigs[5]=
"alert tcp any any -> !3FFE:FFFF:7654:FEDA:0:0:0:0/64 any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
2019 sigs[6]=
"alert tcp 3FFE:FFFF:7654:FEDA:0:0:0:0/64 any -> 3FFE:FFFF:7654:FEDB:0:0:0:0/64 any (msg:\"Testing src/dst ip (sid 7)\"; content:\"Hi all\";sid:7;)";
2022 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
2023 uint32_t results[7] = { 0, 0, 0, 0, 0, 0, 0};
2025 result =
UTHGenericTest(p, numpkts, sigs, sid, (uint32_t *) results, numsigs);
2040 static int IPOnlyTestSig11(
void)
2043 uint8_t *buf = (uint8_t *)
"Hi all!";
2044 uint16_t buflen = strlen((
char *)buf);
2046 uint8_t numpkts = 2;
2047 uint8_t numsigs = 7;
2051 p[0] =
UTHBuildPacketIPV6SrcDst((uint8_t *)buf, buflen, IPPROTO_TCP,
"3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565",
"3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562");
2054 char *sigs[numsigs];
2055 sigs[0]=
"alert tcp 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565,192.168.1.1 any -> 3FFE:FFFF:7654:FEDA:0:0:0:0/64,192.168.1.5 any (msg:\"Testing src/dst ip (sid 1)\"; sid:1;)";
2056 sigs[1]=
"alert tcp [192.168.1.1,3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565,192.168.1.4,192.168.1.5,!192.168.1.0/24] any -> [3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.0/24] any (msg:\"Testing src/dst ip (sid 2)\"; sid:2;)";
2057 sigs[2]=
"alert tcp [3FFE:FFFF:7654:FEDA:0:0:0:0/64,!3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.1] any -> [3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.5] any (msg:\"Testing src/dst ip (sid 3)\"; sid:3;)";
2058 sigs[3]=
"alert tcp [3FFE:FFFF:0:0:0:0:0:0/32,!3FFE:FFFF:7654:FEDA:0:0:0:0/64,3FFE:FFFF:7654:FEDA:0:0:0:0/64,!3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.1] any -> [3FFE:FFFF:7654:FEDA:0:0:0:0/64,192.168.1.0/24,!3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565] any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
2059 sigs[4]=
"alert tcp any any -> any any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
2060 sigs[5]=
"alert tcp any any -> [3FFE:FFFF:7654:FEDA:0:0:0:0/64,!3FFE:FFFF:7654:FEDA:0:0:0:0/64,3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.5] any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
2061 sigs[6]=
"alert tcp [78.129.202.0/24,3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565,192.168.1.1,78.129.205.64,78.129.214.103,78.129.223.19,78.129.233.17,78.137.168.33,78.140.132.11,78.140.133.15,78.140.138.105,78.140.139.105,78.140.141.107,78.140.141.114,78.140.143.103,78.140.143.13,78.140.145.144,78.140.170.164,78.140.23.18,78.143.16.7,78.143.46.124,78.157.129.71] any -> [3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.0.0.0/8] any (msg:\"ET RBN Known Russian Business Network IP TCP - BLOCKING (246)\"; sid:7;)";
2064 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
2065 uint32_t results[2][7] = {{ 1, 1, 1, 1, 1, 1, 1}, { 1, 1, 1, 1, 1, 1, 1}};
2067 result =
UTHGenericTest(p, numpkts, sigs, sid, (uint32_t *) results, numsigs);
2079 static int IPOnlyTestSig12(
void)
2082 uint8_t *buf = (uint8_t *)
"Hi all!";
2083 uint16_t buflen = strlen((
char *)buf);
2085 uint8_t numpkts = 2;
2086 uint8_t numsigs = 7;
2090 p[0] =
UTHBuildPacketIPV6SrcDst((uint8_t *)buf, buflen, IPPROTO_TCP,
"3FBE:FFFF:7654:FEDA:1245:BA98:3210:4562",
"3FBE:FFFF:7654:FEDA:1245:BA98:3210:4565");
2093 const char *sigs[numsigs];
2094 sigs[0]=
"alert tcp 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565,192.168.1.1 any -> 3FFE:FFFF:7654:FEDA:0:0:0:0/64,192.168.1.5 any (msg:\"Testing src/dst ip (sid 1)\"; sid:1;)";
2095 sigs[1]=
"alert tcp [192.168.1.1,3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565,192.168.1.4,192.168.1.5,!192.168.1.0/24] any -> [3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.0/24] any (msg:\"Testing src/dst ip (sid 2)\"; sid:2;)";
2096 sigs[2]=
"alert tcp [3FFE:FFFF:7654:FEDA:0:0:0:0/64,!3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.1] any -> [3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.5] any (msg:\"Testing src/dst ip (sid 3)\"; sid:3;)";
2097 sigs[3]=
"alert tcp [3FFE:FFFF:0:0:0:0:0:0/32,!3FFE:FFFF:7654:FEDA:0:0:0:0/64,3FFE:FFFF:7654:FEDA:0:0:0:0/64,!3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.1] any -> [3FFE:FFFF:7654:FEDA:0:0:0:0/64,192.168.1.0/24,!3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565] any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
2098 sigs[4]=
"alert tcp any any -> [!3FBE:FFFF:7654:FEDA:1245:BA98:3210:4565,!80.198.1.5] any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
2099 sigs[5]=
"alert tcp any any -> [3FFE:FFFF:7654:FEDA:0:0:0:0/64,!3FFE:FFFF:7654:FEDA:0:0:0:0/64,3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.5] any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
2100 sigs[6]=
"alert tcp [78.129.202.0/24,3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565,192.168.1.1,78.129.205.64,78.129.214.103,78.129.223.19,78.129.233.17,78.137.168.33,78.140.132.11,78.140.133.15,78.140.138.105,78.140.139.105,78.140.141.107,78.140.141.114,78.140.143.103,78.140.143.13,78.140.145.144,78.140.170.164,78.140.23.18,78.143.16.7,78.143.46.124,78.157.129.71] any -> [3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.0.0.0/8] any (msg:\"ET RBN Known Russian Business Network IP TCP - BLOCKING (246)\"; sid:7;)";
2103 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
2104 uint32_t results[2][7] = {{ 0, 0, 0, 0, 0, 0, 0}, {0, 0, 0, 0, 0, 0, 0}};
2106 result =
UTHGenericTest(p, numpkts, sigs, sid, (uint32_t *) results, numsigs);
2113 static int IPOnlyTestSig13(
void)
2120 "alert tcp any any -> any any (msg:\"Test flowbits ip only\"; " 2121 "flowbits:set,myflow1; sid:1; rev:1;)");
2130 static int IPOnlyTestSig14(
void)
2137 "alert tcp any any -> any any (msg:\"Test flowbits ip only\"; " 2138 "flowbits:set,myflow1; flowbits:isset,myflow2; sid:1; rev:1;)");
2147 static int IPOnlyTestSig15(
void)
2150 uint8_t *buf = (uint8_t *)
"Hi all!";
2151 uint16_t buflen = strlen((
char *)buf);
2153 uint8_t numpkts = 1;
2154 uint8_t numsigs = 7;
2159 memset(&f, 0,
sizeof(
Flow));
2170 const char *sigs[numsigs];
2171 sigs[0]=
"alert tcp 192.168.1.5 any -> any any (msg:\"Testing src ip (sid 1)\"; " 2172 "flowbits:set,one; sid:1;)";
2173 sigs[1]=
"alert tcp any any -> 192.168.1.1 any (msg:\"Testing dst ip (sid 2)\"; " 2174 "flowbits:set,two; sid:2;)";
2175 sigs[2]=
"alert tcp 192.168.1.5 any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 3)\"; " 2176 "flowbits:set,three; sid:3;)";
2177 sigs[3]=
"alert tcp 192.168.1.5 any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 4)\"; " 2178 "flowbits:set,four; sid:4;)";
2179 sigs[4]=
"alert tcp 192.168.1.0/24 any -> any any (msg:\"Testing src/dst ip (sid 5)\"; " 2180 "flowbits:set,five; sid:5;)";
2181 sigs[5]=
"alert tcp any any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 6)\"; " 2182 "flowbits:set,six; sid:6;)";
2183 sigs[6]=
"alert tcp 192.168.1.0/24 any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 7)\"; " 2184 "flowbits:set,seven; content:\"Hi all\"; sid:7;)";
2187 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
2188 uint32_t results[7] = { 1, 1, 1, 1, 1, 1, 1};
2190 result =
UTHGenericTest(p, numpkts, sigs, sid, (uint32_t *) results, numsigs);
2201 static int IPOnlyTestSig16(
void)
2204 uint8_t *buf = (uint8_t *)
"Hi all!";
2205 uint16_t buflen = strlen((
char *)buf);
2207 uint8_t numpkts = 1;
2208 uint8_t numsigs = 2;
2214 const char *sigs[numsigs];
2215 sigs[0]=
"alert tcp !100.100.0.1 any -> any any (msg:\"Testing src ip (sid 1)\"; sid:1;)";
2216 sigs[1]=
"alert tcp any any -> !50.0.0.1 any (msg:\"Testing dst ip (sid 2)\"; sid:2;)";
2219 uint32_t sid[2] = { 1, 2};
2220 uint32_t results[2] = { 1, 1};
2222 result =
UTHGenericTest(p, numpkts, sigs, sid, (uint32_t *) results, numsigs);
2232 static int IPOnlyTestSig17(
void)
2235 uint8_t *buf = (uint8_t *)
"Hi all!";
2236 uint16_t buflen = strlen((
char *)buf);
2238 uint8_t numpkts = 1;
2239 uint8_t numsigs = 2;
2245 const char *sigs[numsigs];
2246 sigs[0]=
"alert ip 100.100.0.0 80 -> any any (msg:\"Testing src ip (sid 1)\"; sid:1;)";
2247 sigs[1]=
"alert ip any any -> 50.0.0.0 123 (msg:\"Testing dst ip (sid 2)\"; sid:2;)";
2249 uint32_t sid[2] = { 1, 2};
2250 uint32_t results[2] = { 0, 0};
2252 result =
UTHGenericTest(p, numpkts, sigs, sid, (uint32_t *) results, numsigs);
#define GET_IPV4_SRC_ADDR_U32(p)
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
SCRadixTree * tree_ipv6src
#define DETECT_PROTO_IPV6
void IPOnlyAddSignature(DetectEngineCtx *de_ctx, DetectEngineIPOnlyCtx *io_ctx, Signature *s)
Add a signature to the lists of addresses in CIDR format (sorted); this step is necessary to build the ...
#define KEYWORD_PROFILING_END(ctx, type, m)
const char * SCRuleVarsGetConfVar(const DetectEngineCtx *de_ctx, const char *conf_var_name, SCRuleVarsType conf_vars_type)
struct HtpBodyChunk_ * next
size_t strlcpy(char *dst, const char *src, size_t siz)
#define KEYWORD_PROFILING_SET_LIST(ctx, list)
uint8_t * sig_match_array
#define PASS
Pass the test.
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
#define GET_IPV4_DST_ADDR_U32(p)
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
SCRadixNode * SCRadixFindKeyIPV4ExactMatch(uint8_t *key_stream, SCRadixTree *tree, void **user_data_result)
Checks if an IPV4 address is present in the tree.
SCRadixNode * SCRadixFindKeyIPV6BestMatch(uint8_t *key_stream, SCRadixTree *tree, void **user_data_result)
Checks if an IPV6 address is present in the tree under a netblock.
SCRadixTree * SCRadixCreateRadixTree(void(*Free)(void *), void(*PrintData)(void *))
Creates a new Radix tree.
#define PACKET_ALERT_FLAG_DROP_FLOW
int IPOnlySigParseAddress(const DetectEngineCtx *de_ctx, Signature *s, const char *addrstr, char flag)
Parses an address group sent as a character string and updates the IPOnlyCIDRItem lists src and dst o...
void IPOnlyMatchPacket(ThreadVars *tv, const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineIPOnlyCtx *io_ctx, DetectEngineIPOnlyThreadCtx *io_tctx, Packet *p)
Match a packet against the IP Only detection engine contexts.
void IPOnlyPrepare(DetectEngineCtx *de_ctx)
Build the radix trees from the lists of parsed addresses in CIDR format; the result should be 4 radix t...
main detection engine ctx
void IPOnlyDeinit(DetectEngineCtx *de_ctx, DetectEngineIPOnlyCtx *io_ctx)
Deinitialize the IP Only detection engine context.
SCRadixNode * SCRadixAddKeyIPV4Netblock(uint8_t *key_stream, SCRadixTree *tree, void *user, uint8_t netmask)
Adds a new IPV4 netblock to the Radix tree.
#define KEYWORD_PROFILING_START
void SCRadixReleaseRadixTree(SCRadixTree *tree)
Frees a Radix tree and all its nodes.
#define DetectEngineGetMaxSigId(de_ctx)
SCRadixTree * tree_ipv6dst
void DetectEngineIPOnlyThreadInit(DetectEngineCtx *de_ctx, DetectEngineIPOnlyThreadCtx *io_tctx)
Setup the IP Only thread detection engine context.
#define GET_IPV6_DST_ADDR(p)
DetectPort * DetectPortLookupGroup(DetectPort *dp, uint16_t port)
Function that finds the group matching address in a group head.
SCRadixNode * SCRadixFindKeyIPV6Netblock(uint8_t *key_stream, SCRadixTree *tree, uint8_t netmask, void **user_data_result)
Checks if an IPV6 Netblock address is present in the tree.
SCRadixNode * SCRadixAddKeyIPV4(uint8_t *key_stream, SCRadixTree *tree, void *user)
Adds a new IPV4 address to the Radix tree.
SCRadixTree * tree_ipv4src
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
void SigFree(Signature *)
void IPOnlyCIDRListFree(IPOnlyCIDRItem *tmphead)
This function frees an IPOnlyCIDRItem list.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that builds packets with default IP and port fields.
Structure for the node in the radix tree.
SigMatchData * sm_arrays[DETECT_SM_LIST_MAX]
#define FLOW_PKT_TOSERVER
void DetectSignatureApplyActions(Packet *p, const Signature *s, const uint8_t alert_flags)
Apply action(s) and Set 'drop' sig info, if applicable.
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
const char * PrintInet(int af, const void *src, char *dst, socklen_t size)
void DetectEngineIPOnlyThreadDeinit(DetectEngineIPOnlyThreadCtx *io_tctx)
Deinitialize the IP Only thread detection engine context.
void IPOnlyRegisterTests(void)
DetectEngineIPOnlyCtx io_ctx
#define DETECT_PROTO_IPV4
SCRadixNode * SCRadixFindKeyIPV4Netblock(uint8_t *key_stream, SCRadixTree *tree, uint8_t netmask, void **user_data_result)
Checks if an IPV4 Netblock address is present in the tree.
SCRadixNode * SCRadixFindKeyIPV4BestMatch(uint8_t *key_stream, SCRadixTree *tree, void **user_data_result)
Checks if an IPV4 address is present in the tree under a netblock.
IP only rules matching ctx.
#define GET_IPV6_SRC_ADDR(p)
struct IPOnlyCIDRItem_ * next
void IPOnlyPrint(DetectEngineCtx *de_ctx, DetectEngineIPOnlyCtx *io_ctx)
Print stats of the IP Only engine.
int SignatureIsIPOnly(DetectEngineCtx *de_ctx, const Signature *s)
Test if an initialized signature is IP only.
int UTHGenericTest(Packet **pkt, int numpkts, const char *sigs[], uint32_t sids[], uint32_t *results, int numsigs)
UTHGenericTest: function that performs a generic check, taking care of as many common unittest elemen...
SCRadixNode * SCRadixFindKeyIPV6ExactMatch(uint8_t *key_stream, SCRadixTree *tree, void **user_data_result)
Checks if an IPV6 address is present in the tree.
SCRadixTree * tree_ipv4dst
#define FLOW_INITIALIZE(f)
#define IP_GET_IPPROTO(p)
#define SCReturnPtr(x, type)
int PacketAlertAppend(DetectEngineThreadCtx *det_ctx, const Signature *s, Packet *p, uint64_t tx_id, uint8_t flags)
append a signature match to a packet
#define SIGMATCH_IPONLY_COMPAT
SCRadixNode * SCRadixAddKeyIPV6Netblock(uint8_t *key_stream, SCRadixTree *tree, void *user, uint8_t netmask)
Adds a new IPV6 netblock to the Radix tree.
void IPOnlyInit(DetectEngineCtx *de_ctx, DetectEngineIPOnlyCtx *io_ctx)
Setup the IP Only detection engine context.
SCRadixNode * SCRadixAddKeyIPV6(uint8_t *key_stream, SCRadixTree *tree, void *user)
Adds a new IPV6 address to the Radix tree.
Per thread variable structure.
Packet * UTHBuildPacketIPV6SrcDst(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, const char *src, const char *dst)
UTHBuildPacketSrcDst is a wrapper that builds packets specifying IPs and defaulting ports (IPV6) ...
Packet * UTHBuildPacketSrcDst(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, const char *src, const char *dst)
UTHBuildPacketSrcDst is a wrapper that builds packets specifying IPs and defaulting ports...
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx.
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself...
int DetectProtoContainsProto(const DetectProto *dp, int proto)
see if a DetectProto contains a certain proto
Port structure for detection engine.
DetectEngineCtx * DetectEngineCtxInit(void)
#define DEBUG_VALIDATE_BUG_ON(exp)