Go to the documentation of this file.
41 #define PARSE_REGEX "^(\\s*only\\s*)|\\s*([0-9]+)\\s*,\\s*([0-9]+)\\s*$"
47 static void DetectFastPatternRegisterTests(
void);
81 if (list_id == tmp->list_id) {
90 if (priority < tmp->priority)
101 new->list_id = list_id;
102 new->priority = priority;
112 new->list_id = list_id;
113 new->priority = priority;
133 Add(&g_fp_support_smlist_list, list_id, priority);
215 int ret = 0,
res = 0;
217 char arg_substr[128] =
"";
222 if (pm1 == NULL && pm2 == NULL) {
224 "the rule, without a content context. Please use a "
225 "content based keyword before using fast_pattern");
235 }
else if (pm1 && !pm2) {
250 "used with negated content, along with relative modifiers");
254 if (arg == NULL|| strcmp(arg,
"") == 0) {
257 "options for the same content");
261 uint32_t list_id = 0;
269 "can be used on only one content in a rule");
292 "used with negated content or with any of the relative "
293 "modifiers like distance, within, offset, depth");
299 }
else if (ret == 4) {
300 pcre2len =
sizeof(arg_substr);
301 res = pcre2_substring_copy_bynumber(
302 parse_regex.
match, 2, (PCRE2_UCHAR8 *)arg_substr, &pcre2len);
305 "for fast_pattern offset");
310 (
const char *)arg_substr) < 0) {
312 " \"%s\"", arg_substr);
316 pcre2len =
sizeof(arg_substr);
317 res = pcre2_substring_copy_bynumber(
318 parse_regex.
match, 3, (PCRE2_UCHAR8 *)arg_substr, &pcre2len);
321 "for fast_pattern offset");
326 (
const char *)arg_substr) < 0) {
328 "pattern: \"%s\"", arg_substr);
333 if (
offset > (65535 - length)) {
335 "exceeds limit pattern length limit");
341 "offset (%u)) exceeds pattern length (%u)",
352 ", string %s", ret, arg);
367 static int DetectFastPatternStickySingle(
const char *sticky,
const int list)
372 snprintf(
string,
sizeof(
string),
373 "alert tcp any any -> any any "
374 "(%s%scontent:\"one\"; fast_pattern; sid:1;)",
375 sticky ? sticky :
"", sticky ?
"; " :
" ");
388 static int DetectFastPatternModifierSingle(
const char *sticky,
const int list)
393 snprintf(
string,
sizeof(
string),
394 "alert tcp any any -> any any "
395 "(content:\"one\"; %s%sfast_pattern; sid:1;)",
396 sticky ? sticky :
"", sticky ?
"; " :
" ");
409 static int DetectFastPatternStickySingleNoFP(
const char *sticky,
const int list)
414 snprintf(
string,
sizeof(
string),
415 "alert tcp any any -> any any "
416 "(%s%scontent:\"one\"; sid:1;)",
417 sticky ? sticky :
"", sticky ?
"; " :
" ");
430 static int DetectFastPatternModifierSingleNoFP(
const char *sticky,
const int list)
435 snprintf(
string,
sizeof(
string),
436 "alert tcp any any -> any any "
437 "(content:\"one\"; %s%ssid:1;)",
438 sticky ? sticky :
"", sticky ?
"; " :
" ");
451 static int DetectFastPatternStickySingleBadArg(
const char *sticky)
457 snprintf(
string,
sizeof(
string),
458 "alert tcp any any -> any any "
459 "(%s%scontent:\"one\"; fast_pattern:boo; sid:1;)",
460 sticky ? sticky :
"", sticky ?
"; " :
" ");
464 snprintf(
string,
sizeof(
string),
465 "alert tcp any any -> any any "
466 "(%s%scontent:\"one\"; fast_pattern:only; content:\"two\"; distance:10; sid:1;)",
467 sticky ? sticky :
"", sticky ?
"; " :
" ");
471 snprintf(
string,
sizeof(
string),
472 "alert tcp any any -> any any "
473 "(%s%scontent:\"one\"; content:\"two\"; fast_pattern:only; distance:10; sid:1;)",
474 sticky ? sticky :
"", sticky ?
"; " :
" ");
478 snprintf(
string,
sizeof(
string),
479 "alert tcp any any -> any any "
480 "(%s%scontent:\"one\"; content:\"two\"; distance:10; fast_pattern:only; sid:1;)",
481 sticky ? sticky :
"", sticky ?
"; " :
" ");
485 snprintf(
string,
sizeof(
string),
486 "alert tcp any any -> any any "
487 "(%s%scontent:\"one\"; fast_pattern:5,6; sid:1;)",
488 sticky ? sticky :
"", sticky ?
"; " :
" ");
495 static int DetectFastPatternModifierBadRules(
const char *sticky)
501 snprintf(
string,
sizeof(
string),
502 "alert tcp any any -> any any "
503 "(content:\"one\"; %s%sfast_pattern:boo; sid:1;)",
504 sticky ? sticky :
"", sticky ?
"; " :
" ");
508 snprintf(
string,
sizeof(
string),
509 "alert tcp any any -> any any "
510 "(content:\"one\"; %s%sfast_pattern:only; content:\"two\"; %s%sdistance:10; sid:1;)",
511 sticky ? sticky :
"", sticky ?
"; " :
" ", sticky ? sticky :
"", sticky ?
"; " :
" ");
516 snprintf(
string,
sizeof(
string),
"alert tcp any any -> any any "
517 "(content:\"one\"; %s%s content:\"two\"; %s%sdistance:10; fast_pattern:only; sid:1;)",
518 sticky ? sticky :
"", sticky ?
"; " :
" ", sticky ? sticky :
"", sticky ?
"; " :
" ");
523 snprintf(
string,
sizeof(
string),
524 "alert tcp any any -> any any "
525 "(content:\"one\"; %s%sfast_pattern:only; content:\"two\"; %s%swithin:10; sid:1;)",
526 sticky ? sticky :
"", sticky ?
"; " :
" ", sticky ? sticky :
"", sticky ?
"; " :
" ");
530 snprintf(
string,
sizeof(
string),
531 "alert tcp any any -> any any "
532 "(content:\"one\"; %s%s content:\"two\"; %s%swithin:10; fast_pattern:only; sid:1;)",
533 sticky ? sticky :
"", sticky ?
"; " :
" ", sticky ? sticky :
"", sticky ?
"; " :
" ");
537 snprintf(
string,
sizeof(
string),
538 "alert tcp any any -> any any "
539 "(content:\"one\"; %s%sfast_pattern:only; offset:10; sid:1;)",
540 sticky ? sticky :
"", sticky ?
"; " :
" ");
544 snprintf(
string,
sizeof(
string),
545 "alert tcp any any -> any any "
546 "(content:\"one\"; %s%s offset:10; fast_pattern:only; sid:1;)",
547 sticky ? sticky :
"", sticky ?
"; " :
" ");
551 snprintf(
string,
sizeof(
string),
552 "alert tcp any any -> any any "
553 "(content:\"one\"; %s%sfast_pattern:only; depth:10; sid:1;)",
554 sticky ? sticky :
"", sticky ?
"; " :
" ");
558 snprintf(
string,
sizeof(
string),
559 "alert tcp any any -> any any "
560 "(content:\"one\"; %s%s depth:10; fast_pattern:only; sid:1;)",
561 sticky ? sticky :
"", sticky ?
"; " :
" ");
565 snprintf(
string,
sizeof(
string),
566 "alert tcp any any -> any any "
567 "(content:\"one\"; %s%s content:!\"two\"; %s%sfast_pattern:only; sid:1;)",
568 sticky ? sticky :
"", sticky ?
"; " :
" ", sticky ? sticky :
"", sticky ?
"; " :
" ");
572 snprintf(
string,
sizeof(
string),
573 "alert tcp any any -> any any "
574 "(content:\"one\"; %s%sfast_pattern:5,6; sid:1;)",
575 sticky ? sticky :
"", sticky ?
"; " :
" ");
579 snprintf(
string,
sizeof(
string),
580 "alert tcp any any -> any any "
581 "(content:\"one\"; %s%sfast_pattern:65977,2; sid:1;)",
582 sticky ? sticky :
"", sticky ?
"; " :
" ");
586 snprintf(
string,
sizeof(
string),
587 "alert tcp any any -> any any "
588 "(content:\"one\"; %s%sfast_pattern:2,65977; sid:1;)",
589 sticky ? sticky :
"", sticky ?
"; " :
" ");
593 snprintf(
string,
sizeof(
string),
594 "alert tcp any any -> any any "
595 "(content:\"one\"; %s%sfast_pattern:2,65534; sid:1;)",
596 sticky ? sticky :
"", sticky ?
"; " :
" ");
600 snprintf(
string,
sizeof(
string),
601 "alert tcp any any -> any any "
602 "(content:\"one\"; %s%sfast_pattern:65534,2; sid:1;)",
603 sticky ? sticky :
"", sticky ?
"; " :
" ");
607 snprintf(
string,
sizeof(
string),
608 "alert tcp any any -> any any "
609 "(content:\"one\"; %s%scontent:!\"two\"; fast_pattern:1,2; %s%sdistance:10; sid:1;)",
610 sticky ? sticky :
"", sticky ?
"; " :
" ", sticky ? sticky :
"", sticky ?
"; " :
" ");
614 snprintf(
string,
sizeof(
string),
615 "alert tcp any any -> any any "
616 "(content:\"one\"; %s%scontent:!\"two\"; fast_pattern:1,2; %s%swithin:10; sid:1;)",
617 sticky ? sticky :
"", sticky ?
"; " :
" ", sticky ? sticky :
"", sticky ?
"; " :
" ");
621 snprintf(
string,
sizeof(
string),
622 "alert tcp any any -> any any "
623 "(content:\"one\"; %s%scontent:!\"two\"; fast_pattern:1,2; %s%sdepth:10; sid:1;)",
624 sticky ? sticky :
"", sticky ?
"; " :
" ", sticky ? sticky :
"", sticky ?
"; " :
" ");
628 snprintf(
string,
sizeof(
string),
629 "alert tcp any any -> any any "
630 "(content:\"one\"; %s%scontent:!\"two\"; fast_pattern:1,2; %s%soffset:10; sid:1;)",
631 sticky ? sticky :
"", sticky ?
"; " :
" ", sticky ? sticky :
"", sticky ?
"; " :
" ");
638 static int DetectFastPatternStickySingleFPOnly(
const char *sticky,
const int list)
643 snprintf(
string,
sizeof(
string),
644 "alert tcp any any -> any any "
645 "(%s%scontent:\"one\"; fast_pattern:only; sid:1;)",
646 sticky ? sticky :
"", sticky ?
"; " :
" ");
660 static int DetectFastPatternModifierFPOnly(
const char *sticky,
const int list)
665 snprintf(
string,
sizeof(
string),
666 "alert tcp any any -> any any "
667 "(content:\"one\"; %s%sfast_pattern:only; sid:1;)",
668 sticky ? sticky :
"", sticky ?
"; " :
" ");
679 snprintf(
string,
sizeof(
string),
680 "alert tcp any any -> any any "
681 "(content:\"one\"; %s%scontent:\"two\"; %s%sfast_pattern:only; sid:2;)",
682 sticky ? sticky :
"", sticky ?
"; " :
" ", sticky ? sticky :
"", sticky ?
"; " :
" ");
700 snprintf(
string,
sizeof(
string),
701 "alert tcp any any -> any any "
702 "(content:\"one\"; %s%scontent:\"two\"; distance:10; %s%scontent:\"three\"; "
703 "%s%sfast_pattern:only; sid:3;)",
704 sticky ? sticky :
"", sticky ?
"; " :
" ", sticky ? sticky :
"", sticky ?
"; " :
" ",
705 sticky ? sticky :
"", sticky ?
"; " :
" ");
731 snprintf(
string,
sizeof(
string),
732 "alert tcp any any -> any any "
733 "(content:\"one\"; %s%scontent:\"two\"; within:10; %s%scontent:\"three\"; "
734 "%s%sfast_pattern:only; sid:4;)",
735 sticky ? sticky :
"", sticky ?
"; " :
" ", sticky ? sticky :
"", sticky ?
"; " :
" ",
736 sticky ? sticky :
"", sticky ?
"; " :
" ");
762 snprintf(
string,
sizeof(
string),
763 "alert tcp any any -> any any "
764 "(content:\"one\"; %s%scontent:\"two\"; offset:10; %s%scontent:\"three\"; "
765 "%s%sfast_pattern:only; sid:5;)",
766 sticky ? sticky :
"", sticky ?
"; " :
" ", sticky ? sticky :
"", sticky ?
"; " :
" ",
767 sticky ? sticky :
"", sticky ?
"; " :
" ");
793 snprintf(
string,
sizeof(
string),
794 "alert tcp any any -> any any "
795 "(content:\"one\"; %s%scontent:\"two\"; depth:10; %s%scontent:\"three\"; "
796 "%s%sfast_pattern:only; sid:6;)",
797 sticky ? sticky :
"", sticky ?
"; " :
" ", sticky ? sticky :
"", sticky ?
"; " :
" ",
798 sticky ? sticky :
"", sticky ?
"; " :
" ");
824 snprintf(
string,
sizeof(
string),
825 "alert tcp any any -> any any "
826 "(content:!\"one\"; %s%sfast_pattern; content:\"two\"; depth:10; %s%ssid:7;)",
827 sticky ? sticky :
"", sticky ?
"; " :
" ", sticky ? sticky :
"", sticky ?
"; " :
" ");
851 static int DetectFastPatternStickyFPChop(
const char *sticky,
const int list)
856 snprintf(
string,
sizeof(
string),
857 "alert tcp any any -> any any "
858 "(%s%scontent:\"onetwothree\"; fast_pattern:3,4; sid:1;)",
859 sticky ? sticky :
"", sticky ?
"; " :
" ");
873 snprintf(
string,
sizeof(
string),
874 "alert tcp any any -> any any "
875 "(%s%scontent:\"onetwothree\"; fast_pattern:3,4; content:\"xyz\"; distance:10; sid:2;)",
876 sticky ? sticky :
"", sticky ?
"; " :
" ");
894 static int DetectFastPatternModifierFPChop(
const char *sticky,
const int list)
899 snprintf(
string,
sizeof(
string),
900 "alert tcp any any -> any any "
901 "(content:\"onetwothree\"; %s%sfast_pattern:3,4; sid:1;)",
902 sticky ? sticky :
"", sticky ?
"; " :
" ");
916 snprintf(
string,
sizeof(
string),
917 "alert tcp any any -> any any "
918 "(content:!\"onetwothree\"; %s%sfast_pattern:3,4; sid:2;)",
919 sticky ? sticky :
"", sticky ?
"; " :
" ");
942 static int DetectFastPatternTest01(
void)
948 FAIL_IF_NOT(DetectFastPatternStickySingleBadArg(NULL));
949 FAIL_IF_NOT(DetectFastPatternModifierBadRules(NULL));
956 const char *buffer_name;
958 const char *mod_name;
960 {
"file_data",
"file.data", NULL },
961 {
"http_uri",
"http.uri",
"http_uri" },
962 {
"http_raw_uri",
"http.uri.raw",
"http_raw_uri" },
963 {
"http_user_agent",
"http.user_agent",
"http_user_agent" },
964 {
"http_header",
"http.header",
"http_header" },
967 {
"http_method",
"http.method",
"http_method" },
968 {
"http_cookie",
"http.cookie",
"http_cookie" },
969 {
"http_host",
"http.host",
"http_host" },
970 {
"http_raw_host",
"http.host.raw",
"http_raw_host" },
971 {
"http_stat_code",
"http.stat_code",
"http_stat_code" },
972 {
"http_stat_msg",
"http.stat_msg",
"http_stat_msg" },
973 {
"http_client_body",
"http.request_body",
"http_client_body" },
974 { NULL, NULL, NULL },
977 for (
int i = 0; keywords[i].buffer_name != NULL; i++) {
981 const char *k = keywords[i].sb_name;
983 FAIL_IF_NOT(DetectFastPatternStickySingle(k, list_id));
984 FAIL_IF_NOT(DetectFastPatternStickySingleNoFP(k, list_id));
985 FAIL_IF_NOT(DetectFastPatternStickySingleBadArg(k));
986 FAIL_IF_NOT(DetectFastPatternStickySingleFPOnly(k, list_id));
987 FAIL_IF_NOT(DetectFastPatternStickyFPChop(k, list_id));
989 k = keywords[i].mod_name;
991 FAIL_IF_NOT(DetectFastPatternModifierSingle(k, list_id));
992 FAIL_IF_NOT(DetectFastPatternModifierSingleNoFP(k, list_id));
994 FAIL_IF_NOT(DetectFastPatternModifierFPOnly(k, list_id));
995 FAIL_IF_NOT(DetectFastPatternModifierFPChop(k, list_id));
1007 static int DetectFastPatternTest14(
void)
1009 uint8_t *buf = (uint8_t *)
"Dummy is our name. Oh yes. From right here "
1010 "right now, all the way to hangover. right. strings5_imp now here "
1011 "comes our dark knight strings_string5. Yes here is our dark knight";
1012 uint16_t buflen = strlen((
char *)buf);
1016 memset(&th_v, 0,
sizeof(th_v));
1027 "alert tcp any any -> any any "
1028 "(msg:\"fast_pattern test\"; content:\"strings_string5\"; content:\"knight\"; "
1029 "fast_pattern; sid:1;)");
1033 "alert tcp any any -> any any "
1034 "(msg:\"test different content\"; content:\"Dummy is our name\"; sid:2;)");
1058 static int DetectFastPatternTest671(
void)
1066 de_ctx,
"alert tcp any any -> any any (content:\"onetwothreefour\"; sid:1;)");
1069 de_ctx,
"alert tcp any any -> any any (content:\"onetwothreefour\"; sid:2;)");
1072 de_ctx,
"alert tcp any any -> any any (content:\"uniquepattern\"; sid:3;)");
1075 "alert tcp any any -> any any (content:\"onetwothreefour\"; fast_pattern:3,5; sid:4;)");
1078 de_ctx,
"alert tcp any any -> any any (content:\"twoth\"; sid:5;)");
1081 "alert tcp any any -> any any (content:\"onetwothreefour\"; fast_pattern:0,15; "
1115 static int DetectFastPatternPrefilter(
void)
1119 const char *
string =
"alert tcp any any -> any any "
1120 "(content:\"one\"; prefilter; sid:1;)";
1133 static void DetectFastPatternRegisterTests(
void)
1135 UtRegisterTest(
"DetectFastPatternTest01", DetectFastPatternTest01);
1136 UtRegisterTest(
"DetectFastPatternTest14", DetectFastPatternTest14);
1143 UtRegisterTest(
"DetectFastPatternTest671", DetectFastPatternTest671);
1145 UtRegisterTest(
"DetectFastPatternPrefilter", DetectFastPatternPrefilter);
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
#define DETECT_CONTENT_FAST_PATTERN_CHOP
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options)
void(* Free)(DetectEngineCtx *, void *)
struct SCFPSupportSMList_ * next
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
struct HtpBodyChunk_ * next
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
main detection engine ctx
int StringParseUint16(uint16_t *res, int base, size_t len, const char *str)
@ SC_ERR_INVALID_SIGNATURE
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
void SupportFastPatternForSigMatchTypes(void)
Registers the keywords(SMs) that should be given fp support.
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
SigMatchData * sm_arrays[DETECT_SM_LIST_MAX]
@ SC_ERR_PCRE_GET_SUBSTRING
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
void DetectEngineRegisterFastPatternForId(DetectEngineCtx *de_ctx, int list_id, int priority)
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
int DetectBufferTypeGetByName(const char *name)
void FlowInitConfig(bool quiet)
initialize the configuration
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
#define PASS
Pass the test.
#define DETECT_CONTENT_DISTANCE
SigMatch * DetectGetLastSMFromMpmLists(const DetectEngineCtx *de_ctx, const Signature *s)
get the last SigMatch from lists that support MPM.
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
#define DETECT_CONTENT_DEPTH
Per thread variable structure.
#define DETECT_CONTENT_IS_SINGLE(c)
#define DETECT_CONTENT_NEGATED
void DetectEngineInitializeFastPatternList(DetectEngineCtx *de_ctx)
SignatureInitData * init_data
int FastPatternSupportEnabledForSigMatchList(const DetectEngineCtx *de_ctx, const int list_id)
Checks if a particular list(Signature->sm_lists[]) is in the list of lists that need to be searched f...
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
struct SigMatch_ ** smlists
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
bool DetectEngineBufferTypeSupportsMpmGetById(const DetectEngineCtx *de_ctx, const int id)
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
void FlowShutdown(void)
shutdown the flow engine
void SupportFastPatternForSigMatchList(int list_id, int priority)
Lets one add a sm list id to be searched for potential fp supported keywords later.
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
#define FatalError(x,...)
#define SIGMATCH_OPTIONAL_OPT
void DetectEngineFreeFastPatternList(DetectEngineCtx *de_ctx)
struct HtpBodyChunk_ * next
#define DETECT_CONTENT_OFFSET
#define DETECT_CONTENT_FAST_PATTERN_ONLY
a single match condition for a signature
DetectEngineCtx * DetectEngineCtxInit(void)
void DetectFastPatternRegister(void)
Registration function for fast_pattern keyword.
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
#define DETECT_CONTENT_FAST_PATTERN
SCFPSupportSMList * fp_support_smlist_list
#define DETECT_CONTENT_WITHIN
void(* RegisterTests)(void)
uint32_t smlists_array_size
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.