suricata
detect-flow.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * FLOW part of the detection engine.
24  */
25 
26 #include "suricata-common.h"
27 #include "debug.h"
28 #include "decode.h"
29 
30 #include "detect.h"
31 #include "detect-parse.h"
32 #include "detect-engine.h"
34 
35 #include "flow.h"
36 #include "flow-var.h"
37 
38 #include "detect-flow.h"
39 
40 #include "util-unittest.h"
41 #include "util-unittest-helper.h"
42 #include "util-debug.h"
43 
44 /**
45  * \brief Regex for parsing our flow options
46  */
47 #define PARSE_REGEX "^\\s*([A-z_]+)\\s*(?:,\\s*([A-z_]+))?\\s*(?:,\\s*([A-z_]+))?\\s*$"
48 
49 static DetectParseRegex parse_regex;
50 
52  const Signature *, const SigMatchCtx *);
53 static int DetectFlowSetup (DetectEngineCtx *, Signature *, const char *);
54 #ifdef UNITTESTS
55 static void DetectFlowRegisterTests(void);
56 #endif
57 void DetectFlowFree(DetectEngineCtx *, void *);
58 
59 static int PrefilterSetupFlow(DetectEngineCtx *de_ctx, SigGroupHead *sgh);
60 static bool PrefilterFlowIsPrefilterable(const Signature *s);
61 
62 /**
63  * \brief Registration function for flow: keyword
64  */
65 void DetectFlowRegister (void)
66 {
68  sigmatch_table[DETECT_FLOW].desc = "match on direction and state of the flow";
69  sigmatch_table[DETECT_FLOW].url = "/rules/flow-keywords.html#flow";
71  sigmatch_table[DETECT_FLOW].Setup = DetectFlowSetup;
73 #ifdef UNITTESTS
74  sigmatch_table[DETECT_FLOW].RegisterTests = DetectFlowRegisterTests;
75 #endif
76  sigmatch_table[DETECT_FLOW].SupportsPrefilter = PrefilterFlowIsPrefilterable;
77  sigmatch_table[DETECT_FLOW].SetupPrefilter = PrefilterSetupFlow;
78 
79  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
80 }
81 
82 /**
83  * \param pflags packet flags (p->flags)
84  * \param pflowflags packet flow flags (p->flowflags)
85  * \param tflags detection flags (det_ctx->flags)
86  * \param dflags detect flow flags
87  * \param match_cnt number of matches to trigger
88  */
89 static inline int FlowMatch(const uint32_t pflags, const uint8_t pflowflags,
90  const uint16_t tflags, const uint16_t dflags, const uint8_t match_cnt)
91 {
92  uint8_t cnt = 0;
93 
94  if ((dflags & DETECT_FLOW_FLAG_NO_FRAG) &&
95  (!(pflags & PKT_REBUILT_FRAGMENT))) {
96  cnt++;
97  } else if ((dflags & DETECT_FLOW_FLAG_ONLY_FRAG) &&
98  (pflags & PKT_REBUILT_FRAGMENT)) {
99  cnt++;
100  }
101 
102  if ((dflags & DETECT_FLOW_FLAG_TOSERVER) && (pflowflags & FLOW_PKT_TOSERVER)) {
103  cnt++;
104  } else if ((dflags & DETECT_FLOW_FLAG_TOCLIENT) && (pflowflags & FLOW_PKT_TOCLIENT)) {
105  cnt++;
106  }
107 
108  if ((dflags & DETECT_FLOW_FLAG_ESTABLISHED) && (pflowflags & FLOW_PKT_ESTABLISHED)) {
109  cnt++;
110  } else if (dflags & DETECT_FLOW_FLAG_NOT_ESTABLISHED && (!(pflowflags & FLOW_PKT_ESTABLISHED))) {
111  cnt++;
112  } else if (dflags & DETECT_FLOW_FLAG_STATELESS) {
113  cnt++;
114  }
115 
117  if (dflags & DETECT_FLOW_FLAG_ONLYSTREAM)
118  cnt++;
119  } else {
120  if (dflags & DETECT_FLOW_FLAG_NOSTREAM)
121  cnt++;
122  }
123 
124  return (match_cnt == cnt) ? 1 : 0;
125 }
126 
127 /**
128  * \brief This function is used to match flow flags set on a packet with those passed via flow:
129  *
130  * \param t pointer to thread vars
131  * \param det_ctx pointer to the pattern matcher thread
132  * \param p pointer to the current packet
133  * \param m pointer to the sigmatch that we will cast into DetectFlowData
134  *
135  * \retval 0 no match
136  * \retval 1 match
137  */
139  const Signature *s, const SigMatchCtx *ctx)
140 {
141  SCEnter();
142 
143  SCLogDebug("pkt %p", p);
144 
145  if (p->flowflags & FLOW_PKT_TOSERVER) {
146  SCLogDebug("FLOW_PKT_TOSERVER");
147  } else if (p->flowflags & FLOW_PKT_TOCLIENT) {
148  SCLogDebug("FLOW_PKT_TOCLIENT");
149  }
150 
151  if (p->flowflags & FLOW_PKT_ESTABLISHED) {
152  SCLogDebug("FLOW_PKT_ESTABLISHED");
153  }
154 
155  const DetectFlowData *fd = (const DetectFlowData *)ctx;
156 
157  const int ret = FlowMatch(p->flags, p->flowflags, det_ctx->flags, fd->flags, fd->match_cnt);
158  SCLogDebug("returning %" PRId32 " fd->match_cnt %" PRId32 " fd->flags 0x%02X p->flowflags 0x%02X",
159  ret, fd->match_cnt, fd->flags, p->flowflags);
160  SCReturnInt(ret);
161 }
162 
163 /**
164  * \brief This function is used to parse flow options passed via flow: keyword
165  *
166  * \param de_ctx Pointer to the detection engine context
167  * \param flowstr Pointer to the user provided flow options
168  *
169  * \retval fd pointer to DetectFlowData on success
170  * \retval NULL on failure
171  */
172 static DetectFlowData *DetectFlowParse (DetectEngineCtx *de_ctx, const char *flowstr)
173 {
174  DetectFlowData *fd = NULL;
175  char *args[3] = {NULL,NULL,NULL};
176  int ret = 0, res = 0;
177  size_t pcre2len;
178  char str1[16] = "", str2[16] = "", str3[16] = "";
179 
180  ret = DetectParsePcreExec(&parse_regex, flowstr, 0, 0);
181  if (ret < 1 || ret > 4) {
182  SCLogError(SC_ERR_PCRE_MATCH, "parse error, ret %" PRId32 ", string %s", ret, flowstr);
183  goto error;
184  }
185 
186  if (ret > 1) {
187  pcre2len = sizeof(str1);
188  res = SC_Pcre2SubstringCopy(parse_regex.match, 1, (PCRE2_UCHAR8 *)str1, &pcre2len);
189  if (res < 0) {
190  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre2_substring_copy_bynumber failed");
191  goto error;
192  }
193  args[0] = (char *)str1;
194 
195  if (ret > 2) {
196  pcre2len = sizeof(str2);
197  res = pcre2_substring_copy_bynumber(
198  parse_regex.match, 2, (PCRE2_UCHAR8 *)str2, &pcre2len);
199  if (res < 0) {
200  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre2_substring_copy_bynumber failed");
201  goto error;
202  }
203  args[1] = (char *)str2;
204  }
205  if (ret > 3) {
206  pcre2len = sizeof(str3);
207  res = pcre2_substring_copy_bynumber(
208  parse_regex.match, 3, (PCRE2_UCHAR8 *)str3, &pcre2len);
209  if (res < 0) {
210  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre2_substring_copy_bynumber failed");
211  goto error;
212  }
213  args[2] = (char *)str3;
214  }
215  }
216 
217  fd = SCMalloc(sizeof(DetectFlowData));
218  if (unlikely(fd == NULL))
219  goto error;
220  fd->flags = 0;
221  fd->match_cnt = 0;
222 
223  int i;
224  for (i = 0; i < (ret - 1); i++) {
225  if (args[i]) {
226  /* inspect our options and set the flags */
227  if (strcasecmp(args[i], "established") == 0) {
229  SCLogError(SC_ERR_FLAGS_MODIFIER, "DETECT_FLOW_FLAG_ESTABLISHED flag is already set");
230  goto error;
231  } else if (fd->flags & DETECT_FLOW_FLAG_STATELESS) {
232  SCLogError(SC_ERR_FLAGS_MODIFIER, "DETECT_FLOW_FLAG_STATELESS already set");
233  goto error;
234  }
236  } else if (strcasecmp(args[i], "not_established") == 0) {
238  SCLogError(SC_ERR_FLAGS_MODIFIER, "DETECT_FLOW_FLAG_NOT_ESTABLISHED flag is already set");
239  goto error;
240  } else if (fd->flags & DETECT_FLOW_FLAG_NOT_ESTABLISHED) {
241  SCLogError(SC_ERR_FLAGS_MODIFIER, "cannot set DETECT_FLOW_FLAG_NOT_ESTABLISHED, DETECT_FLOW_FLAG_ESTABLISHED already set");
242  goto error;
243  }
245  } else if (strcasecmp(args[i], "stateless") == 0) {
246  if (fd->flags & DETECT_FLOW_FLAG_STATELESS) {
247  SCLogError(SC_ERR_FLAGS_MODIFIER, "DETECT_FLOW_FLAG_STATELESS flag is already set");
248  goto error;
249  } else if (fd->flags & DETECT_FLOW_FLAG_ESTABLISHED) {
250  SCLogError(SC_ERR_FLAGS_MODIFIER, "cannot set DETECT_FLOW_FLAG_STATELESS, DETECT_FLOW_FLAG_ESTABLISHED already set");
251  goto error;
252  }
254  } else if (strcasecmp(args[i], "to_client") == 0 || strcasecmp(args[i], "from_server") == 0) {
255  if (fd->flags & DETECT_FLOW_FLAG_TOCLIENT) {
256  SCLogError(SC_ERR_FLAGS_MODIFIER, "cannot set DETECT_FLOW_FLAG_TOCLIENT flag is already set");
257  goto error;
258  } else if (fd->flags & DETECT_FLOW_FLAG_TOSERVER) {
259  SCLogError(SC_ERR_FLAGS_MODIFIER, "cannot set to_client, DETECT_FLOW_FLAG_TOSERVER already set");
260  goto error;
261  }
263  } else if (strcasecmp(args[i], "to_server") == 0 || strcasecmp(args[i], "from_client") == 0){
264  if (fd->flags & DETECT_FLOW_FLAG_TOSERVER) {
265  SCLogError(SC_ERR_FLAGS_MODIFIER, "cannot set DETECT_FLOW_FLAG_TOSERVER flag is already set");
266  goto error;
267  } else if (fd->flags & DETECT_FLOW_FLAG_TOCLIENT) {
268  SCLogError(SC_ERR_FLAGS_MODIFIER, "cannot set to_server, DETECT_FLOW_FLAG_TO_CLIENT flag already set");
269  goto error;
270  }
272  } else if (strcasecmp(args[i], "only_stream") == 0) {
274  SCLogError(SC_ERR_FLAGS_MODIFIER, "cannot set only_stream flag is already set");
275  goto error;
276  } else if (fd->flags & DETECT_FLOW_FLAG_NOSTREAM) {
277  SCLogError(SC_ERR_FLAGS_MODIFIER, "cannot set only_stream flag, DETECT_FLOW_FLAG_NOSTREAM already set");
278  goto error;
279  }
281  } else if (strcasecmp(args[i], "no_stream") == 0) {
282  if (fd->flags & DETECT_FLOW_FLAG_NOSTREAM) {
283  SCLogError(SC_ERR_FLAGS_MODIFIER, "cannot set no_stream flag is already set");
284  goto error;
285  } else if (fd->flags & DETECT_FLOW_FLAG_ONLYSTREAM) {
286  SCLogError(SC_ERR_FLAGS_MODIFIER, "cannot set no_stream flag, DETECT_FLOW_FLAG_ONLYSTREAM already set");
287  goto error;
288  }
290  } else if (strcasecmp(args[i], "no_frag") == 0) {
291  if (fd->flags & DETECT_FLOW_FLAG_NO_FRAG) {
292  SCLogError(SC_ERR_FLAGS_MODIFIER, "cannot set no_frag flag is already set");
293  goto error;
294  } else if (fd->flags & DETECT_FLOW_FLAG_ONLY_FRAG) {
295  SCLogError(SC_ERR_FLAGS_MODIFIER, "cannot set no_frag flag, only_frag already set");
296  goto error;
297  }
299  } else if (strcasecmp(args[i], "only_frag") == 0) {
300  if (fd->flags & DETECT_FLOW_FLAG_ONLY_FRAG) {
301  SCLogError(SC_ERR_FLAGS_MODIFIER, "cannot set only_frag flag is already set");
302  goto error;
303  } else if (fd->flags & DETECT_FLOW_FLAG_NO_FRAG) {
304  SCLogError(SC_ERR_FLAGS_MODIFIER, "cannot set only_frag flag, no_frag already set");
305  goto error;
306  }
308  } else {
309  SCLogError(SC_ERR_INVALID_VALUE, "invalid flow option \"%s\"", args[i]);
310  goto error;
311  }
312 
313  fd->match_cnt++;
314  //printf("args[%" PRId32 "]: %s match_cnt: %" PRId32 " flags: 0x%02X\n", i, args[i], fd->match_cnt, fd->flags);
315  }
316  }
317  return fd;
318 
319 error:
320  if (fd != NULL)
321  DetectFlowFree(de_ctx, fd);
322  return NULL;
323 
324 }
325 
327 {
328 #define SIG_FLAG_BOTH (SIG_FLAG_TOSERVER|SIG_FLAG_TOCLIENT)
329  BUG_ON(flags == 0);
332 
333  SCLogDebug("want %08lx", flags & SIG_FLAG_BOTH);
334  SCLogDebug("have %08lx", s->flags & SIG_FLAG_BOTH);
335 
336  if (flags & SIG_FLAG_TOSERVER) {
337  if ((s->flags & SIG_FLAG_BOTH) == SIG_FLAG_BOTH) {
338  /* both is set if we just have 'flow:established' */
339  s->flags &= ~SIG_FLAG_TOCLIENT;
340  } else if (s->flags & SIG_FLAG_TOCLIENT) {
341  return -1;
342  }
343  s->flags |= SIG_FLAG_TOSERVER;
344  } else {
345  if ((s->flags & SIG_FLAG_BOTH) == SIG_FLAG_BOTH) {
346  /* both is set if we just have 'flow:established' */
347  s->flags &= ~SIG_FLAG_TOSERVER;
348  } else if (s->flags & SIG_FLAG_TOSERVER) {
349  return -1;
350  }
351  s->flags |= SIG_FLAG_TOCLIENT;
352  }
353  return 0;
354 #undef SIG_FLAG_BOTH
355 }
356 
357 /**
358  * \brief this function is used to add the parsed flowdata into the current signature
359  *
360  * \param de_ctx pointer to the Detection Engine Context
361  * \param s pointer to the Current Signature
362  * \param flowstr pointer to the user provided flow options
363  *
364  * \retval 0 on Success
365  * \retval -1 on Failure
366  */
367 int DetectFlowSetup (DetectEngineCtx *de_ctx, Signature *s, const char *flowstr)
368 {
369  /* ensure only one flow option */
371  SCLogError (SC_ERR_INVALID_SIGNATURE, "A signature may have only one flow option.");
372  return -1;
373  }
374 
375  DetectFlowData *fd = DetectFlowParse(de_ctx, flowstr);
376  if (fd == NULL)
377  return -1;
378 
379  SigMatch *sm = SigMatchAlloc();
380  if (sm == NULL)
381  goto error;
382 
383  sm->type = DETECT_FLOW;
384  sm->ctx = (SigMatchCtx *)fd;
385 
386  /* set the signature direction flags */
387  if (fd->flags & DETECT_FLOW_FLAG_TOSERVER) {
388  s->flags |= SIG_FLAG_TOSERVER;
389  } else if (fd->flags & DETECT_FLOW_FLAG_TOCLIENT) {
390  s->flags |= SIG_FLAG_TOCLIENT;
391  } else {
392  s->flags |= SIG_FLAG_TOSERVER;
393  s->flags |= SIG_FLAG_TOCLIENT;
394  }
397  }
398  if (fd->flags & DETECT_FLOW_FLAG_NOSTREAM) {
400  } else if (fd->flags == DETECT_FLOW_FLAG_TOSERVER ||
402  {
403  /* no direct flow is needed for just direction,
404  * no sigmatch is needed either. */
405  SigMatchFree(de_ctx, sm);
406  sm = NULL;
407  } else {
409  }
410 
411  if (sm != NULL) {
413  }
414  return 0;
415 
416 error:
417  if (fd != NULL)
418  DetectFlowFree(de_ctx, fd);
419  return -1;
420 
421 }
422 
423 /**
424  * \brief this function will free memory associated with DetectFlowData
425  *
426  * \param fd pointer to DetectFlowData
427  */
429 {
430  DetectFlowData *fd = (DetectFlowData *)ptr;
431  SCFree(fd);
432 }
433 
434 static void
435 PrefilterPacketFlowMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)
436 {
437  const PrefilterPacketHeaderCtx *ctx = pectx;
438 
439  if (!PrefilterPacketHeaderExtraMatch(ctx, p))
440  return;
441 
442  if (FlowMatch(p->flags, p->flowflags, det_ctx->flags, ctx->v1.u8[0], ctx->v1.u8[1]))
443  {
444  PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);
445  }
446 }
447 
448 static void
449 PrefilterPacketFlowSet(PrefilterPacketHeaderValue *v, void *smctx)
450 {
451  const DetectFlowData *fb = smctx;
452  v->u8[0] = fb->flags;
453  v->u8[1] = fb->match_cnt;
454 }
455 
456 static bool
457 PrefilterPacketFlowCompare(PrefilterPacketHeaderValue v, void *smctx)
458 {
459  const DetectFlowData *fb = smctx;
460  if (v.u8[0] == fb->flags &&
461  v.u8[1] == fb->match_cnt)
462  {
463  return true;
464  }
465  return false;
466 }
467 
468 static int PrefilterSetupFlow(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
469 {
471  PrefilterPacketFlowSet,
472  PrefilterPacketFlowCompare,
473  PrefilterPacketFlowMatch);
474 }
475 
476 static bool PrefilterFlowIsPrefilterable(const Signature *s)
477 {
478  const SigMatch *sm;
479  for (sm = s->init_data->smlists[DETECT_SM_LIST_MATCH] ; sm != NULL; sm = sm->next) {
480  switch (sm->type) {
481  case DETECT_FLOW:
482  return true;
483  }
484  }
485  return false;
486 }
487 
488 #ifdef UNITTESTS
489 
490 /**
491  * \test DetectFlowTestParse01 is a test to make sure that we return "something"
492  * when given valid flow opt
493  */
494 static int DetectFlowTestParse01 (void)
495 {
496  DetectFlowData *fd = NULL;
497  fd = DetectFlowParse(NULL, "established");
498  FAIL_IF_NULL(fd);
499  DetectFlowFree(NULL, fd);
500  PASS;
501 }
502 
503 /**
504  * \test DetectFlowTestParse02 is a test for setting the established flow opt
505  */
506 static int DetectFlowTestParse02 (void)
507 {
508  DetectFlowData *fd = NULL;
509  fd = DetectFlowParse(NULL, "established");
510  FAIL_IF_NULL(fd);
512  fd->match_cnt == 1);
513  PASS;
514 }
515 
516 /**
517  * \test DetectFlowTestParse03 is a test for setting the stateless flow opt
518  */
519 static int DetectFlowTestParse03 (void)
520 {
521  DetectFlowData *fd = NULL;
522  fd = DetectFlowParse(NULL, "stateless");
523  FAIL_IF_NULL(fd);
525  DetectFlowFree(NULL, fd);
526  PASS;
527 }
528 
529 /**
530  * \test DetectFlowTestParse04 is a test for setting the to_client flow opt
531  */
532 static int DetectFlowTestParse04 (void)
533 {
534  DetectFlowData *fd = NULL;
535  fd = DetectFlowParse(NULL, "to_client");
536  FAIL_IF_NULL(fd);
538  DetectFlowFree(NULL, fd);
539  PASS;
540 }
541 
542 /**
543  * \test DetectFlowTestParse05 is a test for setting the to_server flow opt
544  */
545 static int DetectFlowTestParse05 (void)
546 {
547  DetectFlowData *fd = NULL;
548  fd = DetectFlowParse(NULL, "to_server");
549  FAIL_IF_NULL(fd);
551  DetectFlowFree(NULL, fd);
552  PASS;
553 }
554 
555 /**
556  * \test DetectFlowTestParse06 is a test for setting the from_server flow opt
557  */
558 static int DetectFlowTestParse06 (void)
559 {
560  DetectFlowData *fd = NULL;
561  fd = DetectFlowParse(NULL, "from_server");
562  FAIL_IF_NULL(fd);
564  DetectFlowFree(NULL, fd);
565  PASS;
566 }
567 
568 /**
569  * \test DetectFlowTestParse07 is a test for setting the from_client flow opt
570  */
571 static int DetectFlowTestParse07 (void)
572 {
573  DetectFlowData *fd = NULL;
574  fd = DetectFlowParse(NULL, "from_client");
575  FAIL_IF_NULL(fd);
577  DetectFlowFree(NULL, fd);
578  PASS;
579 }
580 
581 /**
582  * \test DetectFlowTestParse08 is a test for setting the established,to_client flow opts
583  */
584 static int DetectFlowTestParse08 (void)
585 {
586  DetectFlowData *fd = NULL;
587  fd = DetectFlowParse(NULL, "established,to_client");
588  FAIL_IF_NULL(fd);
590  DetectFlowFree(NULL, fd);
591  PASS;
592 }
593 
594 /**
595  * \test DetectFlowTestParse09 is a test for setting the to_client,stateless flow opts (order of state,dir reversed)
596  */
597 static int DetectFlowTestParse09 (void)
598 {
599  DetectFlowData *fd = NULL;
600  fd = DetectFlowParse(NULL, "to_client,stateless");
601  FAIL_IF_NULL(fd);
604  fd->match_cnt == 2);
605  DetectFlowFree(NULL, fd);
606  PASS;
607 }
608 
609 /**
610  * \test DetectFlowTestParse10 is a test for setting the from_server,stateless flow opts (order of state,dir reversed)
611  */
612 static int DetectFlowTestParse10 (void)
613 {
614  DetectFlowData *fd = NULL;
615  fd = DetectFlowParse(NULL, "from_server,stateless");
616  FAIL_IF_NULL(fd);
619  fd->match_cnt == 2);
620  DetectFlowFree(NULL, fd);
621  PASS;
622 }
623 
624 /**
625  * \test DetectFlowTestParse11 is a test for setting the from_server,stateless flow opts with spaces all around
626  */
627 static int DetectFlowTestParse11 (void)
628 {
629  DetectFlowData *fd = NULL;
630  fd = DetectFlowParse(NULL, " from_server , stateless ");
631  FAIL_IF_NULL(fd);
634  fd->match_cnt == 2);
635  DetectFlowFree(NULL, fd);
636  PASS;
637 }
638 
639 /**
640  * \test DetectFlowTestParseNocase01 is a test to make sure that we return "something"
641  * when given valid flow opt
642  */
643 static int DetectFlowTestParseNocase01 (void)
644 {
645  DetectFlowData *fd = NULL;
646  fd = DetectFlowParse(NULL, "ESTABLISHED");
647  FAIL_IF_NULL(fd);
648  DetectFlowFree(NULL, fd);
649  PASS;
650 }
651 
652 /**
653  * \test DetectFlowTestParseNocase02 is a test for setting the established flow opt
654  */
655 static int DetectFlowTestParseNocase02 (void)
656 {
657  DetectFlowData *fd = NULL;
658  fd = DetectFlowParse(NULL, "ESTABLISHED");
659  FAIL_IF_NULL(fd);
661  fd->match_cnt == 1);
662  DetectFlowFree(NULL, fd);
663  PASS;
664 }
665 
666 /**
667  * \test DetectFlowTestParseNocase03 is a test for setting the stateless flow opt
668  */
669 static int DetectFlowTestParseNocase03 (void)
670 {
671  DetectFlowData *fd = NULL;
672  fd = DetectFlowParse(NULL, "STATELESS");
673  FAIL_IF_NULL(fd);
675  PASS;
676 }
677 
678 /**
679  * \test DetectFlowTestParseNocase04 is a test for setting the to_client flow opt
680  */
681 static int DetectFlowTestParseNocase04 (void)
682 {
683  DetectFlowData *fd = NULL;
684  fd = DetectFlowParse(NULL, "TO_CLIENT");
685  FAIL_IF_NULL(fd);
687  DetectFlowFree(NULL, fd);
688  PASS;
689 }
690 
691 /**
692  * \test DetectFlowTestParseNocase05 is a test for setting the to_server flow opt
693  */
694 static int DetectFlowTestParseNocase05 (void)
695 {
696  DetectFlowData *fd = NULL;
697  fd = DetectFlowParse(NULL, "TO_SERVER");
698  FAIL_IF_NULL(fd);
700  DetectFlowFree(NULL, fd);
701  PASS;
702 }
703 
704 /**
705  * \test DetectFlowTestParseNocase06 is a test for setting the from_server flow opt
706  */
707 static int DetectFlowTestParseNocase06 (void)
708 {
709  DetectFlowData *fd = NULL;
710  fd = DetectFlowParse(NULL, "FROM_SERVER");
711  FAIL_IF_NULL(fd);
713  DetectFlowFree(NULL, fd);
714  PASS;
715 }
716 
717 /**
718  * \test DetectFlowTestParseNocase07 is a test for setting the from_client flow opt
719  */
720 static int DetectFlowTestParseNocase07 (void)
721 {
722  DetectFlowData *fd = NULL;
723  fd = DetectFlowParse(NULL, "FROM_CLIENT");
724  FAIL_IF_NULL(fd);
726  DetectFlowFree(NULL, fd);
727  PASS;
728 }
729 
730 /**
731  * \test DetectFlowTestParseNocase08 is a test for setting the established,to_client flow opts
732  */
733 static int DetectFlowTestParseNocase08 (void)
734 {
735  DetectFlowData *fd = NULL;
736  fd = DetectFlowParse(NULL, "ESTABLISHED,TO_CLIENT");
737  FAIL_IF_NULL(fd);
740  fd->match_cnt == 2);
741  DetectFlowFree(NULL, fd);
742  PASS;
743 }
744 
745 /**
746  * \test DetectFlowTestParseNocase09 is a test for setting the to_client,stateless flow opts (order of state,dir reversed)
747  */
748 static int DetectFlowTestParseNocase09 (void)
749 {
750  DetectFlowData *fd = NULL;
751  fd = DetectFlowParse(NULL, "TO_CLIENT,STATELESS");
752  FAIL_IF_NULL(fd);
755  fd->match_cnt == 2);
756  DetectFlowFree(NULL, fd);
757  PASS;
758 }
759 
760 /**
761  * \test DetectFlowTestParseNocase10 is a test for setting the from_server,stateless flow opts (order of state,dir reversed)
762  */
763 static int DetectFlowTestParseNocase10 (void)
764 {
765  DetectFlowData *fd = NULL;
766  fd = DetectFlowParse(NULL, "FROM_SERVER,STATELESS");
767  FAIL_IF_NULL(fd);
770  fd->match_cnt == 2);
771  DetectFlowFree(NULL, fd);
772  PASS;
773 }
774 
775 /**
776  * \test DetectFlowTestParseNocase11 is a test for setting the from_server,stateless flow opts with spaces all around
777  */
778 static int DetectFlowTestParseNocase11 (void)
779 {
780  DetectFlowData *fd = NULL;
781  fd = DetectFlowParse(NULL, " FROM_SERVER , STATELESS ");
782  FAIL_IF_NULL(fd);
785  fd->match_cnt == 2);
786  DetectFlowFree(NULL, fd);
787  PASS;
788 }
789 
790 /**
791  * \test DetectFlowTestParse12 is a test for setting an invalid seperator :
792  */
793 static int DetectFlowTestParse12 (void)
794 {
795  DetectFlowData *fd = NULL;
796  fd = DetectFlowParse(NULL, "from_server:stateless");
797  FAIL_IF_NOT_NULL(fd);
798  PASS;
799 }
800 
801 /**
802  * \test DetectFlowTestParse13 is a test for an invalid option
803  */
804 static int DetectFlowTestParse13 (void)
805 {
806  DetectFlowData *fd = NULL;
807  fd = DetectFlowParse(NULL, "invalidoptiontest");
808  FAIL_IF_NOT_NULL(fd);
809  PASS;
810 }
811 
812 /**
813  * \test DetectFlowTestParse14 is a test for a empty option
814  */
815 static int DetectFlowTestParse14 (void)
816 {
817  DetectFlowData *fd = NULL;
818  fd = DetectFlowParse(NULL, "");
819  FAIL_IF_NOT_NULL(fd);
820  PASS;
821 }
822 
823 /**
824  * \test DetectFlowTestParse15 is a test for an invalid combo of options established,stateless
825  */
826 static int DetectFlowTestParse15 (void)
827 {
828  DetectFlowData *fd = NULL;
829  fd = DetectFlowParse(NULL, "established,stateless");
830  FAIL_IF_NOT_NULL(fd);
831  PASS;
832 }
833 
834 /**
835  * \test DetectFlowTestParse16 is a test for an invalid combo of options to_client,to_server
836  */
837 static int DetectFlowTestParse16 (void)
838 {
839  DetectFlowData *fd = NULL;
840  fd = DetectFlowParse(NULL, "to_client,to_server");
841  FAIL_IF_NOT_NULL(fd);
842  PASS;
843 }
844 
845 /**
846  * \test DetectFlowTestParse16 is a test for an invalid combo of options to_client,from_server
847  * flowbit flags are the same
848  */
849 static int DetectFlowTestParse17 (void)
850 {
851  DetectFlowData *fd = NULL;
852  fd = DetectFlowParse(NULL, "to_client,from_server");
853  FAIL_IF_NOT_NULL(fd);
854  PASS;
855 }
856 
857 /**
858  * \test DetectFlowTestParse18 is a test for setting the from_server,stateless,only_stream flow opts (order of state,dir reversed)
859  */
860 static int DetectFlowTestParse18 (void)
861 {
862  DetectFlowData *fd = NULL;
863  fd = DetectFlowParse(NULL, "from_server,established,only_stream");
864  FAIL_IF_NULL(fd);
868  fd->match_cnt == 3);
869  DetectFlowFree(NULL, fd);
870  PASS;
871 }
872 
873 /**
874  * \test DetectFlowTestParseNocase18 is a test for setting the from_server,stateless,only_stream flow opts (order of state,dir reversed)
875  */
876 static int DetectFlowTestParseNocase18 (void)
877 {
878  DetectFlowData *fd = NULL;
879  fd = DetectFlowParse(NULL, "FROM_SERVER,ESTABLISHED,ONLY_STREAM");
880  FAIL_IF_NULL(fd);
884  fd->match_cnt == 3);
885  DetectFlowFree(NULL, fd);
886  PASS;
887 }
888 
889 
890 /**
891  * \test DetectFlowTestParse19 is a test for one to many options passed to DetectFlowParse
892  */
893 static int DetectFlowTestParse19 (void)
894 {
895  DetectFlowData *fd = NULL;
896  fd = DetectFlowParse(NULL, "from_server,established,only_stream,a");
897  FAIL_IF_NOT_NULL(fd);
898  PASS;
899 }
900 
901 /**
902  * \test DetectFlowTestParse20 is a test for setting from_server, established, no_stream
903  */
904 static int DetectFlowTestParse20 (void)
905 {
906  DetectFlowData *fd = NULL;
907  fd = DetectFlowParse(NULL, "from_server,established,no_stream");
908  FAIL_IF_NULL(fd);
912  fd->match_cnt == 3);
913  DetectFlowFree(NULL, fd);
914  PASS;
915 }
916 
917 /**
918  * \test DetectFlowTestParse20 is a test for setting from_server, established, no_stream
919  */
920 static int DetectFlowTestParseNocase20 (void)
921 {
922  DetectFlowData *fd = NULL;
923  fd = DetectFlowParse(NULL, "FROM_SERVER,ESTABLISHED,NO_STREAM");
924  FAIL_IF_NULL(fd);
928  fd->match_cnt == 3);
929  DetectFlowFree(NULL, fd);
930  PASS;
931 }
932 
933 /**
934  * \test DetectFlowTestParse21 is a test for an invalid opt between to valid opts
935  */
936 static int DetectFlowTestParse21 (void)
937 {
938  DetectFlowData *fd = NULL;
939  fd = DetectFlowParse(NULL, "from_server,a,no_stream");
940  FAIL_IF_NOT_NULL(fd);
941  PASS;
942 }
943 
944 static int DetectFlowSigTest01(void)
945 {
946  uint8_t *buf = (uint8_t *)"supernovaduper";
947  uint16_t buflen = strlen((char *)buf);
948  ThreadVars th_v;
950  memset(&dtv, 0, sizeof(DecodeThreadVars));
951  memset(&th_v, 0, sizeof(th_v));
952 
953  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
954  FAIL_IF_NULL(p);
955 
956  const char *sig1 = "alert tcp any any -> any any (msg:\"dummy\"; "
957  "content:\"nova\"; flow:no_stream; sid:1;)";
958 
961  de_ctx->flags |= DE_QUIET;
962 
963  de_ctx->sig_list = SigInit(de_ctx, sig1);
965 
967  DetectEngineThreadCtx *det_ctx = NULL;
968  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
969  FAIL_IF_NULL(det_ctx);
970 
971  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
972  FAIL_IF(PacketAlertCheck(p, 1) != 1);
973 
974  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
976  UTHFreePacket(p);
977 
978  PASS;
979 }
980 
981 /**
982  * \test Test parsing of the not_established keyword.
983  */
984 static int DetectFlowTestParseNotEstablished(void)
985 {
986  DetectFlowData *fd = NULL;
987  fd = DetectFlowParse(NULL, "not_established");
988  FAIL_IF_NULL(fd);
990  DetectFlowFree(NULL, fd);
991  PASS;
992 }
993 
994 /**
995  * \test Test parsing of the "no_frag" flow argument.
996  */
997 static int DetectFlowTestParseNoFrag(void)
998 {
999  DetectFlowData *fd = NULL;
1000  fd = DetectFlowParse(NULL, "no_frag");
1001  FAIL_IF_NULL(fd);
1003  DetectFlowFree(NULL, fd);
1004  PASS;
1005 }
1006 
1007 /**
1008  * \test Test parsing of the "only_frag" flow argument.
1009  */
1010 static int DetectFlowTestParseOnlyFrag(void)
1011 {
1012  DetectFlowData *fd = NULL;
1013  fd = DetectFlowParse(NULL, "only_frag");
1014  FAIL_IF_NULL(fd);
1016  DetectFlowFree(NULL, fd);
1017  PASS;
1018 }
1019 
1020 /**
1021  * \test Test that parsing of only_frag and no_frag together fails.
1022  */
1023 static int DetectFlowTestParseNoFragOnlyFrag(void)
1024 {
1025  DetectFlowData *fd = NULL;
1026  fd = DetectFlowParse(NULL, "no_frag,only_frag");
1027  FAIL_IF_NOT_NULL(fd);
1028  PASS;
1029 }
1030 
1031 /**
1032  * \test Test no_frag matching.
1033  */
1034 static int DetectFlowTestNoFragMatch(void)
1035 {
1036  uint32_t pflags = 0;
1037  DetectFlowData *fd = DetectFlowParse(NULL, "no_frag");
1038  FAIL_IF_NULL(fd);
1040  FAIL_IF_NOT(fd->match_cnt == 1);
1041  FAIL_IF_NOT(FlowMatch(pflags, 0, 0, fd->flags, fd->match_cnt));
1042  pflags |= PKT_REBUILT_FRAGMENT;
1043  FAIL_IF(FlowMatch(pflags, 0, 0, fd->flags, fd->match_cnt));
1044  PASS;
1045 }
1046 
1047 /**
1048  * \test Test only_frag matching.
1049  */
1050 static int DetectFlowTestOnlyFragMatch(void)
1051 {
1052  uint32_t pflags = 0;
1053  DetectFlowData *fd = DetectFlowParse(NULL, "only_frag");
1054  FAIL_IF_NULL(fd);
1056  FAIL_IF_NOT(fd->match_cnt == 1);
1057  FAIL_IF(FlowMatch(pflags, 0, 0, fd->flags, fd->match_cnt));
1058  pflags |= PKT_REBUILT_FRAGMENT;
1059  FAIL_IF_NOT(FlowMatch(pflags, 0, 0, fd->flags, fd->match_cnt));
1060  PASS;
1061 }
1062 
1063 /**
1064  * \brief this function registers unit tests for DetectFlow
1065  */
1066 static void DetectFlowRegisterTests(void)
1067 {
1068  UtRegisterTest("DetectFlowTestParse01", DetectFlowTestParse01);
1069  UtRegisterTest("DetectFlowTestParse02", DetectFlowTestParse02);
1070  UtRegisterTest("DetectFlowTestParse03", DetectFlowTestParse03);
1071  UtRegisterTest("DetectFlowTestParse04", DetectFlowTestParse04);
1072  UtRegisterTest("DetectFlowTestParse05", DetectFlowTestParse05);
1073  UtRegisterTest("DetectFlowTestParse06", DetectFlowTestParse06);
1074  UtRegisterTest("DetectFlowTestParse07", DetectFlowTestParse07);
1075  UtRegisterTest("DetectFlowTestParse08", DetectFlowTestParse08);
1076  UtRegisterTest("DetectFlowTestParse09", DetectFlowTestParse09);
1077  UtRegisterTest("DetectFlowTestParse10", DetectFlowTestParse10);
1078  UtRegisterTest("DetectFlowTestParse11", DetectFlowTestParse11);
1079  UtRegisterTest("DetectFlowTestParseNocase01", DetectFlowTestParseNocase01);
1080  UtRegisterTest("DetectFlowTestParseNocase02", DetectFlowTestParseNocase02);
1081  UtRegisterTest("DetectFlowTestParseNocase03", DetectFlowTestParseNocase03);
1082  UtRegisterTest("DetectFlowTestParseNocase04", DetectFlowTestParseNocase04);
1083  UtRegisterTest("DetectFlowTestParseNocase05", DetectFlowTestParseNocase05);
1084  UtRegisterTest("DetectFlowTestParseNocase06", DetectFlowTestParseNocase06);
1085  UtRegisterTest("DetectFlowTestParseNocase07", DetectFlowTestParseNocase07);
1086  UtRegisterTest("DetectFlowTestParseNocase08", DetectFlowTestParseNocase08);
1087  UtRegisterTest("DetectFlowTestParseNocase09", DetectFlowTestParseNocase09);
1088  UtRegisterTest("DetectFlowTestParseNocase10", DetectFlowTestParseNocase10);
1089  UtRegisterTest("DetectFlowTestParseNocase11", DetectFlowTestParseNocase11);
1090  UtRegisterTest("DetectFlowTestParse12", DetectFlowTestParse12);
1091  UtRegisterTest("DetectFlowTestParse13", DetectFlowTestParse13);
1092  UtRegisterTest("DetectFlowTestParse14", DetectFlowTestParse14);
1093  UtRegisterTest("DetectFlowTestParse15", DetectFlowTestParse15);
1094  UtRegisterTest("DetectFlowTestParse16", DetectFlowTestParse16);
1095  UtRegisterTest("DetectFlowTestParse17", DetectFlowTestParse17);
1096  UtRegisterTest("DetectFlowTestParse18", DetectFlowTestParse18);
1097  UtRegisterTest("DetectFlowTestParseNocase18", DetectFlowTestParseNocase18);
1098  UtRegisterTest("DetectFlowTestParse19", DetectFlowTestParse19);
1099  UtRegisterTest("DetectFlowTestParse20", DetectFlowTestParse20);
1100  UtRegisterTest("DetectFlowTestParseNocase20", DetectFlowTestParseNocase20);
1101  UtRegisterTest("DetectFlowTestParse21", DetectFlowTestParse21);
1102  UtRegisterTest("DetectFlowTestParseNotEstablished",
1103  DetectFlowTestParseNotEstablished);
1104  UtRegisterTest("DetectFlowTestParseNoFrag", DetectFlowTestParseNoFrag);
1105  UtRegisterTest("DetectFlowTestParseOnlyFrag",
1106  DetectFlowTestParseOnlyFrag);
1107  UtRegisterTest("DetectFlowTestParseNoFragOnlyFrag",
1108  DetectFlowTestParseNoFragOnlyFrag);
1109  UtRegisterTest("DetectFlowTestNoFragMatch", DetectFlowTestNoFragMatch);
1110  UtRegisterTest("DetectFlowTestOnlyFragMatch", DetectFlowTestOnlyFragMatch);
1111 
1112  UtRegisterTest("DetectFlowSigTest01", DetectFlowSigTest01);
1113 }
1114 #endif /* UNITTESTS */
DETECT_FLOW_FLAG_TOCLIENT
#define DETECT_FLOW_FLAG_TOCLIENT
Definition: detect-flow.h:28
DETECT_FLOW_FLAG_STATELESS
#define DETECT_FLOW_FLAG_STATELESS
Definition: detect-flow.h:31
DetectParseRegex::match
pcre2_match_data * match
Definition: detect-parse.h:45
SigTableElmt_::url
const char * url
Definition: detect.h:1270
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SigTableElmt_::desc
const char * desc
Definition: detect.h:1269
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options)
Definition: detect-parse.c:2474
SigMatchFree
void SigMatchFree(DetectEngineCtx *de_ctx, SigMatch *sm)
free a SigMatch
Definition: detect-parse.c:250
SC_ERR_INVALID_VALUE
@ SC_ERR_INVALID_VALUE
Definition: util-error.h:160
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1257
DetectFlowData_
Definition: detect-flow.h:37
DetectParseRegex
Definition: detect-parse.h:42
DETECT_FLOW_FLAG_NOSTREAM
#define DETECT_FLOW_FLAG_NOSTREAM
Definition: detect-flow.h:33
SigTableElmt_::name
const char * name
Definition: detect.h:1267
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1425
SIG_FLAG_INIT_FLOW
#define SIG_FLAG_INIT_FLOW
Definition: detect.h:258
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DETECT_FLOW
@ DETECT_FLOW
Definition: detect-engine-register.h:52
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:137
Packet_::flags
uint32_t flags
Definition: decode.h:462
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2115
DetectFlowData_::match_cnt
uint8_t match_cnt
Definition: detect-flow.h:39
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1167
DetectFlowData_::flags
uint16_t flags
Definition: detect-flow.h:38
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:811
SC_ERR_INVALID_SIGNATURE
@ SC_ERR_INVALID_SIGNATURE
Definition: util-error.h:69
PrefilterPacketHeaderCtx_::sigs_array
SigIntId * sigs_array
Definition: detect-engine-prefilter-common.h:41
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2433
PrefilterPacketHeaderValue::u8
uint8_t u8[16]
Definition: detect-engine-prefilter-common.h:22
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:225
SIG_FLAG_REQUIRE_STREAM
#define SIG_FLAG_REQUIRE_STREAM
Definition: detect.h:224
DetectEngineThreadCtx_::flags
uint16_t flags
Definition: detect.h:1128
DE_QUIET
#define DE_QUIET
Definition: detect.h:295
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:337
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1790
SignatureInitData_::init_flags
uint32_t init_flags
Definition: detect.h:511
PrefilterPacketHeaderCtx_::sigs_cnt
uint32_t sigs_cnt
Definition: detect-engine-prefilter-common.h:40
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:458
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:237
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1252
DetectFlowSetupImplicit
int DetectFlowSetupImplicit(Signature *s, uint32_t flags)
Definition: detect-flow.c:326
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
SigTableElmt_::SetupPrefilter
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
Definition: detect.h:1255
DETECT_FLOW_FLAG_ONLYSTREAM
#define DETECT_FLOW_FLAG_ONLYSTREAM
Definition: detect-flow.h:32
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:236
PrefilterPacketHeaderCtx_
Definition: detect-engine-prefilter-common.h:33
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1060
PARSE_REGEX
#define PARSE_REGEX
Regex for parsing our flow options.
Definition: detect-flow.c:47
DETECT_FLOW_FLAG_TOSERVER
#define DETECT_FLOW_FLAG_TOSERVER
Definition: detect-flow.h:27
res
PoolThreadReserved res
Definition: stream-tcp-private.h:0
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2597
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:325
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:89
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:324
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:281
Signature_::flags
uint32_t flags
Definition: detect.h:549
Packet_
Definition: decode.h:427
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:619
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1235
SignatureInitData_::smlists
struct SigMatch_ ** smlists
Definition: detect.h:542
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:226
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1948
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:30
PrefilterPacketHeaderCtx_::v1
PrefilterPacketHeaderValue v1
Definition: detect-engine-prefilter-common.h:34
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:316
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3142
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3354
SigMatch_::type
uint16_t type
Definition: detect.h:322
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:817
DetectFlowRegister
void DetectFlowRegister(void)
Registration function for flow: keyword.
Definition: detect-flow.c:65
SIG_FLAG_BOTH
#define SIG_FLAG_BOTH
PrefilterSetupPacketHeader
int PrefilterSetupPacketHeader(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type, void(*Set)(PrefilterPacketHeaderValue *v, void *), bool(*Compare)(PrefilterPacketHeaderValue v, void *), void(*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
Definition: detect-engine-prefilter-common.c:417
DETECT_FLOW_FLAG_NOT_ESTABLISHED
#define DETECT_FLOW_FLAG_NOT_ESTABLISHED
Definition: detect-flow.h:30
detect-flow.h
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
DETECT_FLOW_FLAG_ONLY_FRAG
#define DETECT_FLOW_FLAG_ONLY_FRAG
Definition: detect-flow.h:35
DETECT_ENGINE_THREAD_CTX_STREAM_CONTENT_MATCH
#define DETECT_ENGINE_THREAD_CTX_STREAM_CONTENT_MATCH
Definition: detect.h:283
PKT_REBUILT_FRAGMENT
#define PKT_REBUILT_FRAGMENT
Definition: decode.h:1211
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:654
SigTableElmt_::SupportsPrefilter
bool(* SupportsPrefilter)(const Signature *s)
Definition: detect.h:1254
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:485
DETECT_FLOW_FLAG_ESTABLISHED
#define DETECT_FLOW_FLAG_ESTABLISHED
Definition: detect-flow.h:29
detect-parse.h
DetectFlowFree
void DetectFlowFree(DetectEngineCtx *, void *)
this function will free memory associated with DetectFlowData
Definition: detect-flow.c:428
Signature_
Signature container.
Definition: detect.h:548
SigMatch_
a single match condition for a signature
Definition: detect.h:321
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:227
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2394
SC_Pcre2SubstringCopy
int SC_Pcre2SubstringCopy(pcre2_match_data *match_data, uint32_t number, PCRE2_UCHAR *buffer, PCRE2_SIZE *bufflen)
Definition: detect-parse.c:2573
SC_ERR_FLAGS_MODIFIER
@ SC_ERR_FLAGS_MODIFIER
Definition: util-error.h:133
DetectFlowMatch
int DetectFlowMatch(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
This function is used to match flow flags set on a packet with those passed via flow:
Definition: detect-flow.c:138
PrefilterPacketHeaderValue
Definition: detect-engine-prefilter-common.h:21
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:812
detect-engine-prefilter-common.h
flow.h
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
flow-var.h
DETECT_FLOW_FLAG_NO_FRAG
#define DETECT_FLOW_FLAG_NO_FRAG
Definition: detect-flow.h:34
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
debug.h
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1259
SIG_FLAG_REQUIRE_PACKET
#define SIG_FLAG_REQUIRE_PACKET
Definition: detect.h:223