suricata
detect-flow.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * FLOW part of the detection engine.
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 
29 #include "detect.h"
30 #include "detect-parse.h"
31 #include "detect-engine.h"
32 #include "detect-engine-prefilter-common.h"
33 #include "detect-engine-build.h"
34 
35 #include "flow.h"
36 #include "flow-var.h"
37 
38 #include "detect-flow.h"
39 
40 #include "util-unittest.h"
41 #include "util-unittest-helper.h"
42 #include "util-debug.h"
43 
44 /**
45  * \brief Regex for parsing our flow options
46  */
47 #define PARSE_REGEX "^\\s*([A-z_]+)\\s*(?:,\\s*([A-z_]+))?\\s*(?:,\\s*([A-z_]+))?\\s*$"
48 
49 static DetectParseRegex parse_regex;
50 
51 int DetectFlowMatch (DetectEngineThreadCtx *, Packet *,
52  const Signature *, const SigMatchCtx *);
53 static int DetectFlowSetup (DetectEngineCtx *, Signature *, const char *);
54 #ifdef UNITTESTS
55 static void DetectFlowRegisterTests(void);
56 #endif
57 void DetectFlowFree(DetectEngineCtx *, void *);
58 
59 static int PrefilterSetupFlow(DetectEngineCtx *de_ctx, SigGroupHead *sgh);
60 static bool PrefilterFlowIsPrefilterable(const Signature *s);
61 
62 /**
63  * \brief Registration function for flow: keyword
64  */
65 void DetectFlowRegister (void)
66 {
67  sigmatch_table[DETECT_FLOW].name = "flow";
68  sigmatch_table[DETECT_FLOW].desc = "match on direction and state of the flow";
69  sigmatch_table[DETECT_FLOW].url = "/rules/flow-keywords.html#flow";
70  sigmatch_table[DETECT_FLOW].Match = DetectFlowMatch;
71  sigmatch_table[DETECT_FLOW].Setup = DetectFlowSetup;
72  sigmatch_table[DETECT_FLOW].Free = DetectFlowFree;
73 #ifdef UNITTESTS
74  sigmatch_table[DETECT_FLOW].RegisterTests = DetectFlowRegisterTests;
75 #endif
76  sigmatch_table[DETECT_FLOW].SupportsPrefilter = PrefilterFlowIsPrefilterable;
77  sigmatch_table[DETECT_FLOW].SetupPrefilter = PrefilterSetupFlow;
78 
79  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
80 }
81 
82 /**
83  * \param pflags packet flags (p->flags)
84  * \param pflowflags packet flow flags (p->flowflags)
85  * \param tflags detection flags (det_ctx->flags)
86  * \param dflags detect flow flags
87  * \param match_cnt number of matches to trigger
88  */
89 static inline int FlowMatch(const uint32_t pflags, const uint8_t pflowflags, const uint16_t tflags,
90  const uint16_t dflags, const uint16_t match_cnt)
91 {
92  uint8_t cnt = 0;
93 
94  if ((dflags & DETECT_FLOW_FLAG_NO_FRAG) &&
95  (!(pflags & PKT_REBUILT_FRAGMENT))) {
96  cnt++;
97  } else if ((dflags & DETECT_FLOW_FLAG_ONLY_FRAG) &&
98  (pflags & PKT_REBUILT_FRAGMENT)) {
99  cnt++;
100  }
101 
102  if ((dflags & DETECT_FLOW_FLAG_TOSERVER) && (pflowflags & FLOW_PKT_TOSERVER)) {
103  cnt++;
104  } else if ((dflags & DETECT_FLOW_FLAG_TOCLIENT) && (pflowflags & FLOW_PKT_TOCLIENT)) {
105  cnt++;
106  }
107 
108  if ((dflags & DETECT_FLOW_FLAG_ESTABLISHED) && (pflowflags & FLOW_PKT_ESTABLISHED)) {
109  cnt++;
110  } else if (dflags & DETECT_FLOW_FLAG_NOT_ESTABLISHED && (!(pflowflags & FLOW_PKT_ESTABLISHED))) {
111  cnt++;
112  } else if (dflags & DETECT_FLOW_FLAG_STATELESS) {
113  cnt++;
114  }
115 
116  if (tflags & DETECT_ENGINE_THREAD_CTX_STREAM_CONTENT_MATCH) {
117  if (dflags & DETECT_FLOW_FLAG_ONLYSTREAM)
118  cnt++;
119  } else {
120  if (dflags & DETECT_FLOW_FLAG_NOSTREAM)
121  cnt++;
122  }
123 
124  return (match_cnt == cnt) ? 1 : 0;
125 }
126 
127 /**
128  * \brief This function is used to match flow flags set on a packet with those passed via flow:
129  *
130  * \param t pointer to thread vars
131  * \param det_ctx pointer to the pattern matcher thread
132  * \param p pointer to the current packet
133  * \param m pointer to the sigmatch that we will cast into DetectFlowData
134  *
135  * \retval 0 no match
136  * \retval 1 match
137  */
138 int DetectFlowMatch (DetectEngineThreadCtx *det_ctx, Packet *p,
139  const Signature *s, const SigMatchCtx *ctx)
140 {
141  SCEnter();
142 
143  SCLogDebug("pkt %p", p);
144 
145  if (p->flowflags & FLOW_PKT_TOSERVER) {
146  SCLogDebug("FLOW_PKT_TOSERVER");
147  } else if (p->flowflags & FLOW_PKT_TOCLIENT) {
148  SCLogDebug("FLOW_PKT_TOCLIENT");
149  }
150 
151  if (p->flowflags & FLOW_PKT_ESTABLISHED) {
152  SCLogDebug("FLOW_PKT_ESTABLISHED");
153  }
154 
155  const DetectFlowData *fd = (const DetectFlowData *)ctx;
156 
157  const int ret = FlowMatch(p->flags, p->flowflags, det_ctx->flags, fd->flags, fd->match_cnt);
158  SCLogDebug("returning %" PRId32 " fd->match_cnt %" PRId32 " fd->flags 0x%02X p->flowflags 0x%02X",
159  ret, fd->match_cnt, fd->flags, p->flowflags);
160  SCReturnInt(ret);
161 }
162 
163 /**
164  * \brief This function is used to parse flow options passed via flow: keyword
165  *
166  * \param de_ctx Pointer to the detection engine context
167  * \param flowstr Pointer to the user provided flow options
168  *
169  * \retval fd pointer to DetectFlowData on success
170  * \retval NULL on failure
171  */
172 static DetectFlowData *DetectFlowParse (DetectEngineCtx *de_ctx, const char *flowstr)
173 {
174  DetectFlowData *fd = NULL;
175  char *args[3] = {NULL,NULL,NULL};
176  int res = 0;
177  size_t pcre2len;
178  char str1[16] = "", str2[16] = "", str3[16] = "";
179  pcre2_match_data *match = NULL;
180 
181  int ret = DetectParsePcreExec(&parse_regex, &match, flowstr, 0, 0);
182  if (ret < 1 || ret > 4) {
183  SCLogError("parse error, ret %" PRId32 ", string %s", ret, flowstr);
184  goto error;
185  }
186 
187  if (ret > 1) {
188  pcre2len = sizeof(str1);
189  res = SC_Pcre2SubstringCopy(match, 1, (PCRE2_UCHAR8 *)str1, &pcre2len);
190  if (res < 0) {
191  SCLogError("pcre2_substring_copy_bynumber failed");
192  goto error;
193  }
194  args[0] = (char *)str1;
195 
196  if (ret > 2) {
197  pcre2len = sizeof(str2);
198  res = pcre2_substring_copy_bynumber(match, 2, (PCRE2_UCHAR8 *)str2, &pcre2len);
199  if (res < 0) {
200  SCLogError("pcre2_substring_copy_bynumber failed");
201  goto error;
202  }
203  args[1] = (char *)str2;
204  }
205  if (ret > 3) {
206  pcre2len = sizeof(str3);
207  res = pcre2_substring_copy_bynumber(match, 3, (PCRE2_UCHAR8 *)str3, &pcre2len);
208  if (res < 0) {
209  SCLogError("pcre2_substring_copy_bynumber failed");
210  goto error;
211  }
212  args[2] = (char *)str3;
213  }
214  }
215 
216  fd = SCMalloc(sizeof(DetectFlowData));
217  if (unlikely(fd == NULL))
218  goto error;
219  fd->flags = 0;
220  fd->match_cnt = 0;
221 
222  int i;
223  for (i = 0; i < (ret - 1); i++) {
224  if (args[i]) {
225  /* inspect our options and set the flags */
226  if (strcasecmp(args[i], "established") == 0) {
227  if (fd->flags & DETECT_FLOW_FLAG_ESTABLISHED) {
228  SCLogError("DETECT_FLOW_FLAG_ESTABLISHED flag is already set");
229  goto error;
230  } else if (fd->flags & DETECT_FLOW_FLAG_STATELESS) {
231  SCLogError("DETECT_FLOW_FLAG_STATELESS already set");
232  goto error;
233  }
234  fd->flags |= DETECT_FLOW_FLAG_ESTABLISHED;
235  } else if (strcasecmp(args[i], "not_established") == 0) {
236  if (fd->flags & DETECT_FLOW_FLAG_NOT_ESTABLISHED) {
237  SCLogError("DETECT_FLOW_FLAG_NOT_ESTABLISHED flag is already set");
238  goto error;
239  } else if (fd->flags & DETECT_FLOW_FLAG_NOT_ESTABLISHED) {
240  SCLogError("cannot set DETECT_FLOW_FLAG_NOT_ESTABLISHED, "
241  "DETECT_FLOW_FLAG_ESTABLISHED already set");
242  goto error;
243  }
244  fd->flags |= DETECT_FLOW_FLAG_NOT_ESTABLISHED;
245  } else if (strcasecmp(args[i], "stateless") == 0) {
246  if (fd->flags & DETECT_FLOW_FLAG_STATELESS) {
247  SCLogError("DETECT_FLOW_FLAG_STATELESS flag is already set");
248  goto error;
249  } else if (fd->flags & DETECT_FLOW_FLAG_ESTABLISHED) {
250  SCLogError("cannot set DETECT_FLOW_FLAG_STATELESS, "
251  "DETECT_FLOW_FLAG_ESTABLISHED already set");
252  goto error;
253  }
254  fd->flags |= DETECT_FLOW_FLAG_STATELESS;
255  } else if (strcasecmp(args[i], "to_client") == 0 || strcasecmp(args[i], "from_server") == 0) {
256  if (fd->flags & DETECT_FLOW_FLAG_TOCLIENT) {
257  SCLogError("cannot set DETECT_FLOW_FLAG_TOCLIENT flag is already set");
258  goto error;
259  } else if (fd->flags & DETECT_FLOW_FLAG_TOSERVER) {
260  SCLogError("cannot set to_client, DETECT_FLOW_FLAG_TOSERVER already set");
261  goto error;
262  }
263  fd->flags |= DETECT_FLOW_FLAG_TOCLIENT;
264  } else if (strcasecmp(args[i], "to_server") == 0 || strcasecmp(args[i], "from_client") == 0){
265  if (fd->flags & DETECT_FLOW_FLAG_TOSERVER) {
266  SCLogError("cannot set DETECT_FLOW_FLAG_TOSERVER flag is already set");
267  goto error;
268  } else if (fd->flags & DETECT_FLOW_FLAG_TOCLIENT) {
269  SCLogError("cannot set to_server, DETECT_FLOW_FLAG_TO_CLIENT flag already set");
270  goto error;
271  }
272  fd->flags |= DETECT_FLOW_FLAG_TOSERVER;
273  } else if (strcasecmp(args[i], "only_stream") == 0) {
274  if (fd->flags & DETECT_FLOW_FLAG_ONLYSTREAM) {
275  SCLogError("cannot set only_stream flag is already set");
276  goto error;
277  } else if (fd->flags & DETECT_FLOW_FLAG_NOSTREAM) {
278  SCLogError(
279  "cannot set only_stream flag, DETECT_FLOW_FLAG_NOSTREAM already set");
280  goto error;
281  }
282  fd->flags |= DETECT_FLOW_FLAG_ONLYSTREAM;
283  } else if (strcasecmp(args[i], "no_stream") == 0) {
284  if (fd->flags & DETECT_FLOW_FLAG_NOSTREAM) {
285  SCLogError("cannot set no_stream flag is already set");
286  goto error;
287  } else if (fd->flags & DETECT_FLOW_FLAG_ONLYSTREAM) {
288  SCLogError(
289  "cannot set no_stream flag, DETECT_FLOW_FLAG_ONLYSTREAM already set");
290  goto error;
291  }
292  fd->flags |= DETECT_FLOW_FLAG_NOSTREAM;
293  } else if (strcasecmp(args[i], "no_frag") == 0) {
294  if (fd->flags & DETECT_FLOW_FLAG_NO_FRAG) {
295  SCLogError("cannot set no_frag flag is already set");
296  goto error;
297  } else if (fd->flags & DETECT_FLOW_FLAG_ONLY_FRAG) {
298  SCLogError("cannot set no_frag flag, only_frag already set");
299  goto error;
300  }
301  fd->flags |= DETECT_FLOW_FLAG_NO_FRAG;
302  } else if (strcasecmp(args[i], "only_frag") == 0) {
303  if (fd->flags & DETECT_FLOW_FLAG_ONLY_FRAG) {
304  SCLogError("cannot set only_frag flag is already set");
305  goto error;
306  } else if (fd->flags & DETECT_FLOW_FLAG_NO_FRAG) {
307  SCLogError("cannot set only_frag flag, no_frag already set");
308  goto error;
309  }
310  fd->flags |= DETECT_FLOW_FLAG_ONLY_FRAG;
311  } else {
312  SCLogError("invalid flow option \"%s\"", args[i]);
313  goto error;
314  }
315 
316  fd->match_cnt++;
317  //printf("args[%" PRId32 "]: %s match_cnt: %" PRId32 " flags: 0x%02X\n", i, args[i], fd->match_cnt, fd->flags);
318  }
319  }
320  pcre2_match_data_free(match);
321  return fd;
322 
323 error:
324  if (match) {
325  pcre2_match_data_free(match);
326  }
327  if (fd != NULL)
328  DetectFlowFree(de_ctx, fd);
329  return NULL;
330 
331 }
332 
333 int DetectFlowSetupImplicit(Signature *s, uint32_t flags)
334 {
335 #define SIG_FLAG_BOTH (SIG_FLAG_TOSERVER|SIG_FLAG_TOCLIENT)
336  BUG_ON(flags == 0);
337  BUG_ON(flags & ~SIG_FLAG_BOTH);
338  BUG_ON((flags & SIG_FLAG_BOTH) == SIG_FLAG_BOTH);
339 
340  SCLogDebug("want %08lx", flags & SIG_FLAG_BOTH);
341  SCLogDebug("have %08lx", s->flags & SIG_FLAG_BOTH);
342 
343  if (flags & SIG_FLAG_TOSERVER) {
344  if ((s->flags & SIG_FLAG_BOTH) == SIG_FLAG_BOTH) {
345  /* both is set if we just have 'flow:established' */
346  s->flags &= ~SIG_FLAG_TOCLIENT;
347  } else if (s->flags & SIG_FLAG_TOCLIENT) {
348  return -1;
349  }
350  s->flags |= SIG_FLAG_TOSERVER;
351  } else {
352  if ((s->flags & SIG_FLAG_BOTH) == SIG_FLAG_BOTH) {
353  /* both is set if we just have 'flow:established' */
354  s->flags &= ~SIG_FLAG_TOSERVER;
355  } else if (s->flags & SIG_FLAG_TOSERVER) {
356  return -1;
357  }
358  s->flags |= SIG_FLAG_TOCLIENT;
359  }
360  return 0;
361 #undef SIG_FLAG_BOTH
362 }
363 
364 /**
365  * \brief this function is used to add the parsed flowdata into the current signature
366  *
367  * \param de_ctx pointer to the Detection Engine Context
368  * \param s pointer to the Current Signature
369  * \param flowstr pointer to the user provided flow options
370  *
371  * \retval 0 on Success
372  * \retval -1 on Failure
373  */
374 int DetectFlowSetup (DetectEngineCtx *de_ctx, Signature *s, const char *flowstr)
375 {
376  /* ensure only one flow option */
377  if (s->init_data->init_flags & SIG_FLAG_INIT_FLOW) {
378  SCLogError("A signature may have only one flow option.");
379  return -1;
380  }
381 
382  DetectFlowData *fd = DetectFlowParse(de_ctx, flowstr);
383  if (fd == NULL)
384  return -1;
385 
386  SigMatch *sm = SigMatchAlloc();
387  if (sm == NULL)
388  goto error;
389 
390  sm->type = DETECT_FLOW;
391  sm->ctx = (SigMatchCtx *)fd;
392 
393  /* set the signature direction flags */
394  if (fd->flags & DETECT_FLOW_FLAG_TOSERVER) {
395  s->flags |= SIG_FLAG_TOSERVER;
396  } else if (fd->flags & DETECT_FLOW_FLAG_TOCLIENT) {
397  s->flags |= SIG_FLAG_TOCLIENT;
398  } else {
399  s->flags |= SIG_FLAG_TOSERVER;
400  s->flags |= SIG_FLAG_TOCLIENT;
401  }
402  if (fd->flags & DETECT_FLOW_FLAG_ONLYSTREAM) {
403  s->flags |= SIG_FLAG_REQUIRE_STREAM;
404  }
405  if (fd->flags & DETECT_FLOW_FLAG_NOSTREAM) {
406  s->flags |= SIG_FLAG_REQUIRE_PACKET;
407  } else if (fd->flags == DETECT_FLOW_FLAG_TOSERVER ||
408  fd->flags == DETECT_FLOW_FLAG_TOCLIENT)
409  {
410  /* no direct flow is needed for just direction,
411  * no sigmatch is needed either. */
412  SigMatchFree(de_ctx, sm);
413  sm = NULL;
414  } else {
415  s->init_data->init_flags |= SIG_FLAG_INIT_FLOW;
416  }
417 
418  if (sm != NULL) {
419  SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_MATCH);
420  }
421  return 0;
422 
423 error:
424  if (fd != NULL)
425  DetectFlowFree(de_ctx, fd);
426  return -1;
427 
428 }
429 
430 /**
431  * \brief this function will free memory associated with DetectFlowData
432  *
433  * \param fd pointer to DetectFlowData
434  */
435 void DetectFlowFree(DetectEngineCtx *de_ctx, void *ptr)
436 {
437  DetectFlowData *fd = (DetectFlowData *)ptr;
438  SCFree(fd);
439 }
440 
441 static void
442 PrefilterPacketFlowMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)
443 {
444  const PrefilterPacketHeaderCtx *ctx = pectx;
445 
446  if (!PrefilterPacketHeaderExtraMatch(ctx, p))
447  return;
448 
449  if (FlowMatch(p->flags, p->flowflags, det_ctx->flags, ctx->v1.u16[0], ctx->v1.u16[1])) {
450  PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);
451  }
452 }
453 
454 static void
455 PrefilterPacketFlowSet(PrefilterPacketHeaderValue *v, void *smctx)
456 {
457  const DetectFlowData *fb = smctx;
458  v->u16[0] = fb->flags;
459  v->u16[1] = fb->match_cnt;
460 }
461 
462 static bool
463 PrefilterPacketFlowCompare(PrefilterPacketHeaderValue v, void *smctx)
464 {
465  const DetectFlowData *fb = smctx;
466  if (v.u16[0] == fb->flags && v.u16[1] == fb->match_cnt) {
467  return true;
468  }
469  return false;
470 }
471 
472 static int PrefilterSetupFlow(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
473 {
474  return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_FLOW,
475  PrefilterPacketFlowSet,
476  PrefilterPacketFlowCompare,
477  PrefilterPacketFlowMatch);
478 }
479 
480 static bool PrefilterFlowIsPrefilterable(const Signature *s)
481 {
482  const SigMatch *sm;
483  for (sm = s->init_data->smlists[DETECT_SM_LIST_MATCH] ; sm != NULL; sm = sm->next) {
484  switch (sm->type) {
485  case DETECT_FLOW:
486  return true;
487  }
488  }
489  return false;
490 }
491 
492 #ifdef UNITTESTS
493 #include "detect-engine-alert.h"
494 
495 /**
496  * \test DetectFlowTestParse01 is a test to make sure that we return "something"
497  * when given valid flow opt
498  */
499 static int DetectFlowTestParse01 (void)
500 {
501  DetectFlowData *fd = NULL;
502  fd = DetectFlowParse(NULL, "established");
503  FAIL_IF_NULL(fd);
504  DetectFlowFree(NULL, fd);
505  PASS;
506 }
507 
508 /**
509  * \test DetectFlowTestParse02 is a test for setting the established flow opt
510  */
511 static int DetectFlowTestParse02 (void)
512 {
513  DetectFlowData *fd = NULL;
514  fd = DetectFlowParse(NULL, "established");
515  FAIL_IF_NULL(fd);
516  FAIL_IF_NOT(fd->flags == DETECT_FLOW_FLAG_ESTABLISHED &&
517  fd->match_cnt == 1);
518  PASS;
519 }
520 
521 /**
522  * \test DetectFlowTestParse03 is a test for setting the stateless flow opt
523  */
524 static int DetectFlowTestParse03 (void)
525 {
526  DetectFlowData *fd = NULL;
527  fd = DetectFlowParse(NULL, "stateless");
528  FAIL_IF_NULL(fd);
529  FAIL_IF_NOT(fd->flags == DETECT_FLOW_FLAG_STATELESS && fd->match_cnt == 1);
530  DetectFlowFree(NULL, fd);
531  PASS;
532 }
533 
534 /**
535  * \test DetectFlowTestParse04 is a test for setting the to_client flow opt
536  */
537 static int DetectFlowTestParse04 (void)
538 {
539  DetectFlowData *fd = NULL;
540  fd = DetectFlowParse(NULL, "to_client");
541  FAIL_IF_NULL(fd);
542  FAIL_IF_NOT(fd->flags == DETECT_FLOW_FLAG_TOCLIENT && fd->match_cnt == 1);
543  DetectFlowFree(NULL, fd);
544  PASS;
545 }
546 
547 /**
548  * \test DetectFlowTestParse05 is a test for setting the to_server flow opt
549  */
550 static int DetectFlowTestParse05 (void)
551 {
552  DetectFlowData *fd = NULL;
553  fd = DetectFlowParse(NULL, "to_server");
554  FAIL_IF_NULL(fd);
555  FAIL_IF_NOT(fd->flags == DETECT_FLOW_FLAG_TOSERVER && fd->match_cnt == 1);
556  DetectFlowFree(NULL, fd);
557  PASS;
558 }
559 
560 /**
561  * \test DetectFlowTestParse06 is a test for setting the from_server flow opt
562  */
563 static int DetectFlowTestParse06 (void)
564 {
565  DetectFlowData *fd = NULL;
566  fd = DetectFlowParse(NULL, "from_server");
567  FAIL_IF_NULL(fd);
568  FAIL_IF_NOT(fd->flags == DETECT_FLOW_FLAG_TOCLIENT && fd->match_cnt == 1);
569  DetectFlowFree(NULL, fd);
570  PASS;
571 }
572 
573 /**
574  * \test DetectFlowTestParse07 is a test for setting the from_client flow opt
575  */
576 static int DetectFlowTestParse07 (void)
577 {
578  DetectFlowData *fd = NULL;
579  fd = DetectFlowParse(NULL, "from_client");
580  FAIL_IF_NULL(fd);
581  FAIL_IF_NOT(fd->flags == DETECT_FLOW_FLAG_TOSERVER && fd->match_cnt == 1);
582  DetectFlowFree(NULL, fd);
583  PASS;
584 }
585 
586 /**
587  * \test DetectFlowTestParse08 is a test for setting the established,to_client flow opts
588  */
589 static int DetectFlowTestParse08 (void)
590 {
591  DetectFlowData *fd = NULL;
592  fd = DetectFlowParse(NULL, "established,to_client");
593  FAIL_IF_NULL(fd);
594  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_ESTABLISHED && fd->flags & DETECT_FLOW_FLAG_TOCLIENT && fd->match_cnt == 2);
595  DetectFlowFree(NULL, fd);
596  PASS;
597 }
598 
599 /**
600  * \test DetectFlowTestParse09 is a test for setting the to_client,stateless flow opts (order of state,dir reversed)
601  */
602 static int DetectFlowTestParse09 (void)
603 {
604  DetectFlowData *fd = NULL;
605  fd = DetectFlowParse(NULL, "to_client,stateless");
606  FAIL_IF_NULL(fd);
607  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_STATELESS &&
608  fd->flags & DETECT_FLOW_FLAG_TOCLIENT &&
609  fd->match_cnt == 2);
610  DetectFlowFree(NULL, fd);
611  PASS;
612 }
613 
614 /**
615  * \test DetectFlowTestParse10 is a test for setting the from_server,stateless flow opts (order of state,dir reversed)
616  */
617 static int DetectFlowTestParse10 (void)
618 {
619  DetectFlowData *fd = NULL;
620  fd = DetectFlowParse(NULL, "from_server,stateless");
621  FAIL_IF_NULL(fd);
622  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_STATELESS &&
623  fd->flags & DETECT_FLOW_FLAG_TOCLIENT &&
624  fd->match_cnt == 2);
625  DetectFlowFree(NULL, fd);
626  PASS;
627 }
628 
629 /**
630  * \test DetectFlowTestParse11 is a test for setting the from_server,stateless flow opts with spaces all around
631  */
632 static int DetectFlowTestParse11 (void)
633 {
634  DetectFlowData *fd = NULL;
635  fd = DetectFlowParse(NULL, " from_server , stateless ");
636  FAIL_IF_NULL(fd);
637  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_STATELESS &&
638  fd->flags & DETECT_FLOW_FLAG_TOCLIENT &&
639  fd->match_cnt == 2);
640  DetectFlowFree(NULL, fd);
641  PASS;
642 }
643 
644 /**
645  * \test DetectFlowTestParseNocase01 is a test to make sure that we return "something"
646  * when given valid flow opt
647  */
648 static int DetectFlowTestParseNocase01 (void)
649 {
650  DetectFlowData *fd = NULL;
651  fd = DetectFlowParse(NULL, "ESTABLISHED");
652  FAIL_IF_NULL(fd);
653  DetectFlowFree(NULL, fd);
654  PASS;
655 }
656 
657 /**
658  * \test DetectFlowTestParseNocase02 is a test for setting the established flow opt
659  */
660 static int DetectFlowTestParseNocase02 (void)
661 {
662  DetectFlowData *fd = NULL;
663  fd = DetectFlowParse(NULL, "ESTABLISHED");
664  FAIL_IF_NULL(fd);
665  FAIL_IF_NOT(fd->flags == DETECT_FLOW_FLAG_ESTABLISHED &&
666  fd->match_cnt == 1);
667  DetectFlowFree(NULL, fd);
668  PASS;
669 }
670 
671 /**
672  * \test DetectFlowTestParseNocase03 is a test for setting the stateless flow opt
673  */
674 static int DetectFlowTestParseNocase03 (void)
675 {
676  DetectFlowData *fd = NULL;
677  fd = DetectFlowParse(NULL, "STATELESS");
678  FAIL_IF_NULL(fd);
679  FAIL_IF_NOT(fd->flags == DETECT_FLOW_FLAG_STATELESS && fd->match_cnt == 1); DetectFlowFree(NULL, fd);
680  PASS;
681 }
682 
683 /**
684  * \test DetectFlowTestParseNocase04 is a test for setting the to_client flow opt
685  */
686 static int DetectFlowTestParseNocase04 (void)
687 {
688  DetectFlowData *fd = NULL;
689  fd = DetectFlowParse(NULL, "TO_CLIENT");
690  FAIL_IF_NULL(fd);
691  FAIL_IF_NOT(fd->flags == DETECT_FLOW_FLAG_TOCLIENT && fd->match_cnt == 1);
692  DetectFlowFree(NULL, fd);
693  PASS;
694 }
695 
696 /**
697  * \test DetectFlowTestParseNocase05 is a test for setting the to_server flow opt
698  */
699 static int DetectFlowTestParseNocase05 (void)
700 {
701  DetectFlowData *fd = NULL;
702  fd = DetectFlowParse(NULL, "TO_SERVER");
703  FAIL_IF_NULL(fd);
704  FAIL_IF_NOT(fd->flags == DETECT_FLOW_FLAG_TOSERVER && fd->match_cnt == 1);
705  DetectFlowFree(NULL, fd);
706  PASS;
707 }
708 
709 /**
710  * \test DetectFlowTestParseNocase06 is a test for setting the from_server flow opt
711  */
712 static int DetectFlowTestParseNocase06 (void)
713 {
714  DetectFlowData *fd = NULL;
715  fd = DetectFlowParse(NULL, "FROM_SERVER");
716  FAIL_IF_NULL(fd);
717  FAIL_IF_NOT(fd->flags == DETECT_FLOW_FLAG_TOCLIENT && fd->match_cnt == 1);
718  DetectFlowFree(NULL, fd);
719  PASS;
720 }
721 
722 /**
723  * \test DetectFlowTestParseNocase07 is a test for setting the from_client flow opt
724  */
725 static int DetectFlowTestParseNocase07 (void)
726 {
727  DetectFlowData *fd = NULL;
728  fd = DetectFlowParse(NULL, "FROM_CLIENT");
729  FAIL_IF_NULL(fd);
730  FAIL_IF_NOT(fd->flags == DETECT_FLOW_FLAG_TOSERVER && fd->match_cnt == 1);
731  DetectFlowFree(NULL, fd);
732  PASS;
733 }
734 
735 /**
736  * \test DetectFlowTestParseNocase08 is a test for setting the established,to_client flow opts
737  */
738 static int DetectFlowTestParseNocase08 (void)
739 {
740  DetectFlowData *fd = NULL;
741  fd = DetectFlowParse(NULL, "ESTABLISHED,TO_CLIENT");
742  FAIL_IF_NULL(fd);
743  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_ESTABLISHED &&
744  fd->flags & DETECT_FLOW_FLAG_TOCLIENT &&
745  fd->match_cnt == 2);
746  DetectFlowFree(NULL, fd);
747  PASS;
748 }
749 
750 /**
751  * \test DetectFlowTestParseNocase09 is a test for setting the to_client,stateless flow opts (order of state,dir reversed)
752  */
753 static int DetectFlowTestParseNocase09 (void)
754 {
755  DetectFlowData *fd = NULL;
756  fd = DetectFlowParse(NULL, "TO_CLIENT,STATELESS");
757  FAIL_IF_NULL(fd);
758  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_STATELESS &&
759  fd->flags & DETECT_FLOW_FLAG_TOCLIENT &&
760  fd->match_cnt == 2);
761  DetectFlowFree(NULL, fd);
762  PASS;
763 }
764 
765 /**
766  * \test DetectFlowTestParseNocase10 is a test for setting the from_server,stateless flow opts (order of state,dir reversed)
767  */
768 static int DetectFlowTestParseNocase10 (void)
769 {
770  DetectFlowData *fd = NULL;
771  fd = DetectFlowParse(NULL, "FROM_SERVER,STATELESS");
772  FAIL_IF_NULL(fd);
773  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_STATELESS &&
774  fd->flags & DETECT_FLOW_FLAG_TOCLIENT &&
775  fd->match_cnt == 2);
776  DetectFlowFree(NULL, fd);
777  PASS;
778 }
779 
780 /**
781  * \test DetectFlowTestParseNocase11 is a test for setting the from_server,stateless flow opts with spaces all around
782  */
783 static int DetectFlowTestParseNocase11 (void)
784 {
785  DetectFlowData *fd = NULL;
786  fd = DetectFlowParse(NULL, " FROM_SERVER , STATELESS ");
787  FAIL_IF_NULL(fd);
788  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_STATELESS &&
789  fd->flags & DETECT_FLOW_FLAG_TOCLIENT &&
790  fd->match_cnt == 2);
791  DetectFlowFree(NULL, fd);
792  PASS;
793 }
794 
795 /**
796  * \test DetectFlowTestParse12 is a test for setting an invalid separator :
797  */
798 static int DetectFlowTestParse12 (void)
799 {
800  DetectFlowData *fd = NULL;
801  fd = DetectFlowParse(NULL, "from_server:stateless");
802  FAIL_IF_NOT_NULL(fd);
803  PASS;
804 }
805 
806 /**
807  * \test DetectFlowTestParse13 is a test for an invalid option
808  */
809 static int DetectFlowTestParse13 (void)
810 {
811  DetectFlowData *fd = NULL;
812  fd = DetectFlowParse(NULL, "invalidoptiontest");
813  FAIL_IF_NOT_NULL(fd);
814  PASS;
815 }
816 
817 /**
818  * \test DetectFlowTestParse14 is a test for a empty option
819  */
820 static int DetectFlowTestParse14 (void)
821 {
822  DetectFlowData *fd = NULL;
823  fd = DetectFlowParse(NULL, "");
824  FAIL_IF_NOT_NULL(fd);
825  PASS;
826 }
827 
828 /**
829  * \test DetectFlowTestParse15 is a test for an invalid combo of options established,stateless
830  */
831 static int DetectFlowTestParse15 (void)
832 {
833  DetectFlowData *fd = NULL;
834  fd = DetectFlowParse(NULL, "established,stateless");
835  FAIL_IF_NOT_NULL(fd);
836  PASS;
837 }
838 
839 /**
840  * \test DetectFlowTestParse16 is a test for an invalid combo of options to_client,to_server
841  */
842 static int DetectFlowTestParse16 (void)
843 {
844  DetectFlowData *fd = NULL;
845  fd = DetectFlowParse(NULL, "to_client,to_server");
846  FAIL_IF_NOT_NULL(fd);
847  PASS;
848 }
849 
850 /**
851  * \test DetectFlowTestParse16 is a test for an invalid combo of options to_client,from_server
852  * flowbit flags are the same
853  */
854 static int DetectFlowTestParse17 (void)
855 {
856  DetectFlowData *fd = NULL;
857  fd = DetectFlowParse(NULL, "to_client,from_server");
858  FAIL_IF_NOT_NULL(fd);
859  PASS;
860 }
861 
862 /**
863  * \test DetectFlowTestParse18 is a test for setting the from_server,stateless,only_stream flow opts (order of state,dir reversed)
864  */
865 static int DetectFlowTestParse18 (void)
866 {
867  DetectFlowData *fd = NULL;
868  fd = DetectFlowParse(NULL, "from_server,established,only_stream");
869  FAIL_IF_NULL(fd);
870  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_ESTABLISHED &&
871  fd->flags & DETECT_FLOW_FLAG_TOCLIENT &&
872  fd->flags & DETECT_FLOW_FLAG_ONLYSTREAM &&
873  fd->match_cnt == 3);
874  DetectFlowFree(NULL, fd);
875  PASS;
876 }
877 
878 /**
879  * \test DetectFlowTestParseNocase18 is a test for setting the from_server,stateless,only_stream flow opts (order of state,dir reversed)
880  */
881 static int DetectFlowTestParseNocase18 (void)
882 {
883  DetectFlowData *fd = NULL;
884  fd = DetectFlowParse(NULL, "FROM_SERVER,ESTABLISHED,ONLY_STREAM");
885  FAIL_IF_NULL(fd);
886  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_ESTABLISHED &&
887  fd->flags & DETECT_FLOW_FLAG_TOCLIENT &&
888  fd->flags & DETECT_FLOW_FLAG_ONLYSTREAM &&
889  fd->match_cnt == 3);
890  DetectFlowFree(NULL, fd);
891  PASS;
892 }
893 
894 
895 /**
896  * \test DetectFlowTestParse19 is a test for one to many options passed to DetectFlowParse
897  */
898 static int DetectFlowTestParse19 (void)
899 {
900  DetectFlowData *fd = NULL;
901  fd = DetectFlowParse(NULL, "from_server,established,only_stream,a");
902  FAIL_IF_NOT_NULL(fd);
903  PASS;
904 }
905 
906 /**
907  * \test DetectFlowTestParse20 is a test for setting from_server, established, no_stream
908  */
909 static int DetectFlowTestParse20 (void)
910 {
911  DetectFlowData *fd = NULL;
912  fd = DetectFlowParse(NULL, "from_server,established,no_stream");
913  FAIL_IF_NULL(fd);
914  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_ESTABLISHED &&
915  fd->flags & DETECT_FLOW_FLAG_TOCLIENT &&
916  fd->flags & DETECT_FLOW_FLAG_NOSTREAM &&
917  fd->match_cnt == 3);
918  DetectFlowFree(NULL, fd);
919  PASS;
920 }
921 
922 /**
923  * \test DetectFlowTestParse20 is a test for setting from_server, established, no_stream
924  */
925 static int DetectFlowTestParseNocase20 (void)
926 {
927  DetectFlowData *fd = NULL;
928  fd = DetectFlowParse(NULL, "FROM_SERVER,ESTABLISHED,NO_STREAM");
929  FAIL_IF_NULL(fd);
930  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_ESTABLISHED &&
931  fd->flags & DETECT_FLOW_FLAG_TOCLIENT &&
932  fd->flags & DETECT_FLOW_FLAG_NOSTREAM &&
933  fd->match_cnt == 3);
934  DetectFlowFree(NULL, fd);
935  PASS;
936 }
937 
938 /**
939  * \test DetectFlowTestParse21 is a test for an invalid opt between to valid opts
940  */
941 static int DetectFlowTestParse21 (void)
942 {
943  DetectFlowData *fd = NULL;
944  fd = DetectFlowParse(NULL, "from_server,a,no_stream");
945  FAIL_IF_NOT_NULL(fd);
946  PASS;
947 }
948 
949 static int DetectFlowSigTest01(void)
950 {
951  uint8_t *buf = (uint8_t *)"supernovaduper";
952  uint16_t buflen = strlen((char *)buf);
953  ThreadVars th_v;
954  DecodeThreadVars dtv;
955  memset(&dtv, 0, sizeof(DecodeThreadVars));
956  memset(&th_v, 0, sizeof(th_v));
957 
958  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
959  FAIL_IF_NULL(p);
960 
961  const char *sig1 = "alert tcp any any -> any any (msg:\"dummy\"; "
962  "content:\"nova\"; flow:no_stream; sid:1;)";
963 
964  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
965  FAIL_IF_NULL(de_ctx);
966  de_ctx->flags |= DE_QUIET;
967 
968  de_ctx->sig_list = SigInit(de_ctx, sig1);
969  FAIL_IF_NULL(de_ctx->sig_list);
970 
971  SigGroupBuild(de_ctx);
972  DetectEngineThreadCtx *det_ctx = NULL;
973  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
974  FAIL_IF_NULL(det_ctx);
975 
976  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
977  FAIL_IF(PacketAlertCheck(p, 1) != 1);
978 
979  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
980  DetectEngineCtxFree(de_ctx);
981  UTHFreePacket(p);
982 
983  PASS;
984 }
985 
986 /**
987  * \test Test parsing of the not_established keyword.
988  */
989 static int DetectFlowTestParseNotEstablished(void)
990 {
991  DetectFlowData *fd = NULL;
992  fd = DetectFlowParse(NULL, "not_established");
993  FAIL_IF_NULL(fd);
994  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_NOT_ESTABLISHED);
995  DetectFlowFree(NULL, fd);
996  PASS;
997 }
998 
999 /**
1000  * \test Test parsing of the "no_frag" flow argument.
1001  */
1002 static int DetectFlowTestParseNoFrag(void)
1003 {
1004  DetectFlowData *fd = NULL;
1005  fd = DetectFlowParse(NULL, "no_frag");
1006  FAIL_IF_NULL(fd);
1007  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_NO_FRAG);
1008  DetectFlowFree(NULL, fd);
1009  PASS;
1010 }
1011 
1012 /**
1013  * \test Test parsing of the "only_frag" flow argument.
1014  */
1015 static int DetectFlowTestParseOnlyFrag(void)
1016 {
1017  DetectFlowData *fd = NULL;
1018  fd = DetectFlowParse(NULL, "only_frag");
1019  FAIL_IF_NULL(fd);
1020  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_ONLY_FRAG);
1021  DetectFlowFree(NULL, fd);
1022  PASS;
1023 }
1024 
1025 /**
1026  * \test Test that parsing of only_frag and no_frag together fails.
1027  */
1028 static int DetectFlowTestParseNoFragOnlyFrag(void)
1029 {
1030  DetectFlowData *fd = NULL;
1031  fd = DetectFlowParse(NULL, "no_frag,only_frag");
1032  FAIL_IF_NOT_NULL(fd);
1033  PASS;
1034 }
1035 
1036 /**
1037  * \test Test no_frag matching.
1038  */
1039 static int DetectFlowTestNoFragMatch(void)
1040 {
1041  uint32_t pflags = 0;
1042  DetectFlowData *fd = DetectFlowParse(NULL, "no_frag");
1043  FAIL_IF_NULL(fd);
1044  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_NO_FRAG);
1045  FAIL_IF_NOT(fd->match_cnt == 1);
1046  FAIL_IF_NOT(FlowMatch(pflags, 0, 0, fd->flags, fd->match_cnt));
1047  pflags |= PKT_REBUILT_FRAGMENT;
1048  FAIL_IF(FlowMatch(pflags, 0, 0, fd->flags, fd->match_cnt));
1049  PASS;
1050 }
1051 
1052 /**
1053  * \test Test only_frag matching.
1054  */
1055 static int DetectFlowTestOnlyFragMatch(void)
1056 {
1057  uint32_t pflags = 0;
1058  DetectFlowData *fd = DetectFlowParse(NULL, "only_frag");
1059  FAIL_IF_NULL(fd);
1060  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_ONLY_FRAG);
1061  FAIL_IF_NOT(fd->match_cnt == 1);
1062  FAIL_IF(FlowMatch(pflags, 0, 0, fd->flags, fd->match_cnt));
1063  pflags |= PKT_REBUILT_FRAGMENT;
1064  FAIL_IF_NOT(FlowMatch(pflags, 0, 0, fd->flags, fd->match_cnt));
1065  PASS;
1066 }
1067 
1068 /**
1069  * \brief this function registers unit tests for DetectFlow
1070  */
1071 static void DetectFlowRegisterTests(void)
1072 {
1073  UtRegisterTest("DetectFlowTestParse01", DetectFlowTestParse01);
1074  UtRegisterTest("DetectFlowTestParse02", DetectFlowTestParse02);
1075  UtRegisterTest("DetectFlowTestParse03", DetectFlowTestParse03);
1076  UtRegisterTest("DetectFlowTestParse04", DetectFlowTestParse04);
1077  UtRegisterTest("DetectFlowTestParse05", DetectFlowTestParse05);
1078  UtRegisterTest("DetectFlowTestParse06", DetectFlowTestParse06);
1079  UtRegisterTest("DetectFlowTestParse07", DetectFlowTestParse07);
1080  UtRegisterTest("DetectFlowTestParse08", DetectFlowTestParse08);
1081  UtRegisterTest("DetectFlowTestParse09", DetectFlowTestParse09);
1082  UtRegisterTest("DetectFlowTestParse10", DetectFlowTestParse10);
1083  UtRegisterTest("DetectFlowTestParse11", DetectFlowTestParse11);
1084  UtRegisterTest("DetectFlowTestParseNocase01", DetectFlowTestParseNocase01);
1085  UtRegisterTest("DetectFlowTestParseNocase02", DetectFlowTestParseNocase02);
1086  UtRegisterTest("DetectFlowTestParseNocase03", DetectFlowTestParseNocase03);
1087  UtRegisterTest("DetectFlowTestParseNocase04", DetectFlowTestParseNocase04);
1088  UtRegisterTest("DetectFlowTestParseNocase05", DetectFlowTestParseNocase05);
1089  UtRegisterTest("DetectFlowTestParseNocase06", DetectFlowTestParseNocase06);
1090  UtRegisterTest("DetectFlowTestParseNocase07", DetectFlowTestParseNocase07);
1091  UtRegisterTest("DetectFlowTestParseNocase08", DetectFlowTestParseNocase08);
1092  UtRegisterTest("DetectFlowTestParseNocase09", DetectFlowTestParseNocase09);
1093  UtRegisterTest("DetectFlowTestParseNocase10", DetectFlowTestParseNocase10);
1094  UtRegisterTest("DetectFlowTestParseNocase11", DetectFlowTestParseNocase11);
1095  UtRegisterTest("DetectFlowTestParse12", DetectFlowTestParse12);
1096  UtRegisterTest("DetectFlowTestParse13", DetectFlowTestParse13);
1097  UtRegisterTest("DetectFlowTestParse14", DetectFlowTestParse14);
1098  UtRegisterTest("DetectFlowTestParse15", DetectFlowTestParse15);
1099  UtRegisterTest("DetectFlowTestParse16", DetectFlowTestParse16);
1100  UtRegisterTest("DetectFlowTestParse17", DetectFlowTestParse17);
1101  UtRegisterTest("DetectFlowTestParse18", DetectFlowTestParse18);
1102  UtRegisterTest("DetectFlowTestParseNocase18", DetectFlowTestParseNocase18);
1103  UtRegisterTest("DetectFlowTestParse19", DetectFlowTestParse19);
1104  UtRegisterTest("DetectFlowTestParse20", DetectFlowTestParse20);
1105  UtRegisterTest("DetectFlowTestParseNocase20", DetectFlowTestParseNocase20);
1106  UtRegisterTest("DetectFlowTestParse21", DetectFlowTestParse21);
1107  UtRegisterTest("DetectFlowTestParseNotEstablished",
1108  DetectFlowTestParseNotEstablished);
1109  UtRegisterTest("DetectFlowTestParseNoFrag", DetectFlowTestParseNoFrag);
1110  UtRegisterTest("DetectFlowTestParseOnlyFrag",
1111  DetectFlowTestParseOnlyFrag);
1112  UtRegisterTest("DetectFlowTestParseNoFragOnlyFrag",
1113  DetectFlowTestParseNoFragOnlyFrag);
1114  UtRegisterTest("DetectFlowTestNoFragMatch", DetectFlowTestNoFragMatch);
1115  UtRegisterTest("DetectFlowTestOnlyFragMatch", DetectFlowTestOnlyFragMatch);
1116 
1117  UtRegisterTest("DetectFlowSigTest01", DetectFlowSigTest01);
1118 }
1119 #endif /* UNITTESTS */
DETECT_FLOW_FLAG_TOCLIENT
#define DETECT_FLOW_FLAG_TOCLIENT
Definition: detect-flow.h:28
DETECT_FLOW_FLAG_STATELESS
#define DETECT_FLOW_FLAG_STATELESS
Definition: detect-flow.h:31
SigTableElmt_::url
const char * url
Definition: detect.h:1288
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:437
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:567
SigTableElmt_::desc
const char * desc
Definition: detect.h:1287
SigMatchFree
void SigMatchFree(DetectEngineCtx *de_ctx, SigMatch *sm)
free a SigMatch
Definition: detect-parse.c:337
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1275
DetectFlowData_
Definition: detect-flow.h:37
DetectParseRegex
Definition: detect-parse.h:62
DETECT_FLOW_FLAG_NOSTREAM
#define DETECT_FLOW_FLAG_NOSTREAM
Definition: detect-flow.h:33
SigTableElmt_::name
const char * name
Definition: detect.h:1285
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1439
SIG_FLAG_INIT_FLOW
#define SIG_FLAG_INIT_FLOW
Definition: detect.h:276
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DETECT_FLOW
@ DETECT_FLOW
Definition: detect-engine-register.h:54
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
Packet_::flags
uint32_t flags
Definition: decode.h:467
DetectFlowData_::match_cnt
uint8_t match_cnt
Definition: detect-flow.h:39
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1182
DetectFlowData_::flags
uint16_t flags
Definition: detect-flow.h:38
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:827
PrefilterPacketHeaderCtx_::sigs_array
SigIntId * sigs_array
Definition: detect-engine-prefilter-common.h:43
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2592
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:221
SIG_FLAG_REQUIRE_STREAM
#define SIG_FLAG_REQUIRE_STREAM
Definition: detect.h:243
DetectEngineThreadCtx_::flags
uint16_t flags
Definition: detect.h:1141
DE_QUIET
#define DE_QUIET
Definition: detect.h:315
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:337
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1824
SignatureInitData_::init_flags
uint32_t init_flags
Definition: detect.h:537
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
Definition: detect-parse.c:2629
PrefilterPacketHeaderCtx_::sigs_cnt
uint32_t sigs_cnt
Definition: detect-engine-prefilter-common.h:42
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:461
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:256
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1270
DetectFlowSetupImplicit
int DetectFlowSetupImplicit(Signature *s, uint32_t flags)
Definition: detect-flow.c:333
PrefilterPacketHeaderValue::u16
uint16_t u16[8]
Definition: detect-engine-prefilter-common.h:25
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
SigTableElmt_::SetupPrefilter
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
Definition: detect.h:1273
DETECT_FLOW_FLAG_ONLYSTREAM
#define DETECT_FLOW_FLAG_ONLYSTREAM
Definition: detect-flow.h:32
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:255
PrefilterPacketHeaderCtx_
Definition: detect-engine-prefilter-common.h:35
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1075
PARSE_REGEX
#define PARSE_REGEX
Regex for parsing our flow options.
Definition: detect-flow.c:47
DETECT_FLOW_FLAG_TOSERVER
#define DETECT_FLOW_FLAG_TOSERVER
Definition: detect-flow.h:27
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2753
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:345
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:108
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2270
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:344
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:295
Signature_::flags
uint32_t flags
Definition: detect.h:583
Packet_
Definition: decode.h:430
detect-engine-build.h
detect-engine-alert.h
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:654
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1253
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:222
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:322
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1971
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:33
PrefilterPacketHeaderCtx_::v1
PrefilterPacketHeaderValue v1
Definition: detect-engine-prefilter-common.h:36
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:336
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3308
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3522
SigMatch_::type
uint16_t type
Definition: detect.h:342
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:129
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:835
DetectFlowRegister
void DetectFlowRegister(void)
Registration function for flow: keyword.
Definition: detect-flow.c:65
SIG_FLAG_BOTH
#define SIG_FLAG_BOTH
PrefilterSetupPacketHeader
int PrefilterSetupPacketHeader(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type, void(*Set)(PrefilterPacketHeaderValue *v, void *), bool(*Compare)(PrefilterPacketHeaderValue v, void *), void(*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
Definition: detect-engine-prefilter-common.c:417
DETECT_FLOW_FLAG_NOT_ESTABLISHED
#define DETECT_FLOW_FLAG_NOT_ESTABLISHED
Definition: detect-flow.h:30
detect-flow.h
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
DETECT_FLOW_FLAG_ONLY_FRAG
#define DETECT_FLOW_FLAG_ONLY_FRAG
Definition: detect-flow.h:35
DETECT_ENGINE_THREAD_CTX_STREAM_CONTENT_MATCH
#define DETECT_ENGINE_THREAD_CTX_STREAM_CONTENT_MATCH
Definition: detect.h:303
PKT_REBUILT_FRAGMENT
#define PKT_REBUILT_FRAGMENT
Definition: decode.h:1036
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:668
SigTableElmt_::SupportsPrefilter
bool(* SupportsPrefilter)(const Signature *s)
Definition: detect.h:1272
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:485
DETECT_FLOW_FLAG_ESTABLISHED
#define DETECT_FLOW_FLAG_ESTABLISHED
Definition: detect-flow.h:29
detect-parse.h
DetectFlowFree
void DetectFlowFree(DetectEngineCtx *, void *)
this function will free memory associated with DetectFlowData
Definition: detect-flow.c:435
Signature_
Signature container.
Definition: detect.h:582
SigMatch_
a single match condition for a signature
Definition: detect.h:341
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:223
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2553
SC_Pcre2SubstringCopy
int SC_Pcre2SubstringCopy(pcre2_match_data *match_data, uint32_t number, PCRE2_UCHAR *buffer, PCRE2_SIZE *bufflen)
Definition: detect-parse.c:2729
DetectFlowMatch
int DetectFlowMatch(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
This function is used to match flow flags set on a packet with those passed via flow:
Definition: detect-flow.c:138
PrefilterPacketHeaderValue
Definition: detect-engine-prefilter-common.h:23
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:829
detect-engine-prefilter-common.h
flow.h
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
flow-var.h
DETECT_FLOW_FLAG_NO_FRAG
#define DETECT_FLOW_FLAG_NO_FRAG
Definition: detect-flow.h:34
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1277
SIG_FLAG_REQUIRE_PACKET
#define SIG_FLAG_REQUIRE_PACKET
Definition: detect.h:242