suricata
detect-flow.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * FLOW part of the detection engine.
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 
29 #include "detect.h"
30 #include "detect-parse.h"
31 #include "detect-engine.h"
33 #include "detect-engine-build.h"
34 
35 #include "flow.h"
36 #include "flow-var.h"
37 
38 #include "detect-flow.h"
39 
40 #include "util-unittest.h"
41 #include "util-unittest-helper.h"
42 #include "util-debug.h"
43 
44 /**
45  * \brief Regex for parsing our flow options
46  */
47 #define PARSE_REGEX "^\\s*([A-z_]+)\\s*(?:,\\s*([A-z_]+))?\\s*(?:,\\s*([A-z_]+))?\\s*$"
48 
49 static DetectParseRegex parse_regex;
50 
52  const Signature *, const SigMatchCtx *);
53 static int DetectFlowSetup (DetectEngineCtx *, Signature *, const char *);
54 #ifdef UNITTESTS
55 static void DetectFlowRegisterTests(void);
56 #endif
57 void DetectFlowFree(DetectEngineCtx *, void *);
58 
59 static int PrefilterSetupFlow(DetectEngineCtx *de_ctx, SigGroupHead *sgh);
60 static bool PrefilterFlowIsPrefilterable(const Signature *s);
61 
62 /**
63  * \brief Registration function for flow: keyword
64  */
65 void DetectFlowRegister (void)
66 {
68  sigmatch_table[DETECT_FLOW].desc = "match on direction and state of the flow";
69  sigmatch_table[DETECT_FLOW].url = "/rules/flow-keywords.html#flow";
71  sigmatch_table[DETECT_FLOW].Setup = DetectFlowSetup;
74 #ifdef UNITTESTS
75  sigmatch_table[DETECT_FLOW].RegisterTests = DetectFlowRegisterTests;
76 #endif
77  sigmatch_table[DETECT_FLOW].SupportsPrefilter = PrefilterFlowIsPrefilterable;
78  sigmatch_table[DETECT_FLOW].SetupPrefilter = PrefilterSetupFlow;
79 
80  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
81 }
82 
83 /**
84  * \param pflags packet flags (p->flags)
85  * \param pflowflags packet flow flags (p->flowflags)
86  * \param dflags detect flow flags
87  * \param match_cnt number of matches to trigger
88  */
89 static inline int FlowMatch(const uint32_t pflags, const uint8_t pflowflags, const uint16_t dflags,
90  const uint16_t match_cnt)
91 {
92  uint8_t cnt = 0;
93 
94  if ((dflags & DETECT_FLOW_FLAG_NO_FRAG) &&
95  (!(pflags & PKT_REBUILT_FRAGMENT))) {
96  cnt++;
97  } else if ((dflags & DETECT_FLOW_FLAG_ONLY_FRAG) &&
98  (pflags & PKT_REBUILT_FRAGMENT)) {
99  cnt++;
100  }
101 
102  if ((dflags & DETECT_FLOW_FLAG_TOSERVER) && (pflowflags & FLOW_PKT_TOSERVER)) {
103  cnt++;
104  } else if ((dflags & DETECT_FLOW_FLAG_TOCLIENT) && (pflowflags & FLOW_PKT_TOCLIENT)) {
105  cnt++;
106  }
107 
108  if ((dflags & DETECT_FLOW_FLAG_ESTABLISHED) && (pflowflags & FLOW_PKT_ESTABLISHED)) {
109  cnt++;
110  } else if (dflags & DETECT_FLOW_FLAG_NOT_ESTABLISHED && (!(pflowflags & FLOW_PKT_ESTABLISHED))) {
111  cnt++;
112  } else if (dflags & DETECT_FLOW_FLAG_STATELESS) {
113  cnt++;
114  }
115 
116  return (match_cnt == cnt) ? 1 : 0;
117 }
118 
119 /**
120  * \brief This function is used to match flow flags set on a packet with those passed via flow:
121  *
122  * \param t pointer to thread vars
123  * \param det_ctx pointer to the pattern matcher thread
124  * \param p pointer to the current packet
125  * \param m pointer to the sigmatch that we will cast into DetectFlowData
126  *
127  * \retval 0 no match
128  * \retval 1 match
129  */
131  const Signature *s, const SigMatchCtx *ctx)
132 {
133  SCEnter();
134 
135  SCLogDebug("pkt %p", p);
136 
137  if (p->flowflags & FLOW_PKT_TOSERVER) {
138  SCLogDebug("FLOW_PKT_TOSERVER");
139  } else if (p->flowflags & FLOW_PKT_TOCLIENT) {
140  SCLogDebug("FLOW_PKT_TOCLIENT");
141  }
142 
143  if (p->flowflags & FLOW_PKT_ESTABLISHED) {
144  SCLogDebug("FLOW_PKT_ESTABLISHED");
145  }
146 
147  const DetectFlowData *fd = (const DetectFlowData *)ctx;
148 
149  const int ret = FlowMatch(p->flags, p->flowflags, fd->flags, fd->match_cnt);
150  SCLogDebug("returning %" PRId32 " fd->match_cnt %" PRId32 " fd->flags 0x%02X p->flowflags 0x%02X",
151  ret, fd->match_cnt, fd->flags, p->flowflags);
152  SCReturnInt(ret);
153 }
154 
155 /**
156  * \brief This function is used to parse flow options passed via flow: keyword
157  *
158  * \param de_ctx Pointer to the detection engine context
159  * \param flowstr Pointer to the user provided flow options
160  * \param[out] parse_flags keyword flags only used during parsing
161  *
162  * \retval fd pointer to DetectFlowData on success
163  * \retval NULL on failure
164  */
165 static DetectFlowData *DetectFlowParse(
166  DetectEngineCtx *de_ctx, const char *flowstr, uint16_t *parse_flags)
167 {
168  DetectFlowData *fd = NULL;
169  char *args[3] = {NULL,NULL,NULL};
170  int res = 0;
171  size_t pcre2len;
172  char str1[16] = "", str2[16] = "", str3[16] = "";
173  pcre2_match_data *match = NULL;
174 
175  int ret = DetectParsePcreExec(&parse_regex, &match, flowstr, 0, 0);
176  if (ret < 1 || ret > 4) {
177  SCLogError("parse error, ret %" PRId32 ", string %s", ret, flowstr);
178  goto error;
179  }
180 
181  if (ret > 1) {
182  pcre2len = sizeof(str1);
183  res = SC_Pcre2SubstringCopy(match, 1, (PCRE2_UCHAR8 *)str1, &pcre2len);
184  if (res < 0) {
185  SCLogError("pcre2_substring_copy_bynumber failed");
186  goto error;
187  }
188  args[0] = (char *)str1;
189 
190  if (ret > 2) {
191  pcre2len = sizeof(str2);
192  res = pcre2_substring_copy_bynumber(match, 2, (PCRE2_UCHAR8 *)str2, &pcre2len);
193  if (res < 0) {
194  SCLogError("pcre2_substring_copy_bynumber failed");
195  goto error;
196  }
197  args[1] = (char *)str2;
198  }
199  if (ret > 3) {
200  pcre2len = sizeof(str3);
201  res = pcre2_substring_copy_bynumber(match, 3, (PCRE2_UCHAR8 *)str3, &pcre2len);
202  if (res < 0) {
203  SCLogError("pcre2_substring_copy_bynumber failed");
204  goto error;
205  }
206  args[2] = (char *)str3;
207  }
208  }
209 
210  fd = SCMalloc(sizeof(DetectFlowData));
211  if (unlikely(fd == NULL))
212  goto error;
213  fd->flags = 0;
214  fd->match_cnt = 0;
215 
216  for (int i = 0; i < (ret - 1); i++) {
217  if (args[i]) {
218  /* inspect our options and set the flags */
219  if (strcasecmp(args[i], "established") == 0) {
221  SCLogError("DETECT_FLOW_FLAG_ESTABLISHED flag is already set");
222  goto error;
223  } else if (fd->flags & DETECT_FLOW_FLAG_NOT_ESTABLISHED) {
224  SCLogError("cannot set DETECT_FLOW_FLAG_ESTABLISHED, "
225  "DETECT_FLOW_FLAG_NOT_ESTABLISHED already set");
226  goto error;
227  } else if (fd->flags & DETECT_FLOW_FLAG_STATELESS) {
228  SCLogError("DETECT_FLOW_FLAG_STATELESS already set");
229  goto error;
230  }
232  fd->match_cnt++;
233  } else if (strcasecmp(args[i], "not_established") == 0) {
235  SCLogError("DETECT_FLOW_FLAG_NOT_ESTABLISHED flag is already set");
236  goto error;
237  } else if (fd->flags & DETECT_FLOW_FLAG_ESTABLISHED) {
238  SCLogError("cannot set DETECT_FLOW_FLAG_NOT_ESTABLISHED, "
239  "DETECT_FLOW_FLAG_ESTABLISHED already set");
240  goto error;
241  }
243  fd->match_cnt++;
244  } else if (strcasecmp(args[i], "stateless") == 0) {
245  if (fd->flags & DETECT_FLOW_FLAG_STATELESS) {
246  SCLogError("DETECT_FLOW_FLAG_STATELESS flag is already set");
247  goto error;
248  } else if (fd->flags & DETECT_FLOW_FLAG_ESTABLISHED) {
249  SCLogError("cannot set DETECT_FLOW_FLAG_STATELESS, "
250  "DETECT_FLOW_FLAG_ESTABLISHED already set");
251  goto error;
252  }
254  fd->match_cnt++;
255  } else if (strcasecmp(args[i], "to_client") == 0 || strcasecmp(args[i], "from_server") == 0) {
256  if (fd->flags & DETECT_FLOW_FLAG_TOCLIENT) {
257  SCLogError("cannot set DETECT_FLOW_FLAG_TOCLIENT flag is already set");
258  goto error;
259  } else if (fd->flags & DETECT_FLOW_FLAG_TOSERVER) {
260  SCLogError("cannot set to_client, DETECT_FLOW_FLAG_TOSERVER already set");
261  goto error;
262  }
264  fd->match_cnt++;
265  } else if (strcasecmp(args[i], "to_server") == 0 || strcasecmp(args[i], "from_client") == 0){
266  if (fd->flags & DETECT_FLOW_FLAG_TOSERVER) {
267  SCLogError("cannot set DETECT_FLOW_FLAG_TOSERVER flag is already set");
268  goto error;
269  } else if (fd->flags & DETECT_FLOW_FLAG_TOCLIENT) {
270  SCLogError("cannot set to_server, DETECT_FLOW_FLAG_TO_CLIENT flag already set");
271  goto error;
272  }
274  fd->match_cnt++;
275  } else if (strcasecmp(args[i], "no_frag") == 0) {
276  if (fd->flags & DETECT_FLOW_FLAG_NO_FRAG) {
277  SCLogError("cannot set no_frag flag is already set");
278  goto error;
279  } else if (fd->flags & DETECT_FLOW_FLAG_ONLY_FRAG) {
280  SCLogError("cannot set no_frag flag, only_frag already set");
281  goto error;
282  }
284  fd->match_cnt++;
285  } else if (strcasecmp(args[i], "only_frag") == 0) {
286  if (fd->flags & DETECT_FLOW_FLAG_ONLY_FRAG) {
287  SCLogError("cannot set only_frag flag is already set");
288  goto error;
289  } else if (fd->flags & DETECT_FLOW_FLAG_NO_FRAG) {
290  SCLogError("cannot set only_frag flag, no_frag already set");
291  goto error;
292  }
294  fd->match_cnt++;
295 
296  /* special case: these only affect parsing, not matching */
297 
298  } else if (strcasecmp(args[i], "only_stream") == 0) {
299  if (*parse_flags & DETECT_FLOW_FLAG_ONLYSTREAM) {
300  SCLogError("cannot set only_stream flag is already set");
301  goto error;
302  } else if (*parse_flags & DETECT_FLOW_FLAG_NOSTREAM) {
303  SCLogError(
304  "cannot set only_stream flag, DETECT_FLOW_FLAG_NOSTREAM already set");
305  goto error;
306  }
307  *parse_flags |= DETECT_FLOW_FLAG_ONLYSTREAM;
308  } else if (strcasecmp(args[i], "no_stream") == 0) {
309  if (*parse_flags & DETECT_FLOW_FLAG_NOSTREAM) {
310  SCLogError("cannot set no_stream flag is already set");
311  goto error;
312  } else if (*parse_flags & DETECT_FLOW_FLAG_ONLYSTREAM) {
313  SCLogError(
314  "cannot set no_stream flag, DETECT_FLOW_FLAG_ONLYSTREAM already set");
315  goto error;
316  }
317  *parse_flags |= DETECT_FLOW_FLAG_NOSTREAM;
318  } else {
319  SCLogError("invalid flow option \"%s\"", args[i]);
320  goto error;
321  }
322  }
323  }
324  pcre2_match_data_free(match);
325  return fd;
326 
327 error:
328  if (match) {
329  pcre2_match_data_free(match);
330  }
331  if (fd != NULL)
332  DetectFlowFree(de_ctx, fd);
333  return NULL;
334 
335 }
336 
338 {
339 #define SIG_FLAG_BOTH (SIG_FLAG_TOSERVER|SIG_FLAG_TOCLIENT)
340  BUG_ON(flags == 0);
343 
344  SCLogDebug("want %08x", flags & SIG_FLAG_BOTH);
345  SCLogDebug("have %08x", s->flags & SIG_FLAG_BOTH);
346 
347  if (flags & SIG_FLAG_TOSERVER) {
348  if ((s->flags & SIG_FLAG_BOTH) == SIG_FLAG_BOTH) {
349  /* both is set if we just have 'flow:established' */
350  s->flags &= ~SIG_FLAG_TOCLIENT;
351  } else if (s->flags & SIG_FLAG_TOCLIENT) {
352  return -1;
353  }
354  s->flags |= SIG_FLAG_TOSERVER;
355  } else {
356  if ((s->flags & SIG_FLAG_BOTH) == SIG_FLAG_BOTH) {
357  /* both is set if we just have 'flow:established' */
358  s->flags &= ~SIG_FLAG_TOSERVER;
359  } else if (s->flags & SIG_FLAG_TOSERVER) {
360  return -1;
361  }
362  s->flags |= SIG_FLAG_TOCLIENT;
363  }
364  return 0;
365 #undef SIG_FLAG_BOTH
366 }
367 
368 /**
369  * \brief this function is used to add the parsed flowdata into the current signature
370  *
371  * \param de_ctx pointer to the Detection Engine Context
372  * \param s pointer to the Current Signature
373  * \param flowstr pointer to the user provided flow options
374  *
375  * \retval 0 on Success
376  * \retval -1 on Failure
377  */
378 int DetectFlowSetup (DetectEngineCtx *de_ctx, Signature *s, const char *flowstr)
379 {
380  uint16_t parse_flags = 0;
381 
382  /* ensure only one flow option */
384  SCLogError("A signature may have only one flow option.");
385  return -1;
386  }
387 
388  DetectFlowData *fd = DetectFlowParse(de_ctx, flowstr, &parse_flags);
389  if (fd == NULL)
390  return -1;
391 
392  bool appendsm = true;
393  /* set the signature direction flags */
394  if (fd->flags & DETECT_FLOW_FLAG_TOSERVER) {
395  if (s->flags & SIG_FLAG_TXBOTHDIR) {
396  SCLogError(
397  "rule %u means to use both directions, cannot specify a flow direction", s->id);
398  goto error;
399  }
400  if (s->flags & SIG_FLAG_TOCLIENT) {
401  SCLogError("rule %u has flow to_server but a hook to_client", s->id);
402  goto error;
403  }
404  s->flags |= SIG_FLAG_TOSERVER;
405  } else if (fd->flags & DETECT_FLOW_FLAG_TOCLIENT) {
406  if (s->flags & SIG_FLAG_TXBOTHDIR) {
407  SCLogError(
408  "rule %u means to use both directions, cannot specify a flow direction", s->id);
409  goto error;
410  }
411  if (s->flags & SIG_FLAG_TOSERVER) {
412  SCLogError("rule %u has flow to_client but a hook to_server", s->id);
413  goto error;
414  }
415  s->flags |= SIG_FLAG_TOCLIENT;
416  } else {
417  s->flags |= SIG_FLAG_TOSERVER;
418  s->flags |= SIG_FLAG_TOCLIENT;
419  }
420  if (fd->flags == 0 || fd->flags == DETECT_FLOW_FLAG_TOSERVER ||
422  /* no direct flow is needed for just direction,
423  * no sigmatch is needed either. */
424  appendsm = false;
425  } else {
427  }
428 
429  if (appendsm) {
431  de_ctx, s, DETECT_FLOW, (SigMatchCtx *)fd, DETECT_SM_LIST_MATCH) == NULL) {
432  goto error;
433  }
434  } else {
435  DetectFlowFree(de_ctx, fd);
436  }
437 
438  if (parse_flags & DETECT_FLOW_FLAG_ONLYSTREAM) {
440  }
441  if (parse_flags & DETECT_FLOW_FLAG_NOSTREAM) {
443  }
444  return 0;
445 
446 error:
447  if (fd != NULL)
448  DetectFlowFree(de_ctx, fd);
449  return -1;
450 
451 }
452 
453 /**
454  * \brief this function will free memory associated with DetectFlowData
455  *
456  * \param fd pointer to DetectFlowData
457  */
459 {
460  DetectFlowData *fd = (DetectFlowData *)ptr;
461  SCFree(fd);
462 }
463 
464 static void
465 PrefilterPacketFlowMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)
466 {
467  SCEnter();
468 
469  const PrefilterPacketHeaderCtx *ctx = pectx;
470 
471  if (!PrefilterPacketHeaderExtraMatch(ctx, p))
472  return;
473 
474  if (FlowMatch(p->flags, p->flowflags, ctx->v1.u16[0], ctx->v1.u16[1])) {
475  SCLogDebug("match: adding sids");
476  PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);
477  }
478  SCReturn;
479 }
480 
481 static void
482 PrefilterPacketFlowSet(PrefilterPacketHeaderValue *v, void *smctx)
483 {
484  const DetectFlowData *fb = smctx;
485  v->u16[0] = fb->flags;
486  v->u16[1] = fb->match_cnt;
487 }
488 
489 static bool
490 PrefilterPacketFlowCompare(PrefilterPacketHeaderValue v, void *smctx)
491 {
492  const DetectFlowData *fb = smctx;
493  if (v.u16[0] == fb->flags && v.u16[1] == fb->match_cnt) {
494  return true;
495  }
496  return false;
497 }
498 
499 static int PrefilterSetupFlow(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
500 {
501  return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_FLOW, 0, PrefilterPacketFlowSet,
502  PrefilterPacketFlowCompare, PrefilterPacketFlowMatch);
503 }
504 
505 static bool PrefilterFlowIsPrefilterable(const Signature *s)
506 {
507  const SigMatch *sm;
508  for (sm = s->init_data->smlists[DETECT_SM_LIST_MATCH] ; sm != NULL; sm = sm->next) {
509  switch (sm->type) {
510  case DETECT_FLOW:
511  return true;
512  }
513  }
514  return false;
515 }
516 
517 #ifdef UNITTESTS
518 #include "detect-engine-alert.h"
519 
520 /**
521  * \test DetectFlowTestParse01 is a test to make sure that we return "something"
522  * when given valid flow opt
523  */
524 static int DetectFlowTestParse01 (void)
525 {
526  uint16_t parsed_flags = 0;
527  DetectFlowData *fd = DetectFlowParse(NULL, "established", &parsed_flags);
528  FAIL_IF_NULL(fd);
529  FAIL_IF_NOT(parsed_flags == 0);
530  DetectFlowFree(NULL, fd);
531  PASS;
532 }
533 
534 /**
535  * \test DetectFlowTestParse02 is a test for setting the established flow opt
536  */
537 static int DetectFlowTestParse02 (void)
538 {
539  uint16_t parsed_flags = 0;
540  DetectFlowData *fd = DetectFlowParse(NULL, "established", &parsed_flags);
541  FAIL_IF_NULL(fd);
543  fd->match_cnt == 1);
544  PASS;
545 }
546 
547 /**
548  * \test DetectFlowTestParse03 is a test for setting the stateless flow opt
549  */
550 static int DetectFlowTestParse03 (void)
551 {
552  uint16_t parsed_flags = 0;
553  DetectFlowData *fd = DetectFlowParse(NULL, "stateless", &parsed_flags);
554  FAIL_IF_NULL(fd);
556  DetectFlowFree(NULL, fd);
557  PASS;
558 }
559 
560 /**
561  * \test DetectFlowTestParse04 is a test for setting the to_client flow opt
562  */
563 static int DetectFlowTestParse04 (void)
564 {
565  uint16_t parsed_flags = 0;
566  DetectFlowData *fd = DetectFlowParse(NULL, "to_client", &parsed_flags);
567  FAIL_IF_NULL(fd);
569  DetectFlowFree(NULL, fd);
570  PASS;
571 }
572 
573 /**
574  * \test DetectFlowTestParse05 is a test for setting the to_server flow opt
575  */
576 static int DetectFlowTestParse05 (void)
577 {
578  uint16_t parsed_flags = 0;
579  DetectFlowData *fd = DetectFlowParse(NULL, "to_server", &parsed_flags);
580  FAIL_IF_NULL(fd);
582  DetectFlowFree(NULL, fd);
583  PASS;
584 }
585 
586 /**
587  * \test DetectFlowTestParse06 is a test for setting the from_server flow opt
588  */
589 static int DetectFlowTestParse06 (void)
590 {
591  uint16_t parsed_flags = 0;
592  DetectFlowData *fd = DetectFlowParse(NULL, "from_server", &parsed_flags);
593  FAIL_IF_NULL(fd);
595  DetectFlowFree(NULL, fd);
596  PASS;
597 }
598 
599 /**
600  * \test DetectFlowTestParse07 is a test for setting the from_client flow opt
601  */
602 static int DetectFlowTestParse07 (void)
603 {
604  uint16_t parsed_flags = 0;
605  DetectFlowData *fd = DetectFlowParse(NULL, "from_client", &parsed_flags);
606  FAIL_IF_NULL(fd);
608  DetectFlowFree(NULL, fd);
609  PASS;
610 }
611 
612 /**
613  * \test DetectFlowTestParse08 is a test for setting the established,to_client flow opts
614  */
615 static int DetectFlowTestParse08 (void)
616 {
617  uint16_t parsed_flags = 0;
618  DetectFlowData *fd = DetectFlowParse(NULL, "established,to_client", &parsed_flags);
619  FAIL_IF_NULL(fd);
621  DetectFlowFree(NULL, fd);
622  PASS;
623 }
624 
625 /**
626  * \test DetectFlowTestParse09 is a test for setting the to_client,stateless flow opts (order of state,dir reversed)
627  */
628 static int DetectFlowTestParse09 (void)
629 {
630  uint16_t parsed_flags = 0;
631  DetectFlowData *fd = DetectFlowParse(NULL, "to_client,stateless", &parsed_flags);
632  FAIL_IF_NULL(fd);
635  fd->match_cnt == 2);
636  DetectFlowFree(NULL, fd);
637  PASS;
638 }
639 
640 /**
641  * \test DetectFlowTestParse10 is a test for setting the from_server,stateless flow opts (order of state,dir reversed)
642  */
643 static int DetectFlowTestParse10 (void)
644 {
645  uint16_t parsed_flags = 0;
646  DetectFlowData *fd = DetectFlowParse(NULL, "from_server,stateless", &parsed_flags);
647  FAIL_IF_NULL(fd);
650  fd->match_cnt == 2);
651  DetectFlowFree(NULL, fd);
652  PASS;
653 }
654 
655 /**
656  * \test DetectFlowTestParse11 is a test for setting the from_server,stateless flow opts with spaces all around
657  */
658 static int DetectFlowTestParse11 (void)
659 {
660  uint16_t parsed_flags = 0;
661  DetectFlowData *fd = DetectFlowParse(NULL, " from_server , stateless ", &parsed_flags);
662  FAIL_IF_NULL(fd);
665  fd->match_cnt == 2);
666  DetectFlowFree(NULL, fd);
667  PASS;
668 }
669 
670 /**
671  * \test DetectFlowTestParseNocase01 is a test to make sure that we return "something"
672  * when given valid flow opt
673  */
674 static int DetectFlowTestParseNocase01 (void)
675 {
676  uint16_t parsed_flags = 0;
677  DetectFlowData *fd = DetectFlowParse(NULL, "ESTABLISHED", &parsed_flags);
678  FAIL_IF_NULL(fd);
679  DetectFlowFree(NULL, fd);
680  PASS;
681 }
682 
683 /**
684  * \test DetectFlowTestParseNocase02 is a test for setting the established flow opt
685  */
686 static int DetectFlowTestParseNocase02 (void)
687 {
688  uint16_t parsed_flags = 0;
689  DetectFlowData *fd = DetectFlowParse(NULL, "ESTABLISHED", &parsed_flags);
690  FAIL_IF_NULL(fd);
692  fd->match_cnt == 1);
693  DetectFlowFree(NULL, fd);
694  PASS;
695 }
696 
697 /**
698  * \test DetectFlowTestParseNocase03 is a test for setting the stateless flow opt
699  */
700 static int DetectFlowTestParseNocase03 (void)
701 {
702  uint16_t parsed_flags = 0;
703  DetectFlowData *fd = DetectFlowParse(NULL, "STATELESS", &parsed_flags);
704  FAIL_IF_NULL(fd);
706  DetectFlowFree(NULL, fd);
707  PASS;
708 }
709 
710 /**
711  * \test DetectFlowTestParseNocase04 is a test for setting the to_client flow opt
712  */
713 static int DetectFlowTestParseNocase04 (void)
714 {
715  uint16_t parsed_flags = 0;
716  DetectFlowData *fd = DetectFlowParse(NULL, "TO_CLIENT", &parsed_flags);
717  FAIL_IF_NULL(fd);
719  DetectFlowFree(NULL, fd);
720  PASS;
721 }
722 
723 /**
724  * \test DetectFlowTestParseNocase05 is a test for setting the to_server flow opt
725  */
726 static int DetectFlowTestParseNocase05 (void)
727 {
728  uint16_t parsed_flags = 0;
729  DetectFlowData *fd = DetectFlowParse(NULL, "TO_SERVER", &parsed_flags);
730  FAIL_IF_NULL(fd);
732  DetectFlowFree(NULL, fd);
733  PASS;
734 }
735 
736 /**
737  * \test DetectFlowTestParseNocase06 is a test for setting the from_server flow opt
738  */
739 static int DetectFlowTestParseNocase06 (void)
740 {
741  uint16_t parsed_flags = 0;
742  DetectFlowData *fd = DetectFlowParse(NULL, "FROM_SERVER", &parsed_flags);
743  FAIL_IF_NULL(fd);
745  DetectFlowFree(NULL, fd);
746  PASS;
747 }
748 
749 /**
750  * \test DetectFlowTestParseNocase07 is a test for setting the from_client flow opt
751  */
752 static int DetectFlowTestParseNocase07 (void)
753 {
754  uint16_t parsed_flags = 0;
755  DetectFlowData *fd = DetectFlowParse(NULL, "FROM_CLIENT", &parsed_flags);
756  FAIL_IF_NULL(fd);
758  DetectFlowFree(NULL, fd);
759  PASS;
760 }
761 
762 /**
763  * \test DetectFlowTestParseNocase08 is a test for setting the established,to_client flow opts
764  */
765 static int DetectFlowTestParseNocase08 (void)
766 {
767  uint16_t parsed_flags = 0;
768  DetectFlowData *fd = DetectFlowParse(NULL, "ESTABLISHED,TO_CLIENT", &parsed_flags);
769  FAIL_IF_NULL(fd);
772  fd->match_cnt == 2);
773  DetectFlowFree(NULL, fd);
774  PASS;
775 }
776 
777 /**
778  * \test DetectFlowTestParseNocase09 is a test for setting the to_client,stateless flow opts (order of state,dir reversed)
779  */
780 static int DetectFlowTestParseNocase09 (void)
781 {
782  uint16_t parsed_flags = 0;
783  DetectFlowData *fd = DetectFlowParse(NULL, "TO_CLIENT,STATELESS", &parsed_flags);
784  FAIL_IF_NULL(fd);
787  fd->match_cnt == 2);
788  DetectFlowFree(NULL, fd);
789  PASS;
790 }
791 
792 /**
793  * \test DetectFlowTestParseNocase10 is a test for setting the from_server,stateless flow opts (order of state,dir reversed)
794  */
795 static int DetectFlowTestParseNocase10 (void)
796 {
797  uint16_t parsed_flags = 0;
798  DetectFlowData *fd = DetectFlowParse(NULL, "FROM_SERVER,STATELESS", &parsed_flags);
799  FAIL_IF_NULL(fd);
802  fd->match_cnt == 2);
803  DetectFlowFree(NULL, fd);
804  PASS;
805 }
806 
807 /**
808  * \test DetectFlowTestParseNocase11 is a test for setting the from_server,stateless flow opts with spaces all around
809  */
810 static int DetectFlowTestParseNocase11 (void)
811 {
812  uint16_t parsed_flags = 0;
813  DetectFlowData *fd = DetectFlowParse(NULL, " FROM_SERVER , STATELESS ", &parsed_flags);
814  FAIL_IF_NULL(fd);
817  fd->match_cnt == 2);
818  DetectFlowFree(NULL, fd);
819  PASS;
820 }
821 
822 /**
823  * \test DetectFlowTestParse12 is a test for setting an invalid separator :
824  */
825 static int DetectFlowTestParse12 (void)
826 {
827  uint16_t parsed_flags = 0;
828  DetectFlowData *fd = DetectFlowParse(NULL, "from_server:stateless", &parsed_flags);
829  FAIL_IF_NOT_NULL(fd);
830  PASS;
831 }
832 
833 /**
834  * \test DetectFlowTestParse13 is a test for an invalid option
835  */
836 static int DetectFlowTestParse13 (void)
837 {
838  uint16_t parsed_flags = 0;
839  DetectFlowData *fd = DetectFlowParse(NULL, "invalidoptiontest", &parsed_flags);
840  FAIL_IF_NOT_NULL(fd);
841  PASS;
842 }
843 
844 /**
845  * \test DetectFlowTestParse14 is a test for a empty option
846  */
847 static int DetectFlowTestParse14 (void)
848 {
849  uint16_t parsed_flags = 0;
850  DetectFlowData *fd = DetectFlowParse(NULL, "", &parsed_flags);
851  FAIL_IF_NOT_NULL(fd);
852  PASS;
853 }
854 
855 /**
856  * \test DetectFlowTestParse15 is a test for an invalid combo of options established,stateless
857  */
858 static int DetectFlowTestParse15 (void)
859 {
860  uint16_t parsed_flags = 0;
861  DetectFlowData *fd = DetectFlowParse(NULL, "established,stateless", &parsed_flags);
862  FAIL_IF_NOT_NULL(fd);
863  PASS;
864 }
865 
866 /**
867  * \test DetectFlowTestParse16 is a test for an invalid combo of options to_client,to_server
868  */
869 static int DetectFlowTestParse16 (void)
870 {
871  uint16_t parsed_flags = 0;
872  DetectFlowData *fd = DetectFlowParse(NULL, "to_client,to_server", &parsed_flags);
873  FAIL_IF_NOT_NULL(fd);
874  PASS;
875 }
876 
877 /**
878  * \test DetectFlowTestParse16 is a test for an invalid combo of options to_client,from_server
879  * flowbit flags are the same
880  */
881 static int DetectFlowTestParse17 (void)
882 {
883  uint16_t parsed_flags = 0;
884  DetectFlowData *fd = DetectFlowParse(NULL, "to_client,from_server", &parsed_flags);
885  FAIL_IF_NOT_NULL(fd);
886  PASS;
887 }
888 
889 /**
890  * \test DetectFlowTestParse18 is a test for setting the from_server,stateless,only_stream flow opts (order of state,dir reversed)
891  */
892 static int DetectFlowTestParse18 (void)
893 {
894  uint16_t parsed_flags = 0;
895  DetectFlowData *fd =
896  DetectFlowParse(NULL, "from_server,established,only_stream", &parsed_flags);
897  FAIL_IF_NULL(fd);
899  FAIL_IF_NOT(parsed_flags == DETECT_FLOW_FLAG_ONLYSTREAM);
900  FAIL_IF_NOT(fd->match_cnt == 2);
901  DetectFlowFree(NULL, fd);
902  PASS;
903 }
904 
905 /**
906  * \test DetectFlowTestParseNocase18 is a test for setting the from_server,stateless,only_stream flow opts (order of state,dir reversed)
907  */
908 static int DetectFlowTestParseNocase18 (void)
909 {
910  uint16_t parsed_flags = 0;
911  DetectFlowData *fd =
912  DetectFlowParse(NULL, "FROM_SERVER,ESTABLISHED,ONLY_STREAM", &parsed_flags);
913  FAIL_IF_NULL(fd);
915  FAIL_IF_NOT(parsed_flags == DETECT_FLOW_FLAG_ONLYSTREAM);
916  FAIL_IF_NOT(fd->match_cnt == 2);
917  DetectFlowFree(NULL, fd);
918  PASS;
919 }
920 
921 
922 /**
923  * \test DetectFlowTestParse19 is a test for one to many options passed to DetectFlowParse
924  */
925 static int DetectFlowTestParse19 (void)
926 {
927  uint16_t parsed_flags = 0;
928  DetectFlowData *fd =
929  DetectFlowParse(NULL, "from_server,established,only_stream,a", &parsed_flags);
930  FAIL_IF_NOT_NULL(fd);
931  PASS;
932 }
933 
934 /**
935  * \test DetectFlowTestParse20 is a test for setting from_server, established, no_stream
936  */
937 static int DetectFlowTestParse20 (void)
938 {
939  uint16_t parsed_flags = 0;
940  DetectFlowData *fd = DetectFlowParse(NULL, "from_server,established,no_stream", &parsed_flags);
941  FAIL_IF_NULL(fd);
943  FAIL_IF_NOT(parsed_flags == DETECT_FLOW_FLAG_NOSTREAM);
944  FAIL_IF_NOT(fd->match_cnt == 2);
945  DetectFlowFree(NULL, fd);
946  PASS;
947 }
948 
949 /**
950  * \test DetectFlowTestParse20 is a test for setting from_server, established, no_stream
951  */
952 static int DetectFlowTestParseNocase20 (void)
953 {
954  uint16_t parsed_flags = 0;
955  DetectFlowData *fd = DetectFlowParse(NULL, "FROM_SERVER,ESTABLISHED,NO_STREAM", &parsed_flags);
956  FAIL_IF_NULL(fd);
958  FAIL_IF_NOT(parsed_flags == DETECT_FLOW_FLAG_NOSTREAM);
959  FAIL_IF_NOT(fd->match_cnt == 2);
960  DetectFlowFree(NULL, fd);
961  PASS;
962 }
963 
964 /**
965  * \test DetectFlowTestParse21 is a test for an invalid opt between to valid opts
966  */
967 static int DetectFlowTestParse21 (void)
968 {
969  uint16_t parsed_flags = 0;
970  DetectFlowData *fd = DetectFlowParse(NULL, "from_server,a,no_stream", &parsed_flags);
971  FAIL_IF_NOT_NULL(fd);
972  PASS;
973 }
974 
975 /**
976  * \test DetectFlowTestParse22 is a test for setting the established,not_established flow opts both
977  */
978 static int DetectFlowTestParse22(void)
979 {
980  uint16_t parsed_flags = 0;
981  DetectFlowData *fd = DetectFlowParse(NULL, "established,not_established", &parsed_flags);
982  FAIL_IF_NOT_NULL(fd);
983  fd = DetectFlowParse(NULL, "not_established,established", &parsed_flags);
984  FAIL_IF_NOT_NULL(fd);
985  PASS;
986 }
987 
988 static int DetectFlowSigTest01(void)
989 {
990  uint8_t *buf = (uint8_t *)"supernovaduper";
991  uint16_t buflen = strlen((char *)buf);
992  ThreadVars th_v;
994  memset(&dtv, 0, sizeof(DecodeThreadVars));
995  memset(&th_v, 0, sizeof(th_v));
996 
997  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
998  FAIL_IF_NULL(p);
999 
1000  const char *sig1 = "alert tcp any any -> any any (msg:\"dummy\"; "
1001  "content:\"nova\"; flow:no_stream; sid:1;)";
1002 
1005  de_ctx->flags |= DE_QUIET;
1006 
1007  de_ctx->sig_list = SigInit(de_ctx, sig1);
1009 
1011  DetectEngineThreadCtx *det_ctx = NULL;
1012  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1013  FAIL_IF_NULL(det_ctx);
1014 
1015  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1016  FAIL_IF(PacketAlertCheck(p, 1) != 1);
1017 
1018  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1020  UTHFreePacket(p);
1021 
1022  PASS;
1023 }
1024 
1025 /**
1026  * \test Test parsing of the not_established keyword.
1027  */
1028 static int DetectFlowTestParseNotEstablished(void)
1029 {
1030  uint16_t parsed_flags = 0;
1031  DetectFlowData *fd = DetectFlowParse(NULL, "not_established", &parsed_flags);
1032  FAIL_IF_NULL(fd);
1034  DetectFlowFree(NULL, fd);
1035  PASS;
1036 }
1037 
1038 /**
1039  * \test Test parsing of the "no_frag" flow argument.
1040  */
1041 static int DetectFlowTestParseNoFrag(void)
1042 {
1043  uint16_t parsed_flags = 0;
1044  DetectFlowData *fd = DetectFlowParse(NULL, "no_frag", &parsed_flags);
1045  FAIL_IF_NULL(fd);
1047  DetectFlowFree(NULL, fd);
1048  PASS;
1049 }
1050 
1051 /**
1052  * \test Test parsing of the "only_frag" flow argument.
1053  */
1054 static int DetectFlowTestParseOnlyFrag(void)
1055 {
1056  uint16_t parsed_flags = 0;
1057  DetectFlowData *fd = DetectFlowParse(NULL, "only_frag", &parsed_flags);
1058  FAIL_IF_NULL(fd);
1060  DetectFlowFree(NULL, fd);
1061  PASS;
1062 }
1063 
1064 /**
1065  * \test Test that parsing of only_frag and no_frag together fails.
1066  */
1067 static int DetectFlowTestParseNoFragOnlyFrag(void)
1068 {
1069  uint16_t parsed_flags = 0;
1070  DetectFlowData *fd = DetectFlowParse(NULL, "no_frag,only_frag", &parsed_flags);
1071  FAIL_IF_NOT_NULL(fd);
1072  PASS;
1073 }
1074 
1075 /**
1076  * \test Test no_frag matching.
1077  */
1078 static int DetectFlowTestNoFragMatch(void)
1079 {
1080  uint16_t parsed_flags = 0;
1081  uint32_t pflags = 0;
1082  DetectFlowData *fd = DetectFlowParse(NULL, "no_frag", &parsed_flags);
1083  FAIL_IF_NULL(fd);
1085  FAIL_IF_NOT(fd->match_cnt == 1);
1086  FAIL_IF_NOT(FlowMatch(pflags, 0, fd->flags, fd->match_cnt));
1087  pflags |= PKT_REBUILT_FRAGMENT;
1088  FAIL_IF(FlowMatch(pflags, 0, fd->flags, fd->match_cnt));
1089  PASS;
1090 }
1091 
1092 /**
1093  * \test Test only_frag matching.
1094  */
1095 static int DetectFlowTestOnlyFragMatch(void)
1096 {
1097  uint16_t parsed_flags = 0;
1098  uint32_t pflags = 0;
1099  DetectFlowData *fd = DetectFlowParse(NULL, "only_frag", &parsed_flags);
1100  FAIL_IF_NULL(fd);
1102  FAIL_IF_NOT(fd->match_cnt == 1);
1103  FAIL_IF(FlowMatch(pflags, 0, fd->flags, fd->match_cnt));
1104  pflags |= PKT_REBUILT_FRAGMENT;
1105  FAIL_IF_NOT(FlowMatch(pflags, 0, fd->flags, fd->match_cnt));
1106  PASS;
1107 }
1108 
1109 /**
1110  * \brief this function registers unit tests for DetectFlow
1111  */
1112 static void DetectFlowRegisterTests(void)
1113 {
1114  UtRegisterTest("DetectFlowTestParse01", DetectFlowTestParse01);
1115  UtRegisterTest("DetectFlowTestParse02", DetectFlowTestParse02);
1116  UtRegisterTest("DetectFlowTestParse03", DetectFlowTestParse03);
1117  UtRegisterTest("DetectFlowTestParse04", DetectFlowTestParse04);
1118  UtRegisterTest("DetectFlowTestParse05", DetectFlowTestParse05);
1119  UtRegisterTest("DetectFlowTestParse06", DetectFlowTestParse06);
1120  UtRegisterTest("DetectFlowTestParse07", DetectFlowTestParse07);
1121  UtRegisterTest("DetectFlowTestParse08", DetectFlowTestParse08);
1122  UtRegisterTest("DetectFlowTestParse09", DetectFlowTestParse09);
1123  UtRegisterTest("DetectFlowTestParse10", DetectFlowTestParse10);
1124  UtRegisterTest("DetectFlowTestParse11", DetectFlowTestParse11);
1125  UtRegisterTest("DetectFlowTestParseNocase01", DetectFlowTestParseNocase01);
1126  UtRegisterTest("DetectFlowTestParseNocase02", DetectFlowTestParseNocase02);
1127  UtRegisterTest("DetectFlowTestParseNocase03", DetectFlowTestParseNocase03);
1128  UtRegisterTest("DetectFlowTestParseNocase04", DetectFlowTestParseNocase04);
1129  UtRegisterTest("DetectFlowTestParseNocase05", DetectFlowTestParseNocase05);
1130  UtRegisterTest("DetectFlowTestParseNocase06", DetectFlowTestParseNocase06);
1131  UtRegisterTest("DetectFlowTestParseNocase07", DetectFlowTestParseNocase07);
1132  UtRegisterTest("DetectFlowTestParseNocase08", DetectFlowTestParseNocase08);
1133  UtRegisterTest("DetectFlowTestParseNocase09", DetectFlowTestParseNocase09);
1134  UtRegisterTest("DetectFlowTestParseNocase10", DetectFlowTestParseNocase10);
1135  UtRegisterTest("DetectFlowTestParseNocase11", DetectFlowTestParseNocase11);
1136  UtRegisterTest("DetectFlowTestParse12", DetectFlowTestParse12);
1137  UtRegisterTest("DetectFlowTestParse13", DetectFlowTestParse13);
1138  UtRegisterTest("DetectFlowTestParse14", DetectFlowTestParse14);
1139  UtRegisterTest("DetectFlowTestParse15", DetectFlowTestParse15);
1140  UtRegisterTest("DetectFlowTestParse16", DetectFlowTestParse16);
1141  UtRegisterTest("DetectFlowTestParse17", DetectFlowTestParse17);
1142  UtRegisterTest("DetectFlowTestParse18", DetectFlowTestParse18);
1143  UtRegisterTest("DetectFlowTestParseNocase18", DetectFlowTestParseNocase18);
1144  UtRegisterTest("DetectFlowTestParse19", DetectFlowTestParse19);
1145  UtRegisterTest("DetectFlowTestParse20", DetectFlowTestParse20);
1146  UtRegisterTest("DetectFlowTestParseNocase20", DetectFlowTestParseNocase20);
1147  UtRegisterTest("DetectFlowTestParse21", DetectFlowTestParse21);
1148  UtRegisterTest("DetectFlowTestParse22", DetectFlowTestParse22);
1149  UtRegisterTest("DetectFlowTestParseNotEstablished",
1150  DetectFlowTestParseNotEstablished);
1151  UtRegisterTest("DetectFlowTestParseNoFrag", DetectFlowTestParseNoFrag);
1152  UtRegisterTest("DetectFlowTestParseOnlyFrag",
1153  DetectFlowTestParseOnlyFrag);
1154  UtRegisterTest("DetectFlowTestParseNoFragOnlyFrag",
1155  DetectFlowTestParseNoFragOnlyFrag);
1156  UtRegisterTest("DetectFlowTestNoFragMatch", DetectFlowTestNoFragMatch);
1157  UtRegisterTest("DetectFlowTestOnlyFragMatch", DetectFlowTestOnlyFragMatch);
1158 
1159  UtRegisterTest("DetectFlowSigTest01", DetectFlowSigTest01);
1160 }
1161 #endif /* UNITTESTS */
DETECT_FLOW_FLAG_TOCLIENT
#define DETECT_FLOW_FLAG_TOCLIENT
Definition: detect-flow.h:28
DETECT_FLOW_FLAG_STATELESS
#define DETECT_FLOW_FLAG_STATELESS
Definition: detect-flow.h:31
SigTableElmt_::url
const char * url
Definition: detect.h:1406
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:644
SigTableElmt_::desc
const char * desc
Definition: detect.h:1405
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:155
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1393
DetectFlowData_
Definition: detect-flow.h:37
DetectParseRegex
Definition: detect-parse.h:62
DETECT_FLOW_FLAG_NOSTREAM
#define DETECT_FLOW_FLAG_NOSTREAM
Definition: detect-flow.h:33
SigTableElmt_::name
const char * name
Definition: detect.h:1403
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1573
SIG_FLAG_INIT_FLOW
#define SIG_FLAG_INIT_FLOW
Definition: detect.h:291
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DETECT_FLOW
@ DETECT_FLOW
Definition: detect-engine-register.h:54
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
Packet_::flags
uint32_t flags
Definition: decode.h:527
DetectFlowData_::match_cnt
uint8_t match_cnt
Definition: detect-flow.h:39
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1299
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1397
ctx
struct Thresholds ctx
DetectFlowData_::flags
uint16_t flags
Definition: detect-flow.h:38
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:921
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2674
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:233
SIG_FLAG_REQUIRE_STREAM
#define SIG_FLAG_REQUIRE_STREAM
Definition: detect.h:254
SIG_FLAG_TXBOTHDIR
#define SIG_FLAG_TXBOTHDIR
Definition: detect.h:249
DE_QUIET
#define DE_QUIET
Definition: detect.h:329
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:365
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:2312
SignatureInitData_::init_flags
uint32_t init_flags
Definition: detect.h:610
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
Definition: detect-parse.c:3398
SIGMATCH_SUPPORT_FIREWALL
#define SIGMATCH_SUPPORT_FIREWALL
Definition: detect.h:1626
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:515
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:271
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1388
DetectFlowSetupImplicit
int DetectFlowSetupImplicit(Signature *s, uint32_t flags)
Definition: detect-flow.c:337
PrefilterPacketHeaderValue::u16
uint16_t u16[8]
Definition: detect-engine-prefilter-common.h:25
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
SigTableElmt_::SetupPrefilter
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
Definition: detect.h:1391
DETECT_FLOW_FLAG_ONLYSTREAM
#define DETECT_FLOW_FLAG_ONLYSTREAM
Definition: detect-flow.h:32
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:270
PrefilterPacketHeaderCtx_
Definition: detect-engine-prefilter-common.h:35
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
DetectEngineThreadCtx_
Definition: detect.h:1198
PARSE_REGEX
#define PARSE_REGEX
Regex for parsing our flow options.
Definition: detect-flow.c:47
DETECT_FLOW_FLAG_TOSERVER
#define DETECT_FLOW_FLAG_TOSERVER
Definition: detect-flow.h:27
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:3524
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3400
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:360
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:116
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:3002
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:309
SCReturn
#define SCReturn
Definition: util-debug.h:273
Signature_::flags
uint32_t flags
Definition: detect.h:671
Packet_
Definition: decode.h:484
detect-engine-build.h
detect-engine-alert.h
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:749
PrefilterSetupPacketHeader
int PrefilterSetupPacketHeader(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type, SignatureMask mask, void(*Set)(PrefilterPacketHeaderValue *v, void *), bool(*Compare)(PrefilterPacketHeaderValue v, void *), void(*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
Definition: detect-engine-prefilter-common.c:406
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1371
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:234
SIG_FLAG_REQUIRE_STREAM_ONLY
#define SIG_FLAG_REQUIRE_STREAM_ONLY
Definition: detect.h:260
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2129
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:33
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:351
cnt
uint32_t cnt
Definition: tmqh-packetpool.h:7
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:357
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3626
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:930
DetectFlowRegister
void DetectFlowRegister(void)
Registration function for flow: keyword.
Definition: detect-flow.c:65
SIG_FLAG_BOTH
#define SIG_FLAG_BOTH
DETECT_FLOW_FLAG_NOT_ESTABLISHED
#define DETECT_FLOW_FLAG_NOT_ESTABLISHED
Definition: detect-flow.h:30
detect-flow.h
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
DETECT_FLOW_FLAG_ONLY_FRAG
#define DETECT_FLOW_FLAG_ONLY_FRAG
Definition: detect-flow.h:35
PKT_REBUILT_FRAGMENT
#define PKT_REBUILT_FRAGMENT
Definition: decode.h:1278
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:946
SigTableElmt_::SupportsPrefilter
bool(* SupportsPrefilter)(const Signature *s)
Definition: detect.h:1390
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:473
Signature_::id
uint32_t id
Definition: detect.h:715
DETECT_FLOW_FLAG_ESTABLISHED
#define DETECT_FLOW_FLAG_ESTABLISHED
Definition: detect-flow.h:29
detect-parse.h
DetectFlowFree
void DetectFlowFree(DetectEngineCtx *, void *)
this function will free memory associated with DetectFlowData
Definition: detect-flow.c:458
Signature_
Signature container.
Definition: detect.h:670
SigMatch_
a single match condition for a signature
Definition: detect.h:356
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:235
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2635
SC_Pcre2SubstringCopy
int SC_Pcre2SubstringCopy(pcre2_match_data *match_data, uint32_t number, PCRE2_UCHAR *buffer, PCRE2_SIZE *bufflen)
Definition: detect-parse.c:3500
DetectFlowMatch
int DetectFlowMatch(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
This function is used to match flow flags set on a packet with those passed via flow:
Definition: detect-flow.c:130
PrefilterPacketHeaderValue
Definition: detect-engine-prefilter-common.h:23
SigMatchAppendSMToList
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:464
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:923
detect-engine-prefilter-common.h
flow.h
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
flow-var.h
DETECT_FLOW_FLAG_NO_FRAG
#define DETECT_FLOW_FLAG_NO_FRAG
Definition: detect-flow.h:34
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1395
SIG_FLAG_REQUIRE_PACKET
#define SIG_FLAG_REQUIRE_PACKET
Definition: detect.h:253