suricata
detect-flow.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * FLOW part of the detection engine.
24  */
25 
26 #include "suricata-common.h"
27 #include "debug.h"
28 #include "decode.h"
29 
30 #include "detect.h"
31 #include "detect-parse.h"
32 #include "detect-engine.h"
33 #include "detect-engine-prefilter-common.h"
34 
35 #include "flow.h"
36 #include "flow-var.h"
37 
38 #include "detect-flow.h"
39 
40 #include "util-unittest.h"
41 #include "util-unittest-helper.h"
42 #include "util-debug.h"
43 
44 /**
45  * \brief Regex for parsing our flow options
46  */
47 #define PARSE_REGEX "^\\s*([A-z_]+)\\s*(?:,\\s*([A-z_]+))?\\s*(?:,\\s*([A-z_]+))?\\s*$"
48 
49 static DetectParseRegex parse_regex;
50 
51 int DetectFlowMatch (DetectEngineThreadCtx *, Packet *,
52  const Signature *, const SigMatchCtx *);
53 static int DetectFlowSetup (DetectEngineCtx *, Signature *, const char *);
54 void DetectFlowRegisterTests(void);
55 void DetectFlowFree(DetectEngineCtx *, void *);
56 
57 static int PrefilterSetupFlow(DetectEngineCtx *de_ctx, SigGroupHead *sgh);
58 static bool PrefilterFlowIsPrefilterable(const Signature *s);
59 
60 /**
61  * \brief Registration function for flow: keyword
62  */
63 void DetectFlowRegister (void)
64 {
65  sigmatch_table[DETECT_FLOW].name = "flow";
66  sigmatch_table[DETECT_FLOW].desc = "match on direction and state of the flow";
67  sigmatch_table[DETECT_FLOW].url = "/rules/flow-keywords.html#flow";
68  sigmatch_table[DETECT_FLOW].Match = DetectFlowMatch;
69  sigmatch_table[DETECT_FLOW].Setup = DetectFlowSetup;
70  sigmatch_table[DETECT_FLOW].Free = DetectFlowFree;
71  sigmatch_table[DETECT_FLOW].RegisterTests = DetectFlowRegisterTests;
72 
73  sigmatch_table[DETECT_FLOW].SupportsPrefilter = PrefilterFlowIsPrefilterable;
74  sigmatch_table[DETECT_FLOW].SetupPrefilter = PrefilterSetupFlow;
75 
76  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
77 }
78 
79 /**
80  * \param pflags packet flags (p->flags)
81  * \param pflowflags packet flow flags (p->flowflags)
82  * \param tflags detection flags (det_ctx->flags)
83  * \param dflags detect flow flags
84  * \param match_cnt number of matches to trigger
85  */
86 static inline int FlowMatch(const uint32_t pflags, const uint8_t pflowflags,
87  const uint16_t tflags, const uint16_t dflags, const uint8_t match_cnt)
88 {
89  uint8_t cnt = 0;
90 
91  if ((dflags & DETECT_FLOW_FLAG_NO_FRAG) &&
92  (!(pflags & PKT_REBUILT_FRAGMENT))) {
93  cnt++;
94  } else if ((dflags & DETECT_FLOW_FLAG_ONLY_FRAG) &&
95  (pflags & PKT_REBUILT_FRAGMENT)) {
96  cnt++;
97  }
98 
99  if ((dflags & DETECT_FLOW_FLAG_TOSERVER) && (pflowflags & FLOW_PKT_TOSERVER)) {
100  cnt++;
101  } else if ((dflags & DETECT_FLOW_FLAG_TOCLIENT) && (pflowflags & FLOW_PKT_TOCLIENT)) {
102  cnt++;
103  }
104 
105  if ((dflags & DETECT_FLOW_FLAG_ESTABLISHED) && (pflowflags & FLOW_PKT_ESTABLISHED)) {
106  cnt++;
107  } else if (dflags & DETECT_FLOW_FLAG_NOT_ESTABLISHED && (!(pflowflags & FLOW_PKT_ESTABLISHED))) {
108  cnt++;
109  } else if (dflags & DETECT_FLOW_FLAG_STATELESS) {
110  cnt++;
111  }
112 
113  if (tflags & DETECT_ENGINE_THREAD_CTX_STREAM_CONTENT_MATCH) {
114  if (dflags & DETECT_FLOW_FLAG_ONLYSTREAM)
115  cnt++;
116  } else {
117  if (dflags & DETECT_FLOW_FLAG_NOSTREAM)
118  cnt++;
119  }
120 
121  return (match_cnt == cnt) ? 1 : 0;
122 }
123 
124 /**
125  * \brief This function is used to match flow flags set on a packet with those passed via flow:
126  *
127  * \param t pointer to thread vars
128  * \param det_ctx pointer to the pattern matcher thread
129  * \param p pointer to the current packet
130  * \param m pointer to the sigmatch that we will cast into DetectFlowData
131  *
132  * \retval 0 no match
133  * \retval 1 match
134  */
135 int DetectFlowMatch (DetectEngineThreadCtx *det_ctx, Packet *p,
136  const Signature *s, const SigMatchCtx *ctx)
137 {
138  SCEnter();
139 
140  SCLogDebug("pkt %p", p);
141 
142  if (p->flowflags & FLOW_PKT_TOSERVER) {
143  SCLogDebug("FLOW_PKT_TOSERVER");
144  } else if (p->flowflags & FLOW_PKT_TOCLIENT) {
145  SCLogDebug("FLOW_PKT_TOCLIENT");
146  }
147 
148  if (p->flowflags & FLOW_PKT_ESTABLISHED) {
149  SCLogDebug("FLOW_PKT_ESTABLISHED");
150  }
151 
152  const DetectFlowData *fd = (const DetectFlowData *)ctx;
153 
154  const int ret = FlowMatch(p->flags, p->flowflags, det_ctx->flags, fd->flags, fd->match_cnt);
155  SCLogDebug("returning %" PRId32 " fd->match_cnt %" PRId32 " fd->flags 0x%02X p->flowflags 0x%02X",
156  ret, fd->match_cnt, fd->flags, p->flowflags);
157  SCReturnInt(ret);
158 }
159 
160 /**
161  * \brief This function is used to parse flow options passed via flow: keyword
162  *
163  * \param de_ctx Pointer to the detection engine context
164  * \param flowstr Pointer to the user provided flow options
165  *
166  * \retval fd pointer to DetectFlowData on success
167  * \retval NULL on failure
168  */
169 static DetectFlowData *DetectFlowParse (DetectEngineCtx *de_ctx, const char *flowstr)
170 {
171  DetectFlowData *fd = NULL;
172  char *args[3] = {NULL,NULL,NULL};
173  int ret = 0, res = 0;
174  int ov[MAX_SUBSTRINGS];
175  char str1[16] = "", str2[16] = "", str3[16] = "";
176 
177  ret = DetectParsePcreExec(&parse_regex, flowstr, 0, 0, ov, MAX_SUBSTRINGS);
178  if (ret < 1 || ret > 4) {
179  SCLogError(SC_ERR_PCRE_MATCH, "parse error, ret %" PRId32 ", string %s", ret, flowstr);
180  goto error;
181  }
182 
183  if (ret > 1) {
184  res = pcre_copy_substring((char *)flowstr, ov, MAX_SUBSTRINGS, 1, str1, sizeof(str1));
185  if (res < 0) {
186  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
187  goto error;
188  }
189  args[0] = (char *)str1;
190 
191  if (ret > 2) {
192  res = pcre_copy_substring((char *)flowstr, ov, MAX_SUBSTRINGS, 2, str2, sizeof(str2));
193  if (res < 0) {
194  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
195  goto error;
196  }
197  args[1] = (char *)str2;
198  }
199  if (ret > 3) {
200  res = pcre_copy_substring((char *)flowstr, ov, MAX_SUBSTRINGS, 3, str3, sizeof(str3));
201  if (res < 0) {
202  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
203  goto error;
204  }
205  args[2] = (char *)str3;
206  }
207  }
208 
209  fd = SCMalloc(sizeof(DetectFlowData));
210  if (unlikely(fd == NULL))
211  goto error;
212  fd->flags = 0;
213  fd->match_cnt = 0;
214 
215  int i;
216  for (i = 0; i < (ret - 1); i++) {
217  if (args[i]) {
218  /* inspect our options and set the flags */
219  if (strcasecmp(args[i], "established") == 0) {
220  if (fd->flags & DETECT_FLOW_FLAG_ESTABLISHED) {
221  SCLogError(SC_ERR_FLAGS_MODIFIER, "DETECT_FLOW_FLAG_ESTABLISHED flag is already set");
222  goto error;
223  } else if (fd->flags & DETECT_FLOW_FLAG_STATELESS) {
224  SCLogError(SC_ERR_FLAGS_MODIFIER, "DETECT_FLOW_FLAG_STATELESS already set");
225  goto error;
226  }
227  fd->flags |= DETECT_FLOW_FLAG_ESTABLISHED;
228  } else if (strcasecmp(args[i], "not_established") == 0) {
229  if (fd->flags & DETECT_FLOW_FLAG_NOT_ESTABLISHED) {
230  SCLogError(SC_ERR_FLAGS_MODIFIER, "DETECT_FLOW_FLAG_NOT_ESTABLISHED flag is already set");
231  goto error;
232  } else if (fd->flags & DETECT_FLOW_FLAG_NOT_ESTABLISHED) {
233  SCLogError(SC_ERR_FLAGS_MODIFIER, "cannot set DETECT_FLOW_FLAG_NOT_ESTABLISHED, DETECT_FLOW_FLAG_ESTABLISHED already set");
234  goto error;
235  }
236  fd->flags |= DETECT_FLOW_FLAG_NOT_ESTABLISHED;
237  } else if (strcasecmp(args[i], "stateless") == 0) {
238  if (fd->flags & DETECT_FLOW_FLAG_STATELESS) {
239  SCLogError(SC_ERR_FLAGS_MODIFIER, "DETECT_FLOW_FLAG_STATELESS flag is already set");
240  goto error;
241  } else if (fd->flags & DETECT_FLOW_FLAG_ESTABLISHED) {
242  SCLogError(SC_ERR_FLAGS_MODIFIER, "cannot set DETECT_FLOW_FLAG_STATELESS, DETECT_FLOW_FLAG_ESTABLISHED already set");
243  goto error;
244  }
245  fd->flags |= DETECT_FLOW_FLAG_STATELESS;
246  } else if (strcasecmp(args[i], "to_client") == 0 || strcasecmp(args[i], "from_server") == 0) {
247  if (fd->flags & DETECT_FLOW_FLAG_TOCLIENT) {
248  SCLogError(SC_ERR_FLAGS_MODIFIER, "cannot set DETECT_FLOW_FLAG_TOCLIENT flag is already set");
249  goto error;
250  } else if (fd->flags & DETECT_FLOW_FLAG_TOSERVER) {
251  SCLogError(SC_ERR_FLAGS_MODIFIER, "cannot set to_client, DETECT_FLOW_FLAG_TOSERVER already set");
252  goto error;
253  }
254  fd->flags |= DETECT_FLOW_FLAG_TOCLIENT;
255  } else if (strcasecmp(args[i], "to_server") == 0 || strcasecmp(args[i], "from_client") == 0){
256  if (fd->flags & DETECT_FLOW_FLAG_TOSERVER) {
257  SCLogError(SC_ERR_FLAGS_MODIFIER, "cannot set DETECT_FLOW_FLAG_TOSERVER flag is already set");
258  goto error;
259  } else if (fd->flags & DETECT_FLOW_FLAG_TOCLIENT) {
260  SCLogError(SC_ERR_FLAGS_MODIFIER, "cannot set to_server, DETECT_FLOW_FLAG_TO_CLIENT flag already set");
261  goto error;
262  }
263  fd->flags |= DETECT_FLOW_FLAG_TOSERVER;
264  } else if (strcasecmp(args[i], "only_stream") == 0) {
265  if (fd->flags & DETECT_FLOW_FLAG_ONLYSTREAM) {
266  SCLogError(SC_ERR_FLAGS_MODIFIER, "cannot set only_stream flag is already set");
267  goto error;
268  } else if (fd->flags & DETECT_FLOW_FLAG_NOSTREAM) {
269  SCLogError(SC_ERR_FLAGS_MODIFIER, "cannot set only_stream flag, DETECT_FLOW_FLAG_NOSTREAM already set");
270  goto error;
271  }
272  fd->flags |= DETECT_FLOW_FLAG_ONLYSTREAM;
273  } else if (strcasecmp(args[i], "no_stream") == 0) {
274  if (fd->flags & DETECT_FLOW_FLAG_NOSTREAM) {
275  SCLogError(SC_ERR_FLAGS_MODIFIER, "cannot set no_stream flag is already set");
276  goto error;
277  } else if (fd->flags & DETECT_FLOW_FLAG_ONLYSTREAM) {
278  SCLogError(SC_ERR_FLAGS_MODIFIER, "cannot set no_stream flag, DETECT_FLOW_FLAG_ONLYSTREAM already set");
279  goto error;
280  }
281  fd->flags |= DETECT_FLOW_FLAG_NOSTREAM;
282  } else if (strcasecmp(args[i], "no_frag") == 0) {
283  if (fd->flags & DETECT_FLOW_FLAG_NO_FRAG) {
284  SCLogError(SC_ERR_FLAGS_MODIFIER, "cannot set no_frag flag is already set");
285  goto error;
286  } else if (fd->flags & DETECT_FLOW_FLAG_ONLY_FRAG) {
287  SCLogError(SC_ERR_FLAGS_MODIFIER, "cannot set no_frag flag, only_frag already set");
288  goto error;
289  }
290  fd->flags |= DETECT_FLOW_FLAG_NO_FRAG;
291  } else if (strcasecmp(args[i], "only_frag") == 0) {
292  if (fd->flags & DETECT_FLOW_FLAG_ONLY_FRAG) {
293  SCLogError(SC_ERR_FLAGS_MODIFIER, "cannot set only_frag flag is already set");
294  goto error;
295  } else if (fd->flags & DETECT_FLOW_FLAG_NO_FRAG) {
296  SCLogError(SC_ERR_FLAGS_MODIFIER, "cannot set only_frag flag, no_frag already set");
297  goto error;
298  }
299  fd->flags |= DETECT_FLOW_FLAG_ONLY_FRAG;
300  } else {
301  SCLogError(SC_ERR_INVALID_VALUE, "invalid flow option \"%s\"", args[i]);
302  goto error;
303  }
304 
305  fd->match_cnt++;
306  //printf("args[%" PRId32 "]: %s match_cnt: %" PRId32 " flags: 0x%02X\n", i, args[i], fd->match_cnt, fd->flags);
307  }
308  }
309  return fd;
310 
311 error:
312  if (fd != NULL)
313  DetectFlowFree(de_ctx, fd);
314  return NULL;
315 
316 }
317 
318 int DetectFlowSetupImplicit(Signature *s, uint32_t flags)
319 {
320 #define SIG_FLAG_BOTH (SIG_FLAG_TOSERVER|SIG_FLAG_TOCLIENT)
321  BUG_ON(flags == 0);
322  BUG_ON(flags & ~SIG_FLAG_BOTH);
323  BUG_ON((flags & SIG_FLAG_BOTH) == SIG_FLAG_BOTH);
324 
325  SCLogDebug("want %08lx", flags & SIG_FLAG_BOTH);
326  SCLogDebug("have %08lx", s->flags & SIG_FLAG_BOTH);
327 
328  if (flags & SIG_FLAG_TOSERVER) {
329  if ((s->flags & SIG_FLAG_BOTH) == SIG_FLAG_BOTH) {
330  /* both is set if we just have 'flow:established' */
331  s->flags &= ~SIG_FLAG_TOCLIENT;
332  } else if (s->flags & SIG_FLAG_TOCLIENT) {
333  return -1;
334  }
335  s->flags |= SIG_FLAG_TOSERVER;
336  } else {
337  if ((s->flags & SIG_FLAG_BOTH) == SIG_FLAG_BOTH) {
338  /* both is set if we just have 'flow:established' */
339  s->flags &= ~SIG_FLAG_TOSERVER;
340  } else if (s->flags & SIG_FLAG_TOSERVER) {
341  return -1;
342  }
343  s->flags |= SIG_FLAG_TOCLIENT;
344  }
345  return 0;
346 #undef SIG_FLAG_BOTH
347 }
348 
349 /**
350  * \brief this function is used to add the parsed flowdata into the current signature
351  *
352  * \param de_ctx pointer to the Detection Engine Context
353  * \param s pointer to the Current Signature
354  * \param flowstr pointer to the user provided flow options
355  *
356  * \retval 0 on Success
357  * \retval -1 on Failure
358  */
359 int DetectFlowSetup (DetectEngineCtx *de_ctx, Signature *s, const char *flowstr)
360 {
361  /* ensure only one flow option */
362  if (s->init_data->init_flags & SIG_FLAG_INIT_FLOW) {
363  SCLogError (SC_ERR_INVALID_SIGNATURE, "A signature may have only one flow option.");
364  return -1;
365  }
366 
367  DetectFlowData *fd = DetectFlowParse(de_ctx, flowstr);
368  if (fd == NULL)
369  return -1;
370 
371  SigMatch *sm = SigMatchAlloc();
372  if (sm == NULL)
373  goto error;
374 
375  sm->type = DETECT_FLOW;
376  sm->ctx = (SigMatchCtx *)fd;
377 
378  /* set the signature direction flags */
379  if (fd->flags & DETECT_FLOW_FLAG_TOSERVER) {
380  s->flags |= SIG_FLAG_TOSERVER;
381  } else if (fd->flags & DETECT_FLOW_FLAG_TOCLIENT) {
382  s->flags |= SIG_FLAG_TOCLIENT;
383  } else {
384  s->flags |= SIG_FLAG_TOSERVER;
385  s->flags |= SIG_FLAG_TOCLIENT;
386  }
387  if (fd->flags & DETECT_FLOW_FLAG_ONLYSTREAM) {
388  s->flags |= SIG_FLAG_REQUIRE_STREAM;
389  }
390  if (fd->flags & DETECT_FLOW_FLAG_NOSTREAM) {
391  s->flags |= SIG_FLAG_REQUIRE_PACKET;
392  } else if (fd->flags == DETECT_FLOW_FLAG_TOSERVER ||
393  fd->flags == DETECT_FLOW_FLAG_TOCLIENT)
394  {
395  /* no direct flow is needed for just direction,
396  * no sigmatch is needed either. */
397  SigMatchFree(de_ctx, sm);
398  sm = NULL;
399  } else {
400  s->init_data->init_flags |= SIG_FLAG_INIT_FLOW;
401  }
402 
403  if (sm != NULL) {
404  SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_MATCH);
405  }
406  return 0;
407 
408 error:
409  if (fd != NULL)
410  DetectFlowFree(de_ctx, fd);
411  return -1;
412 
413 }
414 
415 /**
416  * \brief this function will free memory associated with DetectFlowData
417  *
418  * \param fd pointer to DetectFlowData
419  */
420 void DetectFlowFree(DetectEngineCtx *de_ctx, void *ptr)
421 {
422  DetectFlowData *fd = (DetectFlowData *)ptr;
423  SCFree(fd);
424 }
425 
426 static void
427 PrefilterPacketFlowMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)
428 {
429  const PrefilterPacketHeaderCtx *ctx = pectx;
430 
431  if (PrefilterPacketHeaderExtraMatch(ctx, p) == FALSE)
432  return;
433 
434  if (FlowMatch(p->flags, p->flowflags, det_ctx->flags, ctx->v1.u8[0], ctx->v1.u8[1]))
435  {
436  PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);
437  }
438 }
439 
440 static void
441 PrefilterPacketFlowSet(PrefilterPacketHeaderValue *v, void *smctx)
442 {
443  const DetectFlowData *fb = smctx;
444  v->u8[0] = fb->flags;
445  v->u8[1] = fb->match_cnt;
446 }
447 
448 static bool
449 PrefilterPacketFlowCompare(PrefilterPacketHeaderValue v, void *smctx)
450 {
451  const DetectFlowData *fb = smctx;
452  if (v.u8[0] == fb->flags &&
453  v.u8[1] == fb->match_cnt)
454  {
455  return TRUE;
456  }
457  return FALSE;
458 }
459 
460 static int PrefilterSetupFlow(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
461 {
462  return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_FLOW,
463  PrefilterPacketFlowSet,
464  PrefilterPacketFlowCompare,
465  PrefilterPacketFlowMatch);
466 }
467 
468 static bool PrefilterFlowIsPrefilterable(const Signature *s)
469 {
470  const SigMatch *sm;
471  for (sm = s->init_data->smlists[DETECT_SM_LIST_MATCH] ; sm != NULL; sm = sm->next) {
472  switch (sm->type) {
473  case DETECT_FLOW:
474  return TRUE;
475  }
476  }
477  return FALSE;
478 }
479 
480 #ifdef UNITTESTS
481 
482 /**
483  * \test DetectFlowTestParse01 is a test to make sure that we return "something"
484  * when given valid flow opt
485  */
486 static int DetectFlowTestParse01 (void)
487 {
488  DetectFlowData *fd = NULL;
489  fd = DetectFlowParse(NULL, "established");
490  FAIL_IF_NULL(fd);
491  DetectFlowFree(NULL, fd);
492  PASS;
493 }
494 
495 /**
496  * \test DetectFlowTestParse02 is a test for setting the established flow opt
497  */
498 static int DetectFlowTestParse02 (void)
499 {
500  DetectFlowData *fd = NULL;
501  fd = DetectFlowParse(NULL, "established");
502  FAIL_IF_NULL(fd);
503  FAIL_IF_NOT(fd->flags == DETECT_FLOW_FLAG_ESTABLISHED &&
504  fd->match_cnt == 1);
505  PASS;
506 }
507 
508 /**
509  * \test DetectFlowTestParse03 is a test for setting the stateless flow opt
510  */
511 static int DetectFlowTestParse03 (void)
512 {
513  DetectFlowData *fd = NULL;
514  fd = DetectFlowParse(NULL, "stateless");
515  FAIL_IF_NULL(fd);
516  FAIL_IF_NOT(fd->flags == DETECT_FLOW_FLAG_STATELESS && fd->match_cnt == 1);
517  DetectFlowFree(NULL, fd);
518  PASS;
519 }
520 
521 /**
522  * \test DetectFlowTestParse04 is a test for setting the to_client flow opt
523  */
524 static int DetectFlowTestParse04 (void)
525 {
526  DetectFlowData *fd = NULL;
527  fd = DetectFlowParse(NULL, "to_client");
528  FAIL_IF_NULL(fd);
529  FAIL_IF_NOT(fd->flags == DETECT_FLOW_FLAG_TOCLIENT && fd->match_cnt == 1);
530  DetectFlowFree(NULL, fd);
531  PASS;
532 }
533 
534 /**
535  * \test DetectFlowTestParse05 is a test for setting the to_server flow opt
536  */
537 static int DetectFlowTestParse05 (void)
538 {
539  DetectFlowData *fd = NULL;
540  fd = DetectFlowParse(NULL, "to_server");
541  FAIL_IF_NULL(fd);
542  FAIL_IF_NOT(fd->flags == DETECT_FLOW_FLAG_TOSERVER && fd->match_cnt == 1);
543  DetectFlowFree(NULL, fd);
544  PASS;
545 }
546 
547 /**
548  * \test DetectFlowTestParse06 is a test for setting the from_server flow opt
549  */
550 static int DetectFlowTestParse06 (void)
551 {
552  DetectFlowData *fd = NULL;
553  fd = DetectFlowParse(NULL, "from_server");
554  FAIL_IF_NULL(fd);
555  FAIL_IF_NOT(fd->flags == DETECT_FLOW_FLAG_TOCLIENT && fd->match_cnt == 1);
556  DetectFlowFree(NULL, fd);
557  PASS;
558 }
559 
560 /**
561  * \test DetectFlowTestParse07 is a test for setting the from_client flow opt
562  */
563 static int DetectFlowTestParse07 (void)
564 {
565  DetectFlowData *fd = NULL;
566  fd = DetectFlowParse(NULL, "from_client");
567  FAIL_IF_NULL(fd);
568  FAIL_IF_NOT(fd->flags == DETECT_FLOW_FLAG_TOSERVER && fd->match_cnt == 1);
569  DetectFlowFree(NULL, fd);
570  PASS;
571 }
572 
573 /**
574  * \test DetectFlowTestParse08 is a test for setting the established,to_client flow opts
575  */
576 static int DetectFlowTestParse08 (void)
577 {
578  DetectFlowData *fd = NULL;
579  fd = DetectFlowParse(NULL, "established,to_client");
580  FAIL_IF_NULL(fd);
581  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_ESTABLISHED && fd->flags & DETECT_FLOW_FLAG_TOCLIENT && fd->match_cnt == 2);
582  DetectFlowFree(NULL, fd);
583  PASS;
584 }
585 
586 /**
587  * \test DetectFlowTestParse09 is a test for setting the to_client,stateless flow opts (order of state,dir reversed)
588  */
589 static int DetectFlowTestParse09 (void)
590 {
591  DetectFlowData *fd = NULL;
592  fd = DetectFlowParse(NULL, "to_client,stateless");
593  FAIL_IF_NULL(fd);
594  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_STATELESS &&
595  fd->flags & DETECT_FLOW_FLAG_TOCLIENT &&
596  fd->match_cnt == 2);
597  DetectFlowFree(NULL, fd);
598  PASS;
599 }
600 
601 /**
602  * \test DetectFlowTestParse10 is a test for setting the from_server,stateless flow opts (order of state,dir reversed)
603  */
604 static int DetectFlowTestParse10 (void)
605 {
606  DetectFlowData *fd = NULL;
607  fd = DetectFlowParse(NULL, "from_server,stateless");
608  FAIL_IF_NULL(fd);
609  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_STATELESS &&
610  fd->flags & DETECT_FLOW_FLAG_TOCLIENT &&
611  fd->match_cnt == 2);
612  DetectFlowFree(NULL, fd);
613  PASS;
614 }
615 
616 /**
617  * \test DetectFlowTestParse11 is a test for setting the from_server,stateless flow opts with spaces all around
618  */
619 static int DetectFlowTestParse11 (void)
620 {
621  DetectFlowData *fd = NULL;
622  fd = DetectFlowParse(NULL, " from_server , stateless ");
623  FAIL_IF_NULL(fd);
624  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_STATELESS &&
625  fd->flags & DETECT_FLOW_FLAG_TOCLIENT &&
626  fd->match_cnt == 2);
627  DetectFlowFree(NULL, fd);
628  PASS;
629 }
630 
631 /**
632  * \test DetectFlowTestParseNocase01 is a test to make sure that we return "something"
633  * when given valid flow opt
634  */
635 static int DetectFlowTestParseNocase01 (void)
636 {
637  DetectFlowData *fd = NULL;
638  fd = DetectFlowParse(NULL, "ESTABLISHED");
639  FAIL_IF_NULL(fd);
640  DetectFlowFree(NULL, fd);
641  PASS;
642 }
643 
644 /**
645  * \test DetectFlowTestParseNocase02 is a test for setting the established flow opt
646  */
647 static int DetectFlowTestParseNocase02 (void)
648 {
649  DetectFlowData *fd = NULL;
650  fd = DetectFlowParse(NULL, "ESTABLISHED");
651  FAIL_IF_NULL(fd);
652  FAIL_IF_NOT(fd->flags == DETECT_FLOW_FLAG_ESTABLISHED &&
653  fd->match_cnt == 1);
654  DetectFlowFree(NULL, fd);
655  PASS;
656 }
657 
658 /**
659  * \test DetectFlowTestParseNocase03 is a test for setting the stateless flow opt
660  */
661 static int DetectFlowTestParseNocase03 (void)
662 {
663  DetectFlowData *fd = NULL;
664  fd = DetectFlowParse(NULL, "STATELESS");
665  FAIL_IF_NULL(fd);
666  FAIL_IF_NOT(fd->flags == DETECT_FLOW_FLAG_STATELESS && fd->match_cnt == 1); DetectFlowFree(NULL, fd);
667  PASS;
668 }
669 
670 /**
671  * \test DetectFlowTestParseNocase04 is a test for setting the to_client flow opt
672  */
673 static int DetectFlowTestParseNocase04 (void)
674 {
675  DetectFlowData *fd = NULL;
676  fd = DetectFlowParse(NULL, "TO_CLIENT");
677  FAIL_IF_NULL(fd);
678  FAIL_IF_NOT(fd->flags == DETECT_FLOW_FLAG_TOCLIENT && fd->match_cnt == 1);
679  DetectFlowFree(NULL, fd);
680  PASS;
681 }
682 
683 /**
684  * \test DetectFlowTestParseNocase05 is a test for setting the to_server flow opt
685  */
686 static int DetectFlowTestParseNocase05 (void)
687 {
688  DetectFlowData *fd = NULL;
689  fd = DetectFlowParse(NULL, "TO_SERVER");
690  FAIL_IF_NULL(fd);
691  FAIL_IF_NOT(fd->flags == DETECT_FLOW_FLAG_TOSERVER && fd->match_cnt == 1);
692  DetectFlowFree(NULL, fd);
693  PASS;
694 }
695 
696 /**
697  * \test DetectFlowTestParseNocase06 is a test for setting the from_server flow opt
698  */
699 static int DetectFlowTestParseNocase06 (void)
700 {
701  DetectFlowData *fd = NULL;
702  fd = DetectFlowParse(NULL, "FROM_SERVER");
703  FAIL_IF_NULL(fd);
704  FAIL_IF_NOT(fd->flags == DETECT_FLOW_FLAG_TOCLIENT && fd->match_cnt == 1);
705  DetectFlowFree(NULL, fd);
706  PASS;
707 }
708 
709 /**
710  * \test DetectFlowTestParseNocase07 is a test for setting the from_client flow opt
711  */
712 static int DetectFlowTestParseNocase07 (void)
713 {
714  DetectFlowData *fd = NULL;
715  fd = DetectFlowParse(NULL, "FROM_CLIENT");
716  FAIL_IF_NULL(fd);
717  FAIL_IF_NOT(fd->flags == DETECT_FLOW_FLAG_TOSERVER && fd->match_cnt == 1);
718  DetectFlowFree(NULL, fd);
719  PASS;
720 }
721 
722 /**
723  * \test DetectFlowTestParseNocase08 is a test for setting the established,to_client flow opts
724  */
725 static int DetectFlowTestParseNocase08 (void)
726 {
727  DetectFlowData *fd = NULL;
728  fd = DetectFlowParse(NULL, "ESTABLISHED,TO_CLIENT");
729  FAIL_IF_NULL(fd);
730  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_ESTABLISHED &&
731  fd->flags & DETECT_FLOW_FLAG_TOCLIENT &&
732  fd->match_cnt == 2);
733  DetectFlowFree(NULL, fd);
734  PASS;
735 }
736 
737 /**
738  * \test DetectFlowTestParseNocase09 is a test for setting the to_client,stateless flow opts (order of state,dir reversed)
739  */
740 static int DetectFlowTestParseNocase09 (void)
741 {
742  DetectFlowData *fd = NULL;
743  fd = DetectFlowParse(NULL, "TO_CLIENT,STATELESS");
744  FAIL_IF_NULL(fd);
745  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_STATELESS &&
746  fd->flags & DETECT_FLOW_FLAG_TOCLIENT &&
747  fd->match_cnt == 2);
748  DetectFlowFree(NULL, fd);
749  PASS;
750 }
751 
752 /**
753  * \test DetectFlowTestParseNocase10 is a test for setting the from_server,stateless flow opts (order of state,dir reversed)
754  */
755 static int DetectFlowTestParseNocase10 (void)
756 {
757  DetectFlowData *fd = NULL;
758  fd = DetectFlowParse(NULL, "FROM_SERVER,STATELESS");
759  FAIL_IF_NULL(fd);
760  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_STATELESS &&
761  fd->flags & DETECT_FLOW_FLAG_TOCLIENT &&
762  fd->match_cnt == 2);
763  DetectFlowFree(NULL, fd);
764  PASS;
765 }
766 
767 /**
768  * \test DetectFlowTestParseNocase11 is a test for setting the from_server,stateless flow opts with spaces all around
769  */
770 static int DetectFlowTestParseNocase11 (void)
771 {
772  DetectFlowData *fd = NULL;
773  fd = DetectFlowParse(NULL, " FROM_SERVER , STATELESS ");
774  FAIL_IF_NULL(fd);
775  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_STATELESS &&
776  fd->flags & DETECT_FLOW_FLAG_TOCLIENT &&
777  fd->match_cnt == 2);
778  DetectFlowFree(NULL, fd);
779  PASS;
780 }
781 
782 /**
783  * \test DetectFlowTestParse12 is a test for setting an invalid seperator :
784  */
785 static int DetectFlowTestParse12 (void)
786 {
787  DetectFlowData *fd = NULL;
788  fd = DetectFlowParse(NULL, "from_server:stateless");
789  FAIL_IF_NOT_NULL(fd);
790  PASS;
791 }
792 
793 /**
794  * \test DetectFlowTestParse13 is a test for an invalid option
795  */
796 static int DetectFlowTestParse13 (void)
797 {
798  DetectFlowData *fd = NULL;
799  fd = DetectFlowParse(NULL, "invalidoptiontest");
800  FAIL_IF_NOT_NULL(fd);
801  PASS;
802 }
803 
804 /**
805  * \test DetectFlowTestParse14 is a test for a empty option
806  */
807 static int DetectFlowTestParse14 (void)
808 {
809  DetectFlowData *fd = NULL;
810  fd = DetectFlowParse(NULL, "");
811  FAIL_IF_NOT_NULL(fd);
812  PASS;
813 }
814 
815 /**
816  * \test DetectFlowTestParse15 is a test for an invalid combo of options established,stateless
817  */
818 static int DetectFlowTestParse15 (void)
819 {
820  DetectFlowData *fd = NULL;
821  fd = DetectFlowParse(NULL, "established,stateless");
822  FAIL_IF_NOT_NULL(fd);
823  PASS;
824 }
825 
826 /**
827  * \test DetectFlowTestParse16 is a test for an invalid combo of options to_client,to_server
828  */
829 static int DetectFlowTestParse16 (void)
830 {
831  DetectFlowData *fd = NULL;
832  fd = DetectFlowParse(NULL, "to_client,to_server");
833  FAIL_IF_NOT_NULL(fd);
834  PASS;
835 }
836 
837 /**
838  * \test DetectFlowTestParse16 is a test for an invalid combo of options to_client,from_server
839  * flowbit flags are the same
840  */
841 static int DetectFlowTestParse17 (void)
842 {
843  DetectFlowData *fd = NULL;
844  fd = DetectFlowParse(NULL, "to_client,from_server");
845  FAIL_IF_NOT_NULL(fd);
846  PASS;
847 }
848 
849 /**
850  * \test DetectFlowTestParse18 is a test for setting the from_server,stateless,only_stream flow opts (order of state,dir reversed)
851  */
852 static int DetectFlowTestParse18 (void)
853 {
854  DetectFlowData *fd = NULL;
855  fd = DetectFlowParse(NULL, "from_server,established,only_stream");
856  FAIL_IF_NULL(fd);
857  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_ESTABLISHED &&
858  fd->flags & DETECT_FLOW_FLAG_TOCLIENT &&
859  fd->flags & DETECT_FLOW_FLAG_ONLYSTREAM &&
860  fd->match_cnt == 3);
861  DetectFlowFree(NULL, fd);
862  PASS;
863 }
864 
865 /**
866  * \test DetectFlowTestParseNocase18 is a test for setting the from_server,stateless,only_stream flow opts (order of state,dir reversed)
867  */
868 static int DetectFlowTestParseNocase18 (void)
869 {
870  DetectFlowData *fd = NULL;
871  fd = DetectFlowParse(NULL, "FROM_SERVER,ESTABLISHED,ONLY_STREAM");
872  FAIL_IF_NULL(fd);
873  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_ESTABLISHED &&
874  fd->flags & DETECT_FLOW_FLAG_TOCLIENT &&
875  fd->flags & DETECT_FLOW_FLAG_ONLYSTREAM &&
876  fd->match_cnt == 3);
877  DetectFlowFree(NULL, fd);
878  PASS;
879 }
880 
881 
882 /**
883  * \test DetectFlowTestParse19 is a test for one to many options passed to DetectFlowParse
884  */
885 static int DetectFlowTestParse19 (void)
886 {
887  DetectFlowData *fd = NULL;
888  fd = DetectFlowParse(NULL, "from_server,established,only_stream,a");
889  FAIL_IF_NOT_NULL(fd);
890  PASS;
891 }
892 
893 /**
894  * \test DetectFlowTestParse20 is a test for setting from_server, established, no_stream
895  */
896 static int DetectFlowTestParse20 (void)
897 {
898  DetectFlowData *fd = NULL;
899  fd = DetectFlowParse(NULL, "from_server,established,no_stream");
900  FAIL_IF_NULL(fd);
901  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_ESTABLISHED &&
902  fd->flags & DETECT_FLOW_FLAG_TOCLIENT &&
903  fd->flags & DETECT_FLOW_FLAG_NOSTREAM &&
904  fd->match_cnt == 3);
905  DetectFlowFree(NULL, fd);
906  PASS;
907 }
908 
909 /**
910  * \test DetectFlowTestParse20 is a test for setting from_server, established, no_stream
911  */
912 static int DetectFlowTestParseNocase20 (void)
913 {
914  DetectFlowData *fd = NULL;
915  fd = DetectFlowParse(NULL, "FROM_SERVER,ESTABLISHED,NO_STREAM");
916  FAIL_IF_NULL(fd);
917  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_ESTABLISHED &&
918  fd->flags & DETECT_FLOW_FLAG_TOCLIENT &&
919  fd->flags & DETECT_FLOW_FLAG_NOSTREAM &&
920  fd->match_cnt == 3);
921  DetectFlowFree(NULL, fd);
922  PASS;
923 }
924 
925 /**
926  * \test DetectFlowTestParse21 is a test for an invalid opt between to valid opts
927  */
928 static int DetectFlowTestParse21 (void)
929 {
930  DetectFlowData *fd = NULL;
931  fd = DetectFlowParse(NULL, "from_server,a,no_stream");
932  FAIL_IF_NOT_NULL(fd);
933  PASS;
934 }
935 
936 static int DetectFlowSigTest01(void)
937 {
938  ThreadVars th_v;
939  DecodeThreadVars dtv;
940  DetectEngineCtx *de_ctx = NULL;
941  DetectEngineThreadCtx *det_ctx = NULL;
942  uint8_t *buf = (uint8_t *)"supernovaduper";
943  uint16_t buflen = strlen((char *)buf);
944 
945  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
946  FAIL_IF_NULL(p);
947 
948  const char *sig1 = "alert tcp any any -> any any (msg:\"dummy\"; "
949  "content:\"nova\"; flow:no_stream; sid:1;)";
950 
951  memset(&dtv, 0, sizeof(DecodeThreadVars));
952  memset(&th_v, 0, sizeof(th_v));
953 
954  de_ctx = DetectEngineCtxInit();
955  FAIL_IF_NULL(de_ctx);
956  de_ctx->flags |= DE_QUIET;
957 
958  de_ctx->sig_list = SigInit(de_ctx, sig1);
959  FAIL_IF_NULL(de_ctx->sig_list);
960 
961  SigGroupBuild(de_ctx);
962  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
963 
964  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
965  FAIL_IF(PacketAlertCheck(p, 1) != 1);
966 
967  if (det_ctx != NULL)
968  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
969 
970  if (de_ctx != NULL) {
971  SigGroupCleanup(de_ctx);
972  SigCleanSignatures(de_ctx);
973  DetectEngineCtxFree(de_ctx);
974  }
975 
976  if (p != NULL)
977  UTHFreePacket(p);
978 
979  PASS;
980 }
981 
982 /**
983  * \test Test parsing of the not_established keyword.
984  */
985 static int DetectFlowTestParseNotEstablished(void)
986 {
987  DetectFlowData *fd = NULL;
988  fd = DetectFlowParse(NULL, "not_established");
989  FAIL_IF_NULL(fd);
990  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_NOT_ESTABLISHED);
991  DetectFlowFree(NULL, fd);
992  PASS;
993 }
994 
995 /**
996  * \test Test parsing of the "no_frag" flow argument.
997  */
998 static int DetectFlowTestParseNoFrag(void)
999 {
1000  DetectFlowData *fd = NULL;
1001  fd = DetectFlowParse(NULL, "no_frag");
1002  FAIL_IF_NULL(fd);
1003  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_NO_FRAG);
1004  DetectFlowFree(NULL, fd);
1005  PASS;
1006 }
1007 
1008 /**
1009  * \test Test parsing of the "only_frag" flow argument.
1010  */
1011 static int DetectFlowTestParseOnlyFrag(void)
1012 {
1013  DetectFlowData *fd = NULL;
1014  fd = DetectFlowParse(NULL, "only_frag");
1015  FAIL_IF_NULL(fd);
1016  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_ONLY_FRAG);
1017  DetectFlowFree(NULL, fd);
1018  PASS;
1019 }
1020 
1021 /**
1022  * \test Test that parsing of only_frag and no_frag together fails.
1023  */
1024 static int DetectFlowTestParseNoFragOnlyFrag(void)
1025 {
1026  DetectFlowData *fd = NULL;
1027  fd = DetectFlowParse(NULL, "no_frag,only_frag");
1028  FAIL_IF_NOT_NULL(fd);
1029  PASS;
1030 }
1031 
1032 /**
1033  * \test Test no_frag matching.
1034  */
1035 static int DetectFlowTestNoFragMatch(void)
1036 {
1037  uint32_t pflags = 0;
1038  DetectFlowData *fd = DetectFlowParse(NULL, "no_frag");
1039  FAIL_IF_NULL(fd);
1040  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_NO_FRAG);
1041  FAIL_IF_NOT(fd->match_cnt == 1);
1042  FAIL_IF_NOT(FlowMatch(pflags, 0, 0, fd->flags, fd->match_cnt));
1043  pflags |= PKT_REBUILT_FRAGMENT;
1044  FAIL_IF(FlowMatch(pflags, 0, 0, fd->flags, fd->match_cnt));
1045  PASS;
1046 }
1047 
1048 /**
1049  * \test Test only_frag matching.
1050  */
1051 static int DetectFlowTestOnlyFragMatch(void)
1052 {
1053  uint32_t pflags = 0;
1054  DetectFlowData *fd = DetectFlowParse(NULL, "only_frag");
1055  FAIL_IF_NULL(fd);
1056  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_ONLY_FRAG);
1057  FAIL_IF_NOT(fd->match_cnt == 1);
1058  FAIL_IF(FlowMatch(pflags, 0, 0, fd->flags, fd->match_cnt));
1059  pflags |= PKT_REBUILT_FRAGMENT;
1060  FAIL_IF_NOT(FlowMatch(pflags, 0, 0, fd->flags, fd->match_cnt));
1061  PASS;
1062 }
1063 
1064 #endif /* UNITTESTS */
1065 
1066 /**
1067  * \brief this function registers unit tests for DetectFlow
1068  */
1069 void DetectFlowRegisterTests(void)
1070 {
1071 #ifdef UNITTESTS
1072  UtRegisterTest("DetectFlowTestParse01", DetectFlowTestParse01);
1073  UtRegisterTest("DetectFlowTestParse02", DetectFlowTestParse02);
1074  UtRegisterTest("DetectFlowTestParse03", DetectFlowTestParse03);
1075  UtRegisterTest("DetectFlowTestParse04", DetectFlowTestParse04);
1076  UtRegisterTest("DetectFlowTestParse05", DetectFlowTestParse05);
1077  UtRegisterTest("DetectFlowTestParse06", DetectFlowTestParse06);
1078  UtRegisterTest("DetectFlowTestParse07", DetectFlowTestParse07);
1079  UtRegisterTest("DetectFlowTestParse08", DetectFlowTestParse08);
1080  UtRegisterTest("DetectFlowTestParse09", DetectFlowTestParse09);
1081  UtRegisterTest("DetectFlowTestParse10", DetectFlowTestParse10);
1082  UtRegisterTest("DetectFlowTestParse11", DetectFlowTestParse11);
1083  UtRegisterTest("DetectFlowTestParseNocase01", DetectFlowTestParseNocase01);
1084  UtRegisterTest("DetectFlowTestParseNocase02", DetectFlowTestParseNocase02);
1085  UtRegisterTest("DetectFlowTestParseNocase03", DetectFlowTestParseNocase03);
1086  UtRegisterTest("DetectFlowTestParseNocase04", DetectFlowTestParseNocase04);
1087  UtRegisterTest("DetectFlowTestParseNocase05", DetectFlowTestParseNocase05);
1088  UtRegisterTest("DetectFlowTestParseNocase06", DetectFlowTestParseNocase06);
1089  UtRegisterTest("DetectFlowTestParseNocase07", DetectFlowTestParseNocase07);
1090  UtRegisterTest("DetectFlowTestParseNocase08", DetectFlowTestParseNocase08);
1091  UtRegisterTest("DetectFlowTestParseNocase09", DetectFlowTestParseNocase09);
1092  UtRegisterTest("DetectFlowTestParseNocase10", DetectFlowTestParseNocase10);
1093  UtRegisterTest("DetectFlowTestParseNocase11", DetectFlowTestParseNocase11);
1094  UtRegisterTest("DetectFlowTestParse12", DetectFlowTestParse12);
1095  UtRegisterTest("DetectFlowTestParse13", DetectFlowTestParse13);
1096  UtRegisterTest("DetectFlowTestParse14", DetectFlowTestParse14);
1097  UtRegisterTest("DetectFlowTestParse15", DetectFlowTestParse15);
1098  UtRegisterTest("DetectFlowTestParse16", DetectFlowTestParse16);
1099  UtRegisterTest("DetectFlowTestParse17", DetectFlowTestParse17);
1100  UtRegisterTest("DetectFlowTestParse18", DetectFlowTestParse18);
1101  UtRegisterTest("DetectFlowTestParseNocase18", DetectFlowTestParseNocase18);
1102  UtRegisterTest("DetectFlowTestParse19", DetectFlowTestParse19);
1103  UtRegisterTest("DetectFlowTestParse20", DetectFlowTestParse20);
1104  UtRegisterTest("DetectFlowTestParseNocase20", DetectFlowTestParseNocase20);
1105  UtRegisterTest("DetectFlowTestParse21", DetectFlowTestParse21);
1106  UtRegisterTest("DetectFlowTestParseNotEstablished",
1107  DetectFlowTestParseNotEstablished);
1108  UtRegisterTest("DetectFlowTestParseNoFrag", DetectFlowTestParseNoFrag);
1109  UtRegisterTest("DetectFlowTestParseOnlyFrag",
1110  DetectFlowTestParseOnlyFrag);
1111  UtRegisterTest("DetectFlowTestParseNoFragOnlyFrag",
1112  DetectFlowTestParseNoFragOnlyFrag);
1113  UtRegisterTest("DetectFlowTestNoFragMatch", DetectFlowTestNoFragMatch);
1114  UtRegisterTest("DetectFlowTestOnlyFragMatch", DetectFlowTestOnlyFragMatch);
1115 
1116  UtRegisterTest("DetectFlowSigTest01", DetectFlowSigTest01);
1117 #endif /* UNITTESTS */
1118 }
DETECT_FLOW_FLAG_TOCLIENT
#define DETECT_FLOW_FLAG_TOCLIENT
Definition: detect-flow.h:28
DETECT_FLOW_FLAG_STATELESS
#define DETECT_FLOW_FLAG_STATELESS
Definition: detect-flow.h:31
SigTableElmt_::url
const char * url
Definition: detect.h:1212
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
DetectFlowRegisterTests
void DetectFlowRegisterTests(void)
this function registers unit tests for DetectFlow
Definition: detect-flow.c:1069
SigTableElmt_::desc
const char * desc
Definition: detect.h:1211
SigMatchFree
void SigMatchFree(DetectEngineCtx *de_ctx, SigMatch *sm)
free a SigMatch
Definition: detect-parse.c:250
SC_ERR_INVALID_VALUE
@ SC_ERR_INVALID_VALUE
Definition: util-error.h:160
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1200
DetectFlowData_
Definition: detect-flow.h:37
DETECT_FLOW_FLAG_NOSTREAM
#define DETECT_FLOW_FLAG_NOSTREAM
Definition: detect-flow.h:33
SigTableElmt_::name
const char * name
Definition: detect.h:1209
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1345
SIG_FLAG_INIT_FLOW
#define SIG_FLAG_INIT_FLOW
Definition: detect.h:258
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DETECT_FLOW
@ DETECT_FLOW
Definition: detect-engine-register.h:51
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
Packet_::flags
uint32_t flags
Definition: decode.h:446
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2033
DetectFlowData_::match_cnt
uint8_t match_cnt
Definition: detect-flow.h:39
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1110
DetectFlowData_::flags
uint16_t flags
Definition: detect-flow.h:38
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:766
SC_ERR_INVALID_SIGNATURE
@ SC_ERR_INVALID_SIGNATURE
Definition: util-error.h:69
PrefilterPacketHeaderCtx_::sigs_array
SigIntId * sigs_array
Definition: detect-engine-prefilter-common.h:41
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2089
PrefilterPacketHeaderValue::u8
uint8_t u8[16]
Definition: detect-engine-prefilter-common.h:22
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:218
SIG_FLAG_REQUIRE_STREAM
#define SIG_FLAG_REQUIRE_STREAM
Definition: detect.h:224
DetectEngineThreadCtx_::flags
uint16_t flags
Definition: detect.h:1076
DE_QUIET
#define DE_QUIET
Definition: detect.h:293
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:336
SignatureInitData_::init_flags
uint32_t init_flags
Definition: detect.h:492
PrefilterPacketHeaderCtx_::sigs_cnt
uint32_t sigs_cnt
Definition: detect-engine-prefilter-common.h:40
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:39
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:442
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:237
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1195
DetectFlowSetupImplicit
int DetectFlowSetupImplicit(Signature *s, uint32_t flags)
Definition: detect-flow.c:318
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
Definition: util-unittest.h:82
SigTableElmt_::SetupPrefilter
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
Definition: detect.h:1198
DETECT_FLOW_FLAG_ONLYSTREAM
#define DETECT_FLOW_FLAG_ONLYSTREAM
Definition: detect-flow.h:32
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:236
PrefilterPacketHeaderCtx_
Definition: detect-engine-prefilter-common.h:33
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1009
PARSE_REGEX
#define PARSE_REGEX
Regex for parsing our flow options.
Definition: detect-flow.c:47
DETECT_FLOW_FLAG_TOSERVER
#define DETECT_FLOW_FLAG_TOSERVER
Definition: detect-flow.h:27
res
PoolThreadReserved res
Definition: stream-tcp-private.h:0
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2456
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:323
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:89
TRUE
#define TRUE
Definition: suricata-common.h:33
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:322
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:282
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1668
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1947
FALSE
#define FALSE
Definition: suricata-common.h:34
Signature_::flags
uint32_t flags
Definition: detect.h:528
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options, int *ovector, int ovector_size)
Definition: detect-parse.c:2388
Packet_
Definition: decode.h:411
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:596
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1178
SignatureInitData_::smlists
struct SigMatch_ ** smlists
Definition: detect.h:521
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:219
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1876
SigMatch_::type
uint8_t type
Definition: detect.h:320
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:30
PrefilterPacketHeaderCtx_::v1
PrefilterPacketHeaderValue v1
Definition: detect-engine-prefilter-common.h:34
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:314
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2793
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3001
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectParseRegex_
Definition: detect-parse.h:42
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:772
DetectFlowRegister
void DetectFlowRegister(void)
Registration function for flow: keyword.
Definition: detect-flow.c:63
SIG_FLAG_BOTH
#define SIG_FLAG_BOTH
PrefilterSetupPacketHeader
int PrefilterSetupPacketHeader(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type, void(*Set)(PrefilterPacketHeaderValue *v, void *), bool(*Compare)(PrefilterPacketHeaderValue v, void *), void(*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
Definition: detect-engine-prefilter-common.c:407
DETECT_FLOW_FLAG_NOT_ESTABLISHED
#define DETECT_FLOW_FLAG_NOT_ESTABLISHED
Definition: detect-flow.h:30
detect-flow.h
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
DETECT_FLOW_FLAG_ONLY_FRAG
#define DETECT_FLOW_FLAG_ONLY_FRAG
Definition: detect-flow.h:35
DETECT_ENGINE_THREAD_CTX_STREAM_CONTENT_MATCH
#define DETECT_ENGINE_THREAD_CTX_STREAM_CONTENT_MATCH
Definition: detect.h:281
PKT_REBUILT_FRAGMENT
#define PKT_REBUILT_FRAGMENT
Definition: decode.h:1114
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:625
SigTableElmt_::SupportsPrefilter
bool(* SupportsPrefilter)(const Signature *s)
Definition: detect.h:1197
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:484
DETECT_FLOW_FLAG_ESTABLISHED
#define DETECT_FLOW_FLAG_ESTABLISHED
Definition: detect-flow.h:29
detect-parse.h
DetectFlowFree
void DetectFlowFree(DetectEngineCtx *, void *)
this function will free memory associated with DetectFlowData
Definition: detect-flow.c:420
Signature_
Signature container.
Definition: detect.h:527
SigMatch_
a single match condition for a signature
Definition: detect.h:319
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:220
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2044
SC_ERR_FLAGS_MODIFIER
@ SC_ERR_FLAGS_MODIFIER
Definition: util-error.h:133
DetectFlowMatch
int DetectFlowMatch(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
This function is used to match flow flags set on a packet with those passed via flow:
Definition: detect-flow.c:135
PrefilterPacketHeaderValue
Definition: detect-engine-prefilter-common.h:21
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:767
detect-engine-prefilter-common.h
flow.h
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
flow-var.h
DETECT_FLOW_FLAG_NO_FRAG
#define DETECT_FLOW_FLAG_NO_FRAG
Definition: detect-flow.h:34
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
debug.h
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1201
SIG_FLAG_REQUIRE_PACKET
#define SIG_FLAG_REQUIRE_PACKET
Definition: detect.h:223