suricata
detect-flow.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * FLOW part of the detection engine.
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 
29 #include "detect.h"
30 #include "detect-parse.h"
31 #include "detect-engine.h"
33 #include "detect-engine-build.h"
34 
35 #include "flow.h"
36 #include "flow-var.h"
37 
38 #include "detect-flow.h"
39 
40 #include "util-unittest.h"
41 #include "util-unittest-helper.h"
42 #include "util-debug.h"
43 
44 /**
45  * \brief Regex for parsing our flow options
46  */
47 #define PARSE_REGEX "^\\s*([A-z_]+)\\s*(?:,\\s*([A-z_]+))?\\s*(?:,\\s*([A-z_]+))?\\s*$"
48 
49 static DetectParseRegex parse_regex;
50 
52  const Signature *, const SigMatchCtx *);
53 static int DetectFlowSetup (DetectEngineCtx *, Signature *, const char *);
54 #ifdef UNITTESTS
55 static void DetectFlowRegisterTests(void);
56 #endif
57 void DetectFlowFree(DetectEngineCtx *, void *);
58 
59 static int PrefilterSetupFlow(DetectEngineCtx *de_ctx, SigGroupHead *sgh);
60 static bool PrefilterFlowIsPrefilterable(const Signature *s);
61 
62 /**
63  * \brief Registration function for flow: keyword
64  */
65 void DetectFlowRegister (void)
66 {
68  sigmatch_table[DETECT_FLOW].desc = "match on direction and state of the flow";
69  sigmatch_table[DETECT_FLOW].url = "/rules/flow-keywords.html#flow";
71  sigmatch_table[DETECT_FLOW].Setup = DetectFlowSetup;
73 #ifdef UNITTESTS
74  sigmatch_table[DETECT_FLOW].RegisterTests = DetectFlowRegisterTests;
75 #endif
76  sigmatch_table[DETECT_FLOW].SupportsPrefilter = PrefilterFlowIsPrefilterable;
77  sigmatch_table[DETECT_FLOW].SetupPrefilter = PrefilterSetupFlow;
78 
79  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
80 }
81 
82 /**
83  * \param pflags packet flags (p->flags)
84  * \param pflowflags packet flow flags (p->flowflags)
85  * \param dflags detect flow flags
86  * \param match_cnt number of matches to trigger
87  */
88 static inline int FlowMatch(const uint32_t pflags, const uint8_t pflowflags, const uint16_t dflags,
89  const uint16_t match_cnt)
90 {
91  uint8_t cnt = 0;
92 
93  if ((dflags & DETECT_FLOW_FLAG_NO_FRAG) &&
94  (!(pflags & PKT_REBUILT_FRAGMENT))) {
95  cnt++;
96  } else if ((dflags & DETECT_FLOW_FLAG_ONLY_FRAG) &&
97  (pflags & PKT_REBUILT_FRAGMENT)) {
98  cnt++;
99  }
100 
101  if ((dflags & DETECT_FLOW_FLAG_TOSERVER) && (pflowflags & FLOW_PKT_TOSERVER)) {
102  cnt++;
103  } else if ((dflags & DETECT_FLOW_FLAG_TOCLIENT) && (pflowflags & FLOW_PKT_TOCLIENT)) {
104  cnt++;
105  }
106 
107  if ((dflags & DETECT_FLOW_FLAG_ESTABLISHED) && (pflowflags & FLOW_PKT_ESTABLISHED)) {
108  cnt++;
109  } else if (dflags & DETECT_FLOW_FLAG_NOT_ESTABLISHED && (!(pflowflags & FLOW_PKT_ESTABLISHED))) {
110  cnt++;
111  } else if (dflags & DETECT_FLOW_FLAG_STATELESS) {
112  cnt++;
113  }
114 
115  return (match_cnt == cnt) ? 1 : 0;
116 }
117 
118 /**
119  * \brief This function is used to match flow flags set on a packet with those passed via flow:
120  *
121  * \param t pointer to thread vars
122  * \param det_ctx pointer to the pattern matcher thread
123  * \param p pointer to the current packet
124  * \param m pointer to the sigmatch that we will cast into DetectFlowData
125  *
126  * \retval 0 no match
127  * \retval 1 match
128  */
130  const Signature *s, const SigMatchCtx *ctx)
131 {
132  SCEnter();
133 
134  SCLogDebug("pkt %p", p);
135 
136  if (p->flowflags & FLOW_PKT_TOSERVER) {
137  SCLogDebug("FLOW_PKT_TOSERVER");
138  } else if (p->flowflags & FLOW_PKT_TOCLIENT) {
139  SCLogDebug("FLOW_PKT_TOCLIENT");
140  }
141 
142  if (p->flowflags & FLOW_PKT_ESTABLISHED) {
143  SCLogDebug("FLOW_PKT_ESTABLISHED");
144  }
145 
146  const DetectFlowData *fd = (const DetectFlowData *)ctx;
147 
148  const int ret = FlowMatch(p->flags, p->flowflags, fd->flags, fd->match_cnt);
149  SCLogDebug("returning %" PRId32 " fd->match_cnt %" PRId32 " fd->flags 0x%02X p->flowflags 0x%02X",
150  ret, fd->match_cnt, fd->flags, p->flowflags);
151  SCReturnInt(ret);
152 }
153 
154 /**
155  * \brief This function is used to parse flow options passed via flow: keyword
156  *
157  * \param de_ctx Pointer to the detection engine context
158  * \param flowstr Pointer to the user provided flow options
159  * \param[out] parse_flags keyword flags only used during parsing
160  *
161  * \retval fd pointer to DetectFlowData on success
162  * \retval NULL on failure
163  */
164 static DetectFlowData *DetectFlowParse(
165  DetectEngineCtx *de_ctx, const char *flowstr, uint16_t *parse_flags)
166 {
167  DetectFlowData *fd = NULL;
168  char *args[3] = {NULL,NULL,NULL};
169  int res = 0;
170  size_t pcre2len;
171  char str1[16] = "", str2[16] = "", str3[16] = "";
172  pcre2_match_data *match = NULL;
173 
174  int ret = DetectParsePcreExec(&parse_regex, &match, flowstr, 0, 0);
175  if (ret < 1 || ret > 4) {
176  SCLogError("parse error, ret %" PRId32 ", string %s", ret, flowstr);
177  goto error;
178  }
179 
180  if (ret > 1) {
181  pcre2len = sizeof(str1);
182  res = SC_Pcre2SubstringCopy(match, 1, (PCRE2_UCHAR8 *)str1, &pcre2len);
183  if (res < 0) {
184  SCLogError("pcre2_substring_copy_bynumber failed");
185  goto error;
186  }
187  args[0] = (char *)str1;
188 
189  if (ret > 2) {
190  pcre2len = sizeof(str2);
191  res = pcre2_substring_copy_bynumber(match, 2, (PCRE2_UCHAR8 *)str2, &pcre2len);
192  if (res < 0) {
193  SCLogError("pcre2_substring_copy_bynumber failed");
194  goto error;
195  }
196  args[1] = (char *)str2;
197  }
198  if (ret > 3) {
199  pcre2len = sizeof(str3);
200  res = pcre2_substring_copy_bynumber(match, 3, (PCRE2_UCHAR8 *)str3, &pcre2len);
201  if (res < 0) {
202  SCLogError("pcre2_substring_copy_bynumber failed");
203  goto error;
204  }
205  args[2] = (char *)str3;
206  }
207  }
208 
209  fd = SCMalloc(sizeof(DetectFlowData));
210  if (unlikely(fd == NULL))
211  goto error;
212  fd->flags = 0;
213  fd->match_cnt = 0;
214 
215  for (int i = 0; i < (ret - 1); i++) {
216  if (args[i]) {
217  /* inspect our options and set the flags */
218  if (strcasecmp(args[i], "established") == 0) {
220  SCLogError("DETECT_FLOW_FLAG_ESTABLISHED flag is already set");
221  goto error;
222  } else if (fd->flags & DETECT_FLOW_FLAG_NOT_ESTABLISHED) {
223  SCLogError("cannot set DETECT_FLOW_FLAG_ESTABLISHED, "
224  "DETECT_FLOW_FLAG_NOT_ESTABLISHED already set");
225  goto error;
226  } else if (fd->flags & DETECT_FLOW_FLAG_STATELESS) {
227  SCLogError("DETECT_FLOW_FLAG_STATELESS already set");
228  goto error;
229  }
231  fd->match_cnt++;
232  } else if (strcasecmp(args[i], "not_established") == 0) {
234  SCLogError("DETECT_FLOW_FLAG_NOT_ESTABLISHED flag is already set");
235  goto error;
236  } else if (fd->flags & DETECT_FLOW_FLAG_ESTABLISHED) {
237  SCLogError("cannot set DETECT_FLOW_FLAG_NOT_ESTABLISHED, "
238  "DETECT_FLOW_FLAG_ESTABLISHED already set");
239  goto error;
240  }
242  fd->match_cnt++;
243  } else if (strcasecmp(args[i], "stateless") == 0) {
244  if (fd->flags & DETECT_FLOW_FLAG_STATELESS) {
245  SCLogError("DETECT_FLOW_FLAG_STATELESS flag is already set");
246  goto error;
247  } else if (fd->flags & DETECT_FLOW_FLAG_ESTABLISHED) {
248  SCLogError("cannot set DETECT_FLOW_FLAG_STATELESS, "
249  "DETECT_FLOW_FLAG_ESTABLISHED already set");
250  goto error;
251  }
253  fd->match_cnt++;
254  } else if (strcasecmp(args[i], "to_client") == 0 || strcasecmp(args[i], "from_server") == 0) {
255  if (fd->flags & DETECT_FLOW_FLAG_TOCLIENT) {
256  SCLogError("cannot set DETECT_FLOW_FLAG_TOCLIENT flag is already set");
257  goto error;
258  } else if (fd->flags & DETECT_FLOW_FLAG_TOSERVER) {
259  SCLogError("cannot set to_client, DETECT_FLOW_FLAG_TOSERVER already set");
260  goto error;
261  }
263  fd->match_cnt++;
264  } else if (strcasecmp(args[i], "to_server") == 0 || strcasecmp(args[i], "from_client") == 0){
265  if (fd->flags & DETECT_FLOW_FLAG_TOSERVER) {
266  SCLogError("cannot set DETECT_FLOW_FLAG_TOSERVER flag is already set");
267  goto error;
268  } else if (fd->flags & DETECT_FLOW_FLAG_TOCLIENT) {
269  SCLogError("cannot set to_server, DETECT_FLOW_FLAG_TO_CLIENT flag already set");
270  goto error;
271  }
273  fd->match_cnt++;
274  } else if (strcasecmp(args[i], "no_frag") == 0) {
275  if (fd->flags & DETECT_FLOW_FLAG_NO_FRAG) {
276  SCLogError("cannot set no_frag flag is already set");
277  goto error;
278  } else if (fd->flags & DETECT_FLOW_FLAG_ONLY_FRAG) {
279  SCLogError("cannot set no_frag flag, only_frag already set");
280  goto error;
281  }
283  fd->match_cnt++;
284  } else if (strcasecmp(args[i], "only_frag") == 0) {
285  if (fd->flags & DETECT_FLOW_FLAG_ONLY_FRAG) {
286  SCLogError("cannot set only_frag flag is already set");
287  goto error;
288  } else if (fd->flags & DETECT_FLOW_FLAG_NO_FRAG) {
289  SCLogError("cannot set only_frag flag, no_frag already set");
290  goto error;
291  }
293  fd->match_cnt++;
294 
295  /* special case: these only affect parsing, not matching */
296 
297  } else if (strcasecmp(args[i], "only_stream") == 0) {
298  if (*parse_flags & DETECT_FLOW_FLAG_ONLYSTREAM) {
299  SCLogError("cannot set only_stream flag is already set");
300  goto error;
301  } else if (*parse_flags & DETECT_FLOW_FLAG_NOSTREAM) {
302  SCLogError(
303  "cannot set only_stream flag, DETECT_FLOW_FLAG_NOSTREAM already set");
304  goto error;
305  }
306  *parse_flags |= DETECT_FLOW_FLAG_ONLYSTREAM;
307  } else if (strcasecmp(args[i], "no_stream") == 0) {
308  if (*parse_flags & DETECT_FLOW_FLAG_NOSTREAM) {
309  SCLogError("cannot set no_stream flag is already set");
310  goto error;
311  } else if (*parse_flags & DETECT_FLOW_FLAG_ONLYSTREAM) {
312  SCLogError(
313  "cannot set no_stream flag, DETECT_FLOW_FLAG_ONLYSTREAM already set");
314  goto error;
315  }
316  *parse_flags |= DETECT_FLOW_FLAG_NOSTREAM;
317  } else {
318  SCLogError("invalid flow option \"%s\"", args[i]);
319  goto error;
320  }
321  }
322  }
323  pcre2_match_data_free(match);
324  return fd;
325 
326 error:
327  if (match) {
328  pcre2_match_data_free(match);
329  }
330  if (fd != NULL)
331  DetectFlowFree(de_ctx, fd);
332  return NULL;
333 
334 }
335 
337 {
338 #define SIG_FLAG_BOTH (SIG_FLAG_TOSERVER|SIG_FLAG_TOCLIENT)
339  BUG_ON(flags == 0);
342 
343  SCLogDebug("want %08lx", flags & SIG_FLAG_BOTH);
344  SCLogDebug("have %08lx", s->flags & SIG_FLAG_BOTH);
345 
346  if (flags & SIG_FLAG_TOSERVER) {
347  if ((s->flags & SIG_FLAG_BOTH) == SIG_FLAG_BOTH) {
348  /* both is set if we just have 'flow:established' */
349  s->flags &= ~SIG_FLAG_TOCLIENT;
350  } else if (s->flags & SIG_FLAG_TOCLIENT) {
351  return -1;
352  }
353  s->flags |= SIG_FLAG_TOSERVER;
354  } else {
355  if ((s->flags & SIG_FLAG_BOTH) == SIG_FLAG_BOTH) {
356  /* both is set if we just have 'flow:established' */
357  s->flags &= ~SIG_FLAG_TOSERVER;
358  } else if (s->flags & SIG_FLAG_TOSERVER) {
359  return -1;
360  }
361  s->flags |= SIG_FLAG_TOCLIENT;
362  }
363  return 0;
364 #undef SIG_FLAG_BOTH
365 }
366 
367 /**
368  * \brief this function is used to add the parsed flowdata into the current signature
369  *
370  * \param de_ctx pointer to the Detection Engine Context
371  * \param s pointer to the Current Signature
372  * \param flowstr pointer to the user provided flow options
373  *
374  * \retval 0 on Success
375  * \retval -1 on Failure
376  */
377 int DetectFlowSetup (DetectEngineCtx *de_ctx, Signature *s, const char *flowstr)
378 {
379  uint16_t parse_flags = 0;
380 
381  /* ensure only one flow option */
383  SCLogError("A signature may have only one flow option.");
384  return -1;
385  }
386 
387  DetectFlowData *fd = DetectFlowParse(de_ctx, flowstr, &parse_flags);
388  if (fd == NULL)
389  return -1;
390 
391  bool appendsm = true;
392  /* set the signature direction flags */
393  if (fd->flags & DETECT_FLOW_FLAG_TOSERVER) {
394  s->flags |= SIG_FLAG_TOSERVER;
395  } else if (fd->flags & DETECT_FLOW_FLAG_TOCLIENT) {
396  s->flags |= SIG_FLAG_TOCLIENT;
397  } else {
398  s->flags |= SIG_FLAG_TOSERVER;
399  s->flags |= SIG_FLAG_TOCLIENT;
400  }
401  if (fd->flags == 0 || fd->flags == DETECT_FLOW_FLAG_TOSERVER ||
403  /* no direct flow is needed for just direction,
404  * no sigmatch is needed either. */
405  appendsm = false;
406  } else {
408  }
409 
410  if (appendsm) {
412  de_ctx, s, DETECT_FLOW, (SigMatchCtx *)fd, DETECT_SM_LIST_MATCH) == NULL) {
413  goto error;
414  }
415  } else if (fd != NULL) {
416  DetectFlowFree(de_ctx, fd);
417  }
418 
419  if (parse_flags & DETECT_FLOW_FLAG_ONLYSTREAM) {
421  }
422  if (parse_flags & DETECT_FLOW_FLAG_NOSTREAM) {
424  }
425  return 0;
426 
427 error:
428  if (fd != NULL)
429  DetectFlowFree(de_ctx, fd);
430  return -1;
431 
432 }
433 
434 /**
435  * \brief this function will free memory associated with DetectFlowData
436  *
437  * \param fd pointer to DetectFlowData
438  */
440 {
441  DetectFlowData *fd = (DetectFlowData *)ptr;
442  SCFree(fd);
443 }
444 
445 static void
446 PrefilterPacketFlowMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)
447 {
448  const PrefilterPacketHeaderCtx *ctx = pectx;
449 
450  if (!PrefilterPacketHeaderExtraMatch(ctx, p))
451  return;
452 
453  if (FlowMatch(p->flags, p->flowflags, ctx->v1.u16[0], ctx->v1.u16[1])) {
454  PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);
455  }
456 }
457 
458 static void
459 PrefilterPacketFlowSet(PrefilterPacketHeaderValue *v, void *smctx)
460 {
461  const DetectFlowData *fb = smctx;
462  v->u16[0] = fb->flags;
463  v->u16[1] = fb->match_cnt;
464 }
465 
466 static bool
467 PrefilterPacketFlowCompare(PrefilterPacketHeaderValue v, void *smctx)
468 {
469  const DetectFlowData *fb = smctx;
470  if (v.u16[0] == fb->flags && v.u16[1] == fb->match_cnt) {
471  return true;
472  }
473  return false;
474 }
475 
476 static int PrefilterSetupFlow(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
477 {
479  PrefilterPacketFlowSet,
480  PrefilterPacketFlowCompare,
481  PrefilterPacketFlowMatch);
482 }
483 
484 static bool PrefilterFlowIsPrefilterable(const Signature *s)
485 {
486  const SigMatch *sm;
487  for (sm = s->init_data->smlists[DETECT_SM_LIST_MATCH] ; sm != NULL; sm = sm->next) {
488  switch (sm->type) {
489  case DETECT_FLOW:
490  return true;
491  }
492  }
493  return false;
494 }
495 
496 #ifdef UNITTESTS
497 #include "detect-engine-alert.h"
498 
499 /**
500  * \test DetectFlowTestParse01 is a test to make sure that we return "something"
501  * when given valid flow opt
502  */
503 static int DetectFlowTestParse01 (void)
504 {
505  uint16_t parsed_flags = 0;
506  DetectFlowData *fd = DetectFlowParse(NULL, "established", &parsed_flags);
507  FAIL_IF_NULL(fd);
508  FAIL_IF_NOT(parsed_flags == 0);
509  DetectFlowFree(NULL, fd);
510  PASS;
511 }
512 
513 /**
514  * \test DetectFlowTestParse02 is a test for setting the established flow opt
515  */
516 static int DetectFlowTestParse02 (void)
517 {
518  uint16_t parsed_flags = 0;
519  DetectFlowData *fd = DetectFlowParse(NULL, "established", &parsed_flags);
520  FAIL_IF_NULL(fd);
522  fd->match_cnt == 1);
523  PASS;
524 }
525 
526 /**
527  * \test DetectFlowTestParse03 is a test for setting the stateless flow opt
528  */
529 static int DetectFlowTestParse03 (void)
530 {
531  uint16_t parsed_flags = 0;
532  DetectFlowData *fd = DetectFlowParse(NULL, "stateless", &parsed_flags);
533  FAIL_IF_NULL(fd);
535  DetectFlowFree(NULL, fd);
536  PASS;
537 }
538 
539 /**
540  * \test DetectFlowTestParse04 is a test for setting the to_client flow opt
541  */
542 static int DetectFlowTestParse04 (void)
543 {
544  uint16_t parsed_flags = 0;
545  DetectFlowData *fd = DetectFlowParse(NULL, "to_client", &parsed_flags);
546  FAIL_IF_NULL(fd);
548  DetectFlowFree(NULL, fd);
549  PASS;
550 }
551 
552 /**
553  * \test DetectFlowTestParse05 is a test for setting the to_server flow opt
554  */
555 static int DetectFlowTestParse05 (void)
556 {
557  uint16_t parsed_flags = 0;
558  DetectFlowData *fd = DetectFlowParse(NULL, "to_server", &parsed_flags);
559  FAIL_IF_NULL(fd);
561  DetectFlowFree(NULL, fd);
562  PASS;
563 }
564 
565 /**
566  * \test DetectFlowTestParse06 is a test for setting the from_server flow opt
567  */
568 static int DetectFlowTestParse06 (void)
569 {
570  uint16_t parsed_flags = 0;
571  DetectFlowData *fd = DetectFlowParse(NULL, "from_server", &parsed_flags);
572  FAIL_IF_NULL(fd);
574  DetectFlowFree(NULL, fd);
575  PASS;
576 }
577 
578 /**
579  * \test DetectFlowTestParse07 is a test for setting the from_client flow opt
580  */
581 static int DetectFlowTestParse07 (void)
582 {
583  uint16_t parsed_flags = 0;
584  DetectFlowData *fd = DetectFlowParse(NULL, "from_client", &parsed_flags);
585  FAIL_IF_NULL(fd);
587  DetectFlowFree(NULL, fd);
588  PASS;
589 }
590 
591 /**
592  * \test DetectFlowTestParse08 is a test for setting the established,to_client flow opts
593  */
594 static int DetectFlowTestParse08 (void)
595 {
596  uint16_t parsed_flags = 0;
597  DetectFlowData *fd = DetectFlowParse(NULL, "established,to_client", &parsed_flags);
598  FAIL_IF_NULL(fd);
600  DetectFlowFree(NULL, fd);
601  PASS;
602 }
603 
604 /**
605  * \test DetectFlowTestParse09 is a test for setting the to_client,stateless flow opts (order of state,dir reversed)
606  */
607 static int DetectFlowTestParse09 (void)
608 {
609  uint16_t parsed_flags = 0;
610  DetectFlowData *fd = DetectFlowParse(NULL, "to_client,stateless", &parsed_flags);
611  FAIL_IF_NULL(fd);
614  fd->match_cnt == 2);
615  DetectFlowFree(NULL, fd);
616  PASS;
617 }
618 
619 /**
620  * \test DetectFlowTestParse10 is a test for setting the from_server,stateless flow opts (order of state,dir reversed)
621  */
622 static int DetectFlowTestParse10 (void)
623 {
624  uint16_t parsed_flags = 0;
625  DetectFlowData *fd = DetectFlowParse(NULL, "from_server,stateless", &parsed_flags);
626  FAIL_IF_NULL(fd);
629  fd->match_cnt == 2);
630  DetectFlowFree(NULL, fd);
631  PASS;
632 }
633 
634 /**
635  * \test DetectFlowTestParse11 is a test for setting the from_server,stateless flow opts with spaces all around
636  */
637 static int DetectFlowTestParse11 (void)
638 {
639  uint16_t parsed_flags = 0;
640  DetectFlowData *fd = DetectFlowParse(NULL, " from_server , stateless ", &parsed_flags);
641  FAIL_IF_NULL(fd);
644  fd->match_cnt == 2);
645  DetectFlowFree(NULL, fd);
646  PASS;
647 }
648 
649 /**
650  * \test DetectFlowTestParseNocase01 is a test to make sure that we return "something"
651  * when given valid flow opt
652  */
653 static int DetectFlowTestParseNocase01 (void)
654 {
655  uint16_t parsed_flags = 0;
656  DetectFlowData *fd = DetectFlowParse(NULL, "ESTABLISHED", &parsed_flags);
657  FAIL_IF_NULL(fd);
658  DetectFlowFree(NULL, fd);
659  PASS;
660 }
661 
662 /**
663  * \test DetectFlowTestParseNocase02 is a test for setting the established flow opt
664  */
665 static int DetectFlowTestParseNocase02 (void)
666 {
667  uint16_t parsed_flags = 0;
668  DetectFlowData *fd = DetectFlowParse(NULL, "ESTABLISHED", &parsed_flags);
669  FAIL_IF_NULL(fd);
671  fd->match_cnt == 1);
672  DetectFlowFree(NULL, fd);
673  PASS;
674 }
675 
676 /**
677  * \test DetectFlowTestParseNocase03 is a test for setting the stateless flow opt
678  */
679 static int DetectFlowTestParseNocase03 (void)
680 {
681  uint16_t parsed_flags = 0;
682  DetectFlowData *fd = DetectFlowParse(NULL, "STATELESS", &parsed_flags);
683  FAIL_IF_NULL(fd);
685  DetectFlowFree(NULL, fd);
686  PASS;
687 }
688 
689 /**
690  * \test DetectFlowTestParseNocase04 is a test for setting the to_client flow opt
691  */
692 static int DetectFlowTestParseNocase04 (void)
693 {
694  uint16_t parsed_flags = 0;
695  DetectFlowData *fd = DetectFlowParse(NULL, "TO_CLIENT", &parsed_flags);
696  FAIL_IF_NULL(fd);
698  DetectFlowFree(NULL, fd);
699  PASS;
700 }
701 
702 /**
703  * \test DetectFlowTestParseNocase05 is a test for setting the to_server flow opt
704  */
705 static int DetectFlowTestParseNocase05 (void)
706 {
707  uint16_t parsed_flags = 0;
708  DetectFlowData *fd = DetectFlowParse(NULL, "TO_SERVER", &parsed_flags);
709  FAIL_IF_NULL(fd);
711  DetectFlowFree(NULL, fd);
712  PASS;
713 }
714 
715 /**
716  * \test DetectFlowTestParseNocase06 is a test for setting the from_server flow opt
717  */
718 static int DetectFlowTestParseNocase06 (void)
719 {
720  uint16_t parsed_flags = 0;
721  DetectFlowData *fd = DetectFlowParse(NULL, "FROM_SERVER", &parsed_flags);
722  FAIL_IF_NULL(fd);
724  DetectFlowFree(NULL, fd);
725  PASS;
726 }
727 
728 /**
729  * \test DetectFlowTestParseNocase07 is a test for setting the from_client flow opt
730  */
731 static int DetectFlowTestParseNocase07 (void)
732 {
733  uint16_t parsed_flags = 0;
734  DetectFlowData *fd = DetectFlowParse(NULL, "FROM_CLIENT", &parsed_flags);
735  FAIL_IF_NULL(fd);
737  DetectFlowFree(NULL, fd);
738  PASS;
739 }
740 
741 /**
742  * \test DetectFlowTestParseNocase08 is a test for setting the established,to_client flow opts
743  */
744 static int DetectFlowTestParseNocase08 (void)
745 {
746  uint16_t parsed_flags = 0;
747  DetectFlowData *fd = DetectFlowParse(NULL, "ESTABLISHED,TO_CLIENT", &parsed_flags);
748  FAIL_IF_NULL(fd);
751  fd->match_cnt == 2);
752  DetectFlowFree(NULL, fd);
753  PASS;
754 }
755 
756 /**
757  * \test DetectFlowTestParseNocase09 is a test for setting the to_client,stateless flow opts (order of state,dir reversed)
758  */
759 static int DetectFlowTestParseNocase09 (void)
760 {
761  uint16_t parsed_flags = 0;
762  DetectFlowData *fd = DetectFlowParse(NULL, "TO_CLIENT,STATELESS", &parsed_flags);
763  FAIL_IF_NULL(fd);
766  fd->match_cnt == 2);
767  DetectFlowFree(NULL, fd);
768  PASS;
769 }
770 
771 /**
772  * \test DetectFlowTestParseNocase10 is a test for setting the from_server,stateless flow opts (order of state,dir reversed)
773  */
774 static int DetectFlowTestParseNocase10 (void)
775 {
776  uint16_t parsed_flags = 0;
777  DetectFlowData *fd = DetectFlowParse(NULL, "FROM_SERVER,STATELESS", &parsed_flags);
778  FAIL_IF_NULL(fd);
781  fd->match_cnt == 2);
782  DetectFlowFree(NULL, fd);
783  PASS;
784 }
785 
786 /**
787  * \test DetectFlowTestParseNocase11 is a test for setting the from_server,stateless flow opts with spaces all around
788  */
789 static int DetectFlowTestParseNocase11 (void)
790 {
791  uint16_t parsed_flags = 0;
792  DetectFlowData *fd = DetectFlowParse(NULL, " FROM_SERVER , STATELESS ", &parsed_flags);
793  FAIL_IF_NULL(fd);
796  fd->match_cnt == 2);
797  DetectFlowFree(NULL, fd);
798  PASS;
799 }
800 
801 /**
802  * \test DetectFlowTestParse12 is a test for setting an invalid separator :
803  */
804 static int DetectFlowTestParse12 (void)
805 {
806  uint16_t parsed_flags = 0;
807  DetectFlowData *fd = DetectFlowParse(NULL, "from_server:stateless", &parsed_flags);
808  FAIL_IF_NOT_NULL(fd);
809  PASS;
810 }
811 
812 /**
813  * \test DetectFlowTestParse13 is a test for an invalid option
814  */
815 static int DetectFlowTestParse13 (void)
816 {
817  uint16_t parsed_flags = 0;
818  DetectFlowData *fd = DetectFlowParse(NULL, "invalidoptiontest", &parsed_flags);
819  FAIL_IF_NOT_NULL(fd);
820  PASS;
821 }
822 
823 /**
824  * \test DetectFlowTestParse14 is a test for a empty option
825  */
826 static int DetectFlowTestParse14 (void)
827 {
828  uint16_t parsed_flags = 0;
829  DetectFlowData *fd = DetectFlowParse(NULL, "", &parsed_flags);
830  FAIL_IF_NOT_NULL(fd);
831  PASS;
832 }
833 
834 /**
835  * \test DetectFlowTestParse15 is a test for an invalid combo of options established,stateless
836  */
837 static int DetectFlowTestParse15 (void)
838 {
839  uint16_t parsed_flags = 0;
840  DetectFlowData *fd = DetectFlowParse(NULL, "established,stateless", &parsed_flags);
841  FAIL_IF_NOT_NULL(fd);
842  PASS;
843 }
844 
845 /**
846  * \test DetectFlowTestParse16 is a test for an invalid combo of options to_client,to_server
847  */
848 static int DetectFlowTestParse16 (void)
849 {
850  uint16_t parsed_flags = 0;
851  DetectFlowData *fd = DetectFlowParse(NULL, "to_client,to_server", &parsed_flags);
852  FAIL_IF_NOT_NULL(fd);
853  PASS;
854 }
855 
856 /**
857  * \test DetectFlowTestParse16 is a test for an invalid combo of options to_client,from_server
858  * flowbit flags are the same
859  */
860 static int DetectFlowTestParse17 (void)
861 {
862  uint16_t parsed_flags = 0;
863  DetectFlowData *fd = DetectFlowParse(NULL, "to_client,from_server", &parsed_flags);
864  FAIL_IF_NOT_NULL(fd);
865  PASS;
866 }
867 
868 /**
869  * \test DetectFlowTestParse18 is a test for setting the from_server,stateless,only_stream flow opts (order of state,dir reversed)
870  */
871 static int DetectFlowTestParse18 (void)
872 {
873  uint16_t parsed_flags = 0;
874  DetectFlowData *fd =
875  DetectFlowParse(NULL, "from_server,established,only_stream", &parsed_flags);
876  FAIL_IF_NULL(fd);
878  FAIL_IF_NOT(parsed_flags == DETECT_FLOW_FLAG_ONLYSTREAM);
879  FAIL_IF_NOT(fd->match_cnt == 2);
880  DetectFlowFree(NULL, fd);
881  PASS;
882 }
883 
884 /**
885  * \test DetectFlowTestParseNocase18 is a test for setting the from_server,stateless,only_stream flow opts (order of state,dir reversed)
886  */
887 static int DetectFlowTestParseNocase18 (void)
888 {
889  uint16_t parsed_flags = 0;
890  DetectFlowData *fd =
891  DetectFlowParse(NULL, "FROM_SERVER,ESTABLISHED,ONLY_STREAM", &parsed_flags);
892  FAIL_IF_NULL(fd);
894  FAIL_IF_NOT(parsed_flags == DETECT_FLOW_FLAG_ONLYSTREAM);
895  FAIL_IF_NOT(fd->match_cnt == 2);
896  DetectFlowFree(NULL, fd);
897  PASS;
898 }
899 
900 
901 /**
902  * \test DetectFlowTestParse19 is a test for one to many options passed to DetectFlowParse
903  */
904 static int DetectFlowTestParse19 (void)
905 {
906  uint16_t parsed_flags = 0;
907  DetectFlowData *fd =
908  DetectFlowParse(NULL, "from_server,established,only_stream,a", &parsed_flags);
909  FAIL_IF_NOT_NULL(fd);
910  PASS;
911 }
912 
913 /**
914  * \test DetectFlowTestParse20 is a test for setting from_server, established, no_stream
915  */
916 static int DetectFlowTestParse20 (void)
917 {
918  uint16_t parsed_flags = 0;
919  DetectFlowData *fd = DetectFlowParse(NULL, "from_server,established,no_stream", &parsed_flags);
920  FAIL_IF_NULL(fd);
922  FAIL_IF_NOT(parsed_flags == DETECT_FLOW_FLAG_NOSTREAM);
923  FAIL_IF_NOT(fd->match_cnt == 2);
924  DetectFlowFree(NULL, fd);
925  PASS;
926 }
927 
928 /**
929  * \test DetectFlowTestParse20 is a test for setting from_server, established, no_stream
930  */
931 static int DetectFlowTestParseNocase20 (void)
932 {
933  uint16_t parsed_flags = 0;
934  DetectFlowData *fd = DetectFlowParse(NULL, "FROM_SERVER,ESTABLISHED,NO_STREAM", &parsed_flags);
935  FAIL_IF_NULL(fd);
937  FAIL_IF_NOT(parsed_flags == DETECT_FLOW_FLAG_NOSTREAM);
938  FAIL_IF_NOT(fd->match_cnt == 2);
939  DetectFlowFree(NULL, fd);
940  PASS;
941 }
942 
943 /**
944  * \test DetectFlowTestParse21 is a test for an invalid opt between to valid opts
945  */
946 static int DetectFlowTestParse21 (void)
947 {
948  uint16_t parsed_flags = 0;
949  DetectFlowData *fd = DetectFlowParse(NULL, "from_server,a,no_stream", &parsed_flags);
950  FAIL_IF_NOT_NULL(fd);
951  PASS;
952 }
953 
954 /**
955  * \test DetectFlowTestParse22 is a test for setting the established,not_established flow opts both
956  */
957 static int DetectFlowTestParse22(void)
958 {
959  uint16_t parsed_flags = 0;
960  DetectFlowData *fd = DetectFlowParse(NULL, "established,not_established", &parsed_flags);
961  FAIL_IF_NOT_NULL(fd);
962  fd = DetectFlowParse(NULL, "not_established,established", &parsed_flags);
963  FAIL_IF_NOT_NULL(fd);
964  PASS;
965 }
966 
967 static int DetectFlowSigTest01(void)
968 {
969  uint8_t *buf = (uint8_t *)"supernovaduper";
970  uint16_t buflen = strlen((char *)buf);
971  ThreadVars th_v;
973  memset(&dtv, 0, sizeof(DecodeThreadVars));
974  memset(&th_v, 0, sizeof(th_v));
975 
976  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
977  FAIL_IF_NULL(p);
978 
979  const char *sig1 = "alert tcp any any -> any any (msg:\"dummy\"; "
980  "content:\"nova\"; flow:no_stream; sid:1;)";
981 
984  de_ctx->flags |= DE_QUIET;
985 
986  de_ctx->sig_list = SigInit(de_ctx, sig1);
988 
990  DetectEngineThreadCtx *det_ctx = NULL;
991  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
992  FAIL_IF_NULL(det_ctx);
993 
994  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
995  FAIL_IF(PacketAlertCheck(p, 1) != 1);
996 
997  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
999  UTHFreePacket(p);
1000 
1001  PASS;
1002 }
1003 
1004 /**
1005  * \test Test parsing of the not_established keyword.
1006  */
1007 static int DetectFlowTestParseNotEstablished(void)
1008 {
1009  uint16_t parsed_flags = 0;
1010  DetectFlowData *fd = DetectFlowParse(NULL, "not_established", &parsed_flags);
1011  FAIL_IF_NULL(fd);
1013  DetectFlowFree(NULL, fd);
1014  PASS;
1015 }
1016 
1017 /**
1018  * \test Test parsing of the "no_frag" flow argument.
1019  */
1020 static int DetectFlowTestParseNoFrag(void)
1021 {
1022  uint16_t parsed_flags = 0;
1023  DetectFlowData *fd = DetectFlowParse(NULL, "no_frag", &parsed_flags);
1024  FAIL_IF_NULL(fd);
1026  DetectFlowFree(NULL, fd);
1027  PASS;
1028 }
1029 
1030 /**
1031  * \test Test parsing of the "only_frag" flow argument.
1032  */
1033 static int DetectFlowTestParseOnlyFrag(void)
1034 {
1035  uint16_t parsed_flags = 0;
1036  DetectFlowData *fd = DetectFlowParse(NULL, "only_frag", &parsed_flags);
1037  FAIL_IF_NULL(fd);
1039  DetectFlowFree(NULL, fd);
1040  PASS;
1041 }
1042 
1043 /**
1044  * \test Test that parsing of only_frag and no_frag together fails.
1045  */
1046 static int DetectFlowTestParseNoFragOnlyFrag(void)
1047 {
1048  uint16_t parsed_flags = 0;
1049  DetectFlowData *fd = DetectFlowParse(NULL, "no_frag,only_frag", &parsed_flags);
1050  FAIL_IF_NOT_NULL(fd);
1051  PASS;
1052 }
1053 
1054 /**
1055  * \test Test no_frag matching.
1056  */
1057 static int DetectFlowTestNoFragMatch(void)
1058 {
1059  uint16_t parsed_flags = 0;
1060  uint32_t pflags = 0;
1061  DetectFlowData *fd = DetectFlowParse(NULL, "no_frag", &parsed_flags);
1062  FAIL_IF_NULL(fd);
1064  FAIL_IF_NOT(fd->match_cnt == 1);
1065  FAIL_IF_NOT(FlowMatch(pflags, 0, fd->flags, fd->match_cnt));
1066  pflags |= PKT_REBUILT_FRAGMENT;
1067  FAIL_IF(FlowMatch(pflags, 0, fd->flags, fd->match_cnt));
1068  PASS;
1069 }
1070 
1071 /**
1072  * \test Test only_frag matching.
1073  */
1074 static int DetectFlowTestOnlyFragMatch(void)
1075 {
1076  uint16_t parsed_flags = 0;
1077  uint32_t pflags = 0;
1078  DetectFlowData *fd = DetectFlowParse(NULL, "only_frag", &parsed_flags);
1079  FAIL_IF_NULL(fd);
1081  FAIL_IF_NOT(fd->match_cnt == 1);
1082  FAIL_IF(FlowMatch(pflags, 0, fd->flags, fd->match_cnt));
1083  pflags |= PKT_REBUILT_FRAGMENT;
1084  FAIL_IF_NOT(FlowMatch(pflags, 0, fd->flags, fd->match_cnt));
1085  PASS;
1086 }
1087 
1088 /**
1089  * \brief this function registers unit tests for DetectFlow
1090  */
1091 static void DetectFlowRegisterTests(void)
1092 {
1093  UtRegisterTest("DetectFlowTestParse01", DetectFlowTestParse01);
1094  UtRegisterTest("DetectFlowTestParse02", DetectFlowTestParse02);
1095  UtRegisterTest("DetectFlowTestParse03", DetectFlowTestParse03);
1096  UtRegisterTest("DetectFlowTestParse04", DetectFlowTestParse04);
1097  UtRegisterTest("DetectFlowTestParse05", DetectFlowTestParse05);
1098  UtRegisterTest("DetectFlowTestParse06", DetectFlowTestParse06);
1099  UtRegisterTest("DetectFlowTestParse07", DetectFlowTestParse07);
1100  UtRegisterTest("DetectFlowTestParse08", DetectFlowTestParse08);
1101  UtRegisterTest("DetectFlowTestParse09", DetectFlowTestParse09);
1102  UtRegisterTest("DetectFlowTestParse10", DetectFlowTestParse10);
1103  UtRegisterTest("DetectFlowTestParse11", DetectFlowTestParse11);
1104  UtRegisterTest("DetectFlowTestParseNocase01", DetectFlowTestParseNocase01);
1105  UtRegisterTest("DetectFlowTestParseNocase02", DetectFlowTestParseNocase02);
1106  UtRegisterTest("DetectFlowTestParseNocase03", DetectFlowTestParseNocase03);
1107  UtRegisterTest("DetectFlowTestParseNocase04", DetectFlowTestParseNocase04);
1108  UtRegisterTest("DetectFlowTestParseNocase05", DetectFlowTestParseNocase05);
1109  UtRegisterTest("DetectFlowTestParseNocase06", DetectFlowTestParseNocase06);
1110  UtRegisterTest("DetectFlowTestParseNocase07", DetectFlowTestParseNocase07);
1111  UtRegisterTest("DetectFlowTestParseNocase08", DetectFlowTestParseNocase08);
1112  UtRegisterTest("DetectFlowTestParseNocase09", DetectFlowTestParseNocase09);
1113  UtRegisterTest("DetectFlowTestParseNocase10", DetectFlowTestParseNocase10);
1114  UtRegisterTest("DetectFlowTestParseNocase11", DetectFlowTestParseNocase11);
1115  UtRegisterTest("DetectFlowTestParse12", DetectFlowTestParse12);
1116  UtRegisterTest("DetectFlowTestParse13", DetectFlowTestParse13);
1117  UtRegisterTest("DetectFlowTestParse14", DetectFlowTestParse14);
1118  UtRegisterTest("DetectFlowTestParse15", DetectFlowTestParse15);
1119  UtRegisterTest("DetectFlowTestParse16", DetectFlowTestParse16);
1120  UtRegisterTest("DetectFlowTestParse17", DetectFlowTestParse17);
1121  UtRegisterTest("DetectFlowTestParse18", DetectFlowTestParse18);
1122  UtRegisterTest("DetectFlowTestParseNocase18", DetectFlowTestParseNocase18);
1123  UtRegisterTest("DetectFlowTestParse19", DetectFlowTestParse19);
1124  UtRegisterTest("DetectFlowTestParse20", DetectFlowTestParse20);
1125  UtRegisterTest("DetectFlowTestParseNocase20", DetectFlowTestParseNocase20);
1126  UtRegisterTest("DetectFlowTestParse21", DetectFlowTestParse21);
1127  UtRegisterTest("DetectFlowTestParse22", DetectFlowTestParse22);
1128  UtRegisterTest("DetectFlowTestParseNotEstablished",
1129  DetectFlowTestParseNotEstablished);
1130  UtRegisterTest("DetectFlowTestParseNoFrag", DetectFlowTestParseNoFrag);
1131  UtRegisterTest("DetectFlowTestParseOnlyFrag",
1132  DetectFlowTestParseOnlyFrag);
1133  UtRegisterTest("DetectFlowTestParseNoFragOnlyFrag",
1134  DetectFlowTestParseNoFragOnlyFrag);
1135  UtRegisterTest("DetectFlowTestNoFragMatch", DetectFlowTestNoFragMatch);
1136  UtRegisterTest("DetectFlowTestOnlyFragMatch", DetectFlowTestOnlyFragMatch);
1137 
1138  UtRegisterTest("DetectFlowSigTest01", DetectFlowSigTest01);
1139 }
1140 #endif /* UNITTESTS */
DETECT_FLOW_FLAG_TOCLIENT
#define DETECT_FLOW_FLAG_TOCLIENT
Definition: detect-flow.h:28
DETECT_FLOW_FLAG_STATELESS
#define DETECT_FLOW_FLAG_STATELESS
Definition: detect-flow.h:31
SigTableElmt_::url
const char * url
Definition: detect.h:1296
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:578
SigTableElmt_::desc
const char * desc
Definition: detect.h:1295
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1283
DetectFlowData_
Definition: detect-flow.h:37
DetectParseRegex
Definition: detect-parse.h:62
DETECT_FLOW_FLAG_NOSTREAM
#define DETECT_FLOW_FLAG_NOSTREAM
Definition: detect-flow.h:33
SigTableElmt_::name
const char * name
Definition: detect.h:1293
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1445
SIG_FLAG_INIT_FLOW
#define SIG_FLAG_INIT_FLOW
Definition: detect.h:284
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DETECT_FLOW
@ DETECT_FLOW
Definition: detect-engine-register.h:54
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
Packet_::flags
uint32_t flags
Definition: decode.h:474
DetectFlowData_::match_cnt
uint8_t match_cnt
Definition: detect-flow.h:39
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1201
DetectFlowData_::flags
uint16_t flags
Definition: detect-flow.h:38
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:836
PrefilterPacketHeaderCtx_::sigs_array
SigIntId * sigs_array
Definition: detect-engine-prefilter-common.h:43
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2533
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:223
SIG_FLAG_REQUIRE_STREAM
#define SIG_FLAG_REQUIRE_STREAM
Definition: detect.h:247
DE_QUIET
#define DE_QUIET
Definition: detect.h:321
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:340
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1884
SignatureInitData_::init_flags
uint32_t init_flags
Definition: detect.h:545
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
Definition: detect-parse.c:2674
PrefilterPacketHeaderCtx_::sigs_cnt
uint32_t sigs_cnt
Definition: detect-engine-prefilter-common.h:42
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:468
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:264
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1278
DetectFlowSetupImplicit
int DetectFlowSetupImplicit(Signature *s, uint32_t flags)
Definition: detect-flow.c:336
PrefilterPacketHeaderValue::u16
uint16_t u16[8]
Definition: detect-engine-prefilter-common.h:25
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
SigTableElmt_::SetupPrefilter
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
Definition: detect.h:1281
DETECT_FLOW_FLAG_ONLYSTREAM
#define DETECT_FLOW_FLAG_ONLYSTREAM
Definition: detect-flow.h:32
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:263
PrefilterPacketHeaderCtx_
Definition: detect-engine-prefilter-common.h:35
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1092
PARSE_REGEX
#define PARSE_REGEX
Regex for parsing our flow options.
Definition: detect-flow.c:47
DETECT_FLOW_FLAG_TOSERVER
#define DETECT_FLOW_FLAG_TOSERVER
Definition: detect-flow.h:27
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2791
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:351
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:111
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2314
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:300
Signature_::flags
uint32_t flags
Definition: detect.h:594
Packet_
Definition: decode.h:437
detect-engine-build.h
detect-engine-alert.h
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:662
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1261
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:224
SIG_FLAG_REQUIRE_STREAM_ONLY
#define SIG_FLAG_REQUIRE_STREAM_ONLY
Definition: detect.h:253
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2149
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:33
PrefilterPacketHeaderCtx_::v1
PrefilterPacketHeaderValue v1
Definition: detect-engine-prefilter-common.h:36
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:342
cnt
uint32_t cnt
Definition: tmqh-packetpool.h:7
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3244
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3454
SigMatch_::type
uint16_t type
Definition: detect.h:348
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:127
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:844
DetectFlowRegister
void DetectFlowRegister(void)
Registration function for flow: keyword.
Definition: detect-flow.c:65
SIG_FLAG_BOTH
#define SIG_FLAG_BOTH
PrefilterSetupPacketHeader
int PrefilterSetupPacketHeader(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type, void(*Set)(PrefilterPacketHeaderValue *v, void *), bool(*Compare)(PrefilterPacketHeaderValue v, void *), void(*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
Definition: detect-engine-prefilter-common.c:417
DETECT_FLOW_FLAG_NOT_ESTABLISHED
#define DETECT_FLOW_FLAG_NOT_ESTABLISHED
Definition: detect-flow.h:30
detect-flow.h
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
DETECT_FLOW_FLAG_ONLY_FRAG
#define DETECT_FLOW_FLAG_ONLY_FRAG
Definition: detect-flow.h:35
PKT_REBUILT_FRAGMENT
#define PKT_REBUILT_FRAGMENT
Definition: decode.h:1058
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:685
SigTableElmt_::SupportsPrefilter
bool(* SupportsPrefilter)(const Signature *s)
Definition: detect.h:1280
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:448
DETECT_FLOW_FLAG_ESTABLISHED
#define DETECT_FLOW_FLAG_ESTABLISHED
Definition: detect-flow.h:29
detect-parse.h
DetectFlowFree
void DetectFlowFree(DetectEngineCtx *, void *)
this function will free memory associated with DetectFlowData
Definition: detect-flow.c:439
Signature_
Signature container.
Definition: detect.h:593
SigMatch_
a single match condition for a signature
Definition: detect.h:347
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:225
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2494
SC_Pcre2SubstringCopy
int SC_Pcre2SubstringCopy(pcre2_match_data *match_data, uint32_t number, PCRE2_UCHAR *buffer, PCRE2_SIZE *bufflen)
Definition: detect-parse.c:2767
DetectFlowMatch
int DetectFlowMatch(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
This function is used to match flow flags set on a packet with those passed via flow:
Definition: detect-flow.c:129
PrefilterPacketHeaderValue
Definition: detect-engine-prefilter-common.h:23
SigMatchAppendSMToList
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:447
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:838
detect-engine-prefilter-common.h
flow.h
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
flow-var.h
DETECT_FLOW_FLAG_NO_FRAG
#define DETECT_FLOW_FLAG_NO_FRAG
Definition: detect-flow.h:34
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1285
SIG_FLAG_REQUIRE_PACKET
#define SIG_FLAG_REQUIRE_PACKET
Definition: detect.h:246