suricata
detect-flow.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * FLOW part of the detection engine.
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 
29 #include "detect.h"
30 #include "detect-parse.h"
31 #include "detect-engine.h"
32 #include "detect-engine-prefilter-common.h"
33 #include "detect-engine-build.h"
34 
35 #include "flow.h"
36 #include "flow-var.h"
37 
38 #include "detect-flow.h"
39 
40 #include "util-unittest.h"
41 #include "util-unittest-helper.h"
42 #include "util-debug.h"
43 
44 /**
45  * \brief Regex for parsing our flow options
46  */
47 #define PARSE_REGEX "^\\s*([A-z_]+)\\s*(?:,\\s*([A-z_]+))?\\s*(?:,\\s*([A-z_]+))?\\s*$"
48 
49 static DetectParseRegex parse_regex;
50 
51 int DetectFlowMatch (DetectEngineThreadCtx *, Packet *,
52  const Signature *, const SigMatchCtx *);
53 static int DetectFlowSetup (DetectEngineCtx *, Signature *, const char *);
54 #ifdef UNITTESTS
55 static void DetectFlowRegisterTests(void);
56 #endif
57 void DetectFlowFree(DetectEngineCtx *, void *);
58 
59 static int PrefilterSetupFlow(DetectEngineCtx *de_ctx, SigGroupHead *sgh);
60 static bool PrefilterFlowIsPrefilterable(const Signature *s);
61 
62 /**
63  * \brief Registration function for flow: keyword
64  */
65 void DetectFlowRegister (void)
66 {
67  sigmatch_table[DETECT_FLOW].name = "flow";
68  sigmatch_table[DETECT_FLOW].desc = "match on direction and state of the flow";
69  sigmatch_table[DETECT_FLOW].url = "/rules/flow-keywords.html#flow";
70  sigmatch_table[DETECT_FLOW].Match = DetectFlowMatch;
71  sigmatch_table[DETECT_FLOW].Setup = DetectFlowSetup;
72  sigmatch_table[DETECT_FLOW].Free = DetectFlowFree;
73 #ifdef UNITTESTS
74  sigmatch_table[DETECT_FLOW].RegisterTests = DetectFlowRegisterTests;
75 #endif
76  sigmatch_table[DETECT_FLOW].SupportsPrefilter = PrefilterFlowIsPrefilterable;
77  sigmatch_table[DETECT_FLOW].SetupPrefilter = PrefilterSetupFlow;
78 
79  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
80 }
81 
82 /**
83  * \param pflags packet flags (p->flags)
84  * \param pflowflags packet flow flags (p->flowflags)
85  * \param tflags detection flags (det_ctx->flags)
86  * \param dflags detect flow flags
87  * \param match_cnt number of matches to trigger
88  */
89 static inline int FlowMatch(const uint32_t pflags, const uint8_t pflowflags, const uint16_t tflags,
90  const uint16_t dflags, const uint16_t match_cnt)
91 {
92  uint8_t cnt = 0;
93 
94  if ((dflags & DETECT_FLOW_FLAG_NO_FRAG) &&
95  (!(pflags & PKT_REBUILT_FRAGMENT))) {
96  cnt++;
97  } else if ((dflags & DETECT_FLOW_FLAG_ONLY_FRAG) &&
98  (pflags & PKT_REBUILT_FRAGMENT)) {
99  cnt++;
100  }
101 
102  if ((dflags & DETECT_FLOW_FLAG_TOSERVER) && (pflowflags & FLOW_PKT_TOSERVER)) {
103  cnt++;
104  } else if ((dflags & DETECT_FLOW_FLAG_TOCLIENT) && (pflowflags & FLOW_PKT_TOCLIENT)) {
105  cnt++;
106  }
107 
108  if ((dflags & DETECT_FLOW_FLAG_ESTABLISHED) && (pflowflags & FLOW_PKT_ESTABLISHED)) {
109  cnt++;
110  } else if (dflags & DETECT_FLOW_FLAG_NOT_ESTABLISHED && (!(pflowflags & FLOW_PKT_ESTABLISHED))) {
111  cnt++;
112  } else if (dflags & DETECT_FLOW_FLAG_STATELESS) {
113  cnt++;
114  }
115 
116  if (tflags & DETECT_ENGINE_THREAD_CTX_STREAM_CONTENT_MATCH) {
117  if (dflags & DETECT_FLOW_FLAG_ONLYSTREAM)
118  cnt++;
119  } else {
120  if (dflags & DETECT_FLOW_FLAG_NOSTREAM)
121  cnt++;
122  }
123 
124  return (match_cnt == cnt) ? 1 : 0;
125 }
126 
127 /**
128  * \brief This function is used to match flow flags set on a packet with those passed via flow:
129  *
130  * \param t pointer to thread vars
131  * \param det_ctx pointer to the pattern matcher thread
132  * \param p pointer to the current packet
133  * \param m pointer to the sigmatch that we will cast into DetectFlowData
134  *
135  * \retval 0 no match
136  * \retval 1 match
137  */
138 int DetectFlowMatch (DetectEngineThreadCtx *det_ctx, Packet *p,
139  const Signature *s, const SigMatchCtx *ctx)
140 {
141  SCEnter();
142 
143  SCLogDebug("pkt %p", p);
144 
145  if (p->flowflags & FLOW_PKT_TOSERVER) {
146  SCLogDebug("FLOW_PKT_TOSERVER");
147  } else if (p->flowflags & FLOW_PKT_TOCLIENT) {
148  SCLogDebug("FLOW_PKT_TOCLIENT");
149  }
150 
151  if (p->flowflags & FLOW_PKT_ESTABLISHED) {
152  SCLogDebug("FLOW_PKT_ESTABLISHED");
153  }
154 
155  const DetectFlowData *fd = (const DetectFlowData *)ctx;
156 
157  const int ret = FlowMatch(p->flags, p->flowflags, det_ctx->flags, fd->flags, fd->match_cnt);
158  SCLogDebug("returning %" PRId32 " fd->match_cnt %" PRId32 " fd->flags 0x%02X p->flowflags 0x%02X",
159  ret, fd->match_cnt, fd->flags, p->flowflags);
160  SCReturnInt(ret);
161 }
162 
163 /**
164  * \brief This function is used to parse flow options passed via flow: keyword
165  *
166  * \param de_ctx Pointer to the detection engine context
167  * \param flowstr Pointer to the user provided flow options
168  *
169  * \retval fd pointer to DetectFlowData on success
170  * \retval NULL on failure
171  */
172 static DetectFlowData *DetectFlowParse (DetectEngineCtx *de_ctx, const char *flowstr)
173 {
174  DetectFlowData *fd = NULL;
175  char *args[3] = {NULL,NULL,NULL};
176  int ret = 0, res = 0;
177  size_t pcre2len;
178  char str1[16] = "", str2[16] = "", str3[16] = "";
179 
180  ret = DetectParsePcreExec(&parse_regex, flowstr, 0, 0);
181  if (ret < 1 || ret > 4) {
182  SCLogError("parse error, ret %" PRId32 ", string %s", ret, flowstr);
183  goto error;
184  }
185 
186  if (ret > 1) {
187  pcre2len = sizeof(str1);
188  res = SC_Pcre2SubstringCopy(parse_regex.match, 1, (PCRE2_UCHAR8 *)str1, &pcre2len);
189  if (res < 0) {
190  SCLogError("pcre2_substring_copy_bynumber failed");
191  goto error;
192  }
193  args[0] = (char *)str1;
194 
195  if (ret > 2) {
196  pcre2len = sizeof(str2);
197  res = pcre2_substring_copy_bynumber(
198  parse_regex.match, 2, (PCRE2_UCHAR8 *)str2, &pcre2len);
199  if (res < 0) {
200  SCLogError("pcre2_substring_copy_bynumber failed");
201  goto error;
202  }
203  args[1] = (char *)str2;
204  }
205  if (ret > 3) {
206  pcre2len = sizeof(str3);
207  res = pcre2_substring_copy_bynumber(
208  parse_regex.match, 3, (PCRE2_UCHAR8 *)str3, &pcre2len);
209  if (res < 0) {
210  SCLogError("pcre2_substring_copy_bynumber failed");
211  goto error;
212  }
213  args[2] = (char *)str3;
214  }
215  }
216 
217  fd = SCMalloc(sizeof(DetectFlowData));
218  if (unlikely(fd == NULL))
219  goto error;
220  fd->flags = 0;
221  fd->match_cnt = 0;
222 
223  int i;
224  for (i = 0; i < (ret - 1); i++) {
225  if (args[i]) {
226  /* inspect our options and set the flags */
227  if (strcasecmp(args[i], "established") == 0) {
228  if (fd->flags & DETECT_FLOW_FLAG_ESTABLISHED) {
229  SCLogError("DETECT_FLOW_FLAG_ESTABLISHED flag is already set");
230  goto error;
231  } else if (fd->flags & DETECT_FLOW_FLAG_STATELESS) {
232  SCLogError("DETECT_FLOW_FLAG_STATELESS already set");
233  goto error;
234  }
235  fd->flags |= DETECT_FLOW_FLAG_ESTABLISHED;
236  } else if (strcasecmp(args[i], "not_established") == 0) {
237  if (fd->flags & DETECT_FLOW_FLAG_NOT_ESTABLISHED) {
238  SCLogError("DETECT_FLOW_FLAG_NOT_ESTABLISHED flag is already set");
239  goto error;
240  } else if (fd->flags & DETECT_FLOW_FLAG_NOT_ESTABLISHED) {
241  SCLogError("cannot set DETECT_FLOW_FLAG_NOT_ESTABLISHED, "
242  "DETECT_FLOW_FLAG_ESTABLISHED already set");
243  goto error;
244  }
245  fd->flags |= DETECT_FLOW_FLAG_NOT_ESTABLISHED;
246  } else if (strcasecmp(args[i], "stateless") == 0) {
247  if (fd->flags & DETECT_FLOW_FLAG_STATELESS) {
248  SCLogError("DETECT_FLOW_FLAG_STATELESS flag is already set");
249  goto error;
250  } else if (fd->flags & DETECT_FLOW_FLAG_ESTABLISHED) {
251  SCLogError("cannot set DETECT_FLOW_FLAG_STATELESS, "
252  "DETECT_FLOW_FLAG_ESTABLISHED already set");
253  goto error;
254  }
255  fd->flags |= DETECT_FLOW_FLAG_STATELESS;
256  } else if (strcasecmp(args[i], "to_client") == 0 || strcasecmp(args[i], "from_server") == 0) {
257  if (fd->flags & DETECT_FLOW_FLAG_TOCLIENT) {
258  SCLogError("cannot set DETECT_FLOW_FLAG_TOCLIENT flag is already set");
259  goto error;
260  } else if (fd->flags & DETECT_FLOW_FLAG_TOSERVER) {
261  SCLogError("cannot set to_client, DETECT_FLOW_FLAG_TOSERVER already set");
262  goto error;
263  }
264  fd->flags |= DETECT_FLOW_FLAG_TOCLIENT;
265  } else if (strcasecmp(args[i], "to_server") == 0 || strcasecmp(args[i], "from_client") == 0){
266  if (fd->flags & DETECT_FLOW_FLAG_TOSERVER) {
267  SCLogError("cannot set DETECT_FLOW_FLAG_TOSERVER flag is already set");
268  goto error;
269  } else if (fd->flags & DETECT_FLOW_FLAG_TOCLIENT) {
270  SCLogError("cannot set to_server, DETECT_FLOW_FLAG_TO_CLIENT flag already set");
271  goto error;
272  }
273  fd->flags |= DETECT_FLOW_FLAG_TOSERVER;
274  } else if (strcasecmp(args[i], "only_stream") == 0) {
275  if (fd->flags & DETECT_FLOW_FLAG_ONLYSTREAM) {
276  SCLogError("cannot set only_stream flag is already set");
277  goto error;
278  } else if (fd->flags & DETECT_FLOW_FLAG_NOSTREAM) {
279  SCLogError(
280  "cannot set only_stream flag, DETECT_FLOW_FLAG_NOSTREAM already set");
281  goto error;
282  }
283  fd->flags |= DETECT_FLOW_FLAG_ONLYSTREAM;
284  } else if (strcasecmp(args[i], "no_stream") == 0) {
285  if (fd->flags & DETECT_FLOW_FLAG_NOSTREAM) {
286  SCLogError("cannot set no_stream flag is already set");
287  goto error;
288  } else if (fd->flags & DETECT_FLOW_FLAG_ONLYSTREAM) {
289  SCLogError(
290  "cannot set no_stream flag, DETECT_FLOW_FLAG_ONLYSTREAM already set");
291  goto error;
292  }
293  fd->flags |= DETECT_FLOW_FLAG_NOSTREAM;
294  } else if (strcasecmp(args[i], "no_frag") == 0) {
295  if (fd->flags & DETECT_FLOW_FLAG_NO_FRAG) {
296  SCLogError("cannot set no_frag flag is already set");
297  goto error;
298  } else if (fd->flags & DETECT_FLOW_FLAG_ONLY_FRAG) {
299  SCLogError("cannot set no_frag flag, only_frag already set");
300  goto error;
301  }
302  fd->flags |= DETECT_FLOW_FLAG_NO_FRAG;
303  } else if (strcasecmp(args[i], "only_frag") == 0) {
304  if (fd->flags & DETECT_FLOW_FLAG_ONLY_FRAG) {
305  SCLogError("cannot set only_frag flag is already set");
306  goto error;
307  } else if (fd->flags & DETECT_FLOW_FLAG_NO_FRAG) {
308  SCLogError("cannot set only_frag flag, no_frag already set");
309  goto error;
310  }
311  fd->flags |= DETECT_FLOW_FLAG_ONLY_FRAG;
312  } else {
313  SCLogError("invalid flow option \"%s\"", args[i]);
314  goto error;
315  }
316 
317  fd->match_cnt++;
318  //printf("args[%" PRId32 "]: %s match_cnt: %" PRId32 " flags: 0x%02X\n", i, args[i], fd->match_cnt, fd->flags);
319  }
320  }
321  return fd;
322 
323 error:
324  if (fd != NULL)
325  DetectFlowFree(de_ctx, fd);
326  return NULL;
327 
328 }
329 
330 int DetectFlowSetupImplicit(Signature *s, uint32_t flags)
331 {
332 #define SIG_FLAG_BOTH (SIG_FLAG_TOSERVER|SIG_FLAG_TOCLIENT)
333  BUG_ON(flags == 0);
334  BUG_ON(flags & ~SIG_FLAG_BOTH);
335  BUG_ON((flags & SIG_FLAG_BOTH) == SIG_FLAG_BOTH);
336 
337  SCLogDebug("want %08lx", flags & SIG_FLAG_BOTH);
338  SCLogDebug("have %08lx", s->flags & SIG_FLAG_BOTH);
339 
340  if (flags & SIG_FLAG_TOSERVER) {
341  if ((s->flags & SIG_FLAG_BOTH) == SIG_FLAG_BOTH) {
342  /* both is set if we just have 'flow:established' */
343  s->flags &= ~SIG_FLAG_TOCLIENT;
344  } else if (s->flags & SIG_FLAG_TOCLIENT) {
345  return -1;
346  }
347  s->flags |= SIG_FLAG_TOSERVER;
348  } else {
349  if ((s->flags & SIG_FLAG_BOTH) == SIG_FLAG_BOTH) {
350  /* both is set if we just have 'flow:established' */
351  s->flags &= ~SIG_FLAG_TOSERVER;
352  } else if (s->flags & SIG_FLAG_TOSERVER) {
353  return -1;
354  }
355  s->flags |= SIG_FLAG_TOCLIENT;
356  }
357  return 0;
358 #undef SIG_FLAG_BOTH
359 }
360 
361 /**
362  * \brief this function is used to add the parsed flowdata into the current signature
363  *
364  * \param de_ctx pointer to the Detection Engine Context
365  * \param s pointer to the Current Signature
366  * \param flowstr pointer to the user provided flow options
367  *
368  * \retval 0 on Success
369  * \retval -1 on Failure
370  */
371 int DetectFlowSetup (DetectEngineCtx *de_ctx, Signature *s, const char *flowstr)
372 {
373  /* ensure only one flow option */
374  if (s->init_data->init_flags & SIG_FLAG_INIT_FLOW) {
375  SCLogError("A signature may have only one flow option.");
376  return -1;
377  }
378 
379  DetectFlowData *fd = DetectFlowParse(de_ctx, flowstr);
380  if (fd == NULL)
381  return -1;
382 
383  SigMatch *sm = SigMatchAlloc();
384  if (sm == NULL)
385  goto error;
386 
387  sm->type = DETECT_FLOW;
388  sm->ctx = (SigMatchCtx *)fd;
389 
390  /* set the signature direction flags */
391  if (fd->flags & DETECT_FLOW_FLAG_TOSERVER) {
392  s->flags |= SIG_FLAG_TOSERVER;
393  } else if (fd->flags & DETECT_FLOW_FLAG_TOCLIENT) {
394  s->flags |= SIG_FLAG_TOCLIENT;
395  } else {
396  s->flags |= SIG_FLAG_TOSERVER;
397  s->flags |= SIG_FLAG_TOCLIENT;
398  }
399  if (fd->flags & DETECT_FLOW_FLAG_ONLYSTREAM) {
400  s->flags |= SIG_FLAG_REQUIRE_STREAM;
401  }
402  if (fd->flags & DETECT_FLOW_FLAG_NOSTREAM) {
403  s->flags |= SIG_FLAG_REQUIRE_PACKET;
404  } else if (fd->flags == DETECT_FLOW_FLAG_TOSERVER ||
405  fd->flags == DETECT_FLOW_FLAG_TOCLIENT)
406  {
407  /* no direct flow is needed for just direction,
408  * no sigmatch is needed either. */
409  SigMatchFree(de_ctx, sm);
410  sm = NULL;
411  } else {
412  s->init_data->init_flags |= SIG_FLAG_INIT_FLOW;
413  }
414 
415  if (sm != NULL) {
416  SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_MATCH);
417  }
418  return 0;
419 
420 error:
421  if (fd != NULL)
422  DetectFlowFree(de_ctx, fd);
423  return -1;
424 
425 }
426 
427 /**
428  * \brief this function will free memory associated with DetectFlowData
429  *
430  * \param fd pointer to DetectFlowData
431  */
432 void DetectFlowFree(DetectEngineCtx *de_ctx, void *ptr)
433 {
434  DetectFlowData *fd = (DetectFlowData *)ptr;
435  SCFree(fd);
436 }
437 
438 static void
439 PrefilterPacketFlowMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)
440 {
441  const PrefilterPacketHeaderCtx *ctx = pectx;
442 
443  if (!PrefilterPacketHeaderExtraMatch(ctx, p))
444  return;
445 
446  if (FlowMatch(p->flags, p->flowflags, det_ctx->flags, ctx->v1.u16[0], ctx->v1.u16[1])) {
447  PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);
448  }
449 }
450 
451 static void
452 PrefilterPacketFlowSet(PrefilterPacketHeaderValue *v, void *smctx)
453 {
454  const DetectFlowData *fb = smctx;
455  v->u16[0] = fb->flags;
456  v->u16[1] = fb->match_cnt;
457 }
458 
459 static bool
460 PrefilterPacketFlowCompare(PrefilterPacketHeaderValue v, void *smctx)
461 {
462  const DetectFlowData *fb = smctx;
463  if (v.u16[0] == fb->flags && v.u16[1] == fb->match_cnt) {
464  return true;
465  }
466  return false;
467 }
468 
469 static int PrefilterSetupFlow(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
470 {
471  return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_FLOW,
472  PrefilterPacketFlowSet,
473  PrefilterPacketFlowCompare,
474  PrefilterPacketFlowMatch);
475 }
476 
477 static bool PrefilterFlowIsPrefilterable(const Signature *s)
478 {
479  const SigMatch *sm;
480  for (sm = s->init_data->smlists[DETECT_SM_LIST_MATCH] ; sm != NULL; sm = sm->next) {
481  switch (sm->type) {
482  case DETECT_FLOW:
483  return true;
484  }
485  }
486  return false;
487 }
488 
489 #ifdef UNITTESTS
490 #include "detect-engine-alert.h"
491 
492 /**
493  * \test DetectFlowTestParse01 is a test to make sure that we return "something"
494  * when given valid flow opt
495  */
496 static int DetectFlowTestParse01 (void)
497 {
498  DetectFlowData *fd = NULL;
499  fd = DetectFlowParse(NULL, "established");
500  FAIL_IF_NULL(fd);
501  DetectFlowFree(NULL, fd);
502  PASS;
503 }
504 
505 /**
506  * \test DetectFlowTestParse02 is a test for setting the established flow opt
507  */
508 static int DetectFlowTestParse02 (void)
509 {
510  DetectFlowData *fd = NULL;
511  fd = DetectFlowParse(NULL, "established");
512  FAIL_IF_NULL(fd);
513  FAIL_IF_NOT(fd->flags == DETECT_FLOW_FLAG_ESTABLISHED &&
514  fd->match_cnt == 1);
515  PASS;
516 }
517 
518 /**
519  * \test DetectFlowTestParse03 is a test for setting the stateless flow opt
520  */
521 static int DetectFlowTestParse03 (void)
522 {
523  DetectFlowData *fd = NULL;
524  fd = DetectFlowParse(NULL, "stateless");
525  FAIL_IF_NULL(fd);
526  FAIL_IF_NOT(fd->flags == DETECT_FLOW_FLAG_STATELESS && fd->match_cnt == 1);
527  DetectFlowFree(NULL, fd);
528  PASS;
529 }
530 
531 /**
532  * \test DetectFlowTestParse04 is a test for setting the to_client flow opt
533  */
534 static int DetectFlowTestParse04 (void)
535 {
536  DetectFlowData *fd = NULL;
537  fd = DetectFlowParse(NULL, "to_client");
538  FAIL_IF_NULL(fd);
539  FAIL_IF_NOT(fd->flags == DETECT_FLOW_FLAG_TOCLIENT && fd->match_cnt == 1);
540  DetectFlowFree(NULL, fd);
541  PASS;
542 }
543 
544 /**
545  * \test DetectFlowTestParse05 is a test for setting the to_server flow opt
546  */
547 static int DetectFlowTestParse05 (void)
548 {
549  DetectFlowData *fd = NULL;
550  fd = DetectFlowParse(NULL, "to_server");
551  FAIL_IF_NULL(fd);
552  FAIL_IF_NOT(fd->flags == DETECT_FLOW_FLAG_TOSERVER && fd->match_cnt == 1);
553  DetectFlowFree(NULL, fd);
554  PASS;
555 }
556 
557 /**
558  * \test DetectFlowTestParse06 is a test for setting the from_server flow opt
559  */
560 static int DetectFlowTestParse06 (void)
561 {
562  DetectFlowData *fd = NULL;
563  fd = DetectFlowParse(NULL, "from_server");
564  FAIL_IF_NULL(fd);
565  FAIL_IF_NOT(fd->flags == DETECT_FLOW_FLAG_TOCLIENT && fd->match_cnt == 1);
566  DetectFlowFree(NULL, fd);
567  PASS;
568 }
569 
570 /**
571  * \test DetectFlowTestParse07 is a test for setting the from_client flow opt
572  */
573 static int DetectFlowTestParse07 (void)
574 {
575  DetectFlowData *fd = NULL;
576  fd = DetectFlowParse(NULL, "from_client");
577  FAIL_IF_NULL(fd);
578  FAIL_IF_NOT(fd->flags == DETECT_FLOW_FLAG_TOSERVER && fd->match_cnt == 1);
579  DetectFlowFree(NULL, fd);
580  PASS;
581 }
582 
583 /**
584  * \test DetectFlowTestParse08 is a test for setting the established,to_client flow opts
585  */
586 static int DetectFlowTestParse08 (void)
587 {
588  DetectFlowData *fd = NULL;
589  fd = DetectFlowParse(NULL, "established,to_client");
590  FAIL_IF_NULL(fd);
591  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_ESTABLISHED && fd->flags & DETECT_FLOW_FLAG_TOCLIENT && fd->match_cnt == 2);
592  DetectFlowFree(NULL, fd);
593  PASS;
594 }
595 
596 /**
597  * \test DetectFlowTestParse09 is a test for setting the to_client,stateless flow opts (order of state,dir reversed)
598  */
599 static int DetectFlowTestParse09 (void)
600 {
601  DetectFlowData *fd = NULL;
602  fd = DetectFlowParse(NULL, "to_client,stateless");
603  FAIL_IF_NULL(fd);
604  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_STATELESS &&
605  fd->flags & DETECT_FLOW_FLAG_TOCLIENT &&
606  fd->match_cnt == 2);
607  DetectFlowFree(NULL, fd);
608  PASS;
609 }
610 
611 /**
612  * \test DetectFlowTestParse10 is a test for setting the from_server,stateless flow opts (order of state,dir reversed)
613  */
614 static int DetectFlowTestParse10 (void)
615 {
616  DetectFlowData *fd = NULL;
617  fd = DetectFlowParse(NULL, "from_server,stateless");
618  FAIL_IF_NULL(fd);
619  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_STATELESS &&
620  fd->flags & DETECT_FLOW_FLAG_TOCLIENT &&
621  fd->match_cnt == 2);
622  DetectFlowFree(NULL, fd);
623  PASS;
624 }
625 
626 /**
627  * \test DetectFlowTestParse11 is a test for setting the from_server,stateless flow opts with spaces all around
628  */
629 static int DetectFlowTestParse11 (void)
630 {
631  DetectFlowData *fd = NULL;
632  fd = DetectFlowParse(NULL, " from_server , stateless ");
633  FAIL_IF_NULL(fd);
634  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_STATELESS &&
635  fd->flags & DETECT_FLOW_FLAG_TOCLIENT &&
636  fd->match_cnt == 2);
637  DetectFlowFree(NULL, fd);
638  PASS;
639 }
640 
641 /**
642  * \test DetectFlowTestParseNocase01 is a test to make sure that we return "something"
643  * when given valid flow opt
644  */
645 static int DetectFlowTestParseNocase01 (void)
646 {
647  DetectFlowData *fd = NULL;
648  fd = DetectFlowParse(NULL, "ESTABLISHED");
649  FAIL_IF_NULL(fd);
650  DetectFlowFree(NULL, fd);
651  PASS;
652 }
653 
654 /**
655  * \test DetectFlowTestParseNocase02 is a test for setting the established flow opt
656  */
657 static int DetectFlowTestParseNocase02 (void)
658 {
659  DetectFlowData *fd = NULL;
660  fd = DetectFlowParse(NULL, "ESTABLISHED");
661  FAIL_IF_NULL(fd);
662  FAIL_IF_NOT(fd->flags == DETECT_FLOW_FLAG_ESTABLISHED &&
663  fd->match_cnt == 1);
664  DetectFlowFree(NULL, fd);
665  PASS;
666 }
667 
668 /**
669  * \test DetectFlowTestParseNocase03 is a test for setting the stateless flow opt
670  */
671 static int DetectFlowTestParseNocase03 (void)
672 {
673  DetectFlowData *fd = NULL;
674  fd = DetectFlowParse(NULL, "STATELESS");
675  FAIL_IF_NULL(fd);
676  FAIL_IF_NOT(fd->flags == DETECT_FLOW_FLAG_STATELESS && fd->match_cnt == 1); DetectFlowFree(NULL, fd);
677  PASS;
678 }
679 
680 /**
681  * \test DetectFlowTestParseNocase04 is a test for setting the to_client flow opt
682  */
683 static int DetectFlowTestParseNocase04 (void)
684 {
685  DetectFlowData *fd = NULL;
686  fd = DetectFlowParse(NULL, "TO_CLIENT");
687  FAIL_IF_NULL(fd);
688  FAIL_IF_NOT(fd->flags == DETECT_FLOW_FLAG_TOCLIENT && fd->match_cnt == 1);
689  DetectFlowFree(NULL, fd);
690  PASS;
691 }
692 
693 /**
694  * \test DetectFlowTestParseNocase05 is a test for setting the to_server flow opt
695  */
696 static int DetectFlowTestParseNocase05 (void)
697 {
698  DetectFlowData *fd = NULL;
699  fd = DetectFlowParse(NULL, "TO_SERVER");
700  FAIL_IF_NULL(fd);
701  FAIL_IF_NOT(fd->flags == DETECT_FLOW_FLAG_TOSERVER && fd->match_cnt == 1);
702  DetectFlowFree(NULL, fd);
703  PASS;
704 }
705 
706 /**
707  * \test DetectFlowTestParseNocase06 is a test for setting the from_server flow opt
708  */
709 static int DetectFlowTestParseNocase06 (void)
710 {
711  DetectFlowData *fd = NULL;
712  fd = DetectFlowParse(NULL, "FROM_SERVER");
713  FAIL_IF_NULL(fd);
714  FAIL_IF_NOT(fd->flags == DETECT_FLOW_FLAG_TOCLIENT && fd->match_cnt == 1);
715  DetectFlowFree(NULL, fd);
716  PASS;
717 }
718 
719 /**
720  * \test DetectFlowTestParseNocase07 is a test for setting the from_client flow opt
721  */
722 static int DetectFlowTestParseNocase07 (void)
723 {
724  DetectFlowData *fd = NULL;
725  fd = DetectFlowParse(NULL, "FROM_CLIENT");
726  FAIL_IF_NULL(fd);
727  FAIL_IF_NOT(fd->flags == DETECT_FLOW_FLAG_TOSERVER && fd->match_cnt == 1);
728  DetectFlowFree(NULL, fd);
729  PASS;
730 }
731 
732 /**
733  * \test DetectFlowTestParseNocase08 is a test for setting the established,to_client flow opts
734  */
735 static int DetectFlowTestParseNocase08 (void)
736 {
737  DetectFlowData *fd = NULL;
738  fd = DetectFlowParse(NULL, "ESTABLISHED,TO_CLIENT");
739  FAIL_IF_NULL(fd);
740  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_ESTABLISHED &&
741  fd->flags & DETECT_FLOW_FLAG_TOCLIENT &&
742  fd->match_cnt == 2);
743  DetectFlowFree(NULL, fd);
744  PASS;
745 }
746 
747 /**
748  * \test DetectFlowTestParseNocase09 is a test for setting the to_client,stateless flow opts (order of state,dir reversed)
749  */
750 static int DetectFlowTestParseNocase09 (void)
751 {
752  DetectFlowData *fd = NULL;
753  fd = DetectFlowParse(NULL, "TO_CLIENT,STATELESS");
754  FAIL_IF_NULL(fd);
755  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_STATELESS &&
756  fd->flags & DETECT_FLOW_FLAG_TOCLIENT &&
757  fd->match_cnt == 2);
758  DetectFlowFree(NULL, fd);
759  PASS;
760 }
761 
762 /**
763  * \test DetectFlowTestParseNocase10 is a test for setting the from_server,stateless flow opts (order of state,dir reversed)
764  */
765 static int DetectFlowTestParseNocase10 (void)
766 {
767  DetectFlowData *fd = NULL;
768  fd = DetectFlowParse(NULL, "FROM_SERVER,STATELESS");
769  FAIL_IF_NULL(fd);
770  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_STATELESS &&
771  fd->flags & DETECT_FLOW_FLAG_TOCLIENT &&
772  fd->match_cnt == 2);
773  DetectFlowFree(NULL, fd);
774  PASS;
775 }
776 
777 /**
778  * \test DetectFlowTestParseNocase11 is a test for setting the from_server,stateless flow opts with spaces all around
779  */
780 static int DetectFlowTestParseNocase11 (void)
781 {
782  DetectFlowData *fd = NULL;
783  fd = DetectFlowParse(NULL, " FROM_SERVER , STATELESS ");
784  FAIL_IF_NULL(fd);
785  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_STATELESS &&
786  fd->flags & DETECT_FLOW_FLAG_TOCLIENT &&
787  fd->match_cnt == 2);
788  DetectFlowFree(NULL, fd);
789  PASS;
790 }
791 
792 /**
793  * \test DetectFlowTestParse12 is a test for setting an invalid seperator :
794  */
795 static int DetectFlowTestParse12 (void)
796 {
797  DetectFlowData *fd = NULL;
798  fd = DetectFlowParse(NULL, "from_server:stateless");
799  FAIL_IF_NOT_NULL(fd);
800  PASS;
801 }
802 
803 /**
804  * \test DetectFlowTestParse13 is a test for an invalid option
805  */
806 static int DetectFlowTestParse13 (void)
807 {
808  DetectFlowData *fd = NULL;
809  fd = DetectFlowParse(NULL, "invalidoptiontest");
810  FAIL_IF_NOT_NULL(fd);
811  PASS;
812 }
813 
814 /**
815  * \test DetectFlowTestParse14 is a test for a empty option
816  */
817 static int DetectFlowTestParse14 (void)
818 {
819  DetectFlowData *fd = NULL;
820  fd = DetectFlowParse(NULL, "");
821  FAIL_IF_NOT_NULL(fd);
822  PASS;
823 }
824 
825 /**
826  * \test DetectFlowTestParse15 is a test for an invalid combo of options established,stateless
827  */
828 static int DetectFlowTestParse15 (void)
829 {
830  DetectFlowData *fd = NULL;
831  fd = DetectFlowParse(NULL, "established,stateless");
832  FAIL_IF_NOT_NULL(fd);
833  PASS;
834 }
835 
836 /**
837  * \test DetectFlowTestParse16 is a test for an invalid combo of options to_client,to_server
838  */
839 static int DetectFlowTestParse16 (void)
840 {
841  DetectFlowData *fd = NULL;
842  fd = DetectFlowParse(NULL, "to_client,to_server");
843  FAIL_IF_NOT_NULL(fd);
844  PASS;
845 }
846 
847 /**
848  * \test DetectFlowTestParse16 is a test for an invalid combo of options to_client,from_server
849  * flowbit flags are the same
850  */
851 static int DetectFlowTestParse17 (void)
852 {
853  DetectFlowData *fd = NULL;
854  fd = DetectFlowParse(NULL, "to_client,from_server");
855  FAIL_IF_NOT_NULL(fd);
856  PASS;
857 }
858 
859 /**
860  * \test DetectFlowTestParse18 is a test for setting the from_server,stateless,only_stream flow opts (order of state,dir reversed)
861  */
862 static int DetectFlowTestParse18 (void)
863 {
864  DetectFlowData *fd = NULL;
865  fd = DetectFlowParse(NULL, "from_server,established,only_stream");
866  FAIL_IF_NULL(fd);
867  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_ESTABLISHED &&
868  fd->flags & DETECT_FLOW_FLAG_TOCLIENT &&
869  fd->flags & DETECT_FLOW_FLAG_ONLYSTREAM &&
870  fd->match_cnt == 3);
871  DetectFlowFree(NULL, fd);
872  PASS;
873 }
874 
875 /**
876  * \test DetectFlowTestParseNocase18 is a test for setting the from_server,stateless,only_stream flow opts (order of state,dir reversed)
877  */
878 static int DetectFlowTestParseNocase18 (void)
879 {
880  DetectFlowData *fd = NULL;
881  fd = DetectFlowParse(NULL, "FROM_SERVER,ESTABLISHED,ONLY_STREAM");
882  FAIL_IF_NULL(fd);
883  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_ESTABLISHED &&
884  fd->flags & DETECT_FLOW_FLAG_TOCLIENT &&
885  fd->flags & DETECT_FLOW_FLAG_ONLYSTREAM &&
886  fd->match_cnt == 3);
887  DetectFlowFree(NULL, fd);
888  PASS;
889 }
890 
891 
892 /**
893  * \test DetectFlowTestParse19 is a test for one to many options passed to DetectFlowParse
894  */
895 static int DetectFlowTestParse19 (void)
896 {
897  DetectFlowData *fd = NULL;
898  fd = DetectFlowParse(NULL, "from_server,established,only_stream,a");
899  FAIL_IF_NOT_NULL(fd);
900  PASS;
901 }
902 
903 /**
904  * \test DetectFlowTestParse20 is a test for setting from_server, established, no_stream
905  */
906 static int DetectFlowTestParse20 (void)
907 {
908  DetectFlowData *fd = NULL;
909  fd = DetectFlowParse(NULL, "from_server,established,no_stream");
910  FAIL_IF_NULL(fd);
911  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_ESTABLISHED &&
912  fd->flags & DETECT_FLOW_FLAG_TOCLIENT &&
913  fd->flags & DETECT_FLOW_FLAG_NOSTREAM &&
914  fd->match_cnt == 3);
915  DetectFlowFree(NULL, fd);
916  PASS;
917 }
918 
919 /**
920  * \test DetectFlowTestParse20 is a test for setting from_server, established, no_stream
921  */
922 static int DetectFlowTestParseNocase20 (void)
923 {
924  DetectFlowData *fd = NULL;
925  fd = DetectFlowParse(NULL, "FROM_SERVER,ESTABLISHED,NO_STREAM");
926  FAIL_IF_NULL(fd);
927  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_ESTABLISHED &&
928  fd->flags & DETECT_FLOW_FLAG_TOCLIENT &&
929  fd->flags & DETECT_FLOW_FLAG_NOSTREAM &&
930  fd->match_cnt == 3);
931  DetectFlowFree(NULL, fd);
932  PASS;
933 }
934 
935 /**
936  * \test DetectFlowTestParse21 is a test for an invalid opt between to valid opts
937  */
938 static int DetectFlowTestParse21 (void)
939 {
940  DetectFlowData *fd = NULL;
941  fd = DetectFlowParse(NULL, "from_server,a,no_stream");
942  FAIL_IF_NOT_NULL(fd);
943  PASS;
944 }
945 
946 static int DetectFlowSigTest01(void)
947 {
948  uint8_t *buf = (uint8_t *)"supernovaduper";
949  uint16_t buflen = strlen((char *)buf);
950  ThreadVars th_v;
951  DecodeThreadVars dtv;
952  memset(&dtv, 0, sizeof(DecodeThreadVars));
953  memset(&th_v, 0, sizeof(th_v));
954 
955  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
956  FAIL_IF_NULL(p);
957 
958  const char *sig1 = "alert tcp any any -> any any (msg:\"dummy\"; "
959  "content:\"nova\"; flow:no_stream; sid:1;)";
960 
961  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
962  FAIL_IF_NULL(de_ctx);
963  de_ctx->flags |= DE_QUIET;
964 
965  de_ctx->sig_list = SigInit(de_ctx, sig1);
966  FAIL_IF_NULL(de_ctx->sig_list);
967 
968  SigGroupBuild(de_ctx);
969  DetectEngineThreadCtx *det_ctx = NULL;
970  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
971  FAIL_IF_NULL(det_ctx);
972 
973  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
974  FAIL_IF(PacketAlertCheck(p, 1) != 1);
975 
976  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
977  DetectEngineCtxFree(de_ctx);
978  UTHFreePacket(p);
979 
980  PASS;
981 }
982 
983 /**
984  * \test Test parsing of the not_established keyword.
985  */
986 static int DetectFlowTestParseNotEstablished(void)
987 {
988  DetectFlowData *fd = NULL;
989  fd = DetectFlowParse(NULL, "not_established");
990  FAIL_IF_NULL(fd);
991  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_NOT_ESTABLISHED);
992  DetectFlowFree(NULL, fd);
993  PASS;
994 }
995 
996 /**
997  * \test Test parsing of the "no_frag" flow argument.
998  */
999 static int DetectFlowTestParseNoFrag(void)
1000 {
1001  DetectFlowData *fd = NULL;
1002  fd = DetectFlowParse(NULL, "no_frag");
1003  FAIL_IF_NULL(fd);
1004  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_NO_FRAG);
1005  DetectFlowFree(NULL, fd);
1006  PASS;
1007 }
1008 
1009 /**
1010  * \test Test parsing of the "only_frag" flow argument.
1011  */
1012 static int DetectFlowTestParseOnlyFrag(void)
1013 {
1014  DetectFlowData *fd = NULL;
1015  fd = DetectFlowParse(NULL, "only_frag");
1016  FAIL_IF_NULL(fd);
1017  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_ONLY_FRAG);
1018  DetectFlowFree(NULL, fd);
1019  PASS;
1020 }
1021 
1022 /**
1023  * \test Test that parsing of only_frag and no_frag together fails.
1024  */
1025 static int DetectFlowTestParseNoFragOnlyFrag(void)
1026 {
1027  DetectFlowData *fd = NULL;
1028  fd = DetectFlowParse(NULL, "no_frag,only_frag");
1029  FAIL_IF_NOT_NULL(fd);
1030  PASS;
1031 }
1032 
1033 /**
1034  * \test Test no_frag matching.
1035  */
1036 static int DetectFlowTestNoFragMatch(void)
1037 {
1038  uint32_t pflags = 0;
1039  DetectFlowData *fd = DetectFlowParse(NULL, "no_frag");
1040  FAIL_IF_NULL(fd);
1041  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_NO_FRAG);
1042  FAIL_IF_NOT(fd->match_cnt == 1);
1043  FAIL_IF_NOT(FlowMatch(pflags, 0, 0, fd->flags, fd->match_cnt));
1044  pflags |= PKT_REBUILT_FRAGMENT;
1045  FAIL_IF(FlowMatch(pflags, 0, 0, fd->flags, fd->match_cnt));
1046  PASS;
1047 }
1048 
1049 /**
1050  * \test Test only_frag matching.
1051  */
1052 static int DetectFlowTestOnlyFragMatch(void)
1053 {
1054  uint32_t pflags = 0;
1055  DetectFlowData *fd = DetectFlowParse(NULL, "only_frag");
1056  FAIL_IF_NULL(fd);
1057  FAIL_IF_NOT(fd->flags & DETECT_FLOW_FLAG_ONLY_FRAG);
1058  FAIL_IF_NOT(fd->match_cnt == 1);
1059  FAIL_IF(FlowMatch(pflags, 0, 0, fd->flags, fd->match_cnt));
1060  pflags |= PKT_REBUILT_FRAGMENT;
1061  FAIL_IF_NOT(FlowMatch(pflags, 0, 0, fd->flags, fd->match_cnt));
1062  PASS;
1063 }
1064 
1065 /**
1066  * \brief this function registers unit tests for DetectFlow
1067  */
1068 static void DetectFlowRegisterTests(void)
1069 {
1070  UtRegisterTest("DetectFlowTestParse01", DetectFlowTestParse01);
1071  UtRegisterTest("DetectFlowTestParse02", DetectFlowTestParse02);
1072  UtRegisterTest("DetectFlowTestParse03", DetectFlowTestParse03);
1073  UtRegisterTest("DetectFlowTestParse04", DetectFlowTestParse04);
1074  UtRegisterTest("DetectFlowTestParse05", DetectFlowTestParse05);
1075  UtRegisterTest("DetectFlowTestParse06", DetectFlowTestParse06);
1076  UtRegisterTest("DetectFlowTestParse07", DetectFlowTestParse07);
1077  UtRegisterTest("DetectFlowTestParse08", DetectFlowTestParse08);
1078  UtRegisterTest("DetectFlowTestParse09", DetectFlowTestParse09);
1079  UtRegisterTest("DetectFlowTestParse10", DetectFlowTestParse10);
1080  UtRegisterTest("DetectFlowTestParse11", DetectFlowTestParse11);
1081  UtRegisterTest("DetectFlowTestParseNocase01", DetectFlowTestParseNocase01);
1082  UtRegisterTest("DetectFlowTestParseNocase02", DetectFlowTestParseNocase02);
1083  UtRegisterTest("DetectFlowTestParseNocase03", DetectFlowTestParseNocase03);
1084  UtRegisterTest("DetectFlowTestParseNocase04", DetectFlowTestParseNocase04);
1085  UtRegisterTest("DetectFlowTestParseNocase05", DetectFlowTestParseNocase05);
1086  UtRegisterTest("DetectFlowTestParseNocase06", DetectFlowTestParseNocase06);
1087  UtRegisterTest("DetectFlowTestParseNocase07", DetectFlowTestParseNocase07);
1088  UtRegisterTest("DetectFlowTestParseNocase08", DetectFlowTestParseNocase08);
1089  UtRegisterTest("DetectFlowTestParseNocase09", DetectFlowTestParseNocase09);
1090  UtRegisterTest("DetectFlowTestParseNocase10", DetectFlowTestParseNocase10);
1091  UtRegisterTest("DetectFlowTestParseNocase11", DetectFlowTestParseNocase11);
1092  UtRegisterTest("DetectFlowTestParse12", DetectFlowTestParse12);
1093  UtRegisterTest("DetectFlowTestParse13", DetectFlowTestParse13);
1094  UtRegisterTest("DetectFlowTestParse14", DetectFlowTestParse14);
1095  UtRegisterTest("DetectFlowTestParse15", DetectFlowTestParse15);
1096  UtRegisterTest("DetectFlowTestParse16", DetectFlowTestParse16);
1097  UtRegisterTest("DetectFlowTestParse17", DetectFlowTestParse17);
1098  UtRegisterTest("DetectFlowTestParse18", DetectFlowTestParse18);
1099  UtRegisterTest("DetectFlowTestParseNocase18", DetectFlowTestParseNocase18);
1100  UtRegisterTest("DetectFlowTestParse19", DetectFlowTestParse19);
1101  UtRegisterTest("DetectFlowTestParse20", DetectFlowTestParse20);
1102  UtRegisterTest("DetectFlowTestParseNocase20", DetectFlowTestParseNocase20);
1103  UtRegisterTest("DetectFlowTestParse21", DetectFlowTestParse21);
1104  UtRegisterTest("DetectFlowTestParseNotEstablished",
1105  DetectFlowTestParseNotEstablished);
1106  UtRegisterTest("DetectFlowTestParseNoFrag", DetectFlowTestParseNoFrag);
1107  UtRegisterTest("DetectFlowTestParseOnlyFrag",
1108  DetectFlowTestParseOnlyFrag);
1109  UtRegisterTest("DetectFlowTestParseNoFragOnlyFrag",
1110  DetectFlowTestParseNoFragOnlyFrag);
1111  UtRegisterTest("DetectFlowTestNoFragMatch", DetectFlowTestNoFragMatch);
1112  UtRegisterTest("DetectFlowTestOnlyFragMatch", DetectFlowTestOnlyFragMatch);
1113 
1114  UtRegisterTest("DetectFlowSigTest01", DetectFlowSigTest01);
1115 }
1116 #endif /* UNITTESTS */
DETECT_FLOW_FLAG_TOCLIENT
#define DETECT_FLOW_FLAG_TOCLIENT
Definition: detect-flow.h:28
DETECT_FLOW_FLAG_STATELESS
#define DETECT_FLOW_FLAG_STATELESS
Definition: detect-flow.h:31
DetectParseRegex::match
pcre2_match_data * match
Definition: detect-parse.h:47
SigTableElmt_::url
const char * url
Definition: detect.h:1241
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SigTableElmt_::desc
const char * desc
Definition: detect.h:1240
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options)
Definition: detect-parse.c:2488
SigMatchFree
void SigMatchFree(DetectEngineCtx *de_ctx, SigMatch *sm)
free a SigMatch
Definition: detect-parse.c:254
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1228
DetectFlowData_
Definition: detect-flow.h:37
DetectParseRegex
Definition: detect-parse.h:44
DETECT_FLOW_FLAG_NOSTREAM
#define DETECT_FLOW_FLAG_NOSTREAM
Definition: detect-flow.h:33
SigTableElmt_::name
const char * name
Definition: detect.h:1238
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1395
SIG_FLAG_INIT_FLOW
#define SIG_FLAG_INIT_FLOW
Definition: detect.h:250
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DETECT_FLOW
@ DETECT_FLOW
Definition: detect-engine-register.h:54
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
Packet_::flags
uint32_t flags
Definition: decode.h:463
DetectFlowData_::match_cnt
uint8_t match_cnt
Definition: detect-flow.h:39
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1134
DetectFlowData_::flags
uint16_t flags
Definition: detect-flow.h:38
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:785
PrefilterPacketHeaderCtx_::sigs_array
SigIntId * sigs_array
Definition: detect-engine-prefilter-common.h:43
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2442
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:227
SIG_FLAG_REQUIRE_STREAM
#define SIG_FLAG_REQUIRE_STREAM
Definition: detect.h:216
DetectEngineThreadCtx_::flags
uint16_t flags
Definition: detect.h:1093
DE_QUIET
#define DE_QUIET
Definition: detect.h:287
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:337
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1809
SignatureInitData_::init_flags
uint32_t init_flags
Definition: detect.h:503
PrefilterPacketHeaderCtx_::sigs_cnt
uint32_t sigs_cnt
Definition: detect-engine-prefilter-common.h:42
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:459
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:229
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1223
DetectFlowSetupImplicit
int DetectFlowSetupImplicit(Signature *s, uint32_t flags)
Definition: detect-flow.c:330
PrefilterPacketHeaderValue::u16
uint16_t u16[8]
Definition: detect-engine-prefilter-common.h:25
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
SigTableElmt_::SetupPrefilter
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
Definition: detect.h:1226
DETECT_FLOW_FLAG_ONLYSTREAM
#define DETECT_FLOW_FLAG_ONLYSTREAM
Definition: detect-flow.h:32
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:228
PrefilterPacketHeaderCtx_
Definition: detect-engine-prefilter-common.h:35
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1025
PARSE_REGEX
#define PARSE_REGEX
Regex for parsing our flow options.
Definition: detect-flow.c:47
DETECT_FLOW_FLAG_TOSERVER
#define DETECT_FLOW_FLAG_TOSERVER
Definition: detect-flow.h:27
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2609
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:317
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:78
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2129
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:316
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:289
Signature_::flags
uint32_t flags
Definition: detect.h:541
Packet_
Definition: decode.h:428
detect-engine-build.h
detect-engine-alert.h
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:611
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1206
SignatureInitData_::smlists
struct SigMatch_ ** smlists
Definition: detect.h:534
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:228
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:239
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1951
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:33
PrefilterPacketHeaderCtx_::v1
PrefilterPacketHeaderValue v1
Definition: detect-engine-prefilter-common.h:36
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:308
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3153
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3367
SigMatch_::type
uint16_t type
Definition: detect.h:314
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:76
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:791
DetectFlowRegister
void DetectFlowRegister(void)
Registration function for flow: keyword.
Definition: detect-flow.c:65
SIG_FLAG_BOTH
#define SIG_FLAG_BOTH
PrefilterSetupPacketHeader
int PrefilterSetupPacketHeader(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type, void(*Set)(PrefilterPacketHeaderValue *v, void *), bool(*Compare)(PrefilterPacketHeaderValue v, void *), void(*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
Definition: detect-engine-prefilter-common.c:417
DETECT_FLOW_FLAG_NOT_ESTABLISHED
#define DETECT_FLOW_FLAG_NOT_ESTABLISHED
Definition: detect-flow.h:30
detect-flow.h
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
DETECT_FLOW_FLAG_ONLY_FRAG
#define DETECT_FLOW_FLAG_ONLY_FRAG
Definition: detect-flow.h:35
DETECT_ENGINE_THREAD_CTX_STREAM_CONTENT_MATCH
#define DETECT_ENGINE_THREAD_CTX_STREAM_CONTENT_MATCH
Definition: detect.h:275
PKT_REBUILT_FRAGMENT
#define PKT_REBUILT_FRAGMENT
Definition: decode.h:1039
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:664
SigTableElmt_::SupportsPrefilter
bool(* SupportsPrefilter)(const Signature *s)
Definition: detect.h:1225
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:485
DETECT_FLOW_FLAG_ESTABLISHED
#define DETECT_FLOW_FLAG_ESTABLISHED
Definition: detect-flow.h:29
detect-parse.h
DetectFlowFree
void DetectFlowFree(DetectEngineCtx *, void *)
this function will free memory associated with DetectFlowData
Definition: detect-flow.c:432
Signature_
Signature container.
Definition: detect.h:540
SigMatch_
a single match condition for a signature
Definition: detect.h:313
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:229
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2403
SC_Pcre2SubstringCopy
int SC_Pcre2SubstringCopy(pcre2_match_data *match_data, uint32_t number, PCRE2_UCHAR *buffer, PCRE2_SIZE *bufflen)
Definition: detect-parse.c:2585
DetectFlowMatch
int DetectFlowMatch(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
This function is used to match flow flags set on a packet with those passed via flow:
Definition: detect-flow.c:138
PrefilterPacketHeaderValue
Definition: detect-engine-prefilter-common.h:23
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:786
detect-engine-prefilter-common.h
flow.h
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
flow-var.h
DETECT_FLOW_FLAG_NO_FRAG
#define DETECT_FLOW_FLAG_NO_FRAG
Definition: detect-flow.h:34
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:354
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1230
SIG_FLAG_REQUIRE_PACKET
#define SIG_FLAG_REQUIRE_PACKET
Definition: detect.h:215