Go to the documentation of this file.
51 #define PARSE_REGEX "^([a-z]+)(?:,\\s*(.*))?"
54 #define MAX_TOKENS 100
89 while ((token = strtok_r(arrptr,
"|", &saveptr))) {
91 while(isspace((
unsigned char)*token))
95 char *end = token + strlen(token) - 1;
96 while(end > token && isspace((
unsigned char)*end))
100 if (strchr(token,
' ') != NULL) {
101 SCLogError(
"Spaces are not allowed in flowbit names.");
107 "maximum allowed: %d.",
206 return DetectFlowbitMatchIsset(p,fd);
208 return DetectFlowbitMatchIsnotset(p,fd);
210 return DetectFlowbitMatchSet(p,fd);
212 return DetectFlowbitMatchUnset(p,fd);
214 return DetectFlowbitMatchToggle(p,fd);
223 static int DetectFlowbitParse(
const char *
str,
char *cmd,
int cmd_len,
char *name,
228 pcre2_match_data *match = NULL;
231 if (count != 2 && count != 3) {
232 SCLogError(
"\"%s\" is not a valid setting for flowbits.",
str);
237 rc = pcre2_substring_copy_bynumber(match, 1, (PCRE2_UCHAR8 *)cmd, &pcre2len);
239 SCLogError(
"pcre2_substring_copy_bynumber failed");
245 rc = pcre2_substring_copy_bynumber(match, 2, (PCRE2_UCHAR8 *)name, &pcre2len);
247 SCLogError(
"pcre2_substring_copy_bynumber failed");
252 while (strlen(name) > 0 && isblank(name[strlen(name) - 1])) {
253 name[strlen(name) - 1] =
'\0';
256 if (strchr(name,
'|') == NULL) {
258 for (
size_t i = 0; i < strlen(name); i++) {
259 if (isblank(name[i])) {
260 SCLogError(
"spaces not allowed in flowbit names");
267 pcre2_match_data_free(match);
272 pcre2_match_data_free(match);
281 char fb_cmd_str[16] =
"", fb_name[256] =
"";
283 if (!DetectFlowbitParse(rawstr, fb_cmd_str,
sizeof(fb_cmd_str), fb_name,
288 if (strcmp(fb_cmd_str,
"noalert") == 0) {
289 if (strlen(fb_name) != 0)
293 }
else if (strcmp(fb_cmd_str,
"isset") == 0) {
295 }
else if (strcmp(fb_cmd_str,
"isnotset") == 0) {
297 }
else if (strcmp(fb_cmd_str,
"set") == 0) {
299 }
else if (strcmp(fb_cmd_str,
"unset") == 0) {
301 }
else if (strcmp(fb_cmd_str,
"toggle") == 0) {
304 SCLogError(
"ERROR: flowbits action \"%s\" is not supported.", fb_cmd_str);
315 if (strlen(fb_name) == 0)
323 if (strchr(fb_name,
'|') != NULL) {
324 int retval = FlowbitOrAddData(
de_ctx, cd, fb_name);
335 SCLogDebug(
"idx %" PRIu32
", cmd %s, name %s",
336 cd->
idx, fb_cmd_str, strlen(fb_name) ? fb_name :
"(none)");
418 struct FBAnalyze *array, uint32_t elements);
427 uint32_t array_size = max_fb_id + 1;
431 SCLogError(
"Unable to allocate flowbit analyze array");
436 (uint64_t)(array_size *
sizeof(
struct FBAnalyze)));
583 for (uint32_t i = 0; i < array_size; i++) {
588 bool to_state =
false;
596 "set. Checked in %u and %u other sigs",
602 SCLogDebug(
"flowbit %s/%u: isset in state, set not in state", varname, i);
611 SCLogDebug(
"flowbit %s/%u: isset not in state, set in state", varname, i);
615 SCLogDebug(
"ALL flowbit %s/%u: sets %u toggles %u unsets %u isnotsets %u issets %u", varname, i,
619 SCLogDebug(
"STATE flowbit %s/%u: sets %u toggles %u unsets %u isnotsets %u issets %u", varname, i,
624 SCLogDebug(
"SET flowbit %s/%u: SID %u", varname, i,
629 SCLogDebug(
"GET flowbit %s/%u: SID %u", varname, i, s->
id);
633 SCLogDebug(
"made SID %u stateful because it depends on "
634 "stateful rules that set flowbit %s", s->
id, varname);
640 DetectFlowbitsAnalyzeDump(
de_ctx, array, array_size);
644 for (uint32_t i = 0; i < array_size; i++) {
658 struct FBAnalyze *array, uint32_t elements)
660 JsonBuilder *js = jb_new_object();
664 jb_open_array(js,
"flowbits");
665 for (uint32_t x = 0; x < elements; x++) {
673 jb_set_string(js,
"name", varname);
674 jb_set_uint(js,
"internal_id", x);
683 jb_open_array(js,
"sets");
686 jb_append_uint(js, s->
id);
692 jb_open_array(js,
"isset");
695 jb_append_uint(js, s->
id);
701 jb_open_array(js,
"isnotset");
704 jb_append_uint(js, s->
id);
710 jb_open_array(js,
"unset");
713 jb_append_uint(js, s->
id);
719 jb_open_array(js,
"toggle");
722 jb_append_uint(js, s->
id);
731 const char *filename =
"flowbits.json";
733 char log_path[PATH_MAX] =
"";
734 snprintf(log_path,
sizeof(log_path),
"%s/%s", log_dir, filename);
737 FILE *fp = fopen(log_path,
"w");
739 fwrite(jb_ptr(js), jb_len(js), 1, fp);
750 static int FlowBitsTestParse01(
void)
752 char command[16] =
"", name[16] =
"";
755 FAIL_IF(!DetectFlowbitParse(
"noalert", command,
sizeof(command), name,
757 FAIL_IF(strcmp(command,
"noalert") != 0);
760 FAIL_IF(!DetectFlowbitParse(
"set,flowbit", command,
sizeof(command), name,
762 FAIL_IF(strcmp(command,
"set") != 0);
763 FAIL_IF(strcmp(name,
"flowbit") != 0);
766 FAIL_IF(!DetectFlowbitParse(
"set, flowbit", command,
sizeof(command), name,
768 FAIL_IF(strcmp(command,
"set") != 0);
769 FAIL_IF(strcmp(name,
"flowbit") != 0);
772 FAIL_IF(!DetectFlowbitParse(
"set,flowbit ", command,
sizeof(command), name,
774 FAIL_IF(strcmp(command,
"set") != 0);
775 FAIL_IF(strcmp(name,
"flowbit") != 0);
778 FAIL_IF(!DetectFlowbitParse(
"set, flowbit ", command,
sizeof(command), name,
780 FAIL_IF(strcmp(command,
"set") != 0);
781 FAIL_IF(strcmp(name,
"flowbit") != 0);
784 FAIL_IF(DetectFlowbitParse(
"set,namewith space", command,
sizeof(command),
785 name,
sizeof(name)));
797 static int FlowBitsTestSig01(
void)
807 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"Noalert\"; flowbits:noalert,wrongusage; content:\"GET \"; sid:1;)");
822 static int FlowBitsTestSig02(
void)
828 memset(&th_v, 0,
sizeof(th_v));
835 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"isset rule need an option\"; flowbits:isset; content:\"GET \"; sid:1;)");
838 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"isnotset rule need an option\"; flowbits:isnotset; content:\"GET \"; sid:2;)");
841 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"set rule need an option\"; flowbits:set; content:\"GET \"; sid:3;)");
844 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"unset rule need an option\"; flowbits:unset; content:\"GET \"; sid:4;)");
847 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"toggle rule need an option\"; flowbits:toggle; content:\"GET \"; sid:5;)");
850 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"!set is not an option\"; flowbits:!set,myerr; content:\"GET \"; sid:6;)");
866 static int FlowBitsTestSig03(
void)
876 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"Unknown cmd\"; flowbits:wrongcmd; content:\"GET \"; sid:1;)");
891 static int FlowBitsTestSig04(
void)
901 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"isset option\"; flowbits:isset,fbt; content:\"GET \"; sid:1;)");
919 static int FlowBitsTestSig05(
void)
929 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"Noalert\"; flowbits:noalert; content:\"GET \"; sid:1;)");
945 static int FlowBitsTestSig06(
void)
947 uint8_t *buf = (uint8_t *)
948 "GET /one/ HTTP/1.1\r\n"
949 "Host: one.example.org\r\n"
951 uint16_t buflen = strlen((
char *)buf);
963 memset(&th_v, 0,
sizeof(th_v));
964 memset(&f, 0,
sizeof(
Flow));
975 p->
proto = IPPROTO_TCP;
995 for ( ; gv != NULL; gv = gv->
next) {
1018 static int FlowBitsTestSig07(
void)
1020 uint8_t *buf = (uint8_t *)
1021 "GET /one/ HTTP/1.1\r\n"
1022 "Host: one.example.org\r\n"
1024 uint16_t buflen = strlen((
char *)buf);
1036 memset(&th_v, 0,
sizeof(th_v));
1037 memset(&f, 0,
sizeof(
Flow));
1048 p->
proto = IPPROTO_TCP;
1058 s = s->
next =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"Flowbit unset\"; flowbits:unset,myflow2; sid:11;)");
1070 for ( ; gv != NULL; gv = gv->
next) {
1093 static int FlowBitsTestSig08(
void)
1095 uint8_t *buf = (uint8_t *)
1096 "GET /one/ HTTP/1.1\r\n"
1097 "Host: one.example.org\r\n"
1099 uint16_t buflen = strlen((
char *)buf);
1112 memset(&th_v, 0,
sizeof(th_v));
1113 memset(&f, 0,
sizeof(
Flow));
1124 p->
proto = IPPROTO_TCP;
1134 s = s->
next =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"Flowbit unset\"; flowbits:toggle,myflow2; sid:11;)");
1146 for ( ; gv != NULL; gv = gv->
next) {
uint16_t cnts[DETECT_FLOWBITS_CMD_MAX]
uint32_t isnotset_sids_idx
SCMutex g_flowbits_dump_write_m
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
#define DETECT_FLOWBITS_CMD_MAX
SigTableElmt * sigmatch_table
void(* Free)(DetectEngineCtx *, void *)
void FlowBitsRegisterTests(void)
this function registers unit tests for FlowBits
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
struct HtpBodyChunk_ * next
#define DETECT_FLOWBITS_CMD_ISNOTSET
int DetectFlowbitsAnalyze(DetectEngineCtx *de_ctx)
main detection engine ctx
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
#define FLOW_PKT_TOSERVER
const char * VarNameStoreSetupLookup(const uint32_t id, const enum VarTypes type)
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
#define SCMUTEX_INITIALIZER
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
#define DETECT_FLOWBITS_CMD_TOGGLE
#define DETECT_FLOWBITS_CMD_ISSET
uint32_t VarNameStoreRegister(const char *name, const enum VarTypes type)
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
void FlowBitUnset(Flow *f, uint32_t idx)
@ DETECT_SM_LIST_POSTMATCH
#define FLOW_INITIALIZE(f)
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
struct GenericVar_ * next
#define PASS
Pass the test.
#define SCMutexUnlock(mut)
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
void FlowBitSet(Flow *f, uint32_t idx)
Per thread variable structure.
void VarNameStoreUnregister(const uint32_t id, const enum VarTypes type)
#define SCLogWarning(...)
Macro used to log WARNING messages.
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
void DetectFlowbitFree(DetectEngineCtx *, void *)
void DetectFlowbitsRegister(void)
SignatureInitData * init_data
Data structures and function prototypes for keeping state for the detection engine.
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
void FlowBitToggle(Flow *f, uint32_t idx)
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
uint32_t toggle_sids_size
#define SCRealloc(ptr, sz)
#define SIG_FLAG_INIT_STATE_MATCH
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
uint16_t state_cnts[DETECT_FLOWBITS_CMD_MAX]
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
const char * ConfigGetLogDirectory(void)
int FlowBitIsset(Flow *f, uint32_t idx)
#define SCLogError(...)
Macro used to log ERROR messages.
#define DETECT_FLOWBITS_CMD_UNSET
a single match condition for a signature
uint32_t isnotset_sids_size
DetectEngineCtx * DetectEngineCtxInit(void)
int DetectFlowbitMatch(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
#define SIGMATCH_IPONLY_COMPAT
bool rule_engine_analysis_set
int FlowBitIsnotset(Flow *f, uint32_t idx)
#define DETECT_FLOWBITS_CMD_SET
void(* RegisterTests)(void)