Go to the documentation of this file.
50 #define PARSE_REGEX "^([a-z]+)(?:,\\s*(.*))?"
53 #define MAX_TOKENS 100
88 while ((token = strtok_r(arrptr,
"|", &saveptr))) {
90 while(isspace((
unsigned char)*token))
94 char *end = token + strlen(token) - 1;
95 while(end > token && isspace((
unsigned char)*end))
99 if (strchr(token,
' ') != NULL) {
100 SCLogError(
"Spaces are not allowed in flowbit names.");
106 "maximum allowed: %d.",
201 return DetectFlowbitMatchIsset(p,fd);
203 return DetectFlowbitMatchIsnotset(p,fd);
205 return DetectFlowbitMatchSet(p,fd);
207 return DetectFlowbitMatchUnset(p,fd);
209 return DetectFlowbitMatchToggle(p,fd);
218 static int DetectFlowbitParse(
const char *
str,
char *cmd,
int cmd_len,
char *name,
225 if (count != 2 && count != 3) {
226 SCLogError(
"\"%s\" is not a valid setting for flowbits.",
str);
231 rc = pcre2_substring_copy_bynumber(parse_regex.
match, 1, (PCRE2_UCHAR8 *)cmd, &pcre2len);
233 SCLogError(
"pcre2_substring_copy_bynumber failed");
239 rc = pcre2_substring_copy_bynumber(parse_regex.
match, 2, (PCRE2_UCHAR8 *)name, &pcre2len);
241 SCLogError(
"pcre2_substring_copy_bynumber failed");
246 while (strlen(name) > 0 && isblank(name[strlen(name) - 1])) {
247 name[strlen(name) - 1] =
'\0';
250 if (strchr(name,
'|') == NULL) {
252 for (
size_t i = 0; i < strlen(name); i++) {
253 if (isblank(name[i])) {
254 SCLogError(
"spaces not allowed in flowbit names");
269 char fb_cmd_str[16] =
"", fb_name[256] =
"";
271 if (!DetectFlowbitParse(rawstr, fb_cmd_str,
sizeof(fb_cmd_str), fb_name,
276 if (strcmp(fb_cmd_str,
"noalert") == 0) {
278 }
else if (strcmp(fb_cmd_str,
"isset") == 0) {
280 }
else if (strcmp(fb_cmd_str,
"isnotset") == 0) {
282 }
else if (strcmp(fb_cmd_str,
"set") == 0) {
284 }
else if (strcmp(fb_cmd_str,
"unset") == 0) {
286 }
else if (strcmp(fb_cmd_str,
"toggle") == 0) {
289 SCLogError(
"ERROR: flowbits action \"%s\" is not supported.", fb_cmd_str);
295 if (strlen(fb_name) != 0)
305 if (strlen(fb_name) == 0)
313 if (strchr(fb_name,
'|') != NULL) {
314 int retval = FlowbitOrAddData(
de_ctx, cd, fb_name);
325 SCLogDebug(
"idx %" PRIu32
", cmd %s, name %s",
326 cd->
idx, fb_cmd_str, strlen(fb_name) ? fb_name :
"(none)");
406 struct FBAnalyze *array, uint32_t elements);
415 uint32_t array_size = max_fb_id + 1;
419 SCLogError(
"Unable to allocate flowbit analyze array");
424 (uint64_t)(array_size *
sizeof(
struct FBAnalyze)));
429 bool has_state =
false;
577 for (uint32_t i = 0; i < array_size; i++) {
582 bool to_state =
false;
590 "set. Checked in %u and %u other sigs",
596 SCLogDebug(
"flowbit %s/%u: isset in state, set not in state", varname, i);
605 SCLogDebug(
"flowbit %s/%u: isset not in state, set in state", varname, i);
609 SCLogDebug(
"ALL flowbit %s/%u: sets %u toggles %u unsets %u isnotsets %u issets %u", varname, i,
613 SCLogDebug(
"STATE flowbit %s/%u: sets %u toggles %u unsets %u isnotsets %u issets %u", varname, i,
618 SCLogDebug(
"SET flowbit %s/%u: SID %u", varname, i,
623 SCLogDebug(
"GET flowbit %s/%u: SID %u", varname, i, s->
id);
627 SCLogDebug(
"made SID %u stateful because it depends on "
628 "stateful rules that set flowbit %s", s->
id, varname);
635 DetectFlowbitsAnalyzeDump(
de_ctx, array, array_size);
639 for (uint32_t i = 0; i < array_size; i++) {
653 struct FBAnalyze *array, uint32_t elements)
655 JsonBuilder *js = jb_new_object();
659 jb_open_array(js,
"flowbits");
660 for (uint32_t x = 0; x < elements; x++) {
668 jb_set_string(js,
"name", varname);
669 jb_set_uint(js,
"internal_id", x);
678 jb_open_array(js,
"sets");
681 jb_append_uint(js, s->
id);
687 jb_open_array(js,
"isset");
690 jb_append_uint(js, s->
id);
696 jb_open_array(js,
"isnotset");
699 jb_append_uint(js, s->
id);
705 jb_open_array(js,
"unset");
708 jb_append_uint(js, s->
id);
714 jb_open_array(js,
"toggle");
717 jb_append_uint(js, s->
id);
727 const char *filename =
"flowbits.json";
729 char log_path[PATH_MAX] =
"";
730 snprintf(log_path,
sizeof(log_path),
"%s/%s", log_dir, filename);
733 FILE *fp = fopen(log_path,
"w");
735 fwrite(jb_ptr(js), jb_len(js), 1, fp);
746 static int FlowBitsTestParse01(
void)
748 char command[16] =
"", name[16] =
"";
751 FAIL_IF(!DetectFlowbitParse(
"noalert", command,
sizeof(command), name,
753 FAIL_IF(strcmp(command,
"noalert") != 0);
756 FAIL_IF(!DetectFlowbitParse(
"set,flowbit", command,
sizeof(command), name,
758 FAIL_IF(strcmp(command,
"set") != 0);
759 FAIL_IF(strcmp(name,
"flowbit") != 0);
762 FAIL_IF(!DetectFlowbitParse(
"set, flowbit", command,
sizeof(command), name,
764 FAIL_IF(strcmp(command,
"set") != 0);
765 FAIL_IF(strcmp(name,
"flowbit") != 0);
768 FAIL_IF(!DetectFlowbitParse(
"set,flowbit ", command,
sizeof(command), name,
770 FAIL_IF(strcmp(command,
"set") != 0);
771 FAIL_IF(strcmp(name,
"flowbit") != 0);
774 FAIL_IF(!DetectFlowbitParse(
"set, flowbit ", command,
sizeof(command), name,
776 FAIL_IF(strcmp(command,
"set") != 0);
777 FAIL_IF(strcmp(name,
"flowbit") != 0);
780 FAIL_IF(DetectFlowbitParse(
"set,namewith space", command,
sizeof(command),
781 name,
sizeof(name)));
793 static int FlowBitsTestSig01(
void)
803 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"Noalert\"; flowbits:noalert,wrongusage; content:\"GET \"; sid:1;)");
818 static int FlowBitsTestSig02(
void)
824 memset(&th_v, 0,
sizeof(th_v));
831 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"isset rule need an option\"; flowbits:isset; content:\"GET \"; sid:1;)");
834 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"isnotset rule need an option\"; flowbits:isnotset; content:\"GET \"; sid:2;)");
837 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"set rule need an option\"; flowbits:set; content:\"GET \"; sid:3;)");
840 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"unset rule need an option\"; flowbits:unset; content:\"GET \"; sid:4;)");
843 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"toggle rule need an option\"; flowbits:toggle; content:\"GET \"; sid:5;)");
846 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"!set is not an option\"; flowbits:!set,myerr; content:\"GET \"; sid:6;)");
862 static int FlowBitsTestSig03(
void)
872 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"Unknown cmd\"; flowbits:wrongcmd; content:\"GET \"; sid:1;)");
887 static int FlowBitsTestSig04(
void)
897 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"isset option\"; flowbits:isset,fbt; content:\"GET \"; sid:1;)");
915 static int FlowBitsTestSig05(
void)
925 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"Noalert\"; flowbits:noalert; content:\"GET \"; sid:1;)");
941 static int FlowBitsTestSig06(
void)
943 uint8_t *buf = (uint8_t *)
944 "GET /one/ HTTP/1.1\r\n"
945 "Host: one.example.org\r\n"
947 uint16_t buflen = strlen((
char *)buf);
959 memset(&th_v, 0,
sizeof(th_v));
960 memset(&f, 0,
sizeof(
Flow));
971 p->
proto = IPPROTO_TCP;
991 for ( ; gv != NULL; gv = gv->
next) {
1014 static int FlowBitsTestSig07(
void)
1016 uint8_t *buf = (uint8_t *)
1017 "GET /one/ HTTP/1.1\r\n"
1018 "Host: one.example.org\r\n"
1020 uint16_t buflen = strlen((
char *)buf);
1032 memset(&th_v, 0,
sizeof(th_v));
1033 memset(&f, 0,
sizeof(
Flow));
1044 p->
proto = IPPROTO_TCP;
1054 s = s->
next =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"Flowbit unset\"; flowbits:unset,myflow2; sid:11;)");
1066 for ( ; gv != NULL; gv = gv->
next) {
1089 static int FlowBitsTestSig08(
void)
1091 uint8_t *buf = (uint8_t *)
1092 "GET /one/ HTTP/1.1\r\n"
1093 "Host: one.example.org\r\n"
1095 uint16_t buflen = strlen((
char *)buf);
1108 memset(&th_v, 0,
sizeof(th_v));
1109 memset(&f, 0,
sizeof(
Flow));
1120 p->
proto = IPPROTO_TCP;
1130 s = s->
next =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"Flowbit unset\"; flowbits:toggle,myflow2; sid:11;)");
1142 for ( ; gv != NULL; gv = gv->
next) {
uint16_t cnts[DETECT_FLOWBITS_CMD_MAX]
uint32_t isnotset_sids_idx
SCMutex g_flowbits_dump_write_m
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
#define DETECT_FLOWBITS_CMD_MAX
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options)
void(* Free)(DetectEngineCtx *, void *)
void FlowBitsRegisterTests(void)
this function registers unit tests for FlowBits
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
struct HtpBodyChunk_ * next
@ DETECT_SM_LIST_DYNAMIC_START
#define DETECT_FLOWBITS_CMD_ISNOTSET
int DetectFlowbitsAnalyze(DetectEngineCtx *de_ctx)
main detection engine ctx
char * VarNameStoreSetupLookup(uint32_t idx, const enum VarTypes type)
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
#define FLOW_PKT_TOSERVER
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
#define SCMUTEX_INITIALIZER
#define DETECT_FLOWBITS_CMD_TOGGLE
#define DETECT_FLOWBITS_CMD_ISSET
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
void FlowBitUnset(Flow *f, uint32_t idx)
@ DETECT_SM_LIST_POSTMATCH
#define FLOW_INITIALIZE(f)
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
struct GenericVar_ * next
#define PASS
Pass the test.
#define SCMutexUnlock(mut)
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
void FlowBitSet(Flow *f, uint32_t idx)
Per thread variable structure.
#define SCLogWarning(...)
Macro used to log WARNING messages.
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
void DetectFlowbitFree(DetectEngineCtx *, void *)
void DetectFlowbitsRegister(void)
SignatureInitData * init_data
Data structures and function prototypes for keeping state for the detection engine.
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
struct SigMatch_ ** smlists
SigMatch * SigMatchAlloc(void)
void FlowBitToggle(Flow *f, uint32_t idx)
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
uint32_t toggle_sids_size
#define SCRealloc(ptr, sz)
#define SIG_FLAG_INIT_STATE_MATCH
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
#define DETECT_FLOWBITS_CMD_NOALERT
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
uint16_t state_cnts[DETECT_FLOWBITS_CMD_MAX]
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
int rule_engine_analysis_set
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
uint32_t VarNameStoreSetupAdd(const char *name, const enum VarTypes type)
add to staging or return existing id if already in there
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
const char * ConfigGetLogDirectory(void)
int FlowBitIsset(Flow *f, uint32_t idx)
#define SCLogError(...)
Macro used to log ERROR messages.
#define DETECT_FLOWBITS_CMD_UNSET
a single match condition for a signature
uint32_t isnotset_sids_size
DetectEngineCtx * DetectEngineCtxInit(void)
int DetectFlowbitMatch(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
#define SIGMATCH_IPONLY_COMPAT
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
int FlowBitIsnotset(Flow *f, uint32_t idx)
#define DETECT_FLOWBITS_CMD_SET
void(* RegisterTests)(void)
uint32_t smlists_array_size