suricata
detect-flowbits.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Breno Silva <breno.silva@gmail.com>
23  *
24  * Implements the flowbits keyword
25  */
26 
27 #include "suricata-common.h"
28 #include "decode.h"
29 #include "detect.h"
30 #include "threads.h"
31 #include "flow.h"
32 #include "flow-bit.h"
33 #include "flow-util.h"
34 #include "detect-flowbits.h"
35 #include "util-spm.h"
36 
37 #include "app-layer-parser.h"
38 
39 #include "detect-parse.h"
40 #include "detect-engine.h"
41 #include "detect-engine-mpm.h"
42 #include "detect-engine-state.h"
43 
44 #include "util-var-name.h"
45 #include "util-unittest.h"
46 #include "util-debug.h"
47 
48 #define PARSE_REGEX "^([a-z]+)(?:,\\s*(.*))?"
49 static DetectParseRegex parse_regex;
50 
52  const Signature *, const SigMatchCtx *);
53 static int DetectFlowbitSetup (DetectEngineCtx *, Signature *, const char *);
54 void DetectFlowbitFree (void *);
55 void FlowBitsRegisterTests(void);
56 
58 {
59  sigmatch_table[DETECT_FLOWBITS].name = "flowbits";
60  sigmatch_table[DETECT_FLOWBITS].desc = "operate on flow flag";
61  sigmatch_table[DETECT_FLOWBITS].url = DOC_URL DOC_VERSION "/rules/flow-keywords.html#flowbits";
63  sigmatch_table[DETECT_FLOWBITS].Setup = DetectFlowbitSetup;
66  /* this is compatible to ip-only signatures */
68 
69  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
70 }
71 
72 
73 static int DetectFlowbitMatchToggle (Packet *p, const DetectFlowbitsData *fd)
74 {
75  if (p->flow == NULL)
76  return 0;
77 
78  FlowBitToggle(p->flow,fd->idx);
79 
80  return 1;
81 }
82 
83 static int DetectFlowbitMatchUnset (Packet *p, const DetectFlowbitsData *fd)
84 {
85  if (p->flow == NULL)
86  return 0;
87 
88  FlowBitUnset(p->flow,fd->idx);
89 
90  return 1;
91 }
92 
93 static int DetectFlowbitMatchSet (Packet *p, const DetectFlowbitsData *fd)
94 {
95  if (p->flow == NULL)
96  return 0;
97 
98  FlowBitSet(p->flow,fd->idx);
99 
100  return 1;
101 }
102 
103 static int DetectFlowbitMatchIsset (Packet *p, const DetectFlowbitsData *fd)
104 {
105  if (p->flow == NULL)
106  return 0;
107 
108  return FlowBitIsset(p->flow,fd->idx);
109 }
110 
111 static int DetectFlowbitMatchIsnotset (Packet *p, const DetectFlowbitsData *fd)
112 {
113  if (p->flow == NULL)
114  return 0;
115 
116  return FlowBitIsnotset(p->flow,fd->idx);
117 }
118 
119 /*
120  * returns 0: no match
121  * 1: match
122  * -1: error
123  */
124 
126  const Signature *s, const SigMatchCtx *ctx)
127 {
128  const DetectFlowbitsData *fd = (const DetectFlowbitsData *)ctx;
129  if (fd == NULL)
130  return 0;
131 
132  switch (fd->cmd) {
134  return DetectFlowbitMatchIsset(p,fd);
136  return DetectFlowbitMatchIsnotset(p,fd);
138  return DetectFlowbitMatchSet(p,fd);
140  return DetectFlowbitMatchUnset(p,fd);
142  return DetectFlowbitMatchToggle(p,fd);
143  default:
144  SCLogError(SC_ERR_UNKNOWN_VALUE, "unknown cmd %" PRIu32 "", fd->cmd);
145  return 0;
146  }
147 
148  return 0;
149 }
150 
151 static int DetectFlowbitParse(const char *str, char *cmd, int cmd_len, char *name,
152  int name_len)
153 {
154  const int max_substrings = 30;
155  int count, rc;
156  int ov[max_substrings];
157 
158  count = DetectParsePcreExec(&parse_regex, str, 0, 0, ov, max_substrings);
159  if (count != 2 && count != 3) {
161  "\"%s\" is not a valid setting for flowbits.", str);
162  return 0;
163  }
164 
165  rc = pcre_copy_substring((char *)str, ov, max_substrings, 1, cmd, cmd_len);
166  if (rc < 0) {
167  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
168  return 0;
169  }
170 
171  if (count == 3) {
172  rc = pcre_copy_substring((char *)str, ov, max_substrings, 2, name,
173  name_len);
174  if (rc < 0) {
175  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
176  return 0;
177  }
178 
179  /* Trim trailing whitespace. */
180  while (strlen(name) > 0 && isblank(name[strlen(name) - 1])) {
181  name[strlen(name) - 1] = '\0';
182  }
183 
184  /* Validate name, spaces are not allowed. */
185  for (size_t i = 0; i < strlen(name); i++) {
186  if (isblank(name[i])) {
188  "spaces not allowed in flowbit names");
189  return 0;
190  }
191  }
192  }
193 
194  return 1;
195 }
196 
197 int DetectFlowbitSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
198 {
199  DetectFlowbitsData *cd = NULL;
200  SigMatch *sm = NULL;
201  uint8_t fb_cmd = 0;
202  char fb_cmd_str[16] = "", fb_name[256] = "";
203 
204  if (!DetectFlowbitParse(rawstr, fb_cmd_str, sizeof(fb_cmd_str), fb_name,
205  sizeof(fb_name))) {
206  return -1;
207  }
208 
209  if (strcmp(fb_cmd_str,"noalert") == 0) {
211  } else if (strcmp(fb_cmd_str,"isset") == 0) {
212  fb_cmd = DETECT_FLOWBITS_CMD_ISSET;
213  } else if (strcmp(fb_cmd_str,"isnotset") == 0) {
215  } else if (strcmp(fb_cmd_str,"set") == 0) {
216  fb_cmd = DETECT_FLOWBITS_CMD_SET;
217  } else if (strcmp(fb_cmd_str,"unset") == 0) {
218  fb_cmd = DETECT_FLOWBITS_CMD_UNSET;
219  } else if (strcmp(fb_cmd_str,"toggle") == 0) {
221  } else {
222  SCLogError(SC_ERR_UNKNOWN_VALUE, "ERROR: flowbits action \"%s\" is not supported.", fb_cmd_str);
223  goto error;
224  }
225 
226  switch (fb_cmd) {
228  if (strlen(fb_name) != 0)
229  goto error;
230  s->flags |= SIG_FLAG_NOALERT;
231  return 0;
237  default:
238  if (strlen(fb_name) == 0)
239  goto error;
240  break;
241  }
242 
243  cd = SCMalloc(sizeof(DetectFlowbitsData));
244  if (unlikely(cd == NULL))
245  goto error;
246 
249  cd->cmd = fb_cmd;
250 
251  SCLogDebug("idx %" PRIu32 ", cmd %s, name %s",
252  cd->idx, fb_cmd_str, strlen(fb_name) ? fb_name : "(none)");
253 
254  /* Okay so far so good, lets get this into a SigMatch
255  * and put it in the Signature. */
256  sm = SigMatchAlloc();
257  if (sm == NULL)
258  goto error;
259 
260  sm->type = DETECT_FLOWBITS;
261  sm->ctx = (SigMatchCtx *)cd;
262 
263  switch (fb_cmd) {
264  /* case DETECT_FLOWBITS_CMD_NOALERT can't happen here */
265 
268  /* checks, so packet list */
270  break;
271 
275  /* modifiers, only run when entire sig has matched */
277  break;
278 
279  // suppress coverity warning as scan-build-7 warns w/o this.
280  // coverity[deadcode : FALSE]
281  default:
282  goto error;
283  }
284 
285  return 0;
286 
287 error:
288  if (cd != NULL)
289  SCFree(cd);
290  if (sm != NULL)
291  SCFree(sm);
292  return -1;
293 }
294 
295 void DetectFlowbitFree (void *ptr)
296 {
298 
299  if (fd == NULL)
300  return;
301 
302  SCFree(fd);
303 }
304 
305 struct FBAnalyze {
308 
309  uint32_t *set_sids;
310  uint32_t set_sids_idx;
311  uint32_t set_sids_size;
312 
313  uint32_t *isset_sids;
314  uint32_t isset_sids_idx;
315  uint32_t isset_sids_size;
316 
317  uint32_t *isnotset_sids;
320 
321  uint32_t *unset_sids;
322  uint32_t unset_sids_idx;
323  uint32_t unset_sids_size;
324 
325  uint32_t *toggle_sids;
326  uint32_t toggle_sids_idx;
328 };
329 #ifdef PROFILING
330 static void DetectFlowbitsAnalyzeDump(const DetectEngineCtx *de_ctx,
331  struct FBAnalyze *array, uint32_t elements);
332 #endif
333 
335 {
336  const uint32_t max_fb_id = de_ctx->max_fb_id;
337  if (max_fb_id == 0)
338  return;
339 
340 #define MAX_SIDS 8
341  uint32_t array_size = max_fb_id + 1;
342  struct FBAnalyze array[array_size];
343  memset(&array, 0, array_size * sizeof(struct FBAnalyze));
344 
345  SCLogDebug("fb analyzer array size: %"PRIu64,
346  (uint64_t)(array_size * sizeof(struct FBAnalyze)));
347 
348  /* fill flowbit array, updating counters per sig */
349  for (uint32_t i = 0; i < de_ctx->sig_array_len; i++) {
350  const Signature *s = de_ctx->sig_array[i];
351  bool has_state = false;
352 
353  /* see if the signature uses stateful matching */
354  for (uint32_t x = DETECT_SM_LIST_DYNAMIC_START; x < s->init_data->smlists_array_size; x++) {
355  if (s->init_data->smlists[x] == NULL)
356  continue;
357  has_state = true;
358  break;
359  }
360 
361  for (const SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_MATCH] ; sm != NULL; sm = sm->next) {
362  switch (sm->type) {
363  case DETECT_FLOWBITS:
364  {
365  /* figure out the flowbit action */
366  const DetectFlowbitsData *fb = (DetectFlowbitsData *)sm->ctx;
367  array[fb->idx].cnts[fb->cmd]++;
368  if (has_state)
369  array[fb->idx].state_cnts[fb->cmd]++;
370  if (fb->cmd == DETECT_FLOWBITS_CMD_ISSET) {
371  if (array[fb->idx].isset_sids_idx >= array[fb->idx].isset_sids_size) {
372  uint32_t old_size = array[fb->idx].isset_sids_size;
373  uint32_t new_size = MAX(2 * old_size, MAX_SIDS);
374 
375  void *ptr = SCRealloc(array[fb->idx].isset_sids, new_size * sizeof(uint32_t));
376  if (ptr == NULL)
377  goto end;
378  array[fb->idx].isset_sids_size = new_size;
379  array[fb->idx].isset_sids = ptr;
380  }
381 
382  array[fb->idx].isset_sids[array[fb->idx].isset_sids_idx] = s->num;
383  array[fb->idx].isset_sids_idx++;
384  } else if (fb->cmd == DETECT_FLOWBITS_CMD_ISNOTSET){
385  if (array[fb->idx].isnotset_sids_idx >= array[fb->idx].isnotset_sids_size) {
386  uint32_t old_size = array[fb->idx].isnotset_sids_size;
387  uint32_t new_size = MAX(2 * old_size, MAX_SIDS);
388 
389  void *ptr = SCRealloc(array[fb->idx].isnotset_sids, new_size * sizeof(uint32_t));
390  if (ptr == NULL)
391  goto end;
392  array[fb->idx].isnotset_sids_size = new_size;
393  array[fb->idx].isnotset_sids = ptr;
394  }
395 
396  array[fb->idx].isnotset_sids[array[fb->idx].isnotset_sids_idx] = s->num;
397  array[fb->idx].isnotset_sids_idx++;
398  }
399  }
400  }
401  }
402  for (const SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_POSTMATCH] ; sm != NULL; sm = sm->next) {
403  switch (sm->type) {
404  case DETECT_FLOWBITS:
405  {
406  /* figure out what flowbit action */
407  const DetectFlowbitsData *fb = (DetectFlowbitsData *)sm->ctx;
408  array[fb->idx].cnts[fb->cmd]++;
409  if (has_state)
410  array[fb->idx].state_cnts[fb->cmd]++;
411  if (fb->cmd == DETECT_FLOWBITS_CMD_SET) {
412  if (array[fb->idx].set_sids_idx >= array[fb->idx].set_sids_size) {
413  uint32_t old_size = array[fb->idx].set_sids_size;
414  uint32_t new_size = MAX(2 * old_size, MAX_SIDS);
415 
416  void *ptr = SCRealloc(array[fb->idx].set_sids, new_size * sizeof(uint32_t));
417  if (ptr == NULL)
418  goto end;
419  array[fb->idx].set_sids_size = new_size;
420  array[fb->idx].set_sids = ptr;
421  }
422 
423  array[fb->idx].set_sids[array[fb->idx].set_sids_idx] = s->num;
424  array[fb->idx].set_sids_idx++;
425  }
426  else if (fb->cmd == DETECT_FLOWBITS_CMD_UNSET) {
427  if (array[fb->idx].unset_sids_idx >= array[fb->idx].unset_sids_size) {
428  uint32_t old_size = array[fb->idx].unset_sids_size;
429  uint32_t new_size = MAX(2 * old_size, MAX_SIDS);
430 
431  void *ptr = SCRealloc(array[fb->idx].unset_sids, new_size * sizeof(uint32_t));
432  if (ptr == NULL)
433  goto end;
434  array[fb->idx].unset_sids_size = new_size;
435  array[fb->idx].unset_sids = ptr;
436  }
437 
438  array[fb->idx].unset_sids[array[fb->idx].unset_sids_idx] = s->num;
439  array[fb->idx].unset_sids_idx++;
440  }
441  else if (fb->cmd == DETECT_FLOWBITS_CMD_TOGGLE) {
442  if (array[fb->idx].toggle_sids_idx >= array[fb->idx].toggle_sids_size) {
443  uint32_t old_size = array[fb->idx].toggle_sids_size;
444  uint32_t new_size = MAX(2 * old_size, MAX_SIDS);
445 
446  void *ptr = SCRealloc(array[fb->idx].toggle_sids, new_size * sizeof(uint32_t));
447  if (ptr == NULL)
448  goto end;
449  array[fb->idx].toggle_sids_size = new_size;
450  array[fb->idx].toggle_sids = ptr;
451  }
452 
453  array[fb->idx].toggle_sids[array[fb->idx].toggle_sids_idx] = s->num;
454  array[fb->idx].toggle_sids_idx++;
455  }
456  }
457  }
458  }
459  }
460 
461  /* walk array to see if all bits make sense */
462  for (uint32_t i = 0; i < array_size; i++) {
463  char *varname = VarNameStoreSetupLookup(i, VAR_TYPE_FLOW_BIT);
464  if (varname == NULL)
465  continue;
466 
467  bool to_state = false;
468 
469  if (array[i].cnts[DETECT_FLOWBITS_CMD_ISSET] &&
470  array[i].cnts[DETECT_FLOWBITS_CMD_TOGGLE] == 0 &&
471  array[i].cnts[DETECT_FLOWBITS_CMD_SET] == 0) {
472 
473  const Signature *s = de_ctx->sig_array[array[i].isset_sids[0]];
474  SCLogWarning(SC_WARN_FLOWBIT, "flowbit '%s' is checked but not "
475  "set. Checked in %u and %u other sigs",
476  varname, s->id, array[i].isset_sids_idx - 1);
477  }
478  if (array[i].state_cnts[DETECT_FLOWBITS_CMD_ISSET] &&
479  array[i].state_cnts[DETECT_FLOWBITS_CMD_SET] == 0)
480  {
481  SCLogDebug("flowbit %s/%u: isset in state, set not in state", varname, i);
482  }
483 
484  /* if signature depends on 'stateful' flowbits, then turn the
485  * sig into a stateful sig itself */
486  if (array[i].cnts[DETECT_FLOWBITS_CMD_ISSET] > 0 &&
487  array[i].state_cnts[DETECT_FLOWBITS_CMD_ISSET] == 0 &&
489  {
490  SCLogDebug("flowbit %s/%u: isset not in state, set in state", varname, i);
491  to_state = true;
492  }
493 
494  SCLogDebug("ALL flowbit %s/%u: sets %u toggles %u unsets %u isnotsets %u issets %u", varname, i,
497  array[i].cnts[DETECT_FLOWBITS_CMD_ISSET]);
498  SCLogDebug("STATE flowbit %s/%u: sets %u toggles %u unsets %u isnotsets %u issets %u", varname, i,
502  for (uint32_t x = 0; x < array[i].set_sids_idx; x++) {
503  SCLogDebug("SET flowbit %s/%u: SID %u", varname, i,
504  de_ctx->sig_array[array[i].set_sids[x]]->id);
505  }
506  for (uint32_t x = 0; x < array[i].isset_sids_idx; x++) {
507  Signature *s = de_ctx->sig_array[array[i].isset_sids[x]];
508  SCLogDebug("GET flowbit %s/%u: SID %u", varname, i, s->id);
509 
510  if (to_state) {
512  SCLogDebug("made SID %u stateful because it depends on "
513  "stateful rules that set flowbit %s", s->id, varname);
514  }
515  }
516  SCFree(varname);
517  }
518 #ifdef PROFILING
519  DetectFlowbitsAnalyzeDump(de_ctx, array, array_size);
520 #endif
521 
522 end:
523  for (uint32_t i = 0; i < array_size; i++) {
524  SCFree(array[i].set_sids);
525  SCFree(array[i].unset_sids);
526  SCFree(array[i].isset_sids);
527  SCFree(array[i].isnotset_sids);
528  SCFree(array[i].toggle_sids);
529  }
530 }
531 
532 #ifdef PROFILING
533 #include "output-json.h"
534 #include "util-buffer.h"
536 static void DetectFlowbitsAnalyzeDump(const DetectEngineCtx *de_ctx,
537  struct FBAnalyze *array, uint32_t elements)
538 {
539  json_t *js = json_object();
540  if (js == NULL)
541  return;
542 
543  json_t *js_array = json_array();
544  uint32_t x;
545  for (x = 0; x < elements; x++)
546  {
547  char *varname = VarNameStoreSetupLookup(x, VAR_TYPE_FLOW_BIT);
548  if (varname == NULL)
549  continue;
550 
551  const struct FBAnalyze *e = &array[x];
552 
553  json_t *js_fb = json_object();
554  if (unlikely(js_fb != NULL)) {
555  json_object_set_new(js_fb, "name", json_string(varname));
556  json_object_set_new(js_fb, "internal_id", json_integer(x));
557  json_object_set_new(js_fb, "set_cnt", json_integer(e->cnts[DETECT_FLOWBITS_CMD_SET]));
558  json_object_set_new(js_fb, "unset_cnt", json_integer(e->cnts[DETECT_FLOWBITS_CMD_UNSET]));
559  json_object_set_new(js_fb, "toggle_cnt", json_integer(e->cnts[DETECT_FLOWBITS_CMD_TOGGLE]));
560  json_object_set_new(js_fb, "isset_cnt", json_integer(e->cnts[DETECT_FLOWBITS_CMD_ISSET]));
561  json_object_set_new(js_fb, "isnotset_cnt", json_integer(e->cnts[DETECT_FLOWBITS_CMD_ISNOTSET]));
562 
563  // sets
564  if (e->cnts[DETECT_FLOWBITS_CMD_SET]) {
565  json_t *js_set_array = json_array();
566  if (js_set_array) {
567  for(uint32_t i = 0; i < e->set_sids_idx; i++) {
568  const Signature *s = de_ctx->sig_array[e->set_sids[i]];
569  json_array_append_new(js_set_array, json_integer(s->id));
570  }
571  json_object_set_new(js_fb, "sets", js_set_array);
572  }
573  }
574  // gets
576  json_t *js_isset_array = json_array();
577  if (js_isset_array) {
578  for(uint32_t i = 0; i < e->isset_sids_idx; i++) {
579  const Signature *s = de_ctx->sig_array[e->isset_sids[i]];
580  json_array_append_new(js_isset_array, json_integer(s->id));
581  }
582  json_object_set_new(js_fb, "isset", js_isset_array);
583  }
584  }
585  // isnotset
587  json_t *js_isnotset_array = json_array();
588  if (js_isnotset_array) {
589  for(uint32_t i = 0; i < e->isnotset_sids_idx; i++) {
590  const Signature *s = de_ctx->sig_array[e->isnotset_sids[i]];
591  json_array_append_new(js_isnotset_array, json_integer(s->id));
592  }
593  json_object_set_new(js_fb, "isnotset", js_isnotset_array);
594  }
595  }
596  // unset
598  json_t *js_unset_array = json_array();
599  if (js_unset_array) {
600  for(uint32_t i = 0; i < e->unset_sids_idx; i++) {
601  const Signature *s = de_ctx->sig_array[e->unset_sids[i]];
602  json_array_append_new(js_unset_array, json_integer(s->id));
603  }
604  json_object_set_new(js_fb, "unset", js_unset_array);
605  }
606  }
607  // toggle
609  json_t *js_toggle_array = json_array();
610  if (js_toggle_array) {
611  for(uint32_t i = 0; i < e->toggle_sids_idx; i++) {
612  const Signature *s = de_ctx->sig_array[e->toggle_sids[i]];
613  json_array_append_new(js_toggle_array, json_integer(s->id));
614  }
615  json_object_set_new(js_fb, "toggle", js_toggle_array);
616  }
617  }
618 
619  json_array_append_new(js_array, js_fb);
620  }
621  SCFree(varname);
622  }
623 
624  json_object_set_new(js, "flowbits", js_array);
625 
626  const char *filename = "flowbits.json";
627  const char *log_dir = ConfigGetLogDirectory();
628  char log_path[PATH_MAX] = "";
629  snprintf(log_path, sizeof(log_path), "%s/%s", log_dir, filename);
630 
631  MemBuffer *mbuf = NULL;
632  mbuf = MemBufferCreateNew(4096);
633  BUG_ON(mbuf == NULL);
634 
635  OutputJSONMemBufferWrapper wrapper = {
636  .buffer = &mbuf,
637  .expand_by = 4096,
638  };
639 
640  int r = json_dump_callback(js, OutputJSONMemBufferCallback, &wrapper,
641  JSON_PRESERVE_ORDER|JSON_COMPACT|JSON_ENSURE_ASCII|
643  if (r != 0) {
644  SCLogWarning(SC_ERR_SOCKET, "unable to serialize JSON object");
645  } else {
646  MemBufferWriteString(mbuf, "\n");
648  FILE *fp = fopen(log_path, "w");
649  if (fp != NULL) {
650  MemBufferPrintToFPAsString(mbuf, fp);
651  fclose(fp);
652  }
654  }
655 
656  MemBufferFree(mbuf);
657  json_object_clear(js);
658  json_decref(js);
659 }
660 #endif /* PROFILING */
661 
662 #ifdef UNITTESTS
663 
664 static int FlowBitsTestParse01(void)
665 {
666  char command[16] = "", name[16] = "";
667 
668  /* Single argument version. */
669  FAIL_IF(!DetectFlowbitParse("noalert", command, sizeof(command), name,
670  sizeof(name)));
671  FAIL_IF(strcmp(command, "noalert") != 0);
672 
673  /* No leading or trailing spaces. */
674  FAIL_IF(!DetectFlowbitParse("set,flowbit", command, sizeof(command), name,
675  sizeof(name)));
676  FAIL_IF(strcmp(command, "set") != 0);
677  FAIL_IF(strcmp(name, "flowbit") != 0);
678 
679  /* Leading space. */
680  FAIL_IF(!DetectFlowbitParse("set, flowbit", command, sizeof(command), name,
681  sizeof(name)));
682  FAIL_IF(strcmp(command, "set") != 0);
683  FAIL_IF(strcmp(name, "flowbit") != 0);
684 
685  /* Trailing space. */
686  FAIL_IF(!DetectFlowbitParse("set,flowbit ", command, sizeof(command), name,
687  sizeof(name)));
688  FAIL_IF(strcmp(command, "set") != 0);
689  FAIL_IF(strcmp(name, "flowbit") != 0);
690 
691  /* Leading and trailing space. */
692  FAIL_IF(!DetectFlowbitParse("set, flowbit ", command, sizeof(command), name,
693  sizeof(name)));
694  FAIL_IF(strcmp(command, "set") != 0);
695  FAIL_IF(strcmp(name, "flowbit") != 0);
696 
697  /* Spaces are not allowed in the name. */
698  FAIL_IF(DetectFlowbitParse("set,namewith space", command, sizeof(command),
699  name, sizeof(name)));
700 
701  PASS;
702 }
703 
704 /**
705  * \test FlowBitsTestSig01 is a test for a valid noalert flowbits option
706  *
707  * \retval 1 on succces
708  * \retval 0 on failure
709  */
710 
711 static int FlowBitsTestSig01(void)
712 {
713  Signature *s = NULL;
714  DetectEngineCtx *de_ctx = NULL;
715 
718 
719  de_ctx->flags |= DE_QUIET;
720 
721  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Noalert\"; flowbits:noalert,wrongusage; content:\"GET \"; sid:1;)");
722  FAIL_IF_NOT_NULL(s);
723 
726  PASS;
727 }
728 
729 /**
730  * \test FlowBitsTestSig02 is a test for a valid isset,set,isnotset,unset,toggle flowbits options
731  *
732  * \retval 1 on succces
733  * \retval 0 on failure
734  */
735 
736 static int FlowBitsTestSig02(void)
737 {
738  Signature *s = NULL;
739  ThreadVars th_v;
740  DetectEngineCtx *de_ctx = NULL;
741 
742  memset(&th_v, 0, sizeof(th_v));
743 
746 
747  de_ctx->flags |= DE_QUIET;
748 
749  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"isset rule need an option\"; flowbits:isset; content:\"GET \"; sid:1;)");
750  FAIL_IF_NOT_NULL(s);
751 
752  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"isnotset rule need an option\"; flowbits:isnotset; content:\"GET \"; sid:2;)");
753  FAIL_IF_NOT_NULL(s);
754 
755  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"set rule need an option\"; flowbits:set; content:\"GET \"; sid:3;)");
756  FAIL_IF_NOT_NULL(s);
757 
758  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"unset rule need an option\"; flowbits:unset; content:\"GET \"; sid:4;)");
759  FAIL_IF_NOT_NULL(s);
760 
761  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"toggle rule need an option\"; flowbits:toggle; content:\"GET \"; sid:5;)");
762  FAIL_IF_NOT_NULL(s);
763 
764  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"!set is not an option\"; flowbits:!set,myerr; content:\"GET \"; sid:6;)");
765  FAIL_IF_NOT_NULL(s);
766 
769 
770  PASS;
771 }
772 
773 /**
774  * \test FlowBitsTestSig03 is a test for a invalid flowbits option
775  *
776  * \retval 1 on succces
777  * \retval 0 on failure
778  */
779 
780 static int FlowBitsTestSig03(void)
781 {
782  Signature *s = NULL;
783  DetectEngineCtx *de_ctx = NULL;
784 
787 
788  de_ctx->flags |= DE_QUIET;
789 
790  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Unknown cmd\"; flowbits:wrongcmd; content:\"GET \"; sid:1;)");
791  FAIL_IF_NOT_NULL(s);
792 
795  PASS;
796 }
797 
798 /**
799  * \test FlowBitsTestSig04 is a test check idx value
800  *
801  * \retval 1 on succces
802  * \retval 0 on failure
803  */
804 
805 static int FlowBitsTestSig04(void)
806 {
807  Signature *s = NULL;
808  DetectEngineCtx *de_ctx = NULL;
809  int idx = 0;
810 
813 
814  de_ctx->flags |= DE_QUIET;
815 
816  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"isset option\"; flowbits:isset,fbt; content:\"GET \"; sid:1;)");
817  FAIL_IF_NULL(s);
818 
820  FAIL_IF(idx != 1);
821 
824  PASS;
825 }
826 
827 /**
828  * \test FlowBitsTestSig05 is a test check noalert flag
829  *
830  * \retval 1 on succces
831  * \retval 0 on failure
832  */
833 
834 static int FlowBitsTestSig05(void)
835 {
836  Signature *s = NULL;
837  DetectEngineCtx *de_ctx = NULL;
838 
841 
842  de_ctx->flags |= DE_QUIET;
843 
844  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Noalert\"; flowbits:noalert; content:\"GET \"; sid:1;)");
845  FAIL_IF_NULL(s);
847 
850  PASS;
851 }
852 
853 /**
854  * \test FlowBitsTestSig06 is a test set flowbits option
855  *
856  * \retval 1 on succces
857  * \retval 0 on failure
858  */
859 
860 static int FlowBitsTestSig06(void)
861 {
862  uint8_t *buf = (uint8_t *)
863  "GET /one/ HTTP/1.1\r\n"
864  "Host: one.example.org\r\n"
865  "\r\n";
866  uint16_t buflen = strlen((char *)buf);
868  FAIL_IF_NULL(p);
869  Signature *s = NULL;
870  ThreadVars th_v;
871  DetectEngineThreadCtx *det_ctx = NULL;
872  DetectEngineCtx *de_ctx = NULL;
873  Flow f;
874  GenericVar flowvar, *gv = NULL;
875  int result = 0;
876  uint32_t idx = 0;
877 
878  memset(p, 0, SIZE_OF_PACKET);
879  memset(&th_v, 0, sizeof(th_v));
880  memset(&f, 0, sizeof(Flow));
881  memset(&flowvar, 0, sizeof(GenericVar));
882 
883  FLOW_INITIALIZE(&f);
884  p->flow = &f;
885  p->flow->flowvar = &flowvar;
886 
887  p->src.family = AF_INET;
888  p->dst.family = AF_INET;
889  p->payload = buf;
890  p->payload_len = buflen;
891  p->proto = IPPROTO_TCP;
892  p->flags |= PKT_HAS_FLOW;
894 
897 
898  de_ctx->flags |= DE_QUIET;
899 
900  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Flowbit set\"; flowbits:set,myflow; sid:10;)");
901  FAIL_IF_NULL(s);
902 
903  idx = VarNameStoreSetupAdd("myflow", VAR_TYPE_FLOW_BIT);
905  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
906 
907  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
908 
909  gv = p->flow->flowvar;
910  FAIL_IF_NULL(gv);
911  for ( ; gv != NULL; gv = gv->next) {
912  if (gv->type == DETECT_FLOWBITS && gv->idx == idx) {
913  result = 1;
914  }
915  }
916  FAIL_IF_NOT(result);
917 
918  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
920 
921  FLOW_DESTROY(&f);
922 
923  SCFree(p);
924  PASS;
925 }
926 
927 /**
928  * \test FlowBitsTestSig07 is a test unset flowbits option
929  *
930  * \retval 1 on succces
931  * \retval 0 on failure
932  */
933 
934 static int FlowBitsTestSig07(void)
935 {
936  uint8_t *buf = (uint8_t *)
937  "GET /one/ HTTP/1.1\r\n"
938  "Host: one.example.org\r\n"
939  "\r\n";
940  uint16_t buflen = strlen((char *)buf);
942  FAIL_IF_NULL(p);
943  Signature *s = NULL;
944  ThreadVars th_v;
945  DetectEngineThreadCtx *det_ctx = NULL;
946  DetectEngineCtx *de_ctx = NULL;
947  Flow f;
948  GenericVar flowvar, *gv = NULL;
949  int result = 0;
950  uint32_t idx = 0;
951 
952  memset(p, 0, SIZE_OF_PACKET);
953  memset(&th_v, 0, sizeof(th_v));
954  memset(&f, 0, sizeof(Flow));
955  memset(&flowvar, 0, sizeof(GenericVar));
956 
957  FLOW_INITIALIZE(&f);
958  p->flow = &f;
959  p->flow->flowvar = &flowvar;
960 
961  p->src.family = AF_INET;
962  p->dst.family = AF_INET;
963  p->payload = buf;
964  p->payload_len = buflen;
965  p->proto = IPPROTO_TCP;
966 
969 
970  de_ctx->flags |= DE_QUIET;
971 
972  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Flowbit set\"; flowbits:set,myflow2; sid:10;)");
973  FAIL_IF_NULL(s);
974 
975  s = s->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Flowbit unset\"; flowbits:unset,myflow2; sid:11;)");
976  FAIL_IF_NULL(s);
977 
978  idx = VarNameStoreSetupAdd("myflow", VAR_TYPE_FLOW_BIT);
980  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
981 
982  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
983 
984  gv = p->flow->flowvar;
985  FAIL_IF_NULL(gv);
986 
987  for ( ; gv != NULL; gv = gv->next) {
988  if (gv->type == DETECT_FLOWBITS && gv->idx == idx) {
989  result = 1;
990  }
991  }
992  FAIL_IF(result);
993 
994  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
996 
997  FLOW_DESTROY(&f);
998 
999  SCFree(p);
1000  PASS;
1001 }
1002 
1003 /**
1004  * \test FlowBitsTestSig08 is a test toogle flowbits option
1005  *
1006  * \retval 1 on succces
1007  * \retval 0 on failure
1008  */
1009 
1010 static int FlowBitsTestSig08(void)
1011 {
1012  uint8_t *buf = (uint8_t *)
1013  "GET /one/ HTTP/1.1\r\n"
1014  "Host: one.example.org\r\n"
1015  "\r\n";
1016  uint16_t buflen = strlen((char *)buf);
1018  if (unlikely(p == NULL))
1019  return 0;
1020  Signature *s = NULL;
1021  ThreadVars th_v;
1022  DetectEngineThreadCtx *det_ctx = NULL;
1023  DetectEngineCtx *de_ctx = NULL;
1024  Flow f;
1025  GenericVar flowvar, *gv = NULL;
1026  int result = 0;
1027  uint32_t idx = 0;
1028 
1029  memset(p, 0, SIZE_OF_PACKET);
1030  memset(&th_v, 0, sizeof(th_v));
1031  memset(&f, 0, sizeof(Flow));
1032  memset(&flowvar, 0, sizeof(GenericVar));
1033 
1034  FLOW_INITIALIZE(&f);
1035  p->flow = &f;
1036  p->flow->flowvar = &flowvar;
1037 
1038  p->src.family = AF_INET;
1039  p->dst.family = AF_INET;
1040  p->payload = buf;
1041  p->payload_len = buflen;
1042  p->proto = IPPROTO_TCP;
1043 
1046 
1047  de_ctx->flags |= DE_QUIET;
1048 
1049  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Flowbit set\"; flowbits:set,myflow2; sid:10;)");
1050  FAIL_IF_NULL(s);
1051 
1052  s = s->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Flowbit unset\"; flowbits:toggle,myflow2; sid:11;)");
1053  FAIL_IF_NULL(s);
1054 
1055  idx = VarNameStoreSetupAdd("myflow", VAR_TYPE_FLOW_BIT);
1057  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1058 
1059  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1060 
1061  gv = p->flow->flowvar;
1062  FAIL_IF_NULL(gv);
1063 
1064  for ( ; gv != NULL; gv = gv->next) {
1065  if (gv->type == DETECT_FLOWBITS && gv->idx == idx) {
1066  result = 1;
1067  }
1068  }
1069  FAIL_IF(result);
1070 
1071  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1073 
1074  FLOW_DESTROY(&f);
1075 
1076  SCFree(p);
1077  PASS;
1078 }
1079 #endif /* UNITTESTS */
1080 
1081 /**
1082  * \brief this function registers unit tests for FlowBits
1083  */
1085 {
1086 #ifdef UNITTESTS
1087  UtRegisterTest("FlowBitsTestParse01", FlowBitsTestParse01);
1088  UtRegisterTest("FlowBitsTestSig01", FlowBitsTestSig01);
1089  UtRegisterTest("FlowBitsTestSig02", FlowBitsTestSig02);
1090  UtRegisterTest("FlowBitsTestSig03", FlowBitsTestSig03);
1091  UtRegisterTest("FlowBitsTestSig04", FlowBitsTestSig04);
1092  UtRegisterTest("FlowBitsTestSig05", FlowBitsTestSig05);
1093  UtRegisterTest("FlowBitsTestSig06", FlowBitsTestSig06);
1094  UtRegisterTest("FlowBitsTestSig07", FlowBitsTestSig07);
1095  UtRegisterTest("FlowBitsTestSig08", FlowBitsTestSig08);
1096 #endif /* UNITTESTS */
1097 }
FBAnalyze::cnts
uint16_t cnts[DETECT_FLOWBITS_CMD_MAX]
Definition: detect-flowbits.c:306
GenericVar_::type
uint8_t type
Definition: util-var.h:49
FBAnalyze::isset_sids
uint32_t * isset_sids
Definition: detect-flowbits.c:313
SigTableElmt_::url
const char * url
Definition: detect.h:1204
Packet_::proto
uint8_t proto
Definition: decode.h:431
FBAnalyze::isnotset_sids_idx
uint32_t isnotset_sids_idx
Definition: detect-flowbits.c:318
g_flowbits_dump_write_m
SCMutex g_flowbits_dump_write_m
Definition: detect-flowbits.c:535
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
DETECT_FLOWBITS_CMD_MAX
#define DETECT_FLOWBITS_CMD_MAX
Definition: detect-flowbits.h:34
SigTableElmt_::desc
const char * desc
Definition: detect.h:1203
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1077
flow-util.h
SC_ERR_SOCKET
@ SC_ERR_SOCKET
Definition: util-error.h:232
SigTableElmt_::name
const char * name
Definition: detect.h:1201
Signature_::num
SigIntId num
Definition: detect.h:532
FBAnalyze::isnotset_sids
uint32_t * isnotset_sids
Definition: detect-flowbits.c:317
FlowBitsRegisterTests
void FlowBitsRegisterTests(void)
this function registers unit tests for FlowBits
Definition: detect-flowbits.c:1084
SCFree
#define SCFree(a)
Definition: util-mem.h:322
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
MAX_SIDS
#define MAX_SIDS
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
FBAnalyze::unset_sids_size
uint32_t unset_sids_size
Definition: detect-flowbits.c:323
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:335
DETECT_SM_LIST_DYNAMIC_START
@ DETECT_SM_LIST_DYNAMIC_START
Definition: detect.h:109
DETECT_FLOWBITS_CMD_ISNOTSET
#define DETECT_FLOWBITS_CMD_ISNOTSET
Definition: detect-flowbits.h:31
Packet_::payload
uint8_t * payload
Definition: decode.h:541
Packet_::flags
uint32_t flags
Definition: decode.h:444
threads.h
Flow_
Flow data structure.
Definition: flow.h:342
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2023
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1195
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:761
VarNameStoreSetupLookup
char * VarNameStoreSetupLookup(uint32_t idx, const enum VarTypes type)
Definition: util-var-name.c:332
SC_ERR_INVALID_SIGNATURE
@ SC_ERR_INVALID_SIGNATURE
Definition: util-error.h:69
DetectFlowbitsData_::cmd
uint8_t cmd
Definition: detect-flowbits.h:38
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2030
flow-bit.h
SCMutexLock
#define SCMutexLock(mut)
Definition: threads-debug.h:117
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:218
util-var-name.h
DE_QUIET
#define DE_QUIET
Definition: detect.h:292
OutputJSONMemBufferWrapper_::buffer
MemBuffer ** buffer
Definition: output-json.h:48
SCMUTEX_INITIALIZER
#define SCMUTEX_INITIALIZER
Definition: threads-debug.h:121
SignatureInitData_::init_flags
uint32_t init_flags
Definition: detect.h:486
JSON_ESCAPE_SLASH
#define JSON_ESCAPE_SLASH
Definition: suricata-common.h:241
DETECT_FLOWBITS_CMD_TOGGLE
#define DETECT_FLOWBITS_CMD_TOGGLE
Definition: detect-flowbits.h:29
DETECT_FLOWBITS_CMD_ISSET
#define DETECT_FLOWBITS_CMD_ISSET
Definition: detect-flowbits.h:32
SigTableElmt_::Free
void(* Free)(void *)
Definition: detect.h:1192
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:440
MAX
#define MAX(x, y)
Definition: suricata-common.h:364
DetectFlowbitFree
void DetectFlowbitFree(void *)
Definition: detect-flowbits.c:295
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1187
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:542
util-unittest.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
Definition: util-unittest.h:82
Signature_::next
struct Signature_ * next
Definition: detect.h:594
FlowBitUnset
void FlowBitUnset(Flow *f, uint32_t idx)
Definition: flow-bit.c:89
DetectFlowbitsData_
Definition: detect-flowbits.h:36
DETECT_SM_LIST_POSTMATCH
@ DETECT_SM_LIST_POSTMATCH
Definition: detect.h:98
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
GenericVar_::next
struct GenericVar_ * next
Definition: util-var.h:52
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:16
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-flowbits.c:48
DetectEngineThreadCtx_
Definition: detect.h:1004
output-json.h
SCMutexUnlock
#define SCMutexUnlock(mut)
Definition: threads-debug.h:119
SC_ERR_UNKNOWN_VALUE
@ SC_ERR_UNKNOWN_VALUE
Definition: util-error.h:159
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2440
FlowBitSet
void FlowBitSet(Flow *f, uint32_t idx)
Definition: flow-bit.c:84
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
SCRealloc
#define SCRealloc(x, a)
Definition: util-mem.h:238
FBAnalyze::toggle_sids_idx
uint32_t toggle_sids_idx
Definition: detect-flowbits.c:326
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:322
FBAnalyze::set_sids_size
uint32_t set_sids_size
Definition: detect-flowbits.c:311
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:89
SIZE_OF_PACKET
#define SIZE_OF_PACKET
Definition: decode.h:619
app-layer-parser.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:321
SCMalloc
#define SCMalloc(a)
Definition: util-mem.h:222
GenericVar_::idx
uint32_t idx
Definition: util-var.h:51
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:265
FBAnalyze::unset_sids
uint32_t * unset_sids
Definition: detect-flowbits.c:321
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1665
DetectFlowbitsRegister
void DetectFlowbitsRegister(void)
Definition: detect-flowbits.c:57
Signature_::flags
uint32_t flags
Definition: detect.h:523
FBAnalyze::set_sids
uint32_t * set_sids
Definition: detect-flowbits.c:309
DetectEngineCtx_::max_fb_id
uint32_t max_fb_id
Definition: detect.h:826
MemBufferPrintToFPAsString
#define MemBufferPrintToFPAsString(mem_buffer, fp)
Write a buffer to the file pointer as a printable char string.
Definition: util-buffer.h:93
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options, int *ovector, int ovector_size)
Definition: detect-parse.c:2372
Packet_
Definition: decode.h:408
OutputJSONMemBufferWrapper_
Definition: output-json.h:47
DetectFlowbitsData_::idx
uint32_t idx
Definition: detect-flowbits.h:37
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:591
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1171
FBAnalyze::toggle_sids
uint32_t * toggle_sids
Definition: detect-flowbits.c:325
SignatureInitData_::smlists
struct SigMatch_ ** smlists
Definition: detect.h:516
SC_WARN_FLOWBIT
@ SC_WARN_FLOWBIT
Definition: util-error.h:339
FBAnalyze::isset_sids_idx
uint32_t isset_sids_idx
Definition: detect-flowbits.c:314
MemBuffer_
Definition: util-buffer.h:27
detect-flowbits.h
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
FlowBitToggle
void FlowBitToggle(Flow *f, uint32_t idx)
Definition: flow-bit.c:94
Flow_::flowvar
GenericVar * flowvar
Definition: flow.h:464
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1876
SigMatch_::type
uint8_t type
Definition: detect.h:319
FBAnalyze::unset_sids_idx
uint32_t unset_sids_idx
Definition: detect-flowbits.c:322
FBAnalyze::toggle_sids_size
uint32_t toggle_sids_size
Definition: detect-flowbits.c:327
SIG_FLAG_INIT_STATE_MATCH
#define SIG_FLAG_INIT_STATE_MATCH
Definition: detect.h:262
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:313
Packet_::flow
struct Flow_ * flow
Definition: decode.h:446
DETECT_FLOWBITS_CMD_NOALERT
#define DETECT_FLOWBITS_CMD_NOALERT
Definition: detect-flowbits.h:33
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2726
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
VAR_TYPE_FLOW_BIT
@ VAR_TYPE_FLOW_BIT
Definition: util-var.h:35
FBAnalyze::state_cnts
uint16_t state_cnts[DETECT_FLOWBITS_CMD_MAX]
Definition: detect-flowbits.c:307
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:2934
GenericVar_
Definition: util-var.h:48
MemBufferFree
void MemBufferFree(MemBuffer *buffer)
Definition: util-buffer.c:82
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectParseRegex_
Definition: detect-parse.h:42
util-spm.h
MemBufferWriteString
#define MemBufferWriteString(dst,...)
Write a string buffer to the Membuffer dst.
Definition: util-buffer.h:162
VarNameStoreSetupAdd
uint32_t VarNameStoreSetupAdd(const char *name, const enum VarTypes type)
add to staging or return existing id if already in there
Definition: util-var-name.c:323
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
DOC_URL
#define DOC_URL
Definition: suricata.h:86
FBAnalyze::set_sids_idx
uint32_t set_sids_idx
Definition: detect-flowbits.c:310
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:767
SIG_FLAG_NOALERT
#define SIG_FLAG_NOALERT
Definition: detect.h:216
DETECT_FLOWBITS
@ DETECT_FLOWBITS
Definition: detect-engine-register.h:86
FlowBitIsset
int FlowBitIsset(Flow *f, uint32_t idx)
Definition: flow-bit.c:104
str
#define str(s)
Definition: suricata-common.h:256
FBAnalyze::isset_sids_size
uint32_t isset_sids_size
Definition: detect-flowbits.c:315
ConfigGetLogDirectory
const char * ConfigGetLogDirectory()
Definition: util-conf.c:36
SCLogWarning
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
Definition: util-debug.h:281
Signature_::id
uint32_t id
Definition: detect.h:555
DETECT_FLOWBITS_CMD_UNSET
#define DETECT_FLOWBITS_CMD_UNSET
Definition: detect-flowbits.h:30
detect-parse.h
util-buffer.h
Signature_
Signature container.
Definition: detect.h:522
SigMatch_
a single match condition for a signature
Definition: detect.h:318
FBAnalyze::isnotset_sids_size
uint32_t isnotset_sids_size
Definition: detect-flowbits.c:319
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:1985
OutputJSONMemBufferCallback
int OutputJSONMemBufferCallback(const char *str, size_t size, void *data)
Definition: output-json.c:796
DetectFlowbitMatch
int DetectFlowbitMatch(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect-flowbits.c:125
DetectEngineCtx_::sig_array
Signature ** sig_array
Definition: detect.h:776
Address_::family
char family
Definition: decode.h:112
Packet_::dst
Address dst
Definition: decode.h:414
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:762
flow.h
DetectEngineCtx_::sig_array_len
uint32_t sig_array_len
Definition: detect.h:778
FBAnalyze
Definition: detect-flowbits.c:305
DetectFlowbitsAnalyze
void DetectFlowbitsAnalyze(DetectEngineCtx *de_ctx)
Definition: detect-flowbits.c:334
SIGMATCH_IPONLY_COMPAT
#define SIGMATCH_IPONLY_COMPAT
Definition: detect.h:1372
SCMutex
#define SCMutex
Definition: threads-debug.h:114
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:121
Packet_::src
Address src
Definition: decode.h:413
DOC_VERSION
#define DOC_VERSION
Definition: suricata.h:91
MemBufferCreateNew
MemBuffer * MemBufferCreateNew(uint32_t size)
Definition: util-buffer.c:32
FlowBitIsnotset
int FlowBitIsnotset(Flow *f, uint32_t idx)
Definition: flow-bit.c:116
DETECT_FLOWBITS_CMD_SET
#define DETECT_FLOWBITS_CMD_SET
Definition: detect-flowbits.h:28
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1193
SignatureInitData_::smlists_array_size
uint32_t smlists_array_size
Definition: detect.h:514