suricata
detect-flowbits.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2025 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Breno Silva <breno.silva@gmail.com>
23  *
24  * Implements the flowbits keyword
25  */
26 
27 #include "suricata-common.h"
28 #include "decode.h"
29 #include "action-globals.h"
30 #include "detect.h"
31 #include "threads.h"
32 #include "flow.h"
33 #include "flow-bit.h"
34 #include "flow-util.h"
35 #include "detect-flowbits.h"
36 #include "util-spm.h"
37 
38 #include "app-layer-parser.h"
39 
40 #include "detect-parse.h"
41 #include "detect-engine.h"
42 #include "detect-engine-mpm.h"
43 #include "detect-engine-state.h"
44 #include "detect-engine-build.h"
45 
46 #include "util-var-name.h"
47 #include "util-unittest.h"
48 #include "util-debug.h"
49 #include "util-conf.h"
50 
51 #define PARSE_REGEX "^([a-z]+)(?:,\\s*(.*))?"
52 static DetectParseRegex parse_regex;
53 
54 #define MAX_TOKENS 100
55 
56 int DetectFlowbitMatch (DetectEngineThreadCtx *, Packet *,
57  const Signature *, const SigMatchCtx *);
58 static int DetectFlowbitSetup (DetectEngineCtx *, Signature *, const char *);
59 static int FlowbitOrAddData(DetectEngineCtx *, DetectFlowbitsData *, char *);
60 void DetectFlowbitFree (DetectEngineCtx *, void *);
61 #ifdef UNITTESTS
62 void FlowBitsRegisterTests(void);
63 #endif
64 
65 void DetectFlowbitsRegister (void)
66 {
67  sigmatch_table[DETECT_FLOWBITS].name = "flowbits";
68  sigmatch_table[DETECT_FLOWBITS].desc = "operate on flow flag";
69  sigmatch_table[DETECT_FLOWBITS].url = "/rules/flow-keywords.html#flowbits";
70  sigmatch_table[DETECT_FLOWBITS].Match = DetectFlowbitMatch;
71  sigmatch_table[DETECT_FLOWBITS].Setup = DetectFlowbitSetup;
72  sigmatch_table[DETECT_FLOWBITS].Free = DetectFlowbitFree;
73 #ifdef UNITTESTS
74  sigmatch_table[DETECT_FLOWBITS].RegisterTests = FlowBitsRegisterTests;
75 #endif
76  /* this is compatible to ip-only signatures */
77  sigmatch_table[DETECT_FLOWBITS].flags |= SIGMATCH_IPONLY_COMPAT;
78 
79  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
80 }
81 
82 static int FlowbitOrAddData(DetectEngineCtx *de_ctx, DetectFlowbitsData *cd, char *arrptr)
83 {
84  char *strarr[MAX_TOKENS];
85  char *token;
86  char *saveptr = NULL;
87  uint8_t i = 0;
88 
89  while ((token = strtok_r(arrptr, "|", &saveptr))) {
90  // Check for leading/trailing spaces in the token
91  while(isspace((unsigned char)*token))
92  token++;
93  if (*token == 0)
94  goto next;
95  char *end = token + strlen(token) - 1;
96  while(end > token && isspace((unsigned char)*end))
97  *(end--) = '\0';
98 
99  // Check for spaces in between the flowbit names
100  if (strchr(token, ' ') != NULL) {
101  SCLogError("Spaces are not allowed in flowbit names.");
102  return -1;
103  }
104 
105  if (i == MAX_TOKENS) {
106  SCLogError("Number of flowbits exceeds "
107  "maximum allowed: %d.",
108  MAX_TOKENS);
109  return -1;
110  }
111  strarr[i++] = token;
112  next:
113  arrptr = NULL;
114  }
115  if (i == 0) {
116  SCLogError("No valid flowbits specified");
117  return -1;
118  }
119 
120  cd->or_list_size = i;
121  cd->or_list = SCCalloc(cd->or_list_size, sizeof(uint32_t));
122  if (unlikely(cd->or_list == NULL))
123  return -1;
124  for (uint8_t j = 0; j < cd->or_list_size ; j++) {
125  cd->or_list[j] = VarNameStoreRegister(strarr[j], VAR_TYPE_FLOW_BIT);
126  de_ctx->max_fb_id = MAX(cd->or_list[j], de_ctx->max_fb_id);
127  }
128 
129  return 1;
130 }
131 
132 static int DetectFlowbitMatchToggle (Packet *p, const DetectFlowbitsData *fd)
133 {
134  if (p->flow == NULL)
135  return 0;
136 
137  FlowBitToggle(p->flow,fd->idx);
138 
139  return 1;
140 }
141 
142 static int DetectFlowbitMatchUnset (Packet *p, const DetectFlowbitsData *fd)
143 {
144  if (p->flow == NULL)
145  return 0;
146 
147  FlowBitUnset(p->flow,fd->idx);
148 
149  return 1;
150 }
151 
152 static int DetectFlowbitMatchSet (Packet *p, const DetectFlowbitsData *fd)
153 {
154  if (p->flow == NULL)
155  return 0;
156 
157  FlowBitSet(p->flow,fd->idx);
158 
159  return 1;
160 }
161 
162 static int DetectFlowbitMatchIsset (Packet *p, const DetectFlowbitsData *fd)
163 {
164  if (p->flow == NULL)
165  return 0;
166  if (fd->or_list_size > 0) {
167  for (uint8_t i = 0; i < fd->or_list_size; i++) {
168  if (FlowBitIsset(p->flow, fd->or_list[i]) == 1)
169  return 1;
170  }
171  return 0;
172  }
173 
174  return FlowBitIsset(p->flow,fd->idx);
175 }
176 
177 static int DetectFlowbitMatchIsnotset (Packet *p, const DetectFlowbitsData *fd)
178 {
179  if (p->flow == NULL)
180  return 0;
181  if (fd->or_list_size > 0) {
182  for (uint8_t i = 0; i < fd->or_list_size; i++) {
183  if (FlowBitIsnotset(p->flow, fd->or_list[i]) == 1)
184  return 1;
185  }
186  return 0;
187  }
188  return FlowBitIsnotset(p->flow,fd->idx);
189 }
190 
191 /*
192  * returns 0: no match
193  * 1: match
194  * -1: error
195  */
196 
197 int DetectFlowbitMatch (DetectEngineThreadCtx *det_ctx, Packet *p,
198  const Signature *s, const SigMatchCtx *ctx)
199 {
200  const DetectFlowbitsData *fd = (const DetectFlowbitsData *)ctx;
201  if (fd == NULL)
202  return 0;
203 
204  switch (fd->cmd) {
205  case DETECT_FLOWBITS_CMD_ISSET:
206  return DetectFlowbitMatchIsset(p,fd);
207  case DETECT_FLOWBITS_CMD_ISNOTSET:
208  return DetectFlowbitMatchIsnotset(p,fd);
209  case DETECT_FLOWBITS_CMD_SET:
210  return DetectFlowbitMatchSet(p,fd);
211  case DETECT_FLOWBITS_CMD_UNSET:
212  return DetectFlowbitMatchUnset(p,fd);
213  case DETECT_FLOWBITS_CMD_TOGGLE:
214  return DetectFlowbitMatchToggle(p,fd);
215  default:
216  SCLogError("unknown cmd %" PRIu32 "", fd->cmd);
217  return 0;
218  }
219 
220  return 0;
221 }
222 
223 static int DetectFlowbitParse(const char *str, char *cmd, int cmd_len, char *name,
224  int name_len)
225 {
226  int rc;
227  size_t pcre2len;
228  pcre2_match_data *match = NULL;
229 
230  int count = DetectParsePcreExec(&parse_regex, &match, str, 0, 0);
231  if (count != 2 && count != 3) {
232  SCLogError("\"%s\" is not a valid setting for flowbits.", str);
233  goto error;
234  }
235 
236  pcre2len = cmd_len;
237  rc = pcre2_substring_copy_bynumber(match, 1, (PCRE2_UCHAR8 *)cmd, &pcre2len);
238  if (rc < 0) {
239  SCLogError("pcre2_substring_copy_bynumber failed");
240  goto error;
241  }
242 
243  if (count == 3) {
244  pcre2len = name_len;
245  rc = pcre2_substring_copy_bynumber(match, 2, (PCRE2_UCHAR8 *)name, &pcre2len);
246  if (rc < 0) {
247  SCLogError("pcre2_substring_copy_bynumber failed");
248  goto error;
249  }
250 
251  /* Trim trailing whitespace. */
252  while (strlen(name) > 0 && isblank(name[strlen(name) - 1])) {
253  name[strlen(name) - 1] = '\0';
254  }
255 
256  if (strchr(name, '|') == NULL) {
257  /* Validate name, spaces are not allowed. */
258  for (size_t i = 0; i < strlen(name); i++) {
259  if (isblank(name[i])) {
260  SCLogError("spaces not allowed in flowbit names");
261  goto error;
262  }
263  }
264  }
265  }
266 
267  pcre2_match_data_free(match);
268  return 1;
269 
270 error:
271  if (match) {
272  pcre2_match_data_free(match);
273  }
274  return 0;
275 }
276 
277 int DetectFlowbitSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
278 {
279  DetectFlowbitsData *cd = NULL;
280  uint8_t fb_cmd = 0;
281  char fb_cmd_str[16] = "", fb_name[256] = "";
282 
283  if (!DetectFlowbitParse(rawstr, fb_cmd_str, sizeof(fb_cmd_str), fb_name,
284  sizeof(fb_name))) {
285  return -1;
286  }
287 
288  if (strcmp(fb_cmd_str,"noalert") == 0) {
289  if (strlen(fb_name) != 0)
290  goto error;
291  s->action &= ~ACTION_ALERT;
292  return 0;
293  } else if (strcmp(fb_cmd_str,"isset") == 0) {
294  fb_cmd = DETECT_FLOWBITS_CMD_ISSET;
295  } else if (strcmp(fb_cmd_str,"isnotset") == 0) {
296  fb_cmd = DETECT_FLOWBITS_CMD_ISNOTSET;
297  } else if (strcmp(fb_cmd_str,"set") == 0) {
298  fb_cmd = DETECT_FLOWBITS_CMD_SET;
299  } else if (strcmp(fb_cmd_str,"unset") == 0) {
300  fb_cmd = DETECT_FLOWBITS_CMD_UNSET;
301  } else if (strcmp(fb_cmd_str,"toggle") == 0) {
302  fb_cmd = DETECT_FLOWBITS_CMD_TOGGLE;
303  } else {
304  SCLogError("ERROR: flowbits action \"%s\" is not supported.", fb_cmd_str);
305  goto error;
306  }
307 
308  switch (fb_cmd) {
309  case DETECT_FLOWBITS_CMD_ISNOTSET:
310  case DETECT_FLOWBITS_CMD_ISSET:
311  case DETECT_FLOWBITS_CMD_SET:
312  case DETECT_FLOWBITS_CMD_UNSET:
313  case DETECT_FLOWBITS_CMD_TOGGLE:
314  default:
315  if (strlen(fb_name) == 0)
316  goto error;
317  break;
318  }
319 
320  cd = SCCalloc(1, sizeof(DetectFlowbitsData));
321  if (unlikely(cd == NULL))
322  goto error;
323  if (strchr(fb_name, '|') != NULL) {
324  int retval = FlowbitOrAddData(de_ctx, cd, fb_name);
325  if (retval == -1) {
326  goto error;
327  }
328  cd->cmd = fb_cmd;
329  } else {
330  cd->idx = VarNameStoreRegister(fb_name, VAR_TYPE_FLOW_BIT);
331  de_ctx->max_fb_id = MAX(cd->idx, de_ctx->max_fb_id);
332  cd->cmd = fb_cmd;
333  cd->or_list_size = 0;
334  cd->or_list = NULL;
335  SCLogDebug("idx %" PRIu32 ", cmd %s, name %s",
336  cd->idx, fb_cmd_str, strlen(fb_name) ? fb_name : "(none)");
337  }
338  /* Okay so far so good, lets get this into a SigMatch
339  * and put it in the Signature. */
340 
341  switch (fb_cmd) {
342  /* noalert can't happen here */
343  case DETECT_FLOWBITS_CMD_ISNOTSET:
344  case DETECT_FLOWBITS_CMD_ISSET:
345  /* checks, so packet list */
346  if (SigMatchAppendSMToList(de_ctx, s, DETECT_FLOWBITS, (SigMatchCtx *)cd,
347  DETECT_SM_LIST_MATCH) == NULL) {
348  goto error;
349  }
350  break;
351 
352  case DETECT_FLOWBITS_CMD_SET:
353  case DETECT_FLOWBITS_CMD_UNSET:
354  case DETECT_FLOWBITS_CMD_TOGGLE:
355  /* modifiers, only run when entire sig has matched */
356  if (SigMatchAppendSMToList(de_ctx, s, DETECT_FLOWBITS, (SigMatchCtx *)cd,
357  DETECT_SM_LIST_POSTMATCH) == NULL) {
358  goto error;
359  }
360  break;
361 
362  // suppress coverity warning as scan-build-7 warns w/o this.
363  // coverity[deadcode : FALSE]
364  default:
365  goto error;
366  }
367 
368  return 0;
369 
370 error:
371  if (cd != NULL)
372  DetectFlowbitFree(de_ctx, cd);
373  return -1;
374 }
375 
376 void DetectFlowbitFree (DetectEngineCtx *de_ctx, void *ptr)
377 {
378  DetectFlowbitsData *fd = (DetectFlowbitsData *)ptr;
379  if (fd == NULL)
380  return;
381  VarNameStoreUnregister(fd->idx, VAR_TYPE_FLOW_BIT);
382  if (fd->or_list != NULL) {
383  for (uint8_t i = 0; i < fd->or_list_size; i++) {
384  VarNameStoreUnregister(fd->or_list[i], VAR_TYPE_FLOW_BIT);
385  }
386  SCFree(fd->or_list);
387  }
388  SCFree(fd);
389 }
390 
391 struct FBAnalyze {
392  uint16_t cnts[DETECT_FLOWBITS_CMD_MAX];
393  uint16_t state_cnts[DETECT_FLOWBITS_CMD_MAX];
394 
395  uint32_t *set_sids;
396  uint32_t set_sids_idx;
397  uint32_t set_sids_size;
398 
399  uint32_t *isset_sids;
400  uint32_t isset_sids_idx;
401  uint32_t isset_sids_size;
402 
403  uint32_t *isnotset_sids;
404  uint32_t isnotset_sids_idx;
405  uint32_t isnotset_sids_size;
406 
407  uint32_t *unset_sids;
408  uint32_t unset_sids_idx;
409  uint32_t unset_sids_size;
410 
411  uint32_t *toggle_sids;
412  uint32_t toggle_sids_idx;
413  uint32_t toggle_sids_size;
414 };
415 
416 extern bool rule_engine_analysis_set;
417 static void DetectFlowbitsAnalyzeDump(const DetectEngineCtx *de_ctx,
418  struct FBAnalyze *array, uint32_t elements);
419 
420 int DetectFlowbitsAnalyze(DetectEngineCtx *de_ctx)
421 {
422  const uint32_t max_fb_id = de_ctx->max_fb_id;
423  if (max_fb_id == 0)
424  return 0;
425 
426 #define MAX_SIDS 8
427  uint32_t array_size = max_fb_id + 1;
428  struct FBAnalyze *array = SCCalloc(array_size, sizeof(struct FBAnalyze));
429 
430  if (array == NULL) {
431  SCLogError("Unable to allocate flowbit analyze array");
432  return -1;
433  }
434 
435  SCLogDebug("fb analyzer array size: %"PRIu64,
436  (uint64_t)(array_size * sizeof(struct FBAnalyze)));
437 
438  /* fill flowbit array, updating counters per sig */
439  for (uint32_t i = 0; i < de_ctx->sig_array_len; i++) {
440  const Signature *s = de_ctx->sig_array[i];
441 
442  /* see if the signature uses stateful matching */
443  bool has_state = (s->init_data->buffer_index != 0);
444 
445  for (const SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_MATCH] ; sm != NULL; sm = sm->next) {
446  switch (sm->type) {
447  case DETECT_FLOWBITS:
448  {
449  /* figure out the flowbit action */
450  const DetectFlowbitsData *fb = (DetectFlowbitsData *)sm->ctx;
451  // Handle flowbit array in case of ORed flowbits
452  for (uint8_t k = 0; k < fb->or_list_size; k++) {
453  array[fb->or_list[k]].cnts[fb->cmd]++;
454  if (has_state)
455  array[fb->or_list[k]].state_cnts[fb->cmd]++;
456  if (fb->cmd == DETECT_FLOWBITS_CMD_ISSET) {
457  if (array[fb->or_list[k]].isset_sids_idx >= array[fb->or_list[k]].isset_sids_size) {
458  uint32_t old_size = array[fb->or_list[k]].isset_sids_size;
459  uint32_t new_size = MAX(2 * old_size, MAX_SIDS);
460 
461  void *ptr = SCRealloc(array[fb->or_list[k]].isset_sids, new_size * sizeof(uint32_t));
462  if (ptr == NULL)
463  goto end;
464  array[fb->or_list[k]].isset_sids_size = new_size;
465  array[fb->or_list[k]].isset_sids = ptr;
466  }
467 
468  array[fb->or_list[k]].isset_sids[array[fb->or_list[k]].isset_sids_idx] = s->num;
469  array[fb->or_list[k]].isset_sids_idx++;
470  } else if (fb->cmd == DETECT_FLOWBITS_CMD_ISNOTSET) {
471  if (array[fb->or_list[k]].isnotset_sids_idx >= array[fb->or_list[k]].isnotset_sids_size) {
472  uint32_t old_size = array[fb->or_list[k]].isnotset_sids_size;
473  uint32_t new_size = MAX(2 * old_size, MAX_SIDS);
474 
475  void *ptr = SCRealloc(array[fb->or_list[k]].isnotset_sids, new_size * sizeof(uint32_t));
476  if (ptr == NULL)
477  goto end;
478  array[fb->or_list[k]].isnotset_sids_size = new_size;
479  array[fb->or_list[k]].isnotset_sids = ptr;
480  }
481 
482  array[fb->or_list[k]].isnotset_sids[array[fb->or_list[k]].isnotset_sids_idx] = s->num;
483  array[fb->or_list[k]].isnotset_sids_idx++;
484  }
485  }
486  if (fb->or_list_size == 0) {
487  array[fb->idx].cnts[fb->cmd]++;
488  if (has_state)
489  array[fb->idx].state_cnts[fb->cmd]++;
490  if (fb->cmd == DETECT_FLOWBITS_CMD_ISSET) {
491  if (array[fb->idx].isset_sids_idx >= array[fb->idx].isset_sids_size) {
492  uint32_t old_size = array[fb->idx].isset_sids_size;
493  uint32_t new_size = MAX(2 * old_size, MAX_SIDS);
494 
495  void *ptr = SCRealloc(array[fb->idx].isset_sids, new_size * sizeof(uint32_t));
496  if (ptr == NULL)
497  goto end;
498  array[fb->idx].isset_sids_size = new_size;
499  array[fb->idx].isset_sids = ptr;
500  }
501 
502  array[fb->idx].isset_sids[array[fb->idx].isset_sids_idx] = s->num;
503  array[fb->idx].isset_sids_idx++;
504  } else if (fb->cmd == DETECT_FLOWBITS_CMD_ISNOTSET) {
505  if (array[fb->idx].isnotset_sids_idx >= array[fb->idx].isnotset_sids_size) {
506  uint32_t old_size = array[fb->idx].isnotset_sids_size;
507  uint32_t new_size = MAX(2 * old_size, MAX_SIDS);
508 
509  void *ptr = SCRealloc(array[fb->idx].isnotset_sids, new_size * sizeof(uint32_t));
510  if (ptr == NULL)
511  goto end;
512  array[fb->idx].isnotset_sids_size = new_size;
513  array[fb->idx].isnotset_sids = ptr;
514  }
515 
516  array[fb->idx].isnotset_sids[array[fb->idx].isnotset_sids_idx] = s->num;
517  array[fb->idx].isnotset_sids_idx++;
518  }
519  }
520  }
521  }
522  }
523  for (const SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_POSTMATCH] ; sm != NULL; sm = sm->next) {
524  switch (sm->type) {
525  case DETECT_FLOWBITS:
526  {
527  /* figure out what flowbit action */
528  const DetectFlowbitsData *fb = (DetectFlowbitsData *)sm->ctx;
529  array[fb->idx].cnts[fb->cmd]++;
530  if (has_state)
531  array[fb->idx].state_cnts[fb->cmd]++;
532  if (fb->cmd == DETECT_FLOWBITS_CMD_SET) {
533  if (array[fb->idx].set_sids_idx >= array[fb->idx].set_sids_size) {
534  uint32_t old_size = array[fb->idx].set_sids_size;
535  uint32_t new_size = MAX(2 * old_size, MAX_SIDS);
536 
537  void *ptr = SCRealloc(array[fb->idx].set_sids, new_size * sizeof(uint32_t));
538  if (ptr == NULL)
539  goto end;
540  array[fb->idx].set_sids_size = new_size;
541  array[fb->idx].set_sids = ptr;
542  }
543 
544  array[fb->idx].set_sids[array[fb->idx].set_sids_idx] = s->num;
545  array[fb->idx].set_sids_idx++;
546  }
547  else if (fb->cmd == DETECT_FLOWBITS_CMD_UNSET) {
548  if (array[fb->idx].unset_sids_idx >= array[fb->idx].unset_sids_size) {
549  uint32_t old_size = array[fb->idx].unset_sids_size;
550  uint32_t new_size = MAX(2 * old_size, MAX_SIDS);
551 
552  void *ptr = SCRealloc(array[fb->idx].unset_sids, new_size * sizeof(uint32_t));
553  if (ptr == NULL)
554  goto end;
555  array[fb->idx].unset_sids_size = new_size;
556  array[fb->idx].unset_sids = ptr;
557  }
558 
559  array[fb->idx].unset_sids[array[fb->idx].unset_sids_idx] = s->num;
560  array[fb->idx].unset_sids_idx++;
561  }
562  else if (fb->cmd == DETECT_FLOWBITS_CMD_TOGGLE) {
563  if (array[fb->idx].toggle_sids_idx >= array[fb->idx].toggle_sids_size) {
564  uint32_t old_size = array[fb->idx].toggle_sids_size;
565  uint32_t new_size = MAX(2 * old_size, MAX_SIDS);
566 
567  void *ptr = SCRealloc(array[fb->idx].toggle_sids, new_size * sizeof(uint32_t));
568  if (ptr == NULL)
569  goto end;
570  array[fb->idx].toggle_sids_size = new_size;
571  array[fb->idx].toggle_sids = ptr;
572  }
573 
574  array[fb->idx].toggle_sids[array[fb->idx].toggle_sids_idx] = s->num;
575  array[fb->idx].toggle_sids_idx++;
576  }
577  }
578  }
579  }
580  }
581 
582  /* walk array to see if all bits make sense */
583  for (uint32_t i = 0; i < array_size; i++) {
584  const char *varname = VarNameStoreSetupLookup(i, VAR_TYPE_FLOW_BIT);
585  if (varname == NULL)
586  continue;
587 
588  bool to_state = false;
589 
590  if (array[i].cnts[DETECT_FLOWBITS_CMD_ISSET] &&
591  array[i].cnts[DETECT_FLOWBITS_CMD_TOGGLE] == 0 &&
592  array[i].cnts[DETECT_FLOWBITS_CMD_SET] == 0) {
593 
594  const Signature *s = de_ctx->sig_array[array[i].isset_sids[0]];
595  SCLogWarning("flowbit '%s' is checked but not "
596  "set. Checked in %u and %u other sigs",
597  varname, s->id, array[i].isset_sids_idx - 1);
598  }
599  if (array[i].state_cnts[DETECT_FLOWBITS_CMD_ISSET] &&
600  array[i].state_cnts[DETECT_FLOWBITS_CMD_SET] == 0)
601  {
602  SCLogDebug("flowbit %s/%u: isset in state, set not in state", varname, i);
603  }
604 
605  /* if signature depends on 'stateful' flowbits, then turn the
606  * sig into a stateful sig itself */
607  if (array[i].cnts[DETECT_FLOWBITS_CMD_ISSET] > 0 &&
608  array[i].state_cnts[DETECT_FLOWBITS_CMD_ISSET] == 0 &&
609  array[i].state_cnts[DETECT_FLOWBITS_CMD_SET])
610  {
611  SCLogDebug("flowbit %s/%u: isset not in state, set in state", varname, i);
612  to_state = true;
613  }
614 
615  SCLogDebug("ALL flowbit %s/%u: sets %u toggles %u unsets %u isnotsets %u issets %u", varname, i,
616  array[i].cnts[DETECT_FLOWBITS_CMD_SET], array[i].cnts[DETECT_FLOWBITS_CMD_TOGGLE],
617  array[i].cnts[DETECT_FLOWBITS_CMD_UNSET], array[i].cnts[DETECT_FLOWBITS_CMD_ISNOTSET],
618  array[i].cnts[DETECT_FLOWBITS_CMD_ISSET]);
619  SCLogDebug("STATE flowbit %s/%u: sets %u toggles %u unsets %u isnotsets %u issets %u", varname, i,
620  array[i].state_cnts[DETECT_FLOWBITS_CMD_SET], array[i].state_cnts[DETECT_FLOWBITS_CMD_TOGGLE],
621  array[i].state_cnts[DETECT_FLOWBITS_CMD_UNSET], array[i].state_cnts[DETECT_FLOWBITS_CMD_ISNOTSET],
622  array[i].state_cnts[DETECT_FLOWBITS_CMD_ISSET]);
623  for (uint32_t x = 0; x < array[i].set_sids_idx; x++) {
624  SCLogDebug("SET flowbit %s/%u: SID %u", varname, i,
625  de_ctx->sig_array[array[i].set_sids[x]]->id);
626  }
627  if (to_state) {
628  for (uint32_t x = 0; x < array[i].isset_sids_idx; x++) {
629  Signature *s = de_ctx->sig_array[array[i].isset_sids[x]];
630  SCLogDebug("GET flowbit %s/%u: SID %u", varname, i, s->id);
631 
632  s->init_data->init_flags |= SIG_FLAG_INIT_STATE_MATCH;
633  s->init_data->is_rule_state_dependant = true;
634 
635  uint32_t sids_array_size = array[i].set_sids_idx;
636 
637  // save information about flowbits that affect this rule's state
638  if (s->init_data->rule_state_dependant_sids_array == NULL) {
639  s->init_data->rule_state_dependant_sids_array =
640  SCCalloc(sids_array_size, sizeof(uint32_t));
641  if (s->init_data->rule_state_dependant_sids_array == NULL) {
642  SCLogError("Failed to allocate memory for rule_state_dependant_ids");
643  goto end;
644  }
645  s->init_data->rule_state_flowbits_ids_size = 1;
646  s->init_data->rule_state_flowbits_ids_array =
647  SCCalloc(s->init_data->rule_state_flowbits_ids_size, sizeof(uint32_t));
648  if (s->init_data->rule_state_flowbits_ids_array == NULL) {
649  SCLogError("Failed to allocate memory for rule_state_variable_idx");
650  goto end;
651  }
652  s->init_data->rule_state_dependant_sids_size = sids_array_size;
653  SCLogDebug("alloc'ed array for rule dependency and fbs idx array, sid %u, "
654  "sizes are %u and %u",
655  s->id, s->init_data->rule_state_dependant_sids_size,
656  s->init_data->rule_state_flowbits_ids_size);
657  } else {
658  uint32_t new_array_size =
659  s->init_data->rule_state_dependant_sids_size + sids_array_size;
660  void *tmp_ptr = SCRealloc(s->init_data->rule_state_dependant_sids_array,
661  new_array_size * sizeof(uint32_t));
662  if (tmp_ptr == NULL) {
663  SCLogError("Failed to allocate memory for rule_state_variable_idx");
664  goto end;
665  }
666  s->init_data->rule_state_dependant_sids_array = tmp_ptr;
667  s->init_data->rule_state_dependant_sids_size = new_array_size;
668  SCLogDebug("realloc'ed array for rule dependency, sid %u, new size is %u",
669  s->id, s->init_data->rule_state_dependant_sids_size);
670  uint32_t new_fb_array_size = s->init_data->rule_state_flowbits_ids_size + 1;
671  void *tmp_fb_ptr = SCRealloc(s->init_data->rule_state_flowbits_ids_array,
672  new_fb_array_size * sizeof(uint32_t));
673  s->init_data->rule_state_flowbits_ids_array = tmp_fb_ptr;
674  if (s->init_data->rule_state_flowbits_ids_array == NULL) {
675  SCLogError("Failed to reallocate memory for rule_state_variable_idx");
676  goto end;
677  }
678  SCLogDebug(
679  "realloc'ed array for flowbits ids, new size is %u", new_fb_array_size);
680  s->init_data->rule_state_dependant_sids_size = new_array_size;
681  s->init_data->rule_state_flowbits_ids_size = new_fb_array_size;
682  }
683  for (uint32_t idx = 0; idx < s->init_data->rule_state_dependant_sids_size; idx++) {
684  if (idx < array[i].set_sids_idx) {
685  s->init_data->rule_state_dependant_sids_array
686  [s->init_data->rule_state_dependant_sids_idx] =
687  de_ctx->sig_array[array[i].set_sids[idx]]->id;
688  s->init_data->rule_state_dependant_sids_idx++;
689  }
690  }
691  s->init_data
692  ->rule_state_flowbits_ids_array[s->init_data->rule_state_flowbits_ids_size -
693  1] = i;
694  s->init_data->rule_state_flowbits_ids_size += 1;
695  // flowbit info saving for rule made stateful rule work finished
696 
697  SCLogDebug("made SID %u stateful because it depends on "
698  "stateful rules that set flowbit %s", s->id, varname);
699  }
700  }
701  }
702 
703  if (rule_engine_analysis_set) {
704  DetectFlowbitsAnalyzeDump(de_ctx, array, array_size);
705  }
706 
707 end:
708  for (uint32_t i = 0; i < array_size; i++) {
709  SCFree(array[i].set_sids);
710  SCFree(array[i].unset_sids);
711  SCFree(array[i].isset_sids);
712  SCFree(array[i].isnotset_sids);
713  SCFree(array[i].toggle_sids);
714  }
715  SCFree(array);
716 
717  return 0;
718 }
719 
720 SCMutex g_flowbits_dump_write_m = SCMUTEX_INITIALIZER;
721 static void DetectFlowbitsAnalyzeDump(const DetectEngineCtx *de_ctx,
722  struct FBAnalyze *array, uint32_t elements)
723 {
724  JsonBuilder *js = jb_new_object();
725  if (js == NULL)
726  return;
727 
728  jb_open_array(js, "flowbits");
729  for (uint32_t x = 0; x < elements; x++) {
730  const char *varname = VarNameStoreSetupLookup(x, VAR_TYPE_FLOW_BIT);
731  if (varname == NULL)
732  continue;
733 
734  const struct FBAnalyze *e = &array[x];
735 
736  jb_start_object(js);
737  jb_set_string(js, "name", varname);
738  jb_set_uint(js, "internal_id", x);
739  jb_set_uint(js, "set_cnt", e->cnts[DETECT_FLOWBITS_CMD_SET]);
740  jb_set_uint(js, "unset_cnt", e->cnts[DETECT_FLOWBITS_CMD_UNSET]);
741  jb_set_uint(js, "toggle_cnt", e->cnts[DETECT_FLOWBITS_CMD_TOGGLE]);
742  jb_set_uint(js, "isset_cnt", e->cnts[DETECT_FLOWBITS_CMD_ISSET]);
743  jb_set_uint(js, "isnotset_cnt", e->cnts[DETECT_FLOWBITS_CMD_ISNOTSET]);
744 
745  // sets
746  if (e->cnts[DETECT_FLOWBITS_CMD_SET]) {
747  jb_open_array(js, "sets");
748  for (uint32_t i = 0; i < e->set_sids_idx; i++) {
749  const Signature *s = de_ctx->sig_array[e->set_sids[i]];
750  jb_append_uint(js, s->id);
751  }
752  jb_close(js);
753  }
754  // gets
755  if (e->cnts[DETECT_FLOWBITS_CMD_ISSET]) {
756  jb_open_array(js, "isset");
757  for (uint32_t i = 0; i < e->isset_sids_idx; i++) {
758  const Signature *s = de_ctx->sig_array[e->isset_sids[i]];
759  jb_append_uint(js, s->id);
760  }
761  jb_close(js);
762  }
763  // isnotset
764  if (e->cnts[DETECT_FLOWBITS_CMD_ISNOTSET]) {
765  jb_open_array(js, "isnotset");
766  for (uint32_t i = 0; i < e->isnotset_sids_idx; i++) {
767  const Signature *s = de_ctx->sig_array[e->isnotset_sids[i]];
768  jb_append_uint(js, s->id);
769  }
770  jb_close(js);
771  }
772  // unset
773  if (e->cnts[DETECT_FLOWBITS_CMD_UNSET]) {
774  jb_open_array(js, "unset");
775  for (uint32_t i = 0; i < e->unset_sids_idx; i++) {
776  const Signature *s = de_ctx->sig_array[e->unset_sids[i]];
777  jb_append_uint(js, s->id);
778  }
779  jb_close(js);
780  }
781  // toggle
782  if (e->cnts[DETECT_FLOWBITS_CMD_TOGGLE]) {
783  jb_open_array(js, "toggle");
784  for (uint32_t i = 0; i < e->toggle_sids_idx; i++) {
785  const Signature *s = de_ctx->sig_array[e->toggle_sids[i]];
786  jb_append_uint(js, s->id);
787  }
788  jb_close(js);
789  }
790  jb_close(js);
791  }
792  jb_close(js); // array
793  jb_close(js); // object
794 
795  const char *filename = "flowbits.json";
796  const char *log_dir = ConfigGetLogDirectory();
797  char log_path[PATH_MAX] = "";
798  snprintf(log_path, sizeof(log_path), "%s/%s", log_dir, filename);
799 
800  SCMutexLock(&g_flowbits_dump_write_m);
801  FILE *fp = fopen(log_path, "w");
802  if (fp != NULL) {
803  fwrite(jb_ptr(js), jb_len(js), 1, fp);
804  fprintf(fp, "\n");
805  fclose(fp);
806  }
807  SCMutexUnlock(&g_flowbits_dump_write_m);
808 
809  jb_free(js);
810 }
811 
812 #ifdef UNITTESTS
813 
814 static int FlowBitsTestParse01(void)
815 {
816  char command[16] = "", name[16] = "";
817 
818  /* Single argument version. */
819  FAIL_IF(!DetectFlowbitParse("noalert", command, sizeof(command), name,
820  sizeof(name)));
821  FAIL_IF(strcmp(command, "noalert") != 0);
822 
823  /* No leading or trailing spaces. */
824  FAIL_IF(!DetectFlowbitParse("set,flowbit", command, sizeof(command), name,
825  sizeof(name)));
826  FAIL_IF(strcmp(command, "set") != 0);
827  FAIL_IF(strcmp(name, "flowbit") != 0);
828 
829  /* Leading space. */
830  FAIL_IF(!DetectFlowbitParse("set, flowbit", command, sizeof(command), name,
831  sizeof(name)));
832  FAIL_IF(strcmp(command, "set") != 0);
833  FAIL_IF(strcmp(name, "flowbit") != 0);
834 
835  /* Trailing space. */
836  FAIL_IF(!DetectFlowbitParse("set,flowbit ", command, sizeof(command), name,
837  sizeof(name)));
838  FAIL_IF(strcmp(command, "set") != 0);
839  FAIL_IF(strcmp(name, "flowbit") != 0);
840 
841  /* Leading and trailing space. */
842  FAIL_IF(!DetectFlowbitParse("set, flowbit ", command, sizeof(command), name,
843  sizeof(name)));
844  FAIL_IF(strcmp(command, "set") != 0);
845  FAIL_IF(strcmp(name, "flowbit") != 0);
846 
847  /* Spaces are not allowed in the name. */
848  FAIL_IF(DetectFlowbitParse("set,namewith space", command, sizeof(command),
849  name, sizeof(name)));
850 
851  PASS;
852 }
853 
854 /**
855  * \test FlowBitsTestSig01 is a test for a valid noalert flowbits option
856  *
857  * \retval 1 on success
858  * \retval 0 on failure
859  */
860 
861 static int FlowBitsTestSig01(void)
862 {
863  Signature *s = NULL;
864  DetectEngineCtx *de_ctx = NULL;
865 
866  de_ctx = DetectEngineCtxInit();
867  FAIL_IF_NULL(de_ctx);
868 
869  de_ctx->flags |= DE_QUIET;
870 
871  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Noalert\"; flowbits:noalert,wrongusage; content:\"GET \"; sid:1;)");
872  FAIL_IF_NOT_NULL(s);
873 
874  SigGroupBuild(de_ctx);
875  DetectEngineCtxFree(de_ctx);
876  PASS;
877 }
878 
879 /**
880  * \test FlowBitsTestSig02 is a test for a valid isset,set,isnotset,unset,toggle flowbits options
881  *
882  * \retval 1 on success
883  * \retval 0 on failure
884  */
885 
886 static int FlowBitsTestSig02(void)
887 {
888  Signature *s = NULL;
889  ThreadVars th_v;
890  DetectEngineCtx *de_ctx = NULL;
891 
892  memset(&th_v, 0, sizeof(th_v));
893 
894  de_ctx = DetectEngineCtxInit();
895  FAIL_IF_NULL(de_ctx);
896 
897  de_ctx->flags |= DE_QUIET;
898 
899  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"isset rule need an option\"; flowbits:isset; content:\"GET \"; sid:1;)");
900  FAIL_IF_NOT_NULL(s);
901 
902  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"isnotset rule need an option\"; flowbits:isnotset; content:\"GET \"; sid:2;)");
903  FAIL_IF_NOT_NULL(s);
904 
905  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"set rule need an option\"; flowbits:set; content:\"GET \"; sid:3;)");
906  FAIL_IF_NOT_NULL(s);
907 
908  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"unset rule need an option\"; flowbits:unset; content:\"GET \"; sid:4;)");
909  FAIL_IF_NOT_NULL(s);
910 
911  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"toggle rule need an option\"; flowbits:toggle; content:\"GET \"; sid:5;)");
912  FAIL_IF_NOT_NULL(s);
913 
914  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"!set is not an option\"; flowbits:!set,myerr; content:\"GET \"; sid:6;)");
915  FAIL_IF_NOT_NULL(s);
916 
917  SigGroupBuild(de_ctx);
918  DetectEngineCtxFree(de_ctx);
919 
920  PASS;
921 }
922 
923 /**
924  * \test FlowBitsTestSig03 is a test for a invalid flowbits option
925  *
926  * \retval 1 on success
927  * \retval 0 on failure
928  */
929 
930 static int FlowBitsTestSig03(void)
931 {
932  Signature *s = NULL;
933  DetectEngineCtx *de_ctx = NULL;
934 
935  de_ctx = DetectEngineCtxInit();
936  FAIL_IF_NULL(de_ctx);
937 
938  de_ctx->flags |= DE_QUIET;
939 
940  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Unknown cmd\"; flowbits:wrongcmd; content:\"GET \"; sid:1;)");
941  FAIL_IF_NOT_NULL(s);
942 
943  SigGroupBuild(de_ctx);
944  DetectEngineCtxFree(de_ctx);
945  PASS;
946 }
947 
948 /**
949  * \test FlowBitsTestSig04 is a test check idx value
950  *
951  * \retval 1 on success
952  * \retval 0 on failure
953  */
954 
955 static int FlowBitsTestSig04(void)
956 {
957  Signature *s = NULL;
958  DetectEngineCtx *de_ctx = NULL;
959  int idx = 0;
960  de_ctx = DetectEngineCtxInit();
961  FAIL_IF_NULL(de_ctx);
962 
963  de_ctx->flags |= DE_QUIET;
964 
965  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"isset option\"; flowbits:isset,fbt; content:\"GET \"; sid:1;)");
966  FAIL_IF_NULL(s);
967 
968  idx = VarNameStoreRegister("fbt", VAR_TYPE_FLOW_BIT);
969  FAIL_IF(idx == 0);
970 
971  SigGroupBuild(de_ctx);
972  DetectEngineCtxFree(de_ctx);
973  PASS;
974 }
975 
976 /**
977  * \test FlowBitsTestSig05 is a test check noalert flag
978  *
979  * \retval 1 on success
980  * \retval 0 on failure
981  */
982 
983 static int FlowBitsTestSig05(void)
984 {
985  Signature *s = NULL;
986  DetectEngineCtx *de_ctx = NULL;
987 
988  de_ctx = DetectEngineCtxInit();
989  FAIL_IF_NULL(de_ctx);
990 
991  de_ctx->flags |= DE_QUIET;
992 
993  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Noalert\"; flowbits:noalert; content:\"GET \"; sid:1;)");
994  FAIL_IF_NULL(s);
995  FAIL_IF((s->action & ACTION_ALERT) != 0);
996 
997  SigGroupBuild(de_ctx);
998  DetectEngineCtxFree(de_ctx);
999  PASS;
1000 }
1001 
1002 /**
1003  * \test FlowBitsTestSig06 is a test set flowbits option
1004  *
1005  * \retval 1 on success
1006  * \retval 0 on failure
1007  */
1008 
1009 static int FlowBitsTestSig06(void)
1010 {
1011  uint8_t *buf = (uint8_t *)
1012  "GET /one/ HTTP/1.1\r\n"
1013  "Host: one.example.org\r\n"
1014  "\r\n";
1015  uint16_t buflen = strlen((char *)buf);
1016  Packet *p = PacketGetFromAlloc();
1017  FAIL_IF_NULL(p);
1018  Signature *s = NULL;
1019  ThreadVars th_v;
1020  DetectEngineThreadCtx *det_ctx = NULL;
1021  DetectEngineCtx *de_ctx = NULL;
1022  Flow f;
1023  GenericVar flowvar, *gv = NULL;
1024  int result = 0;
1025  uint32_t idx = 0;
1026 
1027  memset(&th_v, 0, sizeof(th_v));
1028  memset(&f, 0, sizeof(Flow));
1029  memset(&flowvar, 0, sizeof(GenericVar));
1030 
1031  FLOW_INITIALIZE(&f);
1032  p->flow = &f;
1033  p->flow->flowvar = &flowvar;
1034 
1035  p->src.family = AF_INET;
1036  p->dst.family = AF_INET;
1037  p->payload = buf;
1038  p->payload_len = buflen;
1039  p->proto = IPPROTO_TCP;
1040  p->flags |= PKT_HAS_FLOW;
1041  p->flowflags |= (FLOW_PKT_TOSERVER | FLOW_PKT_TOSERVER_FIRST);
1042 
1043  de_ctx = DetectEngineCtxInit();
1044  FAIL_IF_NULL(de_ctx);
1045 
1046  de_ctx->flags |= DE_QUIET;
1047 
1048  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Flowbit set\"; flowbits:set,myflow; sid:10;)");
1049  FAIL_IF_NULL(s);
1050 
1051  idx = VarNameStoreRegister("myflow", VAR_TYPE_FLOW_BIT);
1052  SigGroupBuild(de_ctx);
1053  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1054 
1055  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1056 
1057  gv = p->flow->flowvar;
1058  FAIL_IF_NULL(gv);
1059  for ( ; gv != NULL; gv = gv->next) {
1060  if (gv->type == DETECT_FLOWBITS && gv->idx == idx) {
1061  result = 1;
1062  }
1063  }
1064  FAIL_IF_NOT(result);
1065 
1066  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1067  DetectEngineCtxFree(de_ctx);
1068 
1069  FLOW_DESTROY(&f);
1070 
1071  SCFree(p);
1072  PASS;
1073 }
1074 
1075 /**
1076  * \test FlowBitsTestSig07 is a test unset flowbits option
1077  *
1078  * \retval 1 on success
1079  * \retval 0 on failure
1080  */
1081 
1082 static int FlowBitsTestSig07(void)
1083 {
1084  uint8_t *buf = (uint8_t *)
1085  "GET /one/ HTTP/1.1\r\n"
1086  "Host: one.example.org\r\n"
1087  "\r\n";
1088  uint16_t buflen = strlen((char *)buf);
1089  Packet *p = PacketGetFromAlloc();
1090  FAIL_IF_NULL(p);
1091  Signature *s = NULL;
1092  ThreadVars th_v;
1093  DetectEngineThreadCtx *det_ctx = NULL;
1094  DetectEngineCtx *de_ctx = NULL;
1095  Flow f;
1096  GenericVar flowvar, *gv = NULL;
1097  int result = 0;
1098  uint32_t idx = 0;
1099 
1100  memset(&th_v, 0, sizeof(th_v));
1101  memset(&f, 0, sizeof(Flow));
1102  memset(&flowvar, 0, sizeof(GenericVar));
1103 
1104  FLOW_INITIALIZE(&f);
1105  p->flow = &f;
1106  p->flow->flowvar = &flowvar;
1107 
1108  p->src.family = AF_INET;
1109  p->dst.family = AF_INET;
1110  p->payload = buf;
1111  p->payload_len = buflen;
1112  p->proto = IPPROTO_TCP;
1113 
1114  de_ctx = DetectEngineCtxInit();
1115  FAIL_IF_NULL(de_ctx);
1116 
1117  de_ctx->flags |= DE_QUIET;
1118 
1119  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Flowbit set\"; flowbits:set,myflow2; sid:10;)");
1120  FAIL_IF_NULL(s);
1121 
1122  s = s->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Flowbit unset\"; flowbits:unset,myflow2; sid:11;)");
1123  FAIL_IF_NULL(s);
1124 
1125  idx = VarNameStoreRegister("myflow", VAR_TYPE_FLOW_BIT);
1126  SigGroupBuild(de_ctx);
1127  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1128 
1129  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1130 
1131  gv = p->flow->flowvar;
1132  FAIL_IF_NULL(gv);
1133 
1134  for ( ; gv != NULL; gv = gv->next) {
1135  if (gv->type == DETECT_FLOWBITS && gv->idx == idx) {
1136  result = 1;
1137  }
1138  }
1139  FAIL_IF(result);
1140 
1141  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1142  DetectEngineCtxFree(de_ctx);
1143 
1144  FLOW_DESTROY(&f);
1145 
1146  SCFree(p);
1147  PASS;
1148 }
1149 
1150 /**
1151  * \test FlowBitsTestSig08 is a test toggle flowbits option
1152  *
1153  * \retval 1 on success
1154  * \retval 0 on failure
1155  */
1156 
1157 static int FlowBitsTestSig08(void)
1158 {
1159  uint8_t *buf = (uint8_t *)
1160  "GET /one/ HTTP/1.1\r\n"
1161  "Host: one.example.org\r\n"
1162  "\r\n";
1163  uint16_t buflen = strlen((char *)buf);
1164  Packet *p = PacketGetFromAlloc();
1165  if (unlikely(p == NULL))
1166  return 0;
1167  Signature *s = NULL;
1168  ThreadVars th_v;
1169  DetectEngineThreadCtx *det_ctx = NULL;
1170  DetectEngineCtx *de_ctx = NULL;
1171  Flow f;
1172  GenericVar flowvar, *gv = NULL;
1173  int result = 0;
1174  uint32_t idx = 0;
1175 
1176  memset(&th_v, 0, sizeof(th_v));
1177  memset(&f, 0, sizeof(Flow));
1178  memset(&flowvar, 0, sizeof(GenericVar));
1179 
1180  FLOW_INITIALIZE(&f);
1181  p->flow = &f;
1182  p->flow->flowvar = &flowvar;
1183 
1184  p->src.family = AF_INET;
1185  p->dst.family = AF_INET;
1186  p->payload = buf;
1187  p->payload_len = buflen;
1188  p->proto = IPPROTO_TCP;
1189 
1190  de_ctx = DetectEngineCtxInit();
1191  FAIL_IF_NULL(de_ctx);
1192 
1193  de_ctx->flags |= DE_QUIET;
1194 
1195  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Flowbit set\"; flowbits:set,myflow2; sid:10;)");
1196  FAIL_IF_NULL(s);
1197 
1198  s = s->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Flowbit unset\"; flowbits:toggle,myflow2; sid:11;)");
1199  FAIL_IF_NULL(s);
1200 
1201  idx = VarNameStoreRegister("myflow", VAR_TYPE_FLOW_BIT);
1202  SigGroupBuild(de_ctx);
1203  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1204 
1205  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1206 
1207  gv = p->flow->flowvar;
1208  FAIL_IF_NULL(gv);
1209 
1210  for ( ; gv != NULL; gv = gv->next) {
1211  if (gv->type == DETECT_FLOWBITS && gv->idx == idx) {
1212  result = 1;
1213  }
1214  }
1215  FAIL_IF(result);
1216 
1217  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1218  DetectEngineCtxFree(de_ctx);
1219 
1220  FLOW_DESTROY(&f);
1221 
1222  SCFree(p);
1223  PASS;
1224 }
1225 
1226 /**
1227  * \brief this function registers unit tests for FlowBits
1228  */
1229 void FlowBitsRegisterTests(void)
1230 {
1231  UtRegisterTest("FlowBitsTestParse01", FlowBitsTestParse01);
1232  UtRegisterTest("FlowBitsTestSig01", FlowBitsTestSig01);
1233  UtRegisterTest("FlowBitsTestSig02", FlowBitsTestSig02);
1234  UtRegisterTest("FlowBitsTestSig03", FlowBitsTestSig03);
1235  UtRegisterTest("FlowBitsTestSig04", FlowBitsTestSig04);
1236  UtRegisterTest("FlowBitsTestSig05", FlowBitsTestSig05);
1237  UtRegisterTest("FlowBitsTestSig06", FlowBitsTestSig06);
1238  UtRegisterTest("FlowBitsTestSig07", FlowBitsTestSig07);
1239  UtRegisterTest("FlowBitsTestSig08", FlowBitsTestSig08);
1240 }
1241 #endif /* UNITTESTS */
FBAnalyze::cnts
uint16_t cnts[DETECT_FLOWBITS_CMD_MAX]
Definition: detect-flowbits.c:392
SignatureInitData_::rule_state_dependant_sids_idx
uint32_t rule_state_dependant_sids_idx
Definition: detect.h:608
FBAnalyze::isset_sids
uint32_t * isset_sids
Definition: detect-flowbits.c:399
SigTableElmt_::url
const char * url
Definition: detect.h:1323
Packet_::proto
uint8_t proto
Definition: decode.h:498
FBAnalyze::isnotset_sids_idx
uint32_t isnotset_sids_idx
Definition: detect-flowbits.c:404
g_flowbits_dump_write_m
SCMutex g_flowbits_dump_write_m
Definition: detect-flowbits.c:720
DetectFlowbitsData_::or_list_size
uint8_t or_list_size
Definition: detect-flowbits.h:38
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:591
DETECT_FLOWBITS_CMD_MAX
#define DETECT_FLOWBITS_CMD_MAX
Definition: detect-flowbits.h:33
SigTableElmt_::desc
const char * desc
Definition: detect.h:1322
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:153
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1266
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1310
flow-util.h
DetectParseRegex
Definition: detect-parse.h:62
SigTableElmt_::name
const char * name
Definition: detect.h:1320
Signature_::num
SigIntId num
Definition: detect.h:626
FBAnalyze::isnotset_sids
uint32_t * isnotset_sids
Definition: detect-flowbits.c:403
FlowBitsRegisterTests
void FlowBitsRegisterTests(void)
this function registers unit tests for FlowBits
Definition: detect-flowbits.c:1229
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
MAX_SIDS
#define MAX_SIDS
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
FBAnalyze::unset_sids_size
uint32_t unset_sids_size
Definition: detect-flowbits.c:409
MAX_TOKENS
#define MAX_TOKENS
Definition: detect-flowbits.c:54
SignatureInitData_::is_rule_state_dependant
bool is_rule_state_dependant
Definition: detect.h:605
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:0
DETECT_FLOWBITS_CMD_ISNOTSET
#define DETECT_FLOWBITS_CMD_ISNOTSET
Definition: detect-flowbits.h:31
Packet_::payload
uint8_t * payload
Definition: decode.h:574
action-globals.h
Packet_::flags
uint32_t flags
Definition: decode.h:513
threads.h
Flow_
Flow data structure.
Definition: flow.h:354
DetectFlowbitsAnalyze
int DetectFlowbitsAnalyze(DetectEngineCtx *de_ctx)
Definition: detect-flowbits.c:420
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1314
ctx
struct Thresholds ctx
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:855
DetectFlowbitsData_::cmd
uint8_t cmd
Definition: detect-flowbits.h:37
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2698
flow-bit.h
SCMutexLock
#define SCMutexLock(mut)
Definition: threads-debug.h:117
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:231
util-var-name.h
DE_QUIET
#define DE_QUIET
Definition: detect.h:325
VarNameStoreSetupLookup
const char * VarNameStoreSetupLookup(const uint32_t id, const enum VarTypes type)
Definition: util-var-name.c:188
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1969
SCMUTEX_INITIALIZER
#define SCMUTEX_INITIALIZER
Definition: threads-debug.h:121
SignatureInitData_::init_flags
uint32_t init_flags
Definition: detect.h:560
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
Definition: detect-parse.c:2760
DETECT_FLOWBITS_CMD_TOGGLE
#define DETECT_FLOWBITS_CMD_TOGGLE
Definition: detect-flowbits.h:29
DETECT_FLOWBITS_CMD_ISSET
#define DETECT_FLOWBITS_CMD_ISSET
Definition: detect-flowbits.h:32
VarNameStoreRegister
uint32_t VarNameStoreRegister(const char *name, const enum VarTypes type)
Definition: util-var-name.c:155
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:507
MAX
#define MAX(x, y)
Definition: suricata-common.h:404
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1305
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:575
util-unittest.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
Signature_::next
struct Signature_ * next
Definition: detect.h:686
FlowBitUnset
void FlowBitUnset(Flow *f, uint32_t idx)
Definition: flow-bit.c:89
DetectFlowbitsData_
Definition: detect-flowbits.h:35
DETECT_SM_LIST_POSTMATCH
@ DETECT_SM_LIST_POSTMATCH
Definition: detect.h:126
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
GenericVar_::next
struct GenericVar_ * next
Definition: util-var.h:53
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-flowbits.c:51
DetectEngineThreadCtx_
Definition: detect.h:1110
SCMutexUnlock
#define SCMutexUnlock(mut)
Definition: threads-debug.h:119
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2886
FlowBitSet
void FlowBitSet(Flow *f, uint32_t idx)
Definition: flow-bit.c:84
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
SignatureInitData_::rule_state_flowbits_ids_size
uint32_t rule_state_flowbits_ids_size
Definition: detect.h:610
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3437
VarNameStoreUnregister
void VarNameStoreUnregister(const uint32_t id, const enum VarTypes type)
Definition: util-var-name.c:201
FBAnalyze::toggle_sids_idx
uint32_t toggle_sids_idx
Definition: detect-flowbits.c:412
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:355
FBAnalyze::set_sids_size
uint32_t set_sids_size
Definition: detect-flowbits.c:397
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:116
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:249
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2404
app-layer-parser.h
GenericVar_::idx
uint32_t idx
Definition: util-var.h:52
FBAnalyze::unset_sids
uint32_t * unset_sids
Definition: detect-flowbits.c:407
DetectFlowbitFree
void DetectFlowbitFree(DetectEngineCtx *, void *)
Definition: detect-flowbits.c:376
Signature_::action
uint8_t action
Definition: detect.h:629
DetectFlowbitsRegister
void DetectFlowbitsRegister(void)
Definition: detect-flowbits.c:65
FBAnalyze::set_sids
uint32_t * set_sids
Definition: detect-flowbits.c:395
DetectEngineCtx_::max_fb_id
uint32_t max_fb_id
Definition: detect.h:920
ACTION_ALERT
#define ACTION_ALERT
Definition: action-globals.h:29
Packet_
Definition: decode.h:476
detect-engine-build.h
DetectFlowbitsData_::idx
uint32_t idx
Definition: detect-flowbits.h:36
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:683
name
const char * name
Definition: tm-threads.c:2081
SignatureInitData_::rule_state_dependant_sids_array
uint32_t * rule_state_dependant_sids_array
Definition: detect.h:606
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1288
FBAnalyze::toggle_sids
uint32_t * toggle_sids
Definition: detect-flowbits.c:411
SignatureInitData_::rule_state_dependant_sids_size
uint32_t rule_state_dependant_sids_size
Definition: detect.h:607
FBAnalyze::isset_sids_idx
uint32_t isset_sids_idx
Definition: detect-flowbits.c:400
detect-flowbits.h
FlowBitToggle
void FlowBitToggle(Flow *f, uint32_t idx)
Definition: flow-bit.c:94
Flow_::flowvar
GenericVar * flowvar
Definition: flow.h:487
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2113
FBAnalyze::unset_sids_idx
uint32_t unset_sids_idx
Definition: detect-flowbits.c:408
FBAnalyze::toggle_sids_size
uint32_t toggle_sids_size
Definition: detect-flowbits.c:413
SCRealloc
#define SCRealloc(ptr, sz)
Definition: util-mem.h:50
SIG_FLAG_INIT_STATE_MATCH
#define SIG_FLAG_INIT_STATE_MATCH
Definition: detect.h:294
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:346
util-conf.h
Packet_::flow
struct Flow_ * flow
Definition: decode.h:515
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
VAR_TYPE_FLOW_BIT
@ VAR_TYPE_FLOW_BIT
Definition: util-var.h:36
FBAnalyze::state_cnts
uint16_t state_cnts[DETECT_FLOWBITS_CMD_MAX]
Definition: detect-flowbits.c:393
suricata-common.h
GenericVar_
Definition: util-var.h:49
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3664
util-spm.h
FBAnalyze::set_sids_idx
uint32_t set_sids_idx
Definition: detect-flowbits.c:396
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:863
DETECT_FLOWBITS
@ DETECT_FLOWBITS
Definition: detect-engine-register.h:61
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:232
ConfigGetLogDirectory
const char * ConfigGetLogDirectory(void)
Definition: util-conf.c:38
FlowBitIsset
int FlowBitIsset(Flow *f, uint32_t idx)
Definition: flow-bit.c:104
str
#define str(s)
Definition: suricata-common.h:300
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
FBAnalyze::isset_sids_size
uint32_t isset_sids_size
Definition: detect-flowbits.c:401
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DetectFlowbitsData_::or_list
uint32_t * or_list
Definition: detect-flowbits.h:39
Signature_::id
uint32_t id
Definition: detect.h:649
DETECT_FLOWBITS_CMD_UNSET
#define DETECT_FLOWBITS_CMD_UNSET
Definition: detect-flowbits.h:30
detect-parse.h
Signature_
Signature container.
Definition: detect.h:614
SigMatch_
a single match condition for a signature
Definition: detect.h:351
FBAnalyze::isnotset_sids_size
uint32_t isnotset_sids_size
Definition: detect-flowbits.c:405
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2659
GenericVar_::type
uint16_t type
Definition: util-var.h:50
DetectFlowbitMatch
int DetectFlowbitMatch(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect-flowbits.c:197
DetectEngineCtx_::sig_array
Signature ** sig_array
Definition: detect.h:872
Address_::family
char family
Definition: decode.h:109
Packet_::dst
Address dst
Definition: decode.h:481
SigMatchAppendSMToList
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:462
SignatureInitData_::rule_state_flowbits_ids_array
uint32_t * rule_state_flowbits_ids_array
Definition: detect.h:609
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:857
flow.h
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
DetectEngineCtx_::sig_array_len
uint32_t sig_array_len
Definition: detect.h:873
FBAnalyze
Definition: detect-flowbits.c:391
SignatureInitData_::buffer_index
uint32_t buffer_index
Definition: detect.h:597
SIGMATCH_IPONLY_COMPAT
#define SIGMATCH_IPONLY_COMPAT
Definition: detect.h:1506
FLOW_PKT_TOSERVER_FIRST
#define FLOW_PKT_TOSERVER_FIRST
Definition: flow.h:234
SCMutex
#define SCMutex
Definition: threads-debug.h:114
rule_engine_analysis_set
bool rule_engine_analysis_set
Definition: detect-engine-loader.c:55
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:119
Packet_::src
Address src
Definition: decode.h:480
FlowBitIsnotset
int FlowBitIsnotset(Flow *f, uint32_t idx)
Definition: flow-bit.c:116
DETECT_FLOWBITS_CMD_SET
#define DETECT_FLOWBITS_CMD_SET
Definition: detect-flowbits.h:28
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1312