Go to the documentation of this file.
50 #define PARSE_REGEX "^([a-z]+)(?:,\\s*(.*))?"
53 #define MAX_TOKENS 100
88 while ((token = strtok_r(arrptr,
"|", &saveptr))) {
90 while(isspace((
unsigned char)*token))
94 char *end = token + strlen(token) - 1;
95 while(end > token && isspace((
unsigned char)*end))
99 if (strchr(token,
' ') != NULL) {
100 SCLogError(
"Spaces are not allowed in flowbit names.");
106 "maximum allowed: %d.",
205 return DetectFlowbitMatchIsset(p,fd);
207 return DetectFlowbitMatchIsnotset(p,fd);
209 return DetectFlowbitMatchSet(p,fd);
211 return DetectFlowbitMatchUnset(p,fd);
213 return DetectFlowbitMatchToggle(p,fd);
222 static int DetectFlowbitParse(
const char *
str,
char *cmd,
int cmd_len,
char *name,
229 if (count != 2 && count != 3) {
230 SCLogError(
"\"%s\" is not a valid setting for flowbits.",
str);
235 rc = pcre2_substring_copy_bynumber(parse_regex.
match, 1, (PCRE2_UCHAR8 *)cmd, &pcre2len);
237 SCLogError(
"pcre2_substring_copy_bynumber failed");
243 rc = pcre2_substring_copy_bynumber(parse_regex.
match, 2, (PCRE2_UCHAR8 *)name, &pcre2len);
245 SCLogError(
"pcre2_substring_copy_bynumber failed");
250 while (strlen(name) > 0 && isblank(name[strlen(name) - 1])) {
251 name[strlen(name) - 1] =
'\0';
254 if (strchr(name,
'|') == NULL) {
256 for (
size_t i = 0; i < strlen(name); i++) {
257 if (isblank(name[i])) {
258 SCLogError(
"spaces not allowed in flowbit names");
273 char fb_cmd_str[16] =
"", fb_name[256] =
"";
275 if (!DetectFlowbitParse(rawstr, fb_cmd_str,
sizeof(fb_cmd_str), fb_name,
280 if (strcmp(fb_cmd_str,
"noalert") == 0) {
282 }
else if (strcmp(fb_cmd_str,
"isset") == 0) {
284 }
else if (strcmp(fb_cmd_str,
"isnotset") == 0) {
286 }
else if (strcmp(fb_cmd_str,
"set") == 0) {
288 }
else if (strcmp(fb_cmd_str,
"unset") == 0) {
290 }
else if (strcmp(fb_cmd_str,
"toggle") == 0) {
293 SCLogError(
"ERROR: flowbits action \"%s\" is not supported.", fb_cmd_str);
299 if (strlen(fb_name) != 0)
309 if (strlen(fb_name) == 0)
317 if (strchr(fb_name,
'|') != NULL) {
318 int retval = FlowbitOrAddData(
de_ctx, cd, fb_name);
329 SCLogDebug(
"idx %" PRIu32
", cmd %s, name %s",
330 cd->
idx, fb_cmd_str, strlen(fb_name) ? fb_name :
"(none)");
410 struct FBAnalyze *array, uint32_t elements);
419 uint32_t array_size = max_fb_id + 1;
423 SCLogError(
"Unable to allocate flowbit analyze array");
428 (uint64_t)(array_size *
sizeof(
struct FBAnalyze)));
575 for (uint32_t i = 0; i < array_size; i++) {
580 bool to_state =
false;
588 "set. Checked in %u and %u other sigs",
594 SCLogDebug(
"flowbit %s/%u: isset in state, set not in state", varname, i);
603 SCLogDebug(
"flowbit %s/%u: isset not in state, set in state", varname, i);
607 SCLogDebug(
"ALL flowbit %s/%u: sets %u toggles %u unsets %u isnotsets %u issets %u", varname, i,
611 SCLogDebug(
"STATE flowbit %s/%u: sets %u toggles %u unsets %u isnotsets %u issets %u", varname, i,
616 SCLogDebug(
"SET flowbit %s/%u: SID %u", varname, i,
621 SCLogDebug(
"GET flowbit %s/%u: SID %u", varname, i, s->
id);
625 SCLogDebug(
"made SID %u stateful because it depends on "
626 "stateful rules that set flowbit %s", s->
id, varname);
633 DetectFlowbitsAnalyzeDump(
de_ctx, array, array_size);
637 for (uint32_t i = 0; i < array_size; i++) {
651 struct FBAnalyze *array, uint32_t elements)
653 JsonBuilder *js = jb_new_object();
657 jb_open_array(js,
"flowbits");
658 for (uint32_t x = 0; x < elements; x++) {
666 jb_set_string(js,
"name", varname);
667 jb_set_uint(js,
"internal_id", x);
676 jb_open_array(js,
"sets");
679 jb_append_uint(js, s->
id);
685 jb_open_array(js,
"isset");
688 jb_append_uint(js, s->
id);
694 jb_open_array(js,
"isnotset");
697 jb_append_uint(js, s->
id);
703 jb_open_array(js,
"unset");
706 jb_append_uint(js, s->
id);
712 jb_open_array(js,
"toggle");
715 jb_append_uint(js, s->
id);
725 const char *filename =
"flowbits.json";
727 char log_path[PATH_MAX] =
"";
728 snprintf(log_path,
sizeof(log_path),
"%s/%s", log_dir, filename);
731 FILE *fp = fopen(log_path,
"w");
733 fwrite(jb_ptr(js), jb_len(js), 1, fp);
744 static int FlowBitsTestParse01(
void)
746 char command[16] =
"", name[16] =
"";
749 FAIL_IF(!DetectFlowbitParse(
"noalert", command,
sizeof(command), name,
751 FAIL_IF(strcmp(command,
"noalert") != 0);
754 FAIL_IF(!DetectFlowbitParse(
"set,flowbit", command,
sizeof(command), name,
756 FAIL_IF(strcmp(command,
"set") != 0);
757 FAIL_IF(strcmp(name,
"flowbit") != 0);
760 FAIL_IF(!DetectFlowbitParse(
"set, flowbit", command,
sizeof(command), name,
762 FAIL_IF(strcmp(command,
"set") != 0);
763 FAIL_IF(strcmp(name,
"flowbit") != 0);
766 FAIL_IF(!DetectFlowbitParse(
"set,flowbit ", command,
sizeof(command), name,
768 FAIL_IF(strcmp(command,
"set") != 0);
769 FAIL_IF(strcmp(name,
"flowbit") != 0);
772 FAIL_IF(!DetectFlowbitParse(
"set, flowbit ", command,
sizeof(command), name,
774 FAIL_IF(strcmp(command,
"set") != 0);
775 FAIL_IF(strcmp(name,
"flowbit") != 0);
778 FAIL_IF(DetectFlowbitParse(
"set,namewith space", command,
sizeof(command),
779 name,
sizeof(name)));
791 static int FlowBitsTestSig01(
void)
801 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"Noalert\"; flowbits:noalert,wrongusage; content:\"GET \"; sid:1;)");
816 static int FlowBitsTestSig02(
void)
822 memset(&th_v, 0,
sizeof(th_v));
829 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"isset rule need an option\"; flowbits:isset; content:\"GET \"; sid:1;)");
832 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"isnotset rule need an option\"; flowbits:isnotset; content:\"GET \"; sid:2;)");
835 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"set rule need an option\"; flowbits:set; content:\"GET \"; sid:3;)");
838 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"unset rule need an option\"; flowbits:unset; content:\"GET \"; sid:4;)");
841 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"toggle rule need an option\"; flowbits:toggle; content:\"GET \"; sid:5;)");
844 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"!set is not an option\"; flowbits:!set,myerr; content:\"GET \"; sid:6;)");
860 static int FlowBitsTestSig03(
void)
870 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"Unknown cmd\"; flowbits:wrongcmd; content:\"GET \"; sid:1;)");
885 static int FlowBitsTestSig04(
void)
895 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"isset option\"; flowbits:isset,fbt; content:\"GET \"; sid:1;)");
913 static int FlowBitsTestSig05(
void)
923 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"Noalert\"; flowbits:noalert; content:\"GET \"; sid:1;)");
939 static int FlowBitsTestSig06(
void)
941 uint8_t *buf = (uint8_t *)
942 "GET /one/ HTTP/1.1\r\n"
943 "Host: one.example.org\r\n"
945 uint16_t buflen = strlen((
char *)buf);
957 memset(&th_v, 0,
sizeof(th_v));
958 memset(&f, 0,
sizeof(
Flow));
969 p->
proto = IPPROTO_TCP;
989 for ( ; gv != NULL; gv = gv->
next) {
1012 static int FlowBitsTestSig07(
void)
1014 uint8_t *buf = (uint8_t *)
1015 "GET /one/ HTTP/1.1\r\n"
1016 "Host: one.example.org\r\n"
1018 uint16_t buflen = strlen((
char *)buf);
1030 memset(&th_v, 0,
sizeof(th_v));
1031 memset(&f, 0,
sizeof(
Flow));
1042 p->
proto = IPPROTO_TCP;
1052 s = s->
next =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"Flowbit unset\"; flowbits:unset,myflow2; sid:11;)");
1064 for ( ; gv != NULL; gv = gv->
next) {
1087 static int FlowBitsTestSig08(
void)
1089 uint8_t *buf = (uint8_t *)
1090 "GET /one/ HTTP/1.1\r\n"
1091 "Host: one.example.org\r\n"
1093 uint16_t buflen = strlen((
char *)buf);
1106 memset(&th_v, 0,
sizeof(th_v));
1107 memset(&f, 0,
sizeof(
Flow));
1118 p->
proto = IPPROTO_TCP;
1128 s = s->
next =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"Flowbit unset\"; flowbits:toggle,myflow2; sid:11;)");
1140 for ( ; gv != NULL; gv = gv->
next) {
uint16_t cnts[DETECT_FLOWBITS_CMD_MAX]
uint32_t isnotset_sids_idx
SCMutex g_flowbits_dump_write_m
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
void SigMatchAppendSMToList(Signature *s, SigMatch *new, const int list)
Append a SigMatch to the list type.
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
#define DETECT_FLOWBITS_CMD_MAX
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options)
void(* Free)(DetectEngineCtx *, void *)
void FlowBitsRegisterTests(void)
this function registers unit tests for FlowBits
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
struct HtpBodyChunk_ * next
#define DETECT_FLOWBITS_CMD_ISNOTSET
int DetectFlowbitsAnalyze(DetectEngineCtx *de_ctx)
main detection engine ctx
char * VarNameStoreSetupLookup(uint32_t idx, const enum VarTypes type)
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
#define FLOW_PKT_TOSERVER
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
#define SCMUTEX_INITIALIZER
#define DETECT_FLOWBITS_CMD_TOGGLE
#define DETECT_FLOWBITS_CMD_ISSET
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
void FlowBitUnset(Flow *f, uint32_t idx)
@ DETECT_SM_LIST_POSTMATCH
#define FLOW_INITIALIZE(f)
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
struct GenericVar_ * next
#define PASS
Pass the test.
#define SCMutexUnlock(mut)
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
void FlowBitSet(Flow *f, uint32_t idx)
Per thread variable structure.
#define SCLogWarning(...)
Macro used to log WARNING messages.
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
void DetectFlowbitFree(DetectEngineCtx *, void *)
void DetectFlowbitsRegister(void)
SignatureInitData * init_data
Data structures and function prototypes for keeping state for the detection engine.
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
SigMatch * SigMatchAlloc(void)
void FlowBitToggle(Flow *f, uint32_t idx)
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
uint32_t toggle_sids_size
#define SCRealloc(ptr, sz)
#define SIG_FLAG_INIT_STATE_MATCH
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
#define DETECT_FLOWBITS_CMD_NOALERT
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
uint16_t state_cnts[DETECT_FLOWBITS_CMD_MAX]
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
int rule_engine_analysis_set
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
uint32_t VarNameStoreSetupAdd(const char *name, const enum VarTypes type)
add to staging or return existing id if already in there
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
const char * ConfigGetLogDirectory(void)
int FlowBitIsset(Flow *f, uint32_t idx)
#define SCLogError(...)
Macro used to log ERROR messages.
#define DETECT_FLOWBITS_CMD_UNSET
a single match condition for a signature
uint32_t isnotset_sids_size
DetectEngineCtx * DetectEngineCtxInit(void)
int DetectFlowbitMatch(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
#define SIGMATCH_IPONLY_COMPAT
int FlowBitIsnotset(Flow *f, uint32_t idx)
#define DETECT_FLOWBITS_CMD_SET
void(* RegisterTests)(void)