Go to the documentation of this file.
50 #define PARSE_REGEX "^([a-z]+)(?:,\\s*(.*))?"
53 #define MAX_TOKENS 100
88 while ((token = strtok_r(arrptr,
"|", &saveptr))) {
90 while(isspace((
unsigned char)*token))
94 char *end = token + strlen(token) - 1;
95 while(end > token && isspace((
unsigned char)*end))
99 if (strchr(token,
' ') != NULL) {
100 SCLogError(
"Spaces are not allowed in flowbit names.");
106 "maximum allowed: %d.",
205 return DetectFlowbitMatchIsset(p,fd);
207 return DetectFlowbitMatchIsnotset(p,fd);
209 return DetectFlowbitMatchSet(p,fd);
211 return DetectFlowbitMatchUnset(p,fd);
213 return DetectFlowbitMatchToggle(p,fd);
222 static int DetectFlowbitParse(
const char *
str,
char *cmd,
int cmd_len,
char *name,
227 pcre2_match_data *match = NULL;
230 if (count != 2 && count != 3) {
231 SCLogError(
"\"%s\" is not a valid setting for flowbits.",
str);
236 rc = pcre2_substring_copy_bynumber(match, 1, (PCRE2_UCHAR8 *)cmd, &pcre2len);
238 SCLogError(
"pcre2_substring_copy_bynumber failed");
244 rc = pcre2_substring_copy_bynumber(match, 2, (PCRE2_UCHAR8 *)name, &pcre2len);
246 SCLogError(
"pcre2_substring_copy_bynumber failed");
251 while (strlen(name) > 0 && isblank(name[strlen(name) - 1])) {
252 name[strlen(name) - 1] =
'\0';
255 if (strchr(name,
'|') == NULL) {
257 for (
size_t i = 0; i < strlen(name); i++) {
258 if (isblank(name[i])) {
259 SCLogError(
"spaces not allowed in flowbit names");
266 pcre2_match_data_free(match);
271 pcre2_match_data_free(match);
281 char fb_cmd_str[16] =
"", fb_name[256] =
"";
283 if (!DetectFlowbitParse(rawstr, fb_cmd_str,
sizeof(fb_cmd_str), fb_name,
288 if (strcmp(fb_cmd_str,
"noalert") == 0) {
290 }
else if (strcmp(fb_cmd_str,
"isset") == 0) {
292 }
else if (strcmp(fb_cmd_str,
"isnotset") == 0) {
294 }
else if (strcmp(fb_cmd_str,
"set") == 0) {
296 }
else if (strcmp(fb_cmd_str,
"unset") == 0) {
298 }
else if (strcmp(fb_cmd_str,
"toggle") == 0) {
301 SCLogError(
"ERROR: flowbits action \"%s\" is not supported.", fb_cmd_str);
307 if (strlen(fb_name) != 0)
317 if (strlen(fb_name) == 0)
325 if (strchr(fb_name,
'|') != NULL) {
326 int retval = FlowbitOrAddData(
de_ctx, cd, fb_name);
337 SCLogDebug(
"idx %" PRIu32
", cmd %s, name %s",
338 cd->
idx, fb_cmd_str, strlen(fb_name) ? fb_name :
"(none)");
423 struct FBAnalyze *array, uint32_t elements);
432 uint32_t array_size = max_fb_id + 1;
436 SCLogError(
"Unable to allocate flowbit analyze array");
441 (uint64_t)(array_size *
sizeof(
struct FBAnalyze)));
588 for (uint32_t i = 0; i < array_size; i++) {
593 bool to_state =
false;
601 "set. Checked in %u and %u other sigs",
607 SCLogDebug(
"flowbit %s/%u: isset in state, set not in state", varname, i);
616 SCLogDebug(
"flowbit %s/%u: isset not in state, set in state", varname, i);
620 SCLogDebug(
"ALL flowbit %s/%u: sets %u toggles %u unsets %u isnotsets %u issets %u", varname, i,
624 SCLogDebug(
"STATE flowbit %s/%u: sets %u toggles %u unsets %u isnotsets %u issets %u", varname, i,
629 SCLogDebug(
"SET flowbit %s/%u: SID %u", varname, i,
634 SCLogDebug(
"GET flowbit %s/%u: SID %u", varname, i, s->
id);
638 SCLogDebug(
"made SID %u stateful because it depends on "
639 "stateful rules that set flowbit %s", s->
id, varname);
645 DetectFlowbitsAnalyzeDump(
de_ctx, array, array_size);
649 for (uint32_t i = 0; i < array_size; i++) {
663 struct FBAnalyze *array, uint32_t elements)
665 JsonBuilder *js = jb_new_object();
669 jb_open_array(js,
"flowbits");
670 for (uint32_t x = 0; x < elements; x++) {
678 jb_set_string(js,
"name", varname);
679 jb_set_uint(js,
"internal_id", x);
688 jb_open_array(js,
"sets");
691 jb_append_uint(js, s->
id);
697 jb_open_array(js,
"isset");
700 jb_append_uint(js, s->
id);
706 jb_open_array(js,
"isnotset");
709 jb_append_uint(js, s->
id);
715 jb_open_array(js,
"unset");
718 jb_append_uint(js, s->
id);
724 jb_open_array(js,
"toggle");
727 jb_append_uint(js, s->
id);
736 const char *filename =
"flowbits.json";
738 char log_path[PATH_MAX] =
"";
739 snprintf(log_path,
sizeof(log_path),
"%s/%s", log_dir, filename);
742 FILE *fp = fopen(log_path,
"w");
744 fwrite(jb_ptr(js), jb_len(js), 1, fp);
755 static int FlowBitsTestParse01(
void)
757 char command[16] =
"", name[16] =
"";
760 FAIL_IF(!DetectFlowbitParse(
"noalert", command,
sizeof(command), name,
762 FAIL_IF(strcmp(command,
"noalert") != 0);
765 FAIL_IF(!DetectFlowbitParse(
"set,flowbit", command,
sizeof(command), name,
767 FAIL_IF(strcmp(command,
"set") != 0);
768 FAIL_IF(strcmp(name,
"flowbit") != 0);
771 FAIL_IF(!DetectFlowbitParse(
"set, flowbit", command,
sizeof(command), name,
773 FAIL_IF(strcmp(command,
"set") != 0);
774 FAIL_IF(strcmp(name,
"flowbit") != 0);
777 FAIL_IF(!DetectFlowbitParse(
"set,flowbit ", command,
sizeof(command), name,
779 FAIL_IF(strcmp(command,
"set") != 0);
780 FAIL_IF(strcmp(name,
"flowbit") != 0);
783 FAIL_IF(!DetectFlowbitParse(
"set, flowbit ", command,
sizeof(command), name,
785 FAIL_IF(strcmp(command,
"set") != 0);
786 FAIL_IF(strcmp(name,
"flowbit") != 0);
789 FAIL_IF(DetectFlowbitParse(
"set,namewith space", command,
sizeof(command),
790 name,
sizeof(name)));
802 static int FlowBitsTestSig01(
void)
812 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"Noalert\"; flowbits:noalert,wrongusage; content:\"GET \"; sid:1;)");
827 static int FlowBitsTestSig02(
void)
833 memset(&th_v, 0,
sizeof(th_v));
840 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"isset rule need an option\"; flowbits:isset; content:\"GET \"; sid:1;)");
843 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"isnotset rule need an option\"; flowbits:isnotset; content:\"GET \"; sid:2;)");
846 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"set rule need an option\"; flowbits:set; content:\"GET \"; sid:3;)");
849 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"unset rule need an option\"; flowbits:unset; content:\"GET \"; sid:4;)");
852 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"toggle rule need an option\"; flowbits:toggle; content:\"GET \"; sid:5;)");
855 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"!set is not an option\"; flowbits:!set,myerr; content:\"GET \"; sid:6;)");
871 static int FlowBitsTestSig03(
void)
881 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"Unknown cmd\"; flowbits:wrongcmd; content:\"GET \"; sid:1;)");
896 static int FlowBitsTestSig04(
void)
906 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"isset option\"; flowbits:isset,fbt; content:\"GET \"; sid:1;)");
924 static int FlowBitsTestSig05(
void)
934 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"Noalert\"; flowbits:noalert; content:\"GET \"; sid:1;)");
950 static int FlowBitsTestSig06(
void)
952 uint8_t *buf = (uint8_t *)
953 "GET /one/ HTTP/1.1\r\n"
954 "Host: one.example.org\r\n"
956 uint16_t buflen = strlen((
char *)buf);
968 memset(&th_v, 0,
sizeof(th_v));
969 memset(&f, 0,
sizeof(
Flow));
980 p->
proto = IPPROTO_TCP;
1000 for ( ; gv != NULL; gv = gv->
next) {
1023 static int FlowBitsTestSig07(
void)
1025 uint8_t *buf = (uint8_t *)
1026 "GET /one/ HTTP/1.1\r\n"
1027 "Host: one.example.org\r\n"
1029 uint16_t buflen = strlen((
char *)buf);
1041 memset(&th_v, 0,
sizeof(th_v));
1042 memset(&f, 0,
sizeof(
Flow));
1053 p->
proto = IPPROTO_TCP;
1063 s = s->
next =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"Flowbit unset\"; flowbits:unset,myflow2; sid:11;)");
1075 for ( ; gv != NULL; gv = gv->
next) {
1098 static int FlowBitsTestSig08(
void)
1100 uint8_t *buf = (uint8_t *)
1101 "GET /one/ HTTP/1.1\r\n"
1102 "Host: one.example.org\r\n"
1104 uint16_t buflen = strlen((
char *)buf);
1117 memset(&th_v, 0,
sizeof(th_v));
1118 memset(&f, 0,
sizeof(
Flow));
1129 p->
proto = IPPROTO_TCP;
1139 s = s->
next =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"Flowbit unset\"; flowbits:toggle,myflow2; sid:11;)");
1151 for ( ; gv != NULL; gv = gv->
next) {
uint16_t cnts[DETECT_FLOWBITS_CMD_MAX]
uint32_t isnotset_sids_idx
SCMutex g_flowbits_dump_write_m
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
void SigMatchAppendSMToList(Signature *s, SigMatch *new, const int list)
Append a SigMatch to the list type.
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
#define DETECT_FLOWBITS_CMD_MAX
void(* Free)(DetectEngineCtx *, void *)
void FlowBitsRegisterTests(void)
this function registers unit tests for FlowBits
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
struct HtpBodyChunk_ * next
#define DETECT_FLOWBITS_CMD_ISNOTSET
int DetectFlowbitsAnalyze(DetectEngineCtx *de_ctx)
main detection engine ctx
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
#define FLOW_PKT_TOSERVER
const char * VarNameStoreSetupLookup(const uint32_t id, const enum VarTypes type)
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
#define SCMUTEX_INITIALIZER
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
#define DETECT_FLOWBITS_CMD_TOGGLE
#define DETECT_FLOWBITS_CMD_ISSET
uint32_t VarNameStoreRegister(const char *name, const enum VarTypes type)
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
void FlowBitUnset(Flow *f, uint32_t idx)
@ DETECT_SM_LIST_POSTMATCH
#define FLOW_INITIALIZE(f)
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
struct GenericVar_ * next
#define PASS
Pass the test.
#define SCMutexUnlock(mut)
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
void FlowBitSet(Flow *f, uint32_t idx)
Per thread variable structure.
void VarNameStoreUnregister(const uint32_t id, const enum VarTypes type)
#define SCLogWarning(...)
Macro used to log WARNING messages.
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
void DetectFlowbitFree(DetectEngineCtx *, void *)
void DetectFlowbitsRegister(void)
SignatureInitData * init_data
Data structures and function prototypes for keeping state for the detection engine.
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
SigMatch * SigMatchAlloc(void)
void FlowBitToggle(Flow *f, uint32_t idx)
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
uint32_t toggle_sids_size
#define SCRealloc(ptr, sz)
#define SIG_FLAG_INIT_STATE_MATCH
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
#define DETECT_FLOWBITS_CMD_NOALERT
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
uint16_t state_cnts[DETECT_FLOWBITS_CMD_MAX]
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
const char * ConfigGetLogDirectory(void)
int FlowBitIsset(Flow *f, uint32_t idx)
#define SCLogError(...)
Macro used to log ERROR messages.
#define DETECT_FLOWBITS_CMD_UNSET
a single match condition for a signature
uint32_t isnotset_sids_size
DetectEngineCtx * DetectEngineCtxInit(void)
int DetectFlowbitMatch(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
#define SIGMATCH_IPONLY_COMPAT
bool rule_engine_analysis_set
int FlowBitIsnotset(Flow *f, uint32_t idx)
#define DETECT_FLOWBITS_CMD_SET
void(* RegisterTests)(void)