suricata
detect-flowbits.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Breno Silva <breno.silva@gmail.com>
23  *
24  * Implements the flowbits keyword
25  */
26 
27 #include "suricata-common.h"
28 #include "decode.h"
29 #include "detect.h"
30 #include "threads.h"
31 #include "flow.h"
32 #include "flow-bit.h"
33 #include "flow-util.h"
34 #include "detect-flowbits.h"
35 #include "util-spm.h"
36 
37 #include "app-layer-parser.h"
38 
39 #include "detect-parse.h"
40 #include "detect-engine.h"
41 #include "detect-engine-mpm.h"
42 #include "detect-engine-state.h"
43 #include "detect-engine-build.h"
44 
45 #include "util-var-name.h"
46 #include "util-unittest.h"
47 #include "util-debug.h"
48 #include "util-conf.h"
49 
50 #define PARSE_REGEX "^([a-z]+)(?:,\\s*(.*))?"
51 static DetectParseRegex parse_regex;
52 
53 #define MAX_TOKENS 100
54 
55 int DetectFlowbitMatch (DetectEngineThreadCtx *, Packet *,
56  const Signature *, const SigMatchCtx *);
57 static int DetectFlowbitSetup (DetectEngineCtx *, Signature *, const char *);
58 static int FlowbitOrAddData(DetectEngineCtx *, DetectFlowbitsData *, char *);
59 void DetectFlowbitFree (DetectEngineCtx *, void *);
60 #ifdef UNITTESTS
61 void FlowBitsRegisterTests(void);
62 #endif
63 
64 void DetectFlowbitsRegister (void)
65 {
66  sigmatch_table[DETECT_FLOWBITS].name = "flowbits";
67  sigmatch_table[DETECT_FLOWBITS].desc = "operate on flow flag";
68  sigmatch_table[DETECT_FLOWBITS].url = "/rules/flow-keywords.html#flowbits";
69  sigmatch_table[DETECT_FLOWBITS].Match = DetectFlowbitMatch;
70  sigmatch_table[DETECT_FLOWBITS].Setup = DetectFlowbitSetup;
71  sigmatch_table[DETECT_FLOWBITS].Free = DetectFlowbitFree;
72 #ifdef UNITTESTS
73  sigmatch_table[DETECT_FLOWBITS].RegisterTests = FlowBitsRegisterTests;
74 #endif
75  /* this is compatible to ip-only signatures */
76  sigmatch_table[DETECT_FLOWBITS].flags |= SIGMATCH_IPONLY_COMPAT;
77 
78  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
79 }
80 
81 static int FlowbitOrAddData(DetectEngineCtx *de_ctx, DetectFlowbitsData *cd, char *arrptr)
82 {
83  char *strarr[MAX_TOKENS];
84  char *token;
85  char *saveptr = NULL;
86  uint8_t i = 0;
87 
88  while ((token = strtok_r(arrptr, "|", &saveptr))) {
89  // Check for leading/trailing spaces in the token
90  while(isspace((unsigned char)*token))
91  token++;
92  if (*token == 0)
93  goto next;
94  char *end = token + strlen(token) - 1;
95  while(end > token && isspace((unsigned char)*end))
96  *(end--) = '\0';
97 
98  // Check for spaces in between the flowbit names
99  if (strchr(token, ' ') != NULL) {
100  SCLogError("Spaces are not allowed in flowbit names.");
101  return -1;
102  }
103 
104  if (i == MAX_TOKENS) {
105  SCLogError("Number of flowbits exceeds "
106  "maximum allowed: %d.",
107  MAX_TOKENS);
108  return -1;
109  }
110  strarr[i++] = token;
111  next:
112  arrptr = NULL;
113  }
114  if (i == 0) {
115  SCLogError("No valid flowbits specified");
116  return -1;
117  }
118 
119  cd->or_list_size = i;
120  cd->or_list = SCCalloc(cd->or_list_size, sizeof(uint32_t));
121  if (unlikely(cd->or_list == NULL))
122  return -1;
123  for (uint8_t j = 0; j < cd->or_list_size ; j++) {
124  cd->or_list[j] = VarNameStoreRegister(strarr[j], VAR_TYPE_FLOW_BIT);
125  de_ctx->max_fb_id = MAX(cd->or_list[j], de_ctx->max_fb_id);
126  }
127 
128  return 1;
129 }
130 
131 static int DetectFlowbitMatchToggle (Packet *p, const DetectFlowbitsData *fd)
132 {
133  if (p->flow == NULL)
134  return 0;
135 
136  FlowBitToggle(p->flow,fd->idx);
137 
138  return 1;
139 }
140 
141 static int DetectFlowbitMatchUnset (Packet *p, const DetectFlowbitsData *fd)
142 {
143  if (p->flow == NULL)
144  return 0;
145 
146  FlowBitUnset(p->flow,fd->idx);
147 
148  return 1;
149 }
150 
151 static int DetectFlowbitMatchSet (Packet *p, const DetectFlowbitsData *fd)
152 {
153  if (p->flow == NULL)
154  return 0;
155 
156  FlowBitSet(p->flow,fd->idx);
157 
158  return 1;
159 }
160 
161 static int DetectFlowbitMatchIsset (Packet *p, const DetectFlowbitsData *fd)
162 {
163  if (p->flow == NULL)
164  return 0;
165  if (fd->or_list_size > 0) {
166  for (uint8_t i = 0; i < fd->or_list_size; i++) {
167  if (FlowBitIsset(p->flow, fd->or_list[i]) == 1)
168  return 1;
169  }
170  return 0;
171  }
172 
173  return FlowBitIsset(p->flow,fd->idx);
174 }
175 
176 static int DetectFlowbitMatchIsnotset (Packet *p, const DetectFlowbitsData *fd)
177 {
178  if (p->flow == NULL)
179  return 0;
180  if (fd->or_list_size > 0) {
181  for (uint8_t i = 0; i < fd->or_list_size; i++) {
182  if (FlowBitIsnotset(p->flow, fd->or_list[i]) == 1)
183  return 1;
184  }
185  return 0;
186  }
187  return FlowBitIsnotset(p->flow,fd->idx);
188 }
189 
190 /*
191  * returns 0: no match
192  * 1: match
193  * -1: error
194  */
195 
196 int DetectFlowbitMatch (DetectEngineThreadCtx *det_ctx, Packet *p,
197  const Signature *s, const SigMatchCtx *ctx)
198 {
199  const DetectFlowbitsData *fd = (const DetectFlowbitsData *)ctx;
200  if (fd == NULL)
201  return 0;
202 
203  switch (fd->cmd) {
204  case DETECT_FLOWBITS_CMD_ISSET:
205  return DetectFlowbitMatchIsset(p,fd);
206  case DETECT_FLOWBITS_CMD_ISNOTSET:
207  return DetectFlowbitMatchIsnotset(p,fd);
208  case DETECT_FLOWBITS_CMD_SET:
209  return DetectFlowbitMatchSet(p,fd);
210  case DETECT_FLOWBITS_CMD_UNSET:
211  return DetectFlowbitMatchUnset(p,fd);
212  case DETECT_FLOWBITS_CMD_TOGGLE:
213  return DetectFlowbitMatchToggle(p,fd);
214  default:
215  SCLogError("unknown cmd %" PRIu32 "", fd->cmd);
216  return 0;
217  }
218 
219  return 0;
220 }
221 
222 static int DetectFlowbitParse(const char *str, char *cmd, int cmd_len, char *name,
223  int name_len)
224 {
225  int rc;
226  size_t pcre2len;
227  pcre2_match_data *match = NULL;
228 
229  int count = DetectParsePcreExec(&parse_regex, &match, str, 0, 0);
230  if (count != 2 && count != 3) {
231  SCLogError("\"%s\" is not a valid setting for flowbits.", str);
232  goto error;
233  }
234 
235  pcre2len = cmd_len;
236  rc = pcre2_substring_copy_bynumber(match, 1, (PCRE2_UCHAR8 *)cmd, &pcre2len);
237  if (rc < 0) {
238  SCLogError("pcre2_substring_copy_bynumber failed");
239  goto error;
240  }
241 
242  if (count == 3) {
243  pcre2len = name_len;
244  rc = pcre2_substring_copy_bynumber(match, 2, (PCRE2_UCHAR8 *)name, &pcre2len);
245  if (rc < 0) {
246  SCLogError("pcre2_substring_copy_bynumber failed");
247  goto error;
248  }
249 
250  /* Trim trailing whitespace. */
251  while (strlen(name) > 0 && isblank(name[strlen(name) - 1])) {
252  name[strlen(name) - 1] = '\0';
253  }
254 
255  if (strchr(name, '|') == NULL) {
256  /* Validate name, spaces are not allowed. */
257  for (size_t i = 0; i < strlen(name); i++) {
258  if (isblank(name[i])) {
259  SCLogError("spaces not allowed in flowbit names");
260  goto error;
261  }
262  }
263  }
264  }
265 
266  pcre2_match_data_free(match);
267  return 1;
268 
269 error:
270  if (match) {
271  pcre2_match_data_free(match);
272  }
273  return 0;
274 }
275 
276 int DetectFlowbitSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
277 {
278  DetectFlowbitsData *cd = NULL;
279  SigMatch *sm = NULL;
280  uint8_t fb_cmd = 0;
281  char fb_cmd_str[16] = "", fb_name[256] = "";
282 
283  if (!DetectFlowbitParse(rawstr, fb_cmd_str, sizeof(fb_cmd_str), fb_name,
284  sizeof(fb_name))) {
285  return -1;
286  }
287 
288  if (strcmp(fb_cmd_str,"noalert") == 0) {
289  fb_cmd = DETECT_FLOWBITS_CMD_NOALERT;
290  } else if (strcmp(fb_cmd_str,"isset") == 0) {
291  fb_cmd = DETECT_FLOWBITS_CMD_ISSET;
292  } else if (strcmp(fb_cmd_str,"isnotset") == 0) {
293  fb_cmd = DETECT_FLOWBITS_CMD_ISNOTSET;
294  } else if (strcmp(fb_cmd_str,"set") == 0) {
295  fb_cmd = DETECT_FLOWBITS_CMD_SET;
296  } else if (strcmp(fb_cmd_str,"unset") == 0) {
297  fb_cmd = DETECT_FLOWBITS_CMD_UNSET;
298  } else if (strcmp(fb_cmd_str,"toggle") == 0) {
299  fb_cmd = DETECT_FLOWBITS_CMD_TOGGLE;
300  } else {
301  SCLogError("ERROR: flowbits action \"%s\" is not supported.", fb_cmd_str);
302  goto error;
303  }
304 
305  switch (fb_cmd) {
306  case DETECT_FLOWBITS_CMD_NOALERT:
307  if (strlen(fb_name) != 0)
308  goto error;
309  s->flags |= SIG_FLAG_NOALERT;
310  return 0;
311  case DETECT_FLOWBITS_CMD_ISNOTSET:
312  case DETECT_FLOWBITS_CMD_ISSET:
313  case DETECT_FLOWBITS_CMD_SET:
314  case DETECT_FLOWBITS_CMD_UNSET:
315  case DETECT_FLOWBITS_CMD_TOGGLE:
316  default:
317  if (strlen(fb_name) == 0)
318  goto error;
319  break;
320  }
321 
322  cd = SCCalloc(1, sizeof(DetectFlowbitsData));
323  if (unlikely(cd == NULL))
324  goto error;
325  if (strchr(fb_name, '|') != NULL) {
326  int retval = FlowbitOrAddData(de_ctx, cd, fb_name);
327  if (retval == -1) {
328  goto error;
329  }
330  cd->cmd = fb_cmd;
331  } else {
332  cd->idx = VarNameStoreRegister(fb_name, VAR_TYPE_FLOW_BIT);
333  de_ctx->max_fb_id = MAX(cd->idx, de_ctx->max_fb_id);
334  cd->cmd = fb_cmd;
335  cd->or_list_size = 0;
336  cd->or_list = NULL;
337  SCLogDebug("idx %" PRIu32 ", cmd %s, name %s",
338  cd->idx, fb_cmd_str, strlen(fb_name) ? fb_name : "(none)");
339  }
340  /* Okay so far so good, lets get this into a SigMatch
341  * and put it in the Signature. */
342  sm = SigMatchAlloc();
343  if (sm == NULL)
344  goto error;
345 
346  sm->type = DETECT_FLOWBITS;
347  sm->ctx = (SigMatchCtx *)cd;
348 
349  switch (fb_cmd) {
350  /* case DETECT_FLOWBITS_CMD_NOALERT can't happen here */
351 
352  case DETECT_FLOWBITS_CMD_ISNOTSET:
353  case DETECT_FLOWBITS_CMD_ISSET:
354  /* checks, so packet list */
355  SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_MATCH);
356  break;
357 
358  case DETECT_FLOWBITS_CMD_SET:
359  case DETECT_FLOWBITS_CMD_UNSET:
360  case DETECT_FLOWBITS_CMD_TOGGLE:
361  /* modifiers, only run when entire sig has matched */
362  SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_POSTMATCH);
363  break;
364 
365  // suppress coverity warning as scan-build-7 warns w/o this.
366  // coverity[deadcode : FALSE]
367  default:
368  goto error;
369  }
370 
371  return 0;
372 
373 error:
374  if (cd != NULL)
375  DetectFlowbitFree(de_ctx, cd);
376  if (sm != NULL)
377  SCFree(sm);
378  return -1;
379 }
380 
381 void DetectFlowbitFree (DetectEngineCtx *de_ctx, void *ptr)
382 {
383  DetectFlowbitsData *fd = (DetectFlowbitsData *)ptr;
384  if (fd == NULL)
385  return;
386  VarNameStoreUnregister(fd->idx, VAR_TYPE_FLOW_BIT);
387  if (fd->or_list != NULL) {
388  for (uint8_t i = 0; i < fd->or_list_size; i++) {
389  VarNameStoreUnregister(fd->or_list[i], VAR_TYPE_FLOW_BIT);
390  }
391  SCFree(fd->or_list);
392  }
393  SCFree(fd);
394 }
395 
396 struct FBAnalyze {
397  uint16_t cnts[DETECT_FLOWBITS_CMD_MAX];
398  uint16_t state_cnts[DETECT_FLOWBITS_CMD_MAX];
399 
400  uint32_t *set_sids;
401  uint32_t set_sids_idx;
402  uint32_t set_sids_size;
403 
404  uint32_t *isset_sids;
405  uint32_t isset_sids_idx;
406  uint32_t isset_sids_size;
407 
408  uint32_t *isnotset_sids;
409  uint32_t isnotset_sids_idx;
410  uint32_t isnotset_sids_size;
411 
412  uint32_t *unset_sids;
413  uint32_t unset_sids_idx;
414  uint32_t unset_sids_size;
415 
416  uint32_t *toggle_sids;
417  uint32_t toggle_sids_idx;
418  uint32_t toggle_sids_size;
419 };
420 
421 extern bool rule_engine_analysis_set;
422 static void DetectFlowbitsAnalyzeDump(const DetectEngineCtx *de_ctx,
423  struct FBAnalyze *array, uint32_t elements);
424 
425 int DetectFlowbitsAnalyze(DetectEngineCtx *de_ctx)
426 {
427  const uint32_t max_fb_id = de_ctx->max_fb_id;
428  if (max_fb_id == 0)
429  return 0;
430 
431 #define MAX_SIDS 8
432  uint32_t array_size = max_fb_id + 1;
433  struct FBAnalyze *array = SCCalloc(array_size, sizeof(struct FBAnalyze));
434 
435  if (array == NULL) {
436  SCLogError("Unable to allocate flowbit analyze array");
437  return -1;
438  }
439 
440  SCLogDebug("fb analyzer array size: %"PRIu64,
441  (uint64_t)(array_size * sizeof(struct FBAnalyze)));
442 
443  /* fill flowbit array, updating counters per sig */
444  for (uint32_t i = 0; i < de_ctx->sig_array_len; i++) {
445  const Signature *s = de_ctx->sig_array[i];
446 
447  /* see if the signature uses stateful matching */
448  bool has_state = (s->init_data->buffer_index != 0);
449 
450  for (const SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_MATCH] ; sm != NULL; sm = sm->next) {
451  switch (sm->type) {
452  case DETECT_FLOWBITS:
453  {
454  /* figure out the flowbit action */
455  const DetectFlowbitsData *fb = (DetectFlowbitsData *)sm->ctx;
456  // Handle flowbit array in case of ORed flowbits
457  for (uint8_t k = 0; k < fb->or_list_size; k++) {
458  array[fb->or_list[k]].cnts[fb->cmd]++;
459  if (has_state)
460  array[fb->or_list[k]].state_cnts[fb->cmd]++;
461  if (fb->cmd == DETECT_FLOWBITS_CMD_ISSET) {
462  if (array[fb->or_list[k]].isset_sids_idx >= array[fb->or_list[k]].isset_sids_size) {
463  uint32_t old_size = array[fb->or_list[k]].isset_sids_size;
464  uint32_t new_size = MAX(2 * old_size, MAX_SIDS);
465 
466  void *ptr = SCRealloc(array[fb->or_list[k]].isset_sids, new_size * sizeof(uint32_t));
467  if (ptr == NULL)
468  goto end;
469  array[fb->or_list[k]].isset_sids_size = new_size;
470  array[fb->or_list[k]].isset_sids = ptr;
471  }
472 
473  array[fb->or_list[k]].isset_sids[array[fb->or_list[k]].isset_sids_idx] = s->num;
474  array[fb->or_list[k]].isset_sids_idx++;
475  } else if (fb->cmd == DETECT_FLOWBITS_CMD_ISNOTSET) {
476  if (array[fb->or_list[k]].isnotset_sids_idx >= array[fb->or_list[k]].isnotset_sids_size) {
477  uint32_t old_size = array[fb->or_list[k]].isnotset_sids_size;
478  uint32_t new_size = MAX(2 * old_size, MAX_SIDS);
479 
480  void *ptr = SCRealloc(array[fb->or_list[k]].isnotset_sids, new_size * sizeof(uint32_t));
481  if (ptr == NULL)
482  goto end;
483  array[fb->or_list[k]].isnotset_sids_size = new_size;
484  array[fb->or_list[k]].isnotset_sids = ptr;
485  }
486 
487  array[fb->or_list[k]].isnotset_sids[array[fb->or_list[k]].isnotset_sids_idx] = s->num;
488  array[fb->or_list[k]].isnotset_sids_idx++;
489  }
490  }
491  if (fb->or_list_size == 0) {
492  array[fb->idx].cnts[fb->cmd]++;
493  if (has_state)
494  array[fb->idx].state_cnts[fb->cmd]++;
495  if (fb->cmd == DETECT_FLOWBITS_CMD_ISSET) {
496  if (array[fb->idx].isset_sids_idx >= array[fb->idx].isset_sids_size) {
497  uint32_t old_size = array[fb->idx].isset_sids_size;
498  uint32_t new_size = MAX(2 * old_size, MAX_SIDS);
499 
500  void *ptr = SCRealloc(array[fb->idx].isset_sids, new_size * sizeof(uint32_t));
501  if (ptr == NULL)
502  goto end;
503  array[fb->idx].isset_sids_size = new_size;
504  array[fb->idx].isset_sids = ptr;
505  }
506 
507  array[fb->idx].isset_sids[array[fb->idx].isset_sids_idx] = s->num;
508  array[fb->idx].isset_sids_idx++;
509  } else if (fb->cmd == DETECT_FLOWBITS_CMD_ISNOTSET) {
510  if (array[fb->idx].isnotset_sids_idx >= array[fb->idx].isnotset_sids_size) {
511  uint32_t old_size = array[fb->idx].isnotset_sids_size;
512  uint32_t new_size = MAX(2 * old_size, MAX_SIDS);
513 
514  void *ptr = SCRealloc(array[fb->idx].isnotset_sids, new_size * sizeof(uint32_t));
515  if (ptr == NULL)
516  goto end;
517  array[fb->idx].isnotset_sids_size = new_size;
518  array[fb->idx].isnotset_sids = ptr;
519  }
520 
521  array[fb->idx].isnotset_sids[array[fb->idx].isnotset_sids_idx] = s->num;
522  array[fb->idx].isnotset_sids_idx++;
523  }
524  }
525  }
526  }
527  }
528  for (const SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_POSTMATCH] ; sm != NULL; sm = sm->next) {
529  switch (sm->type) {
530  case DETECT_FLOWBITS:
531  {
532  /* figure out what flowbit action */
533  const DetectFlowbitsData *fb = (DetectFlowbitsData *)sm->ctx;
534  array[fb->idx].cnts[fb->cmd]++;
535  if (has_state)
536  array[fb->idx].state_cnts[fb->cmd]++;
537  if (fb->cmd == DETECT_FLOWBITS_CMD_SET) {
538  if (array[fb->idx].set_sids_idx >= array[fb->idx].set_sids_size) {
539  uint32_t old_size = array[fb->idx].set_sids_size;
540  uint32_t new_size = MAX(2 * old_size, MAX_SIDS);
541 
542  void *ptr = SCRealloc(array[fb->idx].set_sids, new_size * sizeof(uint32_t));
543  if (ptr == NULL)
544  goto end;
545  array[fb->idx].set_sids_size = new_size;
546  array[fb->idx].set_sids = ptr;
547  }
548 
549  array[fb->idx].set_sids[array[fb->idx].set_sids_idx] = s->num;
550  array[fb->idx].set_sids_idx++;
551  }
552  else if (fb->cmd == DETECT_FLOWBITS_CMD_UNSET) {
553  if (array[fb->idx].unset_sids_idx >= array[fb->idx].unset_sids_size) {
554  uint32_t old_size = array[fb->idx].unset_sids_size;
555  uint32_t new_size = MAX(2 * old_size, MAX_SIDS);
556 
557  void *ptr = SCRealloc(array[fb->idx].unset_sids, new_size * sizeof(uint32_t));
558  if (ptr == NULL)
559  goto end;
560  array[fb->idx].unset_sids_size = new_size;
561  array[fb->idx].unset_sids = ptr;
562  }
563 
564  array[fb->idx].unset_sids[array[fb->idx].unset_sids_idx] = s->num;
565  array[fb->idx].unset_sids_idx++;
566  }
567  else if (fb->cmd == DETECT_FLOWBITS_CMD_TOGGLE) {
568  if (array[fb->idx].toggle_sids_idx >= array[fb->idx].toggle_sids_size) {
569  uint32_t old_size = array[fb->idx].toggle_sids_size;
570  uint32_t new_size = MAX(2 * old_size, MAX_SIDS);
571 
572  void *ptr = SCRealloc(array[fb->idx].toggle_sids, new_size * sizeof(uint32_t));
573  if (ptr == NULL)
574  goto end;
575  array[fb->idx].toggle_sids_size = new_size;
576  array[fb->idx].toggle_sids = ptr;
577  }
578 
579  array[fb->idx].toggle_sids[array[fb->idx].toggle_sids_idx] = s->num;
580  array[fb->idx].toggle_sids_idx++;
581  }
582  }
583  }
584  }
585  }
586 
587  /* walk array to see if all bits make sense */
588  for (uint32_t i = 0; i < array_size; i++) {
589  const char *varname = VarNameStoreSetupLookup(i, VAR_TYPE_FLOW_BIT);
590  if (varname == NULL)
591  continue;
592 
593  bool to_state = false;
594 
595  if (array[i].cnts[DETECT_FLOWBITS_CMD_ISSET] &&
596  array[i].cnts[DETECT_FLOWBITS_CMD_TOGGLE] == 0 &&
597  array[i].cnts[DETECT_FLOWBITS_CMD_SET] == 0) {
598 
599  const Signature *s = de_ctx->sig_array[array[i].isset_sids[0]];
600  SCLogWarning("flowbit '%s' is checked but not "
601  "set. Checked in %u and %u other sigs",
602  varname, s->id, array[i].isset_sids_idx - 1);
603  }
604  if (array[i].state_cnts[DETECT_FLOWBITS_CMD_ISSET] &&
605  array[i].state_cnts[DETECT_FLOWBITS_CMD_SET] == 0)
606  {
607  SCLogDebug("flowbit %s/%u: isset in state, set not in state", varname, i);
608  }
609 
610  /* if signature depends on 'stateful' flowbits, then turn the
611  * sig into a stateful sig itself */
612  if (array[i].cnts[DETECT_FLOWBITS_CMD_ISSET] > 0 &&
613  array[i].state_cnts[DETECT_FLOWBITS_CMD_ISSET] == 0 &&
614  array[i].state_cnts[DETECT_FLOWBITS_CMD_SET])
615  {
616  SCLogDebug("flowbit %s/%u: isset not in state, set in state", varname, i);
617  to_state = true;
618  }
619 
620  SCLogDebug("ALL flowbit %s/%u: sets %u toggles %u unsets %u isnotsets %u issets %u", varname, i,
621  array[i].cnts[DETECT_FLOWBITS_CMD_SET], array[i].cnts[DETECT_FLOWBITS_CMD_TOGGLE],
622  array[i].cnts[DETECT_FLOWBITS_CMD_UNSET], array[i].cnts[DETECT_FLOWBITS_CMD_ISNOTSET],
623  array[i].cnts[DETECT_FLOWBITS_CMD_ISSET]);
624  SCLogDebug("STATE flowbit %s/%u: sets %u toggles %u unsets %u isnotsets %u issets %u", varname, i,
625  array[i].state_cnts[DETECT_FLOWBITS_CMD_SET], array[i].state_cnts[DETECT_FLOWBITS_CMD_TOGGLE],
626  array[i].state_cnts[DETECT_FLOWBITS_CMD_UNSET], array[i].state_cnts[DETECT_FLOWBITS_CMD_ISNOTSET],
627  array[i].state_cnts[DETECT_FLOWBITS_CMD_ISSET]);
628  for (uint32_t x = 0; x < array[i].set_sids_idx; x++) {
629  SCLogDebug("SET flowbit %s/%u: SID %u", varname, i,
630  de_ctx->sig_array[array[i].set_sids[x]]->id);
631  }
632  for (uint32_t x = 0; x < array[i].isset_sids_idx; x++) {
633  Signature *s = de_ctx->sig_array[array[i].isset_sids[x]];
634  SCLogDebug("GET flowbit %s/%u: SID %u", varname, i, s->id);
635 
636  if (to_state) {
637  s->init_data->init_flags |= SIG_FLAG_INIT_STATE_MATCH;
638  SCLogDebug("made SID %u stateful because it depends on "
639  "stateful rules that set flowbit %s", s->id, varname);
640  }
641  }
642  }
643 
644  if (rule_engine_analysis_set) {
645  DetectFlowbitsAnalyzeDump(de_ctx, array, array_size);
646  }
647 
648 end:
649  for (uint32_t i = 0; i < array_size; i++) {
650  SCFree(array[i].set_sids);
651  SCFree(array[i].unset_sids);
652  SCFree(array[i].isset_sids);
653  SCFree(array[i].isnotset_sids);
654  SCFree(array[i].toggle_sids);
655  }
656  SCFree(array);
657 
658  return 0;
659 }
660 
661 SCMutex g_flowbits_dump_write_m = SCMUTEX_INITIALIZER;
662 static void DetectFlowbitsAnalyzeDump(const DetectEngineCtx *de_ctx,
663  struct FBAnalyze *array, uint32_t elements)
664 {
665  JsonBuilder *js = jb_new_object();
666  if (js == NULL)
667  return;
668 
669  jb_open_array(js, "flowbits");
670  for (uint32_t x = 0; x < elements; x++) {
671  const char *varname = VarNameStoreSetupLookup(x, VAR_TYPE_FLOW_BIT);
672  if (varname == NULL)
673  continue;
674 
675  const struct FBAnalyze *e = &array[x];
676 
677  jb_start_object(js);
678  jb_set_string(js, "name", varname);
679  jb_set_uint(js, "internal_id", x);
680  jb_set_uint(js, "set_cnt", e->cnts[DETECT_FLOWBITS_CMD_SET]);
681  jb_set_uint(js, "unset_cnt", e->cnts[DETECT_FLOWBITS_CMD_UNSET]);
682  jb_set_uint(js, "toggle_cnt", e->cnts[DETECT_FLOWBITS_CMD_TOGGLE]);
683  jb_set_uint(js, "isset_cnt", e->cnts[DETECT_FLOWBITS_CMD_ISSET]);
684  jb_set_uint(js, "isnotset_cnt", e->cnts[DETECT_FLOWBITS_CMD_ISNOTSET]);
685 
686  // sets
687  if (e->cnts[DETECT_FLOWBITS_CMD_SET]) {
688  jb_open_array(js, "sets");
689  for (uint32_t i = 0; i < e->set_sids_idx; i++) {
690  const Signature *s = de_ctx->sig_array[e->set_sids[i]];
691  jb_append_uint(js, s->id);
692  }
693  jb_close(js);
694  }
695  // gets
696  if (e->cnts[DETECT_FLOWBITS_CMD_ISSET]) {
697  jb_open_array(js, "isset");
698  for (uint32_t i = 0; i < e->isset_sids_idx; i++) {
699  const Signature *s = de_ctx->sig_array[e->isset_sids[i]];
700  jb_append_uint(js, s->id);
701  }
702  jb_close(js);
703  }
704  // isnotset
705  if (e->cnts[DETECT_FLOWBITS_CMD_ISNOTSET]) {
706  jb_open_array(js, "isnotset");
707  for (uint32_t i = 0; i < e->isnotset_sids_idx; i++) {
708  const Signature *s = de_ctx->sig_array[e->isnotset_sids[i]];
709  jb_append_uint(js, s->id);
710  }
711  jb_close(js);
712  }
713  // unset
714  if (e->cnts[DETECT_FLOWBITS_CMD_UNSET]) {
715  jb_open_array(js, "unset");
716  for (uint32_t i = 0; i < e->unset_sids_idx; i++) {
717  const Signature *s = de_ctx->sig_array[e->unset_sids[i]];
718  jb_append_uint(js, s->id);
719  }
720  jb_close(js);
721  }
722  // toggle
723  if (e->cnts[DETECT_FLOWBITS_CMD_TOGGLE]) {
724  jb_open_array(js, "toggle");
725  for (uint32_t i = 0; i < e->toggle_sids_idx; i++) {
726  const Signature *s = de_ctx->sig_array[e->toggle_sids[i]];
727  jb_append_uint(js, s->id);
728  }
729  jb_close(js);
730  }
731  jb_close(js);
732  }
733  jb_close(js); // array
734  jb_close(js); // object
735 
736  const char *filename = "flowbits.json";
737  const char *log_dir = ConfigGetLogDirectory();
738  char log_path[PATH_MAX] = "";
739  snprintf(log_path, sizeof(log_path), "%s/%s", log_dir, filename);
740 
741  SCMutexLock(&g_flowbits_dump_write_m);
742  FILE *fp = fopen(log_path, "w");
743  if (fp != NULL) {
744  fwrite(jb_ptr(js), jb_len(js), 1, fp);
745  fprintf(fp, "\n");
746  fclose(fp);
747  }
748  SCMutexUnlock(&g_flowbits_dump_write_m);
749 
750  jb_free(js);
751 }
752 
753 #ifdef UNITTESTS
754 
755 static int FlowBitsTestParse01(void)
756 {
757  char command[16] = "", name[16] = "";
758 
759  /* Single argument version. */
760  FAIL_IF(!DetectFlowbitParse("noalert", command, sizeof(command), name,
761  sizeof(name)));
762  FAIL_IF(strcmp(command, "noalert") != 0);
763 
764  /* No leading or trailing spaces. */
765  FAIL_IF(!DetectFlowbitParse("set,flowbit", command, sizeof(command), name,
766  sizeof(name)));
767  FAIL_IF(strcmp(command, "set") != 0);
768  FAIL_IF(strcmp(name, "flowbit") != 0);
769 
770  /* Leading space. */
771  FAIL_IF(!DetectFlowbitParse("set, flowbit", command, sizeof(command), name,
772  sizeof(name)));
773  FAIL_IF(strcmp(command, "set") != 0);
774  FAIL_IF(strcmp(name, "flowbit") != 0);
775 
776  /* Trailing space. */
777  FAIL_IF(!DetectFlowbitParse("set,flowbit ", command, sizeof(command), name,
778  sizeof(name)));
779  FAIL_IF(strcmp(command, "set") != 0);
780  FAIL_IF(strcmp(name, "flowbit") != 0);
781 
782  /* Leading and trailing space. */
783  FAIL_IF(!DetectFlowbitParse("set, flowbit ", command, sizeof(command), name,
784  sizeof(name)));
785  FAIL_IF(strcmp(command, "set") != 0);
786  FAIL_IF(strcmp(name, "flowbit") != 0);
787 
788  /* Spaces are not allowed in the name. */
789  FAIL_IF(DetectFlowbitParse("set,namewith space", command, sizeof(command),
790  name, sizeof(name)));
791 
792  PASS;
793 }
794 
795 /**
796  * \test FlowBitsTestSig01 is a test for a valid noalert flowbits option
797  *
798  * \retval 1 on success
799  * \retval 0 on failure
800  */
801 
802 static int FlowBitsTestSig01(void)
803 {
804  Signature *s = NULL;
805  DetectEngineCtx *de_ctx = NULL;
806 
807  de_ctx = DetectEngineCtxInit();
808  FAIL_IF_NULL(de_ctx);
809 
810  de_ctx->flags |= DE_QUIET;
811 
812  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Noalert\"; flowbits:noalert,wrongusage; content:\"GET \"; sid:1;)");
813  FAIL_IF_NOT_NULL(s);
814 
815  SigGroupBuild(de_ctx);
816  DetectEngineCtxFree(de_ctx);
817  PASS;
818 }
819 
820 /**
821  * \test FlowBitsTestSig02 is a test for a valid isset,set,isnotset,unset,toggle flowbits options
822  *
823  * \retval 1 on success
824  * \retval 0 on failure
825  */
826 
827 static int FlowBitsTestSig02(void)
828 {
829  Signature *s = NULL;
830  ThreadVars th_v;
831  DetectEngineCtx *de_ctx = NULL;
832 
833  memset(&th_v, 0, sizeof(th_v));
834 
835  de_ctx = DetectEngineCtxInit();
836  FAIL_IF_NULL(de_ctx);
837 
838  de_ctx->flags |= DE_QUIET;
839 
840  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"isset rule need an option\"; flowbits:isset; content:\"GET \"; sid:1;)");
841  FAIL_IF_NOT_NULL(s);
842 
843  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"isnotset rule need an option\"; flowbits:isnotset; content:\"GET \"; sid:2;)");
844  FAIL_IF_NOT_NULL(s);
845 
846  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"set rule need an option\"; flowbits:set; content:\"GET \"; sid:3;)");
847  FAIL_IF_NOT_NULL(s);
848 
849  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"unset rule need an option\"; flowbits:unset; content:\"GET \"; sid:4;)");
850  FAIL_IF_NOT_NULL(s);
851 
852  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"toggle rule need an option\"; flowbits:toggle; content:\"GET \"; sid:5;)");
853  FAIL_IF_NOT_NULL(s);
854 
855  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"!set is not an option\"; flowbits:!set,myerr; content:\"GET \"; sid:6;)");
856  FAIL_IF_NOT_NULL(s);
857 
858  SigGroupBuild(de_ctx);
859  DetectEngineCtxFree(de_ctx);
860 
861  PASS;
862 }
863 
864 /**
865  * \test FlowBitsTestSig03 is a test for a invalid flowbits option
866  *
867  * \retval 1 on success
868  * \retval 0 on failure
869  */
870 
871 static int FlowBitsTestSig03(void)
872 {
873  Signature *s = NULL;
874  DetectEngineCtx *de_ctx = NULL;
875 
876  de_ctx = DetectEngineCtxInit();
877  FAIL_IF_NULL(de_ctx);
878 
879  de_ctx->flags |= DE_QUIET;
880 
881  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Unknown cmd\"; flowbits:wrongcmd; content:\"GET \"; sid:1;)");
882  FAIL_IF_NOT_NULL(s);
883 
884  SigGroupBuild(de_ctx);
885  DetectEngineCtxFree(de_ctx);
886  PASS;
887 }
888 
889 /**
890  * \test FlowBitsTestSig04 is a test check idx value
891  *
892  * \retval 1 on success
893  * \retval 0 on failure
894  */
895 
896 static int FlowBitsTestSig04(void)
897 {
898  Signature *s = NULL;
899  DetectEngineCtx *de_ctx = NULL;
900  int idx = 0;
901  de_ctx = DetectEngineCtxInit();
902  FAIL_IF_NULL(de_ctx);
903 
904  de_ctx->flags |= DE_QUIET;
905 
906  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"isset option\"; flowbits:isset,fbt; content:\"GET \"; sid:1;)");
907  FAIL_IF_NULL(s);
908 
909  idx = VarNameStoreRegister("fbt", VAR_TYPE_FLOW_BIT);
910  FAIL_IF(idx == 0);
911 
912  SigGroupBuild(de_ctx);
913  DetectEngineCtxFree(de_ctx);
914  PASS;
915 }
916 
917 /**
918  * \test FlowBitsTestSig05 is a test check noalert flag
919  *
920  * \retval 1 on success
921  * \retval 0 on failure
922  */
923 
924 static int FlowBitsTestSig05(void)
925 {
926  Signature *s = NULL;
927  DetectEngineCtx *de_ctx = NULL;
928 
929  de_ctx = DetectEngineCtxInit();
930  FAIL_IF_NULL(de_ctx);
931 
932  de_ctx->flags |= DE_QUIET;
933 
934  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Noalert\"; flowbits:noalert; content:\"GET \"; sid:1;)");
935  FAIL_IF_NULL(s);
936  FAIL_IF((s->flags & SIG_FLAG_NOALERT) != SIG_FLAG_NOALERT);
937 
938  SigGroupBuild(de_ctx);
939  DetectEngineCtxFree(de_ctx);
940  PASS;
941 }
942 
943 /**
944  * \test FlowBitsTestSig06 is a test set flowbits option
945  *
946  * \retval 1 on success
947  * \retval 0 on failure
948  */
949 
950 static int FlowBitsTestSig06(void)
951 {
952  uint8_t *buf = (uint8_t *)
953  "GET /one/ HTTP/1.1\r\n"
954  "Host: one.example.org\r\n"
955  "\r\n";
956  uint16_t buflen = strlen((char *)buf);
957  Packet *p = PacketGetFromAlloc();
958  FAIL_IF_NULL(p);
959  Signature *s = NULL;
960  ThreadVars th_v;
961  DetectEngineThreadCtx *det_ctx = NULL;
962  DetectEngineCtx *de_ctx = NULL;
963  Flow f;
964  GenericVar flowvar, *gv = NULL;
965  int result = 0;
966  uint32_t idx = 0;
967 
968  memset(&th_v, 0, sizeof(th_v));
969  memset(&f, 0, sizeof(Flow));
970  memset(&flowvar, 0, sizeof(GenericVar));
971 
972  FLOW_INITIALIZE(&f);
973  p->flow = &f;
974  p->flow->flowvar = &flowvar;
975 
976  p->src.family = AF_INET;
977  p->dst.family = AF_INET;
978  p->payload = buf;
979  p->payload_len = buflen;
980  p->proto = IPPROTO_TCP;
981  p->flags |= PKT_HAS_FLOW;
982  p->flowflags |= FLOW_PKT_TOSERVER;
983 
984  de_ctx = DetectEngineCtxInit();
985  FAIL_IF_NULL(de_ctx);
986 
987  de_ctx->flags |= DE_QUIET;
988 
989  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Flowbit set\"; flowbits:set,myflow; sid:10;)");
990  FAIL_IF_NULL(s);
991 
992  idx = VarNameStoreRegister("myflow", VAR_TYPE_FLOW_BIT);
993  SigGroupBuild(de_ctx);
994  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
995 
996  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
997 
998  gv = p->flow->flowvar;
999  FAIL_IF_NULL(gv);
1000  for ( ; gv != NULL; gv = gv->next) {
1001  if (gv->type == DETECT_FLOWBITS && gv->idx == idx) {
1002  result = 1;
1003  }
1004  }
1005  FAIL_IF_NOT(result);
1006 
1007  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1008  DetectEngineCtxFree(de_ctx);
1009 
1010  FLOW_DESTROY(&f);
1011 
1012  SCFree(p);
1013  PASS;
1014 }
1015 
1016 /**
1017  * \test FlowBitsTestSig07 is a test unset flowbits option
1018  *
1019  * \retval 1 on success
1020  * \retval 0 on failure
1021  */
1022 
1023 static int FlowBitsTestSig07(void)
1024 {
1025  uint8_t *buf = (uint8_t *)
1026  "GET /one/ HTTP/1.1\r\n"
1027  "Host: one.example.org\r\n"
1028  "\r\n";
1029  uint16_t buflen = strlen((char *)buf);
1030  Packet *p = PacketGetFromAlloc();
1031  FAIL_IF_NULL(p);
1032  Signature *s = NULL;
1033  ThreadVars th_v;
1034  DetectEngineThreadCtx *det_ctx = NULL;
1035  DetectEngineCtx *de_ctx = NULL;
1036  Flow f;
1037  GenericVar flowvar, *gv = NULL;
1038  int result = 0;
1039  uint32_t idx = 0;
1040 
1041  memset(&th_v, 0, sizeof(th_v));
1042  memset(&f, 0, sizeof(Flow));
1043  memset(&flowvar, 0, sizeof(GenericVar));
1044 
1045  FLOW_INITIALIZE(&f);
1046  p->flow = &f;
1047  p->flow->flowvar = &flowvar;
1048 
1049  p->src.family = AF_INET;
1050  p->dst.family = AF_INET;
1051  p->payload = buf;
1052  p->payload_len = buflen;
1053  p->proto = IPPROTO_TCP;
1054 
1055  de_ctx = DetectEngineCtxInit();
1056  FAIL_IF_NULL(de_ctx);
1057 
1058  de_ctx->flags |= DE_QUIET;
1059 
1060  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Flowbit set\"; flowbits:set,myflow2; sid:10;)");
1061  FAIL_IF_NULL(s);
1062 
1063  s = s->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Flowbit unset\"; flowbits:unset,myflow2; sid:11;)");
1064  FAIL_IF_NULL(s);
1065 
1066  idx = VarNameStoreRegister("myflow", VAR_TYPE_FLOW_BIT);
1067  SigGroupBuild(de_ctx);
1068  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1069 
1070  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1071 
1072  gv = p->flow->flowvar;
1073  FAIL_IF_NULL(gv);
1074 
1075  for ( ; gv != NULL; gv = gv->next) {
1076  if (gv->type == DETECT_FLOWBITS && gv->idx == idx) {
1077  result = 1;
1078  }
1079  }
1080  FAIL_IF(result);
1081 
1082  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1083  DetectEngineCtxFree(de_ctx);
1084 
1085  FLOW_DESTROY(&f);
1086 
1087  SCFree(p);
1088  PASS;
1089 }
1090 
1091 /**
1092  * \test FlowBitsTestSig08 is a test toggle flowbits option
1093  *
1094  * \retval 1 on success
1095  * \retval 0 on failure
1096  */
1097 
1098 static int FlowBitsTestSig08(void)
1099 {
1100  uint8_t *buf = (uint8_t *)
1101  "GET /one/ HTTP/1.1\r\n"
1102  "Host: one.example.org\r\n"
1103  "\r\n";
1104  uint16_t buflen = strlen((char *)buf);
1105  Packet *p = PacketGetFromAlloc();
1106  if (unlikely(p == NULL))
1107  return 0;
1108  Signature *s = NULL;
1109  ThreadVars th_v;
1110  DetectEngineThreadCtx *det_ctx = NULL;
1111  DetectEngineCtx *de_ctx = NULL;
1112  Flow f;
1113  GenericVar flowvar, *gv = NULL;
1114  int result = 0;
1115  uint32_t idx = 0;
1116 
1117  memset(&th_v, 0, sizeof(th_v));
1118  memset(&f, 0, sizeof(Flow));
1119  memset(&flowvar, 0, sizeof(GenericVar));
1120 
1121  FLOW_INITIALIZE(&f);
1122  p->flow = &f;
1123  p->flow->flowvar = &flowvar;
1124 
1125  p->src.family = AF_INET;
1126  p->dst.family = AF_INET;
1127  p->payload = buf;
1128  p->payload_len = buflen;
1129  p->proto = IPPROTO_TCP;
1130 
1131  de_ctx = DetectEngineCtxInit();
1132  FAIL_IF_NULL(de_ctx);
1133 
1134  de_ctx->flags |= DE_QUIET;
1135 
1136  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Flowbit set\"; flowbits:set,myflow2; sid:10;)");
1137  FAIL_IF_NULL(s);
1138 
1139  s = s->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Flowbit unset\"; flowbits:toggle,myflow2; sid:11;)");
1140  FAIL_IF_NULL(s);
1141 
1142  idx = VarNameStoreRegister("myflow", VAR_TYPE_FLOW_BIT);
1143  SigGroupBuild(de_ctx);
1144  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1145 
1146  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1147 
1148  gv = p->flow->flowvar;
1149  FAIL_IF_NULL(gv);
1150 
1151  for ( ; gv != NULL; gv = gv->next) {
1152  if (gv->type == DETECT_FLOWBITS && gv->idx == idx) {
1153  result = 1;
1154  }
1155  }
1156  FAIL_IF(result);
1157 
1158  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1159  DetectEngineCtxFree(de_ctx);
1160 
1161  FLOW_DESTROY(&f);
1162 
1163  SCFree(p);
1164  PASS;
1165 }
1166 
1167 /**
1168  * \brief this function registers unit tests for FlowBits
1169  */
1170 void FlowBitsRegisterTests(void)
1171 {
1172  UtRegisterTest("FlowBitsTestParse01", FlowBitsTestParse01);
1173  UtRegisterTest("FlowBitsTestSig01", FlowBitsTestSig01);
1174  UtRegisterTest("FlowBitsTestSig02", FlowBitsTestSig02);
1175  UtRegisterTest("FlowBitsTestSig03", FlowBitsTestSig03);
1176  UtRegisterTest("FlowBitsTestSig04", FlowBitsTestSig04);
1177  UtRegisterTest("FlowBitsTestSig05", FlowBitsTestSig05);
1178  UtRegisterTest("FlowBitsTestSig06", FlowBitsTestSig06);
1179  UtRegisterTest("FlowBitsTestSig07", FlowBitsTestSig07);
1180  UtRegisterTest("FlowBitsTestSig08", FlowBitsTestSig08);
1181 }
1182 #endif /* UNITTESTS */
FBAnalyze::cnts
uint16_t cnts[DETECT_FLOWBITS_CMD_MAX]
Definition: detect-flowbits.c:397
GenericVar_::type
uint8_t type
Definition: util-var.h:49
FBAnalyze::isset_sids
uint32_t * isset_sids
Definition: detect-flowbits.c:404
SigTableElmt_::url
const char * url
Definition: detect.h:1288
Packet_::proto
uint8_t proto
Definition: decode.h:452
FBAnalyze::isnotset_sids_idx
uint32_t isnotset_sids_idx
Definition: detect-flowbits.c:409
g_flowbits_dump_write_m
SCMutex g_flowbits_dump_write_m
Definition: detect-flowbits.c:661
DetectFlowbitsData_::or_list_size
uint8_t or_list_size
Definition: detect-flowbits.h:39
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:437
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:567
DETECT_FLOWBITS_CMD_MAX
#define DETECT_FLOWBITS_CMD_MAX
Definition: detect-flowbits.h:34
SigTableElmt_::desc
const char * desc
Definition: detect.h:1287
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1000
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1275
flow-util.h
DetectParseRegex
Definition: detect-parse.h:62
SigTableElmt_::name
const char * name
Definition: detect.h:1285
Signature_::num
SigIntId num
Definition: detect.h:594
FBAnalyze::isnotset_sids
uint32_t * isnotset_sids
Definition: detect-flowbits.c:408
FlowBitsRegisterTests
void FlowBitsRegisterTests(void)
this function registers unit tests for FlowBits
Definition: detect-flowbits.c:1170
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
MAX_SIDS
#define MAX_SIDS
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
FBAnalyze::unset_sids_size
uint32_t unset_sids_size
Definition: detect-flowbits.c:414
MAX_TOKENS
#define MAX_TOKENS
Definition: detect-flowbits.c:53
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:0
DETECT_FLOWBITS_CMD_ISNOTSET
#define DETECT_FLOWBITS_CMD_ISNOTSET
Definition: detect-flowbits.h:31
Packet_::payload
uint8_t * payload
Definition: decode.h:577
Packet_::flags
uint32_t flags
Definition: decode.h:467
threads.h
Flow_
Flow data structure.
Definition: flow.h:347
DetectFlowbitsAnalyze
int DetectFlowbitsAnalyze(DetectEngineCtx *de_ctx)
Definition: detect-flowbits.c:425
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1279
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:827
DetectFlowbitsData_::cmd
uint8_t cmd
Definition: detect-flowbits.h:38
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2592
flow-bit.h
SCMutexLock
#define SCMutexLock(mut)
Definition: threads-debug.h:117
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:221
util-var-name.h
DE_QUIET
#define DE_QUIET
Definition: detect.h:315
VarNameStoreSetupLookup
const char * VarNameStoreSetupLookup(const uint32_t id, const enum VarTypes type)
Definition: util-var-name.c:188
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1824
SCMUTEX_INITIALIZER
#define SCMUTEX_INITIALIZER
Definition: threads-debug.h:121
SignatureInitData_::init_flags
uint32_t init_flags
Definition: detect.h:537
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
Definition: detect-parse.c:2629
DETECT_FLOWBITS_CMD_TOGGLE
#define DETECT_FLOWBITS_CMD_TOGGLE
Definition: detect-flowbits.h:29
DETECT_FLOWBITS_CMD_ISSET
#define DETECT_FLOWBITS_CMD_ISSET
Definition: detect-flowbits.h:32
VarNameStoreRegister
uint32_t VarNameStoreRegister(const char *name, const enum VarTypes type)
Definition: util-var-name.c:155
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:461
MAX
#define MAX(x, y)
Definition: suricata-common.h:390
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1270
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:578
util-unittest.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
Signature_::next
struct Signature_ * next
Definition: detect.h:657
FlowBitUnset
void FlowBitUnset(Flow *f, uint32_t idx)
Definition: flow-bit.c:89
DetectFlowbitsData_
Definition: detect-flowbits.h:36
DETECT_SM_LIST_POSTMATCH
@ DETECT_SM_LIST_POSTMATCH
Definition: detect.h:118
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
GenericVar_::next
struct GenericVar_ * next
Definition: util-var.h:52
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-flowbits.c:50
DetectEngineThreadCtx_
Definition: detect.h:1075
SCMutexUnlock
#define SCMutexUnlock(mut)
Definition: threads-debug.h:119
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2753
FlowBitSet
void FlowBitSet(Flow *f, uint32_t idx)
Definition: flow-bit.c:84
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
VarNameStoreUnregister
void VarNameStoreUnregister(const uint32_t id, const enum VarTypes type)
Definition: util-var-name.c:201
FBAnalyze::toggle_sids_idx
uint32_t toggle_sids_idx
Definition: detect-flowbits.c:417
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:345
FBAnalyze::set_sids_size
uint32_t set_sids_size
Definition: detect-flowbits.c:402
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:108
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:249
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2270
app-layer-parser.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:344
GenericVar_::idx
uint32_t idx
Definition: util-var.h:51
FBAnalyze::unset_sids
uint32_t * unset_sids
Definition: detect-flowbits.c:412
DetectFlowbitFree
void DetectFlowbitFree(DetectEngineCtx *, void *)
Definition: detect-flowbits.c:381
DetectFlowbitsRegister
void DetectFlowbitsRegister(void)
Definition: detect-flowbits.c:64
Signature_::flags
uint32_t flags
Definition: detect.h:583
FBAnalyze::set_sids
uint32_t * set_sids
Definition: detect-flowbits.c:400
DetectEngineCtx_::max_fb_id
uint32_t max_fb_id
Definition: detect.h:888
Packet_
Definition: decode.h:430
detect-engine-build.h
DetectFlowbitsData_::idx
uint32_t idx
Definition: detect-flowbits.h:37
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:654
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1253
FBAnalyze::toggle_sids
uint32_t * toggle_sids
Definition: detect-flowbits.c:416
FBAnalyze::isset_sids_idx
uint32_t isset_sids_idx
Definition: detect-flowbits.c:405
detect-flowbits.h
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:322
FlowBitToggle
void FlowBitToggle(Flow *f, uint32_t idx)
Definition: flow-bit.c:94
Flow_::flowvar
GenericVar * flowvar
Definition: flow.h:482
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1971
FBAnalyze::unset_sids_idx
uint32_t unset_sids_idx
Definition: detect-flowbits.c:413
FBAnalyze::toggle_sids_size
uint32_t toggle_sids_size
Definition: detect-flowbits.c:418
SCRealloc
#define SCRealloc(ptr, sz)
Definition: util-mem.h:50
SIG_FLAG_INIT_STATE_MATCH
#define SIG_FLAG_INIT_STATE_MATCH
Definition: detect.h:280
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:336
util-conf.h
Packet_::flow
struct Flow_ * flow
Definition: decode.h:469
DETECT_FLOWBITS_CMD_NOALERT
#define DETECT_FLOWBITS_CMD_NOALERT
Definition: detect-flowbits.h:33
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3308
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
VAR_TYPE_FLOW_BIT
@ VAR_TYPE_FLOW_BIT
Definition: util-var.h:35
FBAnalyze::state_cnts
uint16_t state_cnts[DETECT_FLOWBITS_CMD_MAX]
Definition: detect-flowbits.c:398
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3522
SigMatch_::type
uint16_t type
Definition: detect.h:342
GenericVar_
Definition: util-var.h:48
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:129
util-spm.h
FBAnalyze::set_sids_idx
uint32_t set_sids_idx
Definition: detect-flowbits.c:401
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:835
SIG_FLAG_NOALERT
#define SIG_FLAG_NOALERT
Definition: detect.h:236
DETECT_FLOWBITS
@ DETECT_FLOWBITS
Definition: detect-engine-register.h:90
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:173
ConfigGetLogDirectory
const char * ConfigGetLogDirectory(void)
Definition: util-conf.c:38
FlowBitIsset
int FlowBitIsset(Flow *f, uint32_t idx)
Definition: flow-bit.c:104
str
#define str(s)
Definition: suricata-common.h:286
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
FBAnalyze::isset_sids_size
uint32_t isset_sids_size
Definition: detect-flowbits.c:406
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DetectFlowbitsData_::or_list
uint32_t * or_list
Definition: detect-flowbits.h:40
Signature_::id
uint32_t id
Definition: detect.h:617
DETECT_FLOWBITS_CMD_UNSET
#define DETECT_FLOWBITS_CMD_UNSET
Definition: detect-flowbits.h:30
detect-parse.h
Signature_
Signature container.
Definition: detect.h:582
SigMatch_
a single match condition for a signature
Definition: detect.h:341
FBAnalyze::isnotset_sids_size
uint32_t isnotset_sids_size
Definition: detect-flowbits.c:410
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2553
DetectFlowbitMatch
int DetectFlowbitMatch(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect-flowbits.c:196
DetectEngineCtx_::sig_array
Signature ** sig_array
Definition: detect.h:844
Address_::family
char family
Definition: decode.h:116
Packet_::dst
Address dst
Definition: decode.h:435
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:829
flow.h
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
DetectEngineCtx_::sig_array_len
uint32_t sig_array_len
Definition: detect.h:846
FBAnalyze
Definition: detect-flowbits.c:396
SignatureInitData_::buffer_index
uint32_t buffer_index
Definition: detect.h:573
SIGMATCH_IPONLY_COMPAT
#define SIGMATCH_IPONLY_COMPAT
Definition: detect.h:1469
SCMutex
#define SCMutex
Definition: threads-debug.h:114
rule_engine_analysis_set
bool rule_engine_analysis_set
Definition: detect-engine-loader.c:54
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:127
Packet_::src
Address src
Definition: decode.h:434
FlowBitIsnotset
int FlowBitIsnotset(Flow *f, uint32_t idx)
Definition: flow-bit.c:116
DETECT_FLOWBITS_CMD_SET
#define DETECT_FLOWBITS_CMD_SET
Definition: detect-flowbits.h:28
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1277