Go to the documentation of this file.
48 #define PARSE_REGEX "^([a-z]+)(?:,\\s*(.*))?"
51 #define MAX_TOKENS 100
86 while ((token = strtok_r(arrptr,
"|", &saveptr))) {
88 while(isspace((
unsigned char)*token))
92 char *end = token + strlen(token) - 1;
93 while(end > token && isspace((
unsigned char)*end))
97 if (strchr(token,
' ') != NULL) {
198 return DetectFlowbitMatchIsset(p,fd);
200 return DetectFlowbitMatchIsnotset(p,fd);
202 return DetectFlowbitMatchSet(p,fd);
204 return DetectFlowbitMatchUnset(p,fd);
206 return DetectFlowbitMatchToggle(p,fd);
215 static int DetectFlowbitParse(
const char *
str,
char *cmd,
int cmd_len,
char *name,
222 if (count != 2 && count != 3) {
224 "\"%s\" is not a valid setting for flowbits.",
str);
229 rc = pcre2_substring_copy_bynumber(parse_regex.
match, 1, (PCRE2_UCHAR8 *)cmd, &pcre2len);
237 rc = pcre2_substring_copy_bynumber(parse_regex.
match, 2, (PCRE2_UCHAR8 *)name, &pcre2len);
244 while (strlen(name) > 0 && isblank(name[strlen(name) - 1])) {
245 name[strlen(name) - 1] =
'\0';
248 if (strchr(name,
'|') == NULL) {
250 for (
size_t i = 0; i < strlen(name); i++) {
251 if (isblank(name[i])) {
253 "spaces not allowed in flowbit names");
268 char fb_cmd_str[16] =
"", fb_name[256] =
"";
270 if (!DetectFlowbitParse(rawstr, fb_cmd_str,
sizeof(fb_cmd_str), fb_name,
275 if (strcmp(fb_cmd_str,
"noalert") == 0) {
277 }
else if (strcmp(fb_cmd_str,
"isset") == 0) {
279 }
else if (strcmp(fb_cmd_str,
"isnotset") == 0) {
281 }
else if (strcmp(fb_cmd_str,
"set") == 0) {
283 }
else if (strcmp(fb_cmd_str,
"unset") == 0) {
285 }
else if (strcmp(fb_cmd_str,
"toggle") == 0) {
294 if (strlen(fb_name) != 0)
304 if (strlen(fb_name) == 0)
312 if (strchr(fb_name,
'|') != NULL) {
313 int retval = FlowbitOrAddData(
de_ctx, cd, fb_name);
324 SCLogDebug(
"idx %" PRIu32
", cmd %s, name %s",
325 cd->
idx, fb_cmd_str, strlen(fb_name) ? fb_name :
"(none)");
405 struct FBAnalyze *array, uint32_t elements);
414 uint32_t array_size = max_fb_id + 1;
423 (uint64_t)(array_size *
sizeof(
struct FBAnalyze)));
428 bool has_state =
false;
576 for (uint32_t i = 0; i < array_size; i++) {
581 bool to_state =
false;
589 "set. Checked in %u and %u other sigs",
595 SCLogDebug(
"flowbit %s/%u: isset in state, set not in state", varname, i);
604 SCLogDebug(
"flowbit %s/%u: isset not in state, set in state", varname, i);
608 SCLogDebug(
"ALL flowbit %s/%u: sets %u toggles %u unsets %u isnotsets %u issets %u", varname, i,
612 SCLogDebug(
"STATE flowbit %s/%u: sets %u toggles %u unsets %u isnotsets %u issets %u", varname, i,
617 SCLogDebug(
"SET flowbit %s/%u: SID %u", varname, i,
622 SCLogDebug(
"GET flowbit %s/%u: SID %u", varname, i, s->
id);
626 SCLogDebug(
"made SID %u stateful because it depends on "
627 "stateful rules that set flowbit %s", s->
id, varname);
634 DetectFlowbitsAnalyzeDump(
de_ctx, array, array_size);
638 for (uint32_t i = 0; i < array_size; i++) {
652 struct FBAnalyze *array, uint32_t elements)
654 JsonBuilder *js = jb_new_object();
658 jb_open_array(js,
"flowbits");
659 for (uint32_t x = 0; x < elements; x++) {
667 jb_set_string(js,
"name", varname);
668 jb_set_uint(js,
"internal_id", x);
677 jb_open_array(js,
"sets");
680 jb_append_uint(js, s->
id);
686 jb_open_array(js,
"isset");
689 jb_append_uint(js, s->
id);
695 jb_open_array(js,
"isnotset");
698 jb_append_uint(js, s->
id);
704 jb_open_array(js,
"unset");
707 jb_append_uint(js, s->
id);
713 jb_open_array(js,
"toggle");
716 jb_append_uint(js, s->
id);
726 const char *filename =
"flowbits.json";
728 char log_path[PATH_MAX] =
"";
729 snprintf(log_path,
sizeof(log_path),
"%s/%s", log_dir, filename);
732 FILE *fp = fopen(log_path,
"w");
734 fwrite(jb_ptr(js), jb_len(js), 1, fp);
745 static int FlowBitsTestParse01(
void)
747 char command[16] =
"", name[16] =
"";
750 FAIL_IF(!DetectFlowbitParse(
"noalert", command,
sizeof(command), name,
752 FAIL_IF(strcmp(command,
"noalert") != 0);
755 FAIL_IF(!DetectFlowbitParse(
"set,flowbit", command,
sizeof(command), name,
757 FAIL_IF(strcmp(command,
"set") != 0);
758 FAIL_IF(strcmp(name,
"flowbit") != 0);
761 FAIL_IF(!DetectFlowbitParse(
"set, flowbit", command,
sizeof(command), name,
763 FAIL_IF(strcmp(command,
"set") != 0);
764 FAIL_IF(strcmp(name,
"flowbit") != 0);
767 FAIL_IF(!DetectFlowbitParse(
"set,flowbit ", command,
sizeof(command), name,
769 FAIL_IF(strcmp(command,
"set") != 0);
770 FAIL_IF(strcmp(name,
"flowbit") != 0);
773 FAIL_IF(!DetectFlowbitParse(
"set, flowbit ", command,
sizeof(command), name,
775 FAIL_IF(strcmp(command,
"set") != 0);
776 FAIL_IF(strcmp(name,
"flowbit") != 0);
779 FAIL_IF(DetectFlowbitParse(
"set,namewith space", command,
sizeof(command),
780 name,
sizeof(name)));
792 static int FlowBitsTestSig01(
void)
802 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"Noalert\"; flowbits:noalert,wrongusage; content:\"GET \"; sid:1;)");
817 static int FlowBitsTestSig02(
void)
823 memset(&th_v, 0,
sizeof(th_v));
830 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"isset rule need an option\"; flowbits:isset; content:\"GET \"; sid:1;)");
833 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"isnotset rule need an option\"; flowbits:isnotset; content:\"GET \"; sid:2;)");
836 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"set rule need an option\"; flowbits:set; content:\"GET \"; sid:3;)");
839 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"unset rule need an option\"; flowbits:unset; content:\"GET \"; sid:4;)");
842 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"toggle rule need an option\"; flowbits:toggle; content:\"GET \"; sid:5;)");
845 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"!set is not an option\"; flowbits:!set,myerr; content:\"GET \"; sid:6;)");
861 static int FlowBitsTestSig03(
void)
871 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"Unknown cmd\"; flowbits:wrongcmd; content:\"GET \"; sid:1;)");
886 static int FlowBitsTestSig04(
void)
896 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"isset option\"; flowbits:isset,fbt; content:\"GET \"; sid:1;)");
914 static int FlowBitsTestSig05(
void)
924 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"Noalert\"; flowbits:noalert; content:\"GET \"; sid:1;)");
940 static int FlowBitsTestSig06(
void)
942 uint8_t *buf = (uint8_t *)
943 "GET /one/ HTTP/1.1\r\n"
944 "Host: one.example.org\r\n"
946 uint16_t buflen = strlen((
char *)buf);
958 memset(&th_v, 0,
sizeof(th_v));
959 memset(&f, 0,
sizeof(
Flow));
970 p->
proto = IPPROTO_TCP;
990 for ( ; gv != NULL; gv = gv->
next) {
1013 static int FlowBitsTestSig07(
void)
1015 uint8_t *buf = (uint8_t *)
1016 "GET /one/ HTTP/1.1\r\n"
1017 "Host: one.example.org\r\n"
1019 uint16_t buflen = strlen((
char *)buf);
1031 memset(&th_v, 0,
sizeof(th_v));
1032 memset(&f, 0,
sizeof(
Flow));
1043 p->
proto = IPPROTO_TCP;
1053 s = s->
next =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"Flowbit unset\"; flowbits:unset,myflow2; sid:11;)");
1065 for ( ; gv != NULL; gv = gv->
next) {
1088 static int FlowBitsTestSig08(
void)
1090 uint8_t *buf = (uint8_t *)
1091 "GET /one/ HTTP/1.1\r\n"
1092 "Host: one.example.org\r\n"
1094 uint16_t buflen = strlen((
char *)buf);
1107 memset(&th_v, 0,
sizeof(th_v));
1108 memset(&f, 0,
sizeof(
Flow));
1119 p->
proto = IPPROTO_TCP;
1129 s = s->
next =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"Flowbit unset\"; flowbits:toggle,myflow2; sid:11;)");
1141 for ( ; gv != NULL; gv = gv->
next) {
uint16_t cnts[DETECT_FLOWBITS_CMD_MAX]
uint32_t isnotset_sids_idx
SCMutex g_flowbits_dump_write_m
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
#define DETECT_FLOWBITS_CMD_MAX
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options)
void(* Free)(DetectEngineCtx *, void *)
void FlowBitsRegisterTests(void)
this function registers unit tests for FlowBits
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
struct HtpBodyChunk_ * next
@ DETECT_SM_LIST_DYNAMIC_START
#define DETECT_FLOWBITS_CMD_ISNOTSET
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
int DetectFlowbitsAnalyze(DetectEngineCtx *de_ctx)
main detection engine ctx
char * VarNameStoreSetupLookup(uint32_t idx, const enum VarTypes type)
@ SC_ERR_INVALID_SIGNATURE
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
#define FLOW_PKT_TOSERVER
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
#define SCMUTEX_INITIALIZER
#define DETECT_FLOWBITS_CMD_TOGGLE
#define DETECT_FLOWBITS_CMD_ISSET
@ SC_ERR_PCRE_GET_SUBSTRING
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
void FlowBitUnset(Flow *f, uint32_t idx)
@ DETECT_SM_LIST_POSTMATCH
#define FLOW_INITIALIZE(f)
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
struct GenericVar_ * next
#define PASS
Pass the test.
#define SCMutexUnlock(mut)
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
void FlowBitSet(Flow *f, uint32_t idx)
Per thread variable structure.
void DetectFlowbitFree(DetectEngineCtx *, void *)
void DetectFlowbitsRegister(void)
SignatureInitData * init_data
Data structures and function prototypes for keeping state for the detection engine.
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
struct SigMatch_ ** smlists
SigMatch * SigMatchAlloc(void)
void FlowBitToggle(Flow *f, uint32_t idx)
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
uint32_t toggle_sids_size
#define SCRealloc(ptr, sz)
#define SIG_FLAG_INIT_STATE_MATCH
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
#define DETECT_FLOWBITS_CMD_NOALERT
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
uint16_t state_cnts[DETECT_FLOWBITS_CMD_MAX]
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
int rule_engine_analysis_set
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
uint32_t VarNameStoreSetupAdd(const char *name, const enum VarTypes type)
add to staging or return existing id if already in there
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
int FlowBitIsset(Flow *f, uint32_t idx)
const char * ConfigGetLogDirectory()
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
#define DETECT_FLOWBITS_CMD_UNSET
a single match condition for a signature
uint32_t isnotset_sids_size
DetectEngineCtx * DetectEngineCtxInit(void)
int DetectFlowbitMatch(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
#define SIGMATCH_IPONLY_COMPAT
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
int FlowBitIsnotset(Flow *f, uint32_t idx)
#define DETECT_FLOWBITS_CMD_SET
void(* RegisterTests)(void)
uint32_t smlists_array_size