#include "suricata-common.h"
#include "decode.h"
#include "detect.h"
#include "threads.h"
#include "flow.h"
#include "flow-var.h"
#include "detect-flowint.h"
#include "util-spm.h"
#include "util-var-name.h"
#include "util-debug.h"
#include "util-unittest.h"
#include "util-unittest-helper.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-mpm.h"
#include "detect-engine-sigorder.h"
#include "detect-engine-build.h"
#include "pkt-var.h"
#include "host.h"
#include "util-profiling.h"
#include "detect-engine-alert.h"

Include dependency graph for detect-flowint.c:

Macros
#define	PARSE_REGEX "^\\s([a-zA-Z][\\w\\d_./]+)\\s,\\s([+=-]{1}\|==\|!=\|<\|<=\|>\|>=\|isset\|notset)\\s,?\\s([a-zA-Z][\\w\\d]+\|[\\d]{1,10})?\\s$"

Functions
int	DetectFlowintMatch (DetectEngineThreadCtx det_ctx, Packet p, const Signature s, const SigMatchCtx ctx)
	This function is used to create a flowint, add/substract values, compare it with other flowints, etc. More...

void	DetectFlowintFree (DetectEngineCtx de_ctx, void tmp)
	This function is used to free the data of DetectFlowintData. More...

void	DetectFlowintRegister (void)

Detailed Description

Author: Pablo Rincon pablo.nosp@m..rin.nosp@m.con.c.nosp@m.resp.nosp@m.o@gma.nosp@m.il.c.nosp@m.om

Flowvar management for integer types, part of the detection engine Keyword: flowint

Definition in file detect-flowint.c.

Macro Definition Documentation

◆ PARSE_REGEX

#define PARSE_REGEX "^\\s*([a-zA-Z][\\w\\d_./]+)\\s*,\\s*([+=-]{1}|==|!=|<|<=|>|>=|isset|notset)\\s*,?\\s*([a-zA-Z][\\w\\d]+|[\\d]{1,10})?\\s*$"

Definition at line 52 of file detect-flowint.c.

Function Documentation

◆ DetectFlowintFree()

void DetectFlowintFree	(	DetectEngineCtx *	de_ctx,
		void *	tmp
	)

This function is used to free the data of DetectFlowintData.

Definition at line 418 of file detect-flowint.c.

References FLOWINT_TARGET_VAR, DetectFlowintData_::idx, TargetVar_::name, DetectFlowintData_::name, SCFree, DetectFlowintData_::target, DetectFlowintData_::targettype, DetectFlowintData_::tvar, VAR_TYPE_FLOW_INT, and VarNameStoreUnregister().

Here is the call graph for this function:

◆ DetectFlowintMatch()

int DetectFlowintMatch	(	DetectEngineThreadCtx *	det_ctx,
		Packet *	p,
		const Signature *	s,
		const SigMatchCtx *	ctx
	)

This function is used to create a flowint, add/substract values, compare it with other flowints, etc.

Parameters

t	pointer to thread vars
det_ctx	pointer to the pattern matcher thread
p	pointer to the current packet
s	pointer to the current Signature
m	pointer to the sigmatch that we will cast into DetectFlowintData

Return values

0	no match, when a var doesn't exist
1	match, when a var is initialized well, add/subtracted, or a true condition

ATM If we are going to compare the current var with another that doesn't exist, the default value will be zero; if you don't want this behaviour, you can use the keyword "isset" to make it match or not before using the default value of zero; But it is mandatory that the current var exist, otherwise, it will return zero(not match).

Definition at line 92 of file detect-flowint.c.

References BUG_ON, ctx, FlowVar_::data, FlowVar_::datatype, Packet_::flow, FLOWINT_MODIFIER_ADD, FLOWINT_MODIFIER_EQ, FLOWINT_MODIFIER_GE, FLOWINT_MODIFIER_GT, FLOWINT_MODIFIER_ISSET, FLOWINT_MODIFIER_LE, FLOWINT_MODIFIER_LT, FLOWINT_MODIFIER_NE, FLOWINT_MODIFIER_NOTSET, FLOWINT_MODIFIER_SET, FLOWINT_MODIFIER_SUB, FLOWINT_TARGET_VAR, FLOWVAR_TYPE_INT, FlowVarAddIntNoLock(), FlowVarGet(), FlowVar_::fv_int, DetectFlowintData_::idx, DetectFlowintData_::modifier, TargetVar_::name, DetectFlowintData_::name, SCLogDebug, DetectFlowintData_::target, DetectFlowintData_::targettype, DetectFlowintData_::tvar, FlowVarTypeInt_::value, DetectFlowintData_::value, VAR_TYPE_FLOW_INT, and VarNameStoreLookupByName().