/*
 * Grammar of a flowint option value: "<name>,<op>[,<target>]".
 *   group 1: variable name  - must start with a letter, then [\w\d_./]
 *   group 2: operator       - one of = + - == != < <= > >= isset notset
 *   group 3: optional target - either an identifier (another flowint
 *            variable, starts with a letter) or 1..10 decimal digits.
 * The 10-digit cap on numeric targets bounds the value that is later
 * handed to atoll(), and the parser additionally rejects anything above
 * UINT32_MAX, so a signature cannot smuggle an out-of-range counter.
 * Note that the regex itself does not check the relation between operator
 * and target (e.g. "isset" with a trailing value); that is left to the
 * parser.
 */
#define PARSE_REGEX "^\\s*([a-zA-Z][\\w\\d_./]+)\\s*,\\s*([+=-]{1}|==|!=|<|<=|>|>=|isset|notset)\\s*,?\\s*([a-zA-Z][\\w\\d]+|[\\d]{1,10})?\\s*$"
/* Forward declaration of the unit-test registration hook; the definition
 * appears at the end of this file (gutter line 1310 in this listing). In
 * this excerpt the definition is shown without `static` -- verify both
 * declarations agree on linkage. */
static void DetectFlowintRegisterTests(void);
229 char *varname = NULL;
232 int ret = 0,
res = 0;
235 unsigned long long value_long = 0;
239 if (ret < 3 || ret > 4) {
245 res = pcre2_substring_get_bynumber(parse_regex.
match, 1, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
246 if (
res < 0 || str_ptr == NULL) {
250 varname = (
char *)str_ptr;
252 res = pcre2_substring_get_bynumber(parse_regex.
match, 2, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
253 if (
res < 0 || str_ptr == NULL) {
257 modstr = (
char *)str_ptr;
260 if (strcmp(
"=", modstr) == 0)
262 if (strcmp(
"+", modstr) == 0)
264 if (strcmp(
"-", modstr) == 0)
267 if (strcmp(
"<", modstr) == 0)
269 if (strcmp(
"<=", modstr) == 0)
271 if (strcmp(
"!=", modstr) == 0)
273 if (strcmp(
"==", modstr) == 0)
275 if (strcmp(
">=", modstr) == 0)
277 if (strcmp(
">", modstr) == 0)
279 if (strcmp(
"isset", modstr) == 0)
281 if (strcmp(
"notset", modstr) == 0)
298 res = pcre2_substring_get_bynumber(
299 parse_regex.
match, 3, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
300 varval = (
char *)str_ptr;
301 if (
res < 0 || varval == NULL || strcmp(varval,
"") == 0) {
306 if (varval[0] >=
'0' && varval[0] <=
'9') {
308 value_long = atoll(varval);
309 if (value_long > UINT32_MAX) {
310 SCLogDebug(
"DetectFlowintParse: Cannot load this value."
311 " Values should be between 0 and %"PRIu32, UINT32_MAX);
337 pcre2_substring_free((PCRE2_UCHAR *)varname);
338 pcre2_substring_free((PCRE2_UCHAR *)modstr);
340 pcre2_substring_free((PCRE2_UCHAR *)varval);
344 pcre2_substring_free((PCRE2_UCHAR *)varname);
346 pcre2_substring_free((PCRE2_UCHAR *)varval);
348 pcre2_substring_free((PCRE2_UCHAR *)modstr);
369 sfd = DetectFlowintParse(
de_ctx, rawstr);
420 if (sfd->
name != NULL)
436 SCLogDebug(
"DetectFlowintPrintData: Error, DetectFlowintData == NULL!");
440 SCLogDebug(
"Varname: %s, modifier: %"PRIu8
", idx: %"PRIu32
" Target: ",
451 SCLogDebug(
"DetectFlowintPrintData: Error, Targettype not known!");
459 static int DetectFlowintTestParseVal01(
void)
469 sfd = DetectFlowintParse(
de_ctx,
"myvar,=,35");
470 DetectFlowintPrintData(sfd);
471 if (sfd != NULL && sfd->
target.
value == 35 && !strcmp(sfd->
name,
"myvar")
486 static int DetectFlowintTestParseVar01(
void)
496 sfd = DetectFlowintParse(
de_ctx,
"myvar,=,targetvar");
497 DetectFlowintPrintData(sfd);
498 if (sfd != NULL && !strcmp(sfd->
name,
"myvar")
516 static int DetectFlowintTestParseVal02(
void)
526 sfd = DetectFlowintParse(
de_ctx,
"myvar,+,35");
527 DetectFlowintPrintData(sfd);
528 if (sfd != NULL && sfd->
target.
value == 35 && !strcmp(sfd->
name,
"myvar")
543 static int DetectFlowintTestParseVar02(
void)
553 sfd = DetectFlowintParse(
de_ctx,
"myvar,+,targetvar");
554 DetectFlowintPrintData(sfd);
555 if (sfd != NULL && !strcmp(sfd->
name,
"myvar")
573 static int DetectFlowintTestParseVal03(
void)
583 sfd = DetectFlowintParse(
de_ctx,
"myvar,-,35");
584 DetectFlowintPrintData(sfd);
585 if (sfd != NULL && sfd->
target.
value == 35 && !strcmp(sfd->
name,
"myvar")
600 static int DetectFlowintTestParseVar03(
void)
610 sfd = DetectFlowintParse(
de_ctx,
"myvar,-,targetvar");
611 DetectFlowintPrintData(sfd);
612 if (sfd != NULL && !strcmp(sfd->
name,
"myvar")
631 static int DetectFlowintTestParseVal04(
void)
641 sfd = DetectFlowintParse(
de_ctx,
"myvar,==,35");
642 DetectFlowintPrintData(sfd);
643 if (sfd != NULL && sfd->
target.
value == 35 && !strcmp(sfd->
name,
"myvar")
658 static int DetectFlowintTestParseVar04(
void)
668 sfd = DetectFlowintParse(
de_ctx,
"myvar,==,targetvar");
669 DetectFlowintPrintData(sfd);
670 if (sfd != NULL && !strcmp(sfd->
name,
"myvar")
688 static int DetectFlowintTestParseVal05(
void)
698 sfd = DetectFlowintParse(
de_ctx,
"myvar,!=,35");
699 DetectFlowintPrintData(sfd);
700 if (sfd != NULL && sfd->
target.
value == 35 && !strcmp(sfd->
name,
"myvar")
715 static int DetectFlowintTestParseVar05(
void)
725 sfd = DetectFlowintParse(
de_ctx,
"myvar,!=,targetvar");
726 DetectFlowintPrintData(sfd);
727 if (sfd != NULL && !strcmp(sfd->
name,
"myvar")
745 static int DetectFlowintTestParseVal06(
void)
755 sfd = DetectFlowintParse(
de_ctx,
"myvar, >,35");
756 DetectFlowintPrintData(sfd);
757 if (sfd != NULL && sfd->
target.
value == 35 && !strcmp(sfd->
name,
"myvar")
772 static int DetectFlowintTestParseVar06(
void)
782 sfd = DetectFlowintParse(
de_ctx,
"myvar, >,targetvar");
783 DetectFlowintPrintData(sfd);
784 if (sfd != NULL && !strcmp(sfd->
name,
"myvar")
802 static int DetectFlowintTestParseVal07(
void)
812 sfd = DetectFlowintParse(
de_ctx,
"myvar, >= ,35");
813 DetectFlowintPrintData(sfd);
814 if (sfd != NULL && sfd->
target.
value == 35 && !strcmp(sfd->
name,
"myvar")
829 static int DetectFlowintTestParseVar07(
void)
839 sfd = DetectFlowintParse(
de_ctx,
"myvar, >= ,targetvar");
840 DetectFlowintPrintData(sfd);
841 if (sfd != NULL && !strcmp(sfd->
name,
"myvar")
859 static int DetectFlowintTestParseVal08(
void)
869 sfd = DetectFlowintParse(
de_ctx,
"myvar, <= ,35");
870 DetectFlowintPrintData(sfd);
871 if (sfd != NULL && sfd->
target.
value == 35 && !strcmp(sfd->
name,
"myvar")
886 static int DetectFlowintTestParseVar08(
void)
896 sfd = DetectFlowintParse(
de_ctx,
"myvar, <= ,targetvar");
897 DetectFlowintPrintData(sfd);
898 if (sfd != NULL && !strcmp(sfd->
name,
"myvar")
916 static int DetectFlowintTestParseVal09(
void)
926 sfd = DetectFlowintParse(
de_ctx,
"myvar, < ,35");
927 DetectFlowintPrintData(sfd);
928 if (sfd != NULL && sfd->
target.
value == 35 && !strcmp(sfd->
name,
"myvar")
943 static int DetectFlowintTestParseVar09(
void)
953 sfd = DetectFlowintParse(
de_ctx,
"myvar, < ,targetvar");
954 DetectFlowintPrintData(sfd);
955 if (sfd != NULL && !strcmp(sfd->
name,
"myvar")
973 static int DetectFlowintTestParseIsset10(
void)
983 sfd = DetectFlowintParse(
de_ctx,
"myvar, isset");
984 DetectFlowintPrintData(sfd);
985 if (sfd != NULL && !strcmp(sfd->
name,
"myvar")
995 sfd = DetectFlowintParse(
de_ctx,
"myvar, notset");
996 DetectFlowintPrintData(sfd);
997 if (sfd != NULL && !strcmp(sfd->
name,
"myvar")
1016 static int DetectFlowintTestParseInvalidSyntaxis01(
void)
1026 sfd = DetectFlowintParse(
de_ctx,
"myvar,=,9999999999");
1028 SCLogDebug(
"DetectFlowintTestParseInvalidSyntaxis01: ERROR: invalid option at myvar,=,9532458716234857");
1033 sfd = DetectFlowintParse(
de_ctx,
"myvar,=,45targetvar");
1035 SCLogDebug(
"DetectFlowintTestParseInvalidSyntaxis01: ERROR: invalid option at myvar,=,45targetvar ");
1040 sfd = DetectFlowintParse(
de_ctx,
"657myvar,=,targetvar");
1042 SCLogDebug(
"DetectFlowintTestParseInvalidSyntaxis01: ERROR: invalid option at 657myvar,=,targetvar ");
1047 sfd = DetectFlowintParse(
de_ctx,
"myvar,=<,targetvar");
1049 SCLogDebug(
"DetectFlowintTestParseInvalidSyntaxis01: ERROR: invalid option at myvar,=<,targetvar ");
1054 sfd = DetectFlowintParse(
de_ctx,
"myvar,===,targetvar");
1056 SCLogDebug(
"DetectFlowintTestParseInvalidSyntaxis01: ERROR: invalid option at myvar,===,targetvar ");
1061 sfd = DetectFlowintParse(
de_ctx,
"myvar,==");
1063 SCLogDebug(
"DetectFlowintTestParseInvalidSyntaxis01: ERROR: invalid option at myvar,==");
1068 sfd = DetectFlowintParse(
de_ctx,
"myvar,");
1070 SCLogDebug(
"DetectFlowintTestParseInvalidSyntaxis01: ERROR: invalid option at myvar,");
1075 sfd = DetectFlowintParse(
de_ctx,
"myvar");
1077 SCLogDebug(
"DetectFlowintTestParseInvalidSyntaxis01: ERROR: invalid option at myvar");
1102 static int DetectFlowintTestPacket01Real(
void)
1107 memset(&th_v, 0,
sizeof(th_v));
1114 const char *sigs[5];
1115 sigs[0] =
"alert tcp any any -> any any (msg:\"Setting a flowint counter\"; content:\"GET\"; flowint:myvar,=,1; flowint:maxvar,=,6; sid:101;)";
1116 sigs[1] =
"alert tcp any any -> any any (msg:\"Adding to flowint counter\"; content:\"Unauthorized\"; flowint: myvar,+,2; sid:102;)";
1117 sigs[2] =
"alert tcp any any -> any any (msg:\"if the flowint counter is 3 create a new counter\"; content:\"Unauthorized\"; flowint: myvar,==,3; flowint: cntpackets, =, 0; sid:103;)";
1118 sigs[3] =
"alert tcp any any -> any any (msg:\"and count the rest of the packets received without generating alerts!!!\"; flowint: myvar,==,3; flowint: cntpackets, +, 1; noalert;sid:104;)";
1119 sigs[4] =
"alert tcp any any -> any any (msg:\" and fire this when it reach 6\"; flowint: cntpackets, ==, maxvar; sid:105;)";
1131 f->
proto = IPPROTO_TCP;
1175 static int DetectFlowintTestPacket02Real(
void)
1180 memset(&th_v, 0,
sizeof(th_v));
1187 const char *sigs[5];
1188 sigs[0] =
"alert tcp any any -> any any (msg:\"Setting a flowint counter\"; content:\"GET\"; flowint: myvar, notset; flowint:maxvar,notset; flowint: myvar,=,1; flowint: maxvar,=,6; sid:101;)";
1189 sigs[1] =
"alert tcp any any -> any any (msg:\"Adding to flowint counter\"; content:\"Unauthorized\"; flowint:myvar,isset; flowint: myvar,+,2; sid:102;)";
1190 sigs[2] =
"alert tcp any any -> any any (msg:\"if the flowint counter is 3 create a new counter\"; content:\"Unauthorized\"; flowint: myvar, isset; flowint: myvar,==,3; flowint:cntpackets,notset; flowint: cntpackets, =, 0; sid:103;)";
1191 sigs[3] =
"alert tcp any any -> any any (msg:\"and count the rest of the packets received without generating alerts!!!\"; flowint: cntpackets,isset; flowint: cntpackets, +, 1; noalert;sid:104;)";
1192 sigs[4] =
"alert tcp any any -> any any (msg:\" and fire this when it reach 6\"; flowint: cntpackets, isset; flowint: maxvar,isset; flowint: cntpackets, ==, maxvar; sid:105;)";
1204 f->
proto = IPPROTO_TCP;
1248 static int DetectFlowintTestPacket03Real(
void)
1253 memset(&th_v, 0,
sizeof(th_v));
1260 const char *sigs[3];
1261 sigs[0] =
"alert tcp any any -> any any (msg:\"check notset\"; content:\"GET\"; flowint: myvar, notset; flowint: myvar,=,0; flowint: other,=,10; sid:101;)";
1262 sigs[1] =
"alert tcp any any -> any any (msg:\"check isset\"; content:\"Unauthorized\"; flowint:myvar,isset; flowint: other,isset; sid:102;)";
1263 sigs[2] =
"alert tcp any any -> any any (msg:\"check notset\"; content:\"Unauthorized\"; flowint:lala,isset; sid:103;)";
1275 f->
proto = IPPROTO_TCP;
1310 void DetectFlowintRegisterTests(
void)
1312 UtRegisterTest(
"DetectFlowintTestParseVal01", DetectFlowintTestParseVal01);
1313 UtRegisterTest(
"DetectFlowintTestParseVar01", DetectFlowintTestParseVar01);
1314 UtRegisterTest(
"DetectFlowintTestParseVal02", DetectFlowintTestParseVal02);
1315 UtRegisterTest(
"DetectFlowintTestParseVar02", DetectFlowintTestParseVar02);
1316 UtRegisterTest(
"DetectFlowintTestParseVal03", DetectFlowintTestParseVal03);
1317 UtRegisterTest(
"DetectFlowintTestParseVar03", DetectFlowintTestParseVar03);
1318 UtRegisterTest(
"DetectFlowintTestParseVal04", DetectFlowintTestParseVal04);
1319 UtRegisterTest(
"DetectFlowintTestParseVar04", DetectFlowintTestParseVar04);
1320 UtRegisterTest(
"DetectFlowintTestParseVal05", DetectFlowintTestParseVal05);
1321 UtRegisterTest(
"DetectFlowintTestParseVar05", DetectFlowintTestParseVar05);
1322 UtRegisterTest(
"DetectFlowintTestParseVal06", DetectFlowintTestParseVal06);
1323 UtRegisterTest(
"DetectFlowintTestParseVar06", DetectFlowintTestParseVar06);
1324 UtRegisterTest(
"DetectFlowintTestParseVal07", DetectFlowintTestParseVal07);
1325 UtRegisterTest(
"DetectFlowintTestParseVar07", DetectFlowintTestParseVar07);
1326 UtRegisterTest(
"DetectFlowintTestParseVal08", DetectFlowintTestParseVal08);
1327 UtRegisterTest(
"DetectFlowintTestParseVar08", DetectFlowintTestParseVar08);
1328 UtRegisterTest(
"DetectFlowintTestParseVal09", DetectFlowintTestParseVal09);
1329 UtRegisterTest(
"DetectFlowintTestParseVar09", DetectFlowintTestParseVar09);
1331 DetectFlowintTestParseIsset10);
1333 DetectFlowintTestParseInvalidSyntaxis01);
1335 DetectFlowintTestPacket01Real);
1337 DetectFlowintTestPacket02Real);
1339 DetectFlowintTestPacket03Real);