suricata
detect-fragbits.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Breno Silva <breno.silva@gmail.com>
22  * \author Victor Julien <victor@inliniac.net>
23  *
24  * Implements fragbits keyword
25  */
26 
27 #include "suricata-common.h"
28 #include "suricata.h"
29 #include "decode.h"
30 #include "rust.h"
31 
32 #include "detect.h"
33 #include "detect-parse.h"
34 #include "detect-engine-prefilter.h"
35 #include "detect-engine-prefilter-common.h"
36 #include "detect-engine-uint.h"
37 
38 #include "flow-var.h"
39 #include "decode-events.h"
40 #include "app-layer.h"
41 #include "app-layer-detect-proto.h"
42 
43 #include "detect-fragbits.h"
44 #include "util-unittest.h"
45 #include "util-debug.h"
46 
47 #include "pkt-var.h"
48 #include "host.h"
49 #include "util-profiling.h"
50 
51 static int DetectFragBitsMatch (DetectEngineThreadCtx *, Packet *,
52  const Signature *, const SigMatchCtx *);
53 static int DetectFragBitsSetup (DetectEngineCtx *, Signature *, const char *);
54 static void DetectFragBitsFree(DetectEngineCtx *, void *);
55 
56 static int PrefilterSetupFragBits(DetectEngineCtx *de_ctx, SigGroupHead *sgh);
57 static bool PrefilterFragBitsIsPrefilterable(const Signature *s);
58 #ifdef UNITTESTS
59 static void FragBitsRegisterTests(void);
60 #endif
61 
62 /**
63  * \brief Registration function for fragbits: keyword
64  */
65 
66 void DetectFragBitsRegister (void)
67 {
68  sigmatch_table[DETECT_FRAGBITS].name = "fragbits";
69  sigmatch_table[DETECT_FRAGBITS].desc = "check if the fragmentation and reserved bits are set in the IP header";
70  sigmatch_table[DETECT_FRAGBITS].url = "/rules/header-keywords.html#fragbits-ip-fragmentation";
71  sigmatch_table[DETECT_FRAGBITS].Match = DetectFragBitsMatch;
72  sigmatch_table[DETECT_FRAGBITS].Setup = DetectFragBitsSetup;
73  sigmatch_table[DETECT_FRAGBITS].Free = DetectFragBitsFree;
74 #ifdef UNITTESTS
75  sigmatch_table[DETECT_FRAGBITS].RegisterTests = FragBitsRegisterTests;
76 #endif
77  sigmatch_table[DETECT_FRAGBITS].SetupPrefilter = PrefilterSetupFragBits;
78  sigmatch_table[DETECT_FRAGBITS].SupportsPrefilter = PrefilterFragBitsIsPrefilterable;
79  sigmatch_table[DETECT_FRAGBITS].flags = SIGMATCH_INFO_UINT16 | SIGMATCH_INFO_BITFLAGS_UINT;
80 }
81 
82 /**
83  * \internal
84  * \brief This function is used to match fragbits on a packet with those passed via fragbits:
85  *
86  * \param t pointer to thread vars
87  * \param det_ctx pointer to the pattern matcher thread
88  * \param p pointer to the current packet
89  * \param s pointer to the Signature
90  * \param m pointer to the sigmatch
91  *
92  * \retval 0 no match
93  * \retval 1 match
94  */
95 static int DetectFragBitsMatch (DetectEngineThreadCtx *det_ctx,
96  Packet *p, const Signature *s, const SigMatchCtx *ctx)
97 {
98  DEBUG_VALIDATE_BUG_ON(PKT_IS_PSEUDOPKT(p));
99  if (!ctx || !PacketIsIPv4(p))
100  return 0;
101 
102  const IPV4Hdr *ip4h = PacketGetIPv4(p);
103  DetectU16Data *du16 = (DetectU16Data *)ctx;
104  return DetectU16Match(IPV4_GET_RAW_IPOFFSET(ip4h), du16);
105 }
106 
107 /**
108  * \internal
109  * \brief this function is used to add the parsed fragbits into the current signature
110  *
111  * \param de_ctx pointer to the Detection Engine Context
112  * \param s pointer to the Current Signature
113  * \param m pointer to the Current SigMatch
114  * \param rawstr pointer to the user provided fragbits options
115  *
116  * \retval 0 on Success
117  * \retval -1 on Failure
118  */
119 static int DetectFragBitsSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
120 {
121  DetectU16Data *du16 = SCDetectIpv4FragbitsParse(rawstr);
122  if (du16 == NULL)
123  return -1;
124 
125  if (SCSigMatchAppendSMToList(
126  de_ctx, s, DETECT_FRAGBITS, (SigMatchCtx *)du16, DETECT_SM_LIST_MATCH) == NULL) {
127  goto error;
128  }
129  s->flags |= SIG_FLAG_REQUIRE_PACKET;
130 
131  return 0;
132 
133 error:
134  if (du16)
135  DetectFragBitsFree(NULL, du16);
136  return -1;
137 }
138 
139 /**
140  * \internal
141  * \brief this function will free memory associated with DetectU16Data
142  *
143  * \param de pointer to DetectU16Data
144  */
145 static void DetectFragBitsFree(DetectEngineCtx *de_ctx, void *de_ptr)
146 {
147  SCDetectU16Free(de_ptr);
148 }
149 
150 static void
151 PrefilterPacketFragBitsMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)
152 {
153  DEBUG_VALIDATE_BUG_ON(PKT_IS_PSEUDOPKT(p));
154  const PrefilterPacketHeaderCtx *ctx = pectx;
155 
156  if (!PacketIsIPv4(p))
157  return;
158 
159  const IPV4Hdr *ip4h = PacketGetIPv4(p);
160  DetectU16Data du16;
161  du16.mode = ctx->v1.u8[0];
162  du16.arg1 = ctx->v1.u16[1];
163  du16.arg2 = ctx->v1.u16[2];
164 
165  if (DetectU16Match(IPV4_GET_RAW_IPOFFSET(ip4h), &du16)) {
166  PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);
167  }
168 }
169 
170 static int PrefilterSetupFragBits(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
171 {
172  return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_FRAGBITS, SIG_MASK_REQUIRE_REAL_PKT,
173  PrefilterPacketU16Set, PrefilterPacketU16Compare, PrefilterPacketFragBitsMatch);
174 }
175 
176 static bool PrefilterFragBitsIsPrefilterable(const Signature *s)
177 {
178  const SigMatch *sm;
179  for (sm = s->init_data->smlists[DETECT_SM_LIST_MATCH] ; sm != NULL; sm = sm->next) {
180  switch (sm->type) {
181  case DETECT_FRAGBITS:
182  return true;
183  }
184  }
185  return false;
186 }
187 
188 /*
189  * ONLY TESTS BELOW THIS COMMENT
190  */
191 
192 #ifdef UNITTESTS
193 #include "util-unittest-helper.h"
194 #include "packet.h"
195 
196 /**
197  * \test FragBitsTestParse03 test if DONT FRAG is set. Must return success
198  *
199  * \retval 1 on success
200  * \retval 0 on failure
201  */
202 static int FragBitsTestParse03 (void)
203 {
204  uint8_t raw_eth[] = {
205  0x00 ,0x40 ,0x33 ,0xd9 ,0x7c ,0xfd ,0x00 ,0x00,
206  0x39 ,0xcf ,0xd9 ,0xcd ,0x08 ,0x00 ,0x45 ,0x00,
207  0x01 ,0x13 ,0x9c ,0x5d ,0x40 ,0x00 ,0xf6 ,0x11,
208  0x44 ,0xca ,0x97 ,0xa4 ,0x01 ,0x08 ,0x0a ,0x00,
209  0x00 ,0x06 ,0x00 ,0x35 ,0x04 ,0x0b ,0x00 ,0xff,
210  0x3c ,0x87 ,0x7d ,0x9e ,0x85 ,0x80 ,0x00 ,0x01,
211  0x00 ,0x01 ,0x00 ,0x05 ,0x00 ,0x05 ,0x06 ,0x70,
212  0x69 ,0x63 ,0x61 ,0x72 ,0x64 ,0x07 ,0x75 ,0x74,
213  0x68 ,0x73 ,0x63 ,0x73 ,0x61 ,0x03 ,0x65 ,0x64,
214  0x75 ,0x00 ,0x00 ,0x01 ,0x00 ,0x01 ,0xc0 ,0x0c,
215  0x00 ,0x01 ,0x00 ,0x01 ,0x00 ,0x00 ,0x0e ,0x10,
216  0x00 ,0x04 ,0x81 ,0x6f ,0x1e ,0x1b ,0x07 ,0x75,
217  0x74 ,0x68 ,0x73 ,0x63 ,0x73 ,0x61 ,0x03 ,0x65,
218  0x64 ,0x75 ,0x00 ,0x00 ,0x02 ,0x00 ,0x01 ,0x00,
219  0x00 ,0x0e ,0x10 ,0x00 ,0x09 ,0x06 ,0x6b ,0x65,
220  0x6e ,0x6f ,0x62 ,0x69 ,0xc0 ,0x34 ,0xc0 ,0x34,
221  0x00 ,0x02 ,0x00 ,0x01 ,0x00 ,0x00 ,0x0e ,0x10,
222  0x00 ,0x07 ,0x04 ,0x6a ,0x69 ,0x6e ,0x6e ,0xc0,
223  0x34 ,0xc0 ,0x34 ,0x00 ,0x02 ,0x00 ,0x01 ,0x00,
224  0x00 ,0x0e ,0x10 ,0x00 ,0x0c ,0x04 ,0x64 ,0x6e,
225  0x73 ,0x31 ,0x04 ,0x6e ,0x6a ,0x69 ,0x74 ,0xc0,
226  0x3c ,0xc0 ,0x34 ,0x00 ,0x02 ,0x00 ,0x01 ,0x00,
227  0x00 ,0x0e ,0x10 ,0x00 ,0x08 ,0x05 ,0x65 ,0x6c,
228  0x7a ,0x69 ,0x70 ,0xc0 ,0x34 ,0xc0 ,0x34 ,0x00,
229  0x02 ,0x00 ,0x01 ,0x00 ,0x00 ,0x0e ,0x10 ,0x00,
230  0x08 ,0x05 ,0x61 ,0x72 ,0x77 ,0x65 ,0x6e ,0xc0,
231  0x34 ,0xc0 ,0x4b ,0x00 ,0x01 ,0x00 ,0x01 ,0x00,
232  0x00 ,0x0e ,0x10 ,0x00 ,0x04 ,0x81 ,0x6f ,0x1a,
233  0x06 ,0xc0 ,0x60 ,0x00 ,0x01 ,0x00 ,0x01 ,0x00,
234  0x00 ,0x0e ,0x10 ,0x00 ,0x04 ,0x81 ,0x6f ,0x1a,
235  0x07 ,0xc0 ,0x73 ,0x00 ,0x01 ,0x00 ,0x01 ,0x00,
236  0x01 ,0x03 ,0x82 ,0x00 ,0x04 ,0x80 ,0xeb ,0xfb,
237  0x0a ,0xc0 ,0x8b ,0x00 ,0x01 ,0x00 ,0x01 ,0x00,
238  0x00 ,0x0e ,0x10 ,0x00 ,0x04 ,0x81 ,0x6f ,0x01,
239  0x0b ,0xc0 ,0x9f ,0x00 ,0x01 ,0x00 ,0x01 ,0x00,
240  0x00 ,0x0e ,0x10 ,0x00 ,0x04 ,0x81 ,0x6f ,0x0b,
241  0x51};
242  Packet *p = PacketGetFromAlloc();
243  FAIL_IF(unlikely(p == NULL));
244  ThreadVars tv;
245  DecodeThreadVars dtv;
246 
247  memset(&tv, 0, sizeof(ThreadVars));
248  memset(&dtv, 0, sizeof(DecodeThreadVars));
249  dtv.app_tctx = AppLayerGetCtxThread();
250 
251  FlowInitConfig(FLOW_QUIET);
252 
253  DecodeEthernet(&tv, &dtv, p, raw_eth, sizeof(raw_eth));
254 
255  DetectU16Data *de = SCDetectIpv4FragbitsParse("D");
256  FAIL_IF(de == NULL);
257  FAIL_IF(de->arg1 != 0x4000);
258  FAIL_IF(de->mode != DetectUintModeEqual);
259 
260  SigMatch *sm = SigMatchAlloc();
261  FAIL_IF(sm == NULL);
262  sm->type = DETECT_FRAGBITS;
263  sm->ctx = (SigMatchCtx *)de;
264 
265  int ret = DetectFragBitsMatch(NULL, p, NULL, sm->ctx);
266  FAIL_IF(ret == 0);
267 
268  DetectFragBitsFree(NULL, de);
269  SCFree(sm);
270  PacketFree(p);
271 
272  AppLayerDestroyCtxThread(dtv.app_tctx);
273  FlowShutdown();
274  PASS;
275 }
276 
277 /**
278  * \test FragBitsTestParse04 test if DONT FRAG is not set. Must fails.
279  *
280  * \retval 1 on success
281  * \retval 0 on failure
282  */
283 static int FragBitsTestParse04 (void)
284 {
285  uint8_t raw_eth[] = {
286  0x00 ,0x40 ,0x33 ,0xd9 ,0x7c ,0xfd ,0x00 ,0x00,
287  0x39 ,0xcf ,0xd9 ,0xcd ,0x08 ,0x00 ,0x45 ,0x00,
288  0x01 ,0x13 ,0x9c ,0x5d ,0x40 ,0x00 ,0xf6 ,0x11,
289  0x44 ,0xca ,0x97 ,0xa4 ,0x01 ,0x08 ,0x0a ,0x00,
290  0x00 ,0x06 ,0x00 ,0x35 ,0x04 ,0x0b ,0x00 ,0xff,
291  0x3c ,0x87 ,0x7d ,0x9e ,0x85 ,0x80 ,0x00 ,0x01,
292  0x00 ,0x01 ,0x00 ,0x05 ,0x00 ,0x05 ,0x06 ,0x70,
293  0x69 ,0x63 ,0x61 ,0x72 ,0x64 ,0x07 ,0x75 ,0x74,
294  0x68 ,0x73 ,0x63 ,0x73 ,0x61 ,0x03 ,0x65 ,0x64,
295  0x75 ,0x00 ,0x00 ,0x01 ,0x00 ,0x01 ,0xc0 ,0x0c,
296  0x00 ,0x01 ,0x00 ,0x01 ,0x00 ,0x00 ,0x0e ,0x10,
297  0x00 ,0x04 ,0x81 ,0x6f ,0x1e ,0x1b ,0x07 ,0x75,
298  0x74 ,0x68 ,0x73 ,0x63 ,0x73 ,0x61 ,0x03 ,0x65,
299  0x64 ,0x75 ,0x00 ,0x00 ,0x02 ,0x00 ,0x01 ,0x00,
300  0x00 ,0x0e ,0x10 ,0x00 ,0x09 ,0x06 ,0x6b ,0x65,
301  0x6e ,0x6f ,0x62 ,0x69 ,0xc0 ,0x34 ,0xc0 ,0x34,
302  0x00 ,0x02 ,0x00 ,0x01 ,0x00 ,0x00 ,0x0e ,0x10,
303  0x00 ,0x07 ,0x04 ,0x6a ,0x69 ,0x6e ,0x6e ,0xc0,
304  0x34 ,0xc0 ,0x34 ,0x00 ,0x02 ,0x00 ,0x01 ,0x00,
305  0x00 ,0x0e ,0x10 ,0x00 ,0x0c ,0x04 ,0x64 ,0x6e,
306  0x73 ,0x31 ,0x04 ,0x6e ,0x6a ,0x69 ,0x74 ,0xc0,
307  0x3c ,0xc0 ,0x34 ,0x00 ,0x02 ,0x00 ,0x01 ,0x00,
308  0x00 ,0x0e ,0x10 ,0x00 ,0x08 ,0x05 ,0x65 ,0x6c,
309  0x7a ,0x69 ,0x70 ,0xc0 ,0x34 ,0xc0 ,0x34 ,0x00,
310  0x02 ,0x00 ,0x01 ,0x00 ,0x00 ,0x0e ,0x10 ,0x00,
311  0x08 ,0x05 ,0x61 ,0x72 ,0x77 ,0x65 ,0x6e ,0xc0,
312  0x34 ,0xc0 ,0x4b ,0x00 ,0x01 ,0x00 ,0x01 ,0x00,
313  0x00 ,0x0e ,0x10 ,0x00 ,0x04 ,0x81 ,0x6f ,0x1a,
314  0x06 ,0xc0 ,0x60 ,0x00 ,0x01 ,0x00 ,0x01 ,0x00,
315  0x00 ,0x0e ,0x10 ,0x00 ,0x04 ,0x81 ,0x6f ,0x1a,
316  0x07 ,0xc0 ,0x73 ,0x00 ,0x01 ,0x00 ,0x01 ,0x00,
317  0x01 ,0x03 ,0x82 ,0x00 ,0x04 ,0x80 ,0xeb ,0xfb,
318  0x0a ,0xc0 ,0x8b ,0x00 ,0x01 ,0x00 ,0x01 ,0x00,
319  0x00 ,0x0e ,0x10 ,0x00 ,0x04 ,0x81 ,0x6f ,0x01,
320  0x0b ,0xc0 ,0x9f ,0x00 ,0x01 ,0x00 ,0x01 ,0x00,
321  0x00 ,0x0e ,0x10 ,0x00 ,0x04 ,0x81 ,0x6f ,0x0b,
322  0x51};
323  Packet *p = PacketGetFromAlloc();
324  FAIL_IF(unlikely(p == NULL));
325  ThreadVars tv;
326  DecodeThreadVars dtv;
327 
328  memset(&tv, 0, sizeof(ThreadVars));
329  memset(&dtv, 0, sizeof(DecodeThreadVars));
330  dtv.app_tctx = AppLayerGetCtxThread();
331 
332  FlowInitConfig(FLOW_QUIET);
333 
334  DecodeEthernet(&tv, &dtv, p, raw_eth, sizeof(raw_eth));
335 
336  DetectU16Data *de = SCDetectIpv4FragbitsParse("!D");
337  FAIL_IF(de == NULL);
338  FAIL_IF(de->arg1 != 0x4000);
339  FAIL_IF(de->arg2 != 0x4000);
340  FAIL_IF(de->mode != DetectUintModeNegBitmask);
341 
342  SigMatch *sm = SigMatchAlloc();
343  FAIL_IF(sm == NULL);
344  sm->type = DETECT_FRAGBITS;
345  sm->ctx = (SigMatchCtx *)de;
346 
347  int ret = DetectFragBitsMatch(NULL, p, NULL, sm->ctx);
348  FAIL_IF(ret);
349  DetectFragBitsFree(NULL, de);
350  SCFree(sm);
351  PacketFree(p);
352 
353  AppLayerDestroyCtxThread(dtv.app_tctx);
354  FlowShutdown();
355  PASS;
356 }
357 
358 /**
359  * \brief this function registers unit tests for FragBits
360  */
361 static void FragBitsRegisterTests(void)
362 {
363  UtRegisterTest("FragBitsTestParse03", FragBitsTestParse03);
364  UtRegisterTest("FragBitsTestParse04", FragBitsTestParse04);
365 }
366 #endif /* UNITTESTS */
DetectFragBitsRegister
void DetectFragBitsRegister(void)
Registration function for fragbits: keyword.
Definition: detect-fragbits.c:66
SIGMATCH_INFO_UINT16
#define SIGMATCH_INFO_UINT16
Definition: detect.h:1688
detect-engine-uint.h
host.h
SigTableElmt_::url
const char * url
Definition: detect.h:1460
SIG_MASK_REQUIRE_REAL_PKT
#define SIG_MASK_REQUIRE_REAL_PKT
Definition: detect.h:316
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:642
PrefilterPacketU16Set
void PrefilterPacketU16Set(PrefilterPacketHeaderValue *v, void *smctx)
Definition: detect-engine-uint.c:126
SigTableElmt_::desc
const char * desc
Definition: detect.h:1459
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:79
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1444
SigTableElmt_::name
const char * name
Definition: detect.h:1457
PKT_IS_PSEUDOPKT
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1323
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1627
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SigTableElmt_::flags
uint32_t flags
Definition: detect.h:1448
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1347
ctx
struct Thresholds ctx
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:932
IPV4_GET_RAW_IPOFFSET
#define IPV4_GET_RAW_IPOFFSET(ip4h)
Definition: decode-ipv4.h:100
rust.h
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1439
detect-engine-prefilter.h
util-unittest.h
util-unittest-helper.h
SigTableElmt_::SetupPrefilter
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
Definition: detect.h:1442
DETECT_FRAGBITS
@ DETECT_FRAGBITS
Definition: detect-engine-register.h:43
FlowInitConfig
void FlowInitConfig(bool quiet)
initialize the configuration
Definition: flow.c:547
app-layer-detect-proto.h
PrefilterPacketHeaderCtx_
Definition: detect-engine-prefilter-common.h:35
decode.h
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
DetectEngineThreadCtx_
Definition: detect.h:1244
detect-fragbits.h
SCSigMatchAppendSMToList
SigMatch * SCSigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:388
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
pkt-var.h
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:360
PacketFree
void PacketFree(Packet *p)
Return a malloced packet.
Definition: decode.c:219
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:117
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:359
util-profiling.h
Signature_::flags
uint32_t flags
Definition: detect.h:669
Packet_
Definition: decode.h:501
DecodeThreadVars_::app_tctx
AppLayerThreadCtx * app_tctx
Definition: decode.h:965
SIGMATCH_INFO_BITFLAGS_UINT
#define SIGMATCH_INFO_BITFLAGS_UINT
Definition: detect.h:1698
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:747
PrefilterSetupPacketHeader
int PrefilterSetupPacketHeader(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type, SignatureMask mask, void(*Set)(PrefilterPacketHeaderValue *v, void *), bool(*Compare)(PrefilterPacketHeaderValue v, void *), void(*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
Definition: detect-engine-prefilter-common.c:470
AppLayerGetCtxThread
AppLayerThreadCtx * AppLayerGetCtxThread(void)
Creates a new app layer thread context.
Definition: app-layer.c:1102
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1419
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:274
decode-events.h
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:33
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:351
IPV4Hdr_
Definition: decode-ipv4.h:72
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
DetectU16Match
int DetectU16Match(const uint16_t parg, const DetectUintData_u16 *du16)
Definition: detect-engine-uint.c:107
PrefilterPacketU16Compare
bool PrefilterPacketU16Compare(PrefilterPacketHeaderValue v, void *smctx)
Definition: detect-engine-uint.c:134
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:357
FlowShutdown
void FlowShutdown(void)
shutdown the flow engine
Definition: flow.c:691
packet.h
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:258
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:963
SigTableElmt_::SupportsPrefilter
bool(* SupportsPrefilter)(const Signature *s)
Definition: detect.h:1441
AppLayerDestroyCtxThread
void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
Destroys the context created by AppLayerGetCtxThread().
Definition: app-layer.c:1123
detect-parse.h
Signature_
Signature container.
Definition: detect.h:668
SigMatch_
a single match condition for a signature
Definition: detect.h:356
suricata.h
FLOW_QUIET
#define FLOW_QUIET
Definition: flow.h:43
detect-engine-prefilter-common.h
DetectU16Data
DetectUintData_u16 DetectU16Data
Definition: detect-engine-uint.h:42
flow-var.h
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
DecodeEthernet
int DecodeEthernet(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Definition: decode-ethernet.c:42
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1446
app-layer.h
SIG_FLAG_REQUIRE_PACKET
#define SIG_FLAG_REQUIRE_PACKET
Definition: detect.h:254