suricata
detect-geoip.c
Go to the documentation of this file.
1 /* Copyright (C) 2012-2019 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Ignacio Sanchez <sanchezmartin.ji@gmail.com>
22  * \author Bill Meeks <billmeeks8@gmail.com>
23  *
24  * Implements the geoip keyword.
25  * Updated to use MaxMind GeoIP2 database.
26  */
27 
28 #include "suricata-common.h"
29 #include "decode.h"
30 #include "detect.h"
31 
32 #include "detect-parse.h"
33 #include "detect-engine.h"
34 #include "detect-engine-mpm.h"
35 
36 #include "detect-geoip.h"
37 
38 #include "util-mem.h"
39 #include "util-unittest.h"
40 #include "util-unittest-helper.h"
41 
42 #ifndef HAVE_GEOIP
43 
44 static int DetectGeoipSetupNoSupport (DetectEngineCtx *a, Signature *b, const char *c)
45 {
46  SCLogError("no GeoIP support built in, needed for geoip keyword");
47  return -1;
48 }
49 
50 /**
51  * \brief Registration function for geoip keyword (no libgeoip support)
52  * \todo add support for src_only and dst_only
53  */
55 {
56  sigmatch_table[DETECT_GEOIP].name = "geoip";
57  sigmatch_table[DETECT_GEOIP].desc = "match on the source, destination or source and destination IP addresses of network traffic, and to see to which country it belongs";
58  sigmatch_table[DETECT_GEOIP].url = "/rules/header-keywords.html#geoip";
59  sigmatch_table[DETECT_GEOIP].Setup = DetectGeoipSetupNoSupport;
61 }
62 
63 #else /* HAVE_GEOIP */
64 
65 #include <maxminddb.h>
66 
67 static int DetectGeoipMatch(DetectEngineThreadCtx *, Packet *,
68  const Signature *, const SigMatchCtx *);
69 static int DetectGeoipSetup(DetectEngineCtx *, Signature *, const char *);
70 #ifdef UNITTESTS
71 static void DetectGeoipRegisterTests(void);
72 #endif
73 static void DetectGeoipDataFree(DetectEngineCtx *, void *);
74 
75 /**
76  * \brief Registration function for geoip keyword
77  * \todo add support for src_only and dst_only
78  */
79 void DetectGeoipRegister(void)
80 {
81  sigmatch_table[DETECT_GEOIP].name = "geoip";
82  sigmatch_table[DETECT_GEOIP].url = "/rules/header-keywords.html#geoip";
83  sigmatch_table[DETECT_GEOIP].desc = "keyword to match on country of src and or dst IP";
84  sigmatch_table[DETECT_GEOIP].Match = DetectGeoipMatch;
85  sigmatch_table[DETECT_GEOIP].Setup = DetectGeoipSetup;
86  sigmatch_table[DETECT_GEOIP].Free = DetectGeoipDataFree;
87 #ifdef UNITTESTS
88  sigmatch_table[DETECT_GEOIP].RegisterTests = DetectGeoipRegisterTests;
89 #endif
90 }
91 
92 /**
93  * \internal
94  * \brief This function is used to initialize the geolocation MaxMind engine
95  *
96  * \retval false if the engine couldn't be initialized
97  */
98 static bool InitGeolocationEngine(DetectGeoipData *geoipdata)
99 {
100  const char *filename = NULL;
101 
102  /* Get location and name of GeoIP2 database from YAML conf */
103  (void)ConfGet("geoip-database", &filename);
104 
105  if (filename == NULL) {
106  SCLogWarning("Unable to locate a GeoIP2"
107  "database filename in YAML conf. GeoIP rule matching "
108  "is disabled.");
109  geoipdata->mmdb_status = MMDB_FILE_OPEN_ERROR;
110  return false;
111  }
112 
113  /* Attempt to open MaxMind DB and save file handle if successful */
114  int status = MMDB_open(filename, MMDB_MODE_MMAP, &geoipdata->mmdb);
115 
116  if (status == MMDB_SUCCESS) {
117  geoipdata->mmdb_status = status;
118  return true;
119  }
120 
121  SCLogWarning("Failed to open GeoIP2 database: %s. "
122  "Error was: %s. GeoIP rule matching is disabled.",
123  filename, MMDB_strerror(status));
124  geoipdata->mmdb_status = status;
125  return false;
126 }
127 
128 /**
129  * \internal
130  * \brief This function is used to geolocate the IP using the MaxMind libraries
131  *
132  * \param ip IPv4 to geolocate (uint32_t ip)
133  *
134  * \retval NULL if it couldn't be geolocated
135  * \retval ptr (const char *) to the country code string
136  */
137 static const char *GeolocateIPv4(const DetectGeoipData *geoipdata, uint32_t ip)
138 {
139  int mmdb_error;
140  struct sockaddr_in sa;
141  sa.sin_family = AF_INET;
142  sa.sin_port = 0;
143  sa.sin_addr.s_addr = ip;
144  MMDB_lookup_result_s result;
145  MMDB_entry_data_s entry_data;
146 
147  /* Return if no GeoIP database access available */
148  if (geoipdata->mmdb_status != MMDB_SUCCESS)
149  return NULL;
150 
151  /* Attempt to find the IPv4 address in the database */
152  result = MMDB_lookup_sockaddr((MMDB_s *)&geoipdata->mmdb,
153  (struct sockaddr*)&sa, &mmdb_error);
154  if (mmdb_error != MMDB_SUCCESS)
155  return NULL;
156 
157  /* The IPv4 address was found, so grab ISO country code if available */
158  if (result.found_entry) {
159  mmdb_error = MMDB_get_value(&result.entry, &entry_data, "country",
160  "iso_code", NULL);
161  if (mmdb_error != MMDB_SUCCESS)
162  return NULL;
163 
164  /* If ISO country code was found, then return it */
165  if (entry_data.has_data) {
166  if (entry_data.type == MMDB_DATA_TYPE_UTF8_STRING) {
167  char *country_code = SCStrndup((char *)entry_data.utf8_string,
168  entry_data.data_size);
169  return country_code;
170  }
171  }
172  }
173 
174  /* The country code for the IP was not found */
175  return NULL;
176 }
177 
178 /* Match-on conditions supported */
179 #define GEOIP_MATCH_SRC_STR "src"
180 #define GEOIP_MATCH_DST_STR "dst"
181 #define GEOIP_MATCH_BOTH_STR "both"
182 #define GEOIP_MATCH_ANY_STR "any"
183 
184 #define GEOIP_MATCH_NO_FLAG 0
185 #define GEOIP_MATCH_SRC_FLAG 1
186 #define GEOIP_MATCH_DST_FLAG 2
187 #define GEOIP_MATCH_ANY_FLAG 3 /* default src and dst*/
188 #define GEOIP_MATCH_BOTH_FLAG 4
189 #define GEOIP_MATCH_NEGATED 8
190 
191 /**
192  * \internal
193  * \brief This function is used to geolocate the IP using the MaxMind libraries
194  *
195  * \param ip IPv4 to geolocate (uint32_t ip)
196  *
197  * \retval 0 no match
198  * \retval 1 match
199  */
200 static int CheckGeoMatchIPv4(const DetectGeoipData *geoipdata, uint32_t ip)
201 {
202  int i;
203 
204  /* Attempt country code lookup for the IP address */
205  const char *country = GeolocateIPv4(geoipdata, ip);
206 
207  /* Skip further checks if did not find a country code */
208  if (country == NULL)
209  return 0;
210 
211  /* Check if NOT NEGATED match-on condition */
212  if ((geoipdata->flags & GEOIP_MATCH_NEGATED) == 0)
213  {
214  for (i = 0; i < geoipdata->nlocations; i++) {
215  if (strcmp(country, (char *)geoipdata->location[i])==0) {
216  SCFree((void *)country);
217  return 1;
218  }
219  }
220  } else {
221  /* Check if NEGATED match-on condition */
222  for (i = 0; i < geoipdata->nlocations; i++) {
223  if (strcmp(country, (char *)geoipdata->location[i])==0) {
224  SCFree((void *)country);
225  return 0; /* if one matches, rule does NOT match (negated) */
226  }
227  }
228  SCFree((void *)country);
229  return 1; /* returns 1 if no location matches (negated) */
230  }
231  SCFree((void *)country);
232  return 0;
233 }
234 
235 /**
236  * \internal
237  * \brief This function is used to match packets with a IPs in an specified country
238  *
239  * \param t pointer to thread vars
240  * \param det_ctx pointer to the pattern matcher thread
241  * \param p pointer to the current packet
242  * \param m pointer to the sigmatch that we will cast into DetectGeoipData
243  *
244  * \retval 0 no match
245  * \retval 1 match
246  */
247 static int DetectGeoipMatch(DetectEngineThreadCtx *det_ctx,
248  Packet *p, const Signature *s, const SigMatchCtx *ctx)
249 {
250  const DetectGeoipData *geoipdata = (const DetectGeoipData *)ctx;
251  int matches = 0;
252 
253  if (PKT_IS_PSEUDOPKT(p))
254  return 0;
255 
256  if (PKT_IS_IPV4(p))
257  {
258  if (geoipdata->flags & ( GEOIP_MATCH_SRC_FLAG | GEOIP_MATCH_BOTH_FLAG ))
259  {
260  if (CheckGeoMatchIPv4(geoipdata, GET_IPV4_SRC_ADDR_U32(p)))
261  {
262  if (geoipdata->flags & GEOIP_MATCH_BOTH_FLAG)
263  matches++;
264  else
265  return 1;
266  }
267  }
268  if (geoipdata->flags & ( GEOIP_MATCH_DST_FLAG | GEOIP_MATCH_BOTH_FLAG ))
269  {
270  if (CheckGeoMatchIPv4(geoipdata, GET_IPV4_DST_ADDR_U32(p)))
271  {
272  if (geoipdata->flags & GEOIP_MATCH_BOTH_FLAG)
273  matches++;
274  else
275  return 1;
276  }
277  }
278  /* if matches == 2 is because match-on is "both" */
279  if (matches == 2)
280  return 1;
281  }
282 
283  return 0;
284 }
285 
286 /**
287  * \brief This function is used to parse geoipdata
288  *
289  * \param de_ctx Pointer to the detection engine context
290  * \param str Pointer to the geoipdata value string
291  *
292  * \retval pointer to DetectGeoipData on success
293  * \retval NULL on failure
294  */
295 static DetectGeoipData *DetectGeoipDataParse (DetectEngineCtx *de_ctx, const char *str)
296 {
297  DetectGeoipData *geoipdata = NULL;
298  uint16_t pos = 0;
299  uint16_t prevpos = 0;
300  uint16_t slen = 0;
301  int skiplocationparsing = 0;
302 
303  slen = strlen(str);
304  if (slen == 0)
305  goto error;
306 
307  /* We have a correct geoip options string */
308  geoipdata = SCMalloc(sizeof(DetectGeoipData));
309  if (unlikely(geoipdata == NULL))
310  goto error;
311 
312  memset(geoipdata, 0x00, sizeof(DetectGeoipData));
313 
314  /* Parse the geoip option string */
315  while (pos <= slen)
316  {
317  /* search for ',' or end of string */
318  if (str[pos] == ',' || pos == slen)
319  {
320  if (geoipdata->flags == GEOIP_MATCH_NO_FLAG)
321  {
322  /* Parse match-on condition */
323  if (pos == slen) /* if end of option str then there are no match-on cond. */
324  {
325  /* There was NO match-on condition! we default to ANY*/
326  skiplocationparsing = 0;
327  geoipdata->flags |= GEOIP_MATCH_ANY_FLAG;
328  } else {
329  skiplocationparsing = 1;
330  if (strncmp(&str[prevpos], GEOIP_MATCH_SRC_STR, pos-prevpos) == 0)
331  geoipdata->flags |= GEOIP_MATCH_SRC_FLAG;
332  else if (strncmp(&str[prevpos], GEOIP_MATCH_DST_STR, pos-prevpos) == 0)
333  geoipdata->flags |= GEOIP_MATCH_DST_FLAG;
334  else if (strncmp(&str[prevpos], GEOIP_MATCH_BOTH_STR, pos-prevpos) == 0)
335  geoipdata->flags |= GEOIP_MATCH_BOTH_FLAG;
336  else if (strncmp(&str[prevpos], GEOIP_MATCH_ANY_STR, pos-prevpos) == 0)
337  geoipdata->flags |= GEOIP_MATCH_ANY_FLAG;
338  else {
339  /* There was NO match-on condition! we default to ANY*/
340  skiplocationparsing = 0;
341  geoipdata->flags |= GEOIP_MATCH_ANY_FLAG;
342  }
343  }
344  }
345  if (geoipdata->flags != GEOIP_MATCH_NO_FLAG && skiplocationparsing == 0)
346  {
347  /* Parse location string: for now just the country code(s) */
348  if (str[prevpos] == '!') {
349  geoipdata->flags |= GEOIP_MATCH_NEGATED;
350  prevpos++; /* dot not copy the ! */
351  }
352 
353  if (geoipdata->nlocations >= GEOOPTION_MAXLOCATIONS) {
354  SCLogError("too many arguments for geoip keyword");
355  goto error;
356  }
357 
358  if (pos-prevpos > GEOOPTION_MAXSIZE)
359  strlcpy((char *)geoipdata->location[geoipdata->nlocations], &str[prevpos],
360  GEOOPTION_MAXSIZE);
361  else
362  strlcpy((char *)geoipdata->location[geoipdata->nlocations], &str[prevpos],
363  pos-prevpos+1);
364 
365  if (geoipdata->nlocations < GEOOPTION_MAXLOCATIONS)
366  geoipdata->nlocations++;
367  }
368  prevpos = pos+1;
369  skiplocationparsing = 0; /* match-on condition for sure has been parsed already */
370  }
371  pos++;
372  }
373 
374  SCLogDebug("GeoIP: %"PRIu32" countries loaded", geoipdata->nlocations);
375  for (int i=0; i<geoipdata->nlocations; i++)
376  SCLogDebug("GeoIP country code: %s", geoipdata->location[i]);
377 
378  SCLogDebug("flags %02X", geoipdata->flags);
379  if (geoipdata->flags & GEOIP_MATCH_NEGATED) {
380  SCLogDebug("negated geoip");
381  }
382 
383  /* init geo engine, but not when running as unittests */
384  if (!(RunmodeIsUnittests())) {
385  /* Initialize the geolocation engine */
386  if (InitGeolocationEngine(geoipdata) == false)
387  goto error;
388  }
389 
390  return geoipdata;
391 
392 error:
393  if (geoipdata != NULL)
394  DetectGeoipDataFree(de_ctx, geoipdata);
395  return NULL;
396 }
397 
398 /**
399  * \internal
400  * \brief this function is used to add the geoip option into the signature
401  *
402  * \param de_ctx pointer to the Detection Engine Context
403  * \param s pointer to the Current Signature
404  * \param optstr pointer to the user provided options
405  *
406  * \retval 0 on Success
407  * \retval -1 on Failure
408  */
409 static int DetectGeoipSetup(DetectEngineCtx *de_ctx, Signature *s, const char *optstr)
410 {
411  DetectGeoipData *geoipdata = NULL;
412  SigMatch *sm = NULL;
413 
414  geoipdata = DetectGeoipDataParse(de_ctx, optstr);
415  if (geoipdata == NULL)
416  goto error;
417 
418  /* Get this into a SigMatch and put it in the Signature. */
419  sm = SigMatchAlloc();
420  if (sm == NULL)
421  goto error;
422 
423  sm->type = DETECT_GEOIP;
424  sm->ctx = (SigMatchCtx *)geoipdata;
425 
428 
429  return 0;
430 
431 error:
432  if (geoipdata != NULL)
433  DetectGeoipDataFree(de_ctx, geoipdata);
434  if (sm != NULL)
435  SCFree(sm);
436  return -1;
437 
438 }
439 
440 /**
441  * \brief this function will free memory associated with DetectGeoipData
442  *
443  * \param geoipdata pointer to DetectGeoipData
444  */
445 static void DetectGeoipDataFree(DetectEngineCtx *de_ctx, void *ptr)
446 {
447  if (ptr != NULL) {
448  DetectGeoipData *geoipdata = (DetectGeoipData *)ptr;
449  if (geoipdata->mmdb_status == MMDB_SUCCESS)
450  MMDB_close(&geoipdata->mmdb);
451  SCFree(geoipdata);
452  }
453 }
454 
455 #ifdef UNITTESTS
456 
457 static int GeoipParseTest(const char *rule, int ncountries, const char **countries, uint32_t flags)
458 {
459  DetectEngineCtx *de_ctx = NULL;
460  Signature *s = NULL;
461  DetectGeoipData *data = NULL;
462 
464  FAIL_IF(de_ctx == NULL);
465  de_ctx->flags |= DE_QUIET;
466 
467  de_ctx->sig_list = SigInit(de_ctx, rule);
468  FAIL_IF(de_ctx->sig_list == NULL);
469 
470  s = de_ctx->sig_list;
472 
474 
475  data = (DetectGeoipData *)s->init_data->smlists_tail[DETECT_SM_LIST_MATCH]->ctx;
476  FAIL_IF(data->flags != flags);
477 
478  FAIL_IF(data->nlocations!=ncountries);
479 
480  for (int i=0; i<ncountries; i++)
481  {
482  FAIL_IF(strcmp((char *)data->location[i],countries[i])!=0);
483  }
484 
486  PASS;
487 }
488 
489 static int GeoipParseTest01(void)
490 {
491  const char *ccodes[1] = {"US"};
492  return GeoipParseTest("alert tcp any any -> any any (geoip:US;sid:1;)", 1, ccodes,
493  GEOIP_MATCH_ANY_FLAG);
494 }
495 
496 static int GeoipParseTest02(void)
497 {
498  const char *ccodes[1] = {"US"};
499  return GeoipParseTest("alert tcp any any -> any any (geoip:!US;sid:1;)", 1, ccodes,
500  GEOIP_MATCH_ANY_FLAG | GEOIP_MATCH_NEGATED);
501 }
502 
503 static int GeoipParseTest03(void)
504 {
505  const char *ccodes[1] = {"US"};
506  return GeoipParseTest("alert tcp any any -> any any (geoip:!US;sid:1;)", 1, ccodes,
507  GEOIP_MATCH_ANY_FLAG | GEOIP_MATCH_NEGATED);
508 }
509 
510 static int GeoipParseTest04(void)
511 {
512  const char *ccodes[1] = {"US"};
513  return GeoipParseTest("alert tcp any any -> any any (geoip:src,US;sid:1;)", 1, ccodes,
514  GEOIP_MATCH_SRC_FLAG);
515 }
516 
517 static int GeoipParseTest05(void)
518 {
519  const char *ccodes[1] = {"US"};
520  return GeoipParseTest("alert tcp any any -> any any (geoip:dst,!US;sid:1;)", 1, ccodes,
521  GEOIP_MATCH_DST_FLAG | GEOIP_MATCH_NEGATED);
522 }
523 
524 static int GeoipParseTest06(void)
525 {
526  const char *ccodes[3] = {"US", "ES", "UK"};
527  return GeoipParseTest("alert tcp any any -> any any (geoip:US,ES,UK;sid:1;)", 3, ccodes,
528  GEOIP_MATCH_ANY_FLAG);
529 }
530 
531 static int GeoipParseTest07(void)
532 {
533  const char *ccodes[3] = {"US", "ES", "UK"};
534  return GeoipParseTest("alert tcp any any -> any any (geoip:both,!US,ES,UK;sid:1;)", 3, ccodes,
535  GEOIP_MATCH_BOTH_FLAG | GEOIP_MATCH_NEGATED);
536 }
537 
538 /**
539  * \internal
540  * \brief This function registers unit tests for DetectGeoip
541  */
542 static void DetectGeoipRegisterTests(void)
543 {
544  UtRegisterTest("GeoipParseTest01", GeoipParseTest01);
545  UtRegisterTest("GeoipParseTest02", GeoipParseTest02);
546  UtRegisterTest("GeoipParseTest03", GeoipParseTest03);
547  UtRegisterTest("GeoipParseTest04", GeoipParseTest04);
548  UtRegisterTest("GeoipParseTest05", GeoipParseTest05);
549  UtRegisterTest("GeoipParseTest06", GeoipParseTest06);
550  UtRegisterTest("GeoipParseTest07", GeoipParseTest07);
551 }
552 #endif /* UNITTESTS */
553 #endif /* HAVE_GEOIP */
SigTableElmt_::url
const char * url
Definition: detect.h:1287
detect-engine.h
DetectGeoipRegister
void DetectGeoipRegister(void)
Registration function for geoip keyword (no libgeoip support)
Definition: detect-geoip.c:54
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:437
SigTableElmt_::desc
const char * desc
Definition: detect.h:1286
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1274
SigTableElmt_::name
const char * name
Definition: detect.h:1284
SignatureInitData_::smlists_tail
struct SigMatch_ * smlists_tail[DETECT_SM_LIST_MAX]
Definition: detect.h:568
PKT_IS_PSEUDOPKT
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1053
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:826
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2592
DE_QUIET
#define DE_QUIET
Definition: detect.h:314
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1269
util-unittest.h
util-unittest-helper.h
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
ConfGet
int ConfGet(const char *name, const char **vptr)
Retrieve the value of a configuration node.
Definition: conf.c:335
decode.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1074
DETECT_GEOIP
@ DETECT_GEOIP
Definition: detect-engine-register.h:79
detect-engine-mpm.h
detect.h
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:108
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:249
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2264
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:343
Signature_::flags
uint32_t flags
Definition: detect.h:582
Packet_
Definition: decode.h:430
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:653
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1252
RunmodeIsUnittests
int RunmodeIsUnittests(void)
Definition: suricata.c:251
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:322
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:335
util-mem.h
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:341
SCStrndup
#define SCStrndup(s, n)
Definition: util-mem.h:59
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:129
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:834
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
str
#define str(s)
Definition: suricata-common.h:286
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SCFree
#define SCFree(p)
Definition: util-mem.h:61
detect-parse.h
Signature_
Signature container.
Definition: detect.h:581
SigMatch_
a single match condition for a signature
Definition: detect.h:340
detect-geoip.h
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2553
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:828
GET_IPV4_SRC_ADDR_U32
#define GET_IPV4_SRC_ADDR_U32(p)
Definition: decode.h:207
GET_IPV4_DST_ADDR_U32
#define GET_IPV4_DST_ADDR_U32(p)
Definition: decode.h:208
PKT_IS_IPV4
#define PKT_IS_IPV4(p)
Definition: decode.h:245
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1276
SIG_FLAG_REQUIRE_PACKET
#define SIG_FLAG_REQUIRE_PACKET
Definition: detect.h:242