suricata
detect-geoip.c
Go to the documentation of this file.
1 /* Copyright (C) 2012-2019 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Ignacio Sanchez <sanchezmartin.ji@gmail.com>
22  * \author Bill Meeks <billmeeks8@gmail.com>
23  *
24  * Implements the geoip keyword.
25  * Updated to use MaxMind GeoIP2 database.
26  */
27 
28 #include "suricata-common.h"
29 #include "debug.h"
30 #include "decode.h"
31 #include "detect.h"
32 
33 #include "detect-parse.h"
34 #include "detect-engine.h"
35 #include "detect-engine-mpm.h"
36 
37 #include "detect-geoip.h"
38 
39 #include "util-mem.h"
40 #include "util-unittest.h"
41 #include "util-unittest-helper.h"
42 
43 #ifndef HAVE_GEOIP
44 
45 static int DetectGeoipSetupNoSupport (DetectEngineCtx *a, Signature *b, const char *c)
46 {
47  SCLogError(SC_ERR_NO_GEOIP_SUPPORT, "no GeoIP support built in, needed for geoip keyword");
48  return -1;
49 }
50 
51 /**
52  * \brief Registration function for geoip keyword (no libgeoip support)
53  * \todo add support for src_only and dst_only
54  */
56 {
57  sigmatch_table[DETECT_GEOIP].name = "geoip";
58  sigmatch_table[DETECT_GEOIP].desc = "match on the source, destination or source and destination IP addresses of network traffic, and to see to which country it belongs";
59  sigmatch_table[DETECT_GEOIP].url = "/rules/header-keywords.html#geoip";
60  sigmatch_table[DETECT_GEOIP].Setup = DetectGeoipSetupNoSupport;
62 }
63 
64 #else /* HAVE_GEOIP */
65 
66 #include <maxminddb.h>
67 
68 static int DetectGeoipMatch(DetectEngineThreadCtx *, Packet *,
69  const Signature *, const SigMatchCtx *);
70 static int DetectGeoipSetup(DetectEngineCtx *, Signature *, const char *);
71 #ifdef UNITTESTS
72 static void DetectGeoipRegisterTests(void);
73 #endif
74 static void DetectGeoipDataFree(DetectEngineCtx *, void *);
75 
76 /**
77  * \brief Registration function for geoip keyword
78  * \todo add support for src_only and dst_only
79  */
80 void DetectGeoipRegister(void)
81 {
82  sigmatch_table[DETECT_GEOIP].name = "geoip";
83  sigmatch_table[DETECT_GEOIP].url = "/rules/header-keywords.html#geoip";
84  sigmatch_table[DETECT_GEOIP].desc = "keyword to match on country of src and or dst IP";
85  sigmatch_table[DETECT_GEOIP].Match = DetectGeoipMatch;
86  sigmatch_table[DETECT_GEOIP].Setup = DetectGeoipSetup;
87  sigmatch_table[DETECT_GEOIP].Free = DetectGeoipDataFree;
88 #ifdef UNITTESTS
89  sigmatch_table[DETECT_GEOIP].RegisterTests = DetectGeoipRegisterTests;
90 #endif
91 }
92 
93 /**
94  * \internal
95  * \brief This function is used to initialize the geolocation MaxMind engine
96  *
97  * \retval false if the engine couldn't be initialized
98  */
99 static bool InitGeolocationEngine(DetectGeoipData *geoipdata)
100 {
101  const char *filename = NULL;
102 
103  /* Get location and name of GeoIP2 database from YAML conf */
104  (void)ConfGet("geoip-database", &filename);
105 
106  if (filename == NULL) {
107  SCLogWarning(SC_ERR_INVALID_ARGUMENT, "Unable to locate a GeoIP2"
108  "database filename in YAML conf. GeoIP rule matching "
109  "is disabled.");
110  geoipdata->mmdb_status = MMDB_FILE_OPEN_ERROR;
111  return false;
112  }
113 
114  /* Attempt to open MaxMind DB and save file handle if successful */
115  int status = MMDB_open(filename, MMDB_MODE_MMAP, &geoipdata->mmdb);
116 
117  if (status == MMDB_SUCCESS) {
118  geoipdata->mmdb_status = status;
119  return true;
120  }
121 
122  SCLogWarning(SC_ERR_INVALID_ARGUMENT, "Failed to open GeoIP2 database: %s. "
123  "Error was: %s. GeoIP rule matching is disabled.", filename,
124  MMDB_strerror(status));
125  geoipdata->mmdb_status = status;
126  return false;
127 }
128 
129 /**
130  * \internal
131  * \brief This function is used to geolocate the IP using the MaxMind libraries
132  *
133  * \param ip IPv4 to geolocate (uint32_t ip)
134  *
135  * \retval NULL if it couldn't be geolocated
136  * \retval ptr (const char *) to the country code string
137  */
138 static const char *GeolocateIPv4(const DetectGeoipData *geoipdata, uint32_t ip)
139 {
140  int mmdb_error;
141  struct sockaddr_in sa;
142  sa.sin_family = AF_INET;
143  sa.sin_port = 0;
144  sa.sin_addr.s_addr = ip;
145  MMDB_lookup_result_s result;
146  MMDB_entry_data_s entry_data;
147 
148  /* Return if no GeoIP database access available */
149  if (geoipdata->mmdb_status != MMDB_SUCCESS)
150  return NULL;
151 
152  /* Attempt to find the IPv4 address in the database */
153  result = MMDB_lookup_sockaddr((MMDB_s *)&geoipdata->mmdb,
154  (struct sockaddr*)&sa, &mmdb_error);
155  if (mmdb_error != MMDB_SUCCESS)
156  return NULL;
157 
158  /* The IPv4 address was found, so grab ISO country code if available */
159  if (result.found_entry) {
160  mmdb_error = MMDB_get_value(&result.entry, &entry_data, "country",
161  "iso_code", NULL);
162  if (mmdb_error != MMDB_SUCCESS)
163  return NULL;
164 
165  /* If ISO country code was found, then return it */
166  if (entry_data.has_data) {
167  if (entry_data.type == MMDB_DATA_TYPE_UTF8_STRING) {
168  char *country_code = SCStrndup((char *)entry_data.utf8_string,
169  entry_data.data_size);
170  return country_code;
171  }
172  }
173  }
174 
175  /* The country code for the IP was not found */
176  return NULL;
177 }
178 
179 /* Match-on conditions supported */
180 #define GEOIP_MATCH_SRC_STR "src"
181 #define GEOIP_MATCH_DST_STR "dst"
182 #define GEOIP_MATCH_BOTH_STR "both"
183 #define GEOIP_MATCH_ANY_STR "any"
184 
185 #define GEOIP_MATCH_NO_FLAG 0
186 #define GEOIP_MATCH_SRC_FLAG 1
187 #define GEOIP_MATCH_DST_FLAG 2
188 #define GEOIP_MATCH_ANY_FLAG 3 /* default src and dst*/
189 #define GEOIP_MATCH_BOTH_FLAG 4
190 #define GEOIP_MATCH_NEGATED 8
191 
192 /**
193  * \internal
194  * \brief This function is used to geolocate the IP using the MaxMind libraries
195  *
196  * \param ip IPv4 to geolocate (uint32_t ip)
197  *
198  * \retval 0 no match
199  * \retval 1 match
200  */
201 static int CheckGeoMatchIPv4(const DetectGeoipData *geoipdata, uint32_t ip)
202 {
203  int i;
204 
205  /* Attempt country code lookup for the IP address */
206  const char *country = GeolocateIPv4(geoipdata, ip);
207 
208  /* Skip further checks if did not find a country code */
209  if (country == NULL)
210  return 0;
211 
212  /* Check if NOT NEGATED match-on condition */
213  if ((geoipdata->flags & GEOIP_MATCH_NEGATED) == 0)
214  {
215  for (i = 0; i < geoipdata->nlocations; i++) {
216  if (strcmp(country, (char *)geoipdata->location[i])==0) {
217  SCFree((void *)country);
218  return 1;
219  }
220  }
221  } else {
222  /* Check if NEGATED match-on condition */
223  for (i = 0; i < geoipdata->nlocations; i++) {
224  if (strcmp(country, (char *)geoipdata->location[i])==0) {
225  SCFree((void *)country);
226  return 0; /* if one matches, rule does NOT match (negated) */
227  }
228  }
229  SCFree((void *)country);
230  return 1; /* returns 1 if no location matches (negated) */
231  }
232  SCFree((void *)country);
233  return 0;
234 }
235 
236 /**
237  * \internal
238  * \brief This function is used to match packets with a IPs in an specified country
239  *
240  * \param t pointer to thread vars
241  * \param det_ctx pointer to the pattern matcher thread
242  * \param p pointer to the current packet
243  * \param m pointer to the sigmatch that we will cast into DetectGeoipData
244  *
245  * \retval 0 no match
246  * \retval 1 match
247  */
248 static int DetectGeoipMatch(DetectEngineThreadCtx *det_ctx,
249  Packet *p, const Signature *s, const SigMatchCtx *ctx)
250 {
251  const DetectGeoipData *geoipdata = (const DetectGeoipData *)ctx;
252  int matches = 0;
253 
254  if (PKT_IS_PSEUDOPKT(p))
255  return 0;
256 
257  if (PKT_IS_IPV4(p))
258  {
259  if (geoipdata->flags & ( GEOIP_MATCH_SRC_FLAG | GEOIP_MATCH_BOTH_FLAG ))
260  {
261  if (CheckGeoMatchIPv4(geoipdata, GET_IPV4_SRC_ADDR_U32(p)))
262  {
263  if (geoipdata->flags & GEOIP_MATCH_BOTH_FLAG)
264  matches++;
265  else
266  return 1;
267  }
268  }
269  if (geoipdata->flags & ( GEOIP_MATCH_DST_FLAG | GEOIP_MATCH_BOTH_FLAG ))
270  {
271  if (CheckGeoMatchIPv4(geoipdata, GET_IPV4_DST_ADDR_U32(p)))
272  {
273  if (geoipdata->flags & GEOIP_MATCH_BOTH_FLAG)
274  matches++;
275  else
276  return 1;
277  }
278  }
279  /* if matches == 2 is because match-on is "both" */
280  if (matches == 2)
281  return 1;
282  }
283 
284  return 0;
285 }
286 
287 /**
288  * \brief This function is used to parse geoipdata
289  *
290  * \param de_ctx Pointer to the detection engine context
291  * \param str Pointer to the geoipdata value string
292  *
293  * \retval pointer to DetectGeoipData on success
294  * \retval NULL on failure
295  */
296 static DetectGeoipData *DetectGeoipDataParse (DetectEngineCtx *de_ctx, const char *str)
297 {
298  DetectGeoipData *geoipdata = NULL;
299  uint16_t pos = 0;
300  uint16_t prevpos = 0;
301  uint16_t slen = 0;
302  int skiplocationparsing = 0;
303 
304  slen = strlen(str);
305  if (slen == 0)
306  goto error;
307 
308  /* We have a correct geoip options string */
309  geoipdata = SCMalloc(sizeof(DetectGeoipData));
310  if (unlikely(geoipdata == NULL))
311  goto error;
312 
313  memset(geoipdata, 0x00, sizeof(DetectGeoipData));
314 
315  /* Parse the geoip option string */
316  while (pos <= slen)
317  {
318  /* search for ',' or end of string */
319  if (str[pos] == ',' || pos == slen)
320  {
321  if (geoipdata->flags == GEOIP_MATCH_NO_FLAG)
322  {
323  /* Parse match-on condition */
324  if (pos == slen) /* if end of option str then there are no match-on cond. */
325  {
326  /* There was NO match-on condition! we default to ANY*/
327  skiplocationparsing = 0;
328  geoipdata->flags |= GEOIP_MATCH_ANY_FLAG;
329  } else {
330  skiplocationparsing = 1;
331  if (strncmp(&str[prevpos], GEOIP_MATCH_SRC_STR, pos-prevpos) == 0)
332  geoipdata->flags |= GEOIP_MATCH_SRC_FLAG;
333  else if (strncmp(&str[prevpos], GEOIP_MATCH_DST_STR, pos-prevpos) == 0)
334  geoipdata->flags |= GEOIP_MATCH_DST_FLAG;
335  else if (strncmp(&str[prevpos], GEOIP_MATCH_BOTH_STR, pos-prevpos) == 0)
336  geoipdata->flags |= GEOIP_MATCH_BOTH_FLAG;
337  else if (strncmp(&str[prevpos], GEOIP_MATCH_ANY_STR, pos-prevpos) == 0)
338  geoipdata->flags |= GEOIP_MATCH_ANY_FLAG;
339  else {
340  /* There was NO match-on condition! we default to ANY*/
341  skiplocationparsing = 0;
342  geoipdata->flags |= GEOIP_MATCH_ANY_FLAG;
343  }
344  }
345  }
346  if (geoipdata->flags != GEOIP_MATCH_NO_FLAG && skiplocationparsing == 0)
347  {
348  /* Parse location string: for now just the country code(s) */
349  if (str[prevpos] == '!') {
350  geoipdata->flags |= GEOIP_MATCH_NEGATED;
351  prevpos++; /* dot not copy the ! */
352  }
353 
354  if (geoipdata->nlocations >= GEOOPTION_MAXLOCATIONS) {
355  SCLogError(SC_ERR_INVALID_ARGUMENT, "too many arguements for geoip keyword");
356  goto error;
357  }
358 
359  if (pos-prevpos > GEOOPTION_MAXSIZE)
360  strlcpy((char *)geoipdata->location[geoipdata->nlocations], &str[prevpos],
361  GEOOPTION_MAXSIZE);
362  else
363  strlcpy((char *)geoipdata->location[geoipdata->nlocations], &str[prevpos],
364  pos-prevpos+1);
365 
366  if (geoipdata->nlocations < GEOOPTION_MAXLOCATIONS)
367  geoipdata->nlocations++;
368  }
369  prevpos = pos+1;
370  skiplocationparsing = 0; /* match-on condition for sure has been parsed already */
371  }
372  pos++;
373  }
374 
375  SCLogDebug("GeoIP: %"PRIu32" countries loaded", geoipdata->nlocations);
376  for (int i=0; i<geoipdata->nlocations; i++)
377  SCLogDebug("GeoIP country code: %s", geoipdata->location[i]);
378 
379  SCLogDebug("flags %02X", geoipdata->flags);
380  if (geoipdata->flags & GEOIP_MATCH_NEGATED) {
381  SCLogDebug("negated geoip");
382  }
383 
384  /* init geo engine, but not when running as unittests */
385  if (!(RunmodeIsUnittests())) {
386  /* Initialize the geolocation engine */
387  if (InitGeolocationEngine(geoipdata) == false)
388  goto error;
389  }
390 
391  return geoipdata;
392 
393 error:
394  if (geoipdata != NULL)
395  DetectGeoipDataFree(de_ctx, geoipdata);
396  return NULL;
397 }
398 
399 /**
400  * \internal
401  * \brief this function is used to add the geoip option into the signature
402  *
403  * \param de_ctx pointer to the Detection Engine Context
404  * \param s pointer to the Current Signature
405  * \param optstr pointer to the user provided options
406  *
407  * \retval 0 on Success
408  * \retval -1 on Failure
409  */
410 static int DetectGeoipSetup(DetectEngineCtx *de_ctx, Signature *s, const char *optstr)
411 {
412  DetectGeoipData *geoipdata = NULL;
413  SigMatch *sm = NULL;
414 
415  geoipdata = DetectGeoipDataParse(de_ctx, optstr);
416  if (geoipdata == NULL)
417  goto error;
418 
419  /* Get this into a SigMatch and put it in the Signature. */
420  sm = SigMatchAlloc();
421  if (sm == NULL)
422  goto error;
423 
424  sm->type = DETECT_GEOIP;
425  sm->ctx = (SigMatchCtx *)geoipdata;
426 
429 
430  return 0;
431 
432 error:
433  if (geoipdata != NULL)
434  DetectGeoipDataFree(de_ctx, geoipdata);
435  if (sm != NULL)
436  SCFree(sm);
437  return -1;
438 
439 }
440 
441 /**
442  * \brief this function will free memory associated with DetectGeoipData
443  *
444  * \param geoipdata pointer to DetectGeoipData
445  */
446 static void DetectGeoipDataFree(DetectEngineCtx *de_ctx, void *ptr)
447 {
448  if (ptr != NULL) {
449  DetectGeoipData *geoipdata = (DetectGeoipData *)ptr;
450  if (geoipdata->mmdb_status == MMDB_SUCCESS)
451  MMDB_close(&geoipdata->mmdb);
452  SCFree(geoipdata);
453  }
454 }
455 
456 #ifdef UNITTESTS
457 
458 static int GeoipParseTest(const char *rule, int ncountries, const char **countries, uint32_t flags)
459 {
460  DetectEngineCtx *de_ctx = NULL;
461  Signature *s = NULL;
462  DetectGeoipData *data = NULL;
463 
465  FAIL_IF(de_ctx == NULL);
466  de_ctx->flags |= DE_QUIET;
467 
468  de_ctx->sig_list = SigInit(de_ctx, rule);
469  FAIL_IF(de_ctx->sig_list == NULL);
470 
471  s = de_ctx->sig_list;
472  FAIL_IF(s->sm_lists_tail[DETECT_SM_LIST_MATCH] == NULL);
473 
474  FAIL_IF(s->sm_lists_tail[DETECT_SM_LIST_MATCH]->type != DETECT_GEOIP);
475 
476  data = (DetectGeoipData *)s->sm_lists_tail[DETECT_SM_LIST_MATCH]->ctx;
477  FAIL_IF(data->flags != flags);
478 
479  FAIL_IF(data->nlocations!=ncountries);
480 
481  for (int i=0; i<ncountries; i++)
482  {
483  FAIL_IF(strcmp((char *)data->location[i],countries[i])!=0);
484  }
485 
487  PASS;
488 }
489 
490 static int GeoipParseTest01(void)
491 {
492  const char *ccodes[1] = {"US"};
493  return GeoipParseTest("alert tcp any any -> any any (geoip:US;sid:1;)", 1, ccodes,
494  GEOIP_MATCH_ANY_FLAG);
495 }
496 
497 static int GeoipParseTest02(void)
498 {
499  const char *ccodes[1] = {"US"};
500  return GeoipParseTest("alert tcp any any -> any any (geoip:!US;sid:1;)", 1, ccodes,
501  GEOIP_MATCH_ANY_FLAG | GEOIP_MATCH_NEGATED);
502 }
503 
504 static int GeoipParseTest03(void)
505 {
506  const char *ccodes[1] = {"US"};
507  return GeoipParseTest("alert tcp any any -> any any (geoip:!US;sid:1;)", 1, ccodes,
508  GEOIP_MATCH_ANY_FLAG | GEOIP_MATCH_NEGATED);
509 }
510 
511 static int GeoipParseTest04(void)
512 {
513  const char *ccodes[1] = {"US"};
514  return GeoipParseTest("alert tcp any any -> any any (geoip:src,US;sid:1;)", 1, ccodes,
515  GEOIP_MATCH_SRC_FLAG);
516 }
517 
518 static int GeoipParseTest05(void)
519 {
520  const char *ccodes[1] = {"US"};
521  return GeoipParseTest("alert tcp any any -> any any (geoip:dst,!US;sid:1;)", 1, ccodes,
522  GEOIP_MATCH_DST_FLAG | GEOIP_MATCH_NEGATED);
523 }
524 
525 static int GeoipParseTest06(void)
526 {
527  const char *ccodes[3] = {"US", "ES", "UK"};
528  return GeoipParseTest("alert tcp any any -> any any (geoip:US,ES,UK;sid:1;)", 3, ccodes,
529  GEOIP_MATCH_ANY_FLAG);
530 }
531 
532 static int GeoipParseTest07(void)
533 {
534  const char *ccodes[3] = {"US", "ES", "UK"};
535  return GeoipParseTest("alert tcp any any -> any any (geoip:both,!US,ES,UK;sid:1;)", 3, ccodes,
536  GEOIP_MATCH_BOTH_FLAG | GEOIP_MATCH_NEGATED);
537 }
538 
539 /**
540  * \internal
541  * \brief This function registers unit tests for DetectGeoip
542  */
543 static void DetectGeoipRegisterTests(void)
544 {
545  UtRegisterTest("GeoipParseTest01", GeoipParseTest01);
546  UtRegisterTest("GeoipParseTest02", GeoipParseTest02);
547  UtRegisterTest("GeoipParseTest03", GeoipParseTest03);
548  UtRegisterTest("GeoipParseTest04", GeoipParseTest04);
549  UtRegisterTest("GeoipParseTest05", GeoipParseTest05);
550  UtRegisterTest("GeoipParseTest06", GeoipParseTest06);
551  UtRegisterTest("GeoipParseTest07", GeoipParseTest07);
552 }
553 #endif /* UNITTESTS */
554 #endif /* HAVE_GEOIP */
SigTableElmt_::url
const char * url
Definition: detect.h:1213
detect-engine.h
DetectGeoipRegister
void DetectGeoipRegister(void)
Registration function for geoip keyword (no libgeoip support)
Definition: detect-geoip.c:55
SigTableElmt_::desc
const char * desc
Definition: detect.h:1212
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1200
SigTableElmt_::name
const char * name
Definition: detect.h:1210
PKT_IS_PSEUDOPKT
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1142
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2039
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:766
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2093
DE_QUIET
#define DE_QUIET
Definition: detect.h:293
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1195
util-unittest.h
util-unittest-helper.h
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
ConfGet
int ConfGet(const char *name, const char **vptr)
Retrieve the value of a configuration node.
Definition: conf.c:330
decode.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1009
DETECT_GEOIP
@ DETECT_GEOIP
Definition: detect-engine-register.h:76
detect-engine-mpm.h
detect.h
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:89
SC_ERR_INVALID_ARGUMENT
@ SC_ERR_INVALID_ARGUMENT
Definition: util-error.h:43
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:322
Signature_::flags
uint32_t flags
Definition: detect.h:528
Packet_
Definition: decode.h:412
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1178
RunmodeIsUnittests
int RunmodeIsUnittests(void)
Definition: suricata.c:264
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
SigMatch_::type
uint8_t type
Definition: detect.h:320
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:314
util-mem.h
SC_ERR_NO_GEOIP_SUPPORT
@ SC_ERR_NO_GEOIP_SUPPORT
Definition: util-error.h:259
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
SCStrndup
#define SCStrndup(s, n)
Definition: util-mem.h:59
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:772
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
str
#define str(s)
Definition: suricata-common.h:273
SCLogWarning
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
Definition: util-debug.h:244
SCFree
#define SCFree(p)
Definition: util-mem.h:61
detect-parse.h
Signature_
Signature container.
Definition: detect.h:527
SigMatch_
a single match condition for a signature
Definition: detect.h:319
detect-geoip.h
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2048
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:767
GET_IPV4_SRC_ADDR_U32
#define GET_IPV4_SRC_ADDR_U32(p)
Definition: decode.h:216
GET_IPV4_DST_ADDR_U32
#define GET_IPV4_DST_ADDR_U32(p)
Definition: decode.h:217
PKT_IS_IPV4
#define PKT_IS_IPV4(p)
Definition: decode.h:255
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
debug.h
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1202
SIG_FLAG_REQUIRE_PACKET
#define SIG_FLAG_REQUIRE_PACKET
Definition: detect.h:223