suricata
detect-geoip.c
Go to the documentation of this file.
1 /* Copyright (C) 2012 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Ignacio Sanchez <sanchezmartin.ji@gmail.com>
22  *
23  * Implements the geoip keyword.
24  */
25 
26 #include "suricata-common.h"
27 #include "debug.h"
28 #include "decode.h"
29 #include "detect.h"
30 
31 #include "detect-parse.h"
32 #include "detect-engine.h"
33 #include "detect-engine-mpm.h"
34 
35 #include "detect-geoip.h"
36 
37 #include "util-unittest.h"
38 #include "util-unittest-helper.h"
39 
40 #ifndef HAVE_GEOIP
41 
42 static int DetectGeoipSetupNoSupport (DetectEngineCtx *a, Signature *b, const char *c)
43 {
44  SCLogError(SC_ERR_NO_GEOIP_SUPPORT, "no GeoIP support built in, needed for geoip keyword");
45  return -1;
46 }
47 
48 /**
49  * \brief Registration function for geoip keyword (no libgeoip support)
50  * \todo add support for src_only and dst_only
51  */
53 {
54  sigmatch_table[DETECT_GEOIP].name = "geoip";
55  sigmatch_table[DETECT_GEOIP].Setup = DetectGeoipSetupNoSupport;
58 }
59 
60 #else /* HAVE_GEOIP */
61 
62 #include <GeoIP.h>
63 
64 static int DetectGeoipMatch(ThreadVars *, DetectEngineThreadCtx *, Packet *,
65  const Signature *, const SigMatchCtx *);
66 static int DetectGeoipSetup(DetectEngineCtx *, Signature *, const char *);
67 static void DetectGeoipRegisterTests(void);
68 static void DetectGeoipDataFree(void *);
69 
70 /**
71  * \brief Registration function for geoip keyword
72  * \todo add support for src_only and dst_only
73  */
74 void DetectGeoipRegister(void)
75 {
76  sigmatch_table[DETECT_GEOIP].name = "geoip";
77  sigmatch_table[DETECT_GEOIP].Match = DetectGeoipMatch;
78  sigmatch_table[DETECT_GEOIP].Setup = DetectGeoipSetup;
79  sigmatch_table[DETECT_GEOIP].Free = DetectGeoipDataFree;
80  sigmatch_table[DETECT_GEOIP].RegisterTests = DetectGeoipRegisterTests;
81 }
82 
83 /**
84  * \internal
85  * \brief This function is used to initialize the geolocation MaxMind engine
86  *
87  * \retval NULL if the engine couldn't be initialized
88  * \retval (GeoIP *) to the geolocation engine
89  */
90 static GeoIP *InitGeolocationEngine(void)
91 {
92  return GeoIP_new(GEOIP_MEMORY_CACHE);
93 }
94 
95 /**
96  * \internal
97  * \brief This function is used to geolocate the IP using the MaxMind libraries
98  *
99  * \param ip IP to geolocate (uint32_t ip)
100  *
101  * \retval NULL if it couldn't be geolocated
102  * \retval ptr (const char *) to the country code string
103  */
104 static const char *GeolocateIPv4(GeoIP *geoengine, uint32_t ip)
105 {
106  if (geoengine != NULL)
107  return GeoIP_country_code_by_ipnum(geoengine, SCNtohl(ip));
108  return NULL;
109 }
110 
111 /* Match-on conditions supported */
112 #define GEOIP_MATCH_SRC_STR "src"
113 #define GEOIP_MATCH_DST_STR "dst"
114 #define GEOIP_MATCH_BOTH_STR "both"
115 #define GEOIP_MATCH_ANY_STR "any"
116 
117 #define GEOIP_MATCH_NO_FLAG 0
118 #define GEOIP_MATCH_SRC_FLAG 1
119 #define GEOIP_MATCH_DST_FLAG 2
120 #define GEOIP_MATCH_ANY_FLAG 3 /* default src and dst*/
121 #define GEOIP_MATCH_BOTH_FLAG 4
122 #define GEOIP_MATCH_NEGATED 8
123 
124 /**
125  * \internal
126  * \brief This function is used to geolocate the IP using the MaxMind libraries
127  *
128  * \param ip IP to geolocate (uint32_t ip)
129  *
130  * \retval 0 no match
131  * \retval 1 match
132  */
133 static int CheckGeoMatchIPv4(const DetectGeoipData *geoipdata, uint32_t ip)
134 {
135  const char *country;
136  int i;
137  country = GeolocateIPv4(geoipdata->geoengine, ip);
138  /* Check if NOT NEGATED match-on condition */
139  if ((geoipdata->flags & GEOIP_MATCH_NEGATED) == 0)
140  {
141  for (i = 0; i < geoipdata->nlocations; i++)
142  if (country != NULL && strcmp(country, (char *)geoipdata->location[i])==0)
143  return 1;
144  } else {
145  /* Check if NEGATED match-on condition */
146  for (i = 0; i < geoipdata->nlocations; i++)
147  if (country != NULL && strcmp(country, (char *)geoipdata->location[i])==0)
148  return 0; /* if one matches, rule does NOT match (negated) */
149  return 1; /* returns 1 if no location matches (negated) */
150  }
151  return 0;
152 }
153 
154 /**
155  * \internal
156  * \brief This function is used to match packets with a IPs in an specified country
157  *
158  * \param t pointer to thread vars
159  * \param det_ctx pointer to the pattern matcher thread
160  * \param p pointer to the current packet
161  * \param m pointer to the sigmatch that we will cast into DetectGeoipData
162  *
163  * \retval 0 no match
164  * \retval 1 match
165  */
166 static int DetectGeoipMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
167  Packet *p, const Signature *s, const SigMatchCtx *ctx)
168 {
169  const DetectGeoipData *geoipdata = (const DetectGeoipData *)ctx;
170  int matches = 0;
171 
172  if (PKT_IS_PSEUDOPKT(p))
173  return 0;
174 
175  if (PKT_IS_IPV4(p))
176  {
177  if (geoipdata->flags & ( GEOIP_MATCH_SRC_FLAG | GEOIP_MATCH_BOTH_FLAG ))
178  {
179  if (CheckGeoMatchIPv4(geoipdata, GET_IPV4_SRC_ADDR_U32(p)))
180  {
181  if (geoipdata->flags & GEOIP_MATCH_BOTH_FLAG)
182  matches++;
183  else
184  return 1;
185  }
186  }
187  if (geoipdata->flags & ( GEOIP_MATCH_DST_FLAG | GEOIP_MATCH_BOTH_FLAG ))
188  {
189  if (CheckGeoMatchIPv4(geoipdata, GET_IPV4_DST_ADDR_U32(p)))
190  {
191  if (geoipdata->flags & GEOIP_MATCH_BOTH_FLAG)
192  matches++;
193  else
194  return 1;
195  }
196  }
197  /* if matches == 2 is because match-on is "both" */
198  if (matches == 2)
199  return 1;
200  }
201 
202  return 0;
203 }
204 
205 /**
206  * \brief This function is used to parse geoipdata
207  *
208  * \param str Pointer to the geoipdata value string
209  *
210  * \retval pointer to DetectGeoipData on success
211  * \retval NULL on failure
212  */
213 static DetectGeoipData *DetectGeoipDataParse (const char *str)
214 {
215  DetectGeoipData *geoipdata = NULL;
216  uint16_t pos = 0;
217  uint16_t prevpos = 0;
218  uint16_t slen = 0;
219  int skiplocationparsing = 0;
220 
221  slen = strlen(str);
222  if (slen == 0)
223  goto error;
224 
225  /* We have a correct geoip options string */
226  geoipdata = SCMalloc(sizeof(DetectGeoipData));
227  if (unlikely(geoipdata == NULL))
228  goto error;
229 
230  memset(geoipdata, 0x00, sizeof(DetectGeoipData));
231 
232  /* Parse the geoip option string */
233  while (pos <= slen)
234  {
235  /* search for ',' or end of string */
236  if (str[pos] == ',' || pos == slen)
237  {
238  if (geoipdata->flags == GEOIP_MATCH_NO_FLAG)
239  {
240  /* Parse match-on condition */
241  if (pos == slen) /* if end of option str then there are no match-on cond. */
242  {
243  /* There was NO match-on condition! we default to ANY*/
244  skiplocationparsing = 0;
245  geoipdata->flags |= GEOIP_MATCH_ANY_FLAG;
246  } else {
247  skiplocationparsing = 1;
248  if (strncmp(&str[prevpos], GEOIP_MATCH_SRC_STR, pos-prevpos) == 0)
249  geoipdata->flags |= GEOIP_MATCH_SRC_FLAG;
250  else if (strncmp(&str[prevpos], GEOIP_MATCH_DST_STR, pos-prevpos) == 0)
251  geoipdata->flags |= GEOIP_MATCH_DST_FLAG;
252  else if (strncmp(&str[prevpos], GEOIP_MATCH_BOTH_STR, pos-prevpos) == 0)
253  geoipdata->flags |= GEOIP_MATCH_BOTH_FLAG;
254  else if (strncmp(&str[prevpos], GEOIP_MATCH_ANY_STR, pos-prevpos) == 0)
255  geoipdata->flags |= GEOIP_MATCH_ANY_FLAG;
256  else {
257  /* There was NO match-on condition! we default to ANY*/
258  skiplocationparsing = 0;
259  geoipdata->flags |= GEOIP_MATCH_ANY_FLAG;
260  }
261  }
262  }
263  if (geoipdata->flags != GEOIP_MATCH_NO_FLAG && skiplocationparsing == 0)
264  {
265  /* Parse location string: for now just the country code(s) */
266  if (str[prevpos] == '!') {
267  geoipdata->flags |= GEOIP_MATCH_NEGATED;
268  prevpos++; /* dot not copy the ! */
269  }
270 
271  if (geoipdata->nlocations >= GEOOPTION_MAXLOCATIONS) {
272  SCLogError(SC_ERR_INVALID_ARGUMENT, "too many arguements for geoip keyword");
273  goto error;
274  }
275 
276  if (pos-prevpos > GEOOPTION_MAXSIZE)
277  strlcpy((char *)geoipdata->location[geoipdata->nlocations], &str[prevpos],
278  GEOOPTION_MAXSIZE);
279  else
280  strlcpy((char *)geoipdata->location[geoipdata->nlocations], &str[prevpos],
281  pos-prevpos+1);
282 
283  if (geoipdata->nlocations < GEOOPTION_MAXLOCATIONS)
284  geoipdata->nlocations++;
285  }
286  prevpos = pos+1;
287  skiplocationparsing = 0; /* match-on condition for sure has been parsed already */
288  }
289  pos++;
290  }
291 
292  SCLogDebug("GeoIP: %"PRIu32" countries loaded", geoipdata->nlocations);
293  for (int i=0; i<geoipdata->nlocations; i++)
294  SCLogDebug("GeoIP country code: %s", geoipdata->location[i]);
295 
296  SCLogDebug("flags %02X", geoipdata->flags);
297  if (geoipdata->flags & GEOIP_MATCH_NEGATED) {
298  SCLogDebug("negated geoip");
299  }
300 
301  /* Initialize the geolocation engine */
302  geoipdata->geoengine = InitGeolocationEngine();
303  if (geoipdata->geoengine == NULL)
304  goto error;
305 
306  return geoipdata;
307 
308 error:
309  if (geoipdata != NULL)
310  DetectGeoipDataFree(geoipdata);
311  return NULL;
312 }
313 
314 /**
315  * \internal
316  * \brief this function is used to add the geoip option into the signature
317  *
318  * \param de_ctx pointer to the Detection Engine Context
319  * \param s pointer to the Current Signature
320  * \param optstr pointer to the user provided options
321  *
322  * \retval 0 on Success
323  * \retval -1 on Failure
324  */
325 static int DetectGeoipSetup(DetectEngineCtx *de_ctx, Signature *s, const char *optstr)
326 {
327  DetectGeoipData *geoipdata = NULL;
328  SigMatch *sm = NULL;
329 
330  geoipdata = DetectGeoipDataParse(optstr);
331  if (geoipdata == NULL)
332  goto error;
333 
334  /* Get this into a SigMatch and put it in the Signature. */
335  sm = SigMatchAlloc();
336  if (sm == NULL)
337  goto error;
338 
339  sm->type = DETECT_GEOIP;
340  sm->ctx = (SigMatchCtx *)geoipdata;
341 
344 
345  return 0;
346 
347 error:
348  if (geoipdata != NULL)
349  DetectGeoipDataFree(geoipdata);
350  if (sm != NULL)
351  SCFree(sm);
352  return -1;
353 
354 }
355 
356 /**
357  * \brief this function will free memory associated with DetectGeoipData
358  *
359  * \param geoipdata pointer to DetectGeoipData
360  */
361 static void DetectGeoipDataFree(void *ptr)
362 {
363  if (ptr != NULL) {
364  DetectGeoipData *geoipdata = (DetectGeoipData *)ptr;
365  SCFree(geoipdata);
366  }
367 }
368 
369 #ifdef UNITTESTS
370 
371 static int GeoipParseTest(const char *rule, int ncountries, const char **countries, uint32_t flags)
372 {
373  DetectEngineCtx *de_ctx = NULL;
374  Signature *s = NULL;
375  DetectGeoipData *data = NULL;
376 
377  de_ctx = DetectEngineCtxInit();
378  FAIL_IF(de_ctx == NULL);
379  de_ctx->flags |= DE_QUIET;
380 
381  de_ctx->sig_list = SigInit(de_ctx, rule);
382  FAIL_IF(de_ctx->sig_list == NULL);
383 
384  s = de_ctx->sig_list;
385  FAIL_IF(s->sm_lists_tail[DETECT_SM_LIST_MATCH] == NULL);
386 
387  FAIL_IF(s->sm_lists_tail[DETECT_SM_LIST_MATCH]->type != DETECT_GEOIP);
388 
389  data = (DetectGeoipData *)s->sm_lists_tail[DETECT_SM_LIST_MATCH]->ctx;
390  FAIL_IF(data->flags != flags);
391 
392  FAIL_IF(data->nlocations!=ncountries);
393 
394  for (int i=0; i<ncountries; i++)
395  {
396  FAIL_IF(strcmp((char *)data->location[i],countries[i])!=0);
397  }
398 
399  DetectEngineCtxFree(de_ctx);
400  PASS;
401 }
402 
403 static int GeoipParseTest01(void)
404 {
405  const char *ccodes[1] = {"US"};
406  return GeoipParseTest("alert tcp any any -> any any (geoip:US;sid:1;)", 1, ccodes,
407  GEOIP_MATCH_ANY_FLAG);
408 }
409 
410 static int GeoipParseTest02(void)
411 {
412  const char *ccodes[1] = {"US"};
413  return GeoipParseTest("alert tcp any any -> any any (geoip:!US;sid:1;)", 1, ccodes,
414  GEOIP_MATCH_ANY_FLAG | GEOIP_MATCH_NEGATED);
415 }
416 
417 static int GeoipParseTest03(void)
418 {
419  const char *ccodes[1] = {"US"};
420  return GeoipParseTest("alert tcp any any -> any any (geoip:!US;sid:1;)", 1, ccodes,
421  GEOIP_MATCH_ANY_FLAG | GEOIP_MATCH_NEGATED);
422 }
423 
424 static int GeoipParseTest04(void)
425 {
426  const char *ccodes[1] = {"US"};
427  return GeoipParseTest("alert tcp any any -> any any (geoip:src,US;sid:1;)", 1, ccodes,
428  GEOIP_MATCH_SRC_FLAG);
429 }
430 
431 static int GeoipParseTest05(void)
432 {
433  const char *ccodes[1] = {"US"};
434  return GeoipParseTest("alert tcp any any -> any any (geoip:dst,!US;sid:1;)", 1, ccodes,
435  GEOIP_MATCH_DST_FLAG | GEOIP_MATCH_NEGATED);
436 }
437 
438 static int GeoipParseTest06(void)
439 {
440  const char *ccodes[3] = {"US", "ES", "UK"};
441  return GeoipParseTest("alert tcp any any -> any any (geoip:US,ES,UK;sid:1;)", 3, ccodes,
442  GEOIP_MATCH_ANY_FLAG);
443 }
444 
445 static int GeoipParseTest07(void)
446 {
447  const char *ccodes[3] = {"US", "ES", "UK"};
448  return GeoipParseTest("alert tcp any any -> any any (geoip:both,!US,ES,UK;sid:1;)", 3, ccodes,
449  GEOIP_MATCH_BOTH_FLAG | GEOIP_MATCH_NEGATED);
450 }
451 
452 /**
453  * \internal
454  * \brief This test tests geoip success and failure.
455  */
456 static int GeoipMatchTest(const char *rule, const char *srcip, const char *dstip)
457 {
458  uint8_t *buf = (uint8_t *) "GET / HTTP/1.0\r\n\r\n";
459  uint16_t buflen = strlen((char *)buf);
460  Packet *p1 = NULL;
461  ThreadVars th_v;
462  DetectEngineThreadCtx *det_ctx;
463  int result = 0;
464 
465  memset(&th_v, 0, sizeof(th_v));
466 
467  p1 = UTHBuildPacketSrcDst(buf, buflen, IPPROTO_TCP, srcip, dstip);
468 
470  if (de_ctx == NULL) {
471  goto end;
472  }
473 
474  de_ctx->flags |= DE_QUIET;
475 
476  de_ctx->sig_list = SigInit(de_ctx, rule);
477 
478  if (de_ctx->sig_list == NULL) {
479  goto end;
480  }
481 
482  SigGroupBuild(de_ctx);
483  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
484 
485  result = 2;
486 
487  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
488  if (PacketAlertCheck(p1, 1) == 0) {
489  goto cleanup;
490  }
491 
492  result = 1;
493 
494 cleanup:
495  SigGroupCleanup(de_ctx);
496  SigCleanSignatures(de_ctx);
497 
498  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
499  DetectEngineCtxFree(de_ctx);
500 
501 end:
502  return result;
503 }
504 
505 static int GeoipMatchTest01(void)
506 {
507  /* Tests with IP of google DNS as US for both src and dst IPs */
508  return GeoipMatchTest("alert tcp any any -> any any (geoip:US;sid:1;)", "8.8.8.8", "8.8.8.8");
509  /* Expected result 1 = match */
510 }
511 
512 static int GeoipMatchTest02(void)
513 {
514  /* Tests with IP of google DNS as US, and m.root-servers.net as japan */
515  return GeoipMatchTest("alert tcp any any -> any any (geoip:JP;sid:1;)", "8.8.8.8",
516  "202.12.27.33");
517  /* Expected result 1 = match */
518 }
519 
520 static int GeoipMatchTest03(void)
521 {
522  /* Tests with IP of google DNS as US, and m.root-servers.net as japan */
523  return GeoipMatchTest("alert tcp any any -> any any (geoip:dst,JP;sid:1;)",
524  "8.8.8.8", "202.12.27.33");
525  /* Expected result 1 = match */
526 }
527 
528 static int GeoipMatchTest04(void)
529 {
530  /* Tests with IP of google DNS as US, and m.root-servers.net as japan */
531  return GeoipMatchTest("alert tcp any any -> any any (geoip:src,JP;sid:1;)",
532  "8.8.8.8", "202.12.27.33");
533  /* Expected result 2 = NO match */
534 }
535 
536 static int GeoipMatchTest05(void)
537 {
538  /* Tests with IP of google DNS as US, and m.root-servers.net as japan */
539  return GeoipMatchTest("alert tcp any any -> any any (geoip:src,JP,US;sid:1;)",
540  "8.8.8.8", "202.12.27.33");
541  /* Expected result 1 = match */
542 }
543 
544 static int GeoipMatchTest06(void)
545 {
546  /* Tests with IP of google DNS as US, and m.root-servers.net as japan */
547  return GeoipMatchTest("alert tcp any any -> any any (geoip:src,ES,JP,US,UK,PT;sid:1;)",
548  "8.8.8.8", "202.12.27.33");
549  /* Expected result 1 = match */
550 }
551 
552 static int GeoipMatchTest07(void)
553 {
554  /* Tests with IP of google DNS as US, and m.root-servers.net as japan */
555  return GeoipMatchTest("alert tcp any any -> any any (geoip:src,!ES,JP,US,UK,PT;sid:1;)",
556  "8.8.8.8", "202.12.27.33");
557  /* Expected result 2 = NO match */
558 }
559 
560 
561 #endif /* UNITTESTS */
562 
563 /**
564  * \internal
565  * \brief This function registers unit tests for DetectGeoip
566  */
567 static void DetectGeoipRegisterTests(void)
568 {
569 #ifdef UNITTESTS
570  UtRegisterTest("GeoipParseTest01", GeoipParseTest01);
571  UtRegisterTest("GeoipParseTest02", GeoipParseTest02);
572  UtRegisterTest("GeoipParseTest03", GeoipParseTest03);
573  UtRegisterTest("GeoipParseTest04", GeoipParseTest04);
574  UtRegisterTest("GeoipParseTest05", GeoipParseTest05);
575  UtRegisterTest("GeoipParseTest06", GeoipParseTest06);
576  UtRegisterTest("GeoipParseTest07", GeoipParseTest07);
577 
578  UtRegisterTest("GeoipMatchTest01", GeoipMatchTest01);
579  UtRegisterTest("GeoipMatchTest02", GeoipMatchTest02);
580  UtRegisterTest("GeoipMatchTest03", GeoipMatchTest03);
581  UtRegisterTest("GeoipMatchTest04", GeoipMatchTest04);
582  UtRegisterTest("GeoipMatchTest05", GeoipMatchTest05);
583  UtRegisterTest("GeoipMatchTest06", GeoipMatchTest06);
584  UtRegisterTest("GeoipMatchTest07", GeoipMatchTest07);
585 #endif /* UNITTESTS */
586 }
587 
588 #endif /* HAVE_GEOIP */
#define GET_IPV4_SRC_ADDR_U32(p)
Definition: decode.h:210
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1409
uint16_t flags
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1150
#define SCLogDebug(...)
Definition: util-debug.h:335
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
uint32_t flags
Definition: detect.h:497
#define PASS
Pass the test.
#define unlikely(expr)
Definition: util-optimize.h:35
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
#define GET_IPV4_DST_ADDR_U32(p)
Definition: decode.h:211
Signature * sig_list
Definition: detect.h:730
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
void SigCleanSignatures(DetectEngineCtx *de_ctx)
#define SIG_FLAG_REQUIRE_PACKET
Definition: detect.h:228
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
const char * name
Definition: detect.h:1164
Signature container.
Definition: detect.h:496
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:317
#define PKT_IS_IPV4(p)
Definition: decode.h:249
main detection engine ctx
Definition: detect.h:724
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
#define DE_QUIET
Definition: detect.h:296
#define str(s)
uint8_t flags
Definition: detect.h:725
void(* Free)(void *)
Definition: detect.h:1155
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1742
void DetectGeoipRegister(void)
Registration function for geoip keyword (no libgeoip support)
Definition: detect-geoip.c:52
int SigGroupCleanup(DetectEngineCtx *de_ctx)
uint8_t type
Definition: detect.h:323
#define SCNtohl(x)
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:288
SigMatchCtx * ctx
Definition: detect.h:325
#define SCMalloc(a)
Definition: util-mem.h:166
#define SCFree(a)
Definition: util-mem.h:228
int(* Match)(ThreadVars *, DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1133
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1131
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:232
Per thread variable structure.
Definition: threadvars.h:57
Packet * UTHBuildPacketSrcDst(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, const char *src, const char *dst)
UTHBuildPacketSrcDst is a wrapper that build packets specifying IPs and defaulting ports...
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
void(* RegisterTests)(void)
Definition: detect.h:1156
a single match condition for a signature
Definition: detect.h:322
DetectEngineCtx * DetectEngineCtxInit(void)