64 #define PARSE_REGEX "^([a-z]+)" \
65 "(?:\\s*,\\s*([^\\s,]+))?(?:\\s*)?" \
66 "(?:\\s*,\\s*([^,\\s]+))?(?:\\s*)?" \
249 return DetectHostbitMatchIsset(p,xd);
251 return DetectHostbitMatchIsnotset(p,xd);
253 return DetectHostbitMatchSet(p,xd);
255 return DetectHostbitMatchUnset(p,xd);
257 return DetectHostbitMatchToggle(p,xd);
282 static int DetectHostbitParse(
const char *
str,
char *cmd,
int cmd_len,
283 char *name,
int name_len,
char *dir,
int dir_len)
289 if (count != 2 && count != 3 && count != 4) {
291 "\"%s\" is not a valid setting for hostbits.",
str);
296 rc = pcre2_substring_copy_bynumber(parse_regex.
match, 1, (PCRE2_UCHAR8 *)cmd, &pcre2len);
304 rc = pcre2_substring_copy_bynumber(parse_regex.
match, 2, (PCRE2_UCHAR8 *)name, &pcre2len);
311 rc = pcre2_substring_copy_bynumber(
312 parse_regex.
match, 3, (PCRE2_UCHAR8 *)dir, &pcre2len);
329 char fb_cmd_str[16] =
"", fb_name[256] =
"";
330 char hb_dir_str[16] =
"";
332 if (!DetectHostbitParse(rawstr, fb_cmd_str,
sizeof(fb_cmd_str),
333 fb_name,
sizeof(fb_name), hb_dir_str,
sizeof(hb_dir_str))) {
337 if (strlen(hb_dir_str) > 0) {
338 if (strcmp(hb_dir_str,
"src") == 0)
340 else if (strcmp(hb_dir_str,
"dst") == 0)
342 else if (strcmp(hb_dir_str,
"both") == 0) {
352 if (strcmp(fb_cmd_str,
"noalert") == 0) {
354 }
else if (strcmp(fb_cmd_str,
"isset") == 0) {
356 }
else if (strcmp(fb_cmd_str,
"isnotset") == 0) {
358 }
else if (strcmp(fb_cmd_str,
"set") == 0) {
360 }
else if (strcmp(fb_cmd_str,
"unset") == 0) {
362 }
else if (strcmp(fb_cmd_str,
"toggle") == 0) {
371 if (strlen(fb_name) != 0)
381 if (strlen(fb_name) == 0)
396 SCLogDebug(
"idx %" PRIu32
", cmd %s, name %s",
397 cd->
idx, fb_cmd_str, strlen(fb_name) ? fb_name :
"(none)");
406 sm->
ctx = (
void *)cd;
452 static void HostBitsTestSetup(
void)
460 static void HostBitsTestShutdown(
void)
466 static int HostBitsTestParse01(
void)
468 char cmd[16] =
"", name[256] =
"", dir[16] =
"";
471 FAIL_IF(!DetectHostbitParse(
"isset,name", cmd,
sizeof(cmd), name,
472 sizeof(name), dir,
sizeof(dir)));
473 FAIL_IF(strcmp(cmd,
"isset") != 0);
474 FAIL_IF(strcmp(name,
"name") != 0);
481 FAIL_IF(!DetectHostbitParse(
"isset, name", cmd,
sizeof(cmd), name,
482 sizeof(name), dir,
sizeof(dir)));
483 FAIL_IF(strcmp(cmd,
"isset") != 0);
484 FAIL_IF(strcmp(name,
"name") != 0);
490 FAIL_IF(!DetectHostbitParse(
"isset,name ", cmd,
sizeof(cmd), name,
491 sizeof(name), dir,
sizeof(dir)));
492 FAIL_IF(strcmp(cmd,
"isset") != 0);
493 FAIL_IF(strcmp(name,
"name") != 0);
499 FAIL_IF(!DetectHostbitParse(
"isset, name ", cmd,
sizeof(cmd), name,
500 sizeof(name), dir,
sizeof(dir)));
501 FAIL_IF(strcmp(cmd,
"isset") != 0);
502 FAIL_IF(strcmp(name,
"name") != 0);
508 FAIL_IF(!DetectHostbitParse(
"isset,name,src", cmd,
sizeof(cmd), name,
509 sizeof(name), dir,
sizeof(dir)));
510 FAIL_IF(strcmp(cmd,
"isset") != 0);
511 FAIL_IF(strcmp(name,
"name") != 0);
512 FAIL_IF(strcmp(dir,
"src") != 0);
518 FAIL_IF(!DetectHostbitParse(
"isset, name ,src", cmd,
sizeof(cmd), name,
519 sizeof(name), dir,
sizeof(dir)));
520 FAIL_IF(strcmp(cmd,
"isset") != 0);
521 FAIL_IF(strcmp(name,
"name") != 0);
522 FAIL_IF(strcmp(dir,
"src") != 0);
528 FAIL_IF(!DetectHostbitParse(
"isset, name , src ", cmd,
sizeof(cmd), name,
529 sizeof(name), dir,
sizeof(dir)));
530 FAIL_IF(strcmp(cmd,
"isset") != 0);
531 FAIL_IF(strcmp(name,
"name") != 0);
532 FAIL_IF(strcmp(dir,
"src") != 0);
538 FAIL_IF(DetectHostbitParse(
"isset, name withspace ", cmd,
sizeof(cmd), name,
539 sizeof(name), dir,
sizeof(dir)));
551 static int HostBitsTestSig01(
void)
553 uint8_t *buf = (uint8_t *)
554 "GET /one/ HTTP/1.1\r\n"
555 "Host: one.example.org\r\n"
557 uint16_t buflen = strlen((
char *)buf);
565 memset(&th_v, 0,
sizeof(th_v));
570 p->
proto = IPPROTO_TCP;
590 HostBitsTestShutdown();
601 static int HostBitsTestSig02(
void)
607 memset(&th_v, 0,
sizeof(th_v));
615 "alert ip any any -> any any (hostbits:isset,abc,src; content:\"GET \"; sid:1;)");
619 "alert ip any any -> any any (hostbits:isnotset,abc,dst; content:\"GET \"; sid:2;)");
623 "alert ip any any -> any any (hostbits:!isset,abc,dst; content:\"GET \"; sid:3;)");
632 "alert ip any any -> any any (hostbits:unset,abc,src; content:\"GET \"; sid:4;)");
636 "alert ip any any -> any any (hostbits:toggle,abc,dst; content:\"GET \"; sid:5;)");
650 static int HostBitsTestSig03(
void)
652 uint8_t *buf = (uint8_t *)
653 "GET /one/ HTTP/1.1\r\n"
654 "Host: one.example.org\r\n"
656 uint16_t buflen = strlen((
char *)buf);
666 memset(&th_v, 0,
sizeof(th_v));
671 p->
proto = IPPROTO_TCP;
680 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"isset option\"; hostbits:isset,fbt; content:\"GET \"; sid:1;)");
693 HostBitsTestShutdown();
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options)
void HostBitToggle(Host *h, uint32_t idx, uint32_t expire)
void(* Free)(DetectEngineCtx *, void *)
void HostBitsRegisterTests(void)
Registers the unit tests for HostBits.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
main detection engine ctx
Host * HostGetHostFromHash(Address *a)
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx.
void StorageCleanup(void)
#define DETECT_XBITS_TRACK_IPDST
void DetectHostbitsRegister(void)
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
Wrapper for old tests.
@ SC_ERR_PCRE_GET_SUBSTRING
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
void HostBitInitCtx(void)
int HostBitIsset(Host *h, uint32_t idx, uint32_t ts)
@ DETECT_SM_LIST_POSTMATCH
int DetectXbitMatchHost(Packet *p, const DetectXbitsData *xd)
#define DETECT_XBITS_CMD_ISNOTSET
int HostBitIsnotset(Host *h, uint32_t idx, uint32_t ts)
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
#define PASS
Pass the test.
void HostBitUnset(Host *h, uint32_t idx)
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
void HostCleanup(void)
Cleanup the host engine.
Per thread variable structure.
void PacketFree(Packet *p)
Return a malloced packet.
void HostBitSet(Host *h, uint32_t idx, uint32_t expire)
int StorageFinalize(void)
Data structures and function prototypes for keeping state for the detection engine.
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
SigMatch * SigMatchAlloc(void)
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Used to start a pointer to a SigMatch context. Should never be dereferenced without casting to something...
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
Initialize a thread-specific detection engine context.
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
uint32_t VarNameStoreSetupAdd(const char *name, const enum VarTypes type)
Add to staging, or return the existing id if it is already present.
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
#define DETECT_XBITS_TRACK_IPSRC
a single match condition for a signature
#define DETECT_XBITS_CMD_NOALERT
#define DETECT_XBITS_CMD_ISSET
DetectEngineCtx * DetectEngineCtxInit(void)
Host * HostLookupHostFromHash(Address *a)
Look up a host in the hash.
void HostInitConfig(bool quiet)
Initialize the host engine configuration.
#define DETECT_XBITS_CMD_SET
void DetectHostbitFree(DetectEngineCtx *, void *)
#define DETECT_XBITS_CMD_TOGGLE
#define DETECT_XBITS_CMD_UNSET
#define SIGMATCH_IPONLY_COMPAT
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
void(* RegisterTests)(void)