suricata
detect-hostbits.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Implements the hostbits keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 #include "action-globals.h"
29 #include "detect.h"
30 #include "threads.h"
31 #include "flow.h"
32 #include "flow-util.h"
33 #include "detect-hostbits.h"
34 #include "util-spm.h"
35 
36 #include "detect-engine-sigorder.h"
37 
38 #include "app-layer-parser.h"
39 
40 #include "detect-parse.h"
41 #include "detect-engine.h"
42 #include "detect-engine-mpm.h"
43 #include "detect-engine-state.h"
44 #include "detect-engine-build.h"
45 
46 #include "flow-bit.h"
47 #include "host-bit.h"
48 #include "util-var-name.h"
49 #include "util-unittest.h"
50 #include "util-debug.h"
51 
52 /*
53  hostbits:isset,bitname;
54  hostbits:set,bitname;
55 
56  hostbits:set,bitname,src;
57  hostbits:set,bitname,dst;
58 TODO:
59  hostbits:set,bitname,both;
60 
61  hostbits:set,bitname,src,3600;
62  hostbits:set,bitname,dst,60;
63  hostbits:set,bitname,both,120;
64  */
65 
66 #define PARSE_REGEX \
67  "^([a-z]+)" /* Action */ \
68  "(?:\\s*,\\s*([^\\s,]+))?(?:\\s*)?" /* Name. */ \
69  "(?:\\s*,\\s*([^,\\s]+))?(?:\\s*)?" /* Direction. */ \
70  "(.+)?" /* Any remaining data. */
71 static DetectParseRegex parse_regex;
72 
73 static int DetectHostbitMatch (DetectEngineThreadCtx *, Packet *,
74  const Signature *, const SigMatchCtx *);
75 static int DetectHostbitSetup (DetectEngineCtx *, Signature *, const char *);
76 void DetectHostbitFree (DetectEngineCtx *, void *);
77 #ifdef UNITTESTS
78 void HostBitsRegisterTests(void);
79 #endif
80 
81 void DetectHostbitsRegister (void)
82 {
83  sigmatch_table[DETECT_HOSTBITS].name = "hostbits";
84  sigmatch_table[DETECT_HOSTBITS].desc = "operate on host flag";
85 // sigmatch_table[DETECT_HOSTBITS].url = "/rules/flow-keywords.html#flowbits";
86  sigmatch_table[DETECT_HOSTBITS].Match = DetectHostbitMatch;
87  sigmatch_table[DETECT_HOSTBITS].Setup = DetectHostbitSetup;
88  sigmatch_table[DETECT_HOSTBITS].Free = DetectHostbitFree;
89 #ifdef UNITTESTS
90  sigmatch_table[DETECT_HOSTBITS].RegisterTests = HostBitsRegisterTests;
91 #endif
92  /* this is compatible to ip-only signatures */
93  sigmatch_table[DETECT_HOSTBITS].flags |= SIGMATCH_IPONLY_COMPAT;
94 
95  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
96 }
97 
98 static int DetectHostbitMatchToggle (Packet *p, const DetectXbitsData *fd)
99 {
100  switch (fd->tracker) {
101  case DETECT_XBITS_TRACK_IPSRC:
102  if (p->host_src == NULL) {
103  p->host_src = HostGetHostFromHash(&p->src);
104  if (p->host_src == NULL)
105  return 0;
106  }
107  else
108  HostLock(p->host_src);
109 
110  HostBitToggle(p->host_src, fd->idx, SCTIME_ADD_SECS(p->ts, fd->expire));
111  HostUnlock(p->host_src);
112  break;
113  case DETECT_XBITS_TRACK_IPDST:
114  if (p->host_dst == NULL) {
115  p->host_dst = HostGetHostFromHash(&p->dst);
116  if (p->host_dst == NULL)
117  return 0;
118  }
119  else
120  HostLock(p->host_dst);
121 
122  HostBitToggle(p->host_dst, fd->idx, SCTIME_ADD_SECS(p->ts, fd->expire));
123  HostUnlock(p->host_dst);
124  break;
125  }
126  return 1;
127 }
128 
129 /* return true even if bit not found */
130 static int DetectHostbitMatchUnset (Packet *p, const DetectXbitsData *fd)
131 {
132  switch (fd->tracker) {
133  case DETECT_XBITS_TRACK_IPSRC:
134  if (p->host_src == NULL) {
135  p->host_src = HostLookupHostFromHash(&p->src);
136  if (p->host_src == NULL)
137  return 1;
138  } else
139  HostLock(p->host_src);
140 
141  HostBitUnset(p->host_src,fd->idx);
142  HostUnlock(p->host_src);
143  break;
144  case DETECT_XBITS_TRACK_IPDST:
145  if (p->host_dst == NULL) {
146  p->host_dst = HostLookupHostFromHash(&p->dst);
147  if (p->host_dst == NULL)
148  return 1;
149  } else
150  HostLock(p->host_dst);
151 
152  HostBitUnset(p->host_dst,fd->idx);
153  HostUnlock(p->host_dst);
154  break;
155  }
156  return 1;
157 }
158 
159 static int DetectHostbitMatchSet (Packet *p, const DetectXbitsData *fd)
160 {
161  switch (fd->tracker) {
162  case DETECT_XBITS_TRACK_IPSRC:
163  if (p->host_src == NULL) {
164  p->host_src = HostGetHostFromHash(&p->src);
165  if (p->host_src == NULL)
166  return 0;
167  } else
168  HostLock(p->host_src);
169 
170  HostBitSet(p->host_src, fd->idx, SCTIME_ADD_SECS(p->ts, fd->expire));
171  HostUnlock(p->host_src);
172  break;
173  case DETECT_XBITS_TRACK_IPDST:
174  if (p->host_dst == NULL) {
175  p->host_dst = HostGetHostFromHash(&p->dst);
176  if (p->host_dst == NULL)
177  return 0;
178  } else
179  HostLock(p->host_dst);
180 
181  HostBitSet(p->host_dst, fd->idx, SCTIME_ADD_SECS(p->ts, fd->expire));
182  HostUnlock(p->host_dst);
183  break;
184  }
185  return 1;
186 }
187 
188 static int DetectHostbitMatchIsset (Packet *p, const DetectXbitsData *fd)
189 {
190  int r = 0;
191  switch (fd->tracker) {
192  case DETECT_XBITS_TRACK_IPSRC:
193  if (p->host_src == NULL) {
194  p->host_src = HostLookupHostFromHash(&p->src);
195  if (p->host_src == NULL)
196  return 0;
197  } else
198  HostLock(p->host_src);
199 
200  r = HostBitIsset(p->host_src, fd->idx, p->ts);
201  HostUnlock(p->host_src);
202  return r;
203  case DETECT_XBITS_TRACK_IPDST:
204  if (p->host_dst == NULL) {
205  p->host_dst = HostLookupHostFromHash(&p->dst);
206  if (p->host_dst == NULL)
207  return 0;
208  } else
209  HostLock(p->host_dst);
210 
211  r = HostBitIsset(p->host_dst, fd->idx, p->ts);
212  HostUnlock(p->host_dst);
213  return r;
214  }
215  return 0;
216 }
217 
218 static int DetectHostbitMatchIsnotset (Packet *p, const DetectXbitsData *fd)
219 {
220  int r = 0;
221  switch (fd->tracker) {
222  case DETECT_XBITS_TRACK_IPSRC:
223  if (p->host_src == NULL) {
224  p->host_src = HostLookupHostFromHash(&p->src);
225  if (p->host_src == NULL)
226  return 1;
227  } else
228  HostLock(p->host_src);
229 
230  r = HostBitIsnotset(p->host_src, fd->idx, p->ts);
231  HostUnlock(p->host_src);
232  return r;
233  case DETECT_XBITS_TRACK_IPDST:
234  if (p->host_dst == NULL) {
235  p->host_dst = HostLookupHostFromHash(&p->dst);
236  if (p->host_dst == NULL)
237  return 1;
238  } else
239  HostLock(p->host_dst);
240 
241  r = HostBitIsnotset(p->host_dst, fd->idx, p->ts);
242  HostUnlock(p->host_dst);
243  return r;
244  }
245  return 0;
246 }
247 
248 int DetectXbitMatchHost(Packet *p, const DetectXbitsData *xd)
249 {
250  switch (xd->cmd) {
251  case DETECT_XBITS_CMD_ISSET:
252  return DetectHostbitMatchIsset(p,xd);
253  case DETECT_XBITS_CMD_ISNOTSET:
254  return DetectHostbitMatchIsnotset(p,xd);
255  case DETECT_XBITS_CMD_SET:
256  return DetectHostbitMatchSet(p,xd);
257  case DETECT_XBITS_CMD_UNSET:
258  return DetectHostbitMatchUnset(p,xd);
259  case DETECT_XBITS_CMD_TOGGLE:
260  return DetectHostbitMatchToggle(p,xd);
261  default:
262  SCLogError("unknown cmd %" PRIu32 "", xd->cmd);
263  return 0;
264  }
265 
266  return 0;
267 }
268 
269 /*
270  * returns 0: no match
271  * 1: match
272  * -1: error
273  */
274 
275 static int DetectHostbitMatch (DetectEngineThreadCtx *det_ctx, Packet *p,
276  const Signature *s, const SigMatchCtx *ctx)
277 {
278  const DetectXbitsData *xd = (const DetectXbitsData *)ctx;
279  if (xd == NULL)
280  return 0;
281 
282  return DetectXbitMatchHost(p, xd);
283 }
284 
285 static int DetectHostbitParse(const char *str, char *cmd, int cmd_len,
286  char *name, int name_len, char *dir, int dir_len)
287 {
288  int rc;
289  size_t pcre2len;
290 
291  pcre2_match_data *match = NULL;
292  int count = DetectParsePcreExec(&parse_regex, &match, str, 0, 0);
293  if (count != 2 && count != 3 && count != 4) {
294  SCLogError("\"%s\" is not a valid setting for hostbits.", str);
295  goto error;
296  }
297 
298  pcre2len = cmd_len;
299  rc = pcre2_substring_copy_bynumber(match, 1, (PCRE2_UCHAR8 *)cmd, &pcre2len);
300  if (rc < 0) {
301  SCLogError("pcre2_substring_copy_bynumber failed");
302  goto error;
303  }
304 
305  if (count >= 3) {
306  pcre2len = name_len;
307  rc = pcre2_substring_copy_bynumber(match, 2, (PCRE2_UCHAR8 *)name, &pcre2len);
308  if (rc < 0) {
309  SCLogError("pcre2_substring_copy_bynumber failed");
310  goto error;
311  }
312  if (count >= 4) {
313  pcre2len = dir_len;
314  rc = pcre2_substring_copy_bynumber(match, 3, (PCRE2_UCHAR8 *)dir, &pcre2len);
315  if (rc < 0) {
316  SCLogError("pcre2_substring_copy_bynumber failed");
317  goto error;
318  }
319  }
320  }
321 
322  pcre2_match_data_free(match);
323  return 1;
324 
325 error:
326  if (match) {
327  pcre2_match_data_free(match);
328  }
329  return 0;
330 }
331 
332 int DetectHostbitSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
333 {
334  DetectXbitsData *cd = NULL;
335  uint8_t fb_cmd = 0;
336  uint8_t hb_dir = 0;
337  char fb_cmd_str[16] = "", fb_name[256] = "";
338  char hb_dir_str[16] = "";
339 
340  if (!DetectHostbitParse(rawstr, fb_cmd_str, sizeof(fb_cmd_str),
341  fb_name, sizeof(fb_name), hb_dir_str, sizeof(hb_dir_str))) {
342  return -1;
343  }
344 
345  if (strlen(hb_dir_str) > 0) {
346  if (strcmp(hb_dir_str, "src") == 0)
347  hb_dir = DETECT_XBITS_TRACK_IPSRC;
348  else if (strcmp(hb_dir_str, "dst") == 0)
349  hb_dir = DETECT_XBITS_TRACK_IPDST;
350  else if (strcmp(hb_dir_str, "both") == 0) {
351  //hb_dir = DETECT_XBITS_TRACK_IPBOTH;
352  SCLogError("'both' not implemented");
353  goto error;
354  } else {
355  // TODO
356  goto error;
357  }
358  }
359 
360  if (strcmp(fb_cmd_str,"noalert") == 0) {
361  fb_cmd = DETECT_XBITS_CMD_NOALERT;
362  } else if (strcmp(fb_cmd_str,"isset") == 0) {
363  fb_cmd = DETECT_XBITS_CMD_ISSET;
364  } else if (strcmp(fb_cmd_str,"isnotset") == 0) {
365  fb_cmd = DETECT_XBITS_CMD_ISNOTSET;
366  } else if (strcmp(fb_cmd_str,"set") == 0) {
367  fb_cmd = DETECT_XBITS_CMD_SET;
368  } else if (strcmp(fb_cmd_str,"unset") == 0) {
369  fb_cmd = DETECT_XBITS_CMD_UNSET;
370  } else if (strcmp(fb_cmd_str,"toggle") == 0) {
371  fb_cmd = DETECT_XBITS_CMD_TOGGLE;
372  } else {
373  SCLogError("ERROR: flowbits action \"%s\" is not supported.", fb_cmd_str);
374  goto error;
375  }
376 
377  switch (fb_cmd) {
378  case DETECT_XBITS_CMD_NOALERT:
379  if (strlen(fb_name) != 0)
380  goto error;
381  s->action &= ~ACTION_ALERT;
382  return 0;
383  case DETECT_XBITS_CMD_ISNOTSET:
384  case DETECT_XBITS_CMD_ISSET:
385  case DETECT_XBITS_CMD_SET:
386  case DETECT_XBITS_CMD_UNSET:
387  case DETECT_XBITS_CMD_TOGGLE:
388  default:
389  if (strlen(fb_name) == 0)
390  goto error;
391  break;
392  }
393 
394  cd = SCMalloc(sizeof(DetectXbitsData));
395  if (unlikely(cd == NULL))
396  goto error;
397 
398  uint32_t varname_id = VarNameStoreRegister(fb_name, VAR_TYPE_HOST_BIT);
399  if (unlikely(varname_id == 0))
400  goto error;
401  cd->idx = varname_id;
402  cd->cmd = fb_cmd;
403  cd->tracker = hb_dir;
404  cd->type = VAR_TYPE_HOST_BIT;
405  cd->expire = 300;
406 
407  SCLogDebug("idx %" PRIu32 ", cmd %s, name %s",
408  cd->idx, fb_cmd_str, strlen(fb_name) ? fb_name : "(none)");
409 
410  /* Okay so far so good, lets get this into a SigMatch
411  * and put it in the Signature. */
412 
413  switch (fb_cmd) {
414  /* case DETECT_XBITS_CMD_NOALERT can't happen here */
415 
416  case DETECT_XBITS_CMD_ISNOTSET:
417  case DETECT_XBITS_CMD_ISSET:
418  /* checks, so packet list */
419  if (SCSigMatchAppendSMToList(de_ctx, s, DETECT_HOSTBITS, (SigMatchCtx *)cd,
420  DETECT_SM_LIST_MATCH) == NULL) {
421  goto error;
422  }
423  break;
424 
425  case DETECT_XBITS_CMD_SET:
426  case DETECT_XBITS_CMD_UNSET:
427  case DETECT_XBITS_CMD_TOGGLE:
428  /* modifiers, only run when entire sig has matched */
429  if (SCSigMatchAppendSMToList(de_ctx, s, DETECT_HOSTBITS, (SigMatchCtx *)cd,
430  DETECT_SM_LIST_POSTMATCH) == NULL) {
431  goto error;
432  }
433  break;
434 
435  // suppress coverity warning as scan-build-7 warns w/o this.
436  // coverity[deadcode : FALSE]
437  default:
438  goto error;
439  }
440 
441  return 0;
442 
443 error:
444  if (cd != NULL)
445  SCFree(cd);
446  return -1;
447 }
448 
449 void DetectHostbitFree (DetectEngineCtx *de_ctx, void *ptr)
450 {
451  DetectXbitsData *fd = (DetectXbitsData *)ptr;
452 
453  if (fd == NULL)
454  return;
455  VarNameStoreUnregister(fd->idx, VAR_TYPE_HOST_BIT);
456 
457  SCFree(fd);
458 }
459 
460 #ifdef UNITTESTS
461 
462 static void HostBitsTestSetup(void)
463 {
464  StorageCleanup();
465  StorageInit();
466  HostBitInitCtx();
467  StorageFinalize();
468  HostInitConfig(true);
469 }
470 
471 static void HostBitsTestShutdown(void)
472 {
473  HostShutdown();
474  StorageCleanup();
475 }
476 
477 static int HostBitsTestParse01(void)
478 {
479  char cmd[16] = "", name[256] = "", dir[16] = "";
480 
481  /* No direction. */
482  FAIL_IF(!DetectHostbitParse("isset,name", cmd, sizeof(cmd), name,
483  sizeof(name), dir, sizeof(dir)));
484  FAIL_IF(strcmp(cmd, "isset") != 0);
485  FAIL_IF(strcmp(name, "name") != 0);
486  FAIL_IF(strlen(dir));
487 
488  /* No direction, leading space. */
489  *cmd = '\0';
490  *name = '\0';
491  *dir = '\0';
492  FAIL_IF(!DetectHostbitParse("isset, name", cmd, sizeof(cmd), name,
493  sizeof(name), dir, sizeof(dir)));
494  FAIL_IF(strcmp(cmd, "isset") != 0);
495  FAIL_IF(strcmp(name, "name") != 0);
496 
497  /* No direction, trailing space. */
498  *cmd = '\0';
499  *name = '\0';
500  *dir = '\0';
501  FAIL_IF(!DetectHostbitParse("isset,name ", cmd, sizeof(cmd), name,
502  sizeof(name), dir, sizeof(dir)));
503  FAIL_IF(strcmp(cmd, "isset") != 0);
504  FAIL_IF(strcmp(name, "name") != 0);
505 
506  /* No direction, leading and trailing space. */
507  *cmd = '\0';
508  *name = '\0';
509  *dir = '\0';
510  FAIL_IF(!DetectHostbitParse("isset, name ", cmd, sizeof(cmd), name,
511  sizeof(name), dir, sizeof(dir)));
512  FAIL_IF(strcmp(cmd, "isset") != 0);
513  FAIL_IF(strcmp(name, "name") != 0);
514 
515  /* With direction. */
516  *cmd = '\0';
517  *name = '\0';
518  *dir = '\0';
519  FAIL_IF(!DetectHostbitParse("isset,name,src", cmd, sizeof(cmd), name,
520  sizeof(name), dir, sizeof(dir)));
521  FAIL_IF(strcmp(cmd, "isset") != 0);
522  FAIL_IF(strcmp(name, "name") != 0);
523  FAIL_IF(strcmp(dir, "src") != 0);
524 
525  /* With direction - leading and trailing spaces on name. */
526  *cmd = '\0';
527  *name = '\0';
528  *dir = '\0';
529  FAIL_IF(!DetectHostbitParse("isset, name ,src", cmd, sizeof(cmd), name,
530  sizeof(name), dir, sizeof(dir)));
531  FAIL_IF(strcmp(cmd, "isset") != 0);
532  FAIL_IF(strcmp(name, "name") != 0);
533  FAIL_IF(strcmp(dir, "src") != 0);
534 
535  /* With direction - space around direction. */
536  *cmd = '\0';
537  *name = '\0';
538  *dir = '\0';
539  FAIL_IF(!DetectHostbitParse("isset, name , src ", cmd, sizeof(cmd), name,
540  sizeof(name), dir, sizeof(dir)));
541  FAIL_IF(strcmp(cmd, "isset") != 0);
542  FAIL_IF(strcmp(name, "name") != 0);
543  FAIL_IF(strcmp(dir, "src") != 0);
544 
545  /* Name with space, no direction - should fail. */
546  *cmd = '\0';
547  *name = '\0';
548  *dir = '\0';
549  FAIL_IF(DetectHostbitParse("isset, name withspace ", cmd, sizeof(cmd), name,
550  sizeof(name), dir, sizeof(dir)));
551 
552  PASS;
553 }
554 
555 /**
556  * \test HostBitsTestSig01 is a test for a valid noalert flowbits option
557  *
558  * \retval 1 on success
559  * \retval 0 on failure
560  */
561 
562 static int HostBitsTestSig01(void)
563 {
564  uint8_t *buf = (uint8_t *)
565  "GET /one/ HTTP/1.1\r\n"
566  "Host: one.example.org\r\n"
567  "\r\n";
568  uint16_t buflen = strlen((char *)buf);
569  Packet *p = PacketGetFromAlloc();
570  FAIL_IF_NULL(p);
571  Signature *s = NULL;
572  ThreadVars th_v;
573  DetectEngineThreadCtx *det_ctx = NULL;
574  DetectEngineCtx *de_ctx = NULL;
575 
576  memset(&th_v, 0, sizeof(th_v));
577  p->src.family = AF_INET;
578  p->dst.family = AF_INET;
579  p->payload = buf;
580  p->payload_len = buflen;
581  p->proto = IPPROTO_TCP;
582 
583  HostBitsTestSetup();
584 
585  de_ctx = DetectEngineCtxInit();
586  FAIL_IF_NULL(de_ctx);
587 
588  de_ctx->flags |= DE_QUIET;
589 
590  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (hostbits:set,abc; content:\"GET \"; sid:1;)");
591  FAIL_IF_NULL(s);
592 
593  SigGroupBuild(de_ctx);
594  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
595 
596  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
597 
598  PacketFree(p);
599  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
600  DetectEngineCtxFree(de_ctx);
601  HostBitsTestShutdown();
602  StatsThreadCleanup(&th_v);
603  PASS;
604 }
605 
606 /**
607  * \test various options
608  *
609  * \retval 1 on success
610  * \retval 0 on failure
611  */
612 
613 static int HostBitsTestSig02(void)
614 {
615  Signature *s = NULL;
616  ThreadVars th_v;
617  DetectEngineCtx *de_ctx = NULL;
618 
619  memset(&th_v, 0, sizeof(th_v));
620 
621  de_ctx = DetectEngineCtxInit();
622  FAIL_IF_NULL(de_ctx);
623 
624  de_ctx->flags |= DE_QUIET;
625 
626  s = DetectEngineAppendSig(de_ctx,
627  "alert ip any any -> any any (hostbits:isset,abc,src; content:\"GET \"; sid:1;)");
628  FAIL_IF_NULL(s);
629 
630  s = DetectEngineAppendSig(de_ctx,
631  "alert ip any any -> any any (hostbits:isnotset,abc,dst; content:\"GET \"; sid:2;)");
632  FAIL_IF_NULL(s);
633 
634  s = DetectEngineAppendSig(de_ctx,
635  "alert ip any any -> any any (hostbits:!isset,abc,dst; content:\"GET \"; sid:3;)");
636  FAIL_IF_NOT_NULL(s);
637 
638 /* TODO reenable after both is supported
639  s = DetectEngineAppendSig(de_ctx,
640  "alert ip any any -> any any (hostbits:set,abc,both; content:\"GET \"; sid:3;)");
641  FAIL_IF_NULL(s);
642 */
643  s = DetectEngineAppendSig(de_ctx,
644  "alert ip any any -> any any (hostbits:unset,abc,src; content:\"GET \"; sid:4;)");
645  FAIL_IF_NULL(s);
646 
647  s = DetectEngineAppendSig(de_ctx,
648  "alert ip any any -> any any (hostbits:toggle,abc,dst; content:\"GET \"; sid:5;)");
649  FAIL_IF_NULL(s);
650 
651  DetectEngineCtxFree(de_ctx);
652  PASS;
653 }
654 
655 /**
656  * \test HostBitsTestSig03 is a test check idx value
657  *
658  * \retval 1 on success
659  * \retval 0 on failure
660  */
661 
662 static int HostBitsTestSig03(void)
663 {
664  uint8_t *buf = (uint8_t *)
665  "GET /one/ HTTP/1.1\r\n"
666  "Host: one.example.org\r\n"
667  "\r\n";
668  uint16_t buflen = strlen((char *)buf);
669  Packet *p = PacketGetFromAlloc();
670  if (unlikely(p == NULL))
671  return 0;
672  Signature *s = NULL;
673  ThreadVars th_v;
674  DetectEngineThreadCtx *det_ctx = NULL;
675  DetectEngineCtx *de_ctx = NULL;
676  int idx = 0;
677 
678  memset(&th_v, 0, sizeof(th_v));
679  p->src.family = AF_INET;
680  p->dst.family = AF_INET;
681  p->payload = buf;
682  p->payload_len = buflen;
683  p->proto = IPPROTO_TCP;
684 
685  HostBitsTestSetup();
686 
687  de_ctx = DetectEngineCtxInit();
688  FAIL_IF_NULL(de_ctx);
689 
690  de_ctx->flags |= DE_QUIET;
691 
692  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"isset option\"; hostbits:isset,fbt; content:\"GET \"; sid:1;)");
693  FAIL_IF_NULL(s);
694 
695  idx = VarNameStoreRegister("fbt", VAR_TYPE_HOST_BIT);
696  FAIL_IF(idx == 0);
697 
698  SigGroupBuild(de_ctx);
699  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
700 
701  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
702 
703  PacketFree(p);
704  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
705  DetectEngineCtxFree(de_ctx);
706  HostBitsTestShutdown();
707  StatsThreadCleanup(&th_v);
708  PASS;
709 }
710 
711 /**
712  * \brief this function registers unit tests for HostBits
713  */
714 void HostBitsRegisterTests(void)
715 {
716  UtRegisterTest("HostBitsTestParse01", HostBitsTestParse01);
717  UtRegisterTest("HostBitsTestSig01", HostBitsTestSig01);
718  UtRegisterTest("HostBitsTestSig02", HostBitsTestSig02);
719  UtRegisterTest("HostBitsTestSig03", HostBitsTestSig03);
720 }
721 #endif /* UNITTESTS */
HostUnlock
void HostUnlock(Host *h)
Definition: host.c:472
Packet_::proto
uint8_t proto
Definition: decode.h:523
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SigTableElmt_::desc
const char * desc
Definition: detect.h:1459
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:79
DetectXbitsData_::expire
uint32_t expire
Definition: detect-xbits.h:45
StorageInit
void StorageInit(void)
Definition: util-storage.c:70
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1444
flow-util.h
DetectParseRegex
Definition: detect-parse.h:93
SigTableElmt_::name
const char * name
Definition: detect.h:1457
HostBitsRegisterTests
void HostBitsRegisterTests(void)
this function registers unit tests for HostBits
Definition: detect-hostbits.c:714
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
Packet_::host_src
struct Host_ * host_src
Definition: decode.h:622
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SigTableElmt_::flags
uint32_t flags
Definition: detect.h:1448
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:279
Packet_::payload
uint8_t * payload
Definition: decode.h:605
action-globals.h
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-hostbits.c:66
threads.h
ctx
struct Thresholds ctx
HostBitSet
void HostBitSet(Host *h, uint32_t idx, SCTime_t expire)
Definition: host-bit.c:131
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:932
DetectXbitsData_::cmd
uint8_t cmd
Definition: detect-xbits.h:43
HostGetHostFromHash
Host * HostGetHostFromHash(Address *a)
Definition: host.c:486
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2634
StorageCleanup
void StorageCleanup(void)
Definition: util-storage.c:78
flow-bit.h
util-var-name.h
DETECT_XBITS_TRACK_IPDST
#define DETECT_XBITS_TRACK_IPDST
Definition: detect-xbits.h:35
DE_QUIET
#define DE_QUIET
Definition: detect.h:330
DetectHostbitsRegister
void DetectHostbitsRegister(void)
Definition: detect-hostbits.c:81
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:2416
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
Definition: detect-parse.c:3493
VarNameStoreRegister
uint32_t VarNameStoreRegister(const char *name, const enum VarTypes type)
Definition: util-var-name.c:155
Packet_::host_dst
struct Host_ * host_dst
Definition: decode.h:623
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:3439
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1439
HostBitInitCtx
void HostBitInitCtx(void)
Definition: host-bit.c:49
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:606
DetectXbitsData_
Definition: detect-xbits.h:41
util-unittest.h
DETECT_HOSTBITS
@ DETECT_HOSTBITS
Definition: detect-engine-register.h:63
DETECT_SM_LIST_POSTMATCH
@ DETECT_SM_LIST_POSTMATCH
Definition: detect.h:127
DetectXbitMatchHost
int DetectXbitMatchHost(Packet *p, const DetectXbitsData *xd)
Definition: detect-hostbits.c:248
DETECT_XBITS_CMD_ISNOTSET
#define DETECT_XBITS_CMD_ISNOTSET
Definition: detect-xbits.h:30
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
DetectEngineThreadCtx_
Definition: detect.h:1244
Packet_::ts
SCTime_t ts
Definition: decode.h:555
HostBitUnset
void HostBitUnset(Host *h, uint32_t idx)
Definition: host-bit.c:139
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:3619
detect-engine-mpm.h
SCSigMatchAppendSMToList
SigMatch * SCSigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:388
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3364
VarNameStoreUnregister
void VarNameStoreUnregister(const uint32_t id, const enum VarTypes type)
Definition: util-var-name.c:204
PacketFree
void PacketFree(Packet *p)
Return a malloced packet.
Definition: decode.c:223
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:117
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:3097
app-layer-parser.h
HostLock
void HostLock(Host *h)
Definition: host.c:467
Signature_::action
uint8_t action
Definition: detect.h:683
DetectXbitsData_::type
enum VarTypes type
Definition: detect-xbits.h:47
ACTION_ALERT
#define ACTION_ALERT
Definition: action-globals.h:29
Packet_
Definition: decode.h:501
detect-engine-build.h
StorageFinalize
int StorageFinalize(void)
Definition: util-storage.c:140
name
const char * name
Definition: tm-threads.c:2163
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1419
HostBitIsset
int HostBitIsset(Host *h, uint32_t idx, SCTime_t ts)
Definition: host-bit.c:157
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2194
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:351
HostBitToggle
void HostBitToggle(Host *h, uint32_t idx, SCTime_t expire)
Definition: host-bit.c:147
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3596
util-spm.h
DetectXbitsData_::idx
uint32_t idx
Definition: detect-xbits.h:42
HostBitIsnotset
int HostBitIsnotset(Host *h, uint32_t idx, SCTime_t ts)
Definition: host-bit.c:170
HostShutdown
void HostShutdown(void)
shutdown the flow engine
Definition: host.c:296
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:941
detect-hostbits.h
VAR_TYPE_HOST_BIT
@ VAR_TYPE_HOST_BIT
Definition: util-var.h:41
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:262
detect-engine-sigorder.h
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
DetectXbitsData_::tracker
uint8_t tracker
Definition: detect-xbits.h:44
str
#define str(s)
Definition: suricata-common.h:308
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:271
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DETECT_XBITS_TRACK_IPSRC
#define DETECT_XBITS_TRACK_IPSRC
Definition: detect-xbits.h:34
detect-parse.h
Signature_
Signature container.
Definition: detect.h:668
DETECT_XBITS_CMD_NOALERT
#define DETECT_XBITS_CMD_NOALERT
Definition: detect-xbits.h:32
DETECT_XBITS_CMD_ISSET
#define DETECT_XBITS_CMD_ISSET
Definition: detect-xbits.h:31
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2595
HostLookupHostFromHash
Host * HostLookupHostFromHash(Address *a)
look up a host in the hash
Definition: host.c:585
Address_::family
char family
Definition: decode.h:113
Packet_::dst
Address dst
Definition: decode.h:506
HostInitConfig
void HostInitConfig(bool quiet)
initialize the configuration
Definition: host.c:168
DETECT_XBITS_CMD_SET
#define DETECT_XBITS_CMD_SET
Definition: detect-xbits.h:27
DetectHostbitFree
void DetectHostbitFree(DetectEngineCtx *, void *)
Definition: detect-hostbits.c:449
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:934
DETECT_XBITS_CMD_TOGGLE
#define DETECT_XBITS_CMD_TOGGLE
Definition: detect-xbits.h:28
flow.h
DETECT_XBITS_CMD_UNSET
#define DETECT_XBITS_CMD_UNSET
Definition: detect-xbits.h:29
SCTIME_ADD_SECS
#define SCTIME_ADD_SECS(ts, s)
Definition: util-time.h:64
StatsThreadCleanup
void StatsThreadCleanup(ThreadVars *tv)
Definition: counters.c:1324
SIGMATCH_IPONLY_COMPAT
#define SIGMATCH_IPONLY_COMPAT
Definition: detect.h:1651
Packet_::src
Address src
Definition: decode.h:505
host-bit.h
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1446