suricata
detect-hostbits.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Implements the hostbits keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 #include "detect.h"
29 #include "threads.h"
30 #include "flow.h"
31 #include "flow-util.h"
32 #include "detect-hostbits.h"
33 #include "util-spm.h"
34 
35 #include "detect-engine-sigorder.h"
36 
37 #include "app-layer-parser.h"
38 
39 #include "detect-parse.h"
40 #include "detect-engine.h"
41 #include "detect-engine-mpm.h"
42 #include "detect-engine-state.h"
43 
44 #include "flow-bit.h"
45 #include "host-bit.h"
46 #include "util-var-name.h"
47 #include "util-unittest.h"
48 #include "util-debug.h"
49 
50 /*
51  hostbits:isset,bitname;
52  hostbits:set,bitname;
53 
54  hostbits:set,bitname,src;
55  hostbits:set,bitname,dst;
56 TODO:
57  hostbits:set,bitname,both;
58 
59  hostbits:set,bitname,src,3600;
60  hostbits:set,bitname,dst,60;
61  hostbits:set,bitname,both,120;
62  */
63 
64 #define PARSE_REGEX "^([a-z]+)" /* Action */ \
65  "(?:\\s*,\\s*([^\\s,]+))?(?:\\s*)?" /* Name. */ \
66  "(?:\\s*,\\s*([^,\\s]+))?(?:\\s*)?" /* Direction. */ \
67  "(.+)?" /* Any remainding data. */
68 static DetectParseRegex parse_regex;
69 
70 static int DetectHostbitMatch (DetectEngineThreadCtx *, Packet *,
71  const Signature *, const SigMatchCtx *);
72 static int DetectHostbitSetup (DetectEngineCtx *, Signature *, const char *);
73 void DetectHostbitFree (void *);
74 void HostBitsRegisterTests(void);
75 
76 void DetectHostbitsRegister (void)
77 {
78  sigmatch_table[DETECT_HOSTBITS].name = "hostbits";
79  sigmatch_table[DETECT_HOSTBITS].desc = "operate on host flag";
80 // sigmatch_table[DETECT_HOSTBITS].url = DOC_URL DOC_VERSION "/rules/flow-keywords.html#flowbits";
81  sigmatch_table[DETECT_HOSTBITS].Match = DetectHostbitMatch;
82  sigmatch_table[DETECT_HOSTBITS].Setup = DetectHostbitSetup;
83  sigmatch_table[DETECT_HOSTBITS].Free = DetectHostbitFree;
84  sigmatch_table[DETECT_HOSTBITS].RegisterTests = HostBitsRegisterTests;
85  /* this is compatible to ip-only signatures */
86  sigmatch_table[DETECT_HOSTBITS].flags |= SIGMATCH_IPONLY_COMPAT;
87 
88  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
89 }
90 
91 static int DetectHostbitMatchToggle (Packet *p, const DetectXbitsData *fd)
92 {
93  switch (fd->tracker) {
94  case DETECT_XBITS_TRACK_IPSRC:
95  if (p->host_src == NULL) {
96  p->host_src = HostGetHostFromHash(&p->src);
97  if (p->host_src == NULL)
98  return 0;
99  }
100  else
101  HostLock(p->host_src);
102 
103  HostBitToggle(p->host_src,fd->idx,p->ts.tv_sec + fd->expire);
104  HostUnlock(p->host_src);
105  break;
106  case DETECT_XBITS_TRACK_IPDST:
107  if (p->host_dst == NULL) {
108  p->host_dst = HostGetHostFromHash(&p->dst);
109  if (p->host_dst == NULL)
110  return 0;
111  }
112  else
113  HostLock(p->host_dst);
114 
115  HostBitToggle(p->host_dst,fd->idx,p->ts.tv_sec + fd->expire);
116  HostUnlock(p->host_dst);
117  break;
118  }
119  return 1;
120 }
121 
122 /* return true even if bit not found */
123 static int DetectHostbitMatchUnset (Packet *p, const DetectXbitsData *fd)
124 {
125  switch (fd->tracker) {
126  case DETECT_XBITS_TRACK_IPSRC:
127  if (p->host_src == NULL) {
128  p->host_src = HostLookupHostFromHash(&p->src);
129  if (p->host_src == NULL)
130  return 1;
131  } else
132  HostLock(p->host_src);
133 
134  HostBitUnset(p->host_src,fd->idx);
135  HostUnlock(p->host_src);
136  break;
137  case DETECT_XBITS_TRACK_IPDST:
138  if (p->host_dst == NULL) {
139  p->host_dst = HostLookupHostFromHash(&p->dst);
140  if (p->host_dst == NULL)
141  return 1;
142  } else
143  HostLock(p->host_dst);
144 
145  HostBitUnset(p->host_dst,fd->idx);
146  HostUnlock(p->host_dst);
147  break;
148  }
149  return 1;
150 }
151 
152 static int DetectHostbitMatchSet (Packet *p, const DetectXbitsData *fd)
153 {
154  switch (fd->tracker) {
155  case DETECT_XBITS_TRACK_IPSRC:
156  if (p->host_src == NULL) {
157  p->host_src = HostGetHostFromHash(&p->src);
158  if (p->host_src == NULL)
159  return 0;
160  } else
161  HostLock(p->host_src);
162 
163  HostBitSet(p->host_src,fd->idx,p->ts.tv_sec + fd->expire);
164  HostUnlock(p->host_src);
165  break;
166  case DETECT_XBITS_TRACK_IPDST:
167  if (p->host_dst == NULL) {
168  p->host_dst = HostGetHostFromHash(&p->dst);
169  if (p->host_dst == NULL)
170  return 0;
171  } else
172  HostLock(p->host_dst);
173 
174  HostBitSet(p->host_dst,fd->idx, p->ts.tv_sec + fd->expire);
175  HostUnlock(p->host_dst);
176  break;
177  }
178  return 1;
179 }
180 
181 static int DetectHostbitMatchIsset (Packet *p, const DetectXbitsData *fd)
182 {
183  int r = 0;
184  switch (fd->tracker) {
185  case DETECT_XBITS_TRACK_IPSRC:
186  if (p->host_src == NULL) {
187  p->host_src = HostLookupHostFromHash(&p->src);
188  if (p->host_src == NULL)
189  return 0;
190  } else
191  HostLock(p->host_src);
192 
193  r = HostBitIsset(p->host_src,fd->idx, p->ts.tv_sec);
194  HostUnlock(p->host_src);
195  return r;
196  case DETECT_XBITS_TRACK_IPDST:
197  if (p->host_dst == NULL) {
198  p->host_dst = HostLookupHostFromHash(&p->dst);
199  if (p->host_dst == NULL)
200  return 0;
201  } else
202  HostLock(p->host_dst);
203 
204  r = HostBitIsset(p->host_dst,fd->idx, p->ts.tv_sec);
205  HostUnlock(p->host_dst);
206  return r;
207  }
208  return 0;
209 }
210 
211 static int DetectHostbitMatchIsnotset (Packet *p, const DetectXbitsData *fd)
212 {
213  int r = 0;
214  switch (fd->tracker) {
215  case DETECT_XBITS_TRACK_IPSRC:
216  if (p->host_src == NULL) {
217  p->host_src = HostLookupHostFromHash(&p->src);
218  if (p->host_src == NULL)
219  return 1;
220  } else
221  HostLock(p->host_src);
222 
223  r = HostBitIsnotset(p->host_src,fd->idx, p->ts.tv_sec);
224  HostUnlock(p->host_src);
225  return r;
226  case DETECT_XBITS_TRACK_IPDST:
227  if (p->host_dst == NULL) {
228  p->host_dst = HostLookupHostFromHash(&p->dst);
229  if (p->host_dst == NULL)
230  return 1;
231  } else
232  HostLock(p->host_dst);
233 
234  r = HostBitIsnotset(p->host_dst,fd->idx, p->ts.tv_sec);
235  HostUnlock(p->host_dst);
236  return r;
237  }
238  return 0;
239 }
240 
241 int DetectXbitMatchHost(Packet *p, const DetectXbitsData *xd)
242 {
243  switch (xd->cmd) {
244  case DETECT_XBITS_CMD_ISSET:
245  return DetectHostbitMatchIsset(p,xd);
246  case DETECT_XBITS_CMD_ISNOTSET:
247  return DetectHostbitMatchIsnotset(p,xd);
248  case DETECT_XBITS_CMD_SET:
249  return DetectHostbitMatchSet(p,xd);
250  case DETECT_XBITS_CMD_UNSET:
251  return DetectHostbitMatchUnset(p,xd);
252  case DETECT_XBITS_CMD_TOGGLE:
253  return DetectHostbitMatchToggle(p,xd);
254  default:
255  SCLogError(SC_ERR_UNKNOWN_VALUE, "unknown cmd %" PRIu32 "", xd->cmd);
256  return 0;
257  }
258 
259  return 0;
260 }
261 
262 /*
263  * returns 0: no match
264  * 1: match
265  * -1: error
266  */
267 
268 static int DetectHostbitMatch (DetectEngineThreadCtx *det_ctx, Packet *p,
269  const Signature *s, const SigMatchCtx *ctx)
270 {
271  const DetectXbitsData *xd = (const DetectXbitsData *)ctx;
272  if (xd == NULL)
273  return 0;
274 
275  return DetectXbitMatchHost(p, xd);
276 }
277 
278 static int DetectHostbitParse(const char *str, char *cmd, int cmd_len,
279  char *name, int name_len, char *dir, int dir_len)
280 {
281  const int max_substrings = 30;
282  int count, rc;
283  int ov[max_substrings];
284 
285  count = DetectParsePcreExec(&parse_regex, str, 0, 0, ov, max_substrings);
286  if (count != 2 && count != 3 && count != 4) {
287  SCLogError(SC_ERR_PCRE_MATCH,
288  "\"%s\" is not a valid setting for hostbits.", str);
289  return 0;
290  }
291 
292  rc = pcre_copy_substring((char *)str, ov, max_substrings, 1, cmd, cmd_len);
293  if (rc < 0) {
294  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
295  return 0;
296  }
297 
298  if (count >= 3) {
299  rc = pcre_copy_substring((char *)str, ov, max_substrings, 2, name,
300  name_len);
301  if (rc < 0) {
302  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
303  return 0;
304  }
305  if (count >= 4) {
306  rc = pcre_copy_substring((char *)str, ov, max_substrings, 3, dir,
307  dir_len);
308  if (rc < 0) {
309  SCLogError(SC_ERR_PCRE_GET_SUBSTRING,
310  "pcre_copy_substring failed");
311  return 0;
312  }
313  }
314  }
315 
316  return 1;
317 }
318 
319 int DetectHostbitSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
320 {
321  DetectXbitsData *cd = NULL;
322  SigMatch *sm = NULL;
323  uint8_t fb_cmd = 0;
324  uint8_t hb_dir = 0;
325  char fb_cmd_str[16] = "", fb_name[256] = "";
326  char hb_dir_str[16] = "";
327 
328  if (!DetectHostbitParse(rawstr, fb_cmd_str, sizeof(fb_cmd_str),
329  fb_name, sizeof(fb_name), hb_dir_str, sizeof(hb_dir_str))) {
330  return -1;
331  }
332 
333  if (strlen(hb_dir_str) > 0) {
334  if (strcmp(hb_dir_str, "src") == 0)
335  hb_dir = DETECT_XBITS_TRACK_IPSRC;
336  else if (strcmp(hb_dir_str, "dst") == 0)
337  hb_dir = DETECT_XBITS_TRACK_IPDST;
338  else if (strcmp(hb_dir_str, "both") == 0) {
339  //hb_dir = DETECT_XBITS_TRACK_IPBOTH;
340  SCLogError(SC_ERR_UNIMPLEMENTED, "'both' not implemented");
341  goto error;
342  } else {
343  // TODO
344  goto error;
345  }
346  }
347 
348  if (strcmp(fb_cmd_str,"noalert") == 0) {
349  fb_cmd = DETECT_XBITS_CMD_NOALERT;
350  } else if (strcmp(fb_cmd_str,"isset") == 0) {
351  fb_cmd = DETECT_XBITS_CMD_ISSET;
352  } else if (strcmp(fb_cmd_str,"isnotset") == 0) {
353  fb_cmd = DETECT_XBITS_CMD_ISNOTSET;
354  } else if (strcmp(fb_cmd_str,"set") == 0) {
355  fb_cmd = DETECT_XBITS_CMD_SET;
356  } else if (strcmp(fb_cmd_str,"unset") == 0) {
357  fb_cmd = DETECT_XBITS_CMD_UNSET;
358  } else if (strcmp(fb_cmd_str,"toggle") == 0) {
359  fb_cmd = DETECT_XBITS_CMD_TOGGLE;
360  } else {
361  SCLogError(SC_ERR_UNKNOWN_VALUE, "ERROR: flowbits action \"%s\" is not supported.", fb_cmd_str);
362  goto error;
363  }
364 
365  switch (fb_cmd) {
366  case DETECT_XBITS_CMD_NOALERT:
367  if (strlen(fb_name) != 0)
368  goto error;
369  s->flags |= SIG_FLAG_NOALERT;
370  return 0;
371  case DETECT_XBITS_CMD_ISNOTSET:
372  case DETECT_XBITS_CMD_ISSET:
373  case DETECT_XBITS_CMD_SET:
374  case DETECT_XBITS_CMD_UNSET:
375  case DETECT_XBITS_CMD_TOGGLE:
376  default:
377  if (strlen(fb_name) == 0)
378  goto error;
379  break;
380  }
381 
382  cd = SCMalloc(sizeof(DetectXbitsData));
383  if (unlikely(cd == NULL))
384  goto error;
385 
386  cd->idx = VarNameStoreSetupAdd(fb_name, VAR_TYPE_HOST_BIT);
387  cd->cmd = fb_cmd;
388  cd->tracker = hb_dir;
389  cd->type = VAR_TYPE_HOST_BIT;
390  cd->expire = 300;
391 
392  SCLogDebug("idx %" PRIu32 ", cmd %s, name %s",
393  cd->idx, fb_cmd_str, strlen(fb_name) ? fb_name : "(none)");
394 
395  /* Okay so far so good, lets get this into a SigMatch
396  * and put it in the Signature. */
397  sm = SigMatchAlloc();
398  if (sm == NULL)
399  goto error;
400 
401  sm->type = DETECT_HOSTBITS;
402  sm->ctx = (void *)cd;
403 
404  switch (fb_cmd) {
405  /* case DETECT_XBITS_CMD_NOALERT can't happen here */
406 
407  case DETECT_XBITS_CMD_ISNOTSET:
408  case DETECT_XBITS_CMD_ISSET:
409  /* checks, so packet list */
410  SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_MATCH);
411  break;
412 
413  case DETECT_XBITS_CMD_SET:
414  case DETECT_XBITS_CMD_UNSET:
415  case DETECT_XBITS_CMD_TOGGLE:
416  /* modifiers, only run when entire sig has matched */
417  SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_POSTMATCH);
418  break;
419 
420  // suppress coverity warning as scan-build-7 warns w/o this.
421  // coverity[deadcode : FALSE]
422  default:
423  goto error;
424  }
425 
426  return 0;
427 
428 error:
429  if (cd != NULL)
430  SCFree(cd);
431  if (sm != NULL)
432  SCFree(sm);
433  return -1;
434 }
435 
436 void DetectHostbitFree (void *ptr)
437 {
438  DetectXbitsData *fd = (DetectXbitsData *)ptr;
439 
440  if (fd == NULL)
441  return;
442 
443  SCFree(fd);
444 }
445 
446 #ifdef UNITTESTS
447 
448 static void HostBitsTestSetup(void)
449 {
450  StorageInit();
451  HostBitInitCtx();
452  StorageFinalize();
453  HostInitConfig(TRUE);
454 }
455 
456 static void HostBitsTestShutdown(void)
457 {
458  HostCleanup();
459  StorageCleanup();
460 }
461 
462 static int HostBitsTestParse01(void)
463 {
464  char cmd[16] = "", name[256] = "", dir[16] = "";
465 
466  /* No direction. */
467  FAIL_IF(!DetectHostbitParse("isset,name", cmd, sizeof(cmd), name,
468  sizeof(name), dir, sizeof(dir)));
469  FAIL_IF(strcmp(cmd, "isset") != 0);
470  FAIL_IF(strcmp(name, "name") != 0);
471  FAIL_IF(strlen(dir));
472 
473  /* No direction, leading space. */
474  *cmd = '\0';
475  *name = '\0';
476  *dir = '\0';
477  FAIL_IF(!DetectHostbitParse("isset, name", cmd, sizeof(cmd), name,
478  sizeof(name), dir, sizeof(dir)));
479  FAIL_IF(strcmp(cmd, "isset") != 0);
480  FAIL_IF(strcmp(name, "name") != 0);
481 
482  /* No direction, trailing space. */
483  *cmd = '\0';
484  *name = '\0';
485  *dir = '\0';
486  FAIL_IF(!DetectHostbitParse("isset,name ", cmd, sizeof(cmd), name,
487  sizeof(name), dir, sizeof(dir)));
488  FAIL_IF(strcmp(cmd, "isset") != 0);
489  FAIL_IF(strcmp(name, "name") != 0);
490 
491  /* No direction, leading and trailing space. */
492  *cmd = '\0';
493  *name = '\0';
494  *dir = '\0';
495  FAIL_IF(!DetectHostbitParse("isset, name ", cmd, sizeof(cmd), name,
496  sizeof(name), dir, sizeof(dir)));
497  FAIL_IF(strcmp(cmd, "isset") != 0);
498  FAIL_IF(strcmp(name, "name") != 0);
499 
500  /* With direction. */
501  *cmd = '\0';
502  *name = '\0';
503  *dir = '\0';
504  FAIL_IF(!DetectHostbitParse("isset,name,src", cmd, sizeof(cmd), name,
505  sizeof(name), dir, sizeof(dir)));
506  FAIL_IF(strcmp(cmd, "isset") != 0);
507  FAIL_IF(strcmp(name, "name") != 0);
508  FAIL_IF(strcmp(dir, "src") != 0);
509 
510  /* With direction - leading and trailing spaces on name. */
511  *cmd = '\0';
512  *name = '\0';
513  *dir = '\0';
514  FAIL_IF(!DetectHostbitParse("isset, name ,src", cmd, sizeof(cmd), name,
515  sizeof(name), dir, sizeof(dir)));
516  FAIL_IF(strcmp(cmd, "isset") != 0);
517  FAIL_IF(strcmp(name, "name") != 0);
518  FAIL_IF(strcmp(dir, "src") != 0);
519 
520  /* With direction - space around direction. */
521  *cmd = '\0';
522  *name = '\0';
523  *dir = '\0';
524  FAIL_IF(!DetectHostbitParse("isset, name , src ", cmd, sizeof(cmd), name,
525  sizeof(name), dir, sizeof(dir)));
526  FAIL_IF(strcmp(cmd, "isset") != 0);
527  FAIL_IF(strcmp(name, "name") != 0);
528  FAIL_IF(strcmp(dir, "src") != 0);
529 
530  /* Name with space, no direction - should fail. */
531  *cmd = '\0';
532  *name = '\0';
533  *dir = '\0';
534  FAIL_IF(DetectHostbitParse("isset, name withspace ", cmd, sizeof(cmd), name,
535  sizeof(name), dir, sizeof(dir)));
536 
537  PASS;
538 }
539 
540 /**
541  * \test HostBitsTestSig01 is a test for a valid noalert flowbits option
542  *
543  * \retval 1 on succces
544  * \retval 0 on failure
545  */
546 
547 static int HostBitsTestSig01(void)
548 {
549  uint8_t *buf = (uint8_t *)
550  "GET /one/ HTTP/1.1\r\n"
551  "Host: one.example.org\r\n"
552  "\r\n";
553  uint16_t buflen = strlen((char *)buf);
554  Packet *p = SCMalloc(SIZE_OF_PACKET);
555  FAIL_IF_NULL(p);
556  Signature *s = NULL;
557  ThreadVars th_v;
558  DetectEngineThreadCtx *det_ctx = NULL;
559  DetectEngineCtx *de_ctx = NULL;
560 
561  memset(&th_v, 0, sizeof(th_v));
562  memset(p, 0, SIZE_OF_PACKET);
563  p->src.family = AF_INET;
564  p->dst.family = AF_INET;
565  p->payload = buf;
566  p->payload_len = buflen;
567  p->proto = IPPROTO_TCP;
568 
569  HostBitsTestSetup();
570 
571  de_ctx = DetectEngineCtxInit();
572  FAIL_IF_NULL(de_ctx);
573 
574  de_ctx->flags |= DE_QUIET;
575 
576  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (hostbits:set,abc; content:\"GET \"; sid:1;)");
577  FAIL_IF_NULL(s);
578 
579  SigGroupBuild(de_ctx);
580  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
581 
582  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
583 
584  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
585  DetectEngineCtxFree(de_ctx);
586  HostBitsTestShutdown();
587 
588  SCFree(p);
589  PASS;
590 }
591 
592 /**
593  * \test various options
594  *
595  * \retval 1 on succces
596  * \retval 0 on failure
597  */
598 
599 static int HostBitsTestSig02(void)
600 {
601  Signature *s = NULL;
602  ThreadVars th_v;
603  DetectEngineCtx *de_ctx = NULL;
604 
605  memset(&th_v, 0, sizeof(th_v));
606 
607  de_ctx = DetectEngineCtxInit();
608  FAIL_IF_NULL(de_ctx);
609 
610  de_ctx->flags |= DE_QUIET;
611 
612  s = DetectEngineAppendSig(de_ctx,
613  "alert ip any any -> any any (hostbits:isset,abc,src; content:\"GET \"; sid:1;)");
614  FAIL_IF_NULL(s);
615 
616  s = DetectEngineAppendSig(de_ctx,
617  "alert ip any any -> any any (hostbits:isnotset,abc,dst; content:\"GET \"; sid:2;)");
618  FAIL_IF_NULL(s);
619 
620  s = DetectEngineAppendSig(de_ctx,
621  "alert ip any any -> any any (hostbits:!isset,abc,dst; content:\"GET \"; sid:3;)");
622  FAIL_IF_NOT_NULL(s);
623 
624 /* TODO reenable after both is supported
625  s = DetectEngineAppendSig(de_ctx,
626  "alert ip any any -> any any (hostbits:set,abc,both; content:\"GET \"; sid:3;)");
627  FAIL_IF_NULL(s);
628 */
629  s = DetectEngineAppendSig(de_ctx,
630  "alert ip any any -> any any (hostbits:unset,abc,src; content:\"GET \"; sid:4;)");
631  FAIL_IF_NULL(s);
632 
633  s = DetectEngineAppendSig(de_ctx,
634  "alert ip any any -> any any (hostbits:toggle,abc,dst; content:\"GET \"; sid:5;)");
635  FAIL_IF_NULL(s);
636 
637  DetectEngineCtxFree(de_ctx);
638  PASS;
639 }
640 
641 #if 0
642 /**
643  * \test HostBitsTestSig03 is a test for a invalid flowbits option
644  *
645  * \retval 1 on succces
646  * \retval 0 on failure
647  */
648 
649 static int HostBitsTestSig03(void)
650 {
651  uint8_t *buf = (uint8_t *)
652  "GET /one/ HTTP/1.1\r\n"
653  "Host: one.example.org\r\n"
654  "\r\n";
655  uint16_t buflen = strlen((char *)buf);
656  Packet *p = SCMalloc(SIZE_OF_PACKET);
657  if (unlikely(p == NULL))
658  return 0;
659  Signature *s = NULL;
660  ThreadVars th_v;
661  DetectEngineThreadCtx *det_ctx = NULL;
662  DetectEngineCtx *de_ctx = NULL;
663  int result = 0;
664 
665  memset(&th_v, 0, sizeof(th_v));
666  memset(p, 0, SIZE_OF_PACKET);
667  p->src.family = AF_INET;
668  p->dst.family = AF_INET;
669  p->payload = buf;
670  p->payload_len = buflen;
671  p->proto = IPPROTO_TCP;
672 
673  de_ctx = DetectEngineCtxInit();
674 
675  if (de_ctx == NULL) {
676  goto end;
677  }
678 
679  de_ctx->flags |= DE_QUIET;
680 
681  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Unknown cmd\"; flowbits:wrongcmd; content:\"GET \"; sid:1;)");
682 
683  if (s == NULL) {
684  goto end;
685  }
686 
687  SigGroupBuild(de_ctx);
688  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
689 
690  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
691 
692  result = 1;
693 
694  SigGroupCleanup(de_ctx);
695  SigCleanSignatures(de_ctx);
696 
697  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
698  DetectEngineCtxFree(de_ctx);
699 
700 end:
701 
702  if (de_ctx != NULL) {
703  SigGroupCleanup(de_ctx);
704  SigCleanSignatures(de_ctx);
705  }
706 
707  if (det_ctx != NULL) {
708  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
709  }
710 
711  if (de_ctx != NULL) {
712  DetectEngineCtxFree(de_ctx);
713  }
714 
715 
716  SCFree(p);
717  return result;
718 }
719 #endif
720 
721 /**
722  * \test HostBitsTestSig04 is a test check idx value
723  *
724  * \retval 1 on succces
725  * \retval 0 on failure
726  */
727 
728 static int HostBitsTestSig04(void)
729 {
730  uint8_t *buf = (uint8_t *)
731  "GET /one/ HTTP/1.1\r\n"
732  "Host: one.example.org\r\n"
733  "\r\n";
734  uint16_t buflen = strlen((char *)buf);
735  Packet *p = SCMalloc(SIZE_OF_PACKET);
736  if (unlikely(p == NULL))
737  return 0;
738  Signature *s = NULL;
739  ThreadVars th_v;
740  DetectEngineThreadCtx *det_ctx = NULL;
741  DetectEngineCtx *de_ctx = NULL;
742  int idx = 0;
743 
744  memset(&th_v, 0, sizeof(th_v));
745  memset(p, 0, SIZE_OF_PACKET);
746  p->src.family = AF_INET;
747  p->dst.family = AF_INET;
748  p->payload = buf;
749  p->payload_len = buflen;
750  p->proto = IPPROTO_TCP;
751 
752  HostBitsTestSetup();
753 
754  de_ctx = DetectEngineCtxInit();
755  FAIL_IF_NULL(de_ctx);
756 
757  de_ctx->flags |= DE_QUIET;
758 
759  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"isset option\"; hostbits:isset,fbt; content:\"GET \"; sid:1;)");
760  FAIL_IF_NULL(s);
761 
762  idx = VarNameStoreSetupAdd("fbt", VAR_TYPE_HOST_BIT);
763  FAIL_IF(idx != 1);
764 
765  SigGroupBuild(de_ctx);
766  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
767 
768  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
769 
770  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
771  DetectEngineCtxFree(de_ctx);
772  HostBitsTestShutdown();
773 
774  SCFree(p);
775  PASS;
776 }
777 
778 /**
779  * \test HostBitsTestSig05 is a test check noalert flag
780  *
781  * \retval 1 on succces
782  * \retval 0 on failure
783  */
784 
785 static int HostBitsTestSig05(void)
786 {
787  uint8_t *buf = (uint8_t *)
788  "GET /one/ HTTP/1.1\r\n"
789  "Host: one.example.org\r\n"
790  "\r\n";
791  uint16_t buflen = strlen((char *)buf);
792  Packet *p = SCMalloc(SIZE_OF_PACKET);
793  if (unlikely(p == NULL))
794  return 0;
795  Signature *s = NULL;
796  ThreadVars th_v;
797  DetectEngineThreadCtx *det_ctx = NULL;
798  DetectEngineCtx *de_ctx = NULL;
799 
800  memset(&th_v, 0, sizeof(th_v));
801  memset(p, 0, SIZE_OF_PACKET);
802  p->src.family = AF_INET;
803  p->dst.family = AF_INET;
804  p->payload = buf;
805  p->payload_len = buflen;
806  p->proto = IPPROTO_TCP;
807 
808  HostBitsTestSetup();
809 
810  de_ctx = DetectEngineCtxInit();
811  FAIL_IF_NULL(de_ctx);
812 
813  de_ctx->flags |= DE_QUIET;
814 
815  s = de_ctx->sig_list = SigInit(de_ctx,
816  "alert ip any any -> any any (hostbits:noalert; content:\"GET \"; sid:1;)");
817  FAIL_IF_NULL(s);
818  FAIL_IF((s->flags & SIG_FLAG_NOALERT) != SIG_FLAG_NOALERT);
819 
820  SigGroupBuild(de_ctx);
821  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
822 
823  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
824 
825  FAIL_IF(PacketAlertCheck(p, 1));
826 
827  SigGroupCleanup(de_ctx);
828  SigCleanSignatures(de_ctx);
829 
830  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
831  DetectEngineCtxFree(de_ctx);
832 
833  HostBitsTestShutdown();
834 
835  SCFree(p);
836  PASS;
837 }
838 
839 #if 0
840 /**
841  * \test HostBitsTestSig06 is a test set flowbits option
842  *
843  * \retval 1 on succces
844  * \retval 0 on failure
845  */
846 
847 static int HostBitsTestSig06(void)
848 {
849  uint8_t *buf = (uint8_t *)
850  "GET /one/ HTTP/1.1\r\n"
851  "Host: one.example.org\r\n"
852  "\r\n";
853  uint16_t buflen = strlen((char *)buf);
854  Packet *p = SCMalloc(SIZE_OF_PACKET);
855  if (unlikely(p == NULL))
856  return 0;
857  Signature *s = NULL;
858  ThreadVars th_v;
859  DetectEngineThreadCtx *det_ctx = NULL;
860  DetectEngineCtx *de_ctx = NULL;
861  Flow f;
862  GenericVar flowvar, *gv = NULL;
863  int result = 0;
864  int idx = 0;
865 
866  memset(p, 0, SIZE_OF_PACKET);
867  memset(&th_v, 0, sizeof(th_v));
868  memset(&f, 0, sizeof(Flow));
869  memset(&flowvar, 0, sizeof(GenericVar));
870 
871  FLOW_INITIALIZE(&f);
872  p->flow = &f;
873  p->flow->flowvar = &flowvar;
874 
875  p->src.family = AF_INET;
876  p->dst.family = AF_INET;
877  p->payload = buf;
878  p->payload_len = buflen;
879  p->proto = IPPROTO_TCP;
880  p->flags |= PKT_HAS_FLOW;
881  p->flowflags |= FLOW_PKT_TOSERVER;
882 
883  de_ctx = DetectEngineCtxInit();
884 
885  if (de_ctx == NULL) {
886  goto end;
887  }
888 
889  de_ctx->flags |= DE_QUIET;
890 
891  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Flowbit set\"; flowbits:set,myflow; sid:10;)");
892 
893  if (s == NULL) {
894  goto end;
895  }
896 
897  SigGroupBuild(de_ctx);
898  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
899 
900  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
901 
902  idx = VariableNameGetIdx(de_ctx, "myflow", VAR_TYPE_HOST_BIT);
903 
904  gv = p->flow->flowvar;
905 
906  for ( ; gv != NULL; gv = gv->next) {
907  if (gv->type == DETECT_HOSTBITS && gv->idx == idx) {
908  result = 1;
909  }
910  }
911 
912  SigGroupCleanup(de_ctx);
913  SigCleanSignatures(de_ctx);
914 
915  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
916  DetectEngineCtxFree(de_ctx);
917 
918  if(gv) GenericVarFree(gv);
919  FLOW_DESTROY(&f);
920 
921  SCFree(p);
922  return result;
923 end:
924 
925  if (de_ctx != NULL) {
926  SigGroupCleanup(de_ctx);
927  SigCleanSignatures(de_ctx);
928  }
929 
930  if (det_ctx != NULL) {
931  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
932  }
933 
934  if (de_ctx != NULL) {
935  DetectEngineCtxFree(de_ctx);
936  }
937 
938  if(gv) GenericVarFree(gv);
939  FLOW_DESTROY(&f);
940  SCFree(p);
941  return result;
942 }
943 
944 /**
945  * \test HostBitsTestSig07 is a test unset flowbits option
946  *
947  * \retval 1 on succces
948  * \retval 0 on failure
949  */
950 
951 static int HostBitsTestSig07(void)
952 {
953  uint8_t *buf = (uint8_t *)
954  "GET /one/ HTTP/1.1\r\n"
955  "Host: one.example.org\r\n"
956  "\r\n";
957  uint16_t buflen = strlen((char *)buf);
958  Packet *p = SCMalloc(SIZE_OF_PACKET);
959  if (unlikely(p == NULL))
960  return 0;
961  Signature *s = NULL;
962  ThreadVars th_v;
963  DetectEngineThreadCtx *det_ctx = NULL;
964  DetectEngineCtx *de_ctx = NULL;
965  Flow f;
966  GenericVar flowvar, *gv = NULL;
967  int result = 0;
968  int idx = 0;
969 
970  memset(p, 0, SIZE_OF_PACKET);
971  memset(&th_v, 0, sizeof(th_v));
972  memset(&f, 0, sizeof(Flow));
973  memset(&flowvar, 0, sizeof(GenericVar));
974 
975  FLOW_INITIALIZE(&f);
976  p->flow = &f;
977  p->flow->flowvar = &flowvar;
978 
979  p->src.family = AF_INET;
980  p->dst.family = AF_INET;
981  p->payload = buf;
982  p->payload_len = buflen;
983  p->proto = IPPROTO_TCP;
984 
985  de_ctx = DetectEngineCtxInit();
986 
987  if (de_ctx == NULL) {
988  goto end;
989  }
990 
991  de_ctx->flags |= DE_QUIET;
992 
993  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Flowbit set\"; flowbits:set,myflow2; sid:10;)");
994  if (s == NULL) {
995  goto end;
996  }
997 
998  s = s->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Flowbit unset\"; flowbits:unset,myflow2; sid:11;)");
999  if (s == NULL) {
1000  goto end;
1001  }
1002 
1003  SigGroupBuild(de_ctx);
1004  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1005 
1006  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1007 
1008  idx = VariableNameGetIdx(de_ctx, "myflow", VAR_TYPE_HOST_BIT);
1009 
1010  gv = p->flow->flowvar;
1011 
1012  for ( ; gv != NULL; gv = gv->next) {
1013  if (gv->type == DETECT_HOSTBITS && gv->idx == idx) {
1014  result = 1;
1015  }
1016  }
1017 
1018  SigGroupCleanup(de_ctx);
1019  SigCleanSignatures(de_ctx);
1020 
1021  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1022  DetectEngineCtxFree(de_ctx);
1023 
1024  if(gv) GenericVarFree(gv);
1025  FLOW_DESTROY(&f);
1026 
1027  SCFree(p);
1028  return result;
1029 end:
1030 
1031  if (de_ctx != NULL) {
1032  SigGroupCleanup(de_ctx);
1033  SigCleanSignatures(de_ctx);
1034  }
1035 
1036  if (det_ctx != NULL) {
1037  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1038  }
1039 
1040  if (de_ctx != NULL) {
1041  DetectEngineCtxFree(de_ctx);
1042  }
1043 
1044  if(gv) GenericVarFree(gv);
1045  FLOW_DESTROY(&f);
1046 
1047  SCFree(p);
1048  return result;}
1049 #endif
1050 
1051 /**
1052  * \test set / isset
1053  *
1054  * \retval 1 on succces
1055  * \retval 0 on failure
1056  */
1057 static int HostBitsTestSig07(void)
1058 {
1059  uint8_t *buf = (uint8_t *)
1060  "GET /one/ HTTP/1.1\r\n"
1061  "Host: one.example.org\r\n"
1062  "\r\n";
1063  uint16_t buflen = strlen((char *)buf);
1064  Packet *p = SCMalloc(SIZE_OF_PACKET);
1065  if (unlikely(p == NULL))
1066  return 0;
1067  Signature *s = NULL;
1068  ThreadVars th_v;
1069  DetectEngineThreadCtx *det_ctx = NULL;
1070  DetectEngineCtx *de_ctx = NULL;
1071  Flow f;
1072  int result = 0;
1073 
1074  memset(p, 0, SIZE_OF_PACKET);
1075  memset(&th_v, 0, sizeof(th_v));
1076  memset(&f, 0, sizeof(Flow));
1077 
1078  HostBitsTestSetup();
1079 
1080  FLOW_INITIALIZE(&f);
1081  p->flow = &f;
1082  p->flowflags = FLOW_PKT_TOSERVER;
1083 
1084  p->src.family = AF_INET;
1085  p->dst.family = AF_INET;
1086  p->payload = buf;
1087  p->payload_len = buflen;
1088  p->proto = IPPROTO_TCP;
1089 
1090  de_ctx = DetectEngineCtxInit();
1091  FAIL_IF_NULL(de_ctx);
1092 
1093  de_ctx->flags |= DE_QUIET;
1094 
1095  s = de_ctx->sig_list = SigInit(de_ctx,
1096  "alert ip any any -> any any (hostbits:set,myflow2; sid:10;)");
1097  FAIL_IF_NULL(s);
1098 
1099  s = s->next = SigInit(de_ctx,
1100  "alert ip any any -> any any (hostbits:isset,myflow2; sid:11;)");
1101  FAIL_IF_NULL(s);
1102 
1103  SigGroupBuild(de_ctx);
1104  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1105 
1106  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1107 
1108  SCLogInfo("p->host_src %p", p->host_src);
1109 
1110  if (HostHasHostBits(p->host_src) == 1) {
1111  if (PacketAlertCheck(p, 11)) {
1112  result = 1;
1113  }
1114  }
1115  FAIL_IF_NOT(result);
1116 
1117  SigGroupCleanup(de_ctx);
1118  SigCleanSignatures(de_ctx);
1119 
1120  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1121  DetectEngineCtxFree(de_ctx);
1122 
1123  FLOW_DESTROY(&f);
1124 
1125  HostBitsTestShutdown();
1126  SCFree(p);
1127  PASS;
1128 }
1129 
1130 /**
1131  * \test set / toggle / toggle / isset
1132  *
1133  * \retval 1 on succces
1134  * \retval 0 on failure
1135  */
1136 static int HostBitsTestSig08(void)
1137 {
1138  uint8_t *buf = (uint8_t *)
1139  "GET /one/ HTTP/1.1\r\n"
1140  "Host: one.example.org\r\n"
1141  "\r\n";
1142  uint16_t buflen = strlen((char *)buf);
1143  Packet *p = SCMalloc(SIZE_OF_PACKET);
1144  if (unlikely(p == NULL))
1145  return 0;
1146  Signature *s = NULL;
1147  ThreadVars th_v;
1148  DetectEngineThreadCtx *det_ctx = NULL;
1149  DetectEngineCtx *de_ctx = NULL;
1150  Flow f;
1151 
1152  memset(p, 0, SIZE_OF_PACKET);
1153  memset(&th_v, 0, sizeof(th_v));
1154  memset(&f, 0, sizeof(Flow));
1155 
1156  HostBitsTestSetup();
1157 
1158  FLOW_INITIALIZE(&f);
1159  p->flow = &f;
1160 
1161  p->src.family = AF_INET;
1162  p->dst.family = AF_INET;
1163  p->payload = buf;
1164  p->payload_len = buflen;
1165  p->proto = IPPROTO_TCP;
1166 
1167  de_ctx = DetectEngineCtxInit();
1168  FAIL_IF_NULL(de_ctx);
1169 
1170  de_ctx->flags |= DE_QUIET;
1171 
1172  s = DetectEngineAppendSig(de_ctx,
1173  "alert ip any any -> any any (hostbits:set,myflow2; sid:10;)");
1174  FAIL_IF_NULL(s);
1175  s = DetectEngineAppendSig(de_ctx,
1176  "alert ip any any -> any any (hostbits:toggle,myflow2; sid:11;)");
1177  FAIL_IF_NULL(s);
1178  s = DetectEngineAppendSig(de_ctx,
1179  "alert ip any any -> any any (hostbits:toggle,myflow2; sid:12;)");
1180  FAIL_IF_NULL(s);
1181  s = DetectEngineAppendSig(de_ctx,
1182  "alert ip any any -> any any (hostbits:isset,myflow2; sid:13;)");
1183  FAIL_IF_NULL(s);
1184 
1185  SCSigRegisterSignatureOrderingFuncs(de_ctx);
1186  SCSigOrderSignatures(de_ctx);
1187  SCSigSignatureOrderingModuleCleanup(de_ctx);
1188 
1189  SigGroupBuild(de_ctx);
1190  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1191 
1192  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1193 
1194  SCLogInfo("p->host_src %p", p->host_src);
1195 
1196  if (HostHasHostBits(p->host_src) == 1) {
1197  if (PacketAlertCheck(p, 10)) {
1198  SCLogInfo("sid 10 matched");
1199  }
1200  if (PacketAlertCheck(p, 11)) {
1201  SCLogInfo("sid 11 matched");
1202  }
1203  if (PacketAlertCheck(p, 12)) {
1204  SCLogInfo("sid 12 matched");
1205  }
1206  if (PacketAlertCheck(p, 13)) {
1207  SCLogInfo("sid 13 matched");
1208  } else {
1209  FAIL;
1210  }
1211  }
1212 
1213  SigGroupCleanup(de_ctx);
1214  SigCleanSignatures(de_ctx);
1215 
1216  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1217  DetectEngineCtxFree(de_ctx);
1218 
1219  FLOW_DESTROY(&f);
1220 
1221  HostBitsTestShutdown();
1222 
1223  SCFree(p);
1224  PASS;
1225 }
1226 #endif /* UNITTESTS */
1227 
1228 /**
1229  * \brief this function registers unit tests for HostBits
1230  */
1231 void HostBitsRegisterTests(void)
1232 {
1233 #ifdef UNITTESTS
1234  UtRegisterTest("HostBitsTestParse01", HostBitsTestParse01);
1235  UtRegisterTest("HostBitsTestSig01", HostBitsTestSig01);
1236  UtRegisterTest("HostBitsTestSig02", HostBitsTestSig02);
1237 #if 0
1238  UtRegisterTest("HostBitsTestSig03", HostBitsTestSig03, 0);
1239 #endif
1240  UtRegisterTest("HostBitsTestSig04", HostBitsTestSig04);
1241  UtRegisterTest("HostBitsTestSig05", HostBitsTestSig05);
1242 #if 0
1243  UtRegisterTest("HostBitsTestSig06", HostBitsTestSig06, 1);
1244 #endif
1245  UtRegisterTest("HostBitsTestSig07", HostBitsTestSig07);
1246  UtRegisterTest("HostBitsTestSig08", HostBitsTestSig08);
1247 #endif /* UNITTESTS */
1248 }
GenericVar_::type
uint8_t type
Definition: util-var.h:49
HostUnlock
void HostUnlock(Host *h)
Definition: host.c:493
Packet_::proto
uint8_t proto
Definition: decode.h:431
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SigTableElmt_::desc
const char * desc
Definition: detect.h:1203
DetectXbitsData_::expire
uint32_t expire
Definition: detect-xbits.h:46
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1077
HostBitToggle
void HostBitToggle(Host *h, uint32_t idx, uint32_t expire)
Definition: host-bit.c:148
StorageInit
void StorageInit(void)
Definition: util-storage.c:67
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1201
HostBitsRegisterTests
void HostBitsRegisterTests(void)
this function registers unit tests for HostBits
Definition: detect-hostbits.c:1231
SCFree
#define SCFree(a)
Definition: util-mem.h:322
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
Packet_::host_src
struct Host_ * host_src
Definition: decode.h:558
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:335
Packet_::payload
uint8_t * payload
Definition: decode.h:541
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
Packet_::flags
uint32_t flags
Definition: decode.h:444
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-hostbits.c:64
threads.h
Flow_
Flow data structure.
Definition: flow.h:340
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2023
HostInitConfig
void HostInitConfig(char quiet)
initialize the configuration
Definition: host.c:175
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1195
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:761
DetectXbitsData_::cmd
uint8_t cmd
Definition: detect-xbits.h:44
HostGetHostFromHash
Host * HostGetHostFromHash(Address *a)
Definition: host.c:507
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2022
StorageCleanup
void StorageCleanup(void)
Definition: util-storage.c:75
SCSigSignatureOrderingModuleCleanup
void SCSigSignatureOrderingModuleCleanup(DetectEngineCtx *de_ctx)
De-registers all the signature ordering functions registered.
Definition: detect-engine-sigorder.c:803
flow-bit.h
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:216
util-var-name.h
DETECT_XBITS_TRACK_IPDST
#define DETECT_XBITS_TRACK_IPDST
Definition: detect-xbits.h:36
DE_QUIET
#define DE_QUIET
Definition: detect.h:292
DetectHostbitsRegister
void DetectHostbitsRegister(void)
Definition: detect-hostbits.c:76
SigTableElmt_::Free
void(* Free)(void *)
Definition: detect.h:1192
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:39
Packet_::host_dst
struct Host_ * host_dst
Definition: decode.h:559
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:440
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1187
HostBitInitCtx
void HostBitInitCtx(void)
Definition: host-bit.c:49
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:542
DetectXbitsData_
Definition: detect-xbits.h:42
HostBitIsset
int HostBitIsset(Host *h, uint32_t idx, uint32_t ts)
Definition: host-bit.c:158
util-unittest.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
Definition: util-unittest.h:82
DETECT_HOSTBITS
@ DETECT_HOSTBITS
Definition: detect-engine-register.h:87
Signature_::next
struct Signature_ * next
Definition: detect.h:594
DETECT_SM_LIST_POSTMATCH
@ DETECT_SM_LIST_POSTMATCH
Definition: detect.h:98
DetectXbitMatchHost
int DetectXbitMatchHost(Packet *p, const DetectXbitsData *xd)
Definition: detect-hostbits.c:241
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
DETECT_XBITS_CMD_ISNOTSET
#define DETECT_XBITS_CMD_ISNOTSET
Definition: detect-xbits.h:30
HostBitIsnotset
int HostBitIsnotset(Host *h, uint32_t idx, uint32_t ts)
Definition: host-bit.c:171
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
GenericVar_::next
struct GenericVar_ * next
Definition: util-var.h:52
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:16
DetectEngineThreadCtx_
Definition: detect.h:1004
SCSigOrderSignatures
void SCSigOrderSignatures(DetectEngineCtx *de_ctx)
Orders the signatures.
Definition: detect-engine-sigorder.c:723
SC_ERR_UNKNOWN_VALUE
@ SC_ERR_UNKNOWN_VALUE
Definition: util-error.h:159
HostBitUnset
void HostBitUnset(Host *h, uint32_t idx)
Definition: host-bit.c:140
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2440
HostCleanup
void HostCleanup(void)
Cleanup the host engine.
Definition: host.c:351
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
SCSigRegisterSignatureOrderingFuncs
void SCSigRegisterSignatureOrderingFuncs(DetectEngineCtx *de_ctx)
Lets you register the Signature ordering functions. The order in which the functions are registered,...
Definition: detect-engine-sigorder.c:783
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:89
SIZE_OF_PACKET
#define SIZE_OF_PACKET
Definition: decode.h:619
HostHasHostBits
int HostHasHostBits(Host *host)
Definition: host-bit.c:59
app-layer-parser.h
HostLock
void HostLock(Host *h)
Definition: host.c:488
TRUE
#define TRUE
Definition: suricata-common.h:33
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:321
SCMalloc
#define SCMalloc(a)
Definition: util-mem.h:222
GenericVar_::idx
uint32_t idx
Definition: util-var.h:51
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1665
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1947
DetectXbitsData_::type
enum VarTypes type
Definition: detect-xbits.h:48
HostBitSet
void HostBitSet(Host *h, uint32_t idx, uint32_t expire)
Definition: host-bit.c:132
Signature_::flags
uint32_t flags
Definition: detect.h:523
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options, int *ovector, int ovector_size)
Definition: detect-parse.c:2372
Packet_
Definition: decode.h:408
StorageFinalize
int StorageFinalize(void)
Definition: util-storage.c:139
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1171
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:254
Flow_::flowvar
GenericVar * flowvar
Definition: flow.h:462
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1876
SigMatch_::type
uint8_t type
Definition: detect.h:319
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:313
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2316
Packet_::flow
struct Flow_ * flow
Definition: decode.h:446
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2718
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
Packet_::ts
struct timeval ts
Definition: decode.h:452
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:2926
GenericVar_
Definition: util-var.h:48
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectParseRegex_
Definition: detect-parse.h:42
util-spm.h
DetectXbitsData_::idx
uint32_t idx
Definition: detect-xbits.h:43
VarNameStoreSetupAdd
uint32_t VarNameStoreSetupAdd(const char *name, const enum VarTypes type)
add to staging or return existing id if already in there
Definition: util-var-name.c:323
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:767
SIG_FLAG_NOALERT
#define SIG_FLAG_NOALERT
Definition: detect.h:216
detect-hostbits.h
SC_ERR_UNIMPLEMENTED
@ SC_ERR_UNIMPLEMENTED
Definition: util-error.h:118
VAR_TYPE_HOST_BIT
@ VAR_TYPE_HOST_BIT
Definition: util-var.h:39
detect-engine-sigorder.h
DetectXbitsData_::tracker
uint8_t tracker
Definition: detect-xbits.h:45
str
#define str(s)
Definition: suricata-common.h:256
DETECT_XBITS_TRACK_IPSRC
#define DETECT_XBITS_TRACK_IPSRC
Definition: detect-xbits.h:35
detect-parse.h
Signature_
Signature container.
Definition: detect.h:522
SigMatch_
a single match condition for a signature
Definition: detect.h:318
FAIL
#define FAIL
Definition: util-unittest.h:60
DETECT_XBITS_CMD_NOALERT
#define DETECT_XBITS_CMD_NOALERT
Definition: detect-xbits.h:32
DETECT_XBITS_CMD_ISSET
#define DETECT_XBITS_CMD_ISSET
Definition: detect-xbits.h:31
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:1977
HostLookupHostFromHash
Host * HostLookupHostFromHash(Address *a)
look up a host in the hash
Definition: host.c:606
Address_::family
char family
Definition: decode.h:112
Packet_::dst
Address dst
Definition: decode.h:414
DETECT_XBITS_CMD_SET
#define DETECT_XBITS_CMD_SET
Definition: detect-xbits.h:27
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:762
DETECT_XBITS_CMD_TOGGLE
#define DETECT_XBITS_CMD_TOGGLE
Definition: detect-xbits.h:28
flow.h
DETECT_XBITS_CMD_UNSET
#define DETECT_XBITS_CMD_UNSET
Definition: detect-xbits.h:29
GenericVarFree
void GenericVarFree(GenericVar *gv)
Definition: util-var.c:47
SIGMATCH_IPONLY_COMPAT
#define SIGMATCH_IPONLY_COMPAT
Definition: detect.h:1372
DetectHostbitFree
void DetectHostbitFree(void *)
Definition: detect-hostbits.c:436
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:121
Packet_::src
Address src
Definition: decode.h:413
host-bit.h
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1193