67 "(?:\\s*,\\s*([^\\s,]+))?(?:\\s*)?" \
68 "(?:\\s*,\\s*([^,\\s]+))?(?:\\s*)?" \
251 return DetectHostbitMatchIsset(p,xd);
253 return DetectHostbitMatchIsnotset(p,xd);
255 return DetectHostbitMatchSet(p,xd);
257 return DetectHostbitMatchUnset(p,xd);
259 return DetectHostbitMatchToggle(p,xd);
284 static int DetectHostbitParse(
const char *
str,
char *cmd,
int cmd_len,
285 char *name,
int name_len,
char *dir,
int dir_len)
290 pcre2_match_data *match = NULL;
292 if (count != 2 && count != 3 && count != 4) {
293 SCLogError(
"\"%s\" is not a valid setting for hostbits.",
str);
298 rc = pcre2_substring_copy_bynumber(match, 1, (PCRE2_UCHAR8 *)cmd, &pcre2len);
300 SCLogError(
"pcre2_substring_copy_bynumber failed");
306 rc = pcre2_substring_copy_bynumber(match, 2, (PCRE2_UCHAR8 *)name, &pcre2len);
308 SCLogError(
"pcre2_substring_copy_bynumber failed");
313 rc = pcre2_substring_copy_bynumber(match, 3, (PCRE2_UCHAR8 *)dir, &pcre2len);
315 SCLogError(
"pcre2_substring_copy_bynumber failed");
321 pcre2_match_data_free(match);
326 pcre2_match_data_free(match);
336 char fb_cmd_str[16] =
"", fb_name[256] =
"";
337 char hb_dir_str[16] =
"";
339 if (!DetectHostbitParse(rawstr, fb_cmd_str,
sizeof(fb_cmd_str),
340 fb_name,
sizeof(fb_name), hb_dir_str,
sizeof(hb_dir_str))) {
344 if (strlen(hb_dir_str) > 0) {
345 if (strcmp(hb_dir_str,
"src") == 0)
347 else if (strcmp(hb_dir_str,
"dst") == 0)
349 else if (strcmp(hb_dir_str,
"both") == 0) {
359 if (strcmp(fb_cmd_str,
"noalert") == 0) {
361 }
else if (strcmp(fb_cmd_str,
"isset") == 0) {
363 }
else if (strcmp(fb_cmd_str,
"isnotset") == 0) {
365 }
else if (strcmp(fb_cmd_str,
"set") == 0) {
367 }
else if (strcmp(fb_cmd_str,
"unset") == 0) {
369 }
else if (strcmp(fb_cmd_str,
"toggle") == 0) {
372 SCLogError(
"ERROR: flowbits action \"%s\" is not supported.", fb_cmd_str);
378 if (strlen(fb_name) != 0)
388 if (strlen(fb_name) == 0)
403 SCLogDebug(
"idx %" PRIu32
", cmd %s, name %s",
404 cd->
idx, fb_cmd_str, strlen(fb_name) ? fb_name :
"(none)");
458 static void HostBitsTestSetup(
void)
466 static void HostBitsTestShutdown(
void)
472 static int HostBitsTestParse01(
void)
474 char cmd[16] =
"", name[256] =
"", dir[16] =
"";
477 FAIL_IF(!DetectHostbitParse(
"isset,name", cmd,
sizeof(cmd), name,
478 sizeof(name), dir,
sizeof(dir)));
479 FAIL_IF(strcmp(cmd,
"isset") != 0);
480 FAIL_IF(strcmp(name,
"name") != 0);
487 FAIL_IF(!DetectHostbitParse(
"isset, name", cmd,
sizeof(cmd), name,
488 sizeof(name), dir,
sizeof(dir)));
489 FAIL_IF(strcmp(cmd,
"isset") != 0);
490 FAIL_IF(strcmp(name,
"name") != 0);
496 FAIL_IF(!DetectHostbitParse(
"isset,name ", cmd,
sizeof(cmd), name,
497 sizeof(name), dir,
sizeof(dir)));
498 FAIL_IF(strcmp(cmd,
"isset") != 0);
499 FAIL_IF(strcmp(name,
"name") != 0);
505 FAIL_IF(!DetectHostbitParse(
"isset, name ", cmd,
sizeof(cmd), name,
506 sizeof(name), dir,
sizeof(dir)));
507 FAIL_IF(strcmp(cmd,
"isset") != 0);
508 FAIL_IF(strcmp(name,
"name") != 0);
514 FAIL_IF(!DetectHostbitParse(
"isset,name,src", cmd,
sizeof(cmd), name,
515 sizeof(name), dir,
sizeof(dir)));
516 FAIL_IF(strcmp(cmd,
"isset") != 0);
517 FAIL_IF(strcmp(name,
"name") != 0);
518 FAIL_IF(strcmp(dir,
"src") != 0);
524 FAIL_IF(!DetectHostbitParse(
"isset, name ,src", cmd,
sizeof(cmd), name,
525 sizeof(name), dir,
sizeof(dir)));
526 FAIL_IF(strcmp(cmd,
"isset") != 0);
527 FAIL_IF(strcmp(name,
"name") != 0);
528 FAIL_IF(strcmp(dir,
"src") != 0);
534 FAIL_IF(!DetectHostbitParse(
"isset, name , src ", cmd,
sizeof(cmd), name,
535 sizeof(name), dir,
sizeof(dir)));
536 FAIL_IF(strcmp(cmd,
"isset") != 0);
537 FAIL_IF(strcmp(name,
"name") != 0);
538 FAIL_IF(strcmp(dir,
"src") != 0);
544 FAIL_IF(DetectHostbitParse(
"isset, name withspace ", cmd,
sizeof(cmd), name,
545 sizeof(name), dir,
sizeof(dir)));
557 static int HostBitsTestSig01(
void)
559 uint8_t *buf = (uint8_t *)
560 "GET /one/ HTTP/1.1\r\n"
561 "Host: one.example.org\r\n"
563 uint16_t buflen = strlen((
char *)buf);
571 memset(&th_v, 0,
sizeof(th_v));
576 p->
proto = IPPROTO_TCP;
596 HostBitsTestShutdown();
607 static int HostBitsTestSig02(
void)
613 memset(&th_v, 0,
sizeof(th_v));
621 "alert ip any any -> any any (hostbits:isset,abc,src; content:\"GET \"; sid:1;)");
625 "alert ip any any -> any any (hostbits:isnotset,abc,dst; content:\"GET \"; sid:2;)");
629 "alert ip any any -> any any (hostbits:!isset,abc,dst; content:\"GET \"; sid:3;)");
638 "alert ip any any -> any any (hostbits:unset,abc,src; content:\"GET \"; sid:4;)");
642 "alert ip any any -> any any (hostbits:toggle,abc,dst; content:\"GET \"; sid:5;)");
656 static int HostBitsTestSig03(
void)
658 uint8_t *buf = (uint8_t *)
659 "GET /one/ HTTP/1.1\r\n"
660 "Host: one.example.org\r\n"
662 uint16_t buflen = strlen((
char *)buf);
672 memset(&th_v, 0,
sizeof(th_v));
677 p->
proto = IPPROTO_TCP;
686 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"isset option\"; hostbits:isset,fbt; content:\"GET \"; sid:1;)");
699 HostBitsTestShutdown();