68 "(?:\\s*,\\s*([^\\s,]+))?(?:\\s*)?" \
69 "(?:\\s*,\\s*([^,\\s]+))?(?:\\s*)?" \
252 return DetectHostbitMatchIsset(p,xd);
254 return DetectHostbitMatchIsnotset(p,xd);
256 return DetectHostbitMatchSet(p,xd);
258 return DetectHostbitMatchUnset(p,xd);
260 return DetectHostbitMatchToggle(p,xd);
285 static int DetectHostbitParse(
const char *
str,
char *cmd,
int cmd_len,
286 char *
name,
int name_len,
char *dir,
int dir_len)
291 pcre2_match_data *match = NULL;
293 if (count != 2 && count != 3 && count != 4) {
294 SCLogError(
"\"%s\" is not a valid setting for hostbits.",
str);
299 rc = pcre2_substring_copy_bynumber(match, 1, (PCRE2_UCHAR8 *)cmd, &pcre2len);
301 SCLogError(
"pcre2_substring_copy_bynumber failed");
307 rc = pcre2_substring_copy_bynumber(match, 2, (PCRE2_UCHAR8 *)
name, &pcre2len);
309 SCLogError(
"pcre2_substring_copy_bynumber failed");
314 rc = pcre2_substring_copy_bynumber(match, 3, (PCRE2_UCHAR8 *)dir, &pcre2len);
316 SCLogError(
"pcre2_substring_copy_bynumber failed");
322 pcre2_match_data_free(match);
327 pcre2_match_data_free(match);
337 char fb_cmd_str[16] =
"", fb_name[256] =
"";
338 char hb_dir_str[16] =
"";
340 if (!DetectHostbitParse(rawstr, fb_cmd_str,
sizeof(fb_cmd_str),
341 fb_name,
sizeof(fb_name), hb_dir_str,
sizeof(hb_dir_str))) {
345 if (strlen(hb_dir_str) > 0) {
346 if (strcmp(hb_dir_str,
"src") == 0)
348 else if (strcmp(hb_dir_str,
"dst") == 0)
350 else if (strcmp(hb_dir_str,
"both") == 0) {
360 if (strcmp(fb_cmd_str,
"noalert") == 0) {
362 }
else if (strcmp(fb_cmd_str,
"isset") == 0) {
364 }
else if (strcmp(fb_cmd_str,
"isnotset") == 0) {
366 }
else if (strcmp(fb_cmd_str,
"set") == 0) {
368 }
else if (strcmp(fb_cmd_str,
"unset") == 0) {
370 }
else if (strcmp(fb_cmd_str,
"toggle") == 0) {
373 SCLogError(
"ERROR: flowbits action \"%s\" is not supported.", fb_cmd_str);
379 if (strlen(fb_name) != 0)
389 if (strlen(fb_name) == 0)
404 SCLogDebug(
"idx %" PRIu32
", cmd %s, name %s",
405 cd->
idx, fb_cmd_str, strlen(fb_name) ? fb_name :
"(none)");
459 static void HostBitsTestSetup(
void)
468 static void HostBitsTestShutdown(
void)
474 static int HostBitsTestParse01(
void)
476 char cmd[16] =
"",
name[256] =
"", dir[16] =
"";
479 FAIL_IF(!DetectHostbitParse(
"isset,name", cmd,
sizeof(cmd),
name,
480 sizeof(
name), dir,
sizeof(dir)));
481 FAIL_IF(strcmp(cmd,
"isset") != 0);
489 FAIL_IF(!DetectHostbitParse(
"isset, name", cmd,
sizeof(cmd),
name,
490 sizeof(
name), dir,
sizeof(dir)));
491 FAIL_IF(strcmp(cmd,
"isset") != 0);
498 FAIL_IF(!DetectHostbitParse(
"isset,name ", cmd,
sizeof(cmd),
name,
499 sizeof(
name), dir,
sizeof(dir)));
500 FAIL_IF(strcmp(cmd,
"isset") != 0);
507 FAIL_IF(!DetectHostbitParse(
"isset, name ", cmd,
sizeof(cmd),
name,
508 sizeof(
name), dir,
sizeof(dir)));
509 FAIL_IF(strcmp(cmd,
"isset") != 0);
516 FAIL_IF(!DetectHostbitParse(
"isset,name,src", cmd,
sizeof(cmd),
name,
517 sizeof(
name), dir,
sizeof(dir)));
518 FAIL_IF(strcmp(cmd,
"isset") != 0);
520 FAIL_IF(strcmp(dir,
"src") != 0);
526 FAIL_IF(!DetectHostbitParse(
"isset, name ,src", cmd,
sizeof(cmd),
name,
527 sizeof(
name), dir,
sizeof(dir)));
528 FAIL_IF(strcmp(cmd,
"isset") != 0);
530 FAIL_IF(strcmp(dir,
"src") != 0);
536 FAIL_IF(!DetectHostbitParse(
"isset, name , src ", cmd,
sizeof(cmd),
name,
537 sizeof(
name), dir,
sizeof(dir)));
538 FAIL_IF(strcmp(cmd,
"isset") != 0);
540 FAIL_IF(strcmp(dir,
"src") != 0);
546 FAIL_IF(DetectHostbitParse(
"isset, name withspace ", cmd,
sizeof(cmd),
name,
547 sizeof(
name), dir,
sizeof(dir)));
559 static int HostBitsTestSig01(
void)
561 uint8_t *buf = (uint8_t *)
562 "GET /one/ HTTP/1.1\r\n"
563 "Host: one.example.org\r\n"
565 uint16_t buflen = strlen((
char *)buf);
573 memset(&th_v, 0,
sizeof(th_v));
578 p->
proto = IPPROTO_TCP;
598 HostBitsTestShutdown();
610 static int HostBitsTestSig02(
void)
616 memset(&th_v, 0,
sizeof(th_v));
624 "alert ip any any -> any any (hostbits:isset,abc,src; content:\"GET \"; sid:1;)");
628 "alert ip any any -> any any (hostbits:isnotset,abc,dst; content:\"GET \"; sid:2;)");
632 "alert ip any any -> any any (hostbits:!isset,abc,dst; content:\"GET \"; sid:3;)");
641 "alert ip any any -> any any (hostbits:unset,abc,src; content:\"GET \"; sid:4;)");
645 "alert ip any any -> any any (hostbits:toggle,abc,dst; content:\"GET \"; sid:5;)");
659 static int HostBitsTestSig03(
void)
661 uint8_t *buf = (uint8_t *)
662 "GET /one/ HTTP/1.1\r\n"
663 "Host: one.example.org\r\n"
665 uint16_t buflen = strlen((
char *)buf);
675 memset(&th_v, 0,
sizeof(th_v));
680 p->
proto = IPPROTO_TCP;
689 s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"isset option\"; hostbits:isset,fbt; content:\"GET \"; sid:1;)");
703 HostBitsTestShutdown();
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
SigTableElmt * sigmatch_table
void(* Free)(DetectEngineCtx *, void *)
void HostBitsRegisterTests(void)
This function registers the unit tests for HostBits.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
void HostBitSet(Host *h, uint32_t idx, SCTime_t expire)
main detection engine ctx
Host * HostGetHostFromHash(Address *a)
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx.
void StorageCleanup(void)
#define DETECT_XBITS_TRACK_IPDST
void DetectHostbitsRegister(void)
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
uint32_t VarNameStoreRegister(const char *name, const enum VarTypes type)
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
void HostBitInitCtx(void)
@ DETECT_SM_LIST_POSTMATCH
int DetectXbitMatchHost(Packet *p, const DetectXbitsData *xd)
#define DETECT_XBITS_CMD_ISNOTSET
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
#define PASS
Pass the test.
void HostBitUnset(Host *h, uint32_t idx)
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
SigMatch * SCSigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Per thread variable structure.
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
Initialize the thread-specific detection engine context.
void VarNameStoreUnregister(const uint32_t id, const enum VarTypes type)
void PacketFree(Packet *p)
Return a malloced packet.
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
int StorageFinalize(void)
Data structures and function prototypes for keeping state for the detection engine.
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
int HostBitIsset(Host *h, uint32_t idx, SCTime_t ts)
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Used to start a pointer to SigMatch context. Should never be dereferenced without casting to something...
void HostBitToggle(Host *h, uint32_t idx, SCTime_t expire)
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
int HostBitIsnotset(Host *h, uint32_t idx, SCTime_t ts)
void HostShutdown(void)
shutdown the flow engine
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
#define SCLogError(...)
Macro used to log ERROR messages.
#define DETECT_XBITS_TRACK_IPSRC
#define DETECT_XBITS_CMD_NOALERT
#define DETECT_XBITS_CMD_ISSET
DetectEngineCtx * DetectEngineCtxInit(void)
Host * HostLookupHostFromHash(Address *a)
Look up a host in the hash.
void HostInitConfig(bool quiet)
Initialize the configuration.
#define DETECT_XBITS_CMD_SET
void DetectHostbitFree(DetectEngineCtx *, void *)
#define DETECT_XBITS_CMD_TOGGLE
#define DETECT_XBITS_CMD_UNSET
#define SCTIME_ADD_SECS(ts, s)
void StatsThreadCleanup(ThreadVars *tv)
#define SIGMATCH_IPONLY_COMPAT
void(* RegisterTests)(void)