suricata
detect-hostbits.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Implements the hostbits keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 #include "detect.h"
29 #include "threads.h"
30 #include "flow.h"
31 #include "flow-util.h"
32 #include "detect-hostbits.h"
33 #include "util-spm.h"
34 
35 #include "detect-engine-sigorder.h"
36 
37 #include "app-layer-parser.h"
38 
39 #include "detect-parse.h"
40 #include "detect-engine.h"
41 #include "detect-engine-mpm.h"
42 #include "detect-engine-state.h"
43 #include "detect-engine-build.h"
44 
45 #include "flow-bit.h"
46 #include "host-bit.h"
47 #include "util-var-name.h"
48 #include "util-unittest.h"
49 #include "util-debug.h"
50 
51 /*
52  hostbits:isset,bitname;
53  hostbits:set,bitname;
54 
55  hostbits:set,bitname,src;
56  hostbits:set,bitname,dst;
57 TODO:
58  hostbits:set,bitname,both;
59 
60  hostbits:set,bitname,src,3600;
61  hostbits:set,bitname,dst,60;
62  hostbits:set,bitname,both,120;
63  */
64 
65 #define PARSE_REGEX \
66  "^([a-z]+)" /* Action */ \
67  "(?:\\s*,\\s*([^\\s,]+))?(?:\\s*)?" /* Name. */ \
68  "(?:\\s*,\\s*([^,\\s]+))?(?:\\s*)?" /* Direction. */ \
69  "(.+)?" /* Any remaining data. */
70 static DetectParseRegex parse_regex;
71 
72 static int DetectHostbitMatch (DetectEngineThreadCtx *, Packet *,
73  const Signature *, const SigMatchCtx *);
74 static int DetectHostbitSetup (DetectEngineCtx *, Signature *, const char *);
75 void DetectHostbitFree (DetectEngineCtx *, void *);
76 #ifdef UNITTESTS
77 void HostBitsRegisterTests(void);
78 #endif
79 
80 void DetectHostbitsRegister (void)
81 {
82  sigmatch_table[DETECT_HOSTBITS].name = "hostbits";
83  sigmatch_table[DETECT_HOSTBITS].desc = "operate on host flag";
84 // sigmatch_table[DETECT_HOSTBITS].url = "/rules/flow-keywords.html#flowbits";
85  sigmatch_table[DETECT_HOSTBITS].Match = DetectHostbitMatch;
86  sigmatch_table[DETECT_HOSTBITS].Setup = DetectHostbitSetup;
87  sigmatch_table[DETECT_HOSTBITS].Free = DetectHostbitFree;
88 #ifdef UNITTESTS
89  sigmatch_table[DETECT_HOSTBITS].RegisterTests = HostBitsRegisterTests;
90 #endif
91  /* this is compatible to ip-only signatures */
92  sigmatch_table[DETECT_HOSTBITS].flags |= SIGMATCH_IPONLY_COMPAT;
93 
94  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
95 }
96 
97 static int DetectHostbitMatchToggle (Packet *p, const DetectXbitsData *fd)
98 {
99  switch (fd->tracker) {
100  case DETECT_XBITS_TRACK_IPSRC:
101  if (p->host_src == NULL) {
102  p->host_src = HostGetHostFromHash(&p->src);
103  if (p->host_src == NULL)
104  return 0;
105  }
106  else
107  HostLock(p->host_src);
108 
109  HostBitToggle(p->host_src, fd->idx, SCTIME_SECS(p->ts) + fd->expire);
110  HostUnlock(p->host_src);
111  break;
112  case DETECT_XBITS_TRACK_IPDST:
113  if (p->host_dst == NULL) {
114  p->host_dst = HostGetHostFromHash(&p->dst);
115  if (p->host_dst == NULL)
116  return 0;
117  }
118  else
119  HostLock(p->host_dst);
120 
121  HostBitToggle(p->host_dst, fd->idx, SCTIME_SECS(p->ts) + fd->expire);
122  HostUnlock(p->host_dst);
123  break;
124  }
125  return 1;
126 }
127 
128 /* return true even if bit not found */
129 static int DetectHostbitMatchUnset (Packet *p, const DetectXbitsData *fd)
130 {
131  switch (fd->tracker) {
132  case DETECT_XBITS_TRACK_IPSRC:
133  if (p->host_src == NULL) {
134  p->host_src = HostLookupHostFromHash(&p->src);
135  if (p->host_src == NULL)
136  return 1;
137  } else
138  HostLock(p->host_src);
139 
140  HostBitUnset(p->host_src,fd->idx);
141  HostUnlock(p->host_src);
142  break;
143  case DETECT_XBITS_TRACK_IPDST:
144  if (p->host_dst == NULL) {
145  p->host_dst = HostLookupHostFromHash(&p->dst);
146  if (p->host_dst == NULL)
147  return 1;
148  } else
149  HostLock(p->host_dst);
150 
151  HostBitUnset(p->host_dst,fd->idx);
152  HostUnlock(p->host_dst);
153  break;
154  }
155  return 1;
156 }
157 
158 static int DetectHostbitMatchSet (Packet *p, const DetectXbitsData *fd)
159 {
160  switch (fd->tracker) {
161  case DETECT_XBITS_TRACK_IPSRC:
162  if (p->host_src == NULL) {
163  p->host_src = HostGetHostFromHash(&p->src);
164  if (p->host_src == NULL)
165  return 0;
166  } else
167  HostLock(p->host_src);
168 
169  HostBitSet(p->host_src, fd->idx, SCTIME_SECS(p->ts) + fd->expire);
170  HostUnlock(p->host_src);
171  break;
172  case DETECT_XBITS_TRACK_IPDST:
173  if (p->host_dst == NULL) {
174  p->host_dst = HostGetHostFromHash(&p->dst);
175  if (p->host_dst == NULL)
176  return 0;
177  } else
178  HostLock(p->host_dst);
179 
180  HostBitSet(p->host_dst, fd->idx, SCTIME_SECS(p->ts) + fd->expire);
181  HostUnlock(p->host_dst);
182  break;
183  }
184  return 1;
185 }
186 
187 static int DetectHostbitMatchIsset (Packet *p, const DetectXbitsData *fd)
188 {
189  int r = 0;
190  switch (fd->tracker) {
191  case DETECT_XBITS_TRACK_IPSRC:
192  if (p->host_src == NULL) {
193  p->host_src = HostLookupHostFromHash(&p->src);
194  if (p->host_src == NULL)
195  return 0;
196  } else
197  HostLock(p->host_src);
198 
199  r = HostBitIsset(p->host_src, fd->idx, SCTIME_SECS(p->ts));
200  HostUnlock(p->host_src);
201  return r;
202  case DETECT_XBITS_TRACK_IPDST:
203  if (p->host_dst == NULL) {
204  p->host_dst = HostLookupHostFromHash(&p->dst);
205  if (p->host_dst == NULL)
206  return 0;
207  } else
208  HostLock(p->host_dst);
209 
210  r = HostBitIsset(p->host_dst, fd->idx, SCTIME_SECS(p->ts));
211  HostUnlock(p->host_dst);
212  return r;
213  }
214  return 0;
215 }
216 
217 static int DetectHostbitMatchIsnotset (Packet *p, const DetectXbitsData *fd)
218 {
219  int r = 0;
220  switch (fd->tracker) {
221  case DETECT_XBITS_TRACK_IPSRC:
222  if (p->host_src == NULL) {
223  p->host_src = HostLookupHostFromHash(&p->src);
224  if (p->host_src == NULL)
225  return 1;
226  } else
227  HostLock(p->host_src);
228 
229  r = HostBitIsnotset(p->host_src, fd->idx, SCTIME_SECS(p->ts));
230  HostUnlock(p->host_src);
231  return r;
232  case DETECT_XBITS_TRACK_IPDST:
233  if (p->host_dst == NULL) {
234  p->host_dst = HostLookupHostFromHash(&p->dst);
235  if (p->host_dst == NULL)
236  return 1;
237  } else
238  HostLock(p->host_dst);
239 
240  r = HostBitIsnotset(p->host_dst, fd->idx, SCTIME_SECS(p->ts));
241  HostUnlock(p->host_dst);
242  return r;
243  }
244  return 0;
245 }
246 
247 int DetectXbitMatchHost(Packet *p, const DetectXbitsData *xd)
248 {
249  switch (xd->cmd) {
250  case DETECT_XBITS_CMD_ISSET:
251  return DetectHostbitMatchIsset(p,xd);
252  case DETECT_XBITS_CMD_ISNOTSET:
253  return DetectHostbitMatchIsnotset(p,xd);
254  case DETECT_XBITS_CMD_SET:
255  return DetectHostbitMatchSet(p,xd);
256  case DETECT_XBITS_CMD_UNSET:
257  return DetectHostbitMatchUnset(p,xd);
258  case DETECT_XBITS_CMD_TOGGLE:
259  return DetectHostbitMatchToggle(p,xd);
260  default:
261  SCLogError("unknown cmd %" PRIu32 "", xd->cmd);
262  return 0;
263  }
264 
265  return 0;
266 }
267 
268 /*
269  * returns 0: no match
270  * 1: match
271  * -1: error
272  */
273 
274 static int DetectHostbitMatch (DetectEngineThreadCtx *det_ctx, Packet *p,
275  const Signature *s, const SigMatchCtx *ctx)
276 {
277  const DetectXbitsData *xd = (const DetectXbitsData *)ctx;
278  if (xd == NULL)
279  return 0;
280 
281  return DetectXbitMatchHost(p, xd);
282 }
283 
284 static int DetectHostbitParse(const char *str, char *cmd, int cmd_len,
285  char *name, int name_len, char *dir, int dir_len)
286 {
287  int rc;
288  size_t pcre2len;
289 
290  pcre2_match_data *match = NULL;
291  int count = DetectParsePcreExec(&parse_regex, &match, str, 0, 0);
292  if (count != 2 && count != 3 && count != 4) {
293  SCLogError("\"%s\" is not a valid setting for hostbits.", str);
294  goto error;
295  }
296 
297  pcre2len = cmd_len;
298  rc = pcre2_substring_copy_bynumber(match, 1, (PCRE2_UCHAR8 *)cmd, &pcre2len);
299  if (rc < 0) {
300  SCLogError("pcre2_substring_copy_bynumber failed");
301  goto error;
302  }
303 
304  if (count >= 3) {
305  pcre2len = name_len;
306  rc = pcre2_substring_copy_bynumber(match, 2, (PCRE2_UCHAR8 *)name, &pcre2len);
307  if (rc < 0) {
308  SCLogError("pcre2_substring_copy_bynumber failed");
309  goto error;
310  }
311  if (count >= 4) {
312  pcre2len = dir_len;
313  rc = pcre2_substring_copy_bynumber(match, 3, (PCRE2_UCHAR8 *)dir, &pcre2len);
314  if (rc < 0) {
315  SCLogError("pcre2_substring_copy_bynumber failed");
316  goto error;
317  }
318  }
319  }
320 
321  pcre2_match_data_free(match);
322  return 1;
323 
324 error:
325  if (match) {
326  pcre2_match_data_free(match);
327  }
328  return 0;
329 }
330 
331 int DetectHostbitSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
332 {
333  DetectXbitsData *cd = NULL;
334  uint8_t fb_cmd = 0;
335  uint8_t hb_dir = 0;
336  char fb_cmd_str[16] = "", fb_name[256] = "";
337  char hb_dir_str[16] = "";
338 
339  if (!DetectHostbitParse(rawstr, fb_cmd_str, sizeof(fb_cmd_str),
340  fb_name, sizeof(fb_name), hb_dir_str, sizeof(hb_dir_str))) {
341  return -1;
342  }
343 
344  if (strlen(hb_dir_str) > 0) {
345  if (strcmp(hb_dir_str, "src") == 0)
346  hb_dir = DETECT_XBITS_TRACK_IPSRC;
347  else if (strcmp(hb_dir_str, "dst") == 0)
348  hb_dir = DETECT_XBITS_TRACK_IPDST;
349  else if (strcmp(hb_dir_str, "both") == 0) {
350  //hb_dir = DETECT_XBITS_TRACK_IPBOTH;
351  SCLogError("'both' not implemented");
352  goto error;
353  } else {
354  // TODO
355  goto error;
356  }
357  }
358 
359  if (strcmp(fb_cmd_str,"noalert") == 0) {
360  fb_cmd = DETECT_XBITS_CMD_NOALERT;
361  } else if (strcmp(fb_cmd_str,"isset") == 0) {
362  fb_cmd = DETECT_XBITS_CMD_ISSET;
363  } else if (strcmp(fb_cmd_str,"isnotset") == 0) {
364  fb_cmd = DETECT_XBITS_CMD_ISNOTSET;
365  } else if (strcmp(fb_cmd_str,"set") == 0) {
366  fb_cmd = DETECT_XBITS_CMD_SET;
367  } else if (strcmp(fb_cmd_str,"unset") == 0) {
368  fb_cmd = DETECT_XBITS_CMD_UNSET;
369  } else if (strcmp(fb_cmd_str,"toggle") == 0) {
370  fb_cmd = DETECT_XBITS_CMD_TOGGLE;
371  } else {
372  SCLogError("ERROR: flowbits action \"%s\" is not supported.", fb_cmd_str);
373  goto error;
374  }
375 
376  switch (fb_cmd) {
377  case DETECT_XBITS_CMD_NOALERT:
378  if (strlen(fb_name) != 0)
379  goto error;
380  s->flags |= SIG_FLAG_NOALERT;
381  return 0;
382  case DETECT_XBITS_CMD_ISNOTSET:
383  case DETECT_XBITS_CMD_ISSET:
384  case DETECT_XBITS_CMD_SET:
385  case DETECT_XBITS_CMD_UNSET:
386  case DETECT_XBITS_CMD_TOGGLE:
387  default:
388  if (strlen(fb_name) == 0)
389  goto error;
390  break;
391  }
392 
393  cd = SCMalloc(sizeof(DetectXbitsData));
394  if (unlikely(cd == NULL))
395  goto error;
396 
397  cd->idx = VarNameStoreRegister(fb_name, VAR_TYPE_HOST_BIT);
398  cd->cmd = fb_cmd;
399  cd->tracker = hb_dir;
400  cd->type = VAR_TYPE_HOST_BIT;
401  cd->expire = 300;
402 
403  SCLogDebug("idx %" PRIu32 ", cmd %s, name %s",
404  cd->idx, fb_cmd_str, strlen(fb_name) ? fb_name : "(none)");
405 
406  /* Okay so far so good, lets get this into a SigMatch
407  * and put it in the Signature. */
408 
409  switch (fb_cmd) {
410  /* case DETECT_XBITS_CMD_NOALERT can't happen here */
411 
412  case DETECT_XBITS_CMD_ISNOTSET:
413  case DETECT_XBITS_CMD_ISSET:
414  /* checks, so packet list */
415  if (SigMatchAppendSMToList(de_ctx, s, DETECT_HOSTBITS, (SigMatchCtx *)cd,
416  DETECT_SM_LIST_MATCH) == NULL) {
417  goto error;
418  }
419  break;
420 
421  case DETECT_XBITS_CMD_SET:
422  case DETECT_XBITS_CMD_UNSET:
423  case DETECT_XBITS_CMD_TOGGLE:
424  /* modifiers, only run when entire sig has matched */
425  if (SigMatchAppendSMToList(de_ctx, s, DETECT_HOSTBITS, (SigMatchCtx *)cd,
426  DETECT_SM_LIST_POSTMATCH) == NULL) {
427  goto error;
428  }
429  break;
430 
431  // suppress coverity warning as scan-build-7 warns w/o this.
432  // coverity[deadcode : FALSE]
433  default:
434  goto error;
435  }
436 
437  return 0;
438 
439 error:
440  if (cd != NULL)
441  SCFree(cd);
442  return -1;
443 }
444 
445 void DetectHostbitFree (DetectEngineCtx *de_ctx, void *ptr)
446 {
447  DetectXbitsData *fd = (DetectXbitsData *)ptr;
448 
449  if (fd == NULL)
450  return;
451  VarNameStoreUnregister(fd->idx, VAR_TYPE_HOST_BIT);
452 
453  SCFree(fd);
454 }
455 
456 #ifdef UNITTESTS
457 
458 static void HostBitsTestSetup(void)
459 {
460  StorageInit();
461  HostBitInitCtx();
462  StorageFinalize();
463  HostInitConfig(true);
464 }
465 
466 static void HostBitsTestShutdown(void)
467 {
468  HostCleanup();
469  StorageCleanup();
470 }
471 
472 static int HostBitsTestParse01(void)
473 {
474  char cmd[16] = "", name[256] = "", dir[16] = "";
475 
476  /* No direction. */
477  FAIL_IF(!DetectHostbitParse("isset,name", cmd, sizeof(cmd), name,
478  sizeof(name), dir, sizeof(dir)));
479  FAIL_IF(strcmp(cmd, "isset") != 0);
480  FAIL_IF(strcmp(name, "name") != 0);
481  FAIL_IF(strlen(dir));
482 
483  /* No direction, leading space. */
484  *cmd = '\0';
485  *name = '\0';
486  *dir = '\0';
487  FAIL_IF(!DetectHostbitParse("isset, name", cmd, sizeof(cmd), name,
488  sizeof(name), dir, sizeof(dir)));
489  FAIL_IF(strcmp(cmd, "isset") != 0);
490  FAIL_IF(strcmp(name, "name") != 0);
491 
492  /* No direction, trailing space. */
493  *cmd = '\0';
494  *name = '\0';
495  *dir = '\0';
496  FAIL_IF(!DetectHostbitParse("isset,name ", cmd, sizeof(cmd), name,
497  sizeof(name), dir, sizeof(dir)));
498  FAIL_IF(strcmp(cmd, "isset") != 0);
499  FAIL_IF(strcmp(name, "name") != 0);
500 
501  /* No direction, leading and trailing space. */
502  *cmd = '\0';
503  *name = '\0';
504  *dir = '\0';
505  FAIL_IF(!DetectHostbitParse("isset, name ", cmd, sizeof(cmd), name,
506  sizeof(name), dir, sizeof(dir)));
507  FAIL_IF(strcmp(cmd, "isset") != 0);
508  FAIL_IF(strcmp(name, "name") != 0);
509 
510  /* With direction. */
511  *cmd = '\0';
512  *name = '\0';
513  *dir = '\0';
514  FAIL_IF(!DetectHostbitParse("isset,name,src", cmd, sizeof(cmd), name,
515  sizeof(name), dir, sizeof(dir)));
516  FAIL_IF(strcmp(cmd, "isset") != 0);
517  FAIL_IF(strcmp(name, "name") != 0);
518  FAIL_IF(strcmp(dir, "src") != 0);
519 
520  /* With direction - leading and trailing spaces on name. */
521  *cmd = '\0';
522  *name = '\0';
523  *dir = '\0';
524  FAIL_IF(!DetectHostbitParse("isset, name ,src", cmd, sizeof(cmd), name,
525  sizeof(name), dir, sizeof(dir)));
526  FAIL_IF(strcmp(cmd, "isset") != 0);
527  FAIL_IF(strcmp(name, "name") != 0);
528  FAIL_IF(strcmp(dir, "src") != 0);
529 
530  /* With direction - space around direction. */
531  *cmd = '\0';
532  *name = '\0';
533  *dir = '\0';
534  FAIL_IF(!DetectHostbitParse("isset, name , src ", cmd, sizeof(cmd), name,
535  sizeof(name), dir, sizeof(dir)));
536  FAIL_IF(strcmp(cmd, "isset") != 0);
537  FAIL_IF(strcmp(name, "name") != 0);
538  FAIL_IF(strcmp(dir, "src") != 0);
539 
540  /* Name with space, no direction - should fail. */
541  *cmd = '\0';
542  *name = '\0';
543  *dir = '\0';
544  FAIL_IF(DetectHostbitParse("isset, name withspace ", cmd, sizeof(cmd), name,
545  sizeof(name), dir, sizeof(dir)));
546 
547  PASS;
548 }
549 
550 /**
551  * \test HostBitsTestSig01 is a test for a valid noalert flowbits option
552  *
553  * \retval 1 on success
554  * \retval 0 on failure
555  */
556 
557 static int HostBitsTestSig01(void)
558 {
559  uint8_t *buf = (uint8_t *)
560  "GET /one/ HTTP/1.1\r\n"
561  "Host: one.example.org\r\n"
562  "\r\n";
563  uint16_t buflen = strlen((char *)buf);
564  Packet *p = PacketGetFromAlloc();
565  FAIL_IF_NULL(p);
566  Signature *s = NULL;
567  ThreadVars th_v;
568  DetectEngineThreadCtx *det_ctx = NULL;
569  DetectEngineCtx *de_ctx = NULL;
570 
571  memset(&th_v, 0, sizeof(th_v));
572  p->src.family = AF_INET;
573  p->dst.family = AF_INET;
574  p->payload = buf;
575  p->payload_len = buflen;
576  p->proto = IPPROTO_TCP;
577 
578  HostBitsTestSetup();
579 
580  de_ctx = DetectEngineCtxInit();
581  FAIL_IF_NULL(de_ctx);
582 
583  de_ctx->flags |= DE_QUIET;
584 
585  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (hostbits:set,abc; content:\"GET \"; sid:1;)");
586  FAIL_IF_NULL(s);
587 
588  SigGroupBuild(de_ctx);
589  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
590 
591  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
592 
593  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
594  DetectEngineCtxFree(de_ctx);
595  PacketFree(p);
596  HostBitsTestShutdown();
597  PASS;
598 }
599 
600 /**
601  * \test various options
602  *
603  * \retval 1 on success
604  * \retval 0 on failure
605  */
606 
607 static int HostBitsTestSig02(void)
608 {
609  Signature *s = NULL;
610  ThreadVars th_v;
611  DetectEngineCtx *de_ctx = NULL;
612 
613  memset(&th_v, 0, sizeof(th_v));
614 
615  de_ctx = DetectEngineCtxInit();
616  FAIL_IF_NULL(de_ctx);
617 
618  de_ctx->flags |= DE_QUIET;
619 
620  s = DetectEngineAppendSig(de_ctx,
621  "alert ip any any -> any any (hostbits:isset,abc,src; content:\"GET \"; sid:1;)");
622  FAIL_IF_NULL(s);
623 
624  s = DetectEngineAppendSig(de_ctx,
625  "alert ip any any -> any any (hostbits:isnotset,abc,dst; content:\"GET \"; sid:2;)");
626  FAIL_IF_NULL(s);
627 
628  s = DetectEngineAppendSig(de_ctx,
629  "alert ip any any -> any any (hostbits:!isset,abc,dst; content:\"GET \"; sid:3;)");
630  FAIL_IF_NOT_NULL(s);
631 
632 /* TODO reenable after both is supported
633  s = DetectEngineAppendSig(de_ctx,
634  "alert ip any any -> any any (hostbits:set,abc,both; content:\"GET \"; sid:3;)");
635  FAIL_IF_NULL(s);
636 */
637  s = DetectEngineAppendSig(de_ctx,
638  "alert ip any any -> any any (hostbits:unset,abc,src; content:\"GET \"; sid:4;)");
639  FAIL_IF_NULL(s);
640 
641  s = DetectEngineAppendSig(de_ctx,
642  "alert ip any any -> any any (hostbits:toggle,abc,dst; content:\"GET \"; sid:5;)");
643  FAIL_IF_NULL(s);
644 
645  DetectEngineCtxFree(de_ctx);
646  PASS;
647 }
648 
649 /**
650  * \test HostBitsTestSig03 is a test check idx value
651  *
652  * \retval 1 on success
653  * \retval 0 on failure
654  */
655 
656 static int HostBitsTestSig03(void)
657 {
658  uint8_t *buf = (uint8_t *)
659  "GET /one/ HTTP/1.1\r\n"
660  "Host: one.example.org\r\n"
661  "\r\n";
662  uint16_t buflen = strlen((char *)buf);
663  Packet *p = PacketGetFromAlloc();
664  if (unlikely(p == NULL))
665  return 0;
666  Signature *s = NULL;
667  ThreadVars th_v;
668  DetectEngineThreadCtx *det_ctx = NULL;
669  DetectEngineCtx *de_ctx = NULL;
670  int idx = 0;
671 
672  memset(&th_v, 0, sizeof(th_v));
673  p->src.family = AF_INET;
674  p->dst.family = AF_INET;
675  p->payload = buf;
676  p->payload_len = buflen;
677  p->proto = IPPROTO_TCP;
678 
679  HostBitsTestSetup();
680 
681  de_ctx = DetectEngineCtxInit();
682  FAIL_IF_NULL(de_ctx);
683 
684  de_ctx->flags |= DE_QUIET;
685 
686  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"isset option\"; hostbits:isset,fbt; content:\"GET \"; sid:1;)");
687  FAIL_IF_NULL(s);
688 
689  idx = VarNameStoreRegister("fbt", VAR_TYPE_HOST_BIT);
690  FAIL_IF(idx == 0);
691 
692  SigGroupBuild(de_ctx);
693  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
694 
695  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
696 
697  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
698  DetectEngineCtxFree(de_ctx);
699  HostBitsTestShutdown();
700 
701  SCFree(p);
702  PASS;
703 }
704 
705 /**
706  * \brief this function registers unit tests for HostBits
707  */
708 void HostBitsRegisterTests(void)
709 {
710  UtRegisterTest("HostBitsTestParse01", HostBitsTestParse01);
711  UtRegisterTest("HostBitsTestSig01", HostBitsTestSig01);
712  UtRegisterTest("HostBitsTestSig02", HostBitsTestSig02);
713  UtRegisterTest("HostBitsTestSig03", HostBitsTestSig03);
714 }
715 #endif /* UNITTESTS */
HostUnlock
void HostUnlock(Host *h)
Definition: host.c:483
Packet_::proto
uint8_t proto
Definition: decode.h:452
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SigTableElmt_::desc
const char * desc
Definition: detect.h:1286
DetectXbitsData_::expire
uint32_t expire
Definition: detect-xbits.h:44
HostBitToggle
void HostBitToggle(Host *h, uint32_t idx, uint32_t expire)
Definition: host-bit.c:147
StorageInit
void StorageInit(void)
Definition: util-storage.c:68
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1274
flow-util.h
DetectParseRegex
Definition: detect-parse.h:62
SigTableElmt_::name
const char * name
Definition: detect.h:1284
HostBitsRegisterTests
void HostBitsRegisterTests(void)
this function registers unit tests for HostBits
Definition: detect-hostbits.c:708
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
Packet_::host_src
struct Host_ * host_src
Definition: decode.h:594
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
Packet_::payload
uint8_t * payload
Definition: decode.h:577
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-hostbits.c:65
threads.h
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1278
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:832
DetectXbitsData_::cmd
uint8_t cmd
Definition: detect-xbits.h:42
HostGetHostFromHash
Host * HostGetHostFromHash(Address *a)
Definition: host.c:497
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2586
StorageCleanup
void StorageCleanup(void)
Definition: util-storage.c:76
flow-bit.h
util-var-name.h
DETECT_XBITS_TRACK_IPDST
#define DETECT_XBITS_TRACK_IPDST
Definition: detect-xbits.h:35
DE_QUIET
#define DE_QUIET
Definition: detect.h:318
DetectHostbitsRegister
void DetectHostbitsRegister(void)
Definition: detect-hostbits.c:80
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1824
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
Definition: detect-parse.c:2656
VarNameStoreRegister
uint32_t VarNameStoreRegister(const char *name, const enum VarTypes type)
Definition: util-var-name.c:155
Packet_::host_dst
struct Host_ * host_dst
Definition: decode.h:595
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2602
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1269
HostBitInitCtx
void HostBitInitCtx(void)
Definition: host-bit.c:49
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:578
DetectXbitsData_
Definition: detect-xbits.h:40
HostBitIsset
int HostBitIsset(Host *h, uint32_t idx, uint32_t ts)
Definition: host-bit.c:157
util-unittest.h
DETECT_HOSTBITS
@ DETECT_HOSTBITS
Definition: detect-engine-register.h:91
DETECT_SM_LIST_POSTMATCH
@ DETECT_SM_LIST_POSTMATCH
Definition: detect.h:118
DetectXbitMatchHost
int DetectXbitMatchHost(Packet *p, const DetectXbitsData *xd)
Definition: detect-hostbits.c:247
DETECT_XBITS_CMD_ISNOTSET
#define DETECT_XBITS_CMD_ISNOTSET
Definition: detect-xbits.h:30
HostBitIsnotset
int HostBitIsnotset(Host *h, uint32_t idx, uint32_t ts)
Definition: host-bit.c:170
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1080
Packet_::ts
SCTime_t ts
Definition: decode.h:475
HostBitUnset
void HostBitUnset(Host *h, uint32_t idx)
Definition: host-bit.c:139
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2780
HostCleanup
void HostCleanup(void)
Cleanup the host engine.
Definition: host.c:341
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
VarNameStoreUnregister
void VarNameStoreUnregister(const uint32_t id, const enum VarTypes type)
Definition: util-var-name.c:201
PacketFree
void PacketFree(Packet *p)
Return a malloced packet.
Definition: decode.c:134
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:108
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2298
app-layer-parser.h
HostLock
void HostLock(Host *h)
Definition: host.c:478
DetectXbitsData_::type
enum VarTypes type
Definition: detect-xbits.h:46
HostBitSet
void HostBitSet(Host *h, uint32_t idx, uint32_t expire)
Definition: host-bit.c:131
Signature_::flags
uint32_t flags
Definition: detect.h:588
Packet_
Definition: decode.h:430
detect-engine-build.h
StorageFinalize
int StorageFinalize(void)
Definition: util-storage.c:138
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1252
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1976
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:339
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3293
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3503
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:129
util-spm.h
SCTIME_SECS
#define SCTIME_SECS(t)
Definition: util-time.h:57
DetectXbitsData_::idx
uint32_t idx
Definition: detect-xbits.h:41
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:840
SIG_FLAG_NOALERT
#define SIG_FLAG_NOALERT
Definition: detect.h:236
detect-hostbits.h
VAR_TYPE_HOST_BIT
@ VAR_TYPE_HOST_BIT
Definition: util-var.h:39
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:173
detect-engine-sigorder.h
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
DetectXbitsData_::tracker
uint8_t tracker
Definition: detect-xbits.h:43
str
#define str(s)
Definition: suricata-common.h:291
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DETECT_XBITS_TRACK_IPSRC
#define DETECT_XBITS_TRACK_IPSRC
Definition: detect-xbits.h:34
detect-parse.h
Signature_
Signature container.
Definition: detect.h:587
DETECT_XBITS_CMD_NOALERT
#define DETECT_XBITS_CMD_NOALERT
Definition: detect-xbits.h:32
DETECT_XBITS_CMD_ISSET
#define DETECT_XBITS_CMD_ISSET
Definition: detect-xbits.h:31
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2547
HostLookupHostFromHash
Host * HostLookupHostFromHash(Address *a)
look up a host in the hash
Definition: host.c:596
Address_::family
char family
Definition: decode.h:116
Packet_::dst
Address dst
Definition: decode.h:435
HostInitConfig
void HostInitConfig(bool quiet)
initialize the configuration
Definition: host.c:173
DETECT_XBITS_CMD_SET
#define DETECT_XBITS_CMD_SET
Definition: detect-xbits.h:27
SigMatchAppendSMToList
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:449
DetectHostbitFree
void DetectHostbitFree(DetectEngineCtx *, void *)
Definition: detect-hostbits.c:445
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:834
DETECT_XBITS_CMD_TOGGLE
#define DETECT_XBITS_CMD_TOGGLE
Definition: detect-xbits.h:28
flow.h
DETECT_XBITS_CMD_UNSET
#define DETECT_XBITS_CMD_UNSET
Definition: detect-xbits.h:29
SIGMATCH_IPONLY_COMPAT
#define SIGMATCH_IPONLY_COMPAT
Definition: detect.h:1468
Packet_::src
Address src
Definition: decode.h:434
host-bit.h
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1276