suricata
detect-hostbits.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Implements the hostbits keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 #include "detect.h"
29 #include "threads.h"
30 #include "flow.h"
31 #include "flow-util.h"
32 #include "detect-hostbits.h"
33 #include "util-spm.h"
34 
35 #include "detect-engine-sigorder.h"
36 
37 #include "app-layer-parser.h"
38 
39 #include "detect-parse.h"
40 #include "detect-engine.h"
41 #include "detect-engine-mpm.h"
42 #include "detect-engine-state.h"
43 
44 #include "flow-bit.h"
45 #include "host-bit.h"
46 #include "util-var-name.h"
47 #include "util-unittest.h"
48 #include "util-debug.h"
49 
50 /*
51  hostbits:isset,bitname;
52  hostbits:set,bitname;
53 
54  hostbits:set,bitname,src;
55  hostbits:set,bitname,dst;
56 TODO:
57  hostbits:set,bitname,both;
58 
59  hostbits:set,bitname,src,3600;
60  hostbits:set,bitname,dst,60;
61  hostbits:set,bitname,both,120;
62  */
63 
64 #define PARSE_REGEX "^([a-z]+)" /* Action */ \
65  "(?:\\s*,\\s*([^\\s,]+))?(?:\\s*)?" /* Name. */ \
66  "(?:\\s*,\\s*([^,\\s]+))?(?:\\s*)?" /* Direction. */ \
67  "(.+)?" /* Any remainding data. */
68 static DetectParseRegex parse_regex;
69 
70 static int DetectHostbitMatch (DetectEngineThreadCtx *, Packet *,
71  const Signature *, const SigMatchCtx *);
72 static int DetectHostbitSetup (DetectEngineCtx *, Signature *, const char *);
73 void DetectHostbitFree (DetectEngineCtx *, void *);
74 #ifdef UNITTESTS
75 void HostBitsRegisterTests(void);
76 #endif
77 
79 {
80  sigmatch_table[DETECT_HOSTBITS].name = "hostbits";
81  sigmatch_table[DETECT_HOSTBITS].desc = "operate on host flag";
82 // sigmatch_table[DETECT_HOSTBITS].url = "/rules/flow-keywords.html#flowbits";
83  sigmatch_table[DETECT_HOSTBITS].Match = DetectHostbitMatch;
84  sigmatch_table[DETECT_HOSTBITS].Setup = DetectHostbitSetup;
86 #ifdef UNITTESTS
88 #endif
89  /* this is compatible to ip-only signatures */
91 
92  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
93 }
94 
95 static int DetectHostbitMatchToggle (Packet *p, const DetectXbitsData *fd)
96 {
97  switch (fd->tracker) {
99  if (p->host_src == NULL) {
100  p->host_src = HostGetHostFromHash(&p->src);
101  if (p->host_src == NULL)
102  return 0;
103  }
104  else
105  HostLock(p->host_src);
106 
107  HostBitToggle(p->host_src,fd->idx,p->ts.tv_sec + fd->expire);
108  HostUnlock(p->host_src);
109  break;
111  if (p->host_dst == NULL) {
112  p->host_dst = HostGetHostFromHash(&p->dst);
113  if (p->host_dst == NULL)
114  return 0;
115  }
116  else
117  HostLock(p->host_dst);
118 
119  HostBitToggle(p->host_dst,fd->idx,p->ts.tv_sec + fd->expire);
120  HostUnlock(p->host_dst);
121  break;
122  }
123  return 1;
124 }
125 
126 /* return true even if bit not found */
127 static int DetectHostbitMatchUnset (Packet *p, const DetectXbitsData *fd)
128 {
129  switch (fd->tracker) {
131  if (p->host_src == NULL) {
133  if (p->host_src == NULL)
134  return 1;
135  } else
136  HostLock(p->host_src);
137 
138  HostBitUnset(p->host_src,fd->idx);
139  HostUnlock(p->host_src);
140  break;
142  if (p->host_dst == NULL) {
144  if (p->host_dst == NULL)
145  return 1;
146  } else
147  HostLock(p->host_dst);
148 
149  HostBitUnset(p->host_dst,fd->idx);
150  HostUnlock(p->host_dst);
151  break;
152  }
153  return 1;
154 }
155 
156 static int DetectHostbitMatchSet (Packet *p, const DetectXbitsData *fd)
157 {
158  switch (fd->tracker) {
160  if (p->host_src == NULL) {
161  p->host_src = HostGetHostFromHash(&p->src);
162  if (p->host_src == NULL)
163  return 0;
164  } else
165  HostLock(p->host_src);
166 
167  HostBitSet(p->host_src,fd->idx,p->ts.tv_sec + fd->expire);
168  HostUnlock(p->host_src);
169  break;
171  if (p->host_dst == NULL) {
172  p->host_dst = HostGetHostFromHash(&p->dst);
173  if (p->host_dst == NULL)
174  return 0;
175  } else
176  HostLock(p->host_dst);
177 
178  HostBitSet(p->host_dst,fd->idx, p->ts.tv_sec + fd->expire);
179  HostUnlock(p->host_dst);
180  break;
181  }
182  return 1;
183 }
184 
185 static int DetectHostbitMatchIsset (Packet *p, const DetectXbitsData *fd)
186 {
187  int r = 0;
188  switch (fd->tracker) {
190  if (p->host_src == NULL) {
192  if (p->host_src == NULL)
193  return 0;
194  } else
195  HostLock(p->host_src);
196 
197  r = HostBitIsset(p->host_src,fd->idx, p->ts.tv_sec);
198  HostUnlock(p->host_src);
199  return r;
201  if (p->host_dst == NULL) {
203  if (p->host_dst == NULL)
204  return 0;
205  } else
206  HostLock(p->host_dst);
207 
208  r = HostBitIsset(p->host_dst,fd->idx, p->ts.tv_sec);
209  HostUnlock(p->host_dst);
210  return r;
211  }
212  return 0;
213 }
214 
215 static int DetectHostbitMatchIsnotset (Packet *p, const DetectXbitsData *fd)
216 {
217  int r = 0;
218  switch (fd->tracker) {
220  if (p->host_src == NULL) {
222  if (p->host_src == NULL)
223  return 1;
224  } else
225  HostLock(p->host_src);
226 
227  r = HostBitIsnotset(p->host_src,fd->idx, p->ts.tv_sec);
228  HostUnlock(p->host_src);
229  return r;
231  if (p->host_dst == NULL) {
233  if (p->host_dst == NULL)
234  return 1;
235  } else
236  HostLock(p->host_dst);
237 
238  r = HostBitIsnotset(p->host_dst,fd->idx, p->ts.tv_sec);
239  HostUnlock(p->host_dst);
240  return r;
241  }
242  return 0;
243 }
244 
246 {
247  switch (xd->cmd) {
249  return DetectHostbitMatchIsset(p,xd);
251  return DetectHostbitMatchIsnotset(p,xd);
253  return DetectHostbitMatchSet(p,xd);
255  return DetectHostbitMatchUnset(p,xd);
257  return DetectHostbitMatchToggle(p,xd);
258  default:
259  SCLogError(SC_ERR_UNKNOWN_VALUE, "unknown cmd %" PRIu32 "", xd->cmd);
260  return 0;
261  }
262 
263  return 0;
264 }
265 
266 /*
267  * returns 0: no match
268  * 1: match
269  * -1: error
270  */
271 
272 static int DetectHostbitMatch (DetectEngineThreadCtx *det_ctx, Packet *p,
273  const Signature *s, const SigMatchCtx *ctx)
274 {
275  const DetectXbitsData *xd = (const DetectXbitsData *)ctx;
276  if (xd == NULL)
277  return 0;
278 
279  return DetectXbitMatchHost(p, xd);
280 }
281 
282 static int DetectHostbitParse(const char *str, char *cmd, int cmd_len,
283  char *name, int name_len, char *dir, int dir_len)
284 {
285  const int max_substrings = 30;
286  int count, rc;
287  int ov[max_substrings];
288 
289  count = DetectParsePcreExec(&parse_regex, str, 0, 0, ov, max_substrings);
290  if (count != 2 && count != 3 && count != 4) {
292  "\"%s\" is not a valid setting for hostbits.", str);
293  return 0;
294  }
295 
296  rc = pcre_copy_substring((char *)str, ov, max_substrings, 1, cmd, cmd_len);
297  if (rc < 0) {
298  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
299  return 0;
300  }
301 
302  if (count >= 3) {
303  rc = pcre_copy_substring((char *)str, ov, max_substrings, 2, name,
304  name_len);
305  if (rc < 0) {
306  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
307  return 0;
308  }
309  if (count >= 4) {
310  rc = pcre_copy_substring((char *)str, ov, max_substrings, 3, dir,
311  dir_len);
312  if (rc < 0) {
314  "pcre_copy_substring failed");
315  return 0;
316  }
317  }
318  }
319 
320  return 1;
321 }
322 
323 int DetectHostbitSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
324 {
325  DetectXbitsData *cd = NULL;
326  SigMatch *sm = NULL;
327  uint8_t fb_cmd = 0;
328  uint8_t hb_dir = 0;
329  char fb_cmd_str[16] = "", fb_name[256] = "";
330  char hb_dir_str[16] = "";
331 
332  if (!DetectHostbitParse(rawstr, fb_cmd_str, sizeof(fb_cmd_str),
333  fb_name, sizeof(fb_name), hb_dir_str, sizeof(hb_dir_str))) {
334  return -1;
335  }
336 
337  if (strlen(hb_dir_str) > 0) {
338  if (strcmp(hb_dir_str, "src") == 0)
339  hb_dir = DETECT_XBITS_TRACK_IPSRC;
340  else if (strcmp(hb_dir_str, "dst") == 0)
341  hb_dir = DETECT_XBITS_TRACK_IPDST;
342  else if (strcmp(hb_dir_str, "both") == 0) {
343  //hb_dir = DETECT_XBITS_TRACK_IPBOTH;
344  SCLogError(SC_ERR_UNIMPLEMENTED, "'both' not implemented");
345  goto error;
346  } else {
347  // TODO
348  goto error;
349  }
350  }
351 
352  if (strcmp(fb_cmd_str,"noalert") == 0) {
353  fb_cmd = DETECT_XBITS_CMD_NOALERT;
354  } else if (strcmp(fb_cmd_str,"isset") == 0) {
355  fb_cmd = DETECT_XBITS_CMD_ISSET;
356  } else if (strcmp(fb_cmd_str,"isnotset") == 0) {
357  fb_cmd = DETECT_XBITS_CMD_ISNOTSET;
358  } else if (strcmp(fb_cmd_str,"set") == 0) {
359  fb_cmd = DETECT_XBITS_CMD_SET;
360  } else if (strcmp(fb_cmd_str,"unset") == 0) {
361  fb_cmd = DETECT_XBITS_CMD_UNSET;
362  } else if (strcmp(fb_cmd_str,"toggle") == 0) {
363  fb_cmd = DETECT_XBITS_CMD_TOGGLE;
364  } else {
365  SCLogError(SC_ERR_UNKNOWN_VALUE, "ERROR: flowbits action \"%s\" is not supported.", fb_cmd_str);
366  goto error;
367  }
368 
369  switch (fb_cmd) {
371  if (strlen(fb_name) != 0)
372  goto error;
373  s->flags |= SIG_FLAG_NOALERT;
374  return 0;
380  default:
381  if (strlen(fb_name) == 0)
382  goto error;
383  break;
384  }
385 
386  cd = SCMalloc(sizeof(DetectXbitsData));
387  if (unlikely(cd == NULL))
388  goto error;
389 
391  cd->cmd = fb_cmd;
392  cd->tracker = hb_dir;
393  cd->type = VAR_TYPE_HOST_BIT;
394  cd->expire = 300;
395 
396  SCLogDebug("idx %" PRIu32 ", cmd %s, name %s",
397  cd->idx, fb_cmd_str, strlen(fb_name) ? fb_name : "(none)");
398 
399  /* Okay so far so good, lets get this into a SigMatch
400  * and put it in the Signature. */
401  sm = SigMatchAlloc();
402  if (sm == NULL)
403  goto error;
404 
405  sm->type = DETECT_HOSTBITS;
406  sm->ctx = (void *)cd;
407 
408  switch (fb_cmd) {
409  /* case DETECT_XBITS_CMD_NOALERT can't happen here */
410 
413  /* checks, so packet list */
415  break;
416 
420  /* modifiers, only run when entire sig has matched */
422  break;
423 
424  // suppress coverity warning as scan-build-7 warns w/o this.
425  // coverity[deadcode : FALSE]
426  default:
427  goto error;
428  }
429 
430  return 0;
431 
432 error:
433  if (cd != NULL)
434  SCFree(cd);
435  if (sm != NULL)
436  SCFree(sm);
437  return -1;
438 }
439 
441 {
442  DetectXbitsData *fd = (DetectXbitsData *)ptr;
443 
444  if (fd == NULL)
445  return;
446 
447  SCFree(fd);
448 }
449 
450 #ifdef UNITTESTS
451 
452 static void HostBitsTestSetup(void)
453 {
454  StorageInit();
455  HostBitInitCtx();
456  StorageFinalize();
458 }
459 
460 static void HostBitsTestShutdown(void)
461 {
462  HostCleanup();
463  StorageCleanup();
464 }
465 
466 static int HostBitsTestParse01(void)
467 {
468  char cmd[16] = "", name[256] = "", dir[16] = "";
469 
470  /* No direction. */
471  FAIL_IF(!DetectHostbitParse("isset,name", cmd, sizeof(cmd), name,
472  sizeof(name), dir, sizeof(dir)));
473  FAIL_IF(strcmp(cmd, "isset") != 0);
474  FAIL_IF(strcmp(name, "name") != 0);
475  FAIL_IF(strlen(dir));
476 
477  /* No direction, leading space. */
478  *cmd = '\0';
479  *name = '\0';
480  *dir = '\0';
481  FAIL_IF(!DetectHostbitParse("isset, name", cmd, sizeof(cmd), name,
482  sizeof(name), dir, sizeof(dir)));
483  FAIL_IF(strcmp(cmd, "isset") != 0);
484  FAIL_IF(strcmp(name, "name") != 0);
485 
486  /* No direction, trailing space. */
487  *cmd = '\0';
488  *name = '\0';
489  *dir = '\0';
490  FAIL_IF(!DetectHostbitParse("isset,name ", cmd, sizeof(cmd), name,
491  sizeof(name), dir, sizeof(dir)));
492  FAIL_IF(strcmp(cmd, "isset") != 0);
493  FAIL_IF(strcmp(name, "name") != 0);
494 
495  /* No direction, leading and trailing space. */
496  *cmd = '\0';
497  *name = '\0';
498  *dir = '\0';
499  FAIL_IF(!DetectHostbitParse("isset, name ", cmd, sizeof(cmd), name,
500  sizeof(name), dir, sizeof(dir)));
501  FAIL_IF(strcmp(cmd, "isset") != 0);
502  FAIL_IF(strcmp(name, "name") != 0);
503 
504  /* With direction. */
505  *cmd = '\0';
506  *name = '\0';
507  *dir = '\0';
508  FAIL_IF(!DetectHostbitParse("isset,name,src", cmd, sizeof(cmd), name,
509  sizeof(name), dir, sizeof(dir)));
510  FAIL_IF(strcmp(cmd, "isset") != 0);
511  FAIL_IF(strcmp(name, "name") != 0);
512  FAIL_IF(strcmp(dir, "src") != 0);
513 
514  /* With direction - leading and trailing spaces on name. */
515  *cmd = '\0';
516  *name = '\0';
517  *dir = '\0';
518  FAIL_IF(!DetectHostbitParse("isset, name ,src", cmd, sizeof(cmd), name,
519  sizeof(name), dir, sizeof(dir)));
520  FAIL_IF(strcmp(cmd, "isset") != 0);
521  FAIL_IF(strcmp(name, "name") != 0);
522  FAIL_IF(strcmp(dir, "src") != 0);
523 
524  /* With direction - space around direction. */
525  *cmd = '\0';
526  *name = '\0';
527  *dir = '\0';
528  FAIL_IF(!DetectHostbitParse("isset, name , src ", cmd, sizeof(cmd), name,
529  sizeof(name), dir, sizeof(dir)));
530  FAIL_IF(strcmp(cmd, "isset") != 0);
531  FAIL_IF(strcmp(name, "name") != 0);
532  FAIL_IF(strcmp(dir, "src") != 0);
533 
534  /* Name with space, no direction - should fail. */
535  *cmd = '\0';
536  *name = '\0';
537  *dir = '\0';
538  FAIL_IF(DetectHostbitParse("isset, name withspace ", cmd, sizeof(cmd), name,
539  sizeof(name), dir, sizeof(dir)));
540 
541  PASS;
542 }
543 
544 /**
545  * \test HostBitsTestSig01 is a test for a valid noalert flowbits option
546  *
547  * \retval 1 on succces
548  * \retval 0 on failure
549  */
550 
551 static int HostBitsTestSig01(void)
552 {
553  uint8_t *buf = (uint8_t *)
554  "GET /one/ HTTP/1.1\r\n"
555  "Host: one.example.org\r\n"
556  "\r\n";
557  uint16_t buflen = strlen((char *)buf);
559  FAIL_IF_NULL(p);
560  Signature *s = NULL;
561  ThreadVars th_v;
562  DetectEngineThreadCtx *det_ctx = NULL;
563  DetectEngineCtx *de_ctx = NULL;
564 
565  memset(&th_v, 0, sizeof(th_v));
566  memset(p, 0, SIZE_OF_PACKET);
567  p->src.family = AF_INET;
568  p->dst.family = AF_INET;
569  p->payload = buf;
570  p->payload_len = buflen;
571  p->proto = IPPROTO_TCP;
572 
573  HostBitsTestSetup();
574 
577 
578  de_ctx->flags |= DE_QUIET;
579 
580  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (hostbits:set,abc; content:\"GET \"; sid:1;)");
581  FAIL_IF_NULL(s);
582 
584  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
585 
586  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
587 
588  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
590  HostBitsTestShutdown();
591 
592  SCFree(p);
593  PASS;
594 }
595 
596 /**
597  * \test various options
598  *
599  * \retval 1 on succces
600  * \retval 0 on failure
601  */
602 
603 static int HostBitsTestSig02(void)
604 {
605  Signature *s = NULL;
606  ThreadVars th_v;
607  DetectEngineCtx *de_ctx = NULL;
608 
609  memset(&th_v, 0, sizeof(th_v));
610 
613 
614  de_ctx->flags |= DE_QUIET;
615 
617  "alert ip any any -> any any (hostbits:isset,abc,src; content:\"GET \"; sid:1;)");
618  FAIL_IF_NULL(s);
619 
621  "alert ip any any -> any any (hostbits:isnotset,abc,dst; content:\"GET \"; sid:2;)");
622  FAIL_IF_NULL(s);
623 
625  "alert ip any any -> any any (hostbits:!isset,abc,dst; content:\"GET \"; sid:3;)");
626  FAIL_IF_NOT_NULL(s);
627 
628 /* TODO reenable after both is supported
629  s = DetectEngineAppendSig(de_ctx,
630  "alert ip any any -> any any (hostbits:set,abc,both; content:\"GET \"; sid:3;)");
631  FAIL_IF_NULL(s);
632 */
634  "alert ip any any -> any any (hostbits:unset,abc,src; content:\"GET \"; sid:4;)");
635  FAIL_IF_NULL(s);
636 
638  "alert ip any any -> any any (hostbits:toggle,abc,dst; content:\"GET \"; sid:5;)");
639  FAIL_IF_NULL(s);
640 
642  PASS;
643 }
644 
645 #if 0
646 /**
647  * \test HostBitsTestSig03 is a test for a invalid flowbits option
648  *
649  * \retval 1 on succces
650  * \retval 0 on failure
651  */
652 
653 static int HostBitsTestSig03(void)
654 {
655  uint8_t *buf = (uint8_t *)
656  "GET /one/ HTTP/1.1\r\n"
657  "Host: one.example.org\r\n"
658  "\r\n";
659  uint16_t buflen = strlen((char *)buf);
661  if (unlikely(p == NULL))
662  return 0;
663  Signature *s = NULL;
664  ThreadVars th_v;
665  DetectEngineThreadCtx *det_ctx = NULL;
666  DetectEngineCtx *de_ctx = NULL;
667  int result = 0;
668 
669  memset(&th_v, 0, sizeof(th_v));
670  memset(p, 0, SIZE_OF_PACKET);
671  p->src.family = AF_INET;
672  p->dst.family = AF_INET;
673  p->payload = buf;
674  p->payload_len = buflen;
675  p->proto = IPPROTO_TCP;
676 
678 
679  if (de_ctx == NULL) {
680  goto end;
681  }
682 
683  de_ctx->flags |= DE_QUIET;
684 
685  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Unknown cmd\"; flowbits:wrongcmd; content:\"GET \"; sid:1;)");
686 
687  if (s == NULL) {
688  goto end;
689  }
690 
692  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
693 
694  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
695 
696  result = 1;
697 
700 
701  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
703 
704 end:
705 
706  if (de_ctx != NULL) {
709  }
710 
711  if (det_ctx != NULL) {
712  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
713  }
714 
715  if (de_ctx != NULL) {
717  }
718 
719 
720  SCFree(p);
721  return result;
722 }
723 #endif
724 
725 /**
726  * \test HostBitsTestSig04 is a test check idx value
727  *
728  * \retval 1 on succces
729  * \retval 0 on failure
730  */
731 
732 static int HostBitsTestSig04(void)
733 {
734  uint8_t *buf = (uint8_t *)
735  "GET /one/ HTTP/1.1\r\n"
736  "Host: one.example.org\r\n"
737  "\r\n";
738  uint16_t buflen = strlen((char *)buf);
740  if (unlikely(p == NULL))
741  return 0;
742  Signature *s = NULL;
743  ThreadVars th_v;
744  DetectEngineThreadCtx *det_ctx = NULL;
745  DetectEngineCtx *de_ctx = NULL;
746  int idx = 0;
747 
748  memset(&th_v, 0, sizeof(th_v));
749  memset(p, 0, SIZE_OF_PACKET);
750  p->src.family = AF_INET;
751  p->dst.family = AF_INET;
752  p->payload = buf;
753  p->payload_len = buflen;
754  p->proto = IPPROTO_TCP;
755 
756  HostBitsTestSetup();
757 
760 
761  de_ctx->flags |= DE_QUIET;
762 
763  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"isset option\"; hostbits:isset,fbt; content:\"GET \"; sid:1;)");
764  FAIL_IF_NULL(s);
765 
767  FAIL_IF(idx != 1);
768 
770  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
771 
772  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
773 
774  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
776  HostBitsTestShutdown();
777 
778  SCFree(p);
779  PASS;
780 }
781 
782 /**
783  * \test HostBitsTestSig05 is a test check noalert flag
784  *
785  * \retval 1 on succces
786  * \retval 0 on failure
787  */
788 
789 static int HostBitsTestSig05(void)
790 {
791  uint8_t *buf = (uint8_t *)
792  "GET /one/ HTTP/1.1\r\n"
793  "Host: one.example.org\r\n"
794  "\r\n";
795  uint16_t buflen = strlen((char *)buf);
797  if (unlikely(p == NULL))
798  return 0;
799  Signature *s = NULL;
800  ThreadVars th_v;
801  DetectEngineThreadCtx *det_ctx = NULL;
802  DetectEngineCtx *de_ctx = NULL;
803 
804  memset(&th_v, 0, sizeof(th_v));
805  memset(p, 0, SIZE_OF_PACKET);
806  p->src.family = AF_INET;
807  p->dst.family = AF_INET;
808  p->payload = buf;
809  p->payload_len = buflen;
810  p->proto = IPPROTO_TCP;
811 
812  HostBitsTestSetup();
813 
816 
817  de_ctx->flags |= DE_QUIET;
818 
819  s = de_ctx->sig_list = SigInit(de_ctx,
820  "alert ip any any -> any any (hostbits:noalert; content:\"GET \"; sid:1;)");
821  FAIL_IF_NULL(s);
823 
825  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
826 
827  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
828 
829  FAIL_IF(PacketAlertCheck(p, 1));
830 
833 
834  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
836 
837  HostBitsTestShutdown();
838 
839  SCFree(p);
840  PASS;
841 }
842 
843 #if 0
844 /**
845  * \test HostBitsTestSig06 is a test set flowbits option
846  *
847  * \retval 1 on succces
848  * \retval 0 on failure
849  */
850 
851 static int HostBitsTestSig06(void)
852 {
853  uint8_t *buf = (uint8_t *)
854  "GET /one/ HTTP/1.1\r\n"
855  "Host: one.example.org\r\n"
856  "\r\n";
857  uint16_t buflen = strlen((char *)buf);
859  if (unlikely(p == NULL))
860  return 0;
861  Signature *s = NULL;
862  ThreadVars th_v;
863  DetectEngineThreadCtx *det_ctx = NULL;
864  DetectEngineCtx *de_ctx = NULL;
865  Flow f;
866  GenericVar flowvar, *gv = NULL;
867  int result = 0;
868  int idx = 0;
869 
870  memset(p, 0, SIZE_OF_PACKET);
871  memset(&th_v, 0, sizeof(th_v));
872  memset(&f, 0, sizeof(Flow));
873  memset(&flowvar, 0, sizeof(GenericVar));
874 
875  FLOW_INITIALIZE(&f);
876  p->flow = &f;
877  p->flow->flowvar = &flowvar;
878 
879  p->src.family = AF_INET;
880  p->dst.family = AF_INET;
881  p->payload = buf;
882  p->payload_len = buflen;
883  p->proto = IPPROTO_TCP;
884  p->flags |= PKT_HAS_FLOW;
886 
888 
889  if (de_ctx == NULL) {
890  goto end;
891  }
892 
893  de_ctx->flags |= DE_QUIET;
894 
895  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Flowbit set\"; flowbits:set,myflow; sid:10;)");
896 
897  if (s == NULL) {
898  goto end;
899  }
900 
902  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
903 
904  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
905 
906  idx = VariableNameGetIdx(de_ctx, "myflow", VAR_TYPE_HOST_BIT);
907 
908  gv = p->flow->flowvar;
909 
910  for ( ; gv != NULL; gv = gv->next) {
911  if (gv->type == DETECT_HOSTBITS && gv->idx == idx) {
912  result = 1;
913  }
914  }
915 
918 
919  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
921 
922  if(gv) GenericVarFree(gv);
923  FLOW_DESTROY(&f);
924 
925  SCFree(p);
926  return result;
927 end:
928 
929  if (de_ctx != NULL) {
932  }
933 
934  if (det_ctx != NULL) {
935  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
936  }
937 
938  if (de_ctx != NULL) {
940  }
941 
942  if(gv) GenericVarFree(gv);
943  FLOW_DESTROY(&f);
944  SCFree(p);
945  return result;
946 }
947 
948 /**
949  * \test HostBitsTestSig07 is a test unset flowbits option
950  *
951  * \retval 1 on succces
952  * \retval 0 on failure
953  */
954 
955 static int HostBitsTestSig07(void)
956 {
957  uint8_t *buf = (uint8_t *)
958  "GET /one/ HTTP/1.1\r\n"
959  "Host: one.example.org\r\n"
960  "\r\n";
961  uint16_t buflen = strlen((char *)buf);
963  if (unlikely(p == NULL))
964  return 0;
965  Signature *s = NULL;
966  ThreadVars th_v;
967  DetectEngineThreadCtx *det_ctx = NULL;
968  DetectEngineCtx *de_ctx = NULL;
969  Flow f;
970  GenericVar flowvar, *gv = NULL;
971  int result = 0;
972  int idx = 0;
973 
974  memset(p, 0, SIZE_OF_PACKET);
975  memset(&th_v, 0, sizeof(th_v));
976  memset(&f, 0, sizeof(Flow));
977  memset(&flowvar, 0, sizeof(GenericVar));
978 
979  FLOW_INITIALIZE(&f);
980  p->flow = &f;
981  p->flow->flowvar = &flowvar;
982 
983  p->src.family = AF_INET;
984  p->dst.family = AF_INET;
985  p->payload = buf;
986  p->payload_len = buflen;
987  p->proto = IPPROTO_TCP;
988 
990 
991  if (de_ctx == NULL) {
992  goto end;
993  }
994 
995  de_ctx->flags |= DE_QUIET;
996 
997  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Flowbit set\"; flowbits:set,myflow2; sid:10;)");
998  if (s == NULL) {
999  goto end;
1000  }
1001 
1002  s = s->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Flowbit unset\"; flowbits:unset,myflow2; sid:11;)");
1003  if (s == NULL) {
1004  goto end;
1005  }
1006 
1008  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1009 
1010  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1011 
1012  idx = VariableNameGetIdx(de_ctx, "myflow", VAR_TYPE_HOST_BIT);
1013 
1014  gv = p->flow->flowvar;
1015 
1016  for ( ; gv != NULL; gv = gv->next) {
1017  if (gv->type == DETECT_HOSTBITS && gv->idx == idx) {
1018  result = 1;
1019  }
1020  }
1021 
1024 
1025  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1027 
1028  if(gv) GenericVarFree(gv);
1029  FLOW_DESTROY(&f);
1030 
1031  SCFree(p);
1032  return result;
1033 end:
1034 
1035  if (de_ctx != NULL) {
1038  }
1039 
1040  if (det_ctx != NULL) {
1041  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1042  }
1043 
1044  if (de_ctx != NULL) {
1046  }
1047 
1048  if(gv) GenericVarFree(gv);
1049  FLOW_DESTROY(&f);
1050 
1051  SCFree(p);
1052  return result;}
1053 #endif
1054 
1055 /**
1056  * \test set / isset
1057  *
1058  * \retval 1 on succces
1059  * \retval 0 on failure
1060  */
1061 static int HostBitsTestSig07(void)
1062 {
1063  uint8_t *buf = (uint8_t *)
1064  "GET /one/ HTTP/1.1\r\n"
1065  "Host: one.example.org\r\n"
1066  "\r\n";
1067  uint16_t buflen = strlen((char *)buf);
1069  if (unlikely(p == NULL))
1070  return 0;
1071  Signature *s = NULL;
1072  ThreadVars th_v;
1073  DetectEngineThreadCtx *det_ctx = NULL;
1074  DetectEngineCtx *de_ctx = NULL;
1075  Flow f;
1076  int result = 0;
1077 
1078  memset(p, 0, SIZE_OF_PACKET);
1079  memset(&th_v, 0, sizeof(th_v));
1080  memset(&f, 0, sizeof(Flow));
1081 
1082  HostBitsTestSetup();
1083 
1084  FLOW_INITIALIZE(&f);
1085  p->flow = &f;
1087 
1088  p->src.family = AF_INET;
1089  p->dst.family = AF_INET;
1090  p->payload = buf;
1091  p->payload_len = buflen;
1092  p->proto = IPPROTO_TCP;
1093 
1096 
1097  de_ctx->flags |= DE_QUIET;
1098 
1099  s = de_ctx->sig_list = SigInit(de_ctx,
1100  "alert ip any any -> any any (hostbits:set,myflow2; sid:10;)");
1101  FAIL_IF_NULL(s);
1102 
1103  s = s->next = SigInit(de_ctx,
1104  "alert ip any any -> any any (hostbits:isset,myflow2; sid:11;)");
1105  FAIL_IF_NULL(s);
1106 
1108  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1109 
1110  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1111 
1112  SCLogInfo("p->host_src %p", p->host_src);
1113 
1114  if (HostHasHostBits(p->host_src) == 1) {
1115  if (PacketAlertCheck(p, 11)) {
1116  result = 1;
1117  }
1118  }
1119  FAIL_IF_NOT(result);
1120 
1123 
1124  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1126 
1127  FLOW_DESTROY(&f);
1128 
1129  HostBitsTestShutdown();
1130  SCFree(p);
1131  PASS;
1132 }
1133 
1134 /**
1135  * \test set / toggle / toggle / isset
1136  *
1137  * \retval 1 on succces
1138  * \retval 0 on failure
1139  */
1140 static int HostBitsTestSig08(void)
1141 {
1142  uint8_t *buf = (uint8_t *)
1143  "GET /one/ HTTP/1.1\r\n"
1144  "Host: one.example.org\r\n"
1145  "\r\n";
1146  uint16_t buflen = strlen((char *)buf);
1148  if (unlikely(p == NULL))
1149  return 0;
1150  Signature *s = NULL;
1151  ThreadVars th_v;
1152  DetectEngineThreadCtx *det_ctx = NULL;
1153  DetectEngineCtx *de_ctx = NULL;
1154  Flow f;
1155 
1156  memset(p, 0, SIZE_OF_PACKET);
1157  memset(&th_v, 0, sizeof(th_v));
1158  memset(&f, 0, sizeof(Flow));
1159 
1160  HostBitsTestSetup();
1161 
1162  FLOW_INITIALIZE(&f);
1163  p->flow = &f;
1164 
1165  p->src.family = AF_INET;
1166  p->dst.family = AF_INET;
1167  p->payload = buf;
1168  p->payload_len = buflen;
1169  p->proto = IPPROTO_TCP;
1170 
1173 
1174  de_ctx->flags |= DE_QUIET;
1175 
1177  "alert ip any any -> any any (hostbits:set,myflow2; sid:10;)");
1178  FAIL_IF_NULL(s);
1180  "alert ip any any -> any any (hostbits:toggle,myflow2; sid:11;)");
1181  FAIL_IF_NULL(s);
1183  "alert ip any any -> any any (hostbits:toggle,myflow2; sid:12;)");
1184  FAIL_IF_NULL(s);
1186  "alert ip any any -> any any (hostbits:isset,myflow2; sid:13;)");
1187  FAIL_IF_NULL(s);
1188 
1192 
1194  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1195 
1196  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1197 
1198  SCLogInfo("p->host_src %p", p->host_src);
1199 
1200  if (HostHasHostBits(p->host_src) == 1) {
1201  if (PacketAlertCheck(p, 10)) {
1202  SCLogInfo("sid 10 matched");
1203  }
1204  if (PacketAlertCheck(p, 11)) {
1205  SCLogInfo("sid 11 matched");
1206  }
1207  if (PacketAlertCheck(p, 12)) {
1208  SCLogInfo("sid 12 matched");
1209  }
1210  if (PacketAlertCheck(p, 13)) {
1211  SCLogInfo("sid 13 matched");
1212  } else {
1213  FAIL;
1214  }
1215  }
1216 
1219 
1220  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1222 
1223  FLOW_DESTROY(&f);
1224 
1225  HostBitsTestShutdown();
1226 
1227  SCFree(p);
1228  PASS;
1229 }
1230 
1231 /**
1232  * \brief this function registers unit tests for HostBits
1233  */
1235 {
1236  UtRegisterTest("HostBitsTestParse01", HostBitsTestParse01);
1237  UtRegisterTest("HostBitsTestSig01", HostBitsTestSig01);
1238  UtRegisterTest("HostBitsTestSig02", HostBitsTestSig02);
1239 #if 0
1240  UtRegisterTest("HostBitsTestSig03", HostBitsTestSig03, 0);
1241 #endif
1242  UtRegisterTest("HostBitsTestSig04", HostBitsTestSig04);
1243  UtRegisterTest("HostBitsTestSig05", HostBitsTestSig05);
1244 #if 0
1245  UtRegisterTest("HostBitsTestSig06", HostBitsTestSig06, 1);
1246 #endif
1247  UtRegisterTest("HostBitsTestSig07", HostBitsTestSig07);
1248  UtRegisterTest("HostBitsTestSig08", HostBitsTestSig08);
1249 }
1250 #endif /* UNITTESTS */
GenericVar_::type
uint8_t type
Definition: util-var.h:49
HostUnlock
void HostUnlock(Host *h)
Definition: host.c:485
Packet_::proto
uint8_t proto
Definition: decode.h:434
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SigTableElmt_::desc
const char * desc
Definition: detect.h:1212
DetectXbitsData_::expire
uint32_t expire
Definition: detect-xbits.h:46
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1104
HostBitToggle
void HostBitToggle(Host *h, uint32_t idx, uint32_t expire)
Definition: host-bit.c:147
StorageInit
void StorageInit(void)
Definition: util-storage.c:67
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1200
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1210
HostBitsRegisterTests
void HostBitsRegisterTests(void)
this function registers unit tests for HostBits
Definition: detect-hostbits.c:1234
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
Packet_::host_src
struct Host_ * host_src
Definition: decode.h:564
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
Packet_::payload
uint8_t * payload
Definition: decode.h:547
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
Packet_::flags
uint32_t flags
Definition: decode.h:447
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-hostbits.c:64
threads.h
Flow_
Flow data structure.
Definition: flow.h:347
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2039
HostInitConfig
void HostInitConfig(char quiet)
initialize the configuration
Definition: host.c:173
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1204
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:766
DetectXbitsData_::cmd
uint8_t cmd
Definition: detect-xbits.h:44
HostGetHostFromHash
Host * HostGetHostFromHash(Address *a)
Definition: host.c:499
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2093
StorageCleanup
void StorageCleanup(void)
Definition: util-storage.c:75
SCSigSignatureOrderingModuleCleanup
void SCSigSignatureOrderingModuleCleanup(DetectEngineCtx *de_ctx)
De-registers all the signature ordering functions registered.
Definition: detect-engine-sigorder.c:803
flow-bit.h
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:219
util-var-name.h
DETECT_XBITS_TRACK_IPDST
#define DETECT_XBITS_TRACK_IPDST
Definition: detect-xbits.h:36
DE_QUIET
#define DE_QUIET
Definition: detect.h:293
DetectHostbitsRegister
void DetectHostbitsRegister(void)
Definition: detect-hostbits.c:78
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:39
Packet_::host_dst
struct Host_ * host_dst
Definition: decode.h:565
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:443
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1195
HostBitInitCtx
void HostBitInitCtx(void)
Definition: host-bit.c:49
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:548
DetectXbitsData_
Definition: detect-xbits.h:42
HostBitIsset
int HostBitIsset(Host *h, uint32_t idx, uint32_t ts)
Definition: host-bit.c:157
util-unittest.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
Definition: util-unittest.h:82
DETECT_HOSTBITS
@ DETECT_HOSTBITS
Definition: detect-engine-register.h:88
Signature_::next
struct Signature_ * next
Definition: detect.h:599
DETECT_SM_LIST_POSTMATCH
@ DETECT_SM_LIST_POSTMATCH
Definition: detect.h:98
DetectXbitMatchHost
int DetectXbitMatchHost(Packet *p, const DetectXbitsData *xd)
Definition: detect-hostbits.c:245
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
DETECT_XBITS_CMD_ISNOTSET
#define DETECT_XBITS_CMD_ISNOTSET
Definition: detect-xbits.h:30
HostBitIsnotset
int HostBitIsnotset(Host *h, uint32_t idx, uint32_t ts)
Definition: host-bit.c:170
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
GenericVar_::next
struct GenericVar_ * next
Definition: util-var.h:52
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1009
SCSigOrderSignatures
void SCSigOrderSignatures(DetectEngineCtx *de_ctx)
Orders the signatures.
Definition: detect-engine-sigorder.c:723
SC_ERR_UNKNOWN_VALUE
@ SC_ERR_UNKNOWN_VALUE
Definition: util-error.h:159
HostBitUnset
void HostBitUnset(Host *h, uint32_t idx)
Definition: host-bit.c:139
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2476
HostCleanup
void HostCleanup(void)
Cleanup the host engine.
Definition: host.c:343
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
SCSigRegisterSignatureOrderingFuncs
void SCSigRegisterSignatureOrderingFuncs(DetectEngineCtx *de_ctx)
Lets you register the Signature ordering functions. The order in which the functions are registered,...
Definition: detect-engine-sigorder.c:783
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:89
SIZE_OF_PACKET
#define SIZE_OF_PACKET
Definition: decode.h:625
HostHasHostBits
int HostHasHostBits(Host *host)
Definition: host-bit.c:58
app-layer-parser.h
HostLock
void HostLock(Host *h)
Definition: host.c:480
TRUE
#define TRUE
Definition: suricata-common.h:33
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:322
GenericVar_::idx
uint32_t idx
Definition: util-var.h:51
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1688
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1943
DetectXbitsData_::type
enum VarTypes type
Definition: detect-xbits.h:48
HostBitSet
void HostBitSet(Host *h, uint32_t idx, uint32_t expire)
Definition: host-bit.c:131
Signature_::flags
uint32_t flags
Definition: detect.h:528
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options, int *ovector, int ovector_size)
Definition: detect-parse.c:2406
Packet_
Definition: decode.h:412
StorageFinalize
int StorageFinalize(void)
Definition: util-storage.c:139
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1178
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:217
Flow_::flowvar
GenericVar * flowvar
Definition: flow.h:486
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1878
SigMatch_::type
uint8_t type
Definition: detect.h:320
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:314
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2344
Packet_::flow
struct Flow_ * flow
Definition: decode.h:449
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2797
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
Packet_::ts
struct timeval ts
Definition: decode.h:455
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3005
GenericVar_
Definition: util-var.h:48
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectParseRegex_
Definition: detect-parse.h:42
util-spm.h
DetectXbitsData_::idx
uint32_t idx
Definition: detect-xbits.h:43
VarNameStoreSetupAdd
uint32_t VarNameStoreSetupAdd(const char *name, const enum VarTypes type)
add to staging or return existing id if already in there
Definition: util-var-name.c:323
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:772
SIG_FLAG_NOALERT
#define SIG_FLAG_NOALERT
Definition: detect.h:216
detect-hostbits.h
SC_ERR_UNIMPLEMENTED
@ SC_ERR_UNIMPLEMENTED
Definition: util-error.h:118
VAR_TYPE_HOST_BIT
@ VAR_TYPE_HOST_BIT
Definition: util-var.h:39
detect-engine-sigorder.h
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
DetectXbitsData_::tracker
uint8_t tracker
Definition: detect-xbits.h:45
str
#define str(s)
Definition: suricata-common.h:273
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DETECT_XBITS_TRACK_IPSRC
#define DETECT_XBITS_TRACK_IPSRC
Definition: detect-xbits.h:35
detect-parse.h
Signature_
Signature container.
Definition: detect.h:527
SigMatch_
a single match condition for a signature
Definition: detect.h:319
FAIL
#define FAIL
Fail a test.
Definition: util-unittest.h:60
DETECT_XBITS_CMD_NOALERT
#define DETECT_XBITS_CMD_NOALERT
Definition: detect-xbits.h:32
DETECT_XBITS_CMD_ISSET
#define DETECT_XBITS_CMD_ISSET
Definition: detect-xbits.h:31
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2048
HostLookupHostFromHash
Host * HostLookupHostFromHash(Address *a)
look up a host in the hash
Definition: host.c:598
Address_::family
char family
Definition: decode.h:115
Packet_::dst
Address dst
Definition: decode.h:417
DETECT_XBITS_CMD_SET
#define DETECT_XBITS_CMD_SET
Definition: detect-xbits.h:27
DetectHostbitFree
void DetectHostbitFree(DetectEngineCtx *, void *)
Definition: detect-hostbits.c:440
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:767
DETECT_XBITS_CMD_TOGGLE
#define DETECT_XBITS_CMD_TOGGLE
Definition: detect-xbits.h:28
flow.h
DETECT_XBITS_CMD_UNSET
#define DETECT_XBITS_CMD_UNSET
Definition: detect-xbits.h:29
GenericVarFree
void GenericVarFree(GenericVar *gv)
Definition: util-var.c:47
SIGMATCH_IPONLY_COMPAT
#define SIGMATCH_IPONLY_COMPAT
Definition: detect.h:1381
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:130
Packet_::src
Address src
Definition: decode.h:416
host-bit.h
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1202