suricata
detect-hostbits.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2010 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Implements the hostbits keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 #include "detect.h"
29 #include "threads.h"
30 #include "flow.h"
31 #include "flow-util.h"
32 #include "detect-hostbits.h"
33 #include "util-spm.h"
34 
35 #include "detect-engine-sigorder.h"
36 
37 #include "app-layer-parser.h"
38 
39 #include "detect-parse.h"
40 #include "detect-engine.h"
41 #include "detect-engine-mpm.h"
42 #include "detect-engine-state.h"
43 
44 #include "flow-bit.h"
45 #include "host-bit.h"
46 #include "util-var-name.h"
47 #include "util-unittest.h"
48 #include "util-debug.h"
49 
50 /*
51  hostbits:isset,bitname;
52  hostbits:set,bitname;
53 
54  hostbits:set,bitname,src;
55  hostbits:set,bitname,dst;
56 TODO:
57  hostbits:set,bitname,both;
58 
59  hostbits:set,bitname,src,3600;
60  hostbits:set,bitname,dst,60;
61  hostbits:set,bitname,both,120;
62  */
63 
64 #define PARSE_REGEX "([a-z]+)" /* Action */ \
65  "(?:\\s*,\\s*([^\\s,]+))?(?:\\s*)?" /* Name. */ \
66  "(?:\\s*,\\s*([^,\\s]+))?(?:\\s*)?" /* Direction. */ \
67  "(.+)?" /* Any remainding data. */
68 static pcre *parse_regex;
69 static pcre_extra *parse_regex_study;
70 
71 static int DetectHostbitMatch (ThreadVars *, DetectEngineThreadCtx *, Packet *,
72  const Signature *, const SigMatchCtx *);
73 static int DetectHostbitSetup (DetectEngineCtx *, Signature *, const char *);
74 void DetectHostbitFree (void *);
75 void HostBitsRegisterTests(void);
76 
77 void DetectHostbitsRegister (void)
78 {
79  sigmatch_table[DETECT_HOSTBITS].name = "hostbits";
80  sigmatch_table[DETECT_HOSTBITS].desc = "operate on host flag";
81 // sigmatch_table[DETECT_HOSTBITS].url = DOC_URL DOC_VERSION "/rules/flow-keywords.html#flowbits";
82  sigmatch_table[DETECT_HOSTBITS].Match = DetectHostbitMatch;
83  sigmatch_table[DETECT_HOSTBITS].Setup = DetectHostbitSetup;
84  sigmatch_table[DETECT_HOSTBITS].Free = DetectHostbitFree;
85  sigmatch_table[DETECT_HOSTBITS].RegisterTests = HostBitsRegisterTests;
86  /* this is compatible to ip-only signatures */
87  sigmatch_table[DETECT_HOSTBITS].flags |= SIGMATCH_IPONLY_COMPAT;
88 
89  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
90 }
91 
92 static int DetectHostbitMatchToggle (Packet *p, const DetectXbitsData *fd)
93 {
94  switch (fd->tracker) {
95  case DETECT_XBITS_TRACK_IPSRC:
96  if (p->host_src == NULL) {
97  p->host_src = HostGetHostFromHash(&p->src);
98  if (p->host_src == NULL)
99  return 0;
100  }
101  else
102  HostLock(p->host_src);
103 
104  HostBitToggle(p->host_src,fd->idx,p->ts.tv_sec + fd->expire);
105  HostUnlock(p->host_src);
106  break;
107  case DETECT_XBITS_TRACK_IPDST:
108  if (p->host_dst == NULL) {
109  p->host_dst = HostGetHostFromHash(&p->dst);
110  if (p->host_dst == NULL)
111  return 0;
112  }
113  else
114  HostLock(p->host_dst);
115 
116  HostBitToggle(p->host_dst,fd->idx,p->ts.tv_sec + fd->expire);
117  HostUnlock(p->host_dst);
118  break;
119  }
120  return 1;
121 }
122 
123 /* return true even if bit not found */
124 static int DetectHostbitMatchUnset (Packet *p, const DetectXbitsData *fd)
125 {
126  switch (fd->tracker) {
127  case DETECT_XBITS_TRACK_IPSRC:
128  if (p->host_src == NULL) {
129  p->host_src = HostLookupHostFromHash(&p->src);
130  if (p->host_src == NULL)
131  return 1;
132  } else
133  HostLock(p->host_src);
134 
135  HostBitUnset(p->host_src,fd->idx);
136  HostUnlock(p->host_src);
137  break;
138  case DETECT_XBITS_TRACK_IPDST:
139  if (p->host_dst == NULL) {
140  p->host_dst = HostLookupHostFromHash(&p->dst);
141  if (p->host_dst == NULL)
142  return 1;
143  } else
144  HostLock(p->host_dst);
145 
146  HostBitUnset(p->host_dst,fd->idx);
147  HostUnlock(p->host_dst);
148  break;
149  }
150  return 1;
151 }
152 
153 static int DetectHostbitMatchSet (Packet *p, const DetectXbitsData *fd)
154 {
155  switch (fd->tracker) {
156  case DETECT_XBITS_TRACK_IPSRC:
157  if (p->host_src == NULL) {
158  p->host_src = HostGetHostFromHash(&p->src);
159  if (p->host_src == NULL)
160  return 0;
161  } else
162  HostLock(p->host_src);
163 
164  HostBitSet(p->host_src,fd->idx,p->ts.tv_sec + fd->expire);
165  HostUnlock(p->host_src);
166  break;
167  case DETECT_XBITS_TRACK_IPDST:
168  if (p->host_dst == NULL) {
169  p->host_dst = HostGetHostFromHash(&p->dst);
170  if (p->host_dst == NULL)
171  return 0;
172  } else
173  HostLock(p->host_dst);
174 
175  HostBitSet(p->host_dst,fd->idx, p->ts.tv_sec + fd->expire);
176  HostUnlock(p->host_dst);
177  break;
178  }
179  return 1;
180 }
181 
182 static int DetectHostbitMatchIsset (Packet *p, const DetectXbitsData *fd)
183 {
184  int r = 0;
185  switch (fd->tracker) {
186  case DETECT_XBITS_TRACK_IPSRC:
187  if (p->host_src == NULL) {
188  p->host_src = HostLookupHostFromHash(&p->src);
189  if (p->host_src == NULL)
190  return 0;
191  } else
192  HostLock(p->host_src);
193 
194  r = HostBitIsset(p->host_src,fd->idx, p->ts.tv_sec);
195  HostUnlock(p->host_src);
196  return r;
197  case DETECT_XBITS_TRACK_IPDST:
198  if (p->host_dst == NULL) {
199  p->host_dst = HostLookupHostFromHash(&p->dst);
200  if (p->host_dst == NULL)
201  return 0;
202  } else
203  HostLock(p->host_dst);
204 
205  r = HostBitIsset(p->host_dst,fd->idx, p->ts.tv_sec);
206  HostUnlock(p->host_dst);
207  return r;
208  }
209  return 0;
210 }
211 
212 static int DetectHostbitMatchIsnotset (Packet *p, const DetectXbitsData *fd)
213 {
214  int r = 0;
215  switch (fd->tracker) {
216  case DETECT_XBITS_TRACK_IPSRC:
217  if (p->host_src == NULL) {
218  p->host_src = HostLookupHostFromHash(&p->src);
219  if (p->host_src == NULL)
220  return 1;
221  } else
222  HostLock(p->host_src);
223 
224  r = HostBitIsnotset(p->host_src,fd->idx, p->ts.tv_sec);
225  HostUnlock(p->host_src);
226  return r;
227  case DETECT_XBITS_TRACK_IPDST:
228  if (p->host_dst == NULL) {
229  p->host_dst = HostLookupHostFromHash(&p->dst);
230  if (p->host_dst == NULL)
231  return 1;
232  } else
233  HostLock(p->host_dst);
234 
235  r = HostBitIsnotset(p->host_dst,fd->idx, p->ts.tv_sec);
236  HostUnlock(p->host_dst);
237  return r;
238  }
239  return 0;
240 }
241 
242 int DetectXbitMatchHost(Packet *p, const DetectXbitsData *xd)
243 {
244  switch (xd->cmd) {
245  case DETECT_XBITS_CMD_ISSET:
246  return DetectHostbitMatchIsset(p,xd);
247  case DETECT_XBITS_CMD_ISNOTSET:
248  return DetectHostbitMatchIsnotset(p,xd);
249  case DETECT_XBITS_CMD_SET:
250  return DetectHostbitMatchSet(p,xd);
251  case DETECT_XBITS_CMD_UNSET:
252  return DetectHostbitMatchUnset(p,xd);
253  case DETECT_XBITS_CMD_TOGGLE:
254  return DetectHostbitMatchToggle(p,xd);
255  default:
256  SCLogError(SC_ERR_UNKNOWN_VALUE, "unknown cmd %" PRIu32 "", xd->cmd);
257  return 0;
258  }
259 
260  return 0;
261 }
262 
263 /*
264  * returns 0: no match
265  * 1: match
266  * -1: error
267  */
268 
269 static int DetectHostbitMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p,
270  const Signature *s, const SigMatchCtx *ctx)
271 {
272  const DetectXbitsData *xd = (const DetectXbitsData *)ctx;
273  if (xd == NULL)
274  return 0;
275 
276  return DetectXbitMatchHost(p, xd);
277 }
278 
279 static int DetectHostbitParse(const char *str, char *cmd, int cmd_len,
280  char *name, int name_len, char *dir, int dir_len)
281 {
282  const int max_substrings = 30;
283  int count, rc;
284  int ov[max_substrings];
285 
286  count = pcre_exec(parse_regex, parse_regex_study, str, strlen(str), 0, 0,
287  ov, max_substrings);
288  if (count != 2 && count != 3 && count != 4) {
289  SCLogError(SC_ERR_PCRE_MATCH,
290  "\"%s\" is not a valid setting for hostbits.", str);
291  return 0;
292  }
293 
294  rc = pcre_copy_substring((char *)str, ov, max_substrings, 1, cmd, cmd_len);
295  if (rc < 0) {
296  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
297  return 0;
298  }
299 
300  if (count >= 3) {
301  rc = pcre_copy_substring((char *)str, ov, max_substrings, 2, name,
302  name_len);
303  if (rc < 0) {
304  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
305  return 0;
306  }
307  if (count >= 4) {
308  rc = pcre_copy_substring((char *)str, ov, max_substrings, 3, dir,
309  dir_len);
310  if (rc < 0) {
311  SCLogError(SC_ERR_PCRE_GET_SUBSTRING,
312  "pcre_copy_substring failed");
313  return 0;
314  }
315  }
316  }
317 
318  return 1;
319 }
320 
321 int DetectHostbitSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
322 {
323  DetectXbitsData *cd = NULL;
324  SigMatch *sm = NULL;
325  uint8_t fb_cmd = 0;
326  uint8_t hb_dir = 0;
327  char fb_cmd_str[16] = "", fb_name[256] = "";
328  char hb_dir_str[16] = "";
329 
330  if (!DetectHostbitParse(rawstr, fb_cmd_str, sizeof(fb_cmd_str),
331  fb_name, sizeof(fb_name), hb_dir_str, sizeof(hb_dir_str))) {
332  return -1;
333  }
334 
335  if (strlen(hb_dir_str) > 0) {
336  if (strcmp(hb_dir_str, "src") == 0)
337  hb_dir = DETECT_XBITS_TRACK_IPSRC;
338  else if (strcmp(hb_dir_str, "dst") == 0)
339  hb_dir = DETECT_XBITS_TRACK_IPDST;
340  else if (strcmp(hb_dir_str, "both") == 0) {
341  //hb_dir = DETECT_XBITS_TRACK_IPBOTH;
342  SCLogError(SC_ERR_UNIMPLEMENTED, "'both' not implemented");
343  goto error;
344  } else {
345  // TODO
346  goto error;
347  }
348  }
349 
350  if (strcmp(fb_cmd_str,"noalert") == 0) {
351  fb_cmd = DETECT_XBITS_CMD_NOALERT;
352  } else if (strcmp(fb_cmd_str,"isset") == 0) {
353  fb_cmd = DETECT_XBITS_CMD_ISSET;
354  } else if (strcmp(fb_cmd_str,"isnotset") == 0) {
355  fb_cmd = DETECT_XBITS_CMD_ISNOTSET;
356  } else if (strcmp(fb_cmd_str,"set") == 0) {
357  fb_cmd = DETECT_XBITS_CMD_SET;
358  } else if (strcmp(fb_cmd_str,"unset") == 0) {
359  fb_cmd = DETECT_XBITS_CMD_UNSET;
360  } else if (strcmp(fb_cmd_str,"toggle") == 0) {
361  fb_cmd = DETECT_XBITS_CMD_TOGGLE;
362  } else {
363  SCLogError(SC_ERR_UNKNOWN_VALUE, "ERROR: flowbits action \"%s\" is not supported.", fb_cmd_str);
364  goto error;
365  }
366 
367  switch (fb_cmd) {
368  case DETECT_XBITS_CMD_NOALERT:
369  if (strlen(fb_name) != 0)
370  goto error;
371  s->flags |= SIG_FLAG_NOALERT;
372  return 0;
373  case DETECT_XBITS_CMD_ISNOTSET:
374  case DETECT_XBITS_CMD_ISSET:
375  case DETECT_XBITS_CMD_SET:
376  case DETECT_XBITS_CMD_UNSET:
377  case DETECT_XBITS_CMD_TOGGLE:
378  default:
379  if (strlen(fb_name) == 0)
380  goto error;
381  break;
382  }
383 
384  cd = SCMalloc(sizeof(DetectXbitsData));
385  if (unlikely(cd == NULL))
386  goto error;
387 
388  cd->idx = VarNameStoreSetupAdd(fb_name, VAR_TYPE_HOST_BIT);
389  cd->cmd = fb_cmd;
390  cd->tracker = hb_dir;
391  cd->type = VAR_TYPE_HOST_BIT;
392  cd->expire = 300;
393 
394  SCLogDebug("idx %" PRIu32 ", cmd %s, name %s",
395  cd->idx, fb_cmd_str, strlen(fb_name) ? fb_name : "(none)");
396 
397  /* Okay so far so good, lets get this into a SigMatch
398  * and put it in the Signature. */
399  sm = SigMatchAlloc();
400  if (sm == NULL)
401  goto error;
402 
403  sm->type = DETECT_HOSTBITS;
404  sm->ctx = (void *)cd;
405 
406  switch (fb_cmd) {
407  /* case DETECT_XBITS_CMD_NOALERT can't happen here */
408 
409  case DETECT_XBITS_CMD_ISNOTSET:
410  case DETECT_XBITS_CMD_ISSET:
411  /* checks, so packet list */
412  SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_MATCH);
413  break;
414 
415  case DETECT_XBITS_CMD_SET:
416  case DETECT_XBITS_CMD_UNSET:
417  case DETECT_XBITS_CMD_TOGGLE:
418  /* modifiers, only run when entire sig has matched */
419  SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_POSTMATCH);
420  break;
421 
422  // suppress coverity warning as scan-build-7 warns w/o this.
423  // coverity[deadcode : FALSE]
424  default:
425  goto error;
426  }
427 
428  return 0;
429 
430 error:
431  if (cd != NULL)
432  SCFree(cd);
433  if (sm != NULL)
434  SCFree(sm);
435  return -1;
436 }
437 
438 void DetectHostbitFree (void *ptr)
439 {
440  DetectXbitsData *fd = (DetectXbitsData *)ptr;
441 
442  if (fd == NULL)
443  return;
444 
445  SCFree(fd);
446 }
447 
448 #ifdef UNITTESTS
449 
450 static void HostBitsTestSetup(void)
451 {
452  StorageInit();
453  HostBitInitCtx();
454  StorageFinalize();
455  HostInitConfig(TRUE);
456 }
457 
458 static void HostBitsTestShutdown(void)
459 {
460  HostCleanup();
461  StorageCleanup();
462 }
463 
464 static int HostBitsTestParse01(void)
465 {
466  char cmd[16] = "", name[256] = "", dir[16] = "";
467 
468  /* No direction. */
469  FAIL_IF(!DetectHostbitParse("isset,name", cmd, sizeof(cmd), name,
470  sizeof(name), dir, sizeof(dir)));
471  FAIL_IF(strcmp(cmd, "isset") != 0);
472  FAIL_IF(strcmp(name, "name") != 0);
473  FAIL_IF(strlen(dir));
474 
475  /* No direction, leading space. */
476  *cmd = '\0';
477  *name = '\0';
478  *dir = '\0';
479  FAIL_IF(!DetectHostbitParse("isset, name", cmd, sizeof(cmd), name,
480  sizeof(name), dir, sizeof(dir)));
481  FAIL_IF(strcmp(cmd, "isset") != 0);
482  FAIL_IF(strcmp(name, "name") != 0);
483 
484  /* No direction, trailing space. */
485  *cmd = '\0';
486  *name = '\0';
487  *dir = '\0';
488  FAIL_IF(!DetectHostbitParse("isset,name ", cmd, sizeof(cmd), name,
489  sizeof(name), dir, sizeof(dir)));
490  FAIL_IF(strcmp(cmd, "isset") != 0);
491  FAIL_IF(strcmp(name, "name") != 0);
492 
493  /* No direction, leading and trailing space. */
494  *cmd = '\0';
495  *name = '\0';
496  *dir = '\0';
497  FAIL_IF(!DetectHostbitParse("isset, name ", cmd, sizeof(cmd), name,
498  sizeof(name), dir, sizeof(dir)));
499  FAIL_IF(strcmp(cmd, "isset") != 0);
500  FAIL_IF(strcmp(name, "name") != 0);
501 
502  /* With direction. */
503  *cmd = '\0';
504  *name = '\0';
505  *dir = '\0';
506  FAIL_IF(!DetectHostbitParse("isset,name,src", cmd, sizeof(cmd), name,
507  sizeof(name), dir, sizeof(dir)));
508  FAIL_IF(strcmp(cmd, "isset") != 0);
509  FAIL_IF(strcmp(name, "name") != 0);
510  FAIL_IF(strcmp(dir, "src") != 0);
511 
512  /* With direction - leading and trailing spaces on name. */
513  *cmd = '\0';
514  *name = '\0';
515  *dir = '\0';
516  FAIL_IF(!DetectHostbitParse("isset, name ,src", cmd, sizeof(cmd), name,
517  sizeof(name), dir, sizeof(dir)));
518  FAIL_IF(strcmp(cmd, "isset") != 0);
519  FAIL_IF(strcmp(name, "name") != 0);
520  FAIL_IF(strcmp(dir, "src") != 0);
521 
522  /* With direction - space around direction. */
523  *cmd = '\0';
524  *name = '\0';
525  *dir = '\0';
526  FAIL_IF(!DetectHostbitParse("isset, name , src ", cmd, sizeof(cmd), name,
527  sizeof(name), dir, sizeof(dir)));
528  FAIL_IF(strcmp(cmd, "isset") != 0);
529  FAIL_IF(strcmp(name, "name") != 0);
530  FAIL_IF(strcmp(dir, "src") != 0);
531 
532  /* Name with space, no direction - should fail. */
533  *cmd = '\0';
534  *name = '\0';
535  *dir = '\0';
536  FAIL_IF(DetectHostbitParse("isset, name withspace ", cmd, sizeof(cmd), name,
537  sizeof(name), dir, sizeof(dir)));
538 
539  PASS;
540 }
541 
542 /**
543  * \test HostBitsTestSig01 is a test for a valid noalert flowbits option
544  *
545  * \retval 1 on succces
546  * \retval 0 on failure
547  */
548 
549 static int HostBitsTestSig01(void)
550 {
551  uint8_t *buf = (uint8_t *)
552  "GET /one/ HTTP/1.1\r\n"
553  "Host: one.example.org\r\n"
554  "\r\n";
555  uint16_t buflen = strlen((char *)buf);
556  Packet *p = SCMalloc(SIZE_OF_PACKET);
557  FAIL_IF_NULL(p);
558  Signature *s = NULL;
559  ThreadVars th_v;
560  DetectEngineThreadCtx *det_ctx = NULL;
561  DetectEngineCtx *de_ctx = NULL;
562 
563  memset(&th_v, 0, sizeof(th_v));
564  memset(p, 0, SIZE_OF_PACKET);
565  p->src.family = AF_INET;
566  p->dst.family = AF_INET;
567  p->payload = buf;
568  p->payload_len = buflen;
569  p->proto = IPPROTO_TCP;
570 
571  HostBitsTestSetup();
572 
573  de_ctx = DetectEngineCtxInit();
574  FAIL_IF_NULL(de_ctx);
575 
576  de_ctx->flags |= DE_QUIET;
577 
578  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (hostbits:set,abc; content:\"GET \"; sid:1;)");
579  FAIL_IF_NULL(s);
580 
581  SigGroupBuild(de_ctx);
582  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
583 
584  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
585 
586  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
587  DetectEngineCtxFree(de_ctx);
588  HostBitsTestShutdown();
589 
590  SCFree(p);
591  PASS;
592 }
593 
594 /**
595  * \test various options
596  *
597  * \retval 1 on succces
598  * \retval 0 on failure
599  */
600 
601 static int HostBitsTestSig02(void)
602 {
603  Signature *s = NULL;
604  ThreadVars th_v;
605  DetectEngineCtx *de_ctx = NULL;
606 
607  memset(&th_v, 0, sizeof(th_v));
608 
609  de_ctx = DetectEngineCtxInit();
610  FAIL_IF_NULL(de_ctx);
611 
612  de_ctx->flags |= DE_QUIET;
613 
614  s = DetectEngineAppendSig(de_ctx,
615  "alert ip any any -> any any (hostbits:isset,abc,src; content:\"GET \"; sid:1;)");
616  FAIL_IF_NULL(s);
617 
618  s = DetectEngineAppendSig(de_ctx,
619  "alert ip any any -> any any (hostbits:isnotset,abc,dst; content:\"GET \"; sid:2;)");
620  FAIL_IF_NULL(s);
621 
622 /* TODO reenable after both is supported
623  s = DetectEngineAppendSig(de_ctx,
624  "alert ip any any -> any any (hostbits:set,abc,both; content:\"GET \"; sid:3;)");
625  FAIL_IF_NULL(s);
626 */
627  s = DetectEngineAppendSig(de_ctx,
628  "alert ip any any -> any any (hostbits:unset,abc,src; content:\"GET \"; sid:4;)");
629  FAIL_IF_NULL(s);
630 
631  s = DetectEngineAppendSig(de_ctx,
632  "alert ip any any -> any any (hostbits:toggle,abc,dst; content:\"GET \"; sid:5;)");
633  FAIL_IF_NULL(s);
634 
635  DetectEngineCtxFree(de_ctx);
636  PASS;
637 }
638 
639 #if 0
640 /**
641  * \test HostBitsTestSig03 is a test for a invalid flowbits option
642  *
643  * \retval 1 on succces
644  * \retval 0 on failure
645  */
646 
647 static int HostBitsTestSig03(void)
648 {
649  uint8_t *buf = (uint8_t *)
650  "GET /one/ HTTP/1.1\r\n"
651  "Host: one.example.org\r\n"
652  "\r\n";
653  uint16_t buflen = strlen((char *)buf);
654  Packet *p = SCMalloc(SIZE_OF_PACKET);
655  if (unlikely(p == NULL))
656  return 0;
657  Signature *s = NULL;
658  ThreadVars th_v;
659  DetectEngineThreadCtx *det_ctx = NULL;
660  DetectEngineCtx *de_ctx = NULL;
661  int result = 0;
662 
663  memset(&th_v, 0, sizeof(th_v));
664  memset(p, 0, SIZE_OF_PACKET);
665  p->src.family = AF_INET;
666  p->dst.family = AF_INET;
667  p->payload = buf;
668  p->payload_len = buflen;
669  p->proto = IPPROTO_TCP;
670 
671  de_ctx = DetectEngineCtxInit();
672 
673  if (de_ctx == NULL) {
674  goto end;
675  }
676 
677  de_ctx->flags |= DE_QUIET;
678 
679  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Unknown cmd\"; flowbits:wrongcmd; content:\"GET \"; sid:1;)");
680 
681  if (s == NULL) {
682  goto end;
683  }
684 
685  SigGroupBuild(de_ctx);
686  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
687 
688  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
689 
690  result = 1;
691 
692  SigGroupCleanup(de_ctx);
693  SigCleanSignatures(de_ctx);
694 
695  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
696  DetectEngineCtxFree(de_ctx);
697 
698 end:
699 
700  if (de_ctx != NULL) {
701  SigGroupCleanup(de_ctx);
702  SigCleanSignatures(de_ctx);
703  }
704 
705  if (det_ctx != NULL) {
706  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
707  }
708 
709  if (de_ctx != NULL) {
710  DetectEngineCtxFree(de_ctx);
711  }
712 
713 
714  SCFree(p);
715  return result;
716 }
717 #endif
718 
719 /**
720  * \test HostBitsTestSig04 is a test check idx value
721  *
722  * \retval 1 on succces
723  * \retval 0 on failure
724  */
725 
726 static int HostBitsTestSig04(void)
727 {
728  uint8_t *buf = (uint8_t *)
729  "GET /one/ HTTP/1.1\r\n"
730  "Host: one.example.org\r\n"
731  "\r\n";
732  uint16_t buflen = strlen((char *)buf);
733  Packet *p = SCMalloc(SIZE_OF_PACKET);
734  if (unlikely(p == NULL))
735  return 0;
736  Signature *s = NULL;
737  ThreadVars th_v;
738  DetectEngineThreadCtx *det_ctx = NULL;
739  DetectEngineCtx *de_ctx = NULL;
740  int idx = 0;
741 
742  memset(&th_v, 0, sizeof(th_v));
743  memset(p, 0, SIZE_OF_PACKET);
744  p->src.family = AF_INET;
745  p->dst.family = AF_INET;
746  p->payload = buf;
747  p->payload_len = buflen;
748  p->proto = IPPROTO_TCP;
749 
750  HostBitsTestSetup();
751 
752  de_ctx = DetectEngineCtxInit();
753  FAIL_IF_NULL(de_ctx);
754 
755  de_ctx->flags |= DE_QUIET;
756 
757  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"isset option\"; hostbits:isset,fbt; content:\"GET \"; sid:1;)");
758  FAIL_IF_NULL(s);
759 
760  idx = VarNameStoreSetupAdd("fbt", VAR_TYPE_HOST_BIT);
761  FAIL_IF(idx != 1);
762 
763  SigGroupBuild(de_ctx);
764  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
765 
766  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
767 
768  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
769  DetectEngineCtxFree(de_ctx);
770  HostBitsTestShutdown();
771 
772  SCFree(p);
773  PASS;
774 }
775 
776 /**
777  * \test HostBitsTestSig05 is a test check noalert flag
778  *
779  * \retval 1 on succces
780  * \retval 0 on failure
781  */
782 
783 static int HostBitsTestSig05(void)
784 {
785  uint8_t *buf = (uint8_t *)
786  "GET /one/ HTTP/1.1\r\n"
787  "Host: one.example.org\r\n"
788  "\r\n";
789  uint16_t buflen = strlen((char *)buf);
790  Packet *p = SCMalloc(SIZE_OF_PACKET);
791  if (unlikely(p == NULL))
792  return 0;
793  Signature *s = NULL;
794  ThreadVars th_v;
795  DetectEngineThreadCtx *det_ctx = NULL;
796  DetectEngineCtx *de_ctx = NULL;
797 
798  memset(&th_v, 0, sizeof(th_v));
799  memset(p, 0, SIZE_OF_PACKET);
800  p->src.family = AF_INET;
801  p->dst.family = AF_INET;
802  p->payload = buf;
803  p->payload_len = buflen;
804  p->proto = IPPROTO_TCP;
805 
806  HostBitsTestSetup();
807 
808  de_ctx = DetectEngineCtxInit();
809  FAIL_IF_NULL(de_ctx);
810 
811  de_ctx->flags |= DE_QUIET;
812 
813  s = de_ctx->sig_list = SigInit(de_ctx,
814  "alert ip any any -> any any (hostbits:noalert; content:\"GET \"; sid:1;)");
815  FAIL_IF_NULL(s);
816  FAIL_IF((s->flags & SIG_FLAG_NOALERT) != SIG_FLAG_NOALERT);
817 
818  SigGroupBuild(de_ctx);
819  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
820 
821  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
822 
823  FAIL_IF(PacketAlertCheck(p, 1));
824 
825  SigGroupCleanup(de_ctx);
826  SigCleanSignatures(de_ctx);
827 
828  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
829  DetectEngineCtxFree(de_ctx);
830 
831  HostBitsTestShutdown();
832 
833  SCFree(p);
834  PASS;
835 }
836 
837 #if 0
838 /**
839  * \test HostBitsTestSig06 is a test set flowbits option
840  *
841  * \retval 1 on succces
842  * \retval 0 on failure
843  */
844 
845 static int HostBitsTestSig06(void)
846 {
847  uint8_t *buf = (uint8_t *)
848  "GET /one/ HTTP/1.1\r\n"
849  "Host: one.example.org\r\n"
850  "\r\n";
851  uint16_t buflen = strlen((char *)buf);
852  Packet *p = SCMalloc(SIZE_OF_PACKET);
853  if (unlikely(p == NULL))
854  return 0;
855  Signature *s = NULL;
856  ThreadVars th_v;
857  DetectEngineThreadCtx *det_ctx = NULL;
858  DetectEngineCtx *de_ctx = NULL;
859  Flow f;
860  GenericVar flowvar, *gv = NULL;
861  int result = 0;
862  int idx = 0;
863 
864  memset(p, 0, SIZE_OF_PACKET);
865  memset(&th_v, 0, sizeof(th_v));
866  memset(&f, 0, sizeof(Flow));
867  memset(&flowvar, 0, sizeof(GenericVar));
868 
869  FLOW_INITIALIZE(&f);
870  p->flow = &f;
871  p->flow->flowvar = &flowvar;
872 
873  p->src.family = AF_INET;
874  p->dst.family = AF_INET;
875  p->payload = buf;
876  p->payload_len = buflen;
877  p->proto = IPPROTO_TCP;
878  p->flags |= PKT_HAS_FLOW;
879  p->flowflags |= FLOW_PKT_TOSERVER;
880 
881  de_ctx = DetectEngineCtxInit();
882 
883  if (de_ctx == NULL) {
884  goto end;
885  }
886 
887  de_ctx->flags |= DE_QUIET;
888 
889  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Flowbit set\"; flowbits:set,myflow; sid:10;)");
890 
891  if (s == NULL) {
892  goto end;
893  }
894 
895  SigGroupBuild(de_ctx);
896  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
897 
898  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
899 
900  idx = VariableNameGetIdx(de_ctx, "myflow", VAR_TYPE_HOST_BIT);
901 
902  gv = p->flow->flowvar;
903 
904  for ( ; gv != NULL; gv = gv->next) {
905  if (gv->type == DETECT_HOSTBITS && gv->idx == idx) {
906  result = 1;
907  }
908  }
909 
910  SigGroupCleanup(de_ctx);
911  SigCleanSignatures(de_ctx);
912 
913  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
914  DetectEngineCtxFree(de_ctx);
915 
916  if(gv) GenericVarFree(gv);
917  FLOW_DESTROY(&f);
918 
919  SCFree(p);
920  return result;
921 end:
922 
923  if (de_ctx != NULL) {
924  SigGroupCleanup(de_ctx);
925  SigCleanSignatures(de_ctx);
926  }
927 
928  if (det_ctx != NULL) {
929  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
930  }
931 
932  if (de_ctx != NULL) {
933  DetectEngineCtxFree(de_ctx);
934  }
935 
936  if(gv) GenericVarFree(gv);
937  FLOW_DESTROY(&f);
938  SCFree(p);
939  return result;
940 }
941 
942 /**
943  * \test HostBitsTestSig07 is a test unset flowbits option
944  *
945  * \retval 1 on succces
946  * \retval 0 on failure
947  */
948 
949 static int HostBitsTestSig07(void)
950 {
951  uint8_t *buf = (uint8_t *)
952  "GET /one/ HTTP/1.1\r\n"
953  "Host: one.example.org\r\n"
954  "\r\n";
955  uint16_t buflen = strlen((char *)buf);
956  Packet *p = SCMalloc(SIZE_OF_PACKET);
957  if (unlikely(p == NULL))
958  return 0;
959  Signature *s = NULL;
960  ThreadVars th_v;
961  DetectEngineThreadCtx *det_ctx = NULL;
962  DetectEngineCtx *de_ctx = NULL;
963  Flow f;
964  GenericVar flowvar, *gv = NULL;
965  int result = 0;
966  int idx = 0;
967 
968  memset(p, 0, SIZE_OF_PACKET);
969  memset(&th_v, 0, sizeof(th_v));
970  memset(&f, 0, sizeof(Flow));
971  memset(&flowvar, 0, sizeof(GenericVar));
972 
973  FLOW_INITIALIZE(&f);
974  p->flow = &f;
975  p->flow->flowvar = &flowvar;
976 
977  p->src.family = AF_INET;
978  p->dst.family = AF_INET;
979  p->payload = buf;
980  p->payload_len = buflen;
981  p->proto = IPPROTO_TCP;
982 
983  de_ctx = DetectEngineCtxInit();
984 
985  if (de_ctx == NULL) {
986  goto end;
987  }
988 
989  de_ctx->flags |= DE_QUIET;
990 
991  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Flowbit set\"; flowbits:set,myflow2; sid:10;)");
992  if (s == NULL) {
993  goto end;
994  }
995 
996  s = s->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Flowbit unset\"; flowbits:unset,myflow2; sid:11;)");
997  if (s == NULL) {
998  goto end;
999  }
1000 
1001  SigGroupBuild(de_ctx);
1002  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1003 
1004  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1005 
1006  idx = VariableNameGetIdx(de_ctx, "myflow", VAR_TYPE_HOST_BIT);
1007 
1008  gv = p->flow->flowvar;
1009 
1010  for ( ; gv != NULL; gv = gv->next) {
1011  if (gv->type == DETECT_HOSTBITS && gv->idx == idx) {
1012  result = 1;
1013  }
1014  }
1015 
1016  SigGroupCleanup(de_ctx);
1017  SigCleanSignatures(de_ctx);
1018 
1019  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1020  DetectEngineCtxFree(de_ctx);
1021 
1022  if(gv) GenericVarFree(gv);
1023  FLOW_DESTROY(&f);
1024 
1025  SCFree(p);
1026  return result;
1027 end:
1028 
1029  if (de_ctx != NULL) {
1030  SigGroupCleanup(de_ctx);
1031  SigCleanSignatures(de_ctx);
1032  }
1033 
1034  if (det_ctx != NULL) {
1035  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1036  }
1037 
1038  if (de_ctx != NULL) {
1039  DetectEngineCtxFree(de_ctx);
1040  }
1041 
1042  if(gv) GenericVarFree(gv);
1043  FLOW_DESTROY(&f);
1044 
1045  SCFree(p);
1046  return result;}
1047 #endif
1048 
1049 /**
1050  * \test set / isset
1051  *
1052  * \retval 1 on succces
1053  * \retval 0 on failure
1054  */
1055 static int HostBitsTestSig07(void)
1056 {
1057  uint8_t *buf = (uint8_t *)
1058  "GET /one/ HTTP/1.1\r\n"
1059  "Host: one.example.org\r\n"
1060  "\r\n";
1061  uint16_t buflen = strlen((char *)buf);
1062  Packet *p = SCMalloc(SIZE_OF_PACKET);
1063  if (unlikely(p == NULL))
1064  return 0;
1065  Signature *s = NULL;
1066  ThreadVars th_v;
1067  DetectEngineThreadCtx *det_ctx = NULL;
1068  DetectEngineCtx *de_ctx = NULL;
1069  Flow f;
1070  int result = 0;
1071 
1072  memset(p, 0, SIZE_OF_PACKET);
1073  memset(&th_v, 0, sizeof(th_v));
1074  memset(&f, 0, sizeof(Flow));
1075 
1076  HostBitsTestSetup();
1077 
1078  FLOW_INITIALIZE(&f);
1079  p->flow = &f;
1080  p->flowflags = FLOW_PKT_TOSERVER;
1081 
1082  p->src.family = AF_INET;
1083  p->dst.family = AF_INET;
1084  p->payload = buf;
1085  p->payload_len = buflen;
1086  p->proto = IPPROTO_TCP;
1087 
1088  de_ctx = DetectEngineCtxInit();
1089  FAIL_IF_NULL(de_ctx);
1090 
1091  de_ctx->flags |= DE_QUIET;
1092 
1093  s = de_ctx->sig_list = SigInit(de_ctx,
1094  "alert ip any any -> any any (hostbits:set,myflow2; sid:10;)");
1095  FAIL_IF_NULL(s);
1096 
1097  s = s->next = SigInit(de_ctx,
1098  "alert ip any any -> any any (hostbits:isset,myflow2; sid:11;)");
1099  FAIL_IF_NULL(s);
1100 
1101  SigGroupBuild(de_ctx);
1102  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1103 
1104  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1105 
1106  SCLogInfo("p->host_src %p", p->host_src);
1107 
1108  if (HostHasHostBits(p->host_src) == 1) {
1109  if (PacketAlertCheck(p, 11)) {
1110  result = 1;
1111  }
1112  }
1113  FAIL_IF_NOT(result);
1114 
1115  SigGroupCleanup(de_ctx);
1116  SigCleanSignatures(de_ctx);
1117 
1118  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1119  DetectEngineCtxFree(de_ctx);
1120 
1121  FLOW_DESTROY(&f);
1122 
1123  HostBitsTestShutdown();
1124  SCFree(p);
1125  PASS;
1126 }
1127 
1128 /**
1129  * \test set / toggle / toggle / isset
1130  *
1131  * \retval 1 on succces
1132  * \retval 0 on failure
1133  */
1134 static int HostBitsTestSig08(void)
1135 {
1136  uint8_t *buf = (uint8_t *)
1137  "GET /one/ HTTP/1.1\r\n"
1138  "Host: one.example.org\r\n"
1139  "\r\n";
1140  uint16_t buflen = strlen((char *)buf);
1141  Packet *p = SCMalloc(SIZE_OF_PACKET);
1142  if (unlikely(p == NULL))
1143  return 0;
1144  Signature *s = NULL;
1145  ThreadVars th_v;
1146  DetectEngineThreadCtx *det_ctx = NULL;
1147  DetectEngineCtx *de_ctx = NULL;
1148  Flow f;
1149 
1150  memset(p, 0, SIZE_OF_PACKET);
1151  memset(&th_v, 0, sizeof(th_v));
1152  memset(&f, 0, sizeof(Flow));
1153 
1154  HostBitsTestSetup();
1155 
1156  FLOW_INITIALIZE(&f);
1157  p->flow = &f;
1158 
1159  p->src.family = AF_INET;
1160  p->dst.family = AF_INET;
1161  p->payload = buf;
1162  p->payload_len = buflen;
1163  p->proto = IPPROTO_TCP;
1164 
1165  de_ctx = DetectEngineCtxInit();
1166  FAIL_IF_NULL(de_ctx);
1167 
1168  de_ctx->flags |= DE_QUIET;
1169 
1170  s = DetectEngineAppendSig(de_ctx,
1171  "alert ip any any -> any any (hostbits:set,myflow2; sid:10;)");
1172  FAIL_IF_NULL(s);
1173  s = DetectEngineAppendSig(de_ctx,
1174  "alert ip any any -> any any (hostbits:toggle,myflow2; sid:11;)");
1175  FAIL_IF_NULL(s);
1176  s = DetectEngineAppendSig(de_ctx,
1177  "alert ip any any -> any any (hostbits:toggle,myflow2; sid:12;)");
1178  FAIL_IF_NULL(s);
1179  s = DetectEngineAppendSig(de_ctx,
1180  "alert ip any any -> any any (hostbits:isset,myflow2; sid:13;)");
1181  FAIL_IF_NULL(s);
1182 
1183  SCSigRegisterSignatureOrderingFuncs(de_ctx);
1184  SCSigOrderSignatures(de_ctx);
1185  SCSigSignatureOrderingModuleCleanup(de_ctx);
1186 
1187  SigGroupBuild(de_ctx);
1188  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1189 
1190  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1191 
1192  SCLogInfo("p->host_src %p", p->host_src);
1193 
1194  if (HostHasHostBits(p->host_src) == 1) {
1195  if (PacketAlertCheck(p, 10)) {
1196  SCLogInfo("sid 10 matched");
1197  }
1198  if (PacketAlertCheck(p, 11)) {
1199  SCLogInfo("sid 11 matched");
1200  }
1201  if (PacketAlertCheck(p, 12)) {
1202  SCLogInfo("sid 12 matched");
1203  }
1204  if (PacketAlertCheck(p, 13)) {
1205  SCLogInfo("sid 13 matched");
1206  } else {
1207  FAIL;
1208  }
1209  }
1210 
1211  SigGroupCleanup(de_ctx);
1212  SigCleanSignatures(de_ctx);
1213 
1214  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1215  DetectEngineCtxFree(de_ctx);
1216 
1217  FLOW_DESTROY(&f);
1218 
1219  HostBitsTestShutdown();
1220 
1221  SCFree(p);
1222  PASS;
1223 }
1224 #endif /* UNITTESTS */
1225 
1226 /**
1227  * \brief this function registers unit tests for HostBits
1228  */
1229 void HostBitsRegisterTests(void)
1230 {
1231 #ifdef UNITTESTS
1232  UtRegisterTest("HostBitsTestParse01", HostBitsTestParse01);
1233  UtRegisterTest("HostBitsTestSig01", HostBitsTestSig01);
1234  UtRegisterTest("HostBitsTestSig02", HostBitsTestSig02);
1235 #if 0
1236  UtRegisterTest("HostBitsTestSig03", HostBitsTestSig03, 0);
1237 #endif
1238  UtRegisterTest("HostBitsTestSig04", HostBitsTestSig04);
1239  UtRegisterTest("HostBitsTestSig05", HostBitsTestSig05);
1240 #if 0
1241  UtRegisterTest("HostBitsTestSig06", HostBitsTestSig06, 1);
1242 #endif
1243  UtRegisterTest("HostBitsTestSig07", HostBitsTestSig07);
1244  UtRegisterTest("HostBitsTestSig08", HostBitsTestSig08);
1245 #endif /* UNITTESTS */
1246 }
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2190
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1403
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1146
GenericVar_::type
uint8_t type
Definition: util-var.h:49
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:335
HostCleanup
void HostCleanup(void)
Cleanup the host engine.
Definition: host.c:344
Packet_::flow
struct Flow_ * flow
Definition: decode.h:444
HostBitInitCtx
void HostBitInitCtx(void)
Definition: host-bit.c:49
StorageFinalize
int StorageFinalize(void)
Definition: util-storage.c:139
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
Signature_::flags
uint32_t flags
Definition: detect.h:493
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:1910
HostBitIsset
int HostBitIsset(Host *h, uint32_t idx, uint32_t ts)
Definition: host-bit.c:158
HostBitIsnotset
int HostBitIsnotset(Host *h, uint32_t idx, uint32_t ts)
Definition: host-bit.c:171
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:726
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
Packet_::dst
Address dst
Definition: decode.h:412
DetectXbitsData_::idx
uint32_t idx
Definition: detect-xbits.h:43
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:39
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2383
SigTableElmt_::name
const char * name
Definition: detect.h:1160
GenericVar_::idx
uint32_t idx
Definition: util-var.h:51
HostBitToggle
void HostBitToggle(Host *h, uint32_t idx, uint32_t expire)
Definition: host-bit.c:148
Signature_
Signature container.
Definition: detect.h:492
HostHasHostBits
int HostHasHostBits(Host *host)
Definition: host-bit.c:59
TRUE
#define TRUE
Definition: suricata-common.h:33
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:319
DetectXbitMatchHost
int DetectXbitMatchHost(Packet *p, const DetectXbitsData *xd)
Definition: detect-hostbits.c:242
HostBitSet
void HostBitSet(Host *h, uint32_t idx, uint32_t expire)
Definition: host-bit.c:132
SCSigOrderSignatures
void SCSigOrderSignatures(DetectEngineCtx *de_ctx)
Orders the signatures.
Definition: detect-engine-sigorder.c:723
Packet_::host_src
struct Host_ * host_src
Definition: decode.h:562
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:720
HostInitConfig
void HostInitConfig(char quiet)
initialize the configuration
Definition: host.c:168
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:2591
DETECT_XBITS_TRACK_IPSRC
#define DETECT_XBITS_TRACK_IPSRC
Definition: detect-xbits.h:35
SCSigRegisterSignatureOrderingFuncs
void SCSigRegisterSignatureOrderingFuncs(DetectEngineCtx *de_ctx)
Lets you register the Signature ordering functions. The order in which the functions are registered...
Definition: detect-engine-sigorder.c:783
DETECT_XBITS_CMD_ISSET
#define DETECT_XBITS_CMD_ISSET
Definition: detect-xbits.h:31
DETECT_XBITS_CMD_UNSET
#define DETECT_XBITS_CMD_UNSET
Definition: detect-xbits.h:29
GenericVar_::next
struct GenericVar_ * next
Definition: util-var.h:52
DetectXbitsData_::type
enum VarTypes type
Definition: detect-xbits.h:48
DE_QUIET
#define DE_QUIET
Definition: detect.h:298
DETECT_XBITS_CMD_NOALERT
#define DETECT_XBITS_CMD_NOALERT
Definition: detect-xbits.h:32
SIZE_OF_PACKET
#define SIZE_OF_PACKET
Definition: decode.h:628
str
#define str(s)
Definition: suricata-common.h:258
DetectXbitsData_
Definition: detect-xbits.h:42
Address_::family
char family
Definition: decode.h:110
Packet_::proto
uint8_t proto
Definition: decode.h:429
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:721
DETECT_XBITS_CMD_SET
#define DETECT_XBITS_CMD_SET
Definition: detect-xbits.h:27
DetectHostbitFree
void DetectHostbitFree(void *)
Definition: detect-hostbits.c:438
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Free
void(* Free)(void *)
Definition: detect.h:1151
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-hostbits.c:64
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:115
DETECT_XBITS_CMD_TOGGLE
#define DETECT_XBITS_CMD_TOGGLE
Definition: detect-xbits.h:28
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1893
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1752
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, pcre **parse_regex, pcre_extra **parse_regex_study)
Definition: detect-parse.c:2276
SCSigSignatureOrderingModuleCleanup
void SCSigSignatureOrderingModuleCleanup(DetectEngineCtx *de_ctx)
De-registers all the signature ordering functions registered.
Definition: detect-engine-sigorder.c:803
GenericVar_
Definition: util-var.h:48
Packet_::host_dst
struct Host_ * host_dst
Definition: decode.h:563
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:438
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:193
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1965
Signature_::next
struct Signature_ * next
Definition: detect.h:563
SigMatch_::type
uint8_t type
Definition: detect.h:325
Packet_
Definition: decode.h:406
HostGetHostFromHash
Host * HostGetHostFromHash(Address *a)
Definition: host.c:500
HostBitUnset
void HostBitUnset(Host *h, uint32_t idx)
Definition: host-bit.c:140
Flow_::flowvar
GenericVar * flowvar
Definition: flow.h:446
SigTableElmt_::desc
const char * desc
Definition: detect.h:1162
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:282
FAIL
#define FAIL
Definition: util-unittest.h:60
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:327
SCMalloc
#define SCMalloc(a)
Definition: util-mem.h:174
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:254
SCFree
#define SCFree(a)
Definition: util-mem.h:236
SIG_FLAG_NOALERT
#define SIG_FLAG_NOALERT
Definition: detect.h:223
DetectXbitsData_::cmd
uint8_t cmd
Definition: detect-xbits.h:44
StorageInit
void StorageInit(void)
Definition: util-storage.c:67
GenericVarFree
void GenericVarFree(GenericVar *gv)
Definition: util-var.c:47
StorageCleanup
void StorageCleanup(void)
Definition: util-storage.c:75
SigTableElmt_::Match
int(* Match)(ThreadVars *, DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1129
DetectHostbitsRegister
void DetectHostbitsRegister(void)
Definition: detect-hostbits.c:77
VarNameStoreSetupAdd
uint32_t VarNameStoreSetupAdd(const char *name, const enum VarTypes type)
add to staging or return existing id if already in there
Definition: util-var-name.c:320
HostUnlock
void HostUnlock(Host *h)
Definition: host.c:486
DETECT_XBITS_TRACK_IPDST
#define DETECT_XBITS_TRACK_IPDST
Definition: detect-xbits.h:36
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
HostBitsRegisterTests
void HostBitsRegisterTests(void)
this function registers unit tests for HostBits
Definition: detect-hostbits.c:1229
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1101
DetectXbitsData_::tracker
uint8_t tracker
Definition: detect-xbits.h:45
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SIGMATCH_IPONLY_COMPAT
#define SIGMATCH_IPONLY_COMPAT
Definition: detect.h:1330
DetectXbitsData_::expire
uint32_t expire
Definition: detect-xbits.h:46
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:226
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
Packet_::ts
struct timeval ts
Definition: decode.h:450
DetectEngineThreadCtx_
Definition: detect.h:962
Packet_::flags
uint32_t flags
Definition: decode.h:442
HostLookupHostFromHash
Host * HostLookupHostFromHash(Address *a)
look up a host in the hash
Definition: host.c:599
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:546
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1154
DETECT_XBITS_CMD_ISNOTSET
#define DETECT_XBITS_CMD_ISNOTSET
Definition: detect-xbits.h:30
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:1685
Flow_
Flow data structure.
Definition: flow.h:327
Packet_::payload
uint8_t * payload
Definition: decode.h:545
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1152
SigMatch_
a single match condition for a signature
Definition: detect.h:324
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
Definition: util-unittest.h:82
Packet_::src
Address src
Definition: decode.h:411
HostLock
void HostLock(Host *h)
Definition: host.c:481
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:1640