suricata
detect-hostbits.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Implements the hostbits keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 #include "detect.h"
29 #include "threads.h"
30 #include "flow.h"
31 #include "flow-util.h"
32 #include "detect-hostbits.h"
33 #include "util-spm.h"
34 
35 #include "detect-engine-sigorder.h"
36 
37 #include "app-layer-parser.h"
38 
39 #include "detect-parse.h"
40 #include "detect-engine.h"
41 #include "detect-engine-mpm.h"
42 #include "detect-engine-state.h"
43 #include "detect-engine-build.h"
44 
45 #include "flow-bit.h"
46 #include "host-bit.h"
47 #include "util-var-name.h"
48 #include "util-unittest.h"
49 #include "util-debug.h"
50 
51 /*
52  hostbits:isset,bitname;
53  hostbits:set,bitname;
54 
55  hostbits:set,bitname,src;
56  hostbits:set,bitname,dst;
57 TODO:
58  hostbits:set,bitname,both;
59 
60  hostbits:set,bitname,src,3600;
61  hostbits:set,bitname,dst,60;
62  hostbits:set,bitname,both,120;
63  */
64 
65 #define PARSE_REGEX "^([a-z]+)" /* Action */ \
66  "(?:\\s*,\\s*([^\\s,]+))?(?:\\s*)?" /* Name. */ \
67  "(?:\\s*,\\s*([^,\\s]+))?(?:\\s*)?" /* Direction. */ \
68  "(.+)?" /* Any remainding data. */
69 static DetectParseRegex parse_regex;
70 
71 static int DetectHostbitMatch (DetectEngineThreadCtx *, Packet *,
72  const Signature *, const SigMatchCtx *);
73 static int DetectHostbitSetup (DetectEngineCtx *, Signature *, const char *);
74 void DetectHostbitFree (DetectEngineCtx *, void *);
75 #ifdef UNITTESTS
76 void HostBitsRegisterTests(void);
77 #endif
78 
80 {
81  sigmatch_table[DETECT_HOSTBITS].name = "hostbits";
82  sigmatch_table[DETECT_HOSTBITS].desc = "operate on host flag";
83 // sigmatch_table[DETECT_HOSTBITS].url = "/rules/flow-keywords.html#flowbits";
84  sigmatch_table[DETECT_HOSTBITS].Match = DetectHostbitMatch;
85  sigmatch_table[DETECT_HOSTBITS].Setup = DetectHostbitSetup;
87 #ifdef UNITTESTS
89 #endif
90  /* this is compatible to ip-only signatures */
92 
93  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
94 }
95 
96 static int DetectHostbitMatchToggle (Packet *p, const DetectXbitsData *fd)
97 {
98  switch (fd->tracker) {
100  if (p->host_src == NULL) {
101  p->host_src = HostGetHostFromHash(&p->src);
102  if (p->host_src == NULL)
103  return 0;
104  }
105  else
106  HostLock(p->host_src);
107 
108  HostBitToggle(p->host_src,fd->idx,p->ts.tv_sec + fd->expire);
109  HostUnlock(p->host_src);
110  break;
112  if (p->host_dst == NULL) {
113  p->host_dst = HostGetHostFromHash(&p->dst);
114  if (p->host_dst == NULL)
115  return 0;
116  }
117  else
118  HostLock(p->host_dst);
119 
120  HostBitToggle(p->host_dst,fd->idx,p->ts.tv_sec + fd->expire);
121  HostUnlock(p->host_dst);
122  break;
123  }
124  return 1;
125 }
126 
127 /* return true even if bit not found */
128 static int DetectHostbitMatchUnset (Packet *p, const DetectXbitsData *fd)
129 {
130  switch (fd->tracker) {
132  if (p->host_src == NULL) {
134  if (p->host_src == NULL)
135  return 1;
136  } else
137  HostLock(p->host_src);
138 
139  HostBitUnset(p->host_src,fd->idx);
140  HostUnlock(p->host_src);
141  break;
143  if (p->host_dst == NULL) {
145  if (p->host_dst == NULL)
146  return 1;
147  } else
148  HostLock(p->host_dst);
149 
150  HostBitUnset(p->host_dst,fd->idx);
151  HostUnlock(p->host_dst);
152  break;
153  }
154  return 1;
155 }
156 
157 static int DetectHostbitMatchSet (Packet *p, const DetectXbitsData *fd)
158 {
159  switch (fd->tracker) {
161  if (p->host_src == NULL) {
162  p->host_src = HostGetHostFromHash(&p->src);
163  if (p->host_src == NULL)
164  return 0;
165  } else
166  HostLock(p->host_src);
167 
168  HostBitSet(p->host_src,fd->idx,p->ts.tv_sec + fd->expire);
169  HostUnlock(p->host_src);
170  break;
172  if (p->host_dst == NULL) {
173  p->host_dst = HostGetHostFromHash(&p->dst);
174  if (p->host_dst == NULL)
175  return 0;
176  } else
177  HostLock(p->host_dst);
178 
179  HostBitSet(p->host_dst,fd->idx, p->ts.tv_sec + fd->expire);
180  HostUnlock(p->host_dst);
181  break;
182  }
183  return 1;
184 }
185 
186 static int DetectHostbitMatchIsset (Packet *p, const DetectXbitsData *fd)
187 {
188  int r = 0;
189  switch (fd->tracker) {
191  if (p->host_src == NULL) {
193  if (p->host_src == NULL)
194  return 0;
195  } else
196  HostLock(p->host_src);
197 
198  r = HostBitIsset(p->host_src,fd->idx, p->ts.tv_sec);
199  HostUnlock(p->host_src);
200  return r;
202  if (p->host_dst == NULL) {
204  if (p->host_dst == NULL)
205  return 0;
206  } else
207  HostLock(p->host_dst);
208 
209  r = HostBitIsset(p->host_dst,fd->idx, p->ts.tv_sec);
210  HostUnlock(p->host_dst);
211  return r;
212  }
213  return 0;
214 }
215 
216 static int DetectHostbitMatchIsnotset (Packet *p, const DetectXbitsData *fd)
217 {
218  int r = 0;
219  switch (fd->tracker) {
221  if (p->host_src == NULL) {
223  if (p->host_src == NULL)
224  return 1;
225  } else
226  HostLock(p->host_src);
227 
228  r = HostBitIsnotset(p->host_src,fd->idx, p->ts.tv_sec);
229  HostUnlock(p->host_src);
230  return r;
232  if (p->host_dst == NULL) {
234  if (p->host_dst == NULL)
235  return 1;
236  } else
237  HostLock(p->host_dst);
238 
239  r = HostBitIsnotset(p->host_dst,fd->idx, p->ts.tv_sec);
240  HostUnlock(p->host_dst);
241  return r;
242  }
243  return 0;
244 }
245 
247 {
248  switch (xd->cmd) {
250  return DetectHostbitMatchIsset(p,xd);
252  return DetectHostbitMatchIsnotset(p,xd);
254  return DetectHostbitMatchSet(p,xd);
256  return DetectHostbitMatchUnset(p,xd);
258  return DetectHostbitMatchToggle(p,xd);
259  default:
260  SCLogError(SC_ERR_UNKNOWN_VALUE, "unknown cmd %" PRIu32 "", xd->cmd);
261  return 0;
262  }
263 
264  return 0;
265 }
266 
267 /*
268  * returns 0: no match
269  * 1: match
270  * -1: error
271  */
272 
273 static int DetectHostbitMatch (DetectEngineThreadCtx *det_ctx, Packet *p,
274  const Signature *s, const SigMatchCtx *ctx)
275 {
276  const DetectXbitsData *xd = (const DetectXbitsData *)ctx;
277  if (xd == NULL)
278  return 0;
279 
280  return DetectXbitMatchHost(p, xd);
281 }
282 
283 static int DetectHostbitParse(const char *str, char *cmd, int cmd_len,
284  char *name, int name_len, char *dir, int dir_len)
285 {
286  int count, rc;
287  size_t pcre2len;
288 
289  count = DetectParsePcreExec(&parse_regex, str, 0, 0);
290  if (count != 2 && count != 3 && count != 4) {
292  "\"%s\" is not a valid setting for hostbits.", str);
293  return 0;
294  }
295 
296  pcre2len = cmd_len;
297  rc = pcre2_substring_copy_bynumber(parse_regex.match, 1, (PCRE2_UCHAR8 *)cmd, &pcre2len);
298  if (rc < 0) {
299  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre2_substring_copy_bynumber failed");
300  return 0;
301  }
302 
303  if (count >= 3) {
304  pcre2len = name_len;
305  rc = pcre2_substring_copy_bynumber(parse_regex.match, 2, (PCRE2_UCHAR8 *)name, &pcre2len);
306  if (rc < 0) {
307  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre2_substring_copy_bynumber failed");
308  return 0;
309  }
310  if (count >= 4) {
311  pcre2len = dir_len;
312  rc = pcre2_substring_copy_bynumber(
313  parse_regex.match, 3, (PCRE2_UCHAR8 *)dir, &pcre2len);
314  if (rc < 0) {
315  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre2_substring_copy_bynumber failed");
316  return 0;
317  }
318  }
319  }
320 
321  return 1;
322 }
323 
324 int DetectHostbitSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
325 {
326  DetectXbitsData *cd = NULL;
327  SigMatch *sm = NULL;
328  uint8_t fb_cmd = 0;
329  uint8_t hb_dir = 0;
330  char fb_cmd_str[16] = "", fb_name[256] = "";
331  char hb_dir_str[16] = "";
332 
333  if (!DetectHostbitParse(rawstr, fb_cmd_str, sizeof(fb_cmd_str),
334  fb_name, sizeof(fb_name), hb_dir_str, sizeof(hb_dir_str))) {
335  return -1;
336  }
337 
338  if (strlen(hb_dir_str) > 0) {
339  if (strcmp(hb_dir_str, "src") == 0)
340  hb_dir = DETECT_XBITS_TRACK_IPSRC;
341  else if (strcmp(hb_dir_str, "dst") == 0)
342  hb_dir = DETECT_XBITS_TRACK_IPDST;
343  else if (strcmp(hb_dir_str, "both") == 0) {
344  //hb_dir = DETECT_XBITS_TRACK_IPBOTH;
345  SCLogError(SC_ERR_UNIMPLEMENTED, "'both' not implemented");
346  goto error;
347  } else {
348  // TODO
349  goto error;
350  }
351  }
352 
353  if (strcmp(fb_cmd_str,"noalert") == 0) {
354  fb_cmd = DETECT_XBITS_CMD_NOALERT;
355  } else if (strcmp(fb_cmd_str,"isset") == 0) {
356  fb_cmd = DETECT_XBITS_CMD_ISSET;
357  } else if (strcmp(fb_cmd_str,"isnotset") == 0) {
358  fb_cmd = DETECT_XBITS_CMD_ISNOTSET;
359  } else if (strcmp(fb_cmd_str,"set") == 0) {
360  fb_cmd = DETECT_XBITS_CMD_SET;
361  } else if (strcmp(fb_cmd_str,"unset") == 0) {
362  fb_cmd = DETECT_XBITS_CMD_UNSET;
363  } else if (strcmp(fb_cmd_str,"toggle") == 0) {
364  fb_cmd = DETECT_XBITS_CMD_TOGGLE;
365  } else {
366  SCLogError(SC_ERR_UNKNOWN_VALUE, "ERROR: flowbits action \"%s\" is not supported.", fb_cmd_str);
367  goto error;
368  }
369 
370  switch (fb_cmd) {
372  if (strlen(fb_name) != 0)
373  goto error;
374  s->flags |= SIG_FLAG_NOALERT;
375  return 0;
381  default:
382  if (strlen(fb_name) == 0)
383  goto error;
384  break;
385  }
386 
387  cd = SCMalloc(sizeof(DetectXbitsData));
388  if (unlikely(cd == NULL))
389  goto error;
390 
392  cd->cmd = fb_cmd;
393  cd->tracker = hb_dir;
394  cd->type = VAR_TYPE_HOST_BIT;
395  cd->expire = 300;
396 
397  SCLogDebug("idx %" PRIu32 ", cmd %s, name %s",
398  cd->idx, fb_cmd_str, strlen(fb_name) ? fb_name : "(none)");
399 
400  /* Okay so far so good, lets get this into a SigMatch
401  * and put it in the Signature. */
402  sm = SigMatchAlloc();
403  if (sm == NULL)
404  goto error;
405 
406  sm->type = DETECT_HOSTBITS;
407  sm->ctx = (void *)cd;
408 
409  switch (fb_cmd) {
410  /* case DETECT_XBITS_CMD_NOALERT can't happen here */
411 
414  /* checks, so packet list */
416  break;
417 
421  /* modifiers, only run when entire sig has matched */
423  break;
424 
425  // suppress coverity warning as scan-build-7 warns w/o this.
426  // coverity[deadcode : FALSE]
427  default:
428  goto error;
429  }
430 
431  return 0;
432 
433 error:
434  if (cd != NULL)
435  SCFree(cd);
436  if (sm != NULL)
437  SCFree(sm);
438  return -1;
439 }
440 
442 {
443  DetectXbitsData *fd = (DetectXbitsData *)ptr;
444 
445  if (fd == NULL)
446  return;
447 
448  SCFree(fd);
449 }
450 
451 #ifdef UNITTESTS
452 
453 static void HostBitsTestSetup(void)
454 {
455  StorageInit();
456  HostBitInitCtx();
457  StorageFinalize();
458  HostInitConfig(true);
459 }
460 
461 static void HostBitsTestShutdown(void)
462 {
463  HostCleanup();
464  StorageCleanup();
465 }
466 
467 static int HostBitsTestParse01(void)
468 {
469  char cmd[16] = "", name[256] = "", dir[16] = "";
470 
471  /* No direction. */
472  FAIL_IF(!DetectHostbitParse("isset,name", cmd, sizeof(cmd), name,
473  sizeof(name), dir, sizeof(dir)));
474  FAIL_IF(strcmp(cmd, "isset") != 0);
475  FAIL_IF(strcmp(name, "name") != 0);
476  FAIL_IF(strlen(dir));
477 
478  /* No direction, leading space. */
479  *cmd = '\0';
480  *name = '\0';
481  *dir = '\0';
482  FAIL_IF(!DetectHostbitParse("isset, name", cmd, sizeof(cmd), name,
483  sizeof(name), dir, sizeof(dir)));
484  FAIL_IF(strcmp(cmd, "isset") != 0);
485  FAIL_IF(strcmp(name, "name") != 0);
486 
487  /* No direction, trailing space. */
488  *cmd = '\0';
489  *name = '\0';
490  *dir = '\0';
491  FAIL_IF(!DetectHostbitParse("isset,name ", cmd, sizeof(cmd), name,
492  sizeof(name), dir, sizeof(dir)));
493  FAIL_IF(strcmp(cmd, "isset") != 0);
494  FAIL_IF(strcmp(name, "name") != 0);
495 
496  /* No direction, leading and trailing space. */
497  *cmd = '\0';
498  *name = '\0';
499  *dir = '\0';
500  FAIL_IF(!DetectHostbitParse("isset, name ", cmd, sizeof(cmd), name,
501  sizeof(name), dir, sizeof(dir)));
502  FAIL_IF(strcmp(cmd, "isset") != 0);
503  FAIL_IF(strcmp(name, "name") != 0);
504 
505  /* With direction. */
506  *cmd = '\0';
507  *name = '\0';
508  *dir = '\0';
509  FAIL_IF(!DetectHostbitParse("isset,name,src", cmd, sizeof(cmd), name,
510  sizeof(name), dir, sizeof(dir)));
511  FAIL_IF(strcmp(cmd, "isset") != 0);
512  FAIL_IF(strcmp(name, "name") != 0);
513  FAIL_IF(strcmp(dir, "src") != 0);
514 
515  /* With direction - leading and trailing spaces on name. */
516  *cmd = '\0';
517  *name = '\0';
518  *dir = '\0';
519  FAIL_IF(!DetectHostbitParse("isset, name ,src", cmd, sizeof(cmd), name,
520  sizeof(name), dir, sizeof(dir)));
521  FAIL_IF(strcmp(cmd, "isset") != 0);
522  FAIL_IF(strcmp(name, "name") != 0);
523  FAIL_IF(strcmp(dir, "src") != 0);
524 
525  /* With direction - space around direction. */
526  *cmd = '\0';
527  *name = '\0';
528  *dir = '\0';
529  FAIL_IF(!DetectHostbitParse("isset, name , src ", cmd, sizeof(cmd), name,
530  sizeof(name), dir, sizeof(dir)));
531  FAIL_IF(strcmp(cmd, "isset") != 0);
532  FAIL_IF(strcmp(name, "name") != 0);
533  FAIL_IF(strcmp(dir, "src") != 0);
534 
535  /* Name with space, no direction - should fail. */
536  *cmd = '\0';
537  *name = '\0';
538  *dir = '\0';
539  FAIL_IF(DetectHostbitParse("isset, name withspace ", cmd, sizeof(cmd), name,
540  sizeof(name), dir, sizeof(dir)));
541 
542  PASS;
543 }
544 
545 /**
546  * \test HostBitsTestSig01 is a test for a valid noalert flowbits option
547  *
548  * \retval 1 on succces
549  * \retval 0 on failure
550  */
551 
552 static int HostBitsTestSig01(void)
553 {
554  uint8_t *buf = (uint8_t *)
555  "GET /one/ HTTP/1.1\r\n"
556  "Host: one.example.org\r\n"
557  "\r\n";
558  uint16_t buflen = strlen((char *)buf);
559  Packet *p = PacketGetFromAlloc();
560  FAIL_IF_NULL(p);
561  Signature *s = NULL;
562  ThreadVars th_v;
563  DetectEngineThreadCtx *det_ctx = NULL;
564  DetectEngineCtx *de_ctx = NULL;
565 
566  memset(&th_v, 0, sizeof(th_v));
567  p->src.family = AF_INET;
568  p->dst.family = AF_INET;
569  p->payload = buf;
570  p->payload_len = buflen;
571  p->proto = IPPROTO_TCP;
572 
573  HostBitsTestSetup();
574 
577 
578  de_ctx->flags |= DE_QUIET;
579 
580  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (hostbits:set,abc; content:\"GET \"; sid:1;)");
581  FAIL_IF_NULL(s);
582 
584  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
585 
586  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
587 
588  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
590  PacketFree(p);
591  HostBitsTestShutdown();
592  PASS;
593 }
594 
595 /**
596  * \test various options
597  *
598  * \retval 1 on succces
599  * \retval 0 on failure
600  */
601 
602 static int HostBitsTestSig02(void)
603 {
604  Signature *s = NULL;
605  ThreadVars th_v;
606  DetectEngineCtx *de_ctx = NULL;
607 
608  memset(&th_v, 0, sizeof(th_v));
609 
612 
613  de_ctx->flags |= DE_QUIET;
614 
616  "alert ip any any -> any any (hostbits:isset,abc,src; content:\"GET \"; sid:1;)");
617  FAIL_IF_NULL(s);
618 
620  "alert ip any any -> any any (hostbits:isnotset,abc,dst; content:\"GET \"; sid:2;)");
621  FAIL_IF_NULL(s);
622 
624  "alert ip any any -> any any (hostbits:!isset,abc,dst; content:\"GET \"; sid:3;)");
625  FAIL_IF_NOT_NULL(s);
626 
627 /* TODO reenable after both is supported
628  s = DetectEngineAppendSig(de_ctx,
629  "alert ip any any -> any any (hostbits:set,abc,both; content:\"GET \"; sid:3;)");
630  FAIL_IF_NULL(s);
631 */
633  "alert ip any any -> any any (hostbits:unset,abc,src; content:\"GET \"; sid:4;)");
634  FAIL_IF_NULL(s);
635 
637  "alert ip any any -> any any (hostbits:toggle,abc,dst; content:\"GET \"; sid:5;)");
638  FAIL_IF_NULL(s);
639 
641  PASS;
642 }
643 
644 /**
645  * \test HostBitsTestSig03 is a test check idx value
646  *
647  * \retval 1 on succces
648  * \retval 0 on failure
649  */
650 
651 static int HostBitsTestSig03(void)
652 {
653  uint8_t *buf = (uint8_t *)
654  "GET /one/ HTTP/1.1\r\n"
655  "Host: one.example.org\r\n"
656  "\r\n";
657  uint16_t buflen = strlen((char *)buf);
658  Packet *p = PacketGetFromAlloc();
659  if (unlikely(p == NULL))
660  return 0;
661  Signature *s = NULL;
662  ThreadVars th_v;
663  DetectEngineThreadCtx *det_ctx = NULL;
664  DetectEngineCtx *de_ctx = NULL;
665  int idx = 0;
666 
667  memset(&th_v, 0, sizeof(th_v));
668  p->src.family = AF_INET;
669  p->dst.family = AF_INET;
670  p->payload = buf;
671  p->payload_len = buflen;
672  p->proto = IPPROTO_TCP;
673 
674  HostBitsTestSetup();
675 
678 
679  de_ctx->flags |= DE_QUIET;
680 
681  s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"isset option\"; hostbits:isset,fbt; content:\"GET \"; sid:1;)");
682  FAIL_IF_NULL(s);
683 
685  FAIL_IF(idx != 1);
686 
688  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
689 
690  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
691 
692  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
694  HostBitsTestShutdown();
695 
696  SCFree(p);
697  PASS;
698 }
699 
700 /**
701  * \brief this function registers unit tests for HostBits
702  */
704 {
705  UtRegisterTest("HostBitsTestParse01", HostBitsTestParse01);
706  UtRegisterTest("HostBitsTestSig01", HostBitsTestSig01);
707  UtRegisterTest("HostBitsTestSig02", HostBitsTestSig02);
708  UtRegisterTest("HostBitsTestSig03", HostBitsTestSig03);
709 }
710 #endif /* UNITTESTS */
DetectParseRegex::match
pcre2_match_data * match
Definition: detect-parse.h:45
HostUnlock
void HostUnlock(Host *h)
Definition: host.c:488
Packet_::proto
uint8_t proto
Definition: decode.h:456
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SigTableElmt_::desc
const char * desc
Definition: detect.h:1247
DetectXbitsData_::expire
uint32_t expire
Definition: detect-xbits.h:46
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options)
Definition: detect-parse.c:2475
HostBitToggle
void HostBitToggle(Host *h, uint32_t idx, uint32_t expire)
Definition: host-bit.c:147
StorageInit
void StorageInit(void)
Definition: util-storage.c:67
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1235
flow-util.h
DetectParseRegex
Definition: detect-parse.h:42
SigTableElmt_::name
const char * name
Definition: detect.h:1245
HostBitsRegisterTests
void HostBitsRegisterTests(void)
this function registers unit tests for HostBits
Definition: detect-hostbits.c:703
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
Packet_::host_src
struct Host_ * host_src
Definition: decode.h:591
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:296
Packet_::payload
uint8_t * payload
Definition: decode.h:574
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-hostbits.c:65
threads.h
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2116
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1239
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:785
DetectXbitsData_::cmd
uint8_t cmd
Definition: detect-xbits.h:44
HostGetHostFromHash
Host * HostGetHostFromHash(Address *a)
Definition: host.c:502
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2445
StorageCleanup
void StorageCleanup(void)
Definition: util-storage.c:75
flow-bit.h
util-var-name.h
DETECT_XBITS_TRACK_IPDST
#define DETECT_XBITS_TRACK_IPDST
Definition: detect-xbits.h:36
DE_QUIET
#define DE_QUIET
Definition: detect.h:288
DetectHostbitsRegister
void DetectHostbitsRegister(void)
Definition: detect-hostbits.c:79
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1785
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
Packet_::host_dst
struct Host_ * host_dst
Definition: decode.h:592
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1230
HostBitInitCtx
void HostBitInitCtx(void)
Definition: host-bit.c:49
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:575
DetectXbitsData_
Definition: detect-xbits.h:42
HostBitIsset
int HostBitIsset(Host *h, uint32_t idx, uint32_t ts)
Definition: host-bit.c:157
util-unittest.h
DETECT_HOSTBITS
@ DETECT_HOSTBITS
Definition: detect-engine-register.h:89
DETECT_SM_LIST_POSTMATCH
@ DETECT_SM_LIST_POSTMATCH
Definition: detect.h:89
DetectXbitMatchHost
int DetectXbitMatchHost(Packet *p, const DetectXbitsData *xd)
Definition: detect-hostbits.c:246
DETECT_XBITS_CMD_ISNOTSET
#define DETECT_XBITS_CMD_ISNOTSET
Definition: detect-xbits.h:30
HostBitIsnotset
int HostBitIsnotset(Host *h, uint32_t idx, uint32_t ts)
Definition: host-bit.c:170
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1034
SC_ERR_UNKNOWN_VALUE
@ SC_ERR_UNKNOWN_VALUE
Definition: util-error.h:159
HostBitUnset
void HostBitUnset(Host *h, uint32_t idx)
Definition: host-bit.c:139
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2598
HostCleanup
void HostCleanup(void)
Cleanup the host engine.
Definition: host.c:343
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:56
PacketFree
void PacketFree(Packet *p)
Return a malloced packet.
Definition: decode.c:137
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:80
app-layer-parser.h
HostLock
void HostLock(Host *h)
Definition: host.c:483
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:317
DetectXbitsData_::type
enum VarTypes type
Definition: detect-xbits.h:48
HostBitSet
void HostBitSet(Host *h, uint32_t idx, uint32_t expire)
Definition: host-bit.c:131
Signature_::flags
uint32_t flags
Definition: detect.h:541
Packet_
Definition: decode.h:434
detect-engine-build.h
StorageFinalize
int StorageFinalize(void)
Definition: util-storage.c:139
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1213
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1953
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:309
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2421
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3154
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
Packet_::ts
struct timeval ts
Definition: decode.h:477
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3368
SigMatch_::type
uint16_t type
Definition: detect.h:315
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
util-spm.h
DetectXbitsData_::idx
uint32_t idx
Definition: detect-xbits.h:43
VarNameStoreSetupAdd
uint32_t VarNameStoreSetupAdd(const char *name, const enum VarTypes type)
add to staging or return existing id if already in there
Definition: util-var-name.c:323
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:255
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:791
SIG_FLAG_NOALERT
#define SIG_FLAG_NOALERT
Definition: detect.h:207
detect-hostbits.h
SC_ERR_UNIMPLEMENTED
@ SC_ERR_UNIMPLEMENTED
Definition: util-error.h:118
VAR_TYPE_HOST_BIT
@ VAR_TYPE_HOST_BIT
Definition: util-var.h:39
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:176
detect-engine-sigorder.h
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
DetectXbitsData_::tracker
uint8_t tracker
Definition: detect-xbits.h:45
str
#define str(s)
Definition: suricata-common.h:272
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DETECT_XBITS_TRACK_IPSRC
#define DETECT_XBITS_TRACK_IPSRC
Definition: detect-xbits.h:35
detect-parse.h
Signature_
Signature container.
Definition: detect.h:540
SigMatch_
a single match condition for a signature
Definition: detect.h:314
DETECT_XBITS_CMD_NOALERT
#define DETECT_XBITS_CMD_NOALERT
Definition: detect-xbits.h:32
DETECT_XBITS_CMD_ISSET
#define DETECT_XBITS_CMD_ISSET
Definition: detect-xbits.h:31
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2406
HostLookupHostFromHash
Host * HostLookupHostFromHash(Address *a)
look up a host in the hash
Definition: host.c:601
Address_::family
char family
Definition: decode.h:114
Packet_::dst
Address dst
Definition: decode.h:439
HostInitConfig
void HostInitConfig(bool quiet)
initialize the configuration
Definition: host.c:175
DETECT_XBITS_CMD_SET
#define DETECT_XBITS_CMD_SET
Definition: detect-xbits.h:27
DetectHostbitFree
void DetectHostbitFree(DetectEngineCtx *, void *)
Definition: detect-hostbits.c:441
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:786
DETECT_XBITS_CMD_TOGGLE
#define DETECT_XBITS_CMD_TOGGLE
Definition: detect-xbits.h:28
flow.h
DETECT_XBITS_CMD_UNSET
#define DETECT_XBITS_CMD_UNSET
Definition: detect-xbits.h:29
SIGMATCH_IPONLY_COMPAT
#define SIGMATCH_IPONLY_COMPAT
Definition: detect.h:1433
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
Packet_::src
Address src
Definition: decode.h:438
host-bit.h
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1237