suricata
detect-icmp-id.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Gerardo Iglesias Galvan <iglesiasg@gmail.com>
22  *
23  * Implements the icmp_id keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "debug.h"
28 #include "decode.h"
29 
30 #include "detect.h"
31 #include "detect-parse.h"
33 
34 #include "detect-icmp-id.h"
35 
36 #include "util-byte.h"
37 #include "util-unittest.h"
38 #include "util-unittest-helper.h"
39 #include "util-debug.h"
40 
41 #define PARSE_REGEX "^\\s*(\"\\s*)?([0-9]+)(\\s*\")?\\s*$"
42 
43 static DetectParseRegex parse_regex;
44 
45 static int DetectIcmpIdMatch(DetectEngineThreadCtx *, Packet *,
46  const Signature *, const SigMatchCtx *);
47 static int DetectIcmpIdSetup(DetectEngineCtx *, Signature *, const char *);
48 void DetectIcmpIdRegisterTests(void);
49 void DetectIcmpIdFree(void *);
50 static int PrefilterSetupIcmpId(DetectEngineCtx *de_ctx, SigGroupHead *sgh);
51 static bool PrefilterIcmpIdIsPrefilterable(const Signature *s);
52 
53 /**
54  * \brief Registration function for icode: icmp_id
55  */
57 {
58  sigmatch_table[DETECT_ICMP_ID].name = "icmp_id";
59  sigmatch_table[DETECT_ICMP_ID].desc = "check for a ICMP ID";
60  sigmatch_table[DETECT_ICMP_ID].url = DOC_URL DOC_VERSION "/rules/header-keywords.html#icmp-id";
61  sigmatch_table[DETECT_ICMP_ID].Match = DetectIcmpIdMatch;
62  sigmatch_table[DETECT_ICMP_ID].Setup = DetectIcmpIdSetup;
65 
66  sigmatch_table[DETECT_ICMP_ID].SupportsPrefilter = PrefilterIcmpIdIsPrefilterable;
67  sigmatch_table[DETECT_ICMP_ID].SetupPrefilter = PrefilterSetupIcmpId;
68 
69  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
70 }
71 
72 static inline bool GetIcmpId(Packet *p, uint16_t *id)
73 {
74  if (PKT_IS_PSEUDOPKT(p))
75  return FALSE;
76 
77  uint16_t pid;
78  if (PKT_IS_ICMPV4(p)) {
79  switch (ICMPV4_GET_TYPE(p)){
80  case ICMP_ECHOREPLY:
81  case ICMP_ECHO:
82  case ICMP_TIMESTAMP:
83  case ICMP_TIMESTAMPREPLY:
84  case ICMP_INFO_REQUEST:
85  case ICMP_INFO_REPLY:
86  case ICMP_ADDRESS:
87  case ICMP_ADDRESSREPLY:
88  SCLogDebug("ICMPV4_GET_ID(p) %"PRIu16" (network byte order), "
89  "%"PRIu16" (host byte order)", ICMPV4_GET_ID(p),
91 
92  pid = ICMPV4_GET_ID(p);
93  break;
94  default:
95  SCLogDebug("Packet has no id field");
96  return FALSE;
97  }
98  } else if (PKT_IS_ICMPV6(p)) {
99  switch (ICMPV6_GET_TYPE(p)) {
100  case ICMP6_ECHO_REQUEST:
101  case ICMP6_ECHO_REPLY:
102  SCLogDebug("ICMPV6_GET_ID(p) %"PRIu16" (network byte order), "
103  "%"PRIu16" (host byte order)", ICMPV6_GET_ID(p),
104  SCNtohs(ICMPV6_GET_ID(p)));
105 
106  pid = ICMPV6_GET_ID(p);
107  break;
108  default:
109  SCLogDebug("Packet has no id field");
110  return FALSE;
111  }
112  } else {
113  SCLogDebug("Packet not ICMPV4 nor ICMPV6");
114  return FALSE;
115  }
116 
117  *id = pid;
118  return TRUE;
119 }
120 
121 /**
122  * \brief This function is used to match icmp_id rule option set on a packet
123  *
124  * \param t pointer to thread vars
125  * \param det_ctx pointer to the pattern matcher thread
126  * \param p pointer to the current packet
127  * \param m pointer to the sigmatch that we will cast into DetectIcmpIdData
128  *
129  * \retval 0 no match
130  * \retval 1 match
131  */
132 static int DetectIcmpIdMatch (DetectEngineThreadCtx *det_ctx, Packet *p,
133  const Signature *s, const SigMatchCtx *ctx)
134 {
135  uint16_t pid;
136 
137  if (GetIcmpId(p, &pid) == FALSE)
138  return 0;
139 
140  const DetectIcmpIdData *iid = (const DetectIcmpIdData *)ctx;
141  if (pid == iid->id)
142  return 1;
143 
144  return 0;
145 }
146 
147 /**
148  * \brief This function is used to parse icmp_id option passed via icmp_id: keyword
149  *
150  * \param icmpidstr Pointer to the user provided icmp_id options
151  *
152  * \retval iid pointer to DetectIcmpIdData on success
153  * \retval NULL on failure
154  */
155 static DetectIcmpIdData *DetectIcmpIdParse (const char *icmpidstr)
156 {
157  DetectIcmpIdData *iid = NULL;
158  char *substr[3] = {NULL, NULL, NULL};
159  int ret = 0, res = 0;
160  int ov[MAX_SUBSTRINGS];
161 
162  ret = DetectParsePcreExec(&parse_regex, icmpidstr, 0, 0, ov, MAX_SUBSTRINGS);
163  if (ret < 1 || ret > 4) {
164  SCLogError(SC_ERR_PCRE_MATCH, "Parse error %s", icmpidstr);
165  goto error;
166  }
167 
168  int i;
169  const char *str_ptr;
170  for (i = 1; i < ret; i++) {
171  res = pcre_get_substring((char *)icmpidstr, ov, MAX_SUBSTRINGS, i, &str_ptr);
172  if (res < 0) {
173  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
174  goto error;
175  }
176  substr[i-1] = (char *)str_ptr;
177  }
178 
179  iid = SCMalloc(sizeof(DetectIcmpIdData));
180  if (unlikely(iid == NULL))
181  goto error;
182  iid->id = 0;
183 
184  if (substr[0]!= NULL && strlen(substr[0]) != 0) {
185  if (substr[2] == NULL) {
186  SCLogError(SC_ERR_INVALID_ARGUMENT, "Missing close quote in input");
187  goto error;
188  }
189  } else {
190  if (substr[2] != NULL) {
191  SCLogError(SC_ERR_INVALID_ARGUMENT, "Missing open quote in input");
192  goto error;
193  }
194  }
195 
196  uint16_t id = 0;
197  if (StringParseUint16(&id, 10, 0, substr[1]) < 0) {
198  SCLogError(SC_ERR_INVALID_ARGUMENT, "specified icmp id %s is not "
199  "valid", substr[1]);
200  goto error;
201  }
202  iid->id = htons(id);
203 
204  for (i = 0; i < 3; i++) {
205  if (substr[i] != NULL) SCFree(substr[i]);
206  }
207  return iid;
208 
209 error:
210  for (i = 0; i < 3; i++) {
211  if (substr[i] != NULL) SCFree(substr[i]);
212  }
213  if (iid != NULL) DetectIcmpIdFree(iid);
214  return NULL;
215 
216 }
217 
218 /**
219  * \brief this function is used to add the parsed icmp_id data into the current signature
220  *
221  * \param de_ctx pointer to the Detection Engine Context
222  * \param s pointer to the Current Signature
223  * \param icmpidstr pointer to the user provided icmp_id option
224  *
225  * \retval 0 on Success
226  * \retval -1 on Failure
227  */
228 static int DetectIcmpIdSetup (DetectEngineCtx *de_ctx, Signature *s, const char *icmpidstr)
229 {
230  DetectIcmpIdData *iid = NULL;
231  SigMatch *sm = NULL;
232 
233  iid = DetectIcmpIdParse(icmpidstr);
234  if (iid == NULL) goto error;
235 
236  sm = SigMatchAlloc();
237  if (sm == NULL) goto error;
238 
239  sm->type = DETECT_ICMP_ID;
240  sm->ctx = (SigMatchCtx *)iid;
241 
244 
245  return 0;
246 
247 error:
248  if (iid != NULL) DetectIcmpIdFree(iid);
249  if (sm != NULL) SCFree(sm);
250  return -1;
251 
252 }
253 
254 /**
255  * \brief this function will free memory associated with DetectIcmpIdData
256  *
257  * \param ptr pointer to DetectIcmpIdData
258  */
259 void DetectIcmpIdFree (void *ptr)
260 {
261  DetectIcmpIdData *iid = (DetectIcmpIdData *)ptr;
262  SCFree(iid);
263 }
264 
265 /* prefilter code */
266 
267 static void
268 PrefilterPacketIcmpIdMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)
269 {
270  const PrefilterPacketHeaderCtx *ctx = pectx;
271 
272  uint16_t pid;
273  if (GetIcmpId(p, &pid) == FALSE)
274  return;
275 
276  if (pid == ctx->v1.u16[0])
277  {
278  SCLogDebug("packet matches ICMP ID %u", ctx->v1.u16[0]);
279  PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);
280  }
281 }
282 
283 static void
284 PrefilterPacketIcmpIdSet(PrefilterPacketHeaderValue *v, void *smctx)
285 {
286  const DetectIcmpIdData *a = smctx;
287  v->u16[0] = a->id;
288 }
289 
290 static bool
291 PrefilterPacketIcmpIdCompare(PrefilterPacketHeaderValue v, void *smctx)
292 {
293  const DetectIcmpIdData *a = smctx;
294  if (v.u16[0] == a->id)
295  return TRUE;
296  return FALSE;
297 }
298 
299 static int PrefilterSetupIcmpId(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
300 {
302  PrefilterPacketIcmpIdSet,
303  PrefilterPacketIcmpIdCompare,
304  PrefilterPacketIcmpIdMatch);
305 }
306 
307 static bool PrefilterIcmpIdIsPrefilterable(const Signature *s)
308 {
309  const SigMatch *sm;
310  for (sm = s->init_data->smlists[DETECT_SM_LIST_MATCH] ; sm != NULL; sm = sm->next) {
311  switch (sm->type) {
312  case DETECT_ICMP_ID:
313  return TRUE;
314  }
315  }
316  return FALSE;
317 }
318 
319 #ifdef UNITTESTS
320 #include "detect-engine.h"
321 #include "detect-engine-mpm.h"
322 
323 /**
324  * \test DetectIcmpIdParseTest01 is a test for setting a valid icmp_id value
325  */
326 static int DetectIcmpIdParseTest01 (void)
327 {
328  DetectIcmpIdData *iid = NULL;
329  iid = DetectIcmpIdParse("300");
330  if (iid != NULL && iid->id == htons(300)) {
331  DetectIcmpIdFree(iid);
332  return 1;
333  }
334  return 0;
335 }
336 
337 /**
338  * \test DetectIcmpIdParseTest02 is a test for setting a valid icmp_id value
339  * with spaces all around
340  */
341 static int DetectIcmpIdParseTest02 (void)
342 {
343  DetectIcmpIdData *iid = NULL;
344  iid = DetectIcmpIdParse(" 300 ");
345  if (iid != NULL && iid->id == htons(300)) {
346  DetectIcmpIdFree(iid);
347  return 1;
348  }
349  return 0;
350 }
351 
352 /**
353  * \test DetectIcmpIdParseTest03 is a test for setting a valid icmp_id value
354  * with quotation marks
355  */
356 static int DetectIcmpIdParseTest03 (void)
357 {
358  DetectIcmpIdData *iid = NULL;
359  iid = DetectIcmpIdParse("\"300\"");
360  if (iid != NULL && iid->id == htons(300)) {
361  DetectIcmpIdFree(iid);
362  return 1;
363  }
364  return 0;
365 }
366 
367 /**
368  * \test DetectIcmpIdParseTest04 is a test for setting a valid icmp_id value
369  * with quotation marks and spaces all around
370  */
371 static int DetectIcmpIdParseTest04 (void)
372 {
373  DetectIcmpIdData *iid = NULL;
374  iid = DetectIcmpIdParse(" \" 300 \"");
375  if (iid != NULL && iid->id == htons(300)) {
376  DetectIcmpIdFree(iid);
377  return 1;
378  }
379  return 0;
380 }
381 
382 /**
383  * \test DetectIcmpIdParseTest05 is a test for setting an invalid icmp_id
384  * value with missing quotation marks
385  */
386 static int DetectIcmpIdParseTest05 (void)
387 {
388  DetectIcmpIdData *iid = NULL;
389  iid = DetectIcmpIdParse("\"300");
390  if (iid == NULL) {
391  DetectIcmpIdFree(iid);
392  return 1;
393  }
394  return 0;
395 }
396 
397 /**
398  * \test DetectIcmpIdMatchTest01 is a test for checking the working of
399  * icmp_id keyword by creating 2 rules and matching a crafted packet
400  * against them. Only the first one shall trigger.
401  */
402 static int DetectIcmpIdMatchTest01 (void)
403 {
404  int result = 0;
405  Packet *p = NULL;
406  Signature *s = NULL;
407  ThreadVars th_v;
408  DetectEngineThreadCtx *det_ctx = NULL;
409 
410  memset(&th_v, 0, sizeof(ThreadVars));
411 
412  p = UTHBuildPacket(NULL, 0, IPPROTO_ICMP);
413  p->icmpv4vars.id = htons(21781);
414 
416  if (de_ctx == NULL) {
417  goto end;
418  }
419 
420  de_ctx->flags |= DE_QUIET;
421 
422  s = de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any (icmp_id:21781; sid:1;)");
423  if (s == NULL) {
424  goto end;
425  }
426 
427  s = s->next = SigInit(de_ctx, "alert icmp any any -> any any (icmp_id:21782; sid:2;)");
428  if (s == NULL) {
429  goto end;
430  }
431 
433  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
434 
435  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
436  if (PacketAlertCheck(p, 1) == 0) {
437  printf("sid 1 did not alert, but should have: ");
438  goto cleanup;
439  } else if (PacketAlertCheck(p, 2)) {
440  printf("sid 2 alerted, but should not have: ");
441  goto cleanup;
442  }
443 
444  result = 1;
445 
446 cleanup:
449 
450  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
452 
453  UTHFreePackets(&p, 1);
454 end:
455  return result;
456 
457 }
458 
459 /**
460  * \test DetectIcmpIdMatchTest02 is a test for checking the working of
461  * icmp_id keyword by creating 1 rule and matching a crafted packet
462  * against them. The packet is an ICMP packet with no "id" field,
463  * therefore the rule should not trigger.
464  */
465 static int DetectIcmpIdMatchTest02 (void)
466 {
467  int result = 0;
468 
469  uint8_t raw_icmpv4[] = {
470  0x0b, 0x00, 0x8a, 0xdf, 0x00, 0x00, 0x00, 0x00,
471  0x45, 0x00, 0x00, 0x14, 0x25, 0x0c, 0x00, 0x00,
472  0xff, 0x11, 0x00, 0x00, 0x85, 0x64, 0xea, 0x5b,
473  0x51, 0xa6, 0xbb, 0x35, 0x59, 0x8a, 0x5a, 0xe2,
474  0x00, 0x14, 0x00, 0x00 };
475 
476  Packet *p = PacketGetFromAlloc();
477  if (unlikely(p == NULL))
478  return 0;
479  Signature *s = NULL;
481  ThreadVars th_v;
482  DetectEngineThreadCtx *det_ctx = NULL;
483  IPV4Hdr ip4h;
484 
485  memset(&ip4h, 0, sizeof(IPV4Hdr));
486  memset(&dtv, 0, sizeof(DecodeThreadVars));
487  memset(&th_v, 0, sizeof(ThreadVars));
488 
490 
491  p->src.addr_data32[0] = 0x01020304;
492  p->dst.addr_data32[0] = 0x04030201;
493 
494  ip4h.s_ip_src.s_addr = p->src.addr_data32[0];
495  ip4h.s_ip_dst.s_addr = p->dst.addr_data32[0];
496  p->ip4h = &ip4h;
497 
498  DecodeICMPV4(&th_v, &dtv, p, raw_icmpv4, sizeof(raw_icmpv4));
499 
501  if (de_ctx == NULL) {
502  goto end;
503  }
504 
505  de_ctx->flags |= DE_QUIET;
506 
507  s = de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any (icmp_id:0; sid:1;)");
508  if (s == NULL) {
509  goto end;
510  }
511 
513  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
514 
515  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
516  if (PacketAlertCheck(p, 1)) {
517  printf("sid 1 alerted, but should not have: ");
518  goto cleanup;
519  }
520 
521  result = 1;
522 
523 cleanup:
526 
527  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
529 
530  FlowShutdown();
531 end:
532  SCFree(p);
533  return result;
534 }
535 #endif /* UNITTESTS */
536 
538 {
539 #ifdef UNITTESTS
540  UtRegisterTest("DetectIcmpIdParseTest01", DetectIcmpIdParseTest01);
541  UtRegisterTest("DetectIcmpIdParseTest02", DetectIcmpIdParseTest02);
542  UtRegisterTest("DetectIcmpIdParseTest03", DetectIcmpIdParseTest03);
543  UtRegisterTest("DetectIcmpIdParseTest04", DetectIcmpIdParseTest04);
544  UtRegisterTest("DetectIcmpIdParseTest05", DetectIcmpIdParseTest05);
545  UtRegisterTest("DetectIcmpIdMatchTest01", DetectIcmpIdMatchTest01);
546  UtRegisterTest("DetectIcmpIdMatchTest02", DetectIcmpIdMatchTest02);
547 #endif /* UNITTESTS */
548 }
549 
util-byte.h
SigTableElmt_::url
const char * url
Definition: detect.h:1204
detect-engine.h
StringParseUint16
int StringParseUint16(uint16_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:324
SigTableElmt_::desc
const char * desc
Definition: detect.h:1203
DetectIcmpIdData_
Definition: detect-icmp-id.h:27
SigTableElmt_::name
const char * name
Definition: detect.h:1201
PKT_IS_PSEUDOPKT
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1115
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1337
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
SCFree
#define SCFree(a)
Definition: util-mem.h:322
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:335
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2023
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1103
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:761
FlowInitConfig
void FlowInitConfig(char quiet)
initialize the configuration
Definition: flow.c:530
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-icmp-id.c:41
PrefilterPacketHeaderCtx_::sigs_array
SigIntId * sigs_array
Definition: detect-engine-prefilter-common.h:41
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2030
DE_QUIET
#define DE_QUIET
Definition: detect.h:292
ICMPV6_GET_ID
#define ICMPV6_GET_ID(p)
Definition: decode-icmpv6.h:111
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:262
SigTableElmt_::Free
void(* Free)(void *)
Definition: detect.h:1192
PrefilterPacketHeaderCtx_::sigs_cnt
uint32_t sigs_cnt
Definition: detect-engine-prefilter-common.h:40
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:39
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1187
PrefilterPacketHeaderValue::u16
uint16_t u16[8]
Definition: detect-engine-prefilter-common.h:23
util-unittest.h
util-unittest-helper.h
ICMP6_ECHO_REQUEST
#define ICMP6_ECHO_REQUEST
Definition: decode-icmpv6.h:43
SigTableElmt_::SetupPrefilter
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
Definition: detect.h:1190
Signature_::next
struct Signature_ * next
Definition: detect.h:594
PrefilterPacketHeaderCtx_
Definition: detect-engine-prefilter-common.h:33
decode.h
util-debug.h
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:16
ICMP6_ECHO_REPLY
#define ICMP6_ECHO_REPLY
Definition: decode-icmpv6.h:44
DetectEngineThreadCtx_
Definition: detect.h:1004
ICMPV4_GET_TYPE
#define ICMPV4_GET_TYPE(p)
Definition: decode-icmpv4.h:215
DetectIcmpIdFree
void DetectIcmpIdFree(void *)
this function will free memory associated with DetectIcmpIdData
Definition: detect-icmp-id.c:259
res
PoolThreadReserved res
Definition: stream-tcp-private.h:60
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2440
detect-engine-mpm.h
DetectIcmpIdRegister
void DetectIcmpIdRegister(void)
Registration function for icode: icmp_id.
Definition: detect-icmp-id.c:56
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:322
DETECT_ICMP_ID
@ DETECT_ICMP_ID
Definition: detect-engine-register.h:47
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:89
ICMPV4Vars_::id
uint16_t id
Definition: decode-icmpv4.h:186
SC_ERR_INVALID_ARGUMENT
@ SC_ERR_INVALID_ARGUMENT
Definition: util-error.h:43
TRUE
#define TRUE
Definition: suricata-common.h:33
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:321
SCMalloc
#define SCMalloc(a)
Definition: util-mem.h:222
PKT_IS_ICMPV6
#define PKT_IS_ICMPV6(p)
Definition: decode.h:257
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1665
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1947
FALSE
#define FALSE
Definition: suricata-common.h:34
Signature_::flags
uint32_t flags
Definition: detect.h:523
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options, int *ovector, int ovector_size)
Definition: detect-parse.c:2372
Packet_
Definition: decode.h:408
Packet_::ip4h
IPV4Hdr * ip4h
Definition: decode.h:501
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:591
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1171
SignatureInitData_::smlists
struct SigMatch_ ** smlists
Definition: detect.h:516
DetectIcmpIdData_::id
uint16_t id
Definition: detect-icmp-id.h:28
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1876
SigMatch_::type
uint8_t type
Definition: detect.h:319
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:33
PrefilterPacketHeaderCtx_::v1
PrefilterPacketHeaderValue v1
Definition: detect-engine-prefilter-common.h:34
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:313
IPV4Hdr_
Definition: decode-ipv4.h:70
ICMPV4_GET_ID
#define ICMPV4_GET_ID(p)
Definition: decode-icmpv4.h:225
Packet_::icmpv4vars
ICMPV4Vars icmpv4vars
Definition: decode.h:516
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2726
SCNtohs
#define SCNtohs(x)
Definition: suricata-common.h:375
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:2934
FlowShutdown
void FlowShutdown(void)
shutdown the flow engine
Definition: flow.c:685
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectParseRegex_
Definition: detect-parse.h:42
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
DOC_URL
#define DOC_URL
Definition: suricata.h:86
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:767
PrefilterSetupPacketHeader
int PrefilterSetupPacketHeader(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type, void(*Set)(PrefilterPacketHeaderValue *v, void *), bool(*Compare)(PrefilterPacketHeaderValue v, void *), void(*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
Definition: detect-engine-prefilter-common.c:407
PKT_IS_ICMPV4
#define PKT_IS_ICMPV4(p)
Definition: decode.h:256
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:144
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:622
SigTableElmt_::SupportsPrefilter
bool(* SupportsPrefilter)(const Signature *s)
Definition: detect.h:1189
DetectIcmpIdRegisterTests
void DetectIcmpIdRegisterTests(void)
Definition: detect-icmp-id.c:537
detect-parse.h
Signature_
Signature container.
Definition: detect.h:522
SigMatch_
a single match condition for a signature
Definition: detect.h:318
ICMPV6_GET_TYPE
#define ICMPV6_GET_TYPE(p)
Definition: decode-icmpv6.h:102
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:1985
detect-icmp-id.h
Packet_::dst
Address dst
Definition: decode.h:414
FLOW_QUIET
#define FLOW_QUIET
Definition: flow.h:38
PrefilterPacketHeaderValue
Definition: detect-engine-prefilter-common.h:21
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:762
detect-engine-prefilter-common.h
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
Packet_::src
Address src
Definition: decode.h:413
DOC_VERSION
#define DOC_VERSION
Definition: suricata.h:91
debug.h
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1193
DecodeICMPV4
int DecodeICMPV4(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Main ICMPv4 decoding function.
Definition: decode-icmpv4.c:155
SIG_FLAG_REQUIRE_PACKET
#define SIG_FLAG_REQUIRE_PACKET
Definition: detect.h:223
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:393