Go to the documentation of this file.
42 #define PARSE_REGEX "^\\s*(\"\\s*)?([0-9]+)(\\s*\")?\\s*$"
50 static void DetectIcmpIdRegisterTests(
void);
54 static bool PrefilterIcmpIdIsPrefilterable(
const Signature *s);
76 static inline bool GetIcmpId(
Packet *p, uint16_t *
id)
92 SCLogDebug(
"ICMPV4_GET_ID(p) %"PRIu16
" (network byte order), "
106 SCLogDebug(
"ICMPV6_GET_ID(p) %"PRIu16
" (network byte order), "
141 if (!GetIcmpId(p, &pid))
163 char *substr[3] = {NULL, NULL, NULL};
167 pcre2_match_data *match = NULL;
169 if (ret < 1 || ret > 4) {
176 for (i = 1; i < ret; i++) {
179 SCLogError(
"pcre2_substring_get_bynumber failed");
182 substr[i-1] = (
char *)str_ptr;
190 if (substr[0]!= NULL && strlen(substr[0]) != 0) {
191 if (substr[2] == NULL) {
196 if (substr[2] != NULL) {
211 for (i = 0; i < 3; i++) {
212 if (substr[i] != NULL)
213 pcre2_substring_free((PCRE2_UCHAR8 *)substr[i]);
215 pcre2_match_data_free(match);
220 pcre2_match_data_free(match);
222 for (i = 0; i < 3; i++) {
223 if (substr[i] != NULL)
224 pcre2_substring_free((PCRE2_UCHAR8 *)substr[i]);
245 iid = DetectIcmpIdParse(
de_ctx, icmpidstr);
246 if (iid == NULL)
goto error;
282 if (!GetIcmpId(p, &pid))
285 if (pid == ctx->
v1.
u16[0])
303 if (v.
u16[0] == a->
id)
311 PrefilterPacketIcmpIdSet,
312 PrefilterPacketIcmpIdCompare,
313 PrefilterPacketIcmpIdMatch);
316 static bool PrefilterIcmpIdIsPrefilterable(
const Signature *s)
335 static int DetectIcmpIdParseTest01 (
void)
348 static int DetectIcmpIdParseTest02 (
void)
361 static int DetectIcmpIdParseTest03 (
void)
374 static int DetectIcmpIdParseTest04 (
void)
387 static int DetectIcmpIdParseTest05 (
void)
399 static int DetectIcmpIdMatchTest01 (
void)
424 s = s->
next =
SigInit(
de_ctx,
"alert icmp any any -> any any (icmp_id:21782; sid:2;)");
434 printf(
"sid 1 did not alert, but should have: ");
437 printf(
"sid 2 alerted, but should not have: ");
462 static int DetectIcmpIdMatchTest02 (
void)
466 uint8_t raw_icmpv4[] = {
467 0x0b, 0x00, 0x8a, 0xdf, 0x00, 0x00, 0x00, 0x00,
468 0x45, 0x00, 0x00, 0x14, 0x25, 0x0c, 0x00, 0x00,
469 0xff, 0x11, 0x00, 0x00, 0x85, 0x64, 0xea, 0x5b,
470 0x51, 0xa6, 0xbb, 0x35, 0x59, 0x8a, 0x5a, 0xe2,
471 0x00, 0x14, 0x00, 0x00 };
482 memset(&ip4h, 0,
sizeof(
IPV4Hdr));
488 p->
src.addr_data32[0] = 0x01020304;
489 p->
dst.addr_data32[0] = 0x04030201;
491 ip4h.s_ip_src.s_addr = p->
src.addr_data32[0];
492 ip4h.s_ip_dst.s_addr = p->
dst.addr_data32[0];
514 printf(
"sid 1 alerted, but should not have: ");
533 static void DetectIcmpIdRegisterTests (
void)
535 UtRegisterTest(
"DetectIcmpIdParseTest01", DetectIcmpIdParseTest01);
536 UtRegisterTest(
"DetectIcmpIdParseTest02", DetectIcmpIdParseTest02);
537 UtRegisterTest(
"DetectIcmpIdParseTest03", DetectIcmpIdParseTest03);
538 UtRegisterTest(
"DetectIcmpIdParseTest04", DetectIcmpIdParseTest04);
539 UtRegisterTest(
"DetectIcmpIdParseTest05", DetectIcmpIdParseTest05);
540 UtRegisterTest(
"DetectIcmpIdMatchTest01", DetectIcmpIdMatchTest01);
541 UtRegisterTest(
"DetectIcmpIdMatchTest02", DetectIcmpIdMatchTest02);
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
#define ICMP_INFO_REQUEST
void(* Free)(DetectEngineCtx *, void *)
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Container for matching data for a signature group.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
main detection engine ctx
int StringParseUint16(uint16_t *res, int base, size_t len, const char *str)
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
void SigCleanSignatures(DetectEngineCtx *de_ctx)
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
#define ICMP6_ECHO_REQUEST
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
#define ICMP_ADDRESSREPLY
void FlowInitConfig(bool quiet)
initialize the configuration
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
#define PASS
Pass the test.
#define ICMPV4_GET_TYPE(p)
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
void DetectIcmpIdRegister(void)
Registration function for icode: icmp_id.
Per thread variable structure.
int SC_Pcre2SubstringGet(pcre2_match_data *match_data, uint32_t number, PCRE2_UCHAR **bufferptr, PCRE2_SIZE *bufflen)
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
int SigGroupCleanup(DetectEngineCtx *de_ctx)
SignatureInitData * init_data
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
void FlowShutdown(void)
shutdown the flow engine
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
int PrefilterSetupPacketHeader(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type, void(*Set)(PrefilterPacketHeaderValue *v, void *), bool(*Compare)(PrefilterPacketHeaderValue v, void *), void(*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
#define SCLogError(...)
Macro used to log ERROR messages.
Structure to hold thread specific data for all decode modules.
bool(* SupportsPrefilter)(const Signature *s)
a single match condition for a signature
void DetectIcmpIdFree(DetectEngineCtx *, void *)
this function will free memory associated with DetectIcmpIdData
#define ICMPV6_GET_TYPE(p)
#define ICMP_TIMESTAMPREPLY
DetectEngineCtx * DetectEngineCtxInit(void)
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
void(* RegisterTests)(void)
int DecodeICMPV4(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Main ICMPv4 decoding function.
#define SIG_FLAG_REQUIRE_PACKET
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.