1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Gerardo Iglesias Galvan <iglesiasg@gmail.com>
22  *
23  * Implements the icmp_id keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "debug.h"
28 #include "decode.h"
29 
30 #include "detect.h"
31 #include "detect-parse.h"
33 
34 #include "detect-icmp-id.h"
35 
36 #include "util-byte.h"
37 #include "util-unittest.h"
38 #include "util-unittest-helper.h"
39 #include "util-debug.h"
40 
/* Option syntax: optional whitespace, an optional double quote, a run of
 * decimal digits, an optional closing double quote, optional whitespace.
 * Capture groups: 1 = opening quote (plus trailing spaces), 2 = digits,
 * 3 = closing quote. The regex does not bound the numeric range; that is
 * left to StringParseUint16() in the parser. Balanced quoting is checked
 * by the parser as well, since either quote is optional here. */
#define PARSE_REGEX "^\\s*(\"\\s*)?([0-9]+)(\\s*\")?\\s*$"

/* compiled form of PARSE_REGEX, filled in once at registration time */
static DetectParseRegex parse_regex;

static int DetectIcmpIdMatch(DetectEngineThreadCtx *, Packet *,
        const Signature *, const SigMatchCtx *);
static int DetectIcmpIdSetup(DetectEngineCtx *, Signature *, const char *);
#ifdef UNITTESTS
static void DetectIcmpIdRegisterTests(void);
#endif
/* not static: also used as the keyword's Free callback and by the unit tests */
void DetectIcmpIdFree(DetectEngineCtx *, void *);
static int PrefilterSetupIcmpId(DetectEngineCtx *de_ctx, SigGroupHead *sgh);
static bool PrefilterIcmpIdIsPrefilterable(const Signature *s);
54 
/**
 * \brief Registration function for the icmp_id keyword
 *
 * Fills the sigmatch_table slot for DETECT_ICMP_ID with the match, setup,
 * prefilter and (when built with UNITTESTS) test-registration callbacks,
 * then compiles PARSE_REGEX into parse_regex for later use by the parser.
 */
{
    /* NOTE(review): the function header, void DetectIcmpIdRegister(void),
     * is not rendered in this listing */
    sigmatch_table[DETECT_ICMP_ID].name = "icmp_id";
    sigmatch_table[DETECT_ICMP_ID].desc = "check for a ICMP ID";
    sigmatch_table[DETECT_ICMP_ID].url = "/rules/header-keywords.html#icmp-id";
    sigmatch_table[DETECT_ICMP_ID].Match = DetectIcmpIdMatch;
    sigmatch_table[DETECT_ICMP_ID].Setup = DetectIcmpIdSetup;
    /* NOTE(review): one line is not rendered here; presumably the .Free
     * callback is assigned to DetectIcmpIdFree — confirm against the repository */
#ifdef UNITTESTS
    sigmatch_table[DETECT_ICMP_ID].RegisterTests = DetectIcmpIdRegisterTests;
#endif
    sigmatch_table[DETECT_ICMP_ID].SupportsPrefilter = PrefilterIcmpIdIsPrefilterable;
    sigmatch_table[DETECT_ICMP_ID].SetupPrefilter = PrefilterSetupIcmpId;

    /* compile the option regex once; the parser reuses parse_regex */
    DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
}
74 
/**
 * \brief Extract the ICMP identifier from a packet, if it has one.
 *
 * Only message types that actually carry an identifier field are accepted:
 * for ICMPv4 the echo, timestamp, information and address-mask pairs, for
 * ICMPv6 echo request/reply. Every other type, non-ICMP packets and pseudo
 * packets yield FALSE and leave *id untouched, so a caller can never match
 * an absent field against a rule value.
 *
 * \param p  packet to inspect
 * \param id receives the identifier on success, in the byte order returned
 *           by ICMPV4_GET_ID()/ICMPV6_GET_ID() (the debug output labels
 *           that as network byte order; the parser stores the rule value
 *           with htons() to match)
 *
 * \retval TRUE  *id was set
 * \retval FALSE the packet has no identifier field
 */
static inline bool GetIcmpId(Packet *p, uint16_t *id)
{
    /* pseudo packets (e.g. flow timeouts) carry no real ICMP header */
    if (PKT_IS_PSEUDOPKT(p))
        return FALSE;

    uint16_t pid;
    if (PKT_IS_ICMPV4(p)) {
        switch (ICMPV4_GET_TYPE(p)){
            case ICMP_ECHOREPLY:
            case ICMP_ECHO:
            case ICMP_TIMESTAMP:
            case ICMP_TIMESTAMPREPLY:
            case ICMP_INFO_REQUEST:
            case ICMP_INFO_REPLY:
            case ICMP_ADDRESS:
            case ICMP_ADDRESSREPLY:
                /* NOTE(review): one line of this debug call (the host-order
                 * argument, cf. the ICMPv6 branch below) is not rendered here */
                SCLogDebug("ICMPV4_GET_ID(p) %"PRIu16" (network byte order), "
                        "%"PRIu16" (host byte order)", ICMPV4_GET_ID(p),

                pid = ICMPV4_GET_ID(p);
                break;
            default:
                SCLogDebug("Packet has no id field");
                return FALSE;
        }
    } else if (PKT_IS_ICMPV6(p)) {
        switch (ICMPV6_GET_TYPE(p)) {
            case ICMP6_ECHO_REQUEST:
            case ICMP6_ECHO_REPLY:
                SCLogDebug("ICMPV6_GET_ID(p) %"PRIu16" (network byte order), "
                        "%"PRIu16" (host byte order)", ICMPV6_GET_ID(p),
                        SCNtohs(ICMPV6_GET_ID(p)));

                pid = ICMPV6_GET_ID(p);
                break;
            default:
                SCLogDebug("Packet has no id field");
                return FALSE;
        }
    } else {
        SCLogDebug("Packet not ICMPV4 nor ICMPV6");
        return FALSE;
    }

    /* only written on success, so the caller's variable stays untouched on FALSE */
    *id = pid;
    return TRUE;
}
123 
/**
 * \brief Match callback for the icmp_id keyword: compare the packet's ICMP
 *        identifier with the value parsed from the rule.
 *
 * Both sides are kept in the byte order of the wire field (the parser
 * stores htons(id)), so no conversion happens here. Packets without an
 * identifier field never match, regardless of the rule value.
 *
 * \param det_ctx detection engine thread context (unused)
 * \param p       packet under inspection
 * \param s       signature being evaluated (unused)
 * \param ctx     SigMatch context, really a DetectIcmpIdData
 *
 * \retval 1 the packet carries an ICMP id equal to the rule value
 * \retval 0 no id field (non-ICMP, pseudo packet, type without id) or mismatch
 */
static int DetectIcmpIdMatch (DetectEngineThreadCtx *det_ctx, Packet *p,
        const Signature *s, const SigMatchCtx *ctx)
{
    const DetectIcmpIdData *data = (const DetectIcmpIdData *)ctx;
    uint16_t packet_id = 0;

    /* no identifier field: nothing to compare against */
    if (!GetIcmpId(p, &packet_id))
        return 0;

    return (packet_id == data->id) ? 1 : 0;
}
149 
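/**
 * \brief Parse the value of the icmp_id keyword.
 *
 * Accepted input is an unsigned decimal number, optionally wrapped in
 * double quotes, with whitespace allowed around both (see PARSE_REGEX).
 * A quote on one side only is rejected, and the numeric range is enforced
 * by StringParseUint16(). The input is rule text, not packet data.
 *
 * Compared with the previous version the cleanup of the pcre substrings
 * lives on a single exit path, and the result object is allocated only
 * after all validation succeeded, so there is nothing to unwind on error.
 *
 * \param de_ctx    detection engine context (unused here)
 * \param icmpidstr rule option value as written by the user
 *
 * \retval iid  newly allocated DetectIcmpIdData; its id is stored with
 *              htons() so it compares directly with the packet field as
 *              returned by GetIcmpId(). The caller owns it and releases
 *              it with DetectIcmpIdFree().
 * \retval NULL on regex mismatch, unbalanced quotes, out-of-range number,
 *              substring extraction failure or allocation failure
 */
static DetectIcmpIdData *DetectIcmpIdParse (DetectEngineCtx *de_ctx, const char *icmpidstr)
{
    DetectIcmpIdData *iid = NULL;
    /* capture groups: [0] opening quote, [1] digits, [2] closing quote;
     * a slot stays NULL when its group did not participate in the match */
    char *substr[3] = {NULL, NULL, NULL};
    int ov[MAX_SUBSTRINGS];
    uint16_t id = 0;
    int i;

    int ret = DetectParsePcreExec(&parse_regex, icmpidstr, 0, 0, ov, MAX_SUBSTRINGS);
    /* whole match plus up to three groups: 1..4 entries */
    if (ret < 1 || ret > 4) {
        SCLogError(SC_ERR_PCRE_MATCH, "Parse error %s", icmpidstr);
        goto cleanup;
    }

    for (i = 1; i < ret; i++) {
        const char *str_ptr = NULL;
        int res = pcre_get_substring(icmpidstr, ov, MAX_SUBSTRINGS, i, &str_ptr);
        if (res < 0) {
            SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
            goto cleanup;
        }
        /* pcre hands out a malloc'ed copy; we own it until cleanup */
        substr[i-1] = (char *)str_ptr;
    }

    /* quotes must be balanced: either both present or neither. Group 1 may
     * be present but empty when only the closing quote matched. */
    if (substr[0] != NULL && strlen(substr[0]) != 0) {
        if (substr[2] == NULL) {
            SCLogError(SC_ERR_INVALID_ARGUMENT, "Missing close quote in input");
            goto cleanup;
        }
    } else if (substr[2] != NULL) {
        SCLogError(SC_ERR_INVALID_ARGUMENT, "Missing open quote in input");
        goto cleanup;
    }

    /* the regex only admits digits; this enforces the 16-bit range */
    if (StringParseUint16(&id, 10, 0, substr[1]) < 0) {
        SCLogError(SC_ERR_INVALID_ARGUMENT, "specified icmp id %s is not "
                "valid", substr[1]);
        goto cleanup;
    }

    /* allocate last: every earlier failure leaves iid NULL, which is the
     * error return, so no partially built object ever needs freeing */
    iid = SCMalloc(sizeof(*iid));
    if (unlikely(iid == NULL))
        goto cleanup;
    /* the packet side is compared in wire byte order, store the rule value the same way */
    iid->id = htons(id);

cleanup:
    /* reached on success (iid set) and on every error path (iid NULL) */
    for (i = 0; i < 3; i++) {
        if (substr[i] != NULL)
            SCFree(substr[i]);
    }
    return iid;
}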
221 
/**
 * \brief Setup callback for icmp_id: parse the option and attach the result
 *        to the signature as a DETECT_ICMP_ID SigMatch.
 *
 * \param de_ctx    pointer to the Detection Engine Context
 * \param s         signature the keyword belongs to
 * \param icmpidstr user provided icmp_id option text
 *
 * \retval 0  on success; ownership of the parsed data moves to the SigMatch
 * \retval -1 on parse failure or allocation failure; nothing is left attached
 */
static int DetectIcmpIdSetup (DetectEngineCtx *de_ctx, Signature *s, const char *icmpidstr)
{
    DetectIcmpIdData *iid = NULL;
    SigMatch *sm = NULL;

    iid = DetectIcmpIdParse(de_ctx, icmpidstr);
    if (iid == NULL) goto error;

    sm = SigMatchAlloc();
    if (sm == NULL) goto error;

    sm->type = DETECT_ICMP_ID;
    sm->ctx = (SigMatchCtx *)iid;

    /* NOTE(review): two lines are not rendered here; presumably the SigMatch
     * is appended to the signature's DETECT_SM_LIST_MATCH list and
     * SIG_FLAG_REQUIRE_PACKET is set on s — confirm against the repository */

    return 0;

error:
    /* on failure neither object has been handed to the signature, free both */
    if (iid != NULL) DetectIcmpIdFree(de_ctx, iid);
    if (sm != NULL) SCFree(sm);
    return -1;

}
257 
/**
 * \brief Release a DetectIcmpIdData allocated by DetectIcmpIdParse().
 *
 * Exported (non-static) and typed as void * so it fits the keyword Free
 * callback signature. The unit tests also call it with ptr == NULL and
 * rely on SCFree tolerating that.
 *
 * \param de_ctx detection engine context (unused)
 * \param ptr    pointer to DetectIcmpIdData
 */
{
    /* NOTE(review): the function header, void DetectIcmpIdFree(DetectEngineCtx *, void *)
     * as declared at the top of the file, is not rendered in this listing */
    DetectIcmpIdData *iid = (DetectIcmpIdData *)ptr;
    SCFree(iid);
}
268 
269 /* prefilter code */
270 
/**
 * \brief Prefilter engine callback: queue the SIDs bound to this header
 *        value when the packet's ICMP id equals the stored value.
 *
 * \param det_ctx thread context whose pmq receives the candidate SIDs
 * \param p       packet under inspection
 * \param pectx   PrefilterPacketHeaderCtx with the rule id in v1.u16[0]
 */
static void
PrefilterPacketIcmpIdMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)
{
    const PrefilterPacketHeaderCtx *hctx = pectx;
    uint16_t packet_id = 0;

    /* packets without an identifier field are skipped outright */
    if (!GetIcmpId(p, &packet_id))
        return;
    if (packet_id != hctx->v1.u16[0])
        return;

    SCLogDebug("packet matches ICMP ID %u", hctx->v1.u16[0]);
    PrefilterAddSids(&det_ctx->pmq, hctx->sigs_array, hctx->sigs_cnt);
}
286 
/**
 * \brief Copy a signature's icmp_id value into the shared prefilter
 *        header value (slot u16[0]).
 *
 * \param v     header value to fill
 * \param smctx the signature's DetectIcmpIdData
 */
static void
PrefilterPacketIcmpIdSet(PrefilterPacketHeaderValue *v, void *smctx)
{
    v->u16[0] = ((const DetectIcmpIdData *)smctx)->id;
}
293 
/**
 * \brief Tell the prefilter engine whether a signature's icmp_id value
 *        equals an already stored header value, so equal rules share one
 *        prefilter context.
 *
 * \param v     stored header value (id in u16[0])
 * \param smctx the signature's DetectIcmpIdData
 *
 * \retval TRUE  the values are equal
 * \retval FALSE they differ
 */
static bool
PrefilterPacketIcmpIdCompare(PrefilterPacketHeaderValue v, void *smctx)
{
    const DetectIcmpIdData *data = smctx;
    return (data->id == v.u16[0]);
}
302 
/**
 * \brief Install the packet-header prefilter for icmp_id on a signature
 *        group, wiring the Set/Compare/Match helpers above.
 *
 * \param de_ctx detection engine context
 * \param sgh    signature group head the prefilter is built for
 *
 * \return the result of the generic PrefilterSetupPacketHeader() call
 */
static int PrefilterSetupIcmpId(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
{
    /* NOTE(review): the first line of the body is not rendered here;
     * presumably `return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_ICMP_ID,`
     * — confirm against the repository */
            PrefilterPacketIcmpIdSet,
            PrefilterPacketIcmpIdCompare,
            PrefilterPacketIcmpIdMatch);
}
310 
/**
 * \brief Report whether a signature carries an icmp_id match and can
 *        therefore be served by the packet-header prefilter.
 *
 * \param s signature whose DETECT_SM_LIST_MATCH list is scanned
 *
 * \retval TRUE  an icmp_id SigMatch is present
 * \retval FALSE none found
 */
static bool PrefilterIcmpIdIsPrefilterable(const Signature *s)
{
    const SigMatch *cur = s->init_data->smlists[DETECT_SM_LIST_MATCH];

    while (cur != NULL) {
        if (cur->type == DETECT_ICMP_ID)
            return TRUE;
        cur = cur->next;
    }
    return FALSE;
}
322 
323 #ifdef UNITTESTS
324 #include "detect-engine.h"
325 #include "detect-engine-mpm.h"
326 
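/**
 * \test DetectIcmpIdParseTest01 is a test for setting a valid icmp_id value
 *
 * The parsed data is released on both outcomes so a failing check does
 * not leak the allocation.
 *
 * \retval 1 "300" parses and is stored as htons(300)
 * \retval 0 otherwise
 */
static int DetectIcmpIdParseTest01 (void)
{
    int result = 0;
    DetectIcmpIdData *iid = DetectIcmpIdParse(NULL, "300");
    if (iid == NULL)
        return 0;
    /* the parser stores the id in wire byte order */
    if (iid->id == htons(300))
        result = 1;
    DetectIcmpIdFree(NULL, iid);
    return result;
}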
340 
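/**
 * \test DetectIcmpIdParseTest02 is a test for setting a valid icmp_id value
 * with spaces all around
 *
 * The parsed data is released on both outcomes so a failing check does
 * not leak the allocation.
 *
 * \retval 1 " 300 " parses and is stored as htons(300)
 * \retval 0 otherwise
 */
static int DetectIcmpIdParseTest02 (void)
{
    int result = 0;
    DetectIcmpIdData *iid = DetectIcmpIdParse(NULL, " 300 ");
    if (iid == NULL)
        return 0;
    /* surrounding whitespace must not change the parsed value */
    if (iid->id == htons(300))
        result = 1;
    DetectIcmpIdFree(NULL, iid);
    return result;
}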
355 
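/**
 * \test DetectIcmpIdParseTest03 is a test for setting a valid icmp_id value
 * with quotation marks
 *
 * The parsed data is released on both outcomes so a failing check does
 * not leak the allocation.
 *
 * \retval 1 "\"300\"" parses and is stored as htons(300)
 * \retval 0 otherwise
 */
static int DetectIcmpIdParseTest03 (void)
{
    int result = 0;
    DetectIcmpIdData *iid = DetectIcmpIdParse(NULL, "\"300\"");
    if (iid == NULL)
        return 0;
    /* balanced quotes are stripped by the regex groups, value unchanged */
    if (iid->id == htons(300))
        result = 1;
    DetectIcmpIdFree(NULL, iid);
    return result;
}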
370 
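/**
 * \test DetectIcmpIdParseTest04 is a test for setting a valid icmp_id value
 * with quotation marks and spaces all around
 *
 * The parsed data is released on both outcomes so a failing check does
 * not leak the allocation.
 *
 * \retval 1 " \" 300 \"" parses and is stored as htons(300)
 * \retval 0 otherwise
 */
static int DetectIcmpIdParseTest04 (void)
{
    int result = 0;
    DetectIcmpIdData *iid = DetectIcmpIdParse(NULL, " \" 300 \"");
    if (iid == NULL)
        return 0;
    /* whitespace both outside and inside the quotes is tolerated */
    if (iid->id == htons(300))
        result = 1;
    DetectIcmpIdFree(NULL, iid);
    return result;
}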
385 
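/**
 * \test DetectIcmpIdParseTest05 is a test for setting an invalid icmp_id
 * value with missing quotation marks
 *
 * The previous version called DetectIcmpIdFree() on the NULL result; that
 * no-op is dropped, and an unexpected non-NULL result is now freed instead.
 *
 * \retval 1 "\"300" (opening quote only) is rejected
 * \retval 0 the parser accepted the unbalanced input
 */
static int DetectIcmpIdParseTest05 (void)
{
    DetectIcmpIdData *iid = DetectIcmpIdParse(NULL, "\"300");
    if (iid != NULL) {
        /* unexpected success: release it so the failing test does not leak */
        DetectIcmpIdFree(NULL, iid);
        return 0;
    }
    return 1;
}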
400 
/**
 * \test DetectIcmpIdMatchTest01 is a test for checking the working of
 * icmp_id keyword by creating 2 rules and matching a crafted packet
 * against them. Only the first one shall trigger.
 *
 * The packet id is set with htons(21781); sid 1 asks for 21781 and must
 * alert, sid 2 asks for 21782 and must not.
 *
 * \retval 1 exactly sid 1 alerted
 * \retval 0 setup failed or the alerts were wrong
 */
static int DetectIcmpIdMatchTest01 (void)
{
    int result = 0;
    Packet *p = NULL;
    Signature *s = NULL;
    ThreadVars th_v;
    DetectEngineThreadCtx *det_ctx = NULL;

    memset(&th_v, 0, sizeof(ThreadVars));

    /* NOTE(review): p is dereferenced below without a NULL check */
    p = UTHBuildPacket(NULL, 0, IPPROTO_ICMP);
    p->icmpv4vars.id = htons(21781);

    /* NOTE(review): the line creating de_ctx is not rendered here;
     * presumably DetectEngineCtxInit() — confirm against the repository.
     * The `goto end` paths below skip UTHFreePackets() and so leak p. */
    if (de_ctx == NULL) {
        goto end;
    }

    de_ctx->flags |= DE_QUIET;

    s = de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any (icmp_id:21781; sid:1;)");
    if (s == NULL) {
        goto end;
    }

    s = s->next = SigInit(de_ctx, "alert icmp any any -> any any (icmp_id:21782; sid:2;)");
    if (s == NULL) {
        goto end;
    }

    /* NOTE(review): one line is not rendered here; presumably SigGroupBuild(de_ctx) */
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    if (PacketAlertCheck(p, 1) == 0) {
        printf("sid 1 did not alert, but should have: ");
        goto cleanup;
    } else if (PacketAlertCheck(p, 2)) {
        printf("sid 2 alerted, but should not have: ");
        goto cleanup;
    }

    result = 1;

cleanup:
    /* NOTE(review): the signature group / signature list cleanup lines are
     * not rendered here — confirm against the repository */

    DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    /* NOTE(review): the de_ctx free line is not rendered here */

    UTHFreePackets(&p, 1);
end:
    return result;

}
462 
/**
 * \test DetectIcmpIdMatchTest02 is a test for checking the working of
 * icmp_id keyword by creating 1 rule and matching a crafted packet
 * against them. The packet is an ICMP packet with no "id" field,
 * therefore the rule should not trigger.
 *
 * The rule asks for icmp_id:0 on purpose: if the match ever compared a
 * zeroed id of a message type that has no identifier, it would wrongly
 * alert here. GetIcmpId() rejecting such types is what this test pins.
 *
 * \retval 1 sid 1 did not alert
 * \retval 0 allocation failed, setup failed or sid 1 alerted
 */
static int DetectIcmpIdMatchTest02 (void)
{
    int result = 0;

    /* first byte 0x0b is the ICMP type (11, time exceeded); that type is
     * not in GetIcmpId()'s list, so the decoder-level id stays unset */
    uint8_t raw_icmpv4[] = {
        0x0b, 0x00, 0x8a, 0xdf, 0x00, 0x00, 0x00, 0x00,
        0x45, 0x00, 0x00, 0x14, 0x25, 0x0c, 0x00, 0x00,
        0xff, 0x11, 0x00, 0x00, 0x85, 0x64, 0xea, 0x5b,
        0x51, 0xa6, 0xbb, 0x35, 0x59, 0x8a, 0x5a, 0xe2,
        0x00, 0x14, 0x00, 0x00 };

    Packet *p = PacketGetFromAlloc();
    if (unlikely(p == NULL))
        return 0;
    Signature *s = NULL;
    /* NOTE(review): the declaration of dtv (DecodeThreadVars) is not rendered here */
    ThreadVars th_v;
    DetectEngineThreadCtx *det_ctx = NULL;
    IPV4Hdr ip4h;

    memset(&ip4h, 0, sizeof(IPV4Hdr));
    memset(&dtv, 0, sizeof(DecodeThreadVars));
    memset(&th_v, 0, sizeof(ThreadVars));

    /* NOTE(review): one line is not rendered here; presumably the flow engine
     * init that pairs with FlowShutdown() below — confirm against the repository */

    p->src.addr_data32[0] = 0x01020304;
    p->dst.addr_data32[0] = 0x04030201;

    /* the decoder needs an IPv4 header to hang the ICMP data off; a stack
     * copy is enough for this test and p is freed before it goes out of scope */
    ip4h.s_ip_src.s_addr = p->src.addr_data32[0];
    ip4h.s_ip_dst.s_addr = p->dst.addr_data32[0];
    p->ip4h = &ip4h;

    DecodeICMPV4(&th_v, &dtv, p, raw_icmpv4, sizeof(raw_icmpv4));

    /* NOTE(review): the line creating de_ctx is not rendered here;
     * presumably DetectEngineCtxInit() — confirm against the repository */
    if (de_ctx == NULL) {
        goto end;
    }

    de_ctx->flags |= DE_QUIET;

    s = de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any (icmp_id:0; sid:1;)");
    if (s == NULL) {
        goto end;
    }

    /* NOTE(review): one line is not rendered here; presumably SigGroupBuild(de_ctx) */
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    if (PacketAlertCheck(p, 1)) {
        printf("sid 1 alerted, but should not have: ");
        goto cleanup;
    }

    result = 1;

cleanup:
    /* NOTE(review): the signature group / signature list cleanup lines are
     * not rendered here — confirm against the repository */

    DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    /* NOTE(review): the de_ctx free line is not rendered here */

    FlowShutdown();
end:
    SCFree(p);
    return result;
}
539 
/**
 * \brief Register this file's unit tests with the unittest runner, in the
 *        order they are defined above.
 */
static void DetectIcmpIdRegisterTests (void)
{
    static const struct {
        const char *name;
        int (*fn)(void);
    } tests[] = {
        { "DetectIcmpIdParseTest01", DetectIcmpIdParseTest01 },
        { "DetectIcmpIdParseTest02", DetectIcmpIdParseTest02 },
        { "DetectIcmpIdParseTest03", DetectIcmpIdParseTest03 },
        { "DetectIcmpIdParseTest04", DetectIcmpIdParseTest04 },
        { "DetectIcmpIdParseTest05", DetectIcmpIdParseTest05 },
        { "DetectIcmpIdMatchTest01", DetectIcmpIdMatchTest01 },
        { "DetectIcmpIdMatchTest02", DetectIcmpIdMatchTest02 },
    };

    for (size_t i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
        UtRegisterTest(tests[i].name, tests[i].fn);
    }
}
550 #endif /* UNITTESTS */