41 #define PARSE_REGEX "^\\s*(\"\\s*)?([0-9]+)(\\s*\")?\\s*$"
49 static void DetectIcmpIdRegisterTests(
void);
53 static bool PrefilterIcmpIdIsPrefilterable(
const Signature *s);
75 static inline bool GetIcmpId(
Packet *p, uint16_t *
id)
86 case ICMP_TIMESTAMPREPLY:
87 case ICMP_INFO_REQUEST:
90 case ICMP_ADDRESSREPLY:
91 SCLogDebug(
"ICMPV4_GET_ID(p) %"PRIu16
" (network byte order), "
105 SCLogDebug(
"ICMPV6_GET_ID(p) %"PRIu16
" (network byte order), "
140 if (!GetIcmpId(p, &pid))
162 char *substr[3] = {NULL, NULL, NULL};
163 int ret = 0,
res = 0;
167 if (ret < 1 || ret > 4) {
174 for (i = 1; i < ret; i++) {
180 substr[i-1] = (
char *)str_ptr;
188 if (substr[0]!= NULL && strlen(substr[0]) != 0) {
189 if (substr[2] == NULL) {
194 if (substr[2] != NULL) {
208 for (i = 0; i < 3; i++) {
209 if (substr[i] != NULL)
210 pcre2_substring_free((PCRE2_UCHAR8 *)substr[i]);
215 for (i = 0; i < 3; i++) {
216 if (substr[i] != NULL)
217 pcre2_substring_free((PCRE2_UCHAR8 *)substr[i]);
239 iid = DetectIcmpIdParse(
de_ctx, icmpidstr);
240 if (iid == NULL)
goto error;
243 if (sm == NULL)
goto error;
255 if (sm != NULL)
SCFree(sm);
279 if (!GetIcmpId(p, &pid))
282 if (pid == ctx->
v1.
u16[0])
300 if (v.
u16[0] == a->
id)
308 PrefilterPacketIcmpIdSet,
309 PrefilterPacketIcmpIdCompare,
310 PrefilterPacketIcmpIdMatch);
313 static bool PrefilterIcmpIdIsPrefilterable(
const Signature *s)
332 static int DetectIcmpIdParseTest01 (
void)
335 iid = DetectIcmpIdParse(NULL,
"300");
336 if (iid != NULL && iid->
id == htons(300)) {
347 static int DetectIcmpIdParseTest02 (
void)
350 iid = DetectIcmpIdParse(NULL,
" 300 ");
351 if (iid != NULL && iid->
id == htons(300)) {
362 static int DetectIcmpIdParseTest03 (
void)
365 iid = DetectIcmpIdParse(NULL,
"\"300\"");
366 if (iid != NULL && iid->
id == htons(300)) {
377 static int DetectIcmpIdParseTest04 (
void)
380 iid = DetectIcmpIdParse(NULL,
" \" 300 \"");
381 if (iid != NULL && iid->
id == htons(300)) {
392 static int DetectIcmpIdParseTest05 (
void)
395 iid = DetectIcmpIdParse(NULL,
"\"300");
408 static int DetectIcmpIdMatchTest01 (
void)
433 s = s->
next =
SigInit(
de_ctx,
"alert icmp any any -> any any (icmp_id:21782; sid:2;)");
443 printf(
"sid 1 did not alert, but should have: ");
446 printf(
"sid 2 alerted, but should not have: ");
471 static int DetectIcmpIdMatchTest02 (
void)
475 uint8_t raw_icmpv4[] = {
476 0x0b, 0x00, 0x8a, 0xdf, 0x00, 0x00, 0x00, 0x00,
477 0x45, 0x00, 0x00, 0x14, 0x25, 0x0c, 0x00, 0x00,
478 0xff, 0x11, 0x00, 0x00, 0x85, 0x64, 0xea, 0x5b,
479 0x51, 0xa6, 0xbb, 0x35, 0x59, 0x8a, 0x5a, 0xe2,
480 0x00, 0x14, 0x00, 0x00 };
491 memset(&ip4h, 0,
sizeof(
IPV4Hdr));
497 p->
src.addr_data32[0] = 0x01020304;
498 p->
dst.addr_data32[0] = 0x04030201;
500 ip4h.s_ip_src.s_addr = p->
src.addr_data32[0];
501 ip4h.s_ip_dst.s_addr = p->
dst.addr_data32[0];
523 printf(
"sid 1 alerted, but should not have: ");
542 static void DetectIcmpIdRegisterTests (
void)
544 UtRegisterTest(
"DetectIcmpIdParseTest01", DetectIcmpIdParseTest01);
545 UtRegisterTest(
"DetectIcmpIdParseTest02", DetectIcmpIdParseTest02);
546 UtRegisterTest(
"DetectIcmpIdParseTest03", DetectIcmpIdParseTest03);
547 UtRegisterTest(
"DetectIcmpIdParseTest04", DetectIcmpIdParseTest04);
548 UtRegisterTest(
"DetectIcmpIdParseTest05", DetectIcmpIdParseTest05);
549 UtRegisterTest(
"DetectIcmpIdMatchTest01", DetectIcmpIdMatchTest01);
550 UtRegisterTest(
"DetectIcmpIdMatchTest02", DetectIcmpIdMatchTest02);
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options)
void(* Free)(DetectEngineCtx *, void *)
#define PKT_IS_PSEUDOPKT(p)
Returns 1 if the packet is a pseudo packet.
Container for matching data for a signature group.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
int PacketAlertCheck(Packet *p, uint32_t sid)
Check whether a given sid alerted; this is used in the test functions.
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
main detection engine ctx
int StringParseUint16(uint16_t *res, int base, size_t len, const char *str)
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that builds packets with default IP and port fields.
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
@ SC_ERR_PCRE_GET_SUBSTRING
void SigCleanSignatures(DetectEngineCtx *de_ctx)
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
#define ICMP6_ECHO_REQUEST
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
void FlowInitConfig(bool quiet)
initialize the configuration
#define ICMPV4_GET_TYPE(p)
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
void DetectIcmpIdRegister(void)
Registration function for icode: icmp_id.
Per thread variable structure.
int SC_Pcre2SubstringGet(pcre2_match_data *match_data, uint32_t number, PCRE2_UCHAR **bufferptr, PCRE2_SIZE *bufflen)
@ SC_ERR_INVALID_ARGUMENT
int SigGroupCleanup(DetectEngineCtx *de_ctx)
SignatureInitData * init_data
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
struct SigMatch_ ** smlists
SigMatch * SigMatchAlloc(void)
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Used to start a pointer to a SigMatch context. Should never be dereferenced without casting to something...
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
void FlowShutdown(void)
shutdown the flow engine
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
int PrefilterSetupPacketHeader(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type, void(*Set)(PrefilterPacketHeaderValue *v, void *), bool(*Compare)(PrefilterPacketHeaderValue v, void *), void(*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Structure to hold thread specific data for all decode modules.
bool(* SupportsPrefilter)(const Signature *s)
a single match condition for a signature
void DetectIcmpIdFree(DetectEngineCtx *, void *)
this function will free memory associated with DetectIcmpIdData
#define ICMPV6_GET_TYPE(p)
DetectEngineCtx * DetectEngineCtxInit(void)
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
void(* RegisterTests)(void)
int DecodeICMPV4(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Main ICMPv4 decoding function.
#define SIG_FLAG_REQUIRE_PACKET
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.