/*
 * Pattern for the icmp_id keyword argument: optional surrounding whitespace,
 * an optional opening double quote (capture group 1), a run of decimal digits
 * (capture group 2) and an optional closing double quote (capture group 3).
 *
 * NOTE(review): the pattern does not pair the quotes (either one may appear
 * alone) and places no upper bound on the digit run, so the code that uses the
 * captures must reject a lone quote and range-check the number itself; the
 * substr[0]/substr[2] pairing checks and the numeric conversion live in the
 * parse function, not here — confirm against that code.
 */
#define PARSE_REGEX "^\\s*(\"\\s*)?([0-9]+)(\\s*\")?\\s*$"
50 static void DetectIcmpIdRegisterTests(
void);
54 static bool PrefilterIcmpIdIsPrefilterable(
const Signature *s);
76 static inline bool GetIcmpId(
Packet *p, uint16_t *
id)
92 SCLogDebug(
"ICMPV4_GET_ID(p) %"PRIu16
" (network byte order), "
106 SCLogDebug(
"ICMPV6_GET_ID(p) %"PRIu16
" (network byte order), "
141 if (!GetIcmpId(p, &pid))
163 char *substr[3] = {NULL, NULL, NULL};
167 pcre2_match_data *match = NULL;
169 if (ret < 1 || ret > 4) {
176 for (i = 1; i < ret; i++) {
179 SCLogError(
"pcre2_substring_get_bynumber failed");
182 substr[i-1] = (
char *)str_ptr;
190 if (substr[0]!= NULL && strlen(substr[0]) != 0) {
191 if (substr[2] == NULL) {
196 if (substr[2] != NULL) {
211 for (i = 0; i < 3; i++) {
212 if (substr[i] != NULL)
213 pcre2_substring_free((PCRE2_UCHAR8 *)substr[i]);
215 pcre2_match_data_free(match);
220 pcre2_match_data_free(match);
222 for (i = 0; i < 3; i++) {
223 if (substr[i] != NULL)
224 pcre2_substring_free((PCRE2_UCHAR8 *)substr[i]);
246 iid = DetectIcmpIdParse(
de_ctx, icmpidstr);
247 if (iid == NULL)
goto error;
250 if (sm == NULL)
goto error;
262 if (sm != NULL)
SCFree(sm);
286 if (!GetIcmpId(p, &pid))
289 if (pid == ctx->
v1.
u16[0])
307 if (v.
u16[0] == a->
id)
315 PrefilterPacketIcmpIdSet,
316 PrefilterPacketIcmpIdCompare,
317 PrefilterPacketIcmpIdMatch);
320 static bool PrefilterIcmpIdIsPrefilterable(
const Signature *s)
339 static int DetectIcmpIdParseTest01 (
void)
352 static int DetectIcmpIdParseTest02 (
void)
365 static int DetectIcmpIdParseTest03 (
void)
378 static int DetectIcmpIdParseTest04 (
void)
391 static int DetectIcmpIdParseTest05 (
void)
403 static int DetectIcmpIdMatchTest01 (
void)
428 s = s->
next =
SigInit(
de_ctx,
"alert icmp any any -> any any (icmp_id:21782; sid:2;)");
438 printf(
"sid 1 did not alert, but should have: ");
441 printf(
"sid 2 alerted, but should not have: ");
466 static int DetectIcmpIdMatchTest02 (
void)
470 uint8_t raw_icmpv4[] = {
471 0x0b, 0x00, 0x8a, 0xdf, 0x00, 0x00, 0x00, 0x00,
472 0x45, 0x00, 0x00, 0x14, 0x25, 0x0c, 0x00, 0x00,
473 0xff, 0x11, 0x00, 0x00, 0x85, 0x64, 0xea, 0x5b,
474 0x51, 0xa6, 0xbb, 0x35, 0x59, 0x8a, 0x5a, 0xe2,
475 0x00, 0x14, 0x00, 0x00 };
486 memset(&ip4h, 0,
sizeof(
IPV4Hdr));
492 p->
src.addr_data32[0] = 0x01020304;
493 p->
dst.addr_data32[0] = 0x04030201;
495 ip4h.s_ip_src.s_addr = p->
src.addr_data32[0];
496 ip4h.s_ip_dst.s_addr = p->
dst.addr_data32[0];
518 printf(
"sid 1 alerted, but should not have: ");
537 static void DetectIcmpIdRegisterTests (
void)
539 UtRegisterTest(
"DetectIcmpIdParseTest01", DetectIcmpIdParseTest01);
540 UtRegisterTest(
"DetectIcmpIdParseTest02", DetectIcmpIdParseTest02);
541 UtRegisterTest(
"DetectIcmpIdParseTest03", DetectIcmpIdParseTest03);
542 UtRegisterTest(
"DetectIcmpIdParseTest04", DetectIcmpIdParseTest04);
543 UtRegisterTest(
"DetectIcmpIdParseTest05", DetectIcmpIdParseTest05);
544 UtRegisterTest(
"DetectIcmpIdMatchTest01", DetectIcmpIdMatchTest01);
545 UtRegisterTest(
"DetectIcmpIdMatchTest02", DetectIcmpIdMatchTest02);
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
void SigMatchAppendSMToList(Signature *s, SigMatch *new, const int list)
Append a SigMatch to the list type.
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
#define ICMP_INFO_REQUEST
void(* Free)(DetectEngineCtx *, void *)
#define PKT_IS_PSEUDOPKT(p)
Return 1 if the packet is a pseudo packet.
Container for matching data for a signature group.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
int PacketAlertCheck(Packet *p, uint32_t sid)
Check whether a certain sid alerted; this is used in the test functions.
main detection engine ctx
int StringParseUint16(uint16_t *res, int base, size_t len, const char *str)
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx.
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that builds packets with default IP and port fields.
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
void SigCleanSignatures(DetectEngineCtx *de_ctx)
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
#define ICMP6_ECHO_REQUEST
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
#define ICMP_ADDRESSREPLY
void FlowInitConfig(bool quiet)
initialize the configuration
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
#define PASS
Pass the test.
#define ICMPV4_GET_TYPE(p)
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
void DetectIcmpIdRegister(void)
Registration function for icode: icmp_id.
Per thread variable structure.
int SC_Pcre2SubstringGet(pcre2_match_data *match_data, uint32_t number, PCRE2_UCHAR **bufferptr, PCRE2_SIZE *bufflen)
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
int SigGroupCleanup(DetectEngineCtx *de_ctx)
SignatureInitData * init_data
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
SigMatch * SigMatchAlloc(void)
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Used to start a pointer to a SigMatch context. Should never be dereferenced without casting to something...
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
void FlowShutdown(void)
shutdown the flow engine
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
int PrefilterSetupPacketHeader(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type, void(*Set)(PrefilterPacketHeaderValue *v, void *), bool(*Compare)(PrefilterPacketHeaderValue v, void *), void(*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
#define SCLogError(...)
Macro used to log ERROR messages.
Structure to hold thread specific data for all decode modules.
bool(* SupportsPrefilter)(const Signature *s)
a single match condition for a signature
void DetectIcmpIdFree(DetectEngineCtx *, void *)
this function will free memory associated with DetectIcmpIdData
#define ICMPV6_GET_TYPE(p)
#define ICMP_TIMESTAMPREPLY
DetectEngineCtx * DetectEngineCtxInit(void)
void(* RegisterTests)(void)
int DecodeICMPV4(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Main ICMPv4 decoding function.
#define SIG_FLAG_REQUIRE_PACKET
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.