detect-icmp-id.c
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Gerardo Iglesias Galvan <iglesiasg@gmail.com>
22  *
23  * Implements the icmp_id keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 
29 #include "detect.h"
30 #include "detect-parse.h"
32 #include "detect-engine-build.h"
33 #include "detect-engine-alert.h"
34 
35 #include "detect-icmp-id.h"
36 
37 #include "util-byte.h"
38 #include "util-unittest.h"
39 #include "util-unittest-helper.h"
40 #include "util-debug.h"
41 
42 #define PARSE_REGEX "^\\s*(\"\\s*)?([0-9]+)(\\s*\")?\\s*$"
43 
44 static DetectParseRegex parse_regex;
45 
46 static int DetectIcmpIdMatch(DetectEngineThreadCtx *, Packet *,
47  const Signature *, const SigMatchCtx *);
48 static int DetectIcmpIdSetup(DetectEngineCtx *, Signature *, const char *);
49 #ifdef UNITTESTS
50 static void DetectIcmpIdRegisterTests(void);
51 #endif
52 void DetectIcmpIdFree(DetectEngineCtx *, void *);
53 static int PrefilterSetupIcmpId(DetectEngineCtx *de_ctx, SigGroupHead *sgh);
54 static bool PrefilterIcmpIdIsPrefilterable(const Signature *s);
55 
56 /**
57  * \brief Registration function for the icmp_id keyword
58  */
60 {
61  sigmatch_table[DETECT_ICMP_ID].name = "icmp_id";
62  sigmatch_table[DETECT_ICMP_ID].desc = "check for a ICMP ID";
63  sigmatch_table[DETECT_ICMP_ID].url = "/rules/header-keywords.html#icmp-id";
64  sigmatch_table[DETECT_ICMP_ID].Match = DetectIcmpIdMatch;
65  sigmatch_table[DETECT_ICMP_ID].Setup = DetectIcmpIdSetup;
67 #ifdef UNITTESTS
68  sigmatch_table[DETECT_ICMP_ID].RegisterTests = DetectIcmpIdRegisterTests;
69 #endif
70  sigmatch_table[DETECT_ICMP_ID].SupportsPrefilter = PrefilterIcmpIdIsPrefilterable;
71  sigmatch_table[DETECT_ICMP_ID].SetupPrefilter = PrefilterSetupIcmpId;
72 
73  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
74 }
75 
76 static inline bool GetIcmpId(Packet *p, uint16_t *id)
77 {
78  if (PKT_IS_PSEUDOPKT(p))
79  return false;
80 
81  uint16_t pid;
82  if (PKT_IS_ICMPV4(p)) {
83  switch (ICMPV4_GET_TYPE(p)){
84  case ICMP_ECHOREPLY:
85  case ICMP_ECHO:
86  case ICMP_TIMESTAMP:
88  case ICMP_INFO_REQUEST:
89  case ICMP_INFO_REPLY:
90  case ICMP_ADDRESS:
91  case ICMP_ADDRESSREPLY:
92  SCLogDebug("ICMPV4_GET_ID(p) %"PRIu16" (network byte order), "
93  "%"PRIu16" (host byte order)", ICMPV4_GET_ID(p),
95 
96  pid = ICMPV4_GET_ID(p);
97  break;
98  default:
99  SCLogDebug("Packet has no id field");
100  return false;
101  }
102  } else if (PKT_IS_ICMPV6(p)) {
103  switch (ICMPV6_GET_TYPE(p)) {
104  case ICMP6_ECHO_REQUEST:
105  case ICMP6_ECHO_REPLY:
106  SCLogDebug("ICMPV6_GET_ID(p) %"PRIu16" (network byte order), "
107  "%"PRIu16" (host byte order)", ICMPV6_GET_ID(p),
108  SCNtohs(ICMPV6_GET_ID(p)));
109 
110  pid = ICMPV6_GET_ID(p);
111  break;
112  default:
113  SCLogDebug("Packet has no id field");
114  return false;
115  }
116  } else {
117  SCLogDebug("Packet not ICMPV4 nor ICMPV6");
118  return false;
119  }
120 
121  *id = pid;
122  return true;
123 }
124 
/**
 * \brief Match callback for the icmp_id keyword.
 *
 * Compares the ICMP identifier carried by the packet with the value the
 * rule was parsed with. Both sides are kept in network byte order (the
 * parser stores the rule value with htons()), so no conversion happens here.
 *
 * \param det_ctx pointer to the detection engine thread context (not used)
 * \param p       pointer to the current packet
 * \param s       pointer to the signature being evaluated (not used)
 * \param ctx     pointer to the SigMatchCtx, which is a DetectIcmpIdData
 *
 * \retval 0 no match, or the packet carries no ICMP id field at all
 * \retval 1 match
 */
static int DetectIcmpIdMatch (DetectEngineThreadCtx *det_ctx, Packet *p,
        const Signature *s, const SigMatchCtx *ctx)
{
    const DetectIcmpIdData *iid = (const DetectIcmpIdData *)ctx;
    uint16_t pid = 0;

    /* pseudo packets and ICMP types without an id field can never match */
    if (!GetIcmpId(p, &pid))
        return 0;

    return (pid == iid->id) ? 1 : 0;
}
150 
/**
 * \brief Parse the value of an icmp_id rule option.
 *
 * Accepts a decimal number, optionally wrapped in double quotes and
 * surrounded by whitespace (see PARSE_REGEX). Quotes must be balanced:
 * an opening quote without a closing one, or the reverse, is rejected.
 * The number must fit a uint16_t and is stored in network byte order so
 * it can be compared directly with the id read from a packet.
 *
 * \param de_ctx    detection engine context, handed to DetectIcmpIdFree on error
 * \param icmpidstr user supplied icmp_id option text
 *
 * \retval iid  newly allocated DetectIcmpIdData; the caller owns it and
 *              releases it with DetectIcmpIdFree
 * \retval NULL on parse error or allocation failure
 */
static DetectIcmpIdData *DetectIcmpIdParse (DetectEngineCtx *de_ctx, const char *icmpidstr)
{
    DetectIcmpIdData *iid = NULL;
    /* capture groups of PARSE_REGEX, shifted by one:
     * [0] optional opening quote (plus trailing blanks),
     * [1] the digits, [2] optional closing quote */
    char *substr[3] = { NULL, NULL, NULL };
    bool ok = false;

    int ret = DetectParsePcreExec(&parse_regex, icmpidstr, 0, 0);
    if (ret < 1 || ret > 4) {
        SCLogError("Parse error %s", icmpidstr);
        goto done;
    }

    for (int i = 1; i < ret; i++) {
        const char *str_ptr;
        size_t pcre2_len;
        int res = SC_Pcre2SubstringGet(parse_regex.match, i, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
        if (res < 0) {
            SCLogError("pcre2_substring_get_bynumber failed");
            goto done;
        }
        substr[i - 1] = (char *)str_ptr;
    }

    iid = SCMalloc(sizeof(DetectIcmpIdData));
    if (unlikely(iid == NULL))
        goto done;
    iid->id = 0;

    /* both quotes present or both absent; anything else is malformed */
    const bool has_open = (substr[0] != NULL && strlen(substr[0]) != 0);
    const bool has_close = (substr[2] != NULL);
    if (has_open && !has_close) {
        SCLogError("Missing close quote in input");
        goto done;
    }
    if (!has_open && has_close) {
        SCLogError("Missing open quote in input");
        goto done;
    }

    uint16_t id = 0;
    if (StringParseUint16(&id, 10, 0, substr[1]) < 0) {
        SCLogError("specified icmp id %s is not "
                   "valid",
                   substr[1]);
        goto done;
    }
    /* network byte order: matches what ICMPV4_GET_ID/ICMPV6_GET_ID return */
    iid->id = htons(id);
    ok = true;

done:
    for (int i = 0; i < 3; i++) {
        if (substr[i] != NULL)
            pcre2_substring_free((PCRE2_UCHAR8 *)substr[i]);
    }
    if (!ok && iid != NULL) {
        DetectIcmpIdFree(de_ctx, iid);
        iid = NULL;
    }
    return iid;
}
225 
226 /**
227  * \brief this function is used to add the parsed icmp_id data into the current signature
228  *
229  * \param de_ctx pointer to the Detection Engine Context
230  * \param s pointer to the Current Signature
231  * \param icmpidstr pointer to the user provided icmp_id option
232  *
233  * \retval 0 on Success
234  * \retval -1 on Failure
235  */
236 static int DetectIcmpIdSetup (DetectEngineCtx *de_ctx, Signature *s, const char *icmpidstr)
237 {
238  DetectIcmpIdData *iid = NULL;
239  SigMatch *sm = NULL;
240 
241  iid = DetectIcmpIdParse(de_ctx, icmpidstr);
242  if (iid == NULL) goto error;
243 
244  sm = SigMatchAlloc();
245  if (sm == NULL) goto error;
246 
247  sm->type = DETECT_ICMP_ID;
248  sm->ctx = (SigMatchCtx *)iid;
249 
252 
253  return 0;
254 
255 error:
256  if (iid != NULL) DetectIcmpIdFree(de_ctx, iid);
257  if (sm != NULL) SCFree(sm);
258  return -1;
259 
260 }
261 
262 /**
263  * \brief this function will free memory associated with DetectIcmpIdData
264  *
265  * \param ptr pointer to DetectIcmpIdData
266  */
268 {
269  DetectIcmpIdData *iid = (DetectIcmpIdData *)ptr;
270  SCFree(iid);
271 }
272 
273 /* prefilter code */
274 
/**
 * \brief Prefilter callback for the icmp_id keyword.
 *
 * Reads the ICMP id from \a p and, when it equals the id stored in the
 * prefilter header context, queues every signature of that context for
 * full evaluation.
 *
 * \param det_ctx detection engine thread context receiving the sids
 * \param p       packet under inspection
 * \param pectx   PrefilterPacketHeaderCtx holding the rule id in v1.u16[0]
 */
static void
PrefilterPacketIcmpIdMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)
{
    const PrefilterPacketHeaderCtx *ctx = pectx;
    uint16_t pid = 0;

    /* no id field (pseudo packet, other ICMP type) or different id: nothing to add */
    if (!GetIcmpId(p, &pid) || pid != ctx->v1.u16[0])
        return;

    SCLogDebug("packet matches ICMP ID %u", ctx->v1.u16[0]);
    PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);
}
290 
/**
 * \brief Store the rule's ICMP id in slot 0 of the prefilter header value.
 *
 * \param v     prefilter header value to fill
 * \param smctx DetectIcmpIdData of the signature (id in network byte order)
 */
static void
PrefilterPacketIcmpIdSet(PrefilterPacketHeaderValue *v, void *smctx)
{
    v->u16[0] = ((const DetectIcmpIdData *)smctx)->id;
}
297 
/**
 * \brief Tell whether a prefilter header value carries the same id as a rule.
 *
 * \param v     prefilter header value, id in u16[0]
 * \param smctx DetectIcmpIdData of the signature
 *
 * \retval true  the ids are equal
 * \retval false otherwise
 */
static bool
PrefilterPacketIcmpIdCompare(PrefilterPacketHeaderValue v, void *smctx)
{
    const DetectIcmpIdData *iid = smctx;
    return v.u16[0] == iid->id;
}
306 
307 static int PrefilterSetupIcmpId(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
308 {
310  PrefilterPacketIcmpIdSet,
311  PrefilterPacketIcmpIdCompare,
312  PrefilterPacketIcmpIdMatch);
313 }
314 
/**
 * \brief Report whether a signature uses icmp_id and can thus be prefiltered.
 *
 * \param s signature whose match list is scanned
 *
 * \retval true  an icmp_id SigMatch is present in DETECT_SM_LIST_MATCH
 * \retval false otherwise
 */
static bool PrefilterIcmpIdIsPrefilterable(const Signature *s)
{
    for (const SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_MATCH]; sm != NULL; sm = sm->next) {
        if (sm->type == DETECT_ICMP_ID)
            return true;
    }
    return false;
}
326 
327 #ifdef UNITTESTS
328 #include "detect-engine.h"
329 #include "detect-engine-mpm.h"
330 
/**
 * \brief Shared check for the positive icmp_id parse tests.
 *
 * Parses \a input and requires that the stored id equals \a expected
 * converted to network byte order, then releases the parsed data.
 *
 * \param input    rule option text handed to DetectIcmpIdParse
 * \param expected expected id in host byte order
 *
 * \retval 1 on success (PASS)
 * \retval 0 on failure (FAIL_IF_* macros)
 */
static int DetectIcmpIdParseExpect(const char *input, uint16_t expected)
{
    DetectIcmpIdData *iid = DetectIcmpIdParse(NULL, input);
    FAIL_IF_NULL(iid);
    FAIL_IF_NOT(iid->id == htons(expected));
    DetectIcmpIdFree(NULL, iid);
    PASS;
}

/**
 * \test DetectIcmpIdParseTest01 is a test for setting a valid icmp_id value
 */
static int DetectIcmpIdParseTest01 (void)
{
    return DetectIcmpIdParseExpect("300", 300);
}

/**
 * \test DetectIcmpIdParseTest02 is a test for setting a valid icmp_id value
 * with spaces all around
 */
static int DetectIcmpIdParseTest02 (void)
{
    return DetectIcmpIdParseExpect(" 300 ", 300);
}

/**
 * \test DetectIcmpIdParseTest03 is a test for setting a valid icmp_id value
 * with quotation marks
 */
static int DetectIcmpIdParseTest03 (void)
{
    return DetectIcmpIdParseExpect("\"300\"", 300);
}

/**
 * \test DetectIcmpIdParseTest04 is a test for setting a valid icmp_id value
 * with quotation marks and spaces all around
 */
static int DetectIcmpIdParseTest04 (void)
{
    return DetectIcmpIdParseExpect(" \" 300 \"", 300);
}

/**
 * \test DetectIcmpIdParseTest05 is a test for rejecting an icmp_id value
 * whose opening quote has no matching closing quote
 */
static int DetectIcmpIdParseTest05 (void)
{
    DetectIcmpIdData *iid = DetectIcmpIdParse(NULL, "\"300");
    FAIL_IF_NOT_NULL(iid);
    PASS;
}
392 
393 /**
394  * \test DetectIcmpIdMatchTest01 is a test for checking the working of
395  * icmp_id keyword by creating 2 rules and matching a crafted packet
396  * against them. Only the first one shall trigger.
397  */
398 static int DetectIcmpIdMatchTest01 (void)
399 {
400  int result = 0;
401  Packet *p = NULL;
402  Signature *s = NULL;
403  ThreadVars th_v;
404  DetectEngineThreadCtx *det_ctx = NULL;
405 
406  memset(&th_v, 0, sizeof(ThreadVars));
407 
408  p = UTHBuildPacket(NULL, 0, IPPROTO_ICMP);
409  p->icmpv4vars.id = htons(21781);
410 
412  if (de_ctx == NULL) {
413  goto end;
414  }
415 
416  de_ctx->flags |= DE_QUIET;
417 
418  s = de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any (icmp_id:21781; sid:1;)");
419  if (s == NULL) {
420  goto end;
421  }
422 
423  s = s->next = SigInit(de_ctx, "alert icmp any any -> any any (icmp_id:21782; sid:2;)");
424  if (s == NULL) {
425  goto end;
426  }
427 
429  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
430 
431  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
432  if (PacketAlertCheck(p, 1) == 0) {
433  printf("sid 1 did not alert, but should have: ");
434  goto cleanup;
435  } else if (PacketAlertCheck(p, 2)) {
436  printf("sid 2 alerted, but should not have: ");
437  goto cleanup;
438  }
439 
440  result = 1;
441 
442 cleanup:
445 
446  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
448 
449  UTHFreePackets(&p, 1);
450 end:
451  return result;
452 
453 }
454 
455 /**
456  * \test DetectIcmpIdMatchTest02 is a test for checking the working of
457  * icmp_id keyword by creating 1 rule and matching a crafted packet
458  * against it. The packet is an ICMP packet with no "id" field,
459  * therefore the rule should not trigger.
460  */
461 static int DetectIcmpIdMatchTest02 (void)
462 {
463  int result = 0;
464 
465  uint8_t raw_icmpv4[] = {
466  0x0b, 0x00, 0x8a, 0xdf, 0x00, 0x00, 0x00, 0x00,
467  0x45, 0x00, 0x00, 0x14, 0x25, 0x0c, 0x00, 0x00,
468  0xff, 0x11, 0x00, 0x00, 0x85, 0x64, 0xea, 0x5b,
469  0x51, 0xa6, 0xbb, 0x35, 0x59, 0x8a, 0x5a, 0xe2,
470  0x00, 0x14, 0x00, 0x00 };
471 
472  Packet *p = PacketGetFromAlloc();
473  if (unlikely(p == NULL))
474  return 0;
475  Signature *s = NULL;
477  ThreadVars th_v;
478  DetectEngineThreadCtx *det_ctx = NULL;
479  IPV4Hdr ip4h;
480 
481  memset(&ip4h, 0, sizeof(IPV4Hdr));
482  memset(&dtv, 0, sizeof(DecodeThreadVars));
483  memset(&th_v, 0, sizeof(ThreadVars));
484 
486 
487  p->src.addr_data32[0] = 0x01020304;
488  p->dst.addr_data32[0] = 0x04030201;
489 
490  ip4h.s_ip_src.s_addr = p->src.addr_data32[0];
491  ip4h.s_ip_dst.s_addr = p->dst.addr_data32[0];
492  p->ip4h = &ip4h;
493 
494  DecodeICMPV4(&th_v, &dtv, p, raw_icmpv4, sizeof(raw_icmpv4));
495 
497  if (de_ctx == NULL) {
498  goto end;
499  }
500 
501  de_ctx->flags |= DE_QUIET;
502 
503  s = de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any (icmp_id:0; sid:1;)");
504  if (s == NULL) {
505  goto end;
506  }
507 
509  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
510 
511  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
512  if (PacketAlertCheck(p, 1)) {
513  printf("sid 1 alerted, but should not have: ");
514  goto cleanup;
515  }
516 
517  result = 1;
518 
519 cleanup:
522 
523  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
525 
526  FlowShutdown();
527 end:
528  SCFree(p);
529  return result;
530 }
531 
/**
 * \brief Register the icmp_id unit tests with the test runner.
 *
 * Registration order follows the order in which the tests are defined.
 */
static void DetectIcmpIdRegisterTests (void)
{
    static const struct {
        const char *name;
        int (*fn)(void);
    } tests[] = {
        { "DetectIcmpIdParseTest01", DetectIcmpIdParseTest01 },
        { "DetectIcmpIdParseTest02", DetectIcmpIdParseTest02 },
        { "DetectIcmpIdParseTest03", DetectIcmpIdParseTest03 },
        { "DetectIcmpIdParseTest04", DetectIcmpIdParseTest04 },
        { "DetectIcmpIdParseTest05", DetectIcmpIdParseTest05 },
        { "DetectIcmpIdMatchTest01", DetectIcmpIdMatchTest01 },
        { "DetectIcmpIdMatchTest02", DetectIcmpIdMatchTest02 },
    };

    for (size_t i = 0; i < sizeof(tests) / sizeof(tests[0]); i++)
        UtRegisterTest(tests[i].name, tests[i].fn);
}
542 #endif /* UNITTESTS */