Go to the documentation of this file.
42 #define PARSE_REGEX "^\\s*(\"\\s*)?([0-9]+)(\\s*\")?\\s*$"
50 static void DetectIcmpIdRegisterTests(
void);
54 static bool PrefilterIcmpIdIsPrefilterable(
const Signature *s);
76 static inline bool GetIcmpId(
Packet *p, uint16_t *
id)
92 SCLogDebug(
"ICMPV4_GET_ID(p) %"PRIu16
" (network byte order), "
106 SCLogDebug(
"ICMPV6_GET_ID(p) %"PRIu16
" (network byte order), "
141 if (!GetIcmpId(p, &pid))
163 char *substr[3] = {NULL, NULL, NULL};
164 int ret = 0, res = 0;
168 if (ret < 1 || ret > 4) {
175 for (i = 1; i < ret; i++) {
178 SCLogError(
"pcre2_substring_get_bynumber failed");
181 substr[i-1] = (
char *)str_ptr;
189 if (substr[0]!= NULL && strlen(substr[0]) != 0) {
190 if (substr[2] == NULL) {
195 if (substr[2] != NULL) {
210 for (i = 0; i < 3; i++) {
211 if (substr[i] != NULL)
212 pcre2_substring_free((PCRE2_UCHAR8 *)substr[i]);
217 for (i = 0; i < 3; i++) {
218 if (substr[i] != NULL)
219 pcre2_substring_free((PCRE2_UCHAR8 *)substr[i]);
241 iid = DetectIcmpIdParse(
de_ctx, icmpidstr);
242 if (iid == NULL)
goto error;
245 if (sm == NULL)
goto error;
257 if (sm != NULL)
SCFree(sm);
281 if (!GetIcmpId(p, &pid))
284 if (pid == ctx->
v1.
u16[0])
302 if (v.
u16[0] == a->
id)
310 PrefilterPacketIcmpIdSet,
311 PrefilterPacketIcmpIdCompare,
312 PrefilterPacketIcmpIdMatch);
315 static bool PrefilterIcmpIdIsPrefilterable(
const Signature *s)
334 static int DetectIcmpIdParseTest01 (
void)
347 static int DetectIcmpIdParseTest02 (
void)
360 static int DetectIcmpIdParseTest03 (
void)
373 static int DetectIcmpIdParseTest04 (
void)
386 static int DetectIcmpIdParseTest05 (
void)
398 static int DetectIcmpIdMatchTest01 (
void)
423 s = s->
next =
SigInit(
de_ctx,
"alert icmp any any -> any any (icmp_id:21782; sid:2;)");
433 printf(
"sid 1 did not alert, but should have: ");
436 printf(
"sid 2 alerted, but should not have: ");
461 static int DetectIcmpIdMatchTest02 (
void)
465 uint8_t raw_icmpv4[] = {
466 0x0b, 0x00, 0x8a, 0xdf, 0x00, 0x00, 0x00, 0x00,
467 0x45, 0x00, 0x00, 0x14, 0x25, 0x0c, 0x00, 0x00,
468 0xff, 0x11, 0x00, 0x00, 0x85, 0x64, 0xea, 0x5b,
469 0x51, 0xa6, 0xbb, 0x35, 0x59, 0x8a, 0x5a, 0xe2,
470 0x00, 0x14, 0x00, 0x00 };
481 memset(&ip4h, 0,
sizeof(
IPV4Hdr));
487 p->
src.addr_data32[0] = 0x01020304;
488 p->
dst.addr_data32[0] = 0x04030201;
490 ip4h.s_ip_src.s_addr = p->
src.addr_data32[0];
491 ip4h.s_ip_dst.s_addr = p->
dst.addr_data32[0];
513 printf(
"sid 1 alerted, but should not have: ");
532 static void DetectIcmpIdRegisterTests (
void)
534 UtRegisterTest(
"DetectIcmpIdParseTest01", DetectIcmpIdParseTest01);
535 UtRegisterTest(
"DetectIcmpIdParseTest02", DetectIcmpIdParseTest02);
536 UtRegisterTest(
"DetectIcmpIdParseTest03", DetectIcmpIdParseTest03);
537 UtRegisterTest(
"DetectIcmpIdParseTest04", DetectIcmpIdParseTest04);
538 UtRegisterTest(
"DetectIcmpIdParseTest05", DetectIcmpIdParseTest05);
539 UtRegisterTest(
"DetectIcmpIdMatchTest01", DetectIcmpIdMatchTest01);
540 UtRegisterTest(
"DetectIcmpIdMatchTest02", DetectIcmpIdMatchTest02);
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
#define ICMP_INFO_REQUEST
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options)
void(* Free)(DetectEngineCtx *, void *)
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Container for matching data for a signature group.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
main detection engine ctx
int StringParseUint16(uint16_t *res, int base, size_t len, const char *str)
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
void SigCleanSignatures(DetectEngineCtx *de_ctx)
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
#define ICMP6_ECHO_REQUEST
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
#define ICMP_ADDRESSREPLY
void FlowInitConfig(bool quiet)
initialize the configuration
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
#define PASS
Pass the test.
#define ICMPV4_GET_TYPE(p)
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
void DetectIcmpIdRegister(void)
Registration function for icode: icmp_id.
Per thread variable structure.
int SC_Pcre2SubstringGet(pcre2_match_data *match_data, uint32_t number, PCRE2_UCHAR **bufferptr, PCRE2_SIZE *bufflen)
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
int SigGroupCleanup(DetectEngineCtx *de_ctx)
SignatureInitData * init_data
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
struct SigMatch_ ** smlists
SigMatch * SigMatchAlloc(void)
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
void FlowShutdown(void)
shutdown the flow engine
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
int PrefilterSetupPacketHeader(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type, void(*Set)(PrefilterPacketHeaderValue *v, void *), bool(*Compare)(PrefilterPacketHeaderValue v, void *), void(*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
#define SCLogError(...)
Macro used to log ERROR messages.
Structure to hold thread specific data for all decode modules.
bool(* SupportsPrefilter)(const Signature *s)
a single match condition for a signature
void DetectIcmpIdFree(DetectEngineCtx *, void *)
this function will free memory associated with DetectIcmpIdData
#define ICMPV6_GET_TYPE(p)
#define ICMP_TIMESTAMPREPLY
DetectEngineCtx * DetectEngineCtxInit(void)
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
void(* RegisterTests)(void)
int DecodeICMPV4(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Main ICMPv4 decoding function.
#define SIG_FLAG_REQUIRE_PACKET
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.