suricata
detect-icmp-id.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Gerardo Iglesias Galvan <iglesiasg@gmail.com>
22  *
23  * Implements the icmp_id keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 
29 #include "detect.h"
30 #include "detect-parse.h"
32 #include "detect-engine-build.h"
33 #include "detect-engine-alert.h"
34 
35 #include "detect-icmp-id.h"
36 
37 #include "util-byte.h"
38 #include "util-unittest.h"
39 #include "util-unittest-helper.h"
40 #include "util-debug.h"
41 
42 #define PARSE_REGEX "^\\s*(\"\\s*)?([0-9]+)(\\s*\")?\\s*$"
43 
44 static DetectParseRegex parse_regex;
45 
46 static int DetectIcmpIdMatch(DetectEngineThreadCtx *, Packet *,
47  const Signature *, const SigMatchCtx *);
48 static int DetectIcmpIdSetup(DetectEngineCtx *, Signature *, const char *);
49 #ifdef UNITTESTS
50 static void DetectIcmpIdRegisterTests(void);
51 #endif
52 void DetectIcmpIdFree(DetectEngineCtx *, void *);
53 static int PrefilterSetupIcmpId(DetectEngineCtx *de_ctx, SigGroupHead *sgh);
54 static bool PrefilterIcmpIdIsPrefilterable(const Signature *s);
55 
56 /**
57  * \brief Registration function for icode: icmp_id
58  */
60 {
61  sigmatch_table[DETECT_ICMP_ID].name = "icmp_id";
62  sigmatch_table[DETECT_ICMP_ID].desc = "check for a ICMP ID";
63  sigmatch_table[DETECT_ICMP_ID].url = "/rules/header-keywords.html#icmp-id";
64  sigmatch_table[DETECT_ICMP_ID].Match = DetectIcmpIdMatch;
65  sigmatch_table[DETECT_ICMP_ID].Setup = DetectIcmpIdSetup;
67 #ifdef UNITTESTS
68  sigmatch_table[DETECT_ICMP_ID].RegisterTests = DetectIcmpIdRegisterTests;
69 #endif
70  sigmatch_table[DETECT_ICMP_ID].SupportsPrefilter = PrefilterIcmpIdIsPrefilterable;
71  sigmatch_table[DETECT_ICMP_ID].SetupPrefilter = PrefilterSetupIcmpId;
72 
73  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
74 }
75 
76 static inline bool GetIcmpId(Packet *p, uint16_t *id)
77 {
78  if (PKT_IS_PSEUDOPKT(p))
79  return false;
80 
81  uint16_t pid;
82  if (PacketIsICMPv4(p)) {
83  switch (p->icmp_s.type) {
84  case ICMP_ECHOREPLY:
85  case ICMP_ECHO:
86  case ICMP_TIMESTAMP:
88  case ICMP_INFO_REQUEST:
89  case ICMP_INFO_REPLY:
90  case ICMP_ADDRESS:
91  case ICMP_ADDRESSREPLY:
92  SCLogDebug("ICMPV4_GET_ID(p) %"PRIu16" (network byte order), "
93  "%"PRIu16" (host byte order)", ICMPV4_GET_ID(p),
95 
96  pid = ICMPV4_GET_ID(p);
97  break;
98  default:
99  SCLogDebug("Packet has no id field");
100  return false;
101  }
102  } else if (PacketIsICMPv6(p)) {
103  switch (ICMPV6_GET_TYPE(PacketGetICMPv6(p))) {
104  case ICMP6_ECHO_REQUEST:
105  case ICMP6_ECHO_REPLY:
106  SCLogDebug("ICMPV6_GET_ID(p) %"PRIu16" (network byte order), "
107  "%"PRIu16" (host byte order)", ICMPV6_GET_ID(p),
108  SCNtohs(ICMPV6_GET_ID(p)));
109 
110  pid = ICMPV6_GET_ID(p);
111  break;
112  default:
113  SCLogDebug("Packet has no id field");
114  return false;
115  }
116  } else {
117  SCLogDebug("Packet not ICMPV4 nor ICMPV6");
118  return false;
119  }
120 
121  *id = pid;
122  return true;
123 }
124 
125 /**
126  * \brief This function is used to match icmp_id rule option set on a packet
127  *
128  * \param t pointer to thread vars
129  * \param det_ctx pointer to the pattern matcher thread
130  * \param p pointer to the current packet
131  * \param m pointer to the sigmatch that we will cast into DetectIcmpIdData
132  *
133  * \retval 0 no match
134  * \retval 1 match
135  */
136 static int DetectIcmpIdMatch (DetectEngineThreadCtx *det_ctx, Packet *p,
137  const Signature *s, const SigMatchCtx *ctx)
138 {
139  uint16_t pid;
140 
141  if (!GetIcmpId(p, &pid))
142  return 0;
143 
144  const DetectIcmpIdData *iid = (const DetectIcmpIdData *)ctx;
145  if (pid == iid->id)
146  return 1;
147 
148  return 0;
149 }
150 
151 /**
152  * \brief This function is used to parse icmp_id option passed via icmp_id: keyword
153  *
154  * \param de_ctx Pointer to the detection engine context
155  * \param icmpidstr Pointer to the user provided icmp_id options
156  *
157  * \retval iid pointer to DetectIcmpIdData on success
158  * \retval NULL on failure
159  */
160 static DetectIcmpIdData *DetectIcmpIdParse (DetectEngineCtx *de_ctx, const char *icmpidstr)
161 {
162  DetectIcmpIdData *iid = NULL;
163  char *substr[3] = {NULL, NULL, NULL};
164  int res = 0;
165  size_t pcre2_len;
166 
167  pcre2_match_data *match = NULL;
168  int ret = DetectParsePcreExec(&parse_regex, &match, icmpidstr, 0, 0);
169  if (ret < 1 || ret > 4) {
170  SCLogError("Parse error %s", icmpidstr);
171  goto error;
172  }
173 
174  int i;
175  const char *str_ptr;
176  for (i = 1; i < ret; i++) {
177  res = SC_Pcre2SubstringGet(match, i, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
178  if (res < 0) {
179  SCLogError("pcre2_substring_get_bynumber failed");
180  goto error;
181  }
182  substr[i-1] = (char *)str_ptr;
183  }
184 
185  iid = SCMalloc(sizeof(DetectIcmpIdData));
186  if (unlikely(iid == NULL))
187  goto error;
188  iid->id = 0;
189 
190  if (substr[0]!= NULL && strlen(substr[0]) != 0) {
191  if (substr[2] == NULL) {
192  SCLogError("Missing close quote in input");
193  goto error;
194  }
195  } else {
196  if (substr[2] != NULL) {
197  SCLogError("Missing open quote in input");
198  goto error;
199  }
200  }
201 
202  uint16_t id = 0;
203  if (StringParseUint16(&id, 10, 0, substr[1]) < 0) {
204  SCLogError("specified icmp id %s is not "
205  "valid",
206  substr[1]);
207  goto error;
208  }
209  iid->id = htons(id);
210 
211  for (i = 0; i < 3; i++) {
212  if (substr[i] != NULL)
213  pcre2_substring_free((PCRE2_UCHAR8 *)substr[i]);
214  }
215  pcre2_match_data_free(match);
216  return iid;
217 
218 error:
219  if (match) {
220  pcre2_match_data_free(match);
221  }
222  for (i = 0; i < 3; i++) {
223  if (substr[i] != NULL)
224  pcre2_substring_free((PCRE2_UCHAR8 *)substr[i]);
225  }
226  if (iid != NULL) DetectIcmpIdFree(de_ctx, iid);
227  return NULL;
228 
229 }
230 
231 /**
232  * \brief this function is used to add the parsed icmp_id data into the current signature
233  *
234  * \param de_ctx pointer to the Detection Engine Context
235  * \param s pointer to the Current Signature
236  * \param icmpidstr pointer to the user provided icmp_id option
237  *
238  * \retval 0 on Success
239  * \retval -1 on Failure
240  */
241 static int DetectIcmpIdSetup (DetectEngineCtx *de_ctx, Signature *s, const char *icmpidstr)
242 {
243  DetectIcmpIdData *iid = NULL;
244 
245  iid = DetectIcmpIdParse(de_ctx, icmpidstr);
246  if (iid == NULL) goto error;
247 
249  de_ctx, s, DETECT_ICMP_ID, (SigMatchCtx *)iid, DETECT_SM_LIST_MATCH) == NULL) {
250  goto error;
251  }
253 
254  return 0;
255 
256 error:
257  if (iid != NULL)
258  DetectIcmpIdFree(de_ctx, iid);
259  return -1;
260 
261 }
262 
263 /**
264  * \brief this function will free memory associated with DetectIcmpIdData
265  *
266  * \param ptr pointer to DetectIcmpIdData
267  */
269 {
270  DetectIcmpIdData *iid = (DetectIcmpIdData *)ptr;
271  SCFree(iid);
272 }
273 
274 /* prefilter code */
275 
276 static void
277 PrefilterPacketIcmpIdMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)
278 {
279  const PrefilterPacketHeaderCtx *ctx = pectx;
280 
281  uint16_t pid;
282  if (!GetIcmpId(p, &pid))
283  return;
284 
285  if (pid == ctx->v1.u16[0])
286  {
287  SCLogDebug("packet matches ICMP ID %u", ctx->v1.u16[0]);
288  PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);
289  }
290 }
291 
292 static void
293 PrefilterPacketIcmpIdSet(PrefilterPacketHeaderValue *v, void *smctx)
294 {
295  const DetectIcmpIdData *a = smctx;
296  v->u16[0] = a->id;
297 }
298 
299 static bool
300 PrefilterPacketIcmpIdCompare(PrefilterPacketHeaderValue v, void *smctx)
301 {
302  const DetectIcmpIdData *a = smctx;
303  if (v.u16[0] == a->id)
304  return true;
305  return false;
306 }
307 
308 static int PrefilterSetupIcmpId(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
309 {
311  PrefilterPacketIcmpIdSet,
312  PrefilterPacketIcmpIdCompare,
313  PrefilterPacketIcmpIdMatch);
314 }
315 
316 static bool PrefilterIcmpIdIsPrefilterable(const Signature *s)
317 {
318  const SigMatch *sm;
319  for (sm = s->init_data->smlists[DETECT_SM_LIST_MATCH] ; sm != NULL; sm = sm->next) {
320  switch (sm->type) {
321  case DETECT_ICMP_ID:
322  return true;
323  }
324  }
325  return false;
326 }
327 
328 #ifdef UNITTESTS
329 #include "detect-engine.h"
330 #include "detect-engine-mpm.h"
331 
332 /**
333  * \test DetectIcmpIdParseTest01 is a test for setting a valid icmp_id value
334  */
335 static int DetectIcmpIdParseTest01 (void)
336 {
337  DetectIcmpIdData *iid = DetectIcmpIdParse(NULL, "300");
338  FAIL_IF_NULL(iid);
339  FAIL_IF_NOT(iid->id == htons(300));
340  DetectIcmpIdFree(NULL, iid);
341  PASS;
342 }
343 
344 /**
345  * \test DetectIcmpIdParseTest02 is a test for setting a valid icmp_id value
346  * with spaces all around
347  */
348 static int DetectIcmpIdParseTest02 (void)
349 {
350  DetectIcmpIdData *iid = DetectIcmpIdParse(NULL, " 300 ");
351  FAIL_IF_NULL(iid);
352  FAIL_IF_NOT(iid->id == htons(300));
353  DetectIcmpIdFree(NULL, iid);
354  PASS;
355 }
356 
357 /**
358  * \test DetectIcmpIdParseTest03 is a test for setting a valid icmp_id value
359  * with quotation marks
360  */
361 static int DetectIcmpIdParseTest03 (void)
362 {
363  DetectIcmpIdData *iid = DetectIcmpIdParse(NULL, "\"300\"");
364  FAIL_IF_NULL(iid);
365  FAIL_IF_NOT(iid->id == htons(300));
366  DetectIcmpIdFree(NULL, iid);
367  PASS;
368 }
369 
370 /**
371  * \test DetectIcmpIdParseTest04 is a test for setting a valid icmp_id value
372  * with quotation marks and spaces all around
373  */
374 static int DetectIcmpIdParseTest04 (void)
375 {
376  DetectIcmpIdData *iid = DetectIcmpIdParse(NULL, " \" 300 \"");
377  FAIL_IF_NULL(iid);
378  FAIL_IF_NOT(iid->id == htons(300));
379  DetectIcmpIdFree(NULL, iid);
380  PASS;
381 }
382 
383 /**
384  * \test DetectIcmpIdParseTest05 is a test for setting an invalid icmp_id
385  * value with missing quotation marks
386  */
387 static int DetectIcmpIdParseTest05 (void)
388 {
389  DetectIcmpIdData *iid = DetectIcmpIdParse(NULL, "\"300");
390  FAIL_IF_NOT_NULL(iid);
391  PASS;
392 }
393 
394 /**
395  * \test DetectIcmpIdMatchTest01 is a test for checking the working of
396  * icmp_id keyword by creating 2 rules and matching a crafted packet
397  * against them. Only the first one shall trigger.
398  */
399 static int DetectIcmpIdMatchTest01 (void)
400 {
401  int result = 0;
402  Packet *p = NULL;
403  Signature *s = NULL;
404  ThreadVars th_v;
405  DetectEngineThreadCtx *det_ctx = NULL;
406 
407  memset(&th_v, 0, sizeof(ThreadVars));
408 
409  p = UTHBuildPacket(NULL, 0, IPPROTO_ICMP);
410  p->l4.vars.icmpv4.id = htons(21781);
411 
413  if (de_ctx == NULL) {
414  goto end;
415  }
416 
417  de_ctx->flags |= DE_QUIET;
418 
419  s = de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any (icmp_id:21781; sid:1;)");
420  if (s == NULL) {
421  goto end;
422  }
423 
424  s = s->next = SigInit(de_ctx, "alert icmp any any -> any any (icmp_id:21782; sid:2;)");
425  if (s == NULL) {
426  goto end;
427  }
428 
430  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
431 
432  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
433  if (PacketAlertCheck(p, 1) == 0) {
434  printf("sid 1 did not alert, but should have: ");
435  goto cleanup;
436  } else if (PacketAlertCheck(p, 2)) {
437  printf("sid 2 alerted, but should not have: ");
438  goto cleanup;
439  }
440 
441  result = 1;
442 
443 cleanup:
446 
447  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
449 
450  UTHFreePackets(&p, 1);
451 end:
452  return result;
453 
454 }
455 
456 /**
457  * \test DetectIcmpIdMatchTest02 is a test for checking the working of
458  * icmp_id keyword by creating 1 rule and matching a crafted packet
459  * against them. The packet is an ICMP packet with no "id" field,
460  * therefore the rule should not trigger.
461  */
462 static int DetectIcmpIdMatchTest02 (void)
463 {
464  int result = 0;
465 
466  uint8_t raw_icmpv4[] = {
467  0x0b, 0x00, 0x8a, 0xdf, 0x00, 0x00, 0x00, 0x00,
468  0x45, 0x00, 0x00, 0x14, 0x25, 0x0c, 0x00, 0x00,
469  0xff, 0x11, 0x00, 0x00, 0x85, 0x64, 0xea, 0x5b,
470  0x51, 0xa6, 0xbb, 0x35, 0x59, 0x8a, 0x5a, 0xe2,
471  0x00, 0x14, 0x00, 0x00 };
472 
473  Packet *p = PacketGetFromAlloc();
474  if (unlikely(p == NULL))
475  return 0;
476  Signature *s = NULL;
478  ThreadVars th_v;
479  DetectEngineThreadCtx *det_ctx = NULL;
480  IPV4Hdr ip4h;
481 
482  memset(&ip4h, 0, sizeof(IPV4Hdr));
483  memset(&dtv, 0, sizeof(DecodeThreadVars));
484  memset(&th_v, 0, sizeof(ThreadVars));
485 
487 
488  p->src.addr_data32[0] = 0x01020304;
489  p->dst.addr_data32[0] = 0x04030201;
490 
491  ip4h.s_ip_src.s_addr = p->src.addr_data32[0];
492  ip4h.s_ip_dst.s_addr = p->dst.addr_data32[0];
493  UTHSetIPV4Hdr(p, &ip4h);
494 
495  DecodeICMPV4(&th_v, &dtv, p, raw_icmpv4, sizeof(raw_icmpv4));
496 
498  if (de_ctx == NULL) {
499  goto end;
500  }
501 
502  de_ctx->flags |= DE_QUIET;
503 
504  s = de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any (icmp_id:0; sid:1;)");
505  if (s == NULL) {
506  goto end;
507  }
508 
510  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
511 
512  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
513  if (PacketAlertCheck(p, 1)) {
514  printf("sid 1 alerted, but should not have: ");
515  goto cleanup;
516  }
517 
518  result = 1;
519 
520 cleanup:
523 
524  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
526 
527  FlowShutdown();
528 end:
529  SCFree(p);
530  return result;
531 }
532 
533 static void DetectIcmpIdRegisterTests (void)
534 {
535  UtRegisterTest("DetectIcmpIdParseTest01", DetectIcmpIdParseTest01);
536  UtRegisterTest("DetectIcmpIdParseTest02", DetectIcmpIdParseTest02);
537  UtRegisterTest("DetectIcmpIdParseTest03", DetectIcmpIdParseTest03);
538  UtRegisterTest("DetectIcmpIdParseTest04", DetectIcmpIdParseTest04);
539  UtRegisterTest("DetectIcmpIdParseTest05", DetectIcmpIdParseTest05);
540  UtRegisterTest("DetectIcmpIdMatchTest01", DetectIcmpIdMatchTest01);
541  UtRegisterTest("DetectIcmpIdMatchTest02", DetectIcmpIdMatchTest02);
542 }
543 #endif /* UNITTESTS */
util-byte.h
SigTableElmt_::url
const char * url
Definition: detect.h:1311
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:587
SigTableElmt_::desc
const char * desc
Definition: detect.h:1310
ICMP_INFO_REQUEST
#define ICMP_INFO_REQUEST
Definition: decode-icmpv4.h:66
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1298
DetectIcmpIdData_
Definition: detect-icmp-id.h:27
DetectParseRegex
Definition: detect-parse.h:62
SigTableElmt_::name
const char * name
Definition: detect.h:1308
PKT_IS_PSEUDOPKT
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1330
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1460
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1213
UTHSetIPV4Hdr
void UTHSetIPV4Hdr(Packet *p, IPV4Hdr *ip4h)
Definition: util-unittest-helper.c:126
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:848
StringParseUint16
int StringParseUint16(uint16_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:337
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-icmp-id.c:42
PrefilterPacketHeaderCtx_::sigs_array
SigIntId * sigs_array
Definition: detect-engine-prefilter-common.h:43
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2588
DE_QUIET
#define DE_QUIET
Definition: detect.h:324
ICMPV6_GET_ID
#define ICMPV6_GET_ID(p)
Definition: decode-icmpv6.h:107
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:359
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1899
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
Definition: detect-parse.c:2663
PrefilterPacketHeaderCtx_::sigs_cnt
uint32_t sigs_cnt
Definition: detect-engine-prefilter-common.h:42
Packet_::icmp_s
struct Packet_::@33::@40 icmp_s
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:54
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1293
PrefilterPacketHeaderValue::u16
uint16_t u16[8]
Definition: detect-engine-prefilter-common.h:25
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
ICMP6_ECHO_REQUEST
#define ICMP6_ECHO_REQUEST
Definition: decode-icmpv6.h:42
ICMP_ECHO
#define ICMP_ECHO
Definition: decode-icmpv4.h:45
SigTableElmt_::SetupPrefilter
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
Definition: detect.h:1296
Signature_::next
struct Signature_ * next
Definition: detect.h:674
ICMP_ADDRESSREPLY
#define ICMP_ADDRESSREPLY
Definition: decode-icmpv4.h:75
FlowInitConfig
void FlowInitConfig(bool quiet)
initialize the configuration
Definition: flow.c:527
ICMP_ADDRESS
#define ICMP_ADDRESS
Definition: decode-icmpv4.h:72
PrefilterPacketHeaderCtx_
Definition: detect-engine-prefilter-common.h:35
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
ICMP6_ECHO_REPLY
#define ICMP6_ECHO_REPLY
Definition: decode-icmpv6.h:43
DetectEngineThreadCtx_
Definition: detect.h:1104
PacketL4::L4Vars::icmpv4
ICMPV4Vars icmpv4
Definition: decode.h:460
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2789
detect-engine-mpm.h
DetectIcmpIdRegister
void DetectIcmpIdRegister(void)
Registration function for icode: icmp_id.
Definition: detect-icmp-id.c:59
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:354
DETECT_ICMP_ID
@ DETECT_ICMP_ID
Definition: detect-engine-register.h:49
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:114
ICMPV4Vars_::id
uint16_t id
Definition: decode-icmpv4.h:186
SC_Pcre2SubstringGet
int SC_Pcre2SubstringGet(pcre2_match_data *match_data, uint32_t number, PCRE2_UCHAR **bufferptr, PCRE2_SIZE *bufflen)
Definition: detect-parse.c:2777
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2303
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2219
Signature_::flags
uint32_t flags
Definition: detect.h:603
Packet_
Definition: decode.h:482
detect-engine-build.h
ICMP_INFO_REPLY
#define ICMP_INFO_REPLY
Definition: decode-icmpv4.h:69
detect-engine-alert.h
Packet_::l4
struct PacketL4 l4
Definition: decode.h:584
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:671
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1276
ICMP_ECHOREPLY
#define ICMP_ECHOREPLY
Definition: decode-icmpv4.h:33
DetectIcmpIdData_::id
uint16_t id
Definition: detect-icmp-id.h:28
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2150
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:33
PrefilterPacketHeaderCtx_::v1
PrefilterPacketHeaderValue v1
Definition: detect-engine-prefilter-common.h:36
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:345
IPV4Hdr_
Definition: decode-ipv4.h:72
ICMPV4_GET_ID
#define ICMPV4_GET_ID(p)
Definition: decode-icmpv4.h:236
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3299
SCNtohs
#define SCNtohs(x)
Definition: suricata-common.h:414
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3513
SigMatch_::type
uint16_t type
Definition: detect.h:351
FlowShutdown
void FlowShutdown(void)
shutdown the flow engine
Definition: flow.c:675
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:127
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:856
PrefilterSetupPacketHeader
int PrefilterSetupPacketHeader(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type, void(*Set)(PrefilterPacketHeaderValue *v, void *), bool(*Compare)(PrefilterPacketHeaderValue v, void *), void(*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
Definition: detect-engine-prefilter-common.c:417
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:232
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:946
SigTableElmt_::SupportsPrefilter
bool(* SupportsPrefilter)(const Signature *s)
Definition: detect.h:1295
detect-parse.h
Signature_
Signature container.
Definition: detect.h:602
SigMatch_
a single match condition for a signature
Definition: detect.h:350
DetectIcmpIdFree
void DetectIcmpIdFree(DetectEngineCtx *, void *)
this function will free memory associated with DetectIcmpIdData
Definition: detect-icmp-id.c:268
ICMP_TIMESTAMPREPLY
#define ICMP_TIMESTAMPREPLY
Definition: decode-icmpv4.h:63
ICMPV6_GET_TYPE
#define ICMPV6_GET_TYPE(icmp6h)
Definition: decode-icmpv6.h:101
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2549
detect-icmp-id.h
Packet_::dst
Address dst
Definition: decode.h:487
FLOW_QUIET
#define FLOW_QUIET
Definition: flow.h:43
ICMP_TIMESTAMP
#define ICMP_TIMESTAMP
Definition: decode-icmpv4.h:60
PrefilterPacketHeaderValue
Definition: detect-engine-prefilter-common.h:23
SigMatchAppendSMToList
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:436
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:850
detect-engine-prefilter-common.h
Packet_::src
Address src
Definition: decode.h:486
PacketL4::vars
union PacketL4::L4Vars vars
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1300
DecodeICMPV4
int DecodeICMPV4(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Main ICMPv4 decoding function.
Definition: decode-icmpv4.c:143
SIG_FLAG_REQUIRE_PACKET
#define SIG_FLAG_REQUIRE_PACKET
Definition: detect.h:249
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:450