suricata
detect-icmp-id.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2013 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Gerardo Iglesias Galvan <iglesiasg@gmail.com>
22  *
23  * Implements the icmp_id keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "debug.h"
28 #include "decode.h"
29 
30 #include "detect.h"
31 #include "detect-parse.h"
33 
34 #include "detect-icmp-id.h"
35 
36 #include "util-byte.h"
37 #include "util-unittest.h"
38 #include "util-unittest-helper.h"
39 #include "util-debug.h"
40 
41 #define PARSE_REGEX "^\\s*(\"\\s*)?([0-9]+)(\\s*\")?\\s*$"
42 
43 static pcre *parse_regex;
44 static pcre_extra *parse_regex_study;
45 
46 static int DetectIcmpIdMatch(ThreadVars *, DetectEngineThreadCtx *, Packet *,
47  const Signature *, const SigMatchCtx *);
48 static int DetectIcmpIdSetup(DetectEngineCtx *, Signature *, const char *);
49 void DetectIcmpIdRegisterTests(void);
50 void DetectIcmpIdFree(void *);
51 static int PrefilterSetupIcmpId(DetectEngineCtx *de_ctx, SigGroupHead *sgh);
52 static _Bool PrefilterIcmpIdIsPrefilterable(const Signature *s);
53 
54 /**
55  * \brief Registration function for icode: icmp_id
56  */
58 {
59  sigmatch_table[DETECT_ICMP_ID].name = "icmp_id";
60  sigmatch_table[DETECT_ICMP_ID].desc = "check for a ICMP id";
61  sigmatch_table[DETECT_ICMP_ID].url = DOC_URL DOC_VERSION "/rules/header-keywords.html#icmp-id";
62  sigmatch_table[DETECT_ICMP_ID].Match = DetectIcmpIdMatch;
63  sigmatch_table[DETECT_ICMP_ID].Setup = DetectIcmpIdSetup;
66 
67  sigmatch_table[DETECT_ICMP_ID].SupportsPrefilter = PrefilterIcmpIdIsPrefilterable;
68  sigmatch_table[DETECT_ICMP_ID].SetupPrefilter = PrefilterSetupIcmpId;
69 
70  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
71 }
72 
73 static inline _Bool GetIcmpId(Packet *p, uint16_t *id)
74 {
75  if (PKT_IS_PSEUDOPKT(p))
76  return FALSE;
77 
78  uint16_t pid;
79  if (PKT_IS_ICMPV4(p)) {
80  switch (ICMPV4_GET_TYPE(p)){
81  case ICMP_ECHOREPLY:
82  case ICMP_ECHO:
83  case ICMP_TIMESTAMP:
84  case ICMP_TIMESTAMPREPLY:
85  case ICMP_INFO_REQUEST:
86  case ICMP_INFO_REPLY:
87  case ICMP_ADDRESS:
88  case ICMP_ADDRESSREPLY:
89  SCLogDebug("ICMPV4_GET_ID(p) %"PRIu16" (network byte order), "
90  "%"PRIu16" (host byte order)", ICMPV4_GET_ID(p),
92 
93  pid = ICMPV4_GET_ID(p);
94  break;
95  default:
96  SCLogDebug("Packet has no id field");
97  return FALSE;
98  }
99  } else if (PKT_IS_ICMPV6(p)) {
100  switch (ICMPV6_GET_TYPE(p)) {
101  case ICMP6_ECHO_REQUEST:
102  case ICMP6_ECHO_REPLY:
103  SCLogDebug("ICMPV6_GET_ID(p) %"PRIu16" (network byte order), "
104  "%"PRIu16" (host byte order)", ICMPV6_GET_ID(p),
105  SCNtohs(ICMPV6_GET_ID(p)));
106 
107  pid = ICMPV6_GET_ID(p);
108  break;
109  default:
110  SCLogDebug("Packet has no id field");
111  return FALSE;
112  }
113  } else {
114  SCLogDebug("Packet not ICMPV4 nor ICMPV6");
115  return FALSE;
116  }
117 
118  *id = pid;
119  return TRUE;
120 }
121 
122 /**
123  * \brief This function is used to match icmp_id rule option set on a packet
124  *
125  * \param t pointer to thread vars
126  * \param det_ctx pointer to the pattern matcher thread
127  * \param p pointer to the current packet
128  * \param m pointer to the sigmatch that we will cast into DetectIcmpIdData
129  *
130  * \retval 0 no match
131  * \retval 1 match
132  */
133 static int DetectIcmpIdMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p,
134  const Signature *s, const SigMatchCtx *ctx)
135 {
136  uint16_t pid;
137 
138  if (GetIcmpId(p, &pid) == FALSE)
139  return 0;
140 
141  const DetectIcmpIdData *iid = (const DetectIcmpIdData *)ctx;
142  if (pid == iid->id)
143  return 1;
144 
145  return 0;
146 }
147 
148 /**
149  * \brief This function is used to parse icmp_id option passed via icmp_id: keyword
150  *
151  * \param icmpidstr Pointer to the user provided icmp_id options
152  *
153  * \retval iid pointer to DetectIcmpIdData on success
154  * \retval NULL on failure
155  */
156 static DetectIcmpIdData *DetectIcmpIdParse (const char *icmpidstr)
157 {
158  DetectIcmpIdData *iid = NULL;
159  char *substr[3] = {NULL, NULL, NULL};
160 #define MAX_SUBSTRINGS 30
161  int ret = 0, res = 0;
162  int ov[MAX_SUBSTRINGS];
163 
164  ret = pcre_exec(parse_regex, parse_regex_study, icmpidstr, strlen(icmpidstr), 0, 0, ov, MAX_SUBSTRINGS);
165  if (ret < 1 || ret > 4) {
166  SCLogError(SC_ERR_PCRE_MATCH, "Parse error %s", icmpidstr);
167  goto error;
168  }
169 
170  int i;
171  const char *str_ptr;
172  for (i = 1; i < ret; i++) {
173  res = pcre_get_substring((char *)icmpidstr, ov, MAX_SUBSTRINGS, i, &str_ptr);
174  if (res < 0) {
175  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
176  goto error;
177  }
178  substr[i-1] = (char *)str_ptr;
179  }
180 
181  iid = SCMalloc(sizeof(DetectIcmpIdData));
182  if (unlikely(iid == NULL))
183  goto error;
184  iid->id = 0;
185 
186  if (substr[0]!= NULL && strlen(substr[0]) != 0) {
187  if (substr[2] == NULL) {
188  SCLogError(SC_ERR_INVALID_ARGUMENT, "Missing close quote in input");
189  goto error;
190  }
191  } else {
192  if (substr[2] != NULL) {
193  SCLogError(SC_ERR_INVALID_ARGUMENT, "Missing open quote in input");
194  goto error;
195  }
196  }
197 
198  /** \todo can ByteExtractStringUint16 do this? */
199  uint16_t id = 0;
200  if (ByteExtractStringUint16(&id, 10, 0, substr[1]) < 0) {
201  SCLogError(SC_ERR_INVALID_ARGUMENT, "specified icmp id %s is not "
202  "valid", substr[1]);
203  goto error;
204  }
205  iid->id = htons(id);
206 
207  for (i = 0; i < 3; i++) {
208  if (substr[i] != NULL) SCFree(substr[i]);
209  }
210  return iid;
211 
212 error:
213  for (i = 0; i < 3; i++) {
214  if (substr[i] != NULL) SCFree(substr[i]);
215  }
216  if (iid != NULL) DetectIcmpIdFree(iid);
217  return NULL;
218 
219 }
220 
221 /**
222  * \brief this function is used to add the parsed icmp_id data into the current signature
223  *
224  * \param de_ctx pointer to the Detection Engine Context
225  * \param s pointer to the Current Signature
226  * \param icmpidstr pointer to the user provided icmp_id option
227  *
228  * \retval 0 on Success
229  * \retval -1 on Failure
230  */
231 static int DetectIcmpIdSetup (DetectEngineCtx *de_ctx, Signature *s, const char *icmpidstr)
232 {
233  DetectIcmpIdData *iid = NULL;
234  SigMatch *sm = NULL;
235 
236  iid = DetectIcmpIdParse(icmpidstr);
237  if (iid == NULL) goto error;
238 
239  sm = SigMatchAlloc();
240  if (sm == NULL) goto error;
241 
242  sm->type = DETECT_ICMP_ID;
243  sm->ctx = (SigMatchCtx *)iid;
244 
247 
248  return 0;
249 
250 error:
251  if (iid != NULL) DetectIcmpIdFree(iid);
252  if (sm != NULL) SCFree(sm);
253  return -1;
254 
255 }
256 
257 /**
258  * \brief this function will free memory associated with DetectIcmpIdData
259  *
260  * \param ptr pointer to DetectIcmpIdData
261  */
262 void DetectIcmpIdFree (void *ptr)
263 {
264  DetectIcmpIdData *iid = (DetectIcmpIdData *)ptr;
265  SCFree(iid);
266 }
267 
268 /* prefilter code */
269 
270 static void
271 PrefilterPacketIcmpIdMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)
272 {
273  const PrefilterPacketHeaderCtx *ctx = pectx;
274 
275  uint16_t pid;
276  if (GetIcmpId(p, &pid) == FALSE)
277  return;
278 
279  if (pid == ctx->v1.u16[0])
280  {
281  SCLogDebug("packet matches ICMP ID %u", ctx->v1.u16[0]);
282  PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);
283  }
284 }
285 
286 static void
287 PrefilterPacketIcmpIdSet(PrefilterPacketHeaderValue *v, void *smctx)
288 {
289  const DetectIcmpIdData *a = smctx;
290  v->u16[0] = a->id;
291 }
292 
293 static _Bool
294 PrefilterPacketIcmpIdCompare(PrefilterPacketHeaderValue v, void *smctx)
295 {
296  const DetectIcmpIdData *a = smctx;
297  if (v.u16[0] == a->id)
298  return TRUE;
299  return FALSE;
300 }
301 
302 static int PrefilterSetupIcmpId(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
303 {
304  return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_ICMP_ID,
305  PrefilterPacketIcmpIdSet,
306  PrefilterPacketIcmpIdCompare,
307  PrefilterPacketIcmpIdMatch);
308 }
309 
310 static _Bool PrefilterIcmpIdIsPrefilterable(const Signature *s)
311 {
312  const SigMatch *sm;
313  for (sm = s->init_data->smlists[DETECT_SM_LIST_MATCH] ; sm != NULL; sm = sm->next) {
314  switch (sm->type) {
315  case DETECT_ICMP_ID:
316  return TRUE;
317  }
318  }
319  return FALSE;
320 }
321 
322 #ifdef UNITTESTS
323 #include "detect-engine.h"
324 #include "detect-engine-mpm.h"
325 
326 /**
327  * \test DetectIcmpIdParseTest01 is a test for setting a valid icmp_id value
328  */
329 static int DetectIcmpIdParseTest01 (void)
330 {
331  DetectIcmpIdData *iid = NULL;
332  iid = DetectIcmpIdParse("300");
333  if (iid != NULL && iid->id == htons(300)) {
334  DetectIcmpIdFree(iid);
335  return 1;
336  }
337  return 0;
338 }
339 
340 /**
341  * \test DetectIcmpIdParseTest02 is a test for setting a valid icmp_id value
342  * with spaces all around
343  */
344 static int DetectIcmpIdParseTest02 (void)
345 {
346  DetectIcmpIdData *iid = NULL;
347  iid = DetectIcmpIdParse(" 300 ");
348  if (iid != NULL && iid->id == htons(300)) {
349  DetectIcmpIdFree(iid);
350  return 1;
351  }
352  return 0;
353 }
354 
355 /**
356  * \test DetectIcmpIdParseTest03 is a test for setting a valid icmp_id value
357  * with quotation marks
358  */
359 static int DetectIcmpIdParseTest03 (void)
360 {
361  DetectIcmpIdData *iid = NULL;
362  iid = DetectIcmpIdParse("\"300\"");
363  if (iid != NULL && iid->id == htons(300)) {
364  DetectIcmpIdFree(iid);
365  return 1;
366  }
367  return 0;
368 }
369 
370 /**
371  * \test DetectIcmpIdParseTest04 is a test for setting a valid icmp_id value
372  * with quotation marks and spaces all around
373  */
374 static int DetectIcmpIdParseTest04 (void)
375 {
376  DetectIcmpIdData *iid = NULL;
377  iid = DetectIcmpIdParse(" \" 300 \"");
378  if (iid != NULL && iid->id == htons(300)) {
379  DetectIcmpIdFree(iid);
380  return 1;
381  }
382  return 0;
383 }
384 
385 /**
386  * \test DetectIcmpIdParseTest05 is a test for setting an invalid icmp_id
387  * value with missing quotation marks
388  */
389 static int DetectIcmpIdParseTest05 (void)
390 {
391  DetectIcmpIdData *iid = NULL;
392  iid = DetectIcmpIdParse("\"300");
393  if (iid == NULL) {
394  DetectIcmpIdFree(iid);
395  return 1;
396  }
397  return 0;
398 }
399 
400 /**
401  * \test DetectIcmpIdMatchTest01 is a test for checking the working of
402  * icmp_id keyword by creating 2 rules and matching a crafted packet
403  * against them. Only the first one shall trigger.
404  */
405 static int DetectIcmpIdMatchTest01 (void)
406 {
407  int result = 0;
408  Packet *p = NULL;
409  Signature *s = NULL;
410  ThreadVars th_v;
411  DetectEngineThreadCtx *det_ctx = NULL;
412 
413  memset(&th_v, 0, sizeof(ThreadVars));
414 
415  p = UTHBuildPacket(NULL, 0, IPPROTO_ICMP);
416  p->icmpv4vars.id = htons(21781);
417 
419  if (de_ctx == NULL) {
420  goto end;
421  }
422 
423  de_ctx->flags |= DE_QUIET;
424 
425  s = de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any (icmp_id:21781; sid:1;)");
426  if (s == NULL) {
427  goto end;
428  }
429 
430  s = s->next = SigInit(de_ctx, "alert icmp any any -> any any (icmp_id:21782; sid:2;)");
431  if (s == NULL) {
432  goto end;
433  }
434 
435  SigGroupBuild(de_ctx);
436  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
437 
438  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
439  if (PacketAlertCheck(p, 1) == 0) {
440  printf("sid 1 did not alert, but should have: ");
441  goto cleanup;
442  } else if (PacketAlertCheck(p, 2)) {
443  printf("sid 2 alerted, but should not have: ");
444  goto cleanup;
445  }
446 
447  result = 1;
448 
449 cleanup:
450  SigGroupCleanup(de_ctx);
451  SigCleanSignatures(de_ctx);
452 
453  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
454  DetectEngineCtxFree(de_ctx);
455 
456  UTHFreePackets(&p, 1);
457 end:
458  return result;
459 
460 }
461 
462 /**
463  * \test DetectIcmpIdMatchTest02 is a test for checking the working of
464  * icmp_id keyword by creating 1 rule and matching a crafted packet
465  * against them. The packet is an ICMP packet with no "id" field,
466  * therefore the rule should not trigger.
467  */
468 static int DetectIcmpIdMatchTest02 (void)
469 {
470  int result = 0;
471 
472  uint8_t raw_icmpv4[] = {
473  0x0b, 0x00, 0x8a, 0xdf, 0x00, 0x00, 0x00, 0x00,
474  0x45, 0x00, 0x00, 0x14, 0x25, 0x0c, 0x00, 0x00,
475  0xff, 0x11, 0x00, 0x00, 0x85, 0x64, 0xea, 0x5b,
476  0x51, 0xa6, 0xbb, 0x35, 0x59, 0x8a, 0x5a, 0xe2,
477  0x00, 0x14, 0x00, 0x00 };
478 
479  Packet *p = PacketGetFromAlloc();
480  if (unlikely(p == NULL))
481  return 0;
482  Signature *s = NULL;
483  DecodeThreadVars dtv;
484  ThreadVars th_v;
485  DetectEngineThreadCtx *det_ctx = NULL;
486  IPV4Hdr ip4h;
487 
488  memset(&ip4h, 0, sizeof(IPV4Hdr));
489  memset(&dtv, 0, sizeof(DecodeThreadVars));
490  memset(&th_v, 0, sizeof(ThreadVars));
491 
493 
494  p->src.addr_data32[0] = 0x01020304;
495  p->dst.addr_data32[0] = 0x04030201;
496 
497  ip4h.s_ip_src.s_addr = p->src.addr_data32[0];
498  ip4h.s_ip_dst.s_addr = p->dst.addr_data32[0];
499  p->ip4h = &ip4h;
500 
501  DecodeICMPV4(&th_v, &dtv, p, raw_icmpv4, sizeof(raw_icmpv4), NULL);
502 
504  if (de_ctx == NULL) {
505  goto end;
506  }
507 
508  de_ctx->flags |= DE_QUIET;
509 
510  s = de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any (icmp_id:0; sid:1;)");
511  if (s == NULL) {
512  goto end;
513  }
514 
515  SigGroupBuild(de_ctx);
516  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
517 
518  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
519  if (PacketAlertCheck(p, 1)) {
520  printf("sid 1 alerted, but should not have: ");
521  goto cleanup;
522  }
523 
524  result = 1;
525 
526 cleanup:
527  SigGroupCleanup(de_ctx);
528  SigCleanSignatures(de_ctx);
529 
530  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
531  DetectEngineCtxFree(de_ctx);
532 
533  FlowShutdown();
534 end:
535  SCFree(p);
536  return result;
537 }
538 #endif /* UNITTESTS */
539 
541 {
542 #ifdef UNITTESTS
543  UtRegisterTest("DetectIcmpIdParseTest01", DetectIcmpIdParseTest01);
544  UtRegisterTest("DetectIcmpIdParseTest02", DetectIcmpIdParseTest02);
545  UtRegisterTest("DetectIcmpIdParseTest03", DetectIcmpIdParseTest03);
546  UtRegisterTest("DetectIcmpIdParseTest04", DetectIcmpIdParseTest04);
547  UtRegisterTest("DetectIcmpIdParseTest05", DetectIcmpIdParseTest05);
548  UtRegisterTest("DetectIcmpIdMatchTest01", DetectIcmpIdMatchTest01);
549  UtRegisterTest("DetectIcmpIdMatchTest02", DetectIcmpIdMatchTest02);
550 #endif /* UNITTESTS */
551 }
552 
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1406
SignatureInitData * init_data
Definition: detect.h:563
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1149
#define SCLogDebug(...)
Definition: util-debug.h:335
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
Definition: detect.h:1152
int PrefilterSetupPacketHeader(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type, void(*Set)(PrefilterPacketHeaderValue *v, void *), _Bool(*Compare)(PrefilterPacketHeaderValue v, void *), void(*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
uint32_t flags
Definition: detect.h:496
_Bool(* SupportsPrefilter)(const Signature *s)
Definition: detect.h:1151
#define FALSE
#define unlikely(expr)
Definition: util-optimize.h:35
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Signature * sig_list
Definition: detect.h:729
#define ICMPV6_GET_ID(p)
#define FLOW_QUIET
Definition: flow.h:37
Address dst
Definition: decode.h:411
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Container for matching data for a signature group.
Definition: detect.h:1298
#define SIG_FLAG_REQUIRE_PACKET
Definition: detect.h:228
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
const char * name
Definition: detect.h:1163
#define ICMP6_ECHO_REQUEST
Definition: decode-icmpv6.h:43
Signature container.
Definition: detect.h:495
void DetectIcmpIdRegister(void)
Registration function for icode: icmp_id.
#define ICMPV4_GET_TYPE(p)
#define TRUE
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:317
struct SigMatch_ * next
Definition: detect.h:326
main detection engine ctx
Definition: detect.h:723
int DecodeICMPV4(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint32_t len, PacketQueue *pq)
Main ICMPv4 decoding function.
int ByteExtractStringUint16(uint16_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:264
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
#define ICMP6_ECHO_REPLY
Definition: decode-icmpv6.h:44
#define DE_QUIET
Definition: detect.h:296
uint8_t flags
Definition: detect.h:724
void(* Free)(void *)
Definition: detect.h:1154
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
#define PKT_IS_ICMPV6(p)
Definition: decode.h:254
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Structure to hold thread specific data for all decode modules.
Definition: decode.h:632
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1743
void DetectSetupParseRegexes(const char *parse_str, pcre **parse_regex, pcre_extra **parse_regex_study)
PrefilterRuleStore pmq
Definition: detect.h:1064
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
int SigGroupCleanup(DetectEngineCtx *de_ctx)
struct Signature_ * next
Definition: detect.h:566
uint8_t type
Definition: detect.h:323
const char * desc
Definition: detect.h:1165
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:288
struct SigMatch_ ** smlists
Definition: detect.h:489
IPV4Hdr * ip4h
Definition: decode.h:498
#define PARSE_REGEX
#define MAX_SUBSTRINGS
SigMatchCtx * ctx
Definition: detect.h:325
#define SCMalloc(a)
Definition: util-mem.h:166
#define ICMPV4_GET_ID(p)
#define SCFree(a)
Definition: util-mem.h:228
PoolThreadReserved res
#define SCNtohs(x)
void DetectIcmpIdRegisterTests(void)
void FlowShutdown(void)
shutdown the flow engine
Definition: flow.c:667
#define ICMPV6_GET_TYPE(p)
int(* Match)(ThreadVars *, DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1132
#define PKT_IS_ICMPV4(p)
Definition: decode.h:253
const char * url
Definition: detect.h:1166
#define DOC_URL
Definition: suricata.h:86
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1131
uint16_t id
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:232
Per thread variable structure.
Definition: threadvars.h:57
#define DOC_VERSION
Definition: suricata.h:91
void DetectIcmpIdFree(void *)
this function will free memory associated with DetectIcmpIdData
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself...
ICMPV4Vars icmpv4vars
Definition: decode.h:513
void(* RegisterTests)(void)
Definition: detect.h:1155
a single match condition for a signature
Definition: detect.h:322
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:140
Address src
Definition: decode.h:410
DetectEngineCtx * DetectEngineCtxInit(void)
void FlowInitConfig(char quiet)
initialize the configuration
Definition: flow.c:512