1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Gerardo Iglesias Galvan <iglesiasg@gmail.com>
22  *
23  * Implements the icmp_id keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 
29 #include "detect.h"
30 #include "detect-parse.h"
32 #include "detect-engine-build.h"
33 
34 #include "detect-icmp-id.h"
35 
36 #include "util-byte.h"
37 #include "util-unittest.h"
38 #include "util-unittest-helper.h"
39 #include "util-debug.h"
40 
/* Accepted syntax for the icmp_id option value: optional surrounding
 * whitespace, an optional opening double quote, a run of decimal digits and an
 * optional closing double quote.  Each quote group is independently optional,
 * so the regex alone also accepts mismatched quotes; DetectIcmpIdParse checks
 * that the quotes come in pairs after the match. */
#define PARSE_REGEX "^\\s*(\"\\s*)?([0-9]+)(\\s*\")?\\s*$"

/* Compiled form of PARSE_REGEX; set up once via DetectSetupParseRegexes in
 * the keyword's Register function and shared by every parse call. */
static DetectParseRegex parse_regex;

/* Per-packet match callback installed in sigmatch_table[DETECT_ICMP_ID]. */
static int DetectIcmpIdMatch(DetectEngineThreadCtx *, Packet *,
        const Signature *, const SigMatchCtx *);
/* Rule-parse callback: turns the option text into a SigMatch on the signature. */
static int DetectIcmpIdSetup(DetectEngineCtx *, Signature *, const char *);
#ifdef UNITTESTS
static void DetectIcmpIdRegisterTests(void);
#endif
/* Deliberately non-static: the unit tests below release parsed data through
 * it, and it presumably is exported via detect-icmp-id.h as well. */
void DetectIcmpIdFree(DetectEngineCtx *, void *);
/* Prefilter hooks: install the packet-header prefilter for a signature group,
 * and report whether a signature carries an icmp_id match that can use it. */
static int PrefilterSetupIcmpId(DetectEngineCtx *de_ctx, SigGroupHead *sgh);
static bool PrefilterIcmpIdIsPrefilterable(const Signature *s);
54 
55 /**
56  * \brief Registration function for the icmp_id keyword
57  */
59 {
60  sigmatch_table[DETECT_ICMP_ID].name = "icmp_id";
61  sigmatch_table[DETECT_ICMP_ID].desc = "check for a ICMP ID";
62  sigmatch_table[DETECT_ICMP_ID].url = "/rules/header-keywords.html#icmp-id";
63  sigmatch_table[DETECT_ICMP_ID].Match = DetectIcmpIdMatch;
64  sigmatch_table[DETECT_ICMP_ID].Setup = DetectIcmpIdSetup;
66 #ifdef UNITTESTS
67  sigmatch_table[DETECT_ICMP_ID].RegisterTests = DetectIcmpIdRegisterTests;
68 #endif
69  sigmatch_table[DETECT_ICMP_ID].SupportsPrefilter = PrefilterIcmpIdIsPrefilterable;
70  sigmatch_table[DETECT_ICMP_ID].SetupPrefilter = PrefilterSetupIcmpId;
71 
72  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
73 }
74 
75 static inline bool GetIcmpId(Packet *p, uint16_t *id)
76 {
77  if (PKT_IS_PSEUDOPKT(p))
78  return false;
79 
80  uint16_t pid;
81  if (PKT_IS_ICMPV4(p)) {
82  switch (ICMPV4_GET_TYPE(p)){
83  case ICMP_ECHOREPLY:
84  case ICMP_ECHO:
85  case ICMP_TIMESTAMP:
87  case ICMP_INFO_REQUEST:
88  case ICMP_INFO_REPLY:
89  case ICMP_ADDRESS:
90  case ICMP_ADDRESSREPLY:
91  SCLogDebug("ICMPV4_GET_ID(p) %"PRIu16" (network byte order), "
92  "%"PRIu16" (host byte order)", ICMPV4_GET_ID(p),
94 
95  pid = ICMPV4_GET_ID(p);
96  break;
97  default:
98  SCLogDebug("Packet has no id field");
99  return false;
100  }
101  } else if (PKT_IS_ICMPV6(p)) {
102  switch (ICMPV6_GET_TYPE(p)) {
103  case ICMP6_ECHO_REQUEST:
104  case ICMP6_ECHO_REPLY:
105  SCLogDebug("ICMPV6_GET_ID(p) %"PRIu16" (network byte order), "
106  "%"PRIu16" (host byte order)", ICMPV6_GET_ID(p),
107  SCNtohs(ICMPV6_GET_ID(p)));
108 
109  pid = ICMPV6_GET_ID(p);
110  break;
111  default:
112  SCLogDebug("Packet has no id field");
113  return false;
114  }
115  } else {
116  SCLogDebug("Packet not ICMPV4 nor ICMPV6");
117  return false;
118  }
119 
120  *id = pid;
121  return true;
122 }
123 
/**
 * \brief Match callback for the icmp_id keyword.
 *
 * Reads the identifier from the ICMP header and compares it with the value
 * stored at rule-parse time.  Both sides are kept in network byte order (the
 * parser stores htons() of the rule value), so no conversion happens here.
 *
 * \param det_ctx detection engine thread context (not used by this keyword)
 * \param p       packet under inspection
 * \param s       signature being evaluated (not used by this keyword)
 * \param ctx     SigMatchCtx that really is a DetectIcmpIdData
 *
 * \retval 1 the packet carries an ICMP id equal to the rule's value
 * \retval 0 no id field (pseudo packet, non-ICMP, or an ICMP type without an
 *           identifier) or the ids differ
 */
static int DetectIcmpIdMatch (DetectEngineThreadCtx *det_ctx, Packet *p,
        const Signature *s, const SigMatchCtx *ctx)
{
    const DetectIcmpIdData *rule = (const DetectIcmpIdData *)ctx;
    uint16_t packet_id = 0;

    /* GetIcmpId only succeeds for ICMP types that actually carry an id. */
    if (!GetIcmpId(p, &packet_id)) {
        return 0;
    }

    return (packet_id == rule->id) ? 1 : 0;
}
149 
/**
 * \brief Parse the argument of an icmp_id rule option.
 *
 * Accepts what PARSE_REGEX matches: an unsigned decimal number, optionally
 * wrapped in double quotes and optionally padded with whitespace.  The regex
 * treats each quote as independently optional, so mismatched quotes pass the
 * regex and are rejected here instead.
 *
 * The input is rule text, not packet data.  The digit-only capture group and
 * StringParseUint16 bound the value (out-of-range numbers are expected to make
 * StringParseUint16 fail -- confirm against util-byte.c).
 *
 * \param de_ctx    detection engine context, forwarded to DetectIcmpIdFree on error
 * \param icmpidstr user supplied option text
 *
 * \retval iid  newly allocated DetectIcmpIdData whose \c id is in network byte
 *              order; the caller owns it and releases it with DetectIcmpIdFree
 * \retval NULL regex mismatch, substring extraction failure, allocation
 *              failure, mismatched quotes or an unparsable number
 */
static DetectIcmpIdData *DetectIcmpIdParse (DetectEngineCtx *de_ctx, const char *icmpidstr)
{
    DetectIcmpIdData *iid = NULL;
    /* capture[0]: opening quote group, capture[1]: digits, capture[2]: closing quote */
    char *capture[3] = { NULL, NULL, NULL };
    bool parsed = false;
    bool has_open_quote = false;
    uint16_t id = 0;
    size_t pcre2_len = 0;

    /* ret is (highest matched group + 1); the pattern has three groups, so 1..4 */
    int ret = DetectParsePcreExec(&parse_regex, icmpidstr, 0, 0);
    if (ret < 1 || ret > 4) {
        SCLogError(SC_ERR_PCRE_MATCH, "Parse error %s", icmpidstr);
        goto cleanup;
    }

    for (int grp = 1; grp < ret; grp++) {
        const char *str_ptr = NULL;
        int res = SC_Pcre2SubstringGet(parse_regex.match, grp, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
        if (res < 0) {
            SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre2_substring_get_bynumber failed");
            goto cleanup;
        }
        capture[grp - 1] = (char *)str_ptr;
    }

    iid = SCMalloc(sizeof(DetectIcmpIdData));
    if (unlikely(iid == NULL))
        goto cleanup;
    iid->id = 0;

    /* Quotes must come in pairs; the regex cannot enforce that on its own. */
    has_open_quote = (capture[0] != NULL && strlen(capture[0]) != 0);
    if (has_open_quote && capture[2] == NULL) {
        SCLogError(SC_ERR_INVALID_ARGUMENT, "Missing close quote in input");
        goto cleanup;
    }
    if (!has_open_quote && capture[2] != NULL) {
        SCLogError(SC_ERR_INVALID_ARGUMENT, "Missing open quote in input");
        goto cleanup;
    }

    if (StringParseUint16(&id, 10, 0, capture[1]) < 0) {
        SCLogError(SC_ERR_INVALID_ARGUMENT, "specified icmp id %s is not "
                   "valid", capture[1]);
        goto cleanup;
    }
    /* Stored in network byte order so the match compares the raw header field. */
    iid->id = htons(id);
    parsed = true;

cleanup:
    /* The pcre2 substrings are always released, on success and on failure. */
    for (int grp = 0; grp < 3; grp++) {
        if (capture[grp] != NULL)
            pcre2_substring_free((PCRE2_UCHAR8 *)capture[grp]);
    }
    if (!parsed && iid != NULL) {
        DetectIcmpIdFree(de_ctx, iid);
        iid = NULL;
    }
    return iid;
}
223 
224 /**
225  * \brief this function is used to add the parsed icmp_id data into the current signature
226  *
227  * \param de_ctx pointer to the Detection Engine Context
228  * \param s pointer to the Current Signature
229  * \param icmpidstr pointer to the user provided icmp_id option
230  *
231  * \retval 0 on Success
232  * \retval -1 on Failure
233  */
234 static int DetectIcmpIdSetup (DetectEngineCtx *de_ctx, Signature *s, const char *icmpidstr)
235 {
236  DetectIcmpIdData *iid = NULL;
237  SigMatch *sm = NULL;
238 
239  iid = DetectIcmpIdParse(de_ctx, icmpidstr);
240  if (iid == NULL) goto error;
241 
242  sm = SigMatchAlloc();
243  if (sm == NULL) goto error;
244 
245  sm->type = DETECT_ICMP_ID;
246  sm->ctx = (SigMatchCtx *)iid;
247 
250 
251  return 0;
252 
253 error:
254  if (iid != NULL) DetectIcmpIdFree(de_ctx, iid);
255  if (sm != NULL) SCFree(sm);
256  return -1;
257 
258 }
259 
260 /**
261  * \brief this function will free memory associated with DetectIcmpIdData
262  *
263  * \param ptr pointer to DetectIcmpIdData
264  */
266 {
267  DetectIcmpIdData *iid = (DetectIcmpIdData *)ptr;
268  SCFree(iid);
269 }
270 
271 /* prefilter code */
272 
/**
 * \brief Packet-header prefilter callback for icmp_id.
 *
 * Compares the packet's ICMP id against the value cached in the prefilter
 * context (v1.u16[0], filled by PrefilterPacketIcmpIdSet) and, on a hit,
 * queues the group's signatures for full inspection.
 *
 * \param det_ctx thread context whose pmq receives the candidate sids
 * \param p       packet under inspection
 * \param pectx   PrefilterPacketHeaderCtx for this signature group
 */
static void
PrefilterPacketIcmpIdMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)
{
    const PrefilterPacketHeaderCtx *hdr_ctx = pectx;
    uint16_t packet_id = 0;

    /* Packets without an ICMP identifier can never match. */
    if (!GetIcmpId(p, &packet_id))
        return;

    if (packet_id != hdr_ctx->v1.u16[0])
        return;

    /* The logged value is in network byte order, exactly as stored. */
    SCLogDebug("packet matches ICMP ID %u", hdr_ctx->v1.u16[0]);
    PrefilterAddSids(&det_ctx->pmq, hdr_ctx->sigs_array, hdr_ctx->sigs_cnt);
}
288 
/**
 * \brief Copy a rule's icmp_id value into the prefilter header value.
 *
 * \param v     prefilter value; slot u16[0] receives the id (network byte order,
 *              as stored by DetectIcmpIdParse)
 * \param smctx DetectIcmpIdData taken from the rule's SigMatch
 */
static void
PrefilterPacketIcmpIdSet(PrefilterPacketHeaderValue *v, void *smctx)
{
    const DetectIcmpIdData *rule = smctx;

    v->u16[0] = rule->id;
}
295 
/**
 * \brief Tell whether a rule's icmp_id equals a cached prefilter value.
 *
 * Presumably used while building prefilter groups so that rules carrying the
 * same id can share one entry -- confirm in detect-engine-prefilter-common.c.
 *
 * \param v     cached prefilter value (id in u16[0])
 * \param smctx DetectIcmpIdData of the rule being examined
 *
 * \retval true  the ids are equal
 * \retval false the ids differ
 */
static bool
PrefilterPacketIcmpIdCompare(PrefilterPacketHeaderValue v, void *smctx)
{
    const DetectIcmpIdData *rule = smctx;

    return rule->id == v.u16[0];
}
304 
305 static int PrefilterSetupIcmpId(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
306 {
308  PrefilterPacketIcmpIdSet,
309  PrefilterPacketIcmpIdCompare,
310  PrefilterPacketIcmpIdMatch);
311 }
312 
/**
 * \brief Report whether a signature has an icmp_id match in its packet match list.
 *
 * \param s signature being prepared for prefiltering
 *
 * \retval true  at least one DETECT_ICMP_ID SigMatch is in DETECT_SM_LIST_MATCH
 * \retval false none found
 */
static bool PrefilterIcmpIdIsPrefilterable(const Signature *s)
{
    const SigMatch *entry = s->init_data->smlists[DETECT_SM_LIST_MATCH];

    while (entry != NULL) {
        if (entry->type == DETECT_ICMP_ID)
            return true;
        entry = entry->next;
    }
    return false;
}
324 
325 #ifdef UNITTESTS
326 #include "detect-engine.h"
327 #include "detect-engine-mpm.h"
328 
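/**
 * \test DetectIcmpIdParseTest01 is a test for setting a valid icmp_id value
 *
 * \retval 1 "300" parses and is stored as htons(300)
 * \retval 0 parse failure or a wrong stored value
 */
static int DetectIcmpIdParseTest01 (void)
{
    DetectIcmpIdData *iid = DetectIcmpIdParse(NULL, "300");
    if (iid == NULL)
        return 0;

    /* The parser stores the id with htons(), so compare in network byte order. */
    int passed = (iid->id == htons(300)) ? 1 : 0;
    /* Release on both outcomes so a failing test does not leak the parsed data. */
    DetectIcmpIdFree(NULL, iid);
    return passed;
}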
342 
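/**
 * \test DetectIcmpIdParseTest02 is a test for setting a valid icmp_id value
 * with spaces all around
 *
 * \retval 1 " 300 " parses and is stored as htons(300)
 * \retval 0 parse failure or a wrong stored value
 */
static int DetectIcmpIdParseTest02 (void)
{
    DetectIcmpIdData *iid = DetectIcmpIdParse(NULL, " 300 ");
    if (iid == NULL)
        return 0;

    /* The parser stores the id with htons(), so compare in network byte order. */
    int passed = (iid->id == htons(300)) ? 1 : 0;
    /* Release on both outcomes so a failing test does not leak the parsed data. */
    DetectIcmpIdFree(NULL, iid);
    return passed;
}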
357 
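/**
 * \test DetectIcmpIdParseTest03 is a test for setting a valid icmp_id value
 * with quotation marks
 *
 * \retval 1 "\"300\"" parses and is stored as htons(300)
 * \retval 0 parse failure or a wrong stored value
 */
static int DetectIcmpIdParseTest03 (void)
{
    DetectIcmpIdData *iid = DetectIcmpIdParse(NULL, "\"300\"");
    if (iid == NULL)
        return 0;

    /* The parser stores the id with htons(), so compare in network byte order. */
    int passed = (iid->id == htons(300)) ? 1 : 0;
    /* Release on both outcomes so a failing test does not leak the parsed data. */
    DetectIcmpIdFree(NULL, iid);
    return passed;
}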
372 
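/**
 * \test DetectIcmpIdParseTest04 is a test for setting a valid icmp_id value
 * with quotation marks and spaces all around
 *
 * \retval 1 " \" 300 \"" parses and is stored as htons(300)
 * \retval 0 parse failure or a wrong stored value
 */
static int DetectIcmpIdParseTest04 (void)
{
    DetectIcmpIdData *iid = DetectIcmpIdParse(NULL, " \" 300 \"");
    if (iid == NULL)
        return 0;

    /* The parser stores the id with htons(), so compare in network byte order. */
    int passed = (iid->id == htons(300)) ? 1 : 0;
    /* Release on both outcomes so a failing test does not leak the parsed data. */
    DetectIcmpIdFree(NULL, iid);
    return passed;
}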
387 
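/**
 * \test DetectIcmpIdParseTest05 is a test for setting an invalid icmp_id
 * value with missing quotation marks
 *
 * The regex accepts the opening quote on its own; the parser must notice the
 * missing closing quote and return NULL.
 *
 * \retval 1 "\"300" is rejected
 * \retval 0 the parser accepted the mismatched quotes
 */
static int DetectIcmpIdParseTest05 (void)
{
    DetectIcmpIdData *iid = DetectIcmpIdParse(NULL, "\"300");
    if (iid != NULL) {
        /* Unexpected success: release the data so the failing test does not leak. */
        DetectIcmpIdFree(NULL, iid);
        return 0;
    }
    /* Nothing to free on the expected path; iid is NULL here. */
    return 1;
}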
402 
403 /**
404  * \test DetectIcmpIdMatchTest01 is a test for checking the working of
405  * icmp_id keyword by creating 2 rules and matching a crafted packet
406  * against them. Only the first one shall trigger.
407  */
408 static int DetectIcmpIdMatchTest01 (void)
409 {
410  int result = 0;
411  Packet *p = NULL;
412  Signature *s = NULL;
413  ThreadVars th_v;
414  DetectEngineThreadCtx *det_ctx = NULL;
415 
416  memset(&th_v, 0, sizeof(ThreadVars));
417 
418  p = UTHBuildPacket(NULL, 0, IPPROTO_ICMP);
419  p->icmpv4vars.id = htons(21781);
420 
422  if (de_ctx == NULL) {
423  goto end;
424  }
425 
426  de_ctx->flags |= DE_QUIET;
427 
428  s = de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any (icmp_id:21781; sid:1;)");
429  if (s == NULL) {
430  goto end;
431  }
432 
433  s = s->next = SigInit(de_ctx, "alert icmp any any -> any any (icmp_id:21782; sid:2;)");
434  if (s == NULL) {
435  goto end;
436  }
437 
439  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
440 
441  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
442  if (PacketAlertCheck(p, 1) == 0) {
443  printf("sid 1 did not alert, but should have: ");
444  goto cleanup;
445  } else if (PacketAlertCheck(p, 2)) {
446  printf("sid 2 alerted, but should not have: ");
447  goto cleanup;
448  }
449 
450  result = 1;
451 
452 cleanup:
455 
456  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
458 
459  UTHFreePackets(&p, 1);
460 end:
461  return result;
462 
463 }
464 
465 /**
466  * \test DetectIcmpIdMatchTest02 is a test for checking the working of
467  * icmp_id keyword by creating 1 rule and matching a crafted packet
468  * against it. The packet is an ICMP packet with no "id" field,
469  * therefore the rule should not trigger.
470  */
471 static int DetectIcmpIdMatchTest02 (void)
472 {
473  int result = 0;
474 
475  uint8_t raw_icmpv4[] = {
476  0x0b, 0x00, 0x8a, 0xdf, 0x00, 0x00, 0x00, 0x00,
477  0x45, 0x00, 0x00, 0x14, 0x25, 0x0c, 0x00, 0x00,
478  0xff, 0x11, 0x00, 0x00, 0x85, 0x64, 0xea, 0x5b,
479  0x51, 0xa6, 0xbb, 0x35, 0x59, 0x8a, 0x5a, 0xe2,
480  0x00, 0x14, 0x00, 0x00 };
481 
482  Packet *p = PacketGetFromAlloc();
483  if (unlikely(p == NULL))
484  return 0;
485  Signature *s = NULL;
487  ThreadVars th_v;
488  DetectEngineThreadCtx *det_ctx = NULL;
489  IPV4Hdr ip4h;
490 
491  memset(&ip4h, 0, sizeof(IPV4Hdr));
492  memset(&dtv, 0, sizeof(DecodeThreadVars));
493  memset(&th_v, 0, sizeof(ThreadVars));
494 
496 
497  p->src.addr_data32[0] = 0x01020304;
498  p->dst.addr_data32[0] = 0x04030201;
499 
500  ip4h.s_ip_src.s_addr = p->src.addr_data32[0];
501  ip4h.s_ip_dst.s_addr = p->dst.addr_data32[0];
502  p->ip4h = &ip4h;
503 
504  DecodeICMPV4(&th_v, &dtv, p, raw_icmpv4, sizeof(raw_icmpv4));
505 
507  if (de_ctx == NULL) {
508  goto end;
509  }
510 
511  de_ctx->flags |= DE_QUIET;
512 
513  s = de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any (icmp_id:0; sid:1;)");
514  if (s == NULL) {
515  goto end;
516  }
517 
519  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
520 
521  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
522  if (PacketAlertCheck(p, 1)) {
523  printf("sid 1 alerted, but should not have: ");
524  goto cleanup;
525  }
526 
527  result = 1;
528 
529 cleanup:
532 
533  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
535 
536  FlowShutdown();
537 end:
538  SCFree(p);
539  return result;
540 }
541 
/**
 * \brief Register this file's unit tests with the unittest framework.
 *
 * Tests are registered in table order, which matches the order they are
 * defined above.
 */
static void DetectIcmpIdRegisterTests (void)
{
    static const struct {
        const char *name;
        int (*fn)(void);
    } tests[] = {
        { "DetectIcmpIdParseTest01", DetectIcmpIdParseTest01 },
        { "DetectIcmpIdParseTest02", DetectIcmpIdParseTest02 },
        { "DetectIcmpIdParseTest03", DetectIcmpIdParseTest03 },
        { "DetectIcmpIdParseTest04", DetectIcmpIdParseTest04 },
        { "DetectIcmpIdParseTest05", DetectIcmpIdParseTest05 },
        { "DetectIcmpIdMatchTest01", DetectIcmpIdMatchTest01 },
        { "DetectIcmpIdMatchTest02", DetectIcmpIdMatchTest02 },
    };

    for (size_t i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
        UtRegisterTest(tests[i].name, tests[i].fn);
    }
}
552 #endif /* UNITTESTS */