1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Gerardo Iglesias Galvan <iglesiasg@gmail.com>
22  *
23  * Implements the icmp_id keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 
29 #include "detect.h"
30 #include "detect-parse.h"
32 #include "detect-engine-build.h"
33 #include "detect-engine-alert.h"
34 
35 #include "detect-icmp-id.h"
36 
37 #include "util-byte.h"
38 #include "util-unittest.h"
39 #include "util-unittest-helper.h"
40 #include "util-debug.h"
41 
/* Accepted syntax for the icmp_id option value: optional surrounding
 * whitespace, an optional pair of double quotes, and a run of decimal
 * digits. Capture group 1 is the opening quote (plus any whitespace after
 * it), group 2 the digits and group 3 the closing quote (plus any
 * whitespace before it); DetectIcmpIdParse() checks that the quotes come
 * as a pair. Only [0-9] is allowed, so signs, hex and separators are
 * rejected by the regex before any integer conversion takes place. */
#define PARSE_REGEX "^\\s*(\"\\s*)?([0-9]+)(\\s*\")?\\s*$"

/* Compiled form of PARSE_REGEX, filled in by DetectSetupParseRegexes()
 * from the keyword's register function. */
static DetectParseRegex parse_regex;

static int DetectIcmpIdMatch(DetectEngineThreadCtx *, Packet *,
        const Signature *, const SigMatchCtx *);
static int DetectIcmpIdSetup(DetectEngineCtx *, Signature *, const char *);
#ifdef UNITTESTS
static void DetectIcmpIdRegisterTests(void);
#endif
void DetectIcmpIdFree(DetectEngineCtx *, void *);
static int PrefilterSetupIcmpId(DetectEngineCtx *de_ctx, SigGroupHead *sgh);
static bool PrefilterIcmpIdIsPrefilterable(const Signature *s);
55 
/**
 * \brief Registration function for the icmp_id keyword
 *
 * Fills the sigmatch_table slot for DETECT_ICMP_ID (keyword name,
 * description, documentation URL, match/setup callbacks, the prefilter
 * hooks and, under UNITTESTS, the test registration) and compiles
 * PARSE_REGEX into the file-scope parse_regex.
 *
 * NOTE(review): the function signature (original line 59; the symbol
 * index gives it as `void DetectIcmpIdRegister(void)`) and original
 * line 66 are not shown in this rendering. The index lists
 * SigTableElmt_::Free as referenced from this file, so line 66 is
 * presumably the `.Free = DetectIcmpIdFree` assignment -- confirm
 * against the upstream source.
 */
{
    sigmatch_table[DETECT_ICMP_ID].name = "icmp_id";
    sigmatch_table[DETECT_ICMP_ID].desc = "check for a ICMP ID";
    sigmatch_table[DETECT_ICMP_ID].url = "/rules/header-keywords.html#icmp-id";
    sigmatch_table[DETECT_ICMP_ID].Match = DetectIcmpIdMatch;
    sigmatch_table[DETECT_ICMP_ID].Setup = DetectIcmpIdSetup;
#ifdef UNITTESTS
    sigmatch_table[DETECT_ICMP_ID].RegisterTests = DetectIcmpIdRegisterTests;
#endif
    sigmatch_table[DETECT_ICMP_ID].SupportsPrefilter = PrefilterIcmpIdIsPrefilterable;
    sigmatch_table[DETECT_ICMP_ID].SetupPrefilter = PrefilterSetupIcmpId;

    DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
}
75 
/**
 * \brief Fetch the 16-bit ICMP identifier carried by a packet, if any.
 *
 * Only message types whose header actually has an identifier field are
 * considered: for ICMPv4 the echo, timestamp, information and address
 * requests/replies, for ICMPv6 only echo request/reply. Every other
 * type, every non-ICMP packet and every pseudo packet yields no id.
 *
 * The value is handed back exactly as it sits on the wire (network byte
 * order); callers compare it against rule values that were stored with
 * htons() at parse time, so no byte swap happens anywhere on the match
 * path.
 *
 * NOTE(review): original lines 87 and 94 are not shown in this rendering.
 * The ICMP_TIMESTAMPREPLY case and the SCNtohs() argument of the debug
 * log are restored here from the symbol index and the parallel ICMPv6
 * branch -- confirm against the upstream source.
 *
 * \param p  packet to inspect
 * \param id receives the identifier (network byte order) on success
 *
 * \retval true  *id was set
 * \retval false the packet has no identifier field; *id is left untouched
 */
static inline bool GetIcmpId(Packet *p, uint16_t *id)
{
    if (PKT_IS_PSEUDOPKT(p))
        return false;

    if (PKT_IS_ICMPV4(p)) {
        switch (ICMPV4_GET_TYPE(p)) {
            case ICMP_ECHOREPLY:
            case ICMP_ECHO:
            case ICMP_TIMESTAMP:
            case ICMP_TIMESTAMPREPLY:
            case ICMP_INFO_REQUEST:
            case ICMP_INFO_REPLY:
            case ICMP_ADDRESS:
            case ICMP_ADDRESSREPLY:
                break;
            default:
                SCLogDebug("Packet has no id field");
                return false;
        }
        SCLogDebug("ICMPV4_GET_ID(p) %"PRIu16" (network byte order), "
                   "%"PRIu16" (host byte order)", ICMPV4_GET_ID(p),
                   SCNtohs(ICMPV4_GET_ID(p)));
        *id = ICMPV4_GET_ID(p);
        return true;
    }

    if (PKT_IS_ICMPV6(p)) {
        switch (ICMPV6_GET_TYPE(p)) {
            case ICMP6_ECHO_REQUEST:
            case ICMP6_ECHO_REPLY:
                break;
            default:
                SCLogDebug("Packet has no id field");
                return false;
        }
        SCLogDebug("ICMPV6_GET_ID(p) %"PRIu16" (network byte order), "
                   "%"PRIu16" (host byte order)", ICMPV6_GET_ID(p),
                   SCNtohs(ICMPV6_GET_ID(p)));
        *id = ICMPV6_GET_ID(p);
        return true;
    }

    SCLogDebug("Packet not ICMPV4 nor ICMPV6");
    return false;
}
124 
/**
 * \brief Match callback for the icmp_id keyword.
 *
 * Compares the packet's ICMP identifier with the value stored in the
 * rule's DetectIcmpIdData. Both sides are in network byte order (the
 * rule value was converted with htons() when parsed), so the comparison
 * is a plain equality test. Packets that carry no identifier field never
 * match, including against a rule that asks for id 0.
 *
 * \param det_ctx thread detection context (unused)
 * \param p       packet being inspected
 * \param s       signature being evaluated (unused)
 * \param ctx     SigMatchCtx holding the DetectIcmpIdData of this rule
 *
 * \retval 1 the identifier matches
 * \retval 0 no match, or the packet has no identifier
 */
static int DetectIcmpIdMatch (DetectEngineThreadCtx *det_ctx, Packet *p,
        const Signature *s, const SigMatchCtx *ctx)
{
    const DetectIcmpIdData *want = (const DetectIcmpIdData *)ctx;
    uint16_t have;

    if (!GetIcmpId(p, &have))
        return 0;

    return (have == want->id) ? 1 : 0;
}
150 
/**
 * \brief Parse the value given to the icmp_id keyword.
 *
 * The text must satisfy PARSE_REGEX: optional whitespace, an optional
 * pair of double quotes and a run of decimal digits. Quotes are accepted
 * only as a pair; a lone opening or closing quote is an error. The
 * digits are converted with StringParseUint16() and the result is stored
 * with htons(), so DetectIcmpIdData::id is in network byte order and can
 * be compared directly with the wire value returned by GetIcmpId().
 *
 * \param de_ctx    detection engine context (only passed on to DetectIcmpIdFree())
 * \param icmpidstr user provided option text
 *
 * \retval non-NULL newly allocated DetectIcmpIdData; the caller owns it
 *         and releases it with DetectIcmpIdFree()
 * \retval NULL     parse or allocation failure (already logged)
 */
static DetectIcmpIdData *DetectIcmpIdParse (DetectEngineCtx *de_ctx, const char *icmpidstr)
{
    DetectIcmpIdData *iid = NULL;
    pcre2_match_data *match = NULL;
    /* captured groups: [0] opening quote, [1] digits, [2] closing quote */
    char *substr[3] = {NULL, NULL, NULL};
    bool ok = false;
    int i;

    int ret = DetectParsePcreExec(&parse_regex, &match, icmpidstr, 0, 0);
    if (ret < 1 || ret > 4) {
        SCLogError("Parse error %s", icmpidstr);
        goto cleanup;
    }

    /* only groups below the highest one that participated are fetched;
     * anything beyond that stays NULL */
    for (i = 1; i < ret; i++) {
        const char *group = NULL;
        size_t group_len = 0;
        if (SC_Pcre2SubstringGet(match, i, (PCRE2_UCHAR8 **)&group, &group_len) < 0) {
            SCLogError("pcre2_substring_get_bynumber failed");
            goto cleanup;
        }
        substr[i - 1] = (char *)group;
    }

    iid = SCMalloc(sizeof(DetectIcmpIdData));
    if (unlikely(iid == NULL))
        goto cleanup;
    iid->id = 0;

    /* the quotes must be balanced */
    const bool opened = (substr[0] != NULL && strlen(substr[0]) != 0);
    const bool closed = (substr[2] != NULL);
    if (opened && !closed) {
        SCLogError("Missing close quote in input");
        goto cleanup;
    }
    if (!opened && closed) {
        SCLogError("Missing open quote in input");
        goto cleanup;
    }

    uint16_t id = 0;
    if (StringParseUint16(&id, 10, 0, substr[1]) < 0) {
        SCLogError("specified icmp id %s is not "
                   "valid",
                   substr[1]);
        goto cleanup;
    }
    /* keep network byte order so the match path needs no swap */
    iid->id = htons(id);
    ok = true;

cleanup:
    for (i = 0; i < 3; i++) {
        if (substr[i] != NULL)
            pcre2_substring_free((PCRE2_UCHAR8 *)substr[i]);
    }
    if (match != NULL)
        pcre2_match_data_free(match);
    if (!ok && iid != NULL) {
        DetectIcmpIdFree(de_ctx, iid);
        iid = NULL;
    }
    return iid;
}
230 
/**
 * \brief this function is used to add the parsed icmp_id data into the current signature
 *
 * Parses the option text and allocates a SigMatch of type DETECT_ICMP_ID
 * whose ctx is the parsed DetectIcmpIdData. On any failure both the parsed
 * data and the SigMatch are released before returning.
 *
 * NOTE(review): original lines 255-256 are not shown in this rendering.
 * The symbol index lists SigMatchAppendSMToList(), DETECT_SM_LIST_MATCH,
 * Signature_::flags and SIG_FLAG_REQUIRE_PACKET as referenced from this
 * file, so those lines presumably append sm to the signature's match
 * list and set the require-packet flag. As shown here sm is never
 * attached and would leak -- confirm against the upstream source.
 *
 * \param de_ctx pointer to the Detection Engine Context
 * \param s pointer to the Current Signature
 * \param icmpidstr pointer to the user provided icmp_id option
 *
 * \retval 0 on Success
 * \retval -1 on Failure
 */
static int DetectIcmpIdSetup (DetectEngineCtx *de_ctx, Signature *s, const char *icmpidstr)
{
    DetectIcmpIdData *iid = NULL;
    SigMatch *sm = NULL;

    iid = DetectIcmpIdParse(de_ctx, icmpidstr);
    if (iid == NULL) goto error;

    sm = SigMatchAlloc();
    if (sm == NULL) goto error;

    sm->type = DETECT_ICMP_ID;
    sm->ctx = (SigMatchCtx *)iid;

    return 0;

error:
    /* iid is owned by this function until it is attached to a signature */
    if (iid != NULL) DetectIcmpIdFree(de_ctx, iid);
    if (sm != NULL) SCFree(sm);
    return -1;

}
266 
/**
 * \brief this function will free memory associated with DetectIcmpIdData
 *
 * The structure holds no nested allocations, so a single SCFree()
 * releases it. Used on the parse and setup error paths and by the
 * unit tests.
 *
 * NOTE(review): the signature line (original line 272; the symbol index
 * gives it as `void DetectIcmpIdFree(DetectEngineCtx *, void *)`) is not
 * shown in this rendering.
 *
 * \param de_ctx detection engine context (unused)
 * \param ptr pointer to DetectIcmpIdData
 */
{
    DetectIcmpIdData *iid = (DetectIcmpIdData *)ptr;
    SCFree(iid);
}
277 
278 /* prefilter code */
279 
/**
 * \brief Prefilter callback: queue every rule of the group whose icmp_id
 *        value equals the packet's identifier.
 *
 * The group's shared value was filled by PrefilterPacketIcmpIdSet() and
 * is therefore in network byte order, like the value GetIcmpId() returns.
 *
 * \param det_ctx thread detection context; matching sids go to det_ctx->pmq
 * \param p       packet being inspected
 * \param pectx   PrefilterPacketHeaderCtx whose v1.u16[0] holds the id
 */
static void
PrefilterPacketIcmpIdMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)
{
    const PrefilterPacketHeaderCtx *hdr_ctx = pectx;
    uint16_t packet_id;

    /* no identifier field: nothing in this group can match */
    if (!GetIcmpId(p, &packet_id))
        return;

    if (packet_id != hdr_ctx->v1.u16[0])
        return;

    SCLogDebug("packet matches ICMP ID %u", hdr_ctx->v1.u16[0]);
    PrefilterAddSids(&det_ctx->pmq, hdr_ctx->sigs_array, hdr_ctx->sigs_cnt);
}
295 
/**
 * \brief Copy a rule's icmp_id value into the group's prefilter value.
 *
 * \param v     prefilter header value to fill; slot u16[0] receives the id
 * \param smctx DetectIcmpIdData of the rule (id in network byte order)
 */
static void
PrefilterPacketIcmpIdSet(PrefilterPacketHeaderValue *v, void *smctx)
{
    const DetectIcmpIdData *rule_data = smctx;

    v->u16[0] = rule_data->id;
}
302 
/**
 * \brief Tell whether a rule's icmp_id value equals an existing
 *        prefilter value, so rules with the same id can share a group.
 *
 * \param v     prefilter header value already set up (id in u16[0])
 * \param smctx DetectIcmpIdData of the rule being compared
 *
 * \retval true  same id
 * \retval false different id
 */
static bool
PrefilterPacketIcmpIdCompare(PrefilterPacketHeaderValue v, void *smctx)
{
    const DetectIcmpIdData *rule_data = smctx;

    return v.u16[0] == rule_data->id;
}
311 
/**
 * \brief Install the packet-header prefilter for icmp_id on a signature group.
 *
 * Wires the Set/Compare/Match callbacks above into the generic
 * packet-header prefilter (PrefilterSetupPacketHeader() per the symbol
 * index) for DETECT_ICMP_ID.
 *
 * NOTE(review): original line 314, presumably the
 * `return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_ICMP_ID,` line
 * that opens this call, is not shown in this rendering -- confirm
 * against the upstream source.
 *
 * \param de_ctx detection engine context
 * \param sgh    signature group to attach the prefilter to
 */
static int PrefilterSetupIcmpId(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
{
            PrefilterPacketIcmpIdSet,
            PrefilterPacketIcmpIdCompare,
            PrefilterPacketIcmpIdMatch);
}
319 
/**
 * \brief Report whether a signature uses icmp_id and can therefore be
 *        served by the packet-header prefilter.
 *
 * Walks the signature's DETECT_SM_LIST_MATCH list looking for a SigMatch
 * of type DETECT_ICMP_ID.
 *
 * \param s signature being built
 *
 * \retval true  an icmp_id match is present
 * \retval false none found
 */
static bool PrefilterIcmpIdIsPrefilterable(const Signature *s)
{
    const SigMatch *cur = s->init_data->smlists[DETECT_SM_LIST_MATCH];

    for (; cur != NULL; cur = cur->next) {
        if (cur->type == DETECT_ICMP_ID)
            return true;
    }

    return false;
}
331 
332 #ifdef UNITTESTS
333 #include "detect-engine.h"
334 #include "detect-engine-mpm.h"
335 
/**
 * \test DetectIcmpIdParseTest01: a bare decimal value is accepted and
 * stored in network byte order.
 */
static int DetectIcmpIdParseTest01 (void)
{
    DetectIcmpIdData *parsed = DetectIcmpIdParse(NULL, "300");

    FAIL_IF_NULL(parsed);
    /* the parser keeps the id as htons(value) */
    FAIL_IF_NOT(parsed->id == htons(300));

    DetectIcmpIdFree(NULL, parsed);
    PASS;
}
347 
/**
 * \test DetectIcmpIdParseTest02: whitespace on both sides of the value is
 * ignored and the value itself is still stored in network byte order.
 */
static int DetectIcmpIdParseTest02 (void)
{
    DetectIcmpIdData *parsed = DetectIcmpIdParse(NULL, " 300 ");

    FAIL_IF_NULL(parsed);
    FAIL_IF_NOT(parsed->id == htons(300));

    DetectIcmpIdFree(NULL, parsed);
    PASS;
}
360 
/**
 * \test DetectIcmpIdParseTest03: a value wrapped in a matching pair of
 * double quotes is accepted.
 */
static int DetectIcmpIdParseTest03 (void)
{
    DetectIcmpIdData *parsed = DetectIcmpIdParse(NULL, "\"300\"");

    FAIL_IF_NULL(parsed);
    FAIL_IF_NOT(parsed->id == htons(300));

    DetectIcmpIdFree(NULL, parsed);
    PASS;
}
373 
/**
 * \test DetectIcmpIdParseTest04: quotes plus whitespace both outside and
 * inside the quotes are all tolerated.
 */
static int DetectIcmpIdParseTest04 (void)
{
    DetectIcmpIdData *parsed = DetectIcmpIdParse(NULL, " \" 300 \"");

    FAIL_IF_NULL(parsed);
    FAIL_IF_NOT(parsed->id == htons(300));

    DetectIcmpIdFree(NULL, parsed);
    PASS;
}
386 
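/**
 * \test DetectIcmpIdParseTest05 is a test for rejecting an icmp_id value
 * with unbalanced quotation marks. Both error branches of the parser are
 * exercised: an opening quote without a closing one, and a closing quote
 * without an opening one.
 */
static int DetectIcmpIdParseTest05 (void)
{
    /* opening quote only -> "Missing close quote" */
    DetectIcmpIdData *iid = DetectIcmpIdParse(NULL, "\"300");
    FAIL_IF_NOT_NULL(iid);

    /* closing quote only -> "Missing open quote" */
    iid = DetectIcmpIdParse(NULL, "300\"");
    FAIL_IF_NOT_NULL(iid);

    PASS;
}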
397 
/**
 * \test DetectIcmpIdMatchTest01 is a test for checking the working of
 * icmp_id keyword by creating 2 rules and matching a crafted packet
 * against them. Only the first one shall trigger.
 *
 * NOTE(review): original lines 416, 433, 448-450 and 452 are not shown in
 * this rendering; per the symbol index they are presumably the
 * DetectEngineCtxInit() / SigGroupBuild() setup and the
 * SigGroupCleanup() / SigCleanSignatures() / DetectEngineCtxFree()
 * teardown -- confirm against the upstream source.
 *
 * NOTE(review): p is dereferenced right after UTHBuildPacket() without a
 * NULL check, so an allocation failure crashes the test instead of
 * failing it. The `goto end` paths also skip the cleanup label, so a
 * failed SigInit() would leak the packet (and, if the missing lines are
 * as assumed, the detection engine context).
 */
static int DetectIcmpIdMatchTest01 (void)
{
    int result = 0;
    Packet *p = NULL;
    Signature *s = NULL;
    ThreadVars th_v;
    DetectEngineThreadCtx *det_ctx = NULL;

    memset(&th_v, 0, sizeof(ThreadVars));

    /* Store the id in network byte order, the same form the parser keeps
     * the rule value in (htons), so the equality check in the match
     * callback is meaningful. The ICMP type is not set here; for
     * GetIcmpId() to report an id the packet UTHBuildPacket() returns must
     * already carry one of the id-bearing types -- not verifiable from
     * this file. */
    p = UTHBuildPacket(NULL, 0, IPPROTO_ICMP);
    p->icmpv4vars.id = htons(21781);

    if (de_ctx == NULL) {
        goto end;
    }

    de_ctx->flags |= DE_QUIET;

    /* sid 1 carries the packet's id, sid 2 a neighbouring one */
    s = de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any (icmp_id:21781; sid:1;)");
    if (s == NULL) {
        goto end;
    }

    s = s->next = SigInit(de_ctx, "alert icmp any any -> any any (icmp_id:21782; sid:2;)");
    if (s == NULL) {
        goto end;
    }

    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    if (PacketAlertCheck(p, 1) == 0) {
        printf("sid 1 did not alert, but should have: ");
        goto cleanup;
    } else if (PacketAlertCheck(p, 2)) {
        printf("sid 2 alerted, but should not have: ");
        goto cleanup;
    }

    result = 1;

cleanup:

    DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);

    UTHFreePackets(&p, 1);
end:
    return result;

}
459 
/**
 * \test DetectIcmpIdMatchTest02 is a test for checking the working of
 * icmp_id keyword by creating 1 rule and matching a crafted packet
 * against them. The packet is an ICMP packet with no "id" field,
 * therefore the rule should not trigger.
 *
 * The rule asks for icmp_id:0 on purpose: a packet whose type has no
 * identifier must not be treated as if it carried id 0.
 *
 * NOTE(review): original lines 481, 490, 501, 513, 525-527 and 529 are
 * not shown in this rendering; per the symbol index they are presumably
 * the `DecodeThreadVars dtv` declaration (dtv is used below),
 * FlowInitConfig(FLOW_QUIET), DetectEngineCtxInit(), SigGroupBuild() and
 * the SigGroupCleanup() / SigCleanSignatures() / DetectEngineCtxFree()
 * teardown -- confirm against the upstream source.
 *
 * NOTE(review): the `goto end` paths bypass the cleanup label, so a failed
 * SigInit() skips FlowShutdown() (and, if the missing lines are as
 * assumed, the detection engine context release).
 */
static int DetectIcmpIdMatchTest02 (void)
{
    int result = 0;

    /* First byte 0x0b is the ICMP type (11, Time Exceeded per RFC 792),
     * which is not one of the types GetIcmpId() accepts; the remainder is
     * the quoted inner IPv4 header that such a message carries. */
    uint8_t raw_icmpv4[] = {
        0x0b, 0x00, 0x8a, 0xdf, 0x00, 0x00, 0x00, 0x00,
        0x45, 0x00, 0x00, 0x14, 0x25, 0x0c, 0x00, 0x00,
        0xff, 0x11, 0x00, 0x00, 0x85, 0x64, 0xea, 0x5b,
        0x51, 0xa6, 0xbb, 0x35, 0x59, 0x8a, 0x5a, 0xe2,
        0x00, 0x14, 0x00, 0x00 };

    Packet *p = PacketGetFromAlloc();
    if (unlikely(p == NULL))
        return 0;
    Signature *s = NULL;
    ThreadVars th_v;
    DetectEngineThreadCtx *det_ctx = NULL;
    IPV4Hdr ip4h;

    memset(&ip4h, 0, sizeof(IPV4Hdr));
    memset(&dtv, 0, sizeof(DecodeThreadVars));
    memset(&th_v, 0, sizeof(ThreadVars));


    /* minimal IPv4 context so the ICMP decoder has addresses to work with */
    p->src.addr_data32[0] = 0x01020304;
    p->dst.addr_data32[0] = 0x04030201;

    ip4h.s_ip_src.s_addr = p->src.addr_data32[0];
    ip4h.s_ip_dst.s_addr = p->dst.addr_data32[0];
    p->ip4h = &ip4h;

    DecodeICMPV4(&th_v, &dtv, p, raw_icmpv4, sizeof(raw_icmpv4));

    if (de_ctx == NULL) {
        goto end;
    }

    de_ctx->flags |= DE_QUIET;

    s = de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any (icmp_id:0; sid:1;)");
    if (s == NULL) {
        goto end;
    }

    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    if (PacketAlertCheck(p, 1)) {
        printf("sid 1 alerted, but should not have: ");
        goto cleanup;
    }

    result = 1;

cleanup:

    DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);

    FlowShutdown();
end:
    SCFree(p);
    return result;
}
536 
/**
 * \brief Register this file's unit tests with the test runner.
 *
 * Registration order follows the order in which the tests are defined
 * above: the five parse tests first, then the two match tests.
 */
static void DetectIcmpIdRegisterTests (void)
{
    static const struct {
        const char *name;
        int (*func)(void);
    } tests[] = {
        { "DetectIcmpIdParseTest01", DetectIcmpIdParseTest01 },
        { "DetectIcmpIdParseTest02", DetectIcmpIdParseTest02 },
        { "DetectIcmpIdParseTest03", DetectIcmpIdParseTest03 },
        { "DetectIcmpIdParseTest04", DetectIcmpIdParseTest04 },
        { "DetectIcmpIdParseTest05", DetectIcmpIdParseTest05 },
        { "DetectIcmpIdMatchTest01", DetectIcmpIdMatchTest01 },
        { "DetectIcmpIdMatchTest02", DetectIcmpIdMatchTest02 },
    };

    for (size_t i = 0; i < sizeof(tests) / sizeof(tests[0]); i++)
        UtRegisterTest(tests[i].name, tests[i].func);
}
547 #endif /* UNITTESTS */