41 #define PARSE_REGEX "^\\s*(\"\\s*)?([0-9]+)(\\s*\")?\\s*$"
49 static void DetectIcmpSeqRegisterTests(
void);
53 static bool PrefilterIcmpSeqIsPrefilterable(
const Signature *s);
75 static inline bool GetIcmpSeq(
Packet *p, uint16_t *
seq)
87 case ICMP_TIMESTAMPREPLY:
88 case ICMP_INFO_REQUEST:
91 case ICMP_ADDRESSREPLY:
92 SCLogDebug(
"ICMPV4_GET_SEQ(p) %"PRIu16
" (network byte order), "
107 SCLogDebug(
"ICMPV6_GET_SEQ(p) %"PRIu16
" (network byte order), "
142 if (!GetIcmpSeq(p, &seqn))
146 if (seqn == iseq->
seq)
/* Fragment of the icmp_seq option parser. This listing omits the source
 * lines between the numbered ones, so notes about hidden parts are hedged. */
/* Three slots, filled below from substr[i-1] for i = 1..ret-1; PARSE_REGEX
 * has three capture groups: optional opening quote, digits, optional
 * closing quote. */
164 char *substr[3] = {NULL, NULL, NULL};
165 int ret = 0,
res = 0;
/* NOTE(review): ret is presumably the match count returned by the regex
 * exec call (assignment not shown) - confirm. Capping it at 4 is what keeps
 * the substr[i-1] write below inside the three-element array, provided this
 * branch bails out (body not shown). */
171 if (ret < 1 || ret > 4) {
/* i starts at 1, so substr[0] receives the first value copied; with
 * ret <= 4 the highest index written is substr[2]. */
176 for (i = 1; i < ret; i++) {
182 substr[i-1] = (
char *)str_ptr;
/* Assuming str_ptr holds capture group i (the call that fills it is not
 * shown), a non-empty substr[0] means the value began with a double quote
 * and substr[2] is the closing-quote capture.
 * NOTE(review): presumably an unbalanced quote is rejected here - the
 * branch bodies are not shown. */
191 if (substr[0] != NULL && strlen(substr[0]) != 0) {
192 if (substr[2] == NULL) {
197 if (substr[2] != NULL) {
/* Release every substring that was extracted; slots still NULL are skipped. */
211 for (i = 0; i < 3; i++) {
212 if (substr[i] != NULL)
213 pcre2_substring_free((PCRE2_UCHAR8 *)substr[i]);
/* Same release loop a second time.
 * NOTE(review): presumably one copy serves the success return and the other
 * the error path - the lines between them are not shown. */
219 for (i = 0; i < 3; i++) {
220 if (substr[i] != NULL)
221 pcre2_substring_free((PCRE2_UCHAR8 *)substr[i]);
243 iseq = DetectIcmpSeqParse(
de_ctx, icmpseqstr);
244 if (iseq == NULL)
goto error;
247 if (sm == NULL)
goto error;
258 if (sm != NULL)
SCFree(sm);
283 if (!GetIcmpSeq(p, &seqn))
286 if (seqn == ctx->
v1.
u16[0])
312 PrefilterPacketIcmpSeqSet,
313 PrefilterPacketIcmpSeqCompare,
314 PrefilterPacketIcmpSeqMatch);
317 static bool PrefilterIcmpSeqIsPrefilterable(
const Signature *s)
336 static int DetectIcmpSeqParseTest01 (
void)
339 iseq = DetectIcmpSeqParse(NULL,
"300");
340 if (iseq != NULL && htons(iseq->
seq) == 300) {
351 static int DetectIcmpSeqParseTest02 (
void)
354 iseq = DetectIcmpSeqParse(NULL,
" 300 ");
355 if (iseq != NULL && htons(iseq->
seq) == 300) {
365 static int DetectIcmpSeqParseTest03 (
void)
368 iseq = DetectIcmpSeqParse(NULL,
"badc");
381 static int DetectIcmpSeqMatchTest01 (
void)
389 memset(&th_v, 0,
sizeof(th_v));
406 s = s->
next =
SigInit(
de_ctx,
"alert icmp any any -> any any (icmp_seq:5000; sid:2;)");
416 printf(
"sid 1 did not alert, but should have: ");
419 printf(
"sid 2 alerted, but should not have: ");
437 static void DetectIcmpSeqRegisterTests (
void)
439 UtRegisterTest(
"DetectIcmpSeqParseTest01", DetectIcmpSeqParseTest01);
440 UtRegisterTest(
"DetectIcmpSeqParseTest02", DetectIcmpSeqParseTest02);
441 UtRegisterTest(
"DetectIcmpSeqParseTest03", DetectIcmpSeqParseTest03);
442 UtRegisterTest(
"DetectIcmpSeqMatchTest01", DetectIcmpSeqMatchTest01);
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options)
void(* Free)(DetectEngineCtx *, void *)
#define PKT_IS_PSEUDOPKT(p)
Returns 1 if the packet is a pseudo packet.
Container for matching data for a signature group.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
#define ICMPV6_GET_SEQ(p)
main detection engine ctx
int StringParseUint16(uint16_t *res, int base, size_t len, const char *str)
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx.
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that builds packets with default IP and port fields.
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
@ SC_ERR_PCRE_GET_SUBSTRING
void SigCleanSignatures(DetectEngineCtx *de_ctx)
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
#define ICMP6_ECHO_REQUEST
#define ICMPV4_GET_SEQ(p)
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
#define ICMPV4_GET_TYPE(p)
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Per thread variable structure.
void DetectIcmpSeqRegister(void)
Registration function for icmp_seq.
int SC_Pcre2SubstringGet(pcre2_match_data *match_data, uint32_t number, PCRE2_UCHAR **bufferptr, PCRE2_SIZE *bufflen)
@ SC_ERR_INVALID_ARGUMENT
int SigGroupCleanup(DetectEngineCtx *de_ctx)
SignatureInitData * init_data
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
struct SigMatch_ ** smlists
SigMatch * SigMatchAlloc(void)
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Used to start a pointer to SigMatch context. Should never be dereferenced without casting to something...
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
int PrefilterSetupPacketHeader(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type, void(*Set)(PrefilterPacketHeaderValue *v, void *), bool(*Compare)(PrefilterPacketHeaderValue v, void *), void(*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
bool(* SupportsPrefilter)(const Signature *s)
a single match condition for a signature
#define ICMPV6_GET_TYPE(p)
DetectEngineCtx * DetectEngineCtxInit(void)
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
void DetectIcmpSeqFree(DetectEngineCtx *, void *)
This function frees the memory associated with DetectIcmpSeqData.
void(* RegisterTests)(void)
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.