suricata
detect-icmp-seq.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Breno Silva <breno.silva@gmail.com>
22  *
23  * Implements the icmp_seq keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "debug.h"
28 #include "decode.h"
29 
30 #include "detect.h"
31 #include "detect-parse.h"
33 
34 #include "detect-icmp-seq.h"
35 
36 #include "util-byte.h"
37 #include "util-unittest.h"
38 #include "util-unittest-helper.h"
39 #include "util-debug.h"
40 
41 #define PARSE_REGEX "^\\s*(\"\\s*)?([0-9]+)(\\s*\")?\\s*$"
42 
43 static DetectParseRegex parse_regex;
44 
45 static int DetectIcmpSeqMatch(DetectEngineThreadCtx *, Packet *,
46  const Signature *, const SigMatchCtx *);
47 static int DetectIcmpSeqSetup(DetectEngineCtx *, Signature *, const char *);
49 void DetectIcmpSeqFree(void *);
50 static int PrefilterSetupIcmpSeq(DetectEngineCtx *de_ctx, SigGroupHead *sgh);
51 static bool PrefilterIcmpSeqIsPrefilterable(const Signature *s);
52 
53 /**
54  * \brief Registration function for icmp_seq
55  */
57 {
58  sigmatch_table[DETECT_ICMP_SEQ].name = "icmp_seq";
59  sigmatch_table[DETECT_ICMP_SEQ].desc = "check for a ICMP sequence number";
60  sigmatch_table[DETECT_ICMP_SEQ].url = DOC_URL DOC_VERSION "/rules/header-keywords.html#icmp-seq";
61  sigmatch_table[DETECT_ICMP_SEQ].Match = DetectIcmpSeqMatch;
62  sigmatch_table[DETECT_ICMP_SEQ].Setup = DetectIcmpSeqSetup;
65 
66  sigmatch_table[DETECT_ICMP_SEQ].SupportsPrefilter = PrefilterIcmpSeqIsPrefilterable;
67  sigmatch_table[DETECT_ICMP_SEQ].SetupPrefilter = PrefilterSetupIcmpSeq;
68 
69  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
70 }
71 
72 static inline bool GetIcmpSeq(Packet *p, uint16_t *seq)
73 {
74  uint16_t seqn;
75 
76  if (PKT_IS_PSEUDOPKT(p))
77  return FALSE;
78 
79  if (PKT_IS_ICMPV4(p)) {
80  switch (ICMPV4_GET_TYPE(p)){
81  case ICMP_ECHOREPLY:
82  case ICMP_ECHO:
83  case ICMP_TIMESTAMP:
84  case ICMP_TIMESTAMPREPLY:
85  case ICMP_INFO_REQUEST:
86  case ICMP_INFO_REPLY:
87  case ICMP_ADDRESS:
88  case ICMP_ADDRESSREPLY:
89  SCLogDebug("ICMPV4_GET_SEQ(p) %"PRIu16" (network byte order), "
90  "%"PRIu16" (host byte order)", ICMPV4_GET_SEQ(p),
92 
93  seqn = ICMPV4_GET_SEQ(p);
94  break;
95  default:
96  SCLogDebug("Packet has no seq field");
97  return FALSE;
98  }
99  } else if (PKT_IS_ICMPV6(p)) {
100 
101  switch (ICMPV6_GET_TYPE(p)) {
102  case ICMP6_ECHO_REQUEST:
103  case ICMP6_ECHO_REPLY:
104  SCLogDebug("ICMPV6_GET_SEQ(p) %"PRIu16" (network byte order), "
105  "%"PRIu16" (host byte order)", ICMPV6_GET_SEQ(p),
106  SCNtohs(ICMPV6_GET_SEQ(p)));
107 
108  seqn = ICMPV6_GET_SEQ(p);
109  break;
110  default:
111  SCLogDebug("Packet has no seq field");
112  return FALSE;
113  }
114  } else {
115  SCLogDebug("Packet not ICMPV4 nor ICMPV6");
116  return FALSE;
117  }
118 
119  *seq = seqn;
120  return TRUE;
121 }
122 
123 /**
124  * \brief This function is used to match icmp_seq rule option set on a packet
125  *
126  * \param t pointer to thread vars
127  * \param det_ctx pointer to the pattern matcher thread
128  * \param p pointer to the current packet
129  * \param m pointer to the sigmatch that we will cast into DetectIcmpSeqData
130  *
131  * \retval 0 no match
132  * \retval 1 match
133  */
134 static int DetectIcmpSeqMatch (DetectEngineThreadCtx *det_ctx, Packet *p,
135  const Signature *s, const SigMatchCtx *ctx)
136 {
137  uint16_t seqn;
138 
139  if (GetIcmpSeq(p, &seqn) == FALSE)
140  return 0;
141 
142  const DetectIcmpSeqData *iseq = (const DetectIcmpSeqData *)ctx;
143  if (seqn == iseq->seq)
144  return 1;
145 
146  return 0;
147 }
148 
149 /**
150  * \brief This function is used to parse icmp_seq option passed via icmp_seq: keyword
151  *
152  * \param icmpseqstr Pointer to the user provided icmp_seq options
153  *
154  * \retval iseq pointer to DetectIcmpSeqData on success
155  * \retval NULL on failure
156  */
157 static DetectIcmpSeqData *DetectIcmpSeqParse (const char *icmpseqstr)
158 {
159  DetectIcmpSeqData *iseq = NULL;
160  char *substr[3] = {NULL, NULL, NULL};
161  int ret = 0, res = 0;
162  int ov[MAX_SUBSTRINGS];
163  int i;
164  const char *str_ptr;
165 
166  ret = DetectParsePcreExec(&parse_regex, icmpseqstr, 0, 0, ov, MAX_SUBSTRINGS);
167  if (ret < 1 || ret > 4) {
168  SCLogError(SC_ERR_PCRE_MATCH,"Parse error %s", icmpseqstr);
169  goto error;
170  }
171 
172  for (i = 1; i < ret; i++) {
173  res = pcre_get_substring((char *)icmpseqstr, ov, MAX_SUBSTRINGS, i, &str_ptr);
174  if (res < 0) {
175  SCLogError(SC_ERR_PCRE_GET_SUBSTRING,"pcre_get_substring failed");
176  goto error;
177  }
178  substr[i-1] = (char *)str_ptr;
179  }
180 
181  iseq = SCMalloc(sizeof(DetectIcmpSeqData));
182  if (unlikely(iseq == NULL))
183  goto error;
184 
185  iseq->seq = 0;
186 
187  if (substr[0] != NULL && strlen(substr[0]) != 0) {
188  if (substr[2] == NULL) {
189  SCLogError(SC_ERR_MISSING_QUOTE,"Missing quote in input");
190  goto error;
191  }
192  } else {
193  if (substr[2] != NULL) {
194  SCLogError(SC_ERR_MISSING_QUOTE,"Missing quote in input");
195  goto error;
196  }
197  }
198 
199  uint16_t seq = 0;
200  if (StringParseUint16(&seq, 10, 0, substr[1]) < 0) {
201  SCLogError(SC_ERR_INVALID_ARGUMENT, "specified icmp seq %s is not "
202  "valid", substr[1]);
203  goto error;
204  }
205  iseq->seq = htons(seq);
206 
207  for (i = 0; i < 3; i++) {
208  if (substr[i] != NULL) SCFree(substr[i]);
209  }
210 
211  return iseq;
212 
213 error:
214  for (i = 0; i < 3; i++) {
215  if (substr[i] != NULL) SCFree(substr[i]);
216  }
217  if (iseq != NULL) DetectIcmpSeqFree(iseq);
218  return NULL;
219 
220 }
221 
222 /**
223  * \brief this function is used to add the parsed icmp_seq data into the current signature
224  *
225  * \param de_ctx pointer to the Detection Engine Context
226  * \param s pointer to the Current Signature
227  * \param icmpseqstr pointer to the user provided icmp_seq option
228  *
229  * \retval 0 on Success
230  * \retval -1 on Failure
231  */
232 static int DetectIcmpSeqSetup (DetectEngineCtx *de_ctx, Signature *s, const char *icmpseqstr)
233 {
234  DetectIcmpSeqData *iseq = NULL;
235  SigMatch *sm = NULL;
236 
237  iseq = DetectIcmpSeqParse(icmpseqstr);
238  if (iseq == NULL) goto error;
239 
240  sm = SigMatchAlloc();
241  if (sm == NULL) goto error;
242 
243  sm->type = DETECT_ICMP_SEQ;
244  sm->ctx = (SigMatchCtx *)iseq;
245 
247 
248  return 0;
249 
250 error:
251  if (iseq != NULL) DetectIcmpSeqFree(iseq);
252  if (sm != NULL) SCFree(sm);
253  return -1;
254 
255 }
256 
257 /**
258  * \brief this function will free memory associated with DetectIcmpSeqData
259  *
260  * \param ptr pointer to DetectIcmpSeqData
261  */
262 void DetectIcmpSeqFree (void *ptr)
263 {
264  DetectIcmpSeqData *iseq = (DetectIcmpSeqData *)ptr;
265  SCFree(iseq);
266 }
267 
268 /* prefilter code */
269 
270 static void
271 PrefilterPacketIcmpSeqMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)
272 {
273  const PrefilterPacketHeaderCtx *ctx = pectx;
274 
275  uint16_t seqn;
276 
277  if (GetIcmpSeq(p, &seqn) == FALSE)
278  return;
279 
280  if (seqn == ctx->v1.u16[0])
281  {
282  SCLogDebug("packet matches ICMP SEQ %u", ctx->v1.u16[0]);
283  PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);
284  }
285 }
286 
287 static void
288 PrefilterPacketIcmpSeqSet(PrefilterPacketHeaderValue *v, void *smctx)
289 {
290  const DetectIcmpSeqData *a = smctx;
291  v->u16[0] = a->seq;
292 }
293 
294 static bool
295 PrefilterPacketIcmpSeqCompare(PrefilterPacketHeaderValue v, void *smctx)
296 {
297  const DetectIcmpSeqData *a = smctx;
298  if (v.u16[0] == a->seq)
299  return TRUE;
300  return FALSE;
301 }
302 
303 static int PrefilterSetupIcmpSeq(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
304 {
306  PrefilterPacketIcmpSeqSet,
307  PrefilterPacketIcmpSeqCompare,
308  PrefilterPacketIcmpSeqMatch);
309 }
310 
311 static bool PrefilterIcmpSeqIsPrefilterable(const Signature *s)
312 {
313  const SigMatch *sm;
314  for (sm = s->init_data->smlists[DETECT_SM_LIST_MATCH] ; sm != NULL; sm = sm->next) {
315  switch (sm->type) {
316  case DETECT_ICMP_SEQ:
317  return TRUE;
318  }
319  }
320  return FALSE;
321 }
322 
323 #ifdef UNITTESTS
324 #include "detect-engine.h"
325 #include "detect-engine-mpm.h"
326 
327 /**
328  * \test DetectIcmpSeqParseTest01 is a test for setting a valid icmp_seq value
329  */
330 static int DetectIcmpSeqParseTest01 (void)
331 {
332  DetectIcmpSeqData *iseq = NULL;
333  iseq = DetectIcmpSeqParse("300");
334  if (iseq != NULL && htons(iseq->seq) == 300) {
335  DetectIcmpSeqFree(iseq);
336  return 1;
337  }
338  return 0;
339 }
340 
341 /**
342  * \test DetectIcmpSeqParseTest02 is a test for setting a valid icmp_seq value
343  * with spaces all around
344  */
345 static int DetectIcmpSeqParseTest02 (void)
346 {
347  DetectIcmpSeqData *iseq = NULL;
348  iseq = DetectIcmpSeqParse(" 300 ");
349  if (iseq != NULL && htons(iseq->seq) == 300) {
350  DetectIcmpSeqFree(iseq);
351  return 1;
352  }
353  return 0;
354 }
355 
356 /**
357  * \test DetectIcmpSeqParseTest03 is a test for setting an invalid icmp_seq value
358  */
359 static int DetectIcmpSeqParseTest03 (void)
360 {
361  DetectIcmpSeqData *iseq = NULL;
362  iseq = DetectIcmpSeqParse("badc");
363  if (iseq != NULL) {
364  DetectIcmpSeqFree(iseq);
365  return 0;
366  }
367  return 1;
368 }
369 
370 /**
371  * \test DetectIcmpSeqMatchTest01 is a test for checking the working of
372  * icmp_seq keyword by creating 2 rules and matching a crafted packet
373  * against them. Only the first one shall trigger.
374  */
375 static int DetectIcmpSeqMatchTest01 (void)
376 {
377  int result = 0;
378  Packet *p = NULL;
379  Signature *s = NULL;
380  ThreadVars th_v;
381  DetectEngineThreadCtx *det_ctx = NULL;
382 
383  memset(&th_v, 0, sizeof(th_v));
384 
385  p = UTHBuildPacket(NULL, 0, IPPROTO_ICMP);
386  p->icmpv4vars.seq = htons(2216);
387 
389  if (de_ctx == NULL) {
390  goto end;
391  }
392 
393  de_ctx->flags |= DE_QUIET;
394 
395  s = de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any (icmp_seq:2216; sid:1;)");
396  if (s == NULL) {
397  goto end;
398  }
399 
400  s = s->next = SigInit(de_ctx, "alert icmp any any -> any any (icmp_seq:5000; sid:2;)");
401  if (s == NULL) {
402  goto end;
403  }
404 
406  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
407 
408  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
409  if (PacketAlertCheck(p, 1) == 0) {
410  printf("sid 1 did not alert, but should have: ");
411  goto cleanup;
412  } else if (PacketAlertCheck(p, 2)) {
413  printf("sid 2 alerted, but should not have: ");
414  goto cleanup;
415  }
416 
417  result = 1;
418 
419 cleanup:
422 
423  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
425 
426  UTHFreePackets(&p, 1);
427 end:
428  return result;
429 
430 }
431 #endif /* UNITTESTS */
432 
434 {
435 #ifdef UNITTESTS
436  UtRegisterTest("DetectIcmpSeqParseTest01", DetectIcmpSeqParseTest01);
437  UtRegisterTest("DetectIcmpSeqParseTest02", DetectIcmpSeqParseTest02);
438  UtRegisterTest("DetectIcmpSeqParseTest03", DetectIcmpSeqParseTest03);
439  UtRegisterTest("DetectIcmpSeqMatchTest01", DetectIcmpSeqMatchTest01);
440 #endif /* UNITTESTS */
441 }
442 
util-byte.h
SigTableElmt_::url
const char * url
Definition: detect.h:1204
detect-engine.h
StringParseUint16
int StringParseUint16(uint16_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:324
SigTableElmt_::desc
const char * desc
Definition: detect.h:1203
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-icmp-seq.c:41
SigTableElmt_::name
const char * name
Definition: detect.h:1201
PKT_IS_PSEUDOPKT
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1115
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1337
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
SCFree
#define SCFree(a)
Definition: util-mem.h:322
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:335
seq
uint32_t seq
Definition: stream-tcp-private.h:62
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2023
ICMPV6_GET_SEQ
#define ICMPV6_GET_SEQ(p)
Definition: decode-icmpv6.h:113
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1103
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:761
PrefilterPacketHeaderCtx_::sigs_array
SigIntId * sigs_array
Definition: detect-engine-prefilter-common.h:41
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2030
DE_QUIET
#define DE_QUIET
Definition: detect.h:292
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:262
SigTableElmt_::Free
void(* Free)(void *)
Definition: detect.h:1192
PrefilterPacketHeaderCtx_::sigs_cnt
uint32_t sigs_cnt
Definition: detect-engine-prefilter-common.h:40
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:39
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1187
DetectIcmpSeqRegisterTests
void DetectIcmpSeqRegisterTests(void)
Definition: detect-icmp-seq.c:433
PrefilterPacketHeaderValue::u16
uint16_t u16[8]
Definition: detect-engine-prefilter-common.h:23
util-unittest.h
util-unittest-helper.h
ICMP6_ECHO_REQUEST
#define ICMP6_ECHO_REQUEST
Definition: decode-icmpv6.h:43
ICMPV4_GET_SEQ
#define ICMPV4_GET_SEQ(p)
Definition: decode-icmpv4.h:227
SigTableElmt_::SetupPrefilter
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
Definition: detect.h:1190
Signature_::next
struct Signature_ * next
Definition: detect.h:594
DetectIcmpSeqFree
void DetectIcmpSeqFree(void *)
this function will free memory associated with DetectIcmpSeqData
Definition: detect-icmp-seq.c:262
PrefilterPacketHeaderCtx_
Definition: detect-engine-prefilter-common.h:33
decode.h
util-debug.h
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:16
ICMP6_ECHO_REPLY
#define ICMP6_ECHO_REPLY
Definition: decode-icmpv6.h:44
DetectEngineThreadCtx_
Definition: detect.h:1004
ICMPV4_GET_TYPE
#define ICMPV4_GET_TYPE(p)
Definition: decode-icmpv4.h:215
res
PoolThreadReserved res
Definition: stream-tcp-private.h:60
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2440
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:322
DetectIcmpSeqRegister
void DetectIcmpSeqRegister(void)
Registration function for icmp_seq.
Definition: detect-icmp-seq.c:56
DetectIcmpSeqData_
Definition: detect-icmp-seq.h:27
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:89
SC_ERR_INVALID_ARGUMENT
@ SC_ERR_INVALID_ARGUMENT
Definition: util-error.h:43
TRUE
#define TRUE
Definition: suricata-common.h:33
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:321
SCMalloc
#define SCMalloc(a)
Definition: util-mem.h:222
PKT_IS_ICMPV6
#define PKT_IS_ICMPV6(p)
Definition: decode.h:257
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1665
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1947
FALSE
#define FALSE
Definition: suricata-common.h:34
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options, int *ovector, int ovector_size)
Definition: detect-parse.c:2372
Packet_
Definition: decode.h:408
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:591
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1171
SignatureInitData_::smlists
struct SigMatch_ ** smlists
Definition: detect.h:516
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1876
SigMatch_::type
uint8_t type
Definition: detect.h:319
PrefilterPacketHeaderCtx_::v1
PrefilterPacketHeaderValue v1
Definition: detect-engine-prefilter-common.h:34
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:313
DetectIcmpSeqData_::seq
uint16_t seq
Definition: detect-icmp-seq.h:28
Packet_::icmpv4vars
ICMPV4Vars icmpv4vars
Definition: decode.h:516
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2726
SCNtohs
#define SCNtohs(x)
Definition: suricata-common.h:375
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:2934
DETECT_ICMP_SEQ
@ DETECT_ICMP_SEQ
Definition: detect-engine-register.h:48
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectParseRegex_
Definition: detect-parse.h:42
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
DOC_URL
#define DOC_URL
Definition: suricata.h:86
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:767
PrefilterSetupPacketHeader
int PrefilterSetupPacketHeader(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type, void(*Set)(PrefilterPacketHeaderValue *v, void *), bool(*Compare)(PrefilterPacketHeaderValue v, void *), void(*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
Definition: detect-engine-prefilter-common.c:407
PKT_IS_ICMPV4
#define PKT_IS_ICMPV4(p)
Definition: decode.h:256
SigTableElmt_::SupportsPrefilter
bool(* SupportsPrefilter)(const Signature *s)
Definition: detect.h:1189
detect-parse.h
Signature_
Signature container.
Definition: detect.h:522
SigMatch_
a single match condition for a signature
Definition: detect.h:318
ICMPV6_GET_TYPE
#define ICMPV6_GET_TYPE(p)
Definition: decode-icmpv6.h:102
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:1985
PrefilterPacketHeaderValue
Definition: detect-engine-prefilter-common.h:21
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:762
detect-engine-prefilter-common.h
ICMPV4Vars_::seq
uint16_t seq
Definition: decode-icmpv4.h:187
SC_ERR_MISSING_QUOTE
@ SC_ERR_MISSING_QUOTE
Definition: util-error.h:150
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
DOC_VERSION
#define DOC_VERSION
Definition: suricata.h:91
debug.h
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1193
detect-icmp-seq.h
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:393