suricata
detect-icode.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Gerardo Iglesias <iglesiasg@gmail.com>
22  *
23  * Implements icode keyword support
24  */
25 
26 #include "suricata-common.h"
27 #include "debug.h"
28 #include "decode.h"
29 
30 #include "detect.h"
31 #include "detect-parse.h"
33 
34 #include "detect-icode.h"
35 
36 #include "util-byte.h"
37 #include "util-unittest.h"
38 #include "util-unittest-helper.h"
39 #include "util-debug.h"
40 
41 /**
42  *\brief Regex for parsing our icode options
43  */
44 #define PARSE_REGEX "^\\s*(<|>)?\\s*([0-9]+)\\s*(?:<>\\s*([0-9]+))?\\s*$"
45 
46 static DetectParseRegex parse_regex;
47 
48 static int DetectICodeMatch(DetectEngineThreadCtx *, Packet *,
49  const Signature *, const SigMatchCtx *);
50 static int DetectICodeSetup(DetectEngineCtx *, Signature *, const char *);
51 void DetectICodeRegisterTests(void);
52 void DetectICodeFree(DetectEngineCtx *, void *);
53 
54 static int PrefilterSetupICode(DetectEngineCtx *de_ctx, SigGroupHead *sgh);
55 static bool PrefilterICodeIsPrefilterable(const Signature *s);
56 
57 /**
58  * \brief Registration function for icode: keyword
59  */
61 {
62  sigmatch_table[DETECT_ICODE].name = "icode";
63  sigmatch_table[DETECT_ICODE].desc = "match on specific ICMP id-value";
64  sigmatch_table[DETECT_ICODE].url = "/rules/header-keywords.html#icode";
65  sigmatch_table[DETECT_ICODE].Match = DetectICodeMatch;
66  sigmatch_table[DETECT_ICODE].Setup = DetectICodeSetup;
69 
70  sigmatch_table[DETECT_ICODE].SupportsPrefilter = PrefilterICodeIsPrefilterable;
71  sigmatch_table[DETECT_ICODE].SetupPrefilter = PrefilterSetupICode;
72 
73  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
74 }
75 
76 #define DETECT_ICODE_EQ PREFILTER_U8HASH_MODE_EQ /**< "equal" operator */
77 #define DETECT_ICODE_LT PREFILTER_U8HASH_MODE_LT /**< "less than" operator */
78 #define DETECT_ICODE_GT PREFILTER_U8HASH_MODE_GT /**< "greater than" operator */
79 #define DETECT_ICODE_RN PREFILTER_U8HASH_MODE_RA /**< "range" operator */
80 
81 typedef struct DetectICodeData_ {
82  uint8_t code1;
83  uint8_t code2;
84 
85  uint8_t mode;
87 
88 static inline int ICodeMatch(const uint8_t pcode, const uint8_t mode,
89  const uint8_t dcode1, const uint8_t dcode2)
90 {
91  switch (mode) {
92  case DETECT_ICODE_EQ:
93  return (pcode == dcode1) ? 1 : 0;
94 
95  case DETECT_ICODE_LT:
96  return (pcode < dcode1) ? 1 : 0;
97 
98  case DETECT_ICODE_GT:
99  return (pcode > dcode1) ? 1 : 0;
100 
101  case DETECT_ICODE_RN:
102  return (pcode > dcode1 && pcode < dcode2) ? 1 : 0;
103  }
104  return 0;
105 }
106 
107 /**
108  * \brief This function is used to match icode rule option set on a packet with those passed via icode:
109  *
110  * \param t pointer to thread vars
111  * \param det_ctx pointer to the pattern matcher thread
112  * \param p pointer to the current packet
113  * \param m pointer to the sigmatch that we will cast into DetectICodeData
114  *
115  * \retval 0 no match
116  * \retval 1 match
117  */
118 static int DetectICodeMatch (DetectEngineThreadCtx *det_ctx, Packet *p,
119  const Signature *s, const SigMatchCtx *ctx)
120 {
121  if (PKT_IS_PSEUDOPKT(p))
122  return 0;
123 
124  uint8_t picode;
125  if (PKT_IS_ICMPV4(p)) {
126  picode = ICMPV4_GET_CODE(p);
127  } else if (PKT_IS_ICMPV6(p)) {
128  picode = ICMPV6_GET_CODE(p);
129  } else {
130  /* Packet not ICMPv4 nor ICMPv6 */
131  return 0;
132  }
133 
134  const DetectICodeData *icd = (const DetectICodeData *)ctx;
135  return ICodeMatch(picode, icd->mode, icd->code1, icd->code2);
136 }
137 
138 /**
139  * \brief This function is used to parse icode options passed via icode: keyword
140  *
141  * \param de_ctx Pointer to the detection engine context
142  * \param icodestr Pointer to the user provided icode options
143  *
144  * \retval icd pointer to DetectICodeData on success
145  * \retval NULL on failure
146  */
147 static DetectICodeData *DetectICodeParse(DetectEngineCtx *de_ctx, const char *icodestr)
148 {
149  DetectICodeData *icd = NULL;
150  char *args[3] = {NULL, NULL, NULL};
151  int ret = 0, res = 0;
152  int ov[MAX_SUBSTRINGS];
153 
154  ret = DetectParsePcreExec(&parse_regex, icodestr, 0, 0, ov, MAX_SUBSTRINGS);
155  if (ret < 1 || ret > 4) {
156  SCLogError(SC_ERR_PCRE_MATCH, "pcre_exec parse error, ret %" PRId32 ", string %s", ret, icodestr);
157  goto error;
158  }
159 
160  int i;
161  const char *str_ptr;
162  for (i = 1; i < ret; i++) {
163  res = pcre_get_substring((char *)icodestr, ov, MAX_SUBSTRINGS, i, &str_ptr);
164  if (res < 0) {
165  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
166  goto error;
167  }
168  args[i-1] = (char *)str_ptr;
169  }
170 
171  icd = SCMalloc(sizeof(DetectICodeData));
172  if (unlikely(icd == NULL))
173  goto error;
174  icd->code1 = 0;
175  icd->code2 = 0;
176  icd->mode = 0;
177 
178  /* we have either "<" or ">" */
179  if (args[0] != NULL && strlen(args[0]) != 0) {
180  /* we have a third part ("<> y"), therefore it's invalid */
181  if (args[2] != NULL) {
182  SCLogError(SC_ERR_INVALID_VALUE, "icode: invalid value");
183  goto error;
184  }
185  /* we have only a comparison ("<", ">") */
186  if (StringParseUint8(&icd->code1, 10, 0, args[1]) < 0) {
187  SCLogError(SC_ERR_INVALID_ARGUMENT, "specified icmp code %s is not "
188  "valid", args[1]);
189  goto error;
190  }
191  if ((strcmp(args[0], ">")) == 0) icd->mode = DETECT_ICODE_GT;
192  else icd->mode = DETECT_ICODE_LT;
193  } else { /* no "<", ">" */
194  /* we have a range ("<>") */
195  if (args[2] != NULL) {
196  icd->mode = (uint8_t) DETECT_ICODE_RN;
197  if (StringParseUint8(&icd->code1, 10, 0, args[1]) < 0) {
198  SCLogError(SC_ERR_INVALID_ARGUMENT, "specified icmp code %s is not "
199  "valid", args[1]);
200  goto error;
201  }
202  if (StringParseUint8(&icd->code2, 10, 0, args[2]) < 0) {
203  SCLogError(SC_ERR_INVALID_ARGUMENT, "specified icmp code %s is not "
204  "valid", args[2]);
205  goto error;
206  }
207  /* we check that the first given value in the range is less than
208  the second, otherwise we swap them */
209  if (icd->code1 > icd->code2) {
210  uint8_t temp = icd->code1;
211  icd->code1 = icd->code2;
212  icd->code2 = temp;
213  }
214  } else { /* we have an equality */
215  icd->mode = DETECT_ICODE_EQ;
216  if (StringParseUint8(&icd->code1, 10, 0, args[1]) < 0) {
217  SCLogError(SC_ERR_INVALID_ARGUMENT, "specified icmp code %s is not "
218  "valid", args[1]);
219  goto error;
220  }
221  }
222  }
223 
224  for (i = 0; i < (ret-1); i++) {
225  if (args[i] != NULL)
226  SCFree(args[i]);
227  }
228  return icd;
229 
230 error:
231  for (i = 0; i < (ret-1) && i < 3; i++) {
232  if (args[i] != NULL)
233  SCFree(args[i]);
234  }
235  if (icd != NULL)
236  DetectICodeFree(de_ctx, icd);
237  return NULL;
238 }
239 
240 /**
241  * \brief this function is used to add the parsed icode data into the current signature
242  *
243  * \param de_ctx pointer to the Detection Engine Context
244  * \param s pointer to the Current Signature
245  * \param icodestr pointer to the user provided icode options
246  *
247  * \retval 0 on Success
248  * \retval -1 on Failure
249  */
250 static int DetectICodeSetup(DetectEngineCtx *de_ctx, Signature *s, const char *icodestr)
251 {
252 
253  DetectICodeData *icd = NULL;
254  SigMatch *sm = NULL;
255 
256  icd = DetectICodeParse(NULL, icodestr);
257  if (icd == NULL) goto error;
258 
259  sm = SigMatchAlloc();
260  if (sm == NULL) goto error;
261 
262  sm->type = DETECT_ICODE;
263  sm->ctx = (SigMatchCtx *)icd;
264 
267 
268  return 0;
269 
270 error:
271  if (icd != NULL) DetectICodeFree(de_ctx, icd);
272  if (sm != NULL) SCFree(sm);
273  return -1;
274 }
275 
276 /**
277  * \brief this function will free memory associated with DetectICodeData
278  *
279  * \param ptr pointer to DetectICodeData
280  */
282 {
283  DetectICodeData *icd = (DetectICodeData *)ptr;
284  SCFree(icd);
285 }
286 
287 /* prefilter code */
288 
289 static void PrefilterPacketICodeMatch(DetectEngineThreadCtx *det_ctx,
290  Packet *p, const void *pectx)
291 {
292  if (PKT_IS_PSEUDOPKT(p)) {
293  SCReturn;
294  }
295 
296  uint8_t picode;
297  if (PKT_IS_ICMPV4(p)) {
298  picode = ICMPV4_GET_CODE(p);
299  } else if (PKT_IS_ICMPV6(p)) {
300  picode = ICMPV6_GET_CODE(p);
301  } else {
302  /* Packet not ICMPv4 nor ICMPv6 */
303  return;
304  }
305 
306  const PrefilterPacketU8HashCtx *h = pectx;
307  const SigsArray *sa = h->array[picode];
308  if (sa) {
309  PrefilterAddSids(&det_ctx->pmq, sa->sigs, sa->cnt);
310  }
311 }
312 
313 static void
314 PrefilterPacketICodeSet(PrefilterPacketHeaderValue *v, void *smctx)
315 {
316  const DetectICodeData *a = smctx;
317  v->u8[0] = a->mode;
318  v->u8[1] = a->code1;
319  v->u8[2] = a->code2;
320 }
321 
322 static bool
323 PrefilterPacketICodeCompare(PrefilterPacketHeaderValue v, void *smctx)
324 {
325  const DetectICodeData *a = smctx;
326  if (v.u8[0] == a->mode &&
327  v.u8[1] == a->code1 &&
328  v.u8[2] == a->code2)
329  return TRUE;
330  return FALSE;
331 }
332 
333 static int PrefilterSetupICode(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
334 {
336  PrefilterPacketICodeSet,
337  PrefilterPacketICodeCompare,
338  PrefilterPacketICodeMatch);
339 }
340 
341 static bool PrefilterICodeIsPrefilterable(const Signature *s)
342 {
343  const SigMatch *sm;
344  for (sm = s->init_data->smlists[DETECT_SM_LIST_MATCH] ; sm != NULL; sm = sm->next) {
345  switch (sm->type) {
346  case DETECT_ICODE:
347  return TRUE;
348  }
349  }
350  return FALSE;
351 }
352 
353 #ifdef UNITTESTS
354 #include "detect-engine.h"
355 #include "detect-engine-mpm.h"
356 
357 /**
358  * \test DetectICodeParseTest01 is a test for setting a valid icode value
359  */
360 static int DetectICodeParseTest01(void)
361 {
362  DetectICodeData *icd = NULL;
363  int result = 0;
364  icd = DetectICodeParse(NULL, "8");
365  if (icd != NULL) {
366  if (icd->code1 == 8 && icd->mode == DETECT_ICODE_EQ)
367  result = 1;
368  DetectICodeFree(NULL, icd);
369  }
370  return result;
371 }
372 
373 /**
374  * \test DetectICodeParseTest02 is a test for setting a valid icode value
375  * with ">" operator
376  */
377 static int DetectICodeParseTest02(void)
378 {
379  DetectICodeData *icd = NULL;
380  int result = 0;
381  icd = DetectICodeParse(NULL, ">8");
382  if (icd != NULL) {
383  if (icd->code1 == 8 && icd->mode == DETECT_ICODE_GT)
384  result = 1;
385  DetectICodeFree(NULL, icd);
386  }
387  return result;
388 }
389 
390 /**
391  * \test DetectICodeParseTest03 is a test for setting a valid icode value
392  * with "<" operator
393  */
394 static int DetectICodeParseTest03(void)
395 {
396  DetectICodeData *icd = NULL;
397  int result = 0;
398  icd = DetectICodeParse(NULL, "<8");
399  if (icd != NULL) {
400  if (icd->code1 == 8 && icd->mode == DETECT_ICODE_LT)
401  result = 1;
402  DetectICodeFree(NULL, icd);
403  }
404  return result;
405 }
406 
407 /**
408  * \test DetectICodeParseTest04 is a test for setting a valid icode value
409  * with "<>" operator
410  */
411 static int DetectICodeParseTest04(void)
412 {
413  DetectICodeData *icd = NULL;
414  int result = 0;
415  icd = DetectICodeParse(NULL, "8<>20");
416  if (icd != NULL) {
417  if (icd->code1 == 8 && icd->code2 == 20 && icd->mode == DETECT_ICODE_RN)
418  result = 1;
419  DetectICodeFree(NULL, icd);
420  }
421  return result;
422 }
423 
424 /**
425  * \test DetectICodeParseTest05 is a test for setting a valid icode value
426  * with spaces all around
427  */
428 static int DetectICodeParseTest05(void)
429 {
430  DetectICodeData *icd = NULL;
431  int result = 0;
432  icd = DetectICodeParse(NULL, " 8 ");
433  if (icd != NULL) {
434  if (icd->code1 == 8 && icd->mode == DETECT_ICODE_EQ)
435  result = 1;
436  DetectICodeFree(NULL, icd);
437  }
438  return result;
439 }
440 
441 /**
442  * \test DetectICodeParseTest06 is a test for setting a valid icode value
443  * with ">" operator and spaces all around
444  */
445 static int DetectICodeParseTest06(void)
446 {
447  DetectICodeData *icd = NULL;
448  int result = 0;
449  icd = DetectICodeParse(NULL, " > 8 ");
450  if (icd != NULL) {
451  if (icd->code1 == 8 && icd->mode == DETECT_ICODE_GT)
452  result = 1;
453  DetectICodeFree(NULL, icd);
454  }
455  return result;
456 }
457 
458 /**
459  * \test DetectICodeParseTest07 is a test for setting a valid icode value
460  * with "<>" operator and spaces all around
461  */
462 static int DetectICodeParseTest07(void)
463 {
464  DetectICodeData *icd = NULL;
465  int result = 0;
466  icd = DetectICodeParse(NULL, " 8 <> 20 ");
467  if (icd != NULL) {
468  if (icd->code1 == 8 && icd->code2 == 20 && icd->mode == DETECT_ICODE_RN)
469  result = 1;
470  DetectICodeFree(NULL, icd);
471  }
472  return result;
473 }
474 
475 /**
476  * \test DetectICodeParseTest08 is a test for setting an invalid icode value
477  */
478 static int DetectICodeParseTest08(void)
479 {
480  DetectICodeData *icd = NULL;
481  icd = DetectICodeParse(NULL, "> 8 <> 20");
482  if (icd == NULL)
483  return 1;
484  DetectICodeFree(NULL, icd);
485  return 0;
486 }
487 
488 /**
489  * \test DetectICodeMatchTest01 is a test for checking the working of icode
490  * keyword by creating 5 rules and matching a crafted packet against
491  * them. 4 out of 5 rules shall trigger.
492  */
493 static int DetectICodeMatchTest01(void)
494 {
495 
496  Packet *p = NULL;
497  Signature *s = NULL;
498  ThreadVars th_v;
499  DetectEngineThreadCtx *det_ctx;
500  int result = 0;
501 
502  memset(&th_v, 0, sizeof(th_v));
503 
504  p = UTHBuildPacket(NULL, 0, IPPROTO_ICMP);
505 
506  p->icmpv4h->code = 10;
507 
509  if (de_ctx == NULL) {
510  goto end;
511  }
512 
513  de_ctx->flags |= DE_QUIET;
514 
515  s = de_ctx->sig_list = SigInit(de_ctx,"alert icmp any any -> any any (icode:10; sid:1;)");
516  if (s == NULL) {
517  goto end;
518  }
519 
520  s = s->next = SigInit(de_ctx,"alert icmp any any -> any any (icode:<15; sid:2;)");
521  if (s == NULL) {
522  goto end;
523  }
524 
525  s = s->next = SigInit(de_ctx,"alert icmp any any -> any any (icode:>20; sid:3;)");
526  if (s == NULL) {
527  goto end;
528  }
529 
530  s = s->next = SigInit(de_ctx,"alert icmp any any -> any any (icode:8<>20; sid:4;)");
531  if (s == NULL) {
532  goto end;
533  }
534 
535  s = s->next = SigInit(de_ctx,"alert icmp any any -> any any (icode:20<>8; sid:5;)");
536  if (s == NULL) {
537  goto end;
538  }
539 
541  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
542 
543  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
544  if (PacketAlertCheck(p, 1) == 0) {
545  SCLogDebug("sid 1 did not alert, but should have");
546  goto cleanup;
547  } else if (PacketAlertCheck(p, 2) == 0) {
548  SCLogDebug("sid 2 did not alert, but should have");
549  goto cleanup;
550  } else if (PacketAlertCheck(p, 3)) {
551  SCLogDebug("sid 3 alerted, but should not have");
552  goto cleanup;
553  } else if (PacketAlertCheck(p, 4) == 0) {
554  SCLogDebug("sid 4 did not alert, but should have");
555  goto cleanup;
556  } else if (PacketAlertCheck(p, 5) == 0) {
557  SCLogDebug("sid 5 did not alert, but should have");
558  goto cleanup;
559  }
560 
561  result = 1;
562 
563 cleanup:
566 
567  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
569 
570  UTHFreePackets(&p, 1);
571 end:
572  return result;
573 }
574 
575 #endif /* UNITTESTS */
576 
577 /**
578  * \brief this function registers unit tests for DetectICode
579  */
581 {
582 #ifdef UNITTESTS
583  UtRegisterTest("DetectICodeParseTest01", DetectICodeParseTest01);
584  UtRegisterTest("DetectICodeParseTest02", DetectICodeParseTest02);
585  UtRegisterTest("DetectICodeParseTest03", DetectICodeParseTest03);
586  UtRegisterTest("DetectICodeParseTest04", DetectICodeParseTest04);
587  UtRegisterTest("DetectICodeParseTest05", DetectICodeParseTest05);
588  UtRegisterTest("DetectICodeParseTest06", DetectICodeParseTest06);
589  UtRegisterTest("DetectICodeParseTest07", DetectICodeParseTest07);
590  UtRegisterTest("DetectICodeParseTest08", DetectICodeParseTest08);
591  UtRegisterTest("DetectICodeMatchTest01", DetectICodeMatchTest01);
592 #endif /* UNITTESTS */
593 }
util-byte.h
SigTableElmt_::url
const char * url
Definition: detect.h:1212
DETECT_ICODE_EQ
#define DETECT_ICODE_EQ
Definition: detect-icode.c:76
detect-engine.h
ICMPV4_GET_CODE
#define ICMPV4_GET_CODE(p)
Definition: decode-icmpv4.h:217
SigTableElmt_::desc
const char * desc
Definition: detect.h:1211
SC_ERR_INVALID_VALUE
@ SC_ERR_INVALID_VALUE
Definition: util-error.h:160
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1200
SigTableElmt_::name
const char * name
Definition: detect.h:1209
PKT_IS_PSEUDOPKT
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1125
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1345
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DetectICodeData_::code2
uint8_t code2
Definition: detect-icode.c:83
PrefilterPacketU8HashCtx_::array
SigsArray * array[256]
Definition: detect-engine-prefilter-common.h:51
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2033
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1110
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:766
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2089
PrefilterPacketHeaderValue::u8
uint8_t u8[16]
Definition: detect-engine-prefilter-common.h:22
ICMPV6_GET_CODE
#define ICMPV6_GET_CODE(p)
Definition: decode-icmpv6.h:104
DE_QUIET
#define DE_QUIET
Definition: detect.h:293
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:336
DETECT_ICODE_GT
#define DETECT_ICODE_GT
Definition: detect-icode.c:78
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:39
DETECT_ICODE_LT
#define DETECT_ICODE_LT
Definition: detect-icode.c:77
DetectICodeRegisterTests
void DetectICodeRegisterTests(void)
this function registers unit tests for DetectICode
Definition: detect-icode.c:580
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1195
util-unittest.h
util-unittest-helper.h
SigTableElmt_::SetupPrefilter
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
Definition: detect.h:1198
Signature_::next
struct Signature_ * next
Definition: detect.h:599
decode.h
util-debug.h
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectICodeRegister
void DetectICodeRegister(void)
Registration function for icode: keyword.
Definition: detect-icode.c:60
DetectEngineThreadCtx_
Definition: detect.h:1009
DETECT_ICODE
@ DETECT_ICODE
Definition: detect-engine-register.h:46
res
PoolThreadReserved res
Definition: stream-tcp-private.h:0
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2470
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:323
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:89
SC_ERR_INVALID_ARGUMENT
@ SC_ERR_INVALID_ARGUMENT
Definition: util-error.h:43
TRUE
#define TRUE
Definition: suricata-common.h:33
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:322
PKT_IS_ICMPV6
#define PKT_IS_ICMPV6(p)
Definition: decode.h:259
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1668
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1949
FALSE
#define FALSE
Definition: suricata-common.h:34
SCReturn
#define SCReturn
Definition: util-debug.h:302
Signature_::flags
uint32_t flags
Definition: detect.h:528
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options, int *ovector, int ovector_size)
Definition: detect-parse.c:2400
Packet_
Definition: decode.h:411
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:596
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1178
SignatureInitData_::smlists
struct SigMatch_ ** smlists
Definition: detect.h:521
DetectICodeData_::mode
uint8_t mode
Definition: detect-icode.c:85
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1878
SigMatch_::type
uint8_t type
Definition: detect.h:320
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:314
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2793
SigsArray_::sigs
SigIntId * sigs
Definition: detect-engine-prefilter-common.h:45
DetectICodeFree
void DetectICodeFree(DetectEngineCtx *, void *)
this function will free memory associated with DetectICodeData
Definition: detect-icode.c:281
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3001
SigsArray_
Definition: detect-engine-prefilter-common.h:44
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectParseRegex_
Definition: detect-parse.h:42
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
SigsArray_::cnt
uint32_t cnt
Definition: detect-engine-prefilter-common.h:46
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:772
Packet_::icmpv4h
ICMPV4Hdr * icmpv4h
Definition: decode.h:531
PKT_IS_ICMPV4
#define PKT_IS_ICMPV4(p)
Definition: decode.h:258
DetectICodeData_::code1
uint8_t code1
Definition: detect-icode.c:82
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
SCFree
#define SCFree(p)
Definition: util-mem.h:61
SigTableElmt_::SupportsPrefilter
bool(* SupportsPrefilter)(const Signature *s)
Definition: detect.h:1197
detect-parse.h
detect-icode.h
Signature_
Signature container.
Definition: detect.h:527
SigMatch_
a single match condition for a signature
Definition: detect.h:319
PARSE_REGEX
#define PARSE_REGEX
Regex for parsing our icode options.
Definition: detect-icode.c:44
DetectICodeData
struct DetectICodeData_ DetectICodeData
StringParseUint8
int StringParseUint8(uint8_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:359
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2044
PrefilterPacketU8HashCtx_
Definition: detect-engine-prefilter-common.h:50
PrefilterPacketHeaderValue
Definition: detect-engine-prefilter-common.h:21
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:767
detect-engine-prefilter-common.h
PrefilterSetupPacketHeaderU8Hash
int PrefilterSetupPacketHeaderU8Hash(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type, void(*Set)(PrefilterPacketHeaderValue *v, void *), bool(*Compare)(PrefilterPacketHeaderValue v, void *), void(*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
Definition: detect-engine-prefilter-common.c:396
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
debug.h
DETECT_ICODE_RN
#define DETECT_ICODE_RN
Definition: detect-icode.c:79
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1201
DetectICodeData_
Definition: detect-icode.c:81
SIG_FLAG_REQUIRE_PACKET
#define SIG_FLAG_REQUIRE_PACKET
Definition: detect.h:223
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:467