suricata
detect-icode.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Gerardo Iglesias <iglesiasg@gmail.com>
22  *
23  * Implements icode keyword support
24  */
25 
26 #include "suricata-common.h"
27 #include "debug.h"
28 #include "decode.h"
29 
30 #include "detect.h"
31 #include "detect-parse.h"
33 
34 #include "detect-icode.h"
35 
36 #include "util-byte.h"
37 #include "util-unittest.h"
38 #include "util-unittest-helper.h"
39 #include "util-debug.h"
40 
41 /**
42  *\brief Regex for parsing our icode options
43  */
44 #define PARSE_REGEX "^\\s*(<|>)?\\s*([0-9]+)\\s*(?:<>\\s*([0-9]+))?\\s*$"
45 
46 static DetectParseRegex parse_regex;
47 
48 static int DetectICodeMatch(DetectEngineThreadCtx *, Packet *,
49  const Signature *, const SigMatchCtx *);
50 static int DetectICodeSetup(DetectEngineCtx *, Signature *, const char *);
51 #ifdef UNITTESTS
52 static void DetectICodeRegisterTests(void);
53 #endif
54 void DetectICodeFree(DetectEngineCtx *, void *);
55 
56 static int PrefilterSetupICode(DetectEngineCtx *de_ctx, SigGroupHead *sgh);
57 static bool PrefilterICodeIsPrefilterable(const Signature *s);
58 
59 /**
60  * \brief Registration function for icode: keyword
61  */
63 {
64  sigmatch_table[DETECT_ICODE].name = "icode";
65  sigmatch_table[DETECT_ICODE].desc = "match on specific ICMP id-value";
66  sigmatch_table[DETECT_ICODE].url = "/rules/header-keywords.html#icode";
67  sigmatch_table[DETECT_ICODE].Match = DetectICodeMatch;
68  sigmatch_table[DETECT_ICODE].Setup = DetectICodeSetup;
70 #ifdef UNITTESTS
71  sigmatch_table[DETECT_ICODE].RegisterTests = DetectICodeRegisterTests;
72 #endif
73  sigmatch_table[DETECT_ICODE].SupportsPrefilter = PrefilterICodeIsPrefilterable;
74  sigmatch_table[DETECT_ICODE].SetupPrefilter = PrefilterSetupICode;
75 
76  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
77 }
78 
79 #define DETECT_ICODE_EQ PREFILTER_U8HASH_MODE_EQ /**< "equal" operator */
80 #define DETECT_ICODE_LT PREFILTER_U8HASH_MODE_LT /**< "less than" operator */
81 #define DETECT_ICODE_GT PREFILTER_U8HASH_MODE_GT /**< "greater than" operator */
82 #define DETECT_ICODE_RN PREFILTER_U8HASH_MODE_RA /**< "range" operator */
83 
84 typedef struct DetectICodeData_ {
85  uint8_t code1;
86  uint8_t code2;
87 
88  uint8_t mode;
90 
91 static inline int ICodeMatch(const uint8_t pcode, const uint8_t mode,
92  const uint8_t dcode1, const uint8_t dcode2)
93 {
94  switch (mode) {
95  case DETECT_ICODE_EQ:
96  return (pcode == dcode1) ? 1 : 0;
97 
98  case DETECT_ICODE_LT:
99  return (pcode < dcode1) ? 1 : 0;
100 
101  case DETECT_ICODE_GT:
102  return (pcode > dcode1) ? 1 : 0;
103 
104  case DETECT_ICODE_RN:
105  return (pcode > dcode1 && pcode < dcode2) ? 1 : 0;
106  }
107  return 0;
108 }
109 
110 /**
111  * \brief This function is used to match icode rule option set on a packet with those passed via icode:
112  *
113  * \param t pointer to thread vars
114  * \param det_ctx pointer to the pattern matcher thread
115  * \param p pointer to the current packet
116  * \param m pointer to the sigmatch that we will cast into DetectICodeData
117  *
118  * \retval 0 no match
119  * \retval 1 match
120  */
121 static int DetectICodeMatch (DetectEngineThreadCtx *det_ctx, Packet *p,
122  const Signature *s, const SigMatchCtx *ctx)
123 {
124  if (PKT_IS_PSEUDOPKT(p))
125  return 0;
126 
127  uint8_t picode;
128  if (PKT_IS_ICMPV4(p)) {
129  picode = ICMPV4_GET_CODE(p);
130  } else if (PKT_IS_ICMPV6(p)) {
131  picode = ICMPV6_GET_CODE(p);
132  } else {
133  /* Packet not ICMPv4 nor ICMPv6 */
134  return 0;
135  }
136 
137  const DetectICodeData *icd = (const DetectICodeData *)ctx;
138  return ICodeMatch(picode, icd->mode, icd->code1, icd->code2);
139 }
140 
141 /**
142  * \brief This function is used to parse icode options passed via icode: keyword
143  *
144  * \param de_ctx Pointer to the detection engine context
145  * \param icodestr Pointer to the user provided icode options
146  *
147  * \retval icd pointer to DetectICodeData on success
148  * \retval NULL on failure
149  */
150 static DetectICodeData *DetectICodeParse(DetectEngineCtx *de_ctx, const char *icodestr)
151 {
152  DetectICodeData *icd = NULL;
153  char *args[3] = {NULL, NULL, NULL};
154  int ret = 0, res = 0;
155  int ov[MAX_SUBSTRINGS];
156 
157  ret = DetectParsePcreExec(&parse_regex, icodestr, 0, 0, ov, MAX_SUBSTRINGS);
158  if (ret < 1 || ret > 4) {
159  SCLogError(SC_ERR_PCRE_MATCH, "pcre_exec parse error, ret %" PRId32 ", string %s", ret, icodestr);
160  goto error;
161  }
162 
163  int i;
164  const char *str_ptr;
165  for (i = 1; i < ret; i++) {
166  res = pcre_get_substring((char *)icodestr, ov, MAX_SUBSTRINGS, i, &str_ptr);
167  if (res < 0) {
168  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
169  goto error;
170  }
171  args[i-1] = (char *)str_ptr;
172  }
173 
174  icd = SCMalloc(sizeof(DetectICodeData));
175  if (unlikely(icd == NULL))
176  goto error;
177  icd->code1 = 0;
178  icd->code2 = 0;
179  icd->mode = 0;
180 
181  /* we have either "<" or ">" */
182  if (args[0] != NULL && strlen(args[0]) != 0) {
183  /* we have a third part ("<> y"), therefore it's invalid */
184  if (args[2] != NULL) {
185  SCLogError(SC_ERR_INVALID_VALUE, "icode: invalid value");
186  goto error;
187  }
188  /* we have only a comparison ("<", ">") */
189  if (StringParseUint8(&icd->code1, 10, 0, args[1]) < 0) {
190  SCLogError(SC_ERR_INVALID_ARGUMENT, "specified icmp code %s is not "
191  "valid", args[1]);
192  goto error;
193  }
194  if ((strcmp(args[0], ">")) == 0) icd->mode = DETECT_ICODE_GT;
195  else icd->mode = DETECT_ICODE_LT;
196  } else { /* no "<", ">" */
197  /* we have a range ("<>") */
198  if (args[2] != NULL) {
199  icd->mode = (uint8_t) DETECT_ICODE_RN;
200  if (StringParseUint8(&icd->code1, 10, 0, args[1]) < 0) {
201  SCLogError(SC_ERR_INVALID_ARGUMENT, "specified icmp code %s is not "
202  "valid", args[1]);
203  goto error;
204  }
205  if (StringParseUint8(&icd->code2, 10, 0, args[2]) < 0) {
206  SCLogError(SC_ERR_INVALID_ARGUMENT, "specified icmp code %s is not "
207  "valid", args[2]);
208  goto error;
209  }
210  /* we check that the first given value in the range is less than
211  the second, otherwise we swap them */
212  if (icd->code1 > icd->code2) {
213  uint8_t temp = icd->code1;
214  icd->code1 = icd->code2;
215  icd->code2 = temp;
216  }
217  } else { /* we have an equality */
218  icd->mode = DETECT_ICODE_EQ;
219  if (StringParseUint8(&icd->code1, 10, 0, args[1]) < 0) {
220  SCLogError(SC_ERR_INVALID_ARGUMENT, "specified icmp code %s is not "
221  "valid", args[1]);
222  goto error;
223  }
224  }
225  }
226 
227  for (i = 0; i < (ret-1); i++) {
228  if (args[i] != NULL)
229  SCFree(args[i]);
230  }
231  return icd;
232 
233 error:
234  for (i = 0; i < (ret-1) && i < 3; i++) {
235  if (args[i] != NULL)
236  SCFree(args[i]);
237  }
238  if (icd != NULL)
239  DetectICodeFree(de_ctx, icd);
240  return NULL;
241 }
242 
243 /**
244  * \brief this function is used to add the parsed icode data into the current signature
245  *
246  * \param de_ctx pointer to the Detection Engine Context
247  * \param s pointer to the Current Signature
248  * \param icodestr pointer to the user provided icode options
249  *
250  * \retval 0 on Success
251  * \retval -1 on Failure
252  */
253 static int DetectICodeSetup(DetectEngineCtx *de_ctx, Signature *s, const char *icodestr)
254 {
255 
256  DetectICodeData *icd = NULL;
257  SigMatch *sm = NULL;
258 
259  icd = DetectICodeParse(NULL, icodestr);
260  if (icd == NULL) goto error;
261 
262  sm = SigMatchAlloc();
263  if (sm == NULL) goto error;
264 
265  sm->type = DETECT_ICODE;
266  sm->ctx = (SigMatchCtx *)icd;
267 
270 
271  return 0;
272 
273 error:
274  if (icd != NULL) DetectICodeFree(de_ctx, icd);
275  if (sm != NULL) SCFree(sm);
276  return -1;
277 }
278 
279 /**
280  * \brief this function will free memory associated with DetectICodeData
281  *
282  * \param ptr pointer to DetectICodeData
283  */
285 {
286  DetectICodeData *icd = (DetectICodeData *)ptr;
287  SCFree(icd);
288 }
289 
290 /* prefilter code */
291 
292 static void PrefilterPacketICodeMatch(DetectEngineThreadCtx *det_ctx,
293  Packet *p, const void *pectx)
294 {
295  if (PKT_IS_PSEUDOPKT(p)) {
296  SCReturn;
297  }
298 
299  uint8_t picode;
300  if (PKT_IS_ICMPV4(p)) {
301  picode = ICMPV4_GET_CODE(p);
302  } else if (PKT_IS_ICMPV6(p)) {
303  picode = ICMPV6_GET_CODE(p);
304  } else {
305  /* Packet not ICMPv4 nor ICMPv6 */
306  return;
307  }
308 
309  const PrefilterPacketU8HashCtx *h = pectx;
310  const SigsArray *sa = h->array[picode];
311  if (sa) {
312  PrefilterAddSids(&det_ctx->pmq, sa->sigs, sa->cnt);
313  }
314 }
315 
316 static void
317 PrefilterPacketICodeSet(PrefilterPacketHeaderValue *v, void *smctx)
318 {
319  const DetectICodeData *a = smctx;
320  v->u8[0] = a->mode;
321  v->u8[1] = a->code1;
322  v->u8[2] = a->code2;
323 }
324 
325 static bool
326 PrefilterPacketICodeCompare(PrefilterPacketHeaderValue v, void *smctx)
327 {
328  const DetectICodeData *a = smctx;
329  if (v.u8[0] == a->mode &&
330  v.u8[1] == a->code1 &&
331  v.u8[2] == a->code2)
332  return TRUE;
333  return FALSE;
334 }
335 
336 static int PrefilterSetupICode(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
337 {
339  PrefilterPacketICodeSet,
340  PrefilterPacketICodeCompare,
341  PrefilterPacketICodeMatch);
342 }
343 
344 static bool PrefilterICodeIsPrefilterable(const Signature *s)
345 {
346  const SigMatch *sm;
347  for (sm = s->init_data->smlists[DETECT_SM_LIST_MATCH] ; sm != NULL; sm = sm->next) {
348  switch (sm->type) {
349  case DETECT_ICODE:
350  return TRUE;
351  }
352  }
353  return FALSE;
354 }
355 
356 #ifdef UNITTESTS
357 #include "detect-engine.h"
358 #include "detect-engine-mpm.h"
359 
360 /**
361  * \test DetectICodeParseTest01 is a test for setting a valid icode value
362  */
363 static int DetectICodeParseTest01(void)
364 {
365  DetectICodeData *icd = NULL;
366  int result = 0;
367  icd = DetectICodeParse(NULL, "8");
368  if (icd != NULL) {
369  if (icd->code1 == 8 && icd->mode == DETECT_ICODE_EQ)
370  result = 1;
371  DetectICodeFree(NULL, icd);
372  }
373  return result;
374 }
375 
376 /**
377  * \test DetectICodeParseTest02 is a test for setting a valid icode value
378  * with ">" operator
379  */
380 static int DetectICodeParseTest02(void)
381 {
382  DetectICodeData *icd = NULL;
383  int result = 0;
384  icd = DetectICodeParse(NULL, ">8");
385  if (icd != NULL) {
386  if (icd->code1 == 8 && icd->mode == DETECT_ICODE_GT)
387  result = 1;
388  DetectICodeFree(NULL, icd);
389  }
390  return result;
391 }
392 
393 /**
394  * \test DetectICodeParseTest03 is a test for setting a valid icode value
395  * with "<" operator
396  */
397 static int DetectICodeParseTest03(void)
398 {
399  DetectICodeData *icd = NULL;
400  int result = 0;
401  icd = DetectICodeParse(NULL, "<8");
402  if (icd != NULL) {
403  if (icd->code1 == 8 && icd->mode == DETECT_ICODE_LT)
404  result = 1;
405  DetectICodeFree(NULL, icd);
406  }
407  return result;
408 }
409 
410 /**
411  * \test DetectICodeParseTest04 is a test for setting a valid icode value
412  * with "<>" operator
413  */
414 static int DetectICodeParseTest04(void)
415 {
416  DetectICodeData *icd = NULL;
417  int result = 0;
418  icd = DetectICodeParse(NULL, "8<>20");
419  if (icd != NULL) {
420  if (icd->code1 == 8 && icd->code2 == 20 && icd->mode == DETECT_ICODE_RN)
421  result = 1;
422  DetectICodeFree(NULL, icd);
423  }
424  return result;
425 }
426 
427 /**
428  * \test DetectICodeParseTest05 is a test for setting a valid icode value
429  * with spaces all around
430  */
431 static int DetectICodeParseTest05(void)
432 {
433  DetectICodeData *icd = NULL;
434  int result = 0;
435  icd = DetectICodeParse(NULL, " 8 ");
436  if (icd != NULL) {
437  if (icd->code1 == 8 && icd->mode == DETECT_ICODE_EQ)
438  result = 1;
439  DetectICodeFree(NULL, icd);
440  }
441  return result;
442 }
443 
444 /**
445  * \test DetectICodeParseTest06 is a test for setting a valid icode value
446  * with ">" operator and spaces all around
447  */
448 static int DetectICodeParseTest06(void)
449 {
450  DetectICodeData *icd = NULL;
451  int result = 0;
452  icd = DetectICodeParse(NULL, " > 8 ");
453  if (icd != NULL) {
454  if (icd->code1 == 8 && icd->mode == DETECT_ICODE_GT)
455  result = 1;
456  DetectICodeFree(NULL, icd);
457  }
458  return result;
459 }
460 
461 /**
462  * \test DetectICodeParseTest07 is a test for setting a valid icode value
463  * with "<>" operator and spaces all around
464  */
465 static int DetectICodeParseTest07(void)
466 {
467  DetectICodeData *icd = NULL;
468  int result = 0;
469  icd = DetectICodeParse(NULL, " 8 <> 20 ");
470  if (icd != NULL) {
471  if (icd->code1 == 8 && icd->code2 == 20 && icd->mode == DETECT_ICODE_RN)
472  result = 1;
473  DetectICodeFree(NULL, icd);
474  }
475  return result;
476 }
477 
478 /**
479  * \test DetectICodeParseTest08 is a test for setting an invalid icode value
480  */
481 static int DetectICodeParseTest08(void)
482 {
483  DetectICodeData *icd = NULL;
484  icd = DetectICodeParse(NULL, "> 8 <> 20");
485  if (icd == NULL)
486  return 1;
487  DetectICodeFree(NULL, icd);
488  return 0;
489 }
490 
491 /**
492  * \test DetectICodeMatchTest01 is a test for checking the working of icode
493  * keyword by creating 5 rules and matching a crafted packet against
494  * them. 4 out of 5 rules shall trigger.
495  */
496 static int DetectICodeMatchTest01(void)
497 {
498 
499  Packet *p = NULL;
500  Signature *s = NULL;
501  ThreadVars th_v;
502  DetectEngineThreadCtx *det_ctx;
503  int result = 0;
504 
505  memset(&th_v, 0, sizeof(th_v));
506 
507  p = UTHBuildPacket(NULL, 0, IPPROTO_ICMP);
508 
509  p->icmpv4h->code = 10;
510 
512  if (de_ctx == NULL) {
513  goto end;
514  }
515 
516  de_ctx->flags |= DE_QUIET;
517 
518  s = de_ctx->sig_list = SigInit(de_ctx,"alert icmp any any -> any any (icode:10; sid:1;)");
519  if (s == NULL) {
520  goto end;
521  }
522 
523  s = s->next = SigInit(de_ctx,"alert icmp any any -> any any (icode:<15; sid:2;)");
524  if (s == NULL) {
525  goto end;
526  }
527 
528  s = s->next = SigInit(de_ctx,"alert icmp any any -> any any (icode:>20; sid:3;)");
529  if (s == NULL) {
530  goto end;
531  }
532 
533  s = s->next = SigInit(de_ctx,"alert icmp any any -> any any (icode:8<>20; sid:4;)");
534  if (s == NULL) {
535  goto end;
536  }
537 
538  s = s->next = SigInit(de_ctx,"alert icmp any any -> any any (icode:20<>8; sid:5;)");
539  if (s == NULL) {
540  goto end;
541  }
542 
544  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
545 
546  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
547  if (PacketAlertCheck(p, 1) == 0) {
548  SCLogDebug("sid 1 did not alert, but should have");
549  goto cleanup;
550  } else if (PacketAlertCheck(p, 2) == 0) {
551  SCLogDebug("sid 2 did not alert, but should have");
552  goto cleanup;
553  } else if (PacketAlertCheck(p, 3)) {
554  SCLogDebug("sid 3 alerted, but should not have");
555  goto cleanup;
556  } else if (PacketAlertCheck(p, 4) == 0) {
557  SCLogDebug("sid 4 did not alert, but should have");
558  goto cleanup;
559  } else if (PacketAlertCheck(p, 5) == 0) {
560  SCLogDebug("sid 5 did not alert, but should have");
561  goto cleanup;
562  }
563 
564  result = 1;
565 
566 cleanup:
569 
570  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
572 
573  UTHFreePackets(&p, 1);
574 end:
575  return result;
576 }
577 
578 /**
579  * \brief this function registers unit tests for DetectICode
580  */
581 void DetectICodeRegisterTests(void)
582 {
583  UtRegisterTest("DetectICodeParseTest01", DetectICodeParseTest01);
584  UtRegisterTest("DetectICodeParseTest02", DetectICodeParseTest02);
585  UtRegisterTest("DetectICodeParseTest03", DetectICodeParseTest03);
586  UtRegisterTest("DetectICodeParseTest04", DetectICodeParseTest04);
587  UtRegisterTest("DetectICodeParseTest05", DetectICodeParseTest05);
588  UtRegisterTest("DetectICodeParseTest06", DetectICodeParseTest06);
589  UtRegisterTest("DetectICodeParseTest07", DetectICodeParseTest07);
590  UtRegisterTest("DetectICodeParseTest08", DetectICodeParseTest08);
591  UtRegisterTest("DetectICodeMatchTest01", DetectICodeMatchTest01);
592 }
593 #endif /* UNITTESTS */
util-byte.h
SigTableElmt_::url
const char * url
Definition: detect.h:1214
DETECT_ICODE_EQ
#define DETECT_ICODE_EQ
Definition: detect-icode.c:79
detect-engine.h
ICMPV4_GET_CODE
#define ICMPV4_GET_CODE(p)
Definition: decode-icmpv4.h:217
SigTableElmt_::desc
const char * desc
Definition: detect.h:1213
SC_ERR_INVALID_VALUE
@ SC_ERR_INVALID_VALUE
Definition: util-error.h:160
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1201
SigTableElmt_::name
const char * name
Definition: detect.h:1211
PKT_IS_PSEUDOPKT
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1147
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1347
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DetectICodeData_::code2
uint8_t code2
Definition: detect-icode.c:86
PrefilterPacketU8HashCtx_::array
SigsArray * array[256]
Definition: detect-engine-prefilter-common.h:51
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2056
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1111
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:767
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2093
PrefilterPacketHeaderValue::u8
uint8_t u8[16]
Definition: detect-engine-prefilter-common.h:22
ICMPV6_GET_CODE
#define ICMPV6_GET_CODE(p)
Definition: decode-icmpv6.h:104
DE_QUIET
#define DE_QUIET
Definition: detect.h:294
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:337
DETECT_ICODE_GT
#define DETECT_ICODE_GT
Definition: detect-icode.c:81
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:39
DETECT_ICODE_LT
#define DETECT_ICODE_LT
Definition: detect-icode.c:80
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1196
util-unittest.h
util-unittest-helper.h
SigTableElmt_::SetupPrefilter
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
Definition: detect.h:1199
Signature_::next
struct Signature_ * next
Definition: detect.h:600
decode.h
util-debug.h
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectICodeRegister
void DetectICodeRegister(void)
Registration function for icode: keyword.
Definition: detect-icode.c:62
DetectEngineThreadCtx_
Definition: detect.h:1010
DETECT_ICODE
@ DETECT_ICODE
Definition: detect-engine-register.h:46
res
PoolThreadReserved res
Definition: stream-tcp-private.h:0
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2493
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:324
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:89
SC_ERR_INVALID_ARGUMENT
@ SC_ERR_INVALID_ARGUMENT
Definition: util-error.h:43
TRUE
#define TRUE
Definition: suricata-common.h:33
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:323
PKT_IS_ICMPV6
#define PKT_IS_ICMPV6(p)
Definition: decode.h:262
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1688
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1953
FALSE
#define FALSE
Definition: suricata-common.h:34
SCReturn
#define SCReturn
Definition: util-debug.h:302
Signature_::flags
uint32_t flags
Definition: detect.h:529
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options, int *ovector, int ovector_size)
Definition: detect-parse.c:2423
Packet_
Definition: decode.h:414
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:597
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1179
SignatureInitData_::smlists
struct SigMatch_ ** smlists
Definition: detect.h:522
DetectICodeData_::mode
uint8_t mode
Definition: detect-icode.c:88
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1888
SigMatch_::type
uint8_t type
Definition: detect.h:321
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:315
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2797
SigsArray_::sigs
SigIntId * sigs
Definition: detect-engine-prefilter-common.h:45
DetectICodeFree
void DetectICodeFree(DetectEngineCtx *, void *)
this function will free memory associated with DetectICodeData
Definition: detect-icode.c:284
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3005
SigsArray_
Definition: detect-engine-prefilter-common.h:44
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectParseRegex_
Definition: detect-parse.h:42
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
SigsArray_::cnt
uint32_t cnt
Definition: detect-engine-prefilter-common.h:46
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:773
Packet_::icmpv4h
ICMPV4Hdr * icmpv4h
Definition: decode.h:537
PKT_IS_ICMPV4
#define PKT_IS_ICMPV4(p)
Definition: decode.h:261
DetectICodeData_::code1
uint8_t code1
Definition: detect-icode.c:85
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
SCFree
#define SCFree(p)
Definition: util-mem.h:61
SigTableElmt_::SupportsPrefilter
bool(* SupportsPrefilter)(const Signature *s)
Definition: detect.h:1198
detect-parse.h
detect-icode.h
Signature_
Signature container.
Definition: detect.h:528
SigMatch_
a single match condition for a signature
Definition: detect.h:320
PARSE_REGEX
#define PARSE_REGEX
Regex for parsing our icode options.
Definition: detect-icode.c:44
DetectICodeData
struct DetectICodeData_ DetectICodeData
StringParseUint8
int StringParseUint8(uint8_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:359
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2048
PrefilterPacketU8HashCtx_
Definition: detect-engine-prefilter-common.h:50
PrefilterPacketHeaderValue
Definition: detect-engine-prefilter-common.h:21
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:768
detect-engine-prefilter-common.h
PrefilterSetupPacketHeaderU8Hash
int PrefilterSetupPacketHeaderU8Hash(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type, void(*Set)(PrefilterPacketHeaderValue *v, void *), bool(*Compare)(PrefilterPacketHeaderValue v, void *), void(*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
Definition: detect-engine-prefilter-common.c:396
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
debug.h
DETECT_ICODE_RN
#define DETECT_ICODE_RN
Definition: detect-icode.c:82
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1203
DetectICodeData_
Definition: detect-icode.c:84
SIG_FLAG_REQUIRE_PACKET
#define SIG_FLAG_REQUIRE_PACKET
Definition: detect.h:223
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:468