suricata
detect-iprep.c
Go to the documentation of this file.
1 /* Copyright (C) 2012-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Implements the iprep keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 #include "detect.h"
29 #include "threads.h"
30 #include "flow.h"
31 #include "flow-bit.h"
32 #include "flow-util.h"
33 #include "detect-iprep.h"
34 #include "util-spm.h"
35 
36 #include "app-layer-parser.h"
37 
38 #include "detect-parse.h"
39 #include "detect-engine.h"
40 #include "detect-engine-mpm.h"
41 #include "detect-engine-state.h"
42 #include "detect-engine-uint.h"
43 #include "detect-engine-build.h"
44 
45 #include "util-debug.h"
46 #include "util-byte.h"
47 #include "util-unittest.h"
48 #include "util-unittest-helper.h"
49 #include "util-fmemopen.h"
50 #include "util-validate.h"
51 
52 #include "reputation.h"
53 #include "host.h"
54 
55 static int DetectIPRepMatch (DetectEngineThreadCtx *, Packet *,
56  const Signature *, const SigMatchCtx *);
57 static int DetectIPRepSetup (DetectEngineCtx *, Signature *, const char *);
58 void DetectIPRepFree (DetectEngineCtx *, void *);
59 #ifdef UNITTESTS
60 static void IPRepRegisterTests(void);
61 #endif
62 
63 void DetectIPRepRegister (void)
64 {
65  sigmatch_table[DETECT_IPREP].name = "iprep";
66  sigmatch_table[DETECT_IPREP].desc = "match on the IP reputation information for a host";
67  sigmatch_table[DETECT_IPREP].url = "/rules/ip-reputation-rules.html#iprep";
68  sigmatch_table[DETECT_IPREP].Match = DetectIPRepMatch;
69  sigmatch_table[DETECT_IPREP].Setup = DetectIPRepSetup;
70  sigmatch_table[DETECT_IPREP].Free = DetectIPRepFree;
71 #ifdef UNITTESTS
72  sigmatch_table[DETECT_IPREP].RegisterTests = IPRepRegisterTests;
73 #endif
74  /* this is compatible to ip-only signatures */
75  sigmatch_table[DETECT_IPREP].flags |= SIGMATCH_IPONLY_COMPAT;
76 }
77 
78 static inline int8_t GetRep(const SReputation *r, const uint8_t cat, const uint32_t version)
79 {
80  /* allow higher versions as this happens during
81  * rule reload */
82  if (r != NULL && r->version >= version) {
83  return r->rep[cat];
84  }
85  return -1;
86 }
87 
88 /** \returns: -2 no host, -1 no rep entry, 0-127 rep values */
89 static int8_t GetHostRepSrc(Packet *p, uint8_t cat, uint32_t version)
90 {
91  if (p->flags & PKT_HOST_SRC_LOOKED_UP && p->host_src == NULL) {
92  return -2;
93  } else if (p->host_src != NULL) {
94  Host *h = (Host *)p->host_src;
95  HostLock(h);
96  /* use_cnt: 1 for having iprep, 1 for packet ref */
97  DEBUG_VALIDATE_BUG_ON(h->iprep != NULL && SC_ATOMIC_GET(h->use_cnt) < 2);
98  int8_t val = GetRep(h->iprep, cat, version);
99  HostUnlock(h);
100  return val;
101  } else {
102  Host *h = HostLookupHostFromHash(&(p->src));
103  p->flags |= PKT_HOST_SRC_LOOKED_UP;
104  if (h == NULL)
105  return -2;
106  HostReference(&p->host_src, h);
107  /* use_cnt: 1 for having iprep, 1 for HostLookupHostFromHash,
108  * 1 for HostReference to packet */
109  DEBUG_VALIDATE_BUG_ON(h->iprep != NULL && SC_ATOMIC_GET(h->use_cnt) < 3);
110  int8_t val = GetRep(h->iprep, cat, version);
111  HostRelease(h); /* use_cnt >= 2: 1 for iprep, 1 for packet ref */
112  return val;
113  }
114 }
115 
116 static int8_t GetHostRepDst(Packet *p, uint8_t cat, uint32_t version)
117 {
118  if (p->flags & PKT_HOST_DST_LOOKED_UP && p->host_dst == NULL) {
119  return -2;
120  } else if (p->host_dst != NULL) {
121  Host *h = (Host *)p->host_dst;
122  HostLock(h);
123  /* use_cnt: 1 for having iprep, 1 for packet ref */
124  DEBUG_VALIDATE_BUG_ON(h->iprep != NULL && SC_ATOMIC_GET(h->use_cnt) < 2);
125  int8_t val = GetRep(h->iprep, cat, version);
126  HostUnlock(h);
127  return val;
128  } else {
129  Host *h = HostLookupHostFromHash(&(p->dst));
130  p->flags |= PKT_HOST_DST_LOOKED_UP;
131  if (h == NULL)
132  return -2;
133  HostReference(&p->host_dst, h);
134  /* use_cnt: 1 for having iprep, 1 for HostLookupHostFromHash,
135  * 1 for HostReference to packet */
136  DEBUG_VALIDATE_BUG_ON(h->iprep != NULL && SC_ATOMIC_GET(h->use_cnt) < 3);
137  int8_t val = GetRep(h->iprep, cat, version);
138  HostRelease(h); /* use_cnt >= 2: 1 for iprep, 1 for packet ref */
139  return val;
140  }
141 }
142 
143 /*
144  * returns 0: no match
145  * 1: match
146  * -1: error
147  */
148 static int DetectIPRepMatch (DetectEngineThreadCtx *det_ctx, Packet *p,
149  const Signature *s, const SigMatchCtx *ctx)
150 {
151  const DetectIPRepData *rd = (const DetectIPRepData *)ctx;
152  if (rd == NULL)
153  return 0;
154 
155  uint32_t version = det_ctx->de_ctx->srep_version;
156  int8_t val = 0;
157 
158  SCLogDebug("rd->cmd %u", rd->cmd);
159  switch (rd->cmd) {
160  case IPRepCmdAny:
161  if (!rd->isnotset) {
162  val = GetHostRepSrc(p, rd->cat, version);
163  if (val < 0)
164  val = SRepCIDRGetIPRepSrc(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
165  if (val >= 0) {
166  if (DetectU8Match((uint8_t)val, &rd->du8))
167  return 1;
168  }
169  val = GetHostRepDst(p, rd->cat, version);
170  if (val < 0)
171  val = SRepCIDRGetIPRepDst(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
172  if (val >= 0) {
173  return DetectU8Match((uint8_t)val, &rd->du8);
174  }
175  } else {
176  /* isnotset for any */
177 
178  val = GetHostRepSrc(p, rd->cat, version);
179  if (val < 0)
180  val = SRepCIDRGetIPRepSrc(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
181  if (val < 0) {
182  return 1;
183  }
184  val = GetHostRepDst(p, rd->cat, version);
185  if (val < 0)
186  val = SRepCIDRGetIPRepDst(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
187  if (val < 0) {
188  return 1;
189  }
190  /* both have a value, so none 'isnotset' */
191  return 0;
192  }
193  break;
194 
195  case IPRepCmdSrc:
196  val = GetHostRepSrc(p, rd->cat, version);
197  SCLogDebug("checking src -- val %d (looking for cat %u, val %u)", val, rd->cat,
198  rd->du8.arg1);
199  if (val < 0)
200  val = SRepCIDRGetIPRepSrc(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
201  if (val >= 0) {
202  return DetectU8Match((uint8_t)val, &rd->du8);
203  }
204  /* implied: no value found */
205  if (rd->isnotset) {
206  return 1;
207  }
208  break;
209 
210  case IPRepCmdDst:
211  SCLogDebug("checking dst");
212  val = GetHostRepDst(p, rd->cat, version);
213  if (val < 0)
214  val = SRepCIDRGetIPRepDst(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
215  if (val >= 0) {
216  return DetectU8Match((uint8_t)val, &rd->du8);
217  }
218  /* implied: no value found */
219  if (rd->isnotset) {
220  return 1;
221  }
222  break;
223 
224  case IPRepCmdBoth:
225  if (!rd->isnotset) {
226  val = GetHostRepSrc(p, rd->cat, version);
227  if (val < 0)
228  val = SRepCIDRGetIPRepSrc(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
229  if (val < 0 || DetectU8Match((uint8_t)val, &rd->du8) == 0)
230  return 0;
231  val = GetHostRepDst(p, rd->cat, version);
232  if (val < 0)
233  val = SRepCIDRGetIPRepDst(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
234  if (val >= 0) {
235  return DetectU8Match((uint8_t)val, &rd->du8);
236  }
237  } else {
238  val = GetHostRepSrc(p, rd->cat, version);
239  if (val >= 0)
240  return 0;
241  val = SRepCIDRGetIPRepSrc(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
242  if (val >= 0)
243  return 0;
244  val = GetHostRepDst(p, rd->cat, version);
245  if (val >= 0)
246  return 0;
247  val = SRepCIDRGetIPRepDst(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
248  if (val >= 0)
249  return 0;
250  return 1;
251  }
252  break;
253  }
254 
255  return 0;
256 }
257 
258 int DetectIPRepSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
259 {
260  DetectIPRepData *cd = SCDetectIPRepParse(rawstr);
261  if (cd == NULL) {
262  SCLogError("\"%s\" is not a valid setting for iprep", rawstr);
263  goto error;
264  }
265 
266  SCLogDebug("cmd %u, cat %u, op %u, val %u", cd->cmd, cd->cat, cd->du8.mode, cd->du8.arg1);
267 
268  /* Okay so far so good, lets get this into a SigMatch
269  * and put it in the Signature. */
270 
271  if (SCSigMatchAppendSMToList(
272  de_ctx, s, DETECT_IPREP, (SigMatchCtx *)cd, DETECT_SM_LIST_MATCH) == NULL) {
273  goto error;
274  }
275 
276  return 0;
277 
278 error:
279  if (cd != NULL)
280  DetectIPRepFree(de_ctx, cd);
281  return -1;
282 }
283 
284 void DetectIPRepFree (DetectEngineCtx *de_ctx, void *ptr)
285 {
286  DetectIPRepData *fd = (DetectIPRepData *)ptr;
287  if (fd == NULL)
288  return;
289 
290  SCDetectIPRepFree(fd);
291 }
292 
293 #ifdef UNITTESTS
294 #include "packet.h"
295 #include "action-globals.h"
296 
297 static FILE *DetectIPRepGenerateCategoriesDummy(void)
298 {
299  FILE *fd = NULL;
300  const char *buffer = "1,BadHosts,Know bad hosts";
301 
302  fd = SCFmemopen((void *)buffer, strlen(buffer), "r");
303  if (fd == NULL)
304  SCLogDebug("Error with SCFmemopen()");
305 
306  return fd;
307 }
308 
309 static FILE *DetectIPRepGenerateCategoriesDummy2(void)
310 {
311  FILE *fd = NULL;
312  const char *buffer =
313  "1,BadHosts,Know bad hosts\n"
314  "2,GoodHosts,Know good hosts\n";
315 
316  fd = SCFmemopen((void *)buffer, strlen(buffer), "r");
317  if (fd == NULL)
318  SCLogDebug("Error with SCFmemopen()");
319 
320  return fd;
321 }
322 
323 static FILE *DetectIPRepGenerateNetworksDummy(void)
324 {
325  FILE *fd = NULL;
326  const char *buffer = "10.0.0.0/24,1,20";
327 
328  fd = SCFmemopen((void *)buffer, strlen(buffer), "r");
329  if (fd == NULL)
330  SCLogDebug("Error with SCFmemopen()");
331 
332  return fd;
333 }
334 
335 static FILE *DetectIPRepGenerateNetworksDummy2(void)
336 {
337  FILE *fd = NULL;
338  const char *buffer =
339  "0.0.0.0/0,1,10\n"
340  "192.168.0.0/16,2,127";
341 
342  fd = SCFmemopen((void *)buffer, strlen(buffer), "r");
343  if (fd == NULL)
344  SCLogDebug("Error with SCFmemopen()");
345 
346  return fd;
347 }
348 
349 static int DetectIPRepTest01(void)
350 {
351  ThreadVars th_v;
352  DetectEngineThreadCtx *det_ctx = NULL;
353  Signature *sig = NULL;
354  FILE *fd = NULL;
355  int r = 0;
356  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
357  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
358 
359  HostInitConfig(HOST_QUIET);
360  memset(&th_v, 0, sizeof(th_v));
361 
362  FAIL_IF_NULL(de_ctx);
363  FAIL_IF_NULL(p);
364 
365  p->src.addr_data32[0] = UTHSetIPv4Address("10.0.0.1");
366  de_ctx->flags |= DE_QUIET;
367 
368  SRepInit(de_ctx);
369  SRepResetVersion();
370 
371  fd = DetectIPRepGenerateCategoriesDummy();
372  r = SRepLoadCatFileFromFD(fd);
373  FAIL_IF(r < 0);
374 
375  fd = DetectIPRepGenerateNetworksDummy();
376  r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);
377  FAIL_IF(r < 0);
378 
379  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value "
380  "badhost\"; iprep:any,BadHosts,>,1; sid:1;rev:1;)");
381  FAIL_IF_NULL(sig);
382 
383  SigGroupBuild(de_ctx);
384  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
385 
386  p->alerts.cnt = 0;
387  p->action = 0;
388  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
389 
390  FAIL_IF(p->alerts.cnt != 1);
391  FAIL_IF(PacketTestAction(p, ACTION_DROP));
392 
393  UTHFreePacket(p);
394 
395  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
396  DetectEngineCtxFree(de_ctx);
397 
398  HostShutdown();
399  PASS;
400 }
401 
402 static int DetectIPRepTest02(void)
403 {
404  ThreadVars th_v;
405  DetectEngineThreadCtx *det_ctx = NULL;
406  Signature *sig = NULL;
407  FILE *fd = NULL;
408  int r = 0;
409  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
410  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
411 
412  HostInitConfig(HOST_QUIET);
413  memset(&th_v, 0, sizeof(th_v));
414 
415  FAIL_IF_NULL(de_ctx);
416  FAIL_IF_NULL(p);
417 
418  p->src.addr_data32[0] = UTHSetIPv4Address("10.0.0.1");
419  de_ctx->flags |= DE_QUIET;
420 
421  SRepInit(de_ctx);
422  SRepResetVersion();
423 
424  fd = DetectIPRepGenerateCategoriesDummy();
425  r = SRepLoadCatFileFromFD(fd);
426  FAIL_IF(r < 0);
427 
428  fd = DetectIPRepGenerateNetworksDummy();
429  r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);
430  FAIL_IF(r < 0);
431 
432  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value "
433  "badhost\"; iprep:src,BadHosts,>,1; sid:1; rev:1;)");
434  FAIL_IF_NULL(sig);
435 
436  SigGroupBuild(de_ctx);
437  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
438 
439  p->alerts.cnt = 0;
440  p->action = 0;
441  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
442  FAIL_IF(p->alerts.cnt != 1);
443  FAIL_IF(PacketTestAction(p, ACTION_DROP));
444 
445  UTHFreePacket(p);
446 
447  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
448  DetectEngineCtxFree(de_ctx);
449 
450  HostShutdown();
451  PASS;
452 }
453 
454 static int DetectIPRepTest03(void)
455 {
456  ThreadVars th_v;
457  DetectEngineThreadCtx *det_ctx = NULL;
458  Signature *sig = NULL;
459  FILE *fd = NULL;
460  int r = 0;
461  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
462  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
463 
464  HostInitConfig(HOST_QUIET);
465  memset(&th_v, 0, sizeof(th_v));
466 
467  FAIL_IF_NULL(de_ctx);
468  FAIL_IF_NULL(p);
469 
470  p->dst.addr_data32[0] = UTHSetIPv4Address("10.0.0.2");
471  de_ctx->flags |= DE_QUIET;
472 
473  SRepInit(de_ctx);
474  SRepResetVersion();
475 
476  fd = DetectIPRepGenerateCategoriesDummy();
477  r = SRepLoadCatFileFromFD(fd);
478  FAIL_IF(r < 0);
479 
480  fd = DetectIPRepGenerateNetworksDummy();
481  r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);
482  FAIL_IF(r < 0);
483 
484  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value "
485  "badhost\"; iprep:dst,BadHosts,>,1; sid:1; rev:1;)");
486  FAIL_IF_NULL(sig);
487 
488  SigGroupBuild(de_ctx);
489  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
490 
491  p->alerts.cnt = 0;
492  p->action = 0;
493  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
494  FAIL_IF(p->alerts.cnt != 1);
495  FAIL_IF(PacketTestAction(p, ACTION_DROP));
496 
497  UTHFreePacket(p);
498 
499  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
500  DetectEngineCtxFree(de_ctx);
501 
502  HostShutdown();
503  PASS;
504 }
505 
506 static int DetectIPRepTest04(void)
507 {
508  ThreadVars th_v;
509  DetectEngineThreadCtx *det_ctx = NULL;
510  Signature *sig = NULL;
511  FILE *fd = NULL;
512  int r = 0;
513  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
514  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
515 
516  HostInitConfig(HOST_QUIET);
517  memset(&th_v, 0, sizeof(th_v));
518 
519  FAIL_IF_NULL(de_ctx);
520  FAIL_IF_NULL(p);
521 
522  p->src.addr_data32[0] = UTHSetIPv4Address("10.0.0.1");
523  p->dst.addr_data32[0] = UTHSetIPv4Address("10.0.0.2");
524  de_ctx->flags |= DE_QUIET;
525 
526  SRepInit(de_ctx);
527  SRepResetVersion();
528 
529  fd = DetectIPRepGenerateCategoriesDummy();
530  r = SRepLoadCatFileFromFD(fd);
531  FAIL_IF(r < 0);
532 
533  fd = DetectIPRepGenerateNetworksDummy();
534  r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);
535  FAIL_IF(r < 0);
536 
537  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value "
538  "badhost\"; iprep:both,BadHosts,>,1; sid:1; rev:1;)");
539  FAIL_IF_NULL(sig);
540 
541  SigGroupBuild(de_ctx);
542  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
543 
544  p->alerts.cnt = 0;
545  p->action = 0;
546  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
547  FAIL_IF(p->alerts.cnt != 1);
548  FAIL_IF(PacketTestAction(p, ACTION_DROP));
549 
550  UTHFreePacket(p);
551 
552  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
553  DetectEngineCtxFree(de_ctx);
554 
555  HostShutdown();
556  PASS;
557 }
558 
559 static int DetectIPRepTest05(void)
560 {
561  ThreadVars th_v;
562  DetectEngineThreadCtx *det_ctx = NULL;
563  Signature *sig = NULL;
564  FILE *fd = NULL;
565  int r = 0;
566  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
567  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
568 
569  HostInitConfig(HOST_QUIET);
570  memset(&th_v, 0, sizeof(th_v));
571 
572  FAIL_IF_NULL(de_ctx);
573  FAIL_IF_NULL(p);
574 
575  p->src.addr_data32[0] = UTHSetIPv4Address("1.0.0.1");
576  de_ctx->flags |= DE_QUIET;
577 
578  SRepInit(de_ctx);
579  SRepResetVersion();
580 
581  fd = DetectIPRepGenerateCategoriesDummy();
582  r = SRepLoadCatFileFromFD(fd);
583  FAIL_IF(r < 0);
584 
585  fd = DetectIPRepGenerateNetworksDummy();
586  r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);
587  FAIL_IF(r < 0);
588 
589  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value "
590  "badhost\"; iprep:any,BadHosts,>,1; sid:1; rev:1;)");
591  FAIL_IF_NULL(sig);
592 
593  SigGroupBuild(de_ctx);
594  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
595 
596  p->alerts.cnt = 0;
597  p->action = 0;
598  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
599  FAIL_IF(p->alerts.cnt != 0);
600  FAIL_IF(PacketTestAction(p, ACTION_DROP));
601 
602  UTHFreePacket(p);
603 
604  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
605  DetectEngineCtxFree(de_ctx);
606 
607  HostShutdown();
608  PASS;
609 }
610 
611 static int DetectIPRepTest06(void)
612 {
613  ThreadVars th_v;
614  DetectEngineThreadCtx *det_ctx = NULL;
615  Signature *sig = NULL;
616  FILE *fd = NULL;
617  int r = 0;
618  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
619  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
620 
621  HostInitConfig(HOST_QUIET);
622  memset(&th_v, 0, sizeof(th_v));
623 
624  FAIL_IF_NULL(de_ctx);
625  FAIL_IF_NULL(p);
626 
627  p->src.addr_data32[0] = UTHSetIPv4Address("1.0.0.1");
628  de_ctx->flags |= DE_QUIET;
629 
630  SRepInit(de_ctx);
631  SRepResetVersion();
632 
633  fd = DetectIPRepGenerateCategoriesDummy();
634  r = SRepLoadCatFileFromFD(fd);
635  FAIL_IF(r < 0);
636 
637  fd = DetectIPRepGenerateNetworksDummy2();
638  r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);
639  FAIL_IF(r < 0);
640 
641  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value "
642  "badhost\"; iprep:any,BadHosts,>,1; sid:1; rev:1;)");
643  FAIL_IF_NULL(sig);
644 
645  SigGroupBuild(de_ctx);
646  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
647 
648  p->alerts.cnt = 0;
649  p->action = 0;
650  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
651  FAIL_IF(p->alerts.cnt != 1);
652  FAIL_IF(PacketTestAction(p, ACTION_DROP));
653 
654  UTHFreePacket(p);
655 
656  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
657  DetectEngineCtxFree(de_ctx);
658 
659  HostShutdown();
660  PASS;
661 }
662 
663 static int DetectIPRepTest07(void)
664 {
665  ThreadVars th_v;
666  DetectEngineThreadCtx *det_ctx = NULL;
667  Signature *sig = NULL;
668  FILE *fd = NULL;
669  int r = 0;
670  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
671  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
672 
673  HostInitConfig(HOST_QUIET);
674  memset(&th_v, 0, sizeof(th_v));
675 
676  FAIL_IF_NULL(de_ctx);
677  FAIL_IF_NULL(p);
678 
679  p->dst.addr_data32[0] = UTHSetIPv4Address("1.0.0.2");
680  de_ctx->flags |= DE_QUIET;
681 
682  SRepInit(de_ctx);
683  SRepResetVersion();
684 
685  fd = DetectIPRepGenerateCategoriesDummy();
686  r = SRepLoadCatFileFromFD(fd);
687  FAIL_IF(r < 0);
688 
689  fd = DetectIPRepGenerateNetworksDummy2();
690  r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);
691  FAIL_IF(r < 0);
692 
693  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value "
694  "badhost\"; iprep:any,BadHosts,>,1; sid:1; rev:1;)");
695  FAIL_IF_NULL(sig);
696 
697  SigGroupBuild(de_ctx);
698  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
699 
700  p->alerts.cnt = 0;
701  p->action = 0;
702  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
703  FAIL_IF(p->alerts.cnt != 1);
704  FAIL_IF(PacketTestAction(p, ACTION_DROP));
705 
706  UTHFreePacket(p);
707 
708  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
709  DetectEngineCtxFree(de_ctx);
710 
711  HostShutdown();
712  PASS;
713 }
714 
715 static int DetectIPRepTest08(void)
716 {
717  ThreadVars th_v;
718  DetectEngineThreadCtx *det_ctx = NULL;
719  Signature *sig = NULL;
720  FILE *fd = NULL;
721  int r = 0;
722  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
723  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
724 
725  HostInitConfig(HOST_QUIET);
726  memset(&th_v, 0, sizeof(th_v));
727 
728  FAIL_IF_NULL(de_ctx);
729  FAIL_IF_NULL(p);
730 
731  p->src.addr_data32[0] = UTHSetIPv4Address("1.0.0.1");
732  p->dst.addr_data32[0] = UTHSetIPv4Address("1.0.0.2");
733  de_ctx->flags |= DE_QUIET;
734 
735  SRepInit(de_ctx);
736  SRepResetVersion();
737 
738  fd = DetectIPRepGenerateCategoriesDummy();
739  r = SRepLoadCatFileFromFD(fd);
740  FAIL_IF(r < 0);
741 
742  fd = DetectIPRepGenerateNetworksDummy();
743  r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);
744  FAIL_IF(r < 0);
745 
746  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value "
747  "badhost\"; iprep:any,BadHosts,>,1; sid:1; rev:1;)");
748  FAIL_IF_NULL(sig);
749 
750  SigGroupBuild(de_ctx);
751  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
752 
753  p->alerts.cnt = 0;
754  p->action = 0;
755  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
756  FAIL_IF(p->alerts.cnt != 0);
757  FAIL_IF(PacketTestAction(p, ACTION_DROP));
758 
759  UTHFreePacket(p);
760 
761  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
762  DetectEngineCtxFree(de_ctx);
763 
764  HostShutdown();
765  PASS;
766 }
767 
768 static int DetectIPRepTest09(void)
769 {
770  ThreadVars th_v;
771  DetectEngineThreadCtx *det_ctx = NULL;
772  Signature *sig = NULL;
773  FILE *fd = NULL;
774  int r = 0;
775  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
776  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
777 
778  HostInitConfig(HOST_QUIET);
779  memset(&th_v, 0, sizeof(th_v));
780 
781  FAIL_IF_NULL(de_ctx);
782  FAIL_IF_NULL(p);
783 
784  p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1");
785  p->dst.addr_data32[0] = UTHSetIPv4Address("192.168.0.2");
786  de_ctx->flags |= DE_QUIET;
787 
788  SRepInit(de_ctx);
789  SRepResetVersion();
790 
791  fd = DetectIPRepGenerateCategoriesDummy2();
792  r = SRepLoadCatFileFromFD(fd);
793  FAIL_IF(r < 0);
794 
795  fd = DetectIPRepGenerateNetworksDummy2();
796  r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);
797  FAIL_IF(r < 0);
798 
799  sig = DetectEngineAppendSig(de_ctx,
800  "alert tcp any any -> any any (msg:\"test\"; iprep:src,BadHosts,>,9; sid:1; rev:1;)");
801  FAIL_IF_NULL(sig);
802 
803  SigGroupBuild(de_ctx);
804  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
805 
806  p->alerts.cnt = 0;
807  p->action = 0;
808  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
809  FAIL_IF(p->alerts.cnt != 1);
810  FAIL_IF(PacketTestAction(p, ACTION_DROP));
811 
812  UTHFreePacket(p);
813 
814  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
815  DetectEngineCtxFree(de_ctx);
816 
817  HostShutdown();
818  PASS;
819 }
820 
821 static FILE *DetectIPRepGenerateNetworksDummy3(void)
822 {
823  FILE *fd = NULL;
824  const char *buffer = "192.168.0.0/16,1,127"; // BadHosts
825 
826  fd = SCFmemopen((void *)buffer, strlen(buffer), "r");
827  if (fd == NULL)
828  SCLogDebug("Error with SCFmemopen()");
829 
830  return fd;
831 }
832 
833 static int DetectIPRepTest10(void)
834 {
835  ThreadVars th_v;
836  DetectEngineThreadCtx *det_ctx = NULL;
837  Signature *sig = NULL;
838  FILE *fd = NULL;
839  int r = 0;
840  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
841  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
842 
843  HostInitConfig(HOST_QUIET);
844  memset(&th_v, 0, sizeof(th_v));
845 
846  FAIL_IF_NULL(de_ctx);
847  FAIL_IF_NULL(p);
848 
849  p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1");
850  p->dst.addr_data32[0] = UTHSetIPv4Address("192.168.0.2");
851  de_ctx->flags |= DE_QUIET;
852 
853  SRepInit(de_ctx);
854  SRepResetVersion();
855 
856  fd = DetectIPRepGenerateCategoriesDummy2();
857  r = SRepLoadCatFileFromFD(fd);
858  FAIL_IF(r < 0);
859 
860  fd = DetectIPRepGenerateNetworksDummy3();
861  r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);
862  FAIL_IF(r < 0);
863 
864  sig = DetectEngineAppendSig(de_ctx,
865  "alert tcp any any -> any any (msg:\"test\"; iprep:src,BadHosts,isset; sid:1; rev:1;)");
866  FAIL_IF_NULL(sig);
867 
868  SigGroupBuild(de_ctx);
869  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
870 
871  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
872  FAIL_IF_NOT(p->alerts.cnt == 1);
873 
874  UTHFreePacket(p);
875 
876  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
877  DetectEngineCtxFree(de_ctx);
878 
879  HostShutdown();
880  PASS;
881 }
882 
883 static int DetectIPRepTest11(void)
884 {
885  ThreadVars th_v;
886  DetectEngineThreadCtx *det_ctx = NULL;
887  Signature *sig = NULL;
888  FILE *fd = NULL;
889  int r = 0;
890  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
891  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
892 
893  HostInitConfig(HOST_QUIET);
894  memset(&th_v, 0, sizeof(th_v));
895 
896  FAIL_IF_NULL(de_ctx);
897  FAIL_IF_NULL(p);
898 
899  p->src.addr_data32[0] = UTHSetIPv4Address("10.0.0.1");
900  p->dst.addr_data32[0] = UTHSetIPv4Address("10.0.0.2");
901  de_ctx->flags |= DE_QUIET;
902 
903  SRepInit(de_ctx);
904  SRepResetVersion();
905 
906  fd = DetectIPRepGenerateCategoriesDummy2();
907  r = SRepLoadCatFileFromFD(fd);
908  FAIL_IF(r < 0);
909 
910  fd = DetectIPRepGenerateNetworksDummy3();
911  r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);
912  FAIL_IF(r < 0);
913 
914  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"test\"; "
915  "iprep:src,BadHosts,isnotset; sid:1; rev:1;)");
916  FAIL_IF_NULL(sig);
917 
918  SigGroupBuild(de_ctx);
919  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
920 
921  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
922  FAIL_IF_NOT(p->alerts.cnt == 1);
923 
924  UTHFreePacket(p);
925 
926  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
927  DetectEngineCtxFree(de_ctx);
928 
929  HostShutdown();
930  PASS;
931 }
932 
933 /**
934  * \brief this function registers unit tests for IPRep
935  */
936 void IPRepRegisterTests(void)
937 {
938  UtRegisterTest("DetectIPRepTest01", DetectIPRepTest01);
939  UtRegisterTest("DetectIPRepTest02", DetectIPRepTest02);
940  UtRegisterTest("DetectIPRepTest03", DetectIPRepTest03);
941  UtRegisterTest("DetectIPRepTest04", DetectIPRepTest04);
942  UtRegisterTest("DetectIPRepTest05", DetectIPRepTest05);
943  UtRegisterTest("DetectIPRepTest06", DetectIPRepTest06);
944  UtRegisterTest("DetectIPRepTest07", DetectIPRepTest07);
945  UtRegisterTest("DetectIPRepTest08", DetectIPRepTest08);
946  UtRegisterTest("DetectIPRepTest09", DetectIPRepTest09);
947  UtRegisterTest("DetectIPRepTest10 -- isset", DetectIPRepTest10);
948  UtRegisterTest("DetectIPRepTest11 -- isnotset", DetectIPRepTest11);
949 }
950 #endif /* UNITTESTS */
util-byte.h
detect-engine-uint.h
host.h
SigTableElmt_::url
const char * url
Definition: detect.h:1462
HostUnlock
void HostUnlock(Host *h)
Definition: host.c:472
SReputation_
Definition: reputation.h:41
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
PKT_HOST_DST_LOOKED_UP
#define PKT_HOST_DST_LOOKED_UP
Definition: decode.h:1287
SigTableElmt_::desc
const char * desc
Definition: detect.h:1461
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:79
util-fmemopen.h
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1446
SReputation_::rep
uint8_t rep[SREP_MAX_CATS]
Definition: reputation.h:43
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1459
Packet_::host_src
struct Host_ * host_src
Definition: decode.h:622
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:275
PacketAlerts_::cnt
uint16_t cnt
Definition: decode.h:287
action-globals.h
Packet_::flags
uint32_t flags
Definition: decode.h:544
Packet_::action
uint8_t action
Definition: decode.h:609
threads.h
HostRelease
void HostRelease(Host *h)
Definition: host.c:461
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1450
UTHSetIPv4Address
uint32_t UTHSetIPv4Address(const char *str)
return the uint32_t for a ipv4 address string
Definition: util-unittest-helper.c:148
ctx
struct Thresholds ctx
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:932
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2641
flow-bit.h
DetectEngineCtx_::srep_version
uint32_t srep_version
Definition: detect.h:945
DE_QUIET
#define DE_QUIET
Definition: detect.h:330
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:365
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:2420
SCFmemopen
#define SCFmemopen
Definition: util-fmemopen.h:52
Packet_::host_dst
struct Host_ * host_dst
Definition: decode.h:623
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:3437
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1441
Packet_::alerts
PacketAlerts alerts
Definition: decode.h:620
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
decode.h
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
detect-iprep.h
DetectEngineThreadCtx_
Definition: detect.h:1244
DetectEngineCtx_::srepCIDR_ctx
SRepCIDRTree * srepCIDR_ctx
Definition: detect.h:948
SRepLoadCatFileFromFD
int SRepLoadCatFileFromFD(FILE *fp)
Definition: reputation.c:357
PKT_HOST_SRC_LOOKED_UP
#define PKT_HOST_SRC_LOOKED_UP
Definition: decode.h:1286
detect-engine-mpm.h
SCSigMatchAppendSMToList
SigMatch * SCSigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:388
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3372
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:117
app-layer-parser.h
HostLock
void HostLock(Host *h)
Definition: host.c:467
Packet_
Definition: decode.h:501
detect-engine-build.h
HostReference
#define HostReference(dst_h_ptr, h)
Definition: host.h:117
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1421
reputation.h
SRepLoadFileFromFD
int SRepLoadFileFromFD(SRepCIDRTree *cidr_ctx, FILE *fp)
Definition: reputation.c:423
DetectIPRepFree
void DetectIPRepFree(DetectEngineCtx *, void *)
Definition: detect-iprep.c:284
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2204
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:351
Host_::iprep
void * iprep
Definition: host.h:69
DetectU8Match
int DetectU8Match(const uint8_t parg, const DetectUintData_u8 *du8)
Definition: detect-engine-uint.c:71
SRepCIDRGetIPRepSrc
int8_t SRepCIDRGetIPRepSrc(SRepCIDRTree *cidr_ctx, Packet *p, uint8_t cat, uint32_t version)
Definition: reputation.c:135
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
suricata-common.h
packet.h
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3608
util-spm.h
HOST_QUIET
#define HOST_QUIET
Definition: host.h:93
version
uint8_t version
Definition: decode-gre.h:1
HostShutdown
void HostShutdown(void)
shutdown the flow engine
Definition: host.c:296
SReputation_::version
uint32_t version
Definition: reputation.h:42
util-validate.h
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:267
SRepInit
int SRepInit(DetectEngineCtx *de_ctx)
init reputation
Definition: reputation.c:566
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:473
SRepCIDRGetIPRepDst
int8_t SRepCIDRGetIPRepDst(SRepCIDRTree *cidr_ctx, Packet *p, uint8_t cat, uint32_t version)
Definition: reputation.c:147
detect-parse.h
Signature_
Signature container.
Definition: detect.h:668
SRepResetVersion
void SRepResetVersion(void)
Definition: reputation.c:64
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2602
HostLookupHostFromHash
Host * HostLookupHostFromHash(Address *a)
look up a host in the hash
Definition: host.c:585
DetectEngineThreadCtx_::de_ctx
DetectEngineCtx * de_ctx
Definition: detect.h:1364
Packet_::dst
Address dst
Definition: decode.h:506
HostInitConfig
void HostInitConfig(bool quiet)
initialize the configuration
Definition: host.c:168
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:934
SC_ATOMIC_GET
#define SC_ATOMIC_GET(name)
Get the value from the atomic variable.
Definition: util-atomic.h:375
flow.h
DetectIPRepRegister
void DetectIPRepRegister(void)
Definition: detect-iprep.c:63
Host_
Definition: host.h:58
SIGMATCH_IPONLY_COMPAT
#define SIGMATCH_IPONLY_COMPAT
Definition: detect.h:1653
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
Packet_::src
Address src
Definition: decode.h:505
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1448
DETECT_IPREP
@ DETECT_IPREP
Definition: detect-engine-register.h:244