suricata
detect-iprep.c
Go to the documentation of this file.
1 /* Copyright (C) 2012-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Implements the iprep keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 #include "detect.h"
29 #include "threads.h"
30 #include "flow.h"
31 #include "flow-bit.h"
32 #include "flow-util.h"
33 #include "detect-iprep.h"
34 #include "util-spm.h"
35 
36 #include "app-layer-parser.h"
37 
38 #include "detect-parse.h"
39 #include "detect-engine.h"
40 #include "detect-engine-mpm.h"
41 #include "detect-engine-state.h"
42 #include "detect-engine-uint.h"
43 #include "detect-engine-build.h"
44 
45 #include "util-debug.h"
46 #include "util-byte.h"
47 #include "util-unittest.h"
48 #include "util-unittest-helper.h"
49 #include "util-fmemopen.h"
50 #include "util-validate.h"
51 
52 #include "reputation.h"
53 #include "host.h"
54 
55 static int DetectIPRepMatch (DetectEngineThreadCtx *, Packet *,
56  const Signature *, const SigMatchCtx *);
57 static int DetectIPRepSetup (DetectEngineCtx *, Signature *, const char *);
58 void DetectIPRepFree (DetectEngineCtx *, void *);
59 #ifdef UNITTESTS
60 static void IPRepRegisterTests(void);
61 #endif
62 
64 {
65  sigmatch_table[DETECT_IPREP].name = "iprep";
66  sigmatch_table[DETECT_IPREP].desc = "match on the IP reputation information for a host";
67  sigmatch_table[DETECT_IPREP].url = "/rules/ip-reputation-rules.html#iprep";
68  sigmatch_table[DETECT_IPREP].Match = DetectIPRepMatch;
69  sigmatch_table[DETECT_IPREP].Setup = DetectIPRepSetup;
71 #ifdef UNITTESTS
72  sigmatch_table[DETECT_IPREP].RegisterTests = IPRepRegisterTests;
73 #endif
74  /* this is compatible to ip-only signatures */
76 }
77 
78 static inline uint8_t GetRep(const SReputation *r, const uint8_t cat, const uint32_t version)
79 {
80  /* allow higher versions as this happens during
81  * rule reload */
82  if (r != NULL && r->version >= version) {
83  return r->rep[cat];
84  }
85  return 0;
86 }
87 
88 static uint8_t GetHostRepSrc(Packet *p, uint8_t cat, uint32_t version)
89 {
90  if (p->flags & PKT_HOST_SRC_LOOKED_UP && p->host_src == NULL) {
91  return 0;
92  } else if (p->host_src != NULL) {
93  Host *h = (Host *)p->host_src;
94  HostLock(h);
95  /* use_cnt: 1 for having iprep, 1 for packet ref */
96  DEBUG_VALIDATE_BUG_ON(h->iprep != NULL && SC_ATOMIC_GET(h->use_cnt) < 2);
97  uint8_t val = GetRep(h->iprep, cat, version);
98  HostUnlock(h);
99  return val;
100  } else {
101  Host *h = HostLookupHostFromHash(&(p->src));
103  if (h == NULL)
104  return 0;
105  HostReference(&p->host_src, h);
106  /* use_cnt: 1 for having iprep, 1 for HostLookupHostFromHash,
107  * 1 for HostReference to packet */
108  DEBUG_VALIDATE_BUG_ON(h->iprep != NULL && SC_ATOMIC_GET(h->use_cnt) < 3);
109  uint8_t val = GetRep(h->iprep, cat, version);
110  HostRelease(h); /* use_cnt >= 2: 1 for iprep, 1 for packet ref */
111  return val;
112  }
113 }
114 
115 static uint8_t GetHostRepDst(Packet *p, uint8_t cat, uint32_t version)
116 {
117  if (p->flags & PKT_HOST_DST_LOOKED_UP && p->host_dst == NULL) {
118  return 0;
119  } else if (p->host_dst != NULL) {
120  Host *h = (Host *)p->host_dst;
121  HostLock(h);
122  /* use_cnt: 1 for having iprep, 1 for packet ref */
123  DEBUG_VALIDATE_BUG_ON(h->iprep != NULL && SC_ATOMIC_GET(h->use_cnt) < 2);
124  uint8_t val = GetRep(h->iprep, cat, version);
125  HostUnlock(h);
126  return val;
127  } else {
128  Host *h = HostLookupHostFromHash(&(p->dst));
130  if (h == NULL)
131  return 0;
132  HostReference(&p->host_dst, h);
133  /* use_cnt: 1 for having iprep, 1 for HostLookupHostFromHash,
134  * 1 for HostReference to packet */
135  DEBUG_VALIDATE_BUG_ON(h->iprep != NULL && SC_ATOMIC_GET(h->use_cnt) < 3);
136  uint8_t val = GetRep(h->iprep, cat, version);
137  HostRelease(h); /* use_cnt >= 2: 1 for iprep, 1 for packet ref */
138  return val;
139  }
140 }
141 
142 /*
143  * returns 0: no match
144  * 1: match
145  * -1: error
146  */
147 static int DetectIPRepMatch (DetectEngineThreadCtx *det_ctx, Packet *p,
148  const Signature *s, const SigMatchCtx *ctx)
149 {
150  const DetectIPRepData *rd = (const DetectIPRepData *)ctx;
151  if (rd == NULL)
152  return 0;
153 
154  uint32_t version = det_ctx->de_ctx->srep_version;
155  uint8_t val = 0;
156 
157  SCLogDebug("rd->cmd %u", rd->cmd);
158  switch(rd->cmd) {
159  case IPRepCmdAny:
160  val = GetHostRepSrc(p, rd->cat, version);
161  if (val == 0)
162  val = SRepCIDRGetIPRepSrc(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
163  if (val > 0) {
164  if (DetectU8Match(val, &rd->du8))
165  return 1;
166  }
167  val = GetHostRepDst(p, rd->cat, version);
168  if (val == 0)
169  val = SRepCIDRGetIPRepDst(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
170  if (val > 0) {
171  return DetectU8Match(val, &rd->du8);
172  }
173  break;
174 
175  case IPRepCmdSrc:
176  val = GetHostRepSrc(p, rd->cat, version);
177  SCLogDebug("checking src -- val %u (looking for cat %u, val %u)", val, rd->cat,
178  rd->du8.arg1);
179  if (val == 0)
180  val = SRepCIDRGetIPRepSrc(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
181  if (val > 0) {
182  return DetectU8Match(val, &rd->du8);
183  }
184  break;
185 
186  case IPRepCmdDst:
187  SCLogDebug("checking dst");
188  val = GetHostRepDst(p, rd->cat, version);
189  if (val == 0)
190  val = SRepCIDRGetIPRepDst(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
191  if (val > 0) {
192  return DetectU8Match(val, &rd->du8);
193  }
194  break;
195 
196  case IPRepCmdBoth:
197  val = GetHostRepSrc(p, rd->cat, version);
198  if (val == 0)
199  val = SRepCIDRGetIPRepSrc(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
200  if (val == 0 || DetectU8Match(val, &rd->du8) == 0)
201  return 0;
202  val = GetHostRepDst(p, rd->cat, version);
203  if (val == 0)
204  val = SRepCIDRGetIPRepDst(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
205  if (val > 0) {
206  return DetectU8Match(val, &rd->du8);
207  }
208  break;
209  }
210 
211  return 0;
212 }
213 
214 int DetectIPRepSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
215 {
216  SigMatch *sm = NULL;
217 
218  DetectIPRepData *cd = rs_detect_iprep_parse(rawstr);
219  if (cd == NULL) {
220  SCLogError(SC_ERR_UNKNOWN_VALUE, "\"%s\" is not a valid setting for iprep", rawstr);
221  goto error;
222  }
223 
224  SCLogDebug("cmd %u, cat %u, op %u, val %u", cd->cmd, cd->cat, cd->du8.mode, cd->du8.arg1);
225 
226  /* Okay so far so good, lets get this into a SigMatch
227  * and put it in the Signature. */
228  sm = SigMatchAlloc();
229  if (sm == NULL)
230  goto error;
231 
232  sm->type = DETECT_IPREP;
233  sm->ctx = (SigMatchCtx *)cd;
234 
236 
237  return 0;
238 
239 error:
240  if (cd != NULL)
241  DetectIPRepFree(de_ctx, cd);
242  if (sm != NULL)
243  SCFree(sm);
244  return -1;
245 }
246 
248 {
249  DetectIPRepData *fd = (DetectIPRepData *)ptr;
250 
251  if (fd == NULL)
252  return;
253 
254  rs_detect_iprep_free(fd);
255 }
256 
257 #ifdef UNITTESTS
258 #include "packet.h"
259 #include "action-globals.h"
260 
261 static FILE *DetectIPRepGenerateCategoriesDummy(void)
262 {
263  FILE *fd = NULL;
264  const char *buffer = "1,BadHosts,Know bad hosts";
265 
266  fd = SCFmemopen((void *)buffer, strlen(buffer), "r");
267  if (fd == NULL)
268  SCLogDebug("Error with SCFmemopen()");
269 
270  return fd;
271 }
272 
273 static FILE *DetectIPRepGenerateCategoriesDummy2(void)
274 {
275  FILE *fd = NULL;
276  const char *buffer =
277  "1,BadHosts,Know bad hosts\n"
278  "2,GoodHosts,Know good hosts\n";
279 
280  fd = SCFmemopen((void *)buffer, strlen(buffer), "r");
281  if (fd == NULL)
282  SCLogDebug("Error with SCFmemopen()");
283 
284  return fd;
285 }
286 
287 static FILE *DetectIPRepGenerateNetworksDummy(void)
288 {
289  FILE *fd = NULL;
290  const char *buffer = "10.0.0.0/24,1,20";
291 
292  fd = SCFmemopen((void *)buffer, strlen(buffer), "r");
293  if (fd == NULL)
294  SCLogDebug("Error with SCFmemopen()");
295 
296  return fd;
297 }
298 
299 static FILE *DetectIPRepGenerateNetworksDummy2(void)
300 {
301  FILE *fd = NULL;
302  const char *buffer =
303  "0.0.0.0/0,1,10\n"
304  "192.168.0.0/16,2,127";
305 
306  fd = SCFmemopen((void *)buffer, strlen(buffer), "r");
307  if (fd == NULL)
308  SCLogDebug("Error with SCFmemopen()");
309 
310  return fd;
311 }
312 
313 static int DetectIPRepTest01(void)
314 {
315  ThreadVars th_v;
316  DetectEngineThreadCtx *det_ctx = NULL;
317  Signature *sig = NULL;
318  FILE *fd = NULL;
319  int r = 0;
320  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
322 
324  memset(&th_v, 0, sizeof(th_v));
325 
327  FAIL_IF_NULL(p);
328 
329  p->src.addr_data32[0] = UTHSetIPv4Address("10.0.0.1");
330  de_ctx->flags |= DE_QUIET;
331 
332  SRepInit(de_ctx);
334 
335  fd = DetectIPRepGenerateCategoriesDummy();
336  r = SRepLoadCatFileFromFD(fd);
337  FAIL_IF(r < 0);
338 
339  fd = DetectIPRepGenerateNetworksDummy();
341  FAIL_IF(r < 0);
342 
343  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value "
344  "badhost\"; iprep:any,BadHosts,>,1; sid:1;rev:1;)");
345  FAIL_IF_NULL(sig);
346 
348  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
349 
350  p->alerts.cnt = 0;
351  p->action = 0;
352  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
353 
354  FAIL_IF(p->alerts.cnt != 1);
355  FAIL_IF(PacketTestAction(p, ACTION_DROP));
356 
357  UTHFreePacket(p);
358 
359  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
361 
362  HostShutdown();
363  PASS;
364 }
365 
366 static int DetectIPRepTest02(void)
367 {
368  ThreadVars th_v;
369  DetectEngineThreadCtx *det_ctx = NULL;
370  Signature *sig = NULL;
371  FILE *fd = NULL;
372  int r = 0;
373  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
375 
377  memset(&th_v, 0, sizeof(th_v));
378 
380  FAIL_IF_NULL(p);
381 
382  p->src.addr_data32[0] = UTHSetIPv4Address("10.0.0.1");
383  de_ctx->flags |= DE_QUIET;
384 
385  SRepInit(de_ctx);
387 
388  fd = DetectIPRepGenerateCategoriesDummy();
389  r = SRepLoadCatFileFromFD(fd);
390  FAIL_IF(r < 0);
391 
392  fd = DetectIPRepGenerateNetworksDummy();
394  FAIL_IF(r < 0);
395 
396  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value "
397  "badhost\"; iprep:src,BadHosts,>,1; sid:1; rev:1;)");
398  FAIL_IF_NULL(sig);
399 
401  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
402 
403  p->alerts.cnt = 0;
404  p->action = 0;
405  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
406  FAIL_IF(p->alerts.cnt != 1);
407  FAIL_IF(PacketTestAction(p, ACTION_DROP));
408 
409  UTHFreePacket(p);
410 
411  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
413 
414  HostShutdown();
415  PASS;
416 }
417 
418 static int DetectIPRepTest03(void)
419 {
420  ThreadVars th_v;
421  DetectEngineThreadCtx *det_ctx = NULL;
422  Signature *sig = NULL;
423  FILE *fd = NULL;
424  int r = 0;
425  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
427 
429  memset(&th_v, 0, sizeof(th_v));
430 
432  FAIL_IF_NULL(p);
433 
434  p->dst.addr_data32[0] = UTHSetIPv4Address("10.0.0.2");
435  de_ctx->flags |= DE_QUIET;
436 
437  SRepInit(de_ctx);
439 
440  fd = DetectIPRepGenerateCategoriesDummy();
441  r = SRepLoadCatFileFromFD(fd);
442  FAIL_IF(r < 0);
443 
444  fd = DetectIPRepGenerateNetworksDummy();
446  FAIL_IF(r < 0);
447 
448  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value "
449  "badhost\"; iprep:dst,BadHosts,>,1; sid:1; rev:1;)");
450  FAIL_IF_NULL(sig);
451 
453  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
454 
455  p->alerts.cnt = 0;
456  p->action = 0;
457  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
458  FAIL_IF(p->alerts.cnt != 1);
459  FAIL_IF(PacketTestAction(p, ACTION_DROP));
460 
461  UTHFreePacket(p);
462 
463  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
465 
466  HostShutdown();
467  PASS;
468 }
469 
470 static int DetectIPRepTest04(void)
471 {
472  ThreadVars th_v;
473  DetectEngineThreadCtx *det_ctx = NULL;
474  Signature *sig = NULL;
475  FILE *fd = NULL;
476  int r = 0;
477  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
479 
481  memset(&th_v, 0, sizeof(th_v));
482 
484  FAIL_IF_NULL(p);
485 
486  p->src.addr_data32[0] = UTHSetIPv4Address("10.0.0.1");
487  p->dst.addr_data32[0] = UTHSetIPv4Address("10.0.0.2");
488  de_ctx->flags |= DE_QUIET;
489 
490  SRepInit(de_ctx);
492 
493  fd = DetectIPRepGenerateCategoriesDummy();
494  r = SRepLoadCatFileFromFD(fd);
495  FAIL_IF(r < 0);
496 
497  fd = DetectIPRepGenerateNetworksDummy();
499  FAIL_IF(r < 0);
500 
501  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value "
502  "badhost\"; iprep:both,BadHosts,>,1; sid:1; rev:1;)");
503  FAIL_IF_NULL(sig);
504 
506  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
507 
508  p->alerts.cnt = 0;
509  p->action = 0;
510  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
511  FAIL_IF(p->alerts.cnt != 1);
512  FAIL_IF(PacketTestAction(p, ACTION_DROP));
513 
514  UTHFreePacket(p);
515 
516  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
518 
519  HostShutdown();
520  PASS;
521 }
522 
523 static int DetectIPRepTest05(void)
524 {
525  ThreadVars th_v;
526  DetectEngineThreadCtx *det_ctx = NULL;
527  Signature *sig = NULL;
528  FILE *fd = NULL;
529  int r = 0;
530  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
532 
534  memset(&th_v, 0, sizeof(th_v));
535 
537  FAIL_IF_NULL(p);
538 
539  p->src.addr_data32[0] = UTHSetIPv4Address("1.0.0.1");
540  de_ctx->flags |= DE_QUIET;
541 
542  SRepInit(de_ctx);
544 
545  fd = DetectIPRepGenerateCategoriesDummy();
546  r = SRepLoadCatFileFromFD(fd);
547  FAIL_IF(r < 0);
548 
549  fd = DetectIPRepGenerateNetworksDummy();
551  FAIL_IF(r < 0);
552 
553  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value "
554  "badhost\"; iprep:any,BadHosts,>,1; sid:1; rev:1;)");
555  FAIL_IF_NULL(sig);
556 
558  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
559 
560  p->alerts.cnt = 0;
561  p->action = 0;
562  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
563  FAIL_IF(p->alerts.cnt != 0);
564  FAIL_IF(PacketTestAction(p, ACTION_DROP));
565 
566  UTHFreePacket(p);
567 
568  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
570 
571  HostShutdown();
572  PASS;
573 }
574 
575 static int DetectIPRepTest06(void)
576 {
577  ThreadVars th_v;
578  DetectEngineThreadCtx *det_ctx = NULL;
579  Signature *sig = NULL;
580  FILE *fd = NULL;
581  int r = 0;
582  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
584 
586  memset(&th_v, 0, sizeof(th_v));
587 
589  FAIL_IF_NULL(p);
590 
591  p->src.addr_data32[0] = UTHSetIPv4Address("1.0.0.1");
592  de_ctx->flags |= DE_QUIET;
593 
594  SRepInit(de_ctx);
596 
597  fd = DetectIPRepGenerateCategoriesDummy();
598  r = SRepLoadCatFileFromFD(fd);
599  FAIL_IF(r < 0);
600 
601  fd = DetectIPRepGenerateNetworksDummy2();
603  FAIL_IF(r < 0);
604 
605  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value "
606  "badhost\"; iprep:any,BadHosts,>,1; sid:1; rev:1;)");
607  FAIL_IF_NULL(sig);
608 
610  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
611 
612  p->alerts.cnt = 0;
613  p->action = 0;
614  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
615  FAIL_IF(p->alerts.cnt != 1);
616  FAIL_IF(PacketTestAction(p, ACTION_DROP));
617 
618  UTHFreePacket(p);
619 
620  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
622 
623  HostShutdown();
624  PASS;
625 }
626 
627 static int DetectIPRepTest07(void)
628 {
629  ThreadVars th_v;
630  DetectEngineThreadCtx *det_ctx = NULL;
631  Signature *sig = NULL;
632  FILE *fd = NULL;
633  int r = 0;
634  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
636 
638  memset(&th_v, 0, sizeof(th_v));
639 
641  FAIL_IF_NULL(p);
642 
643  p->dst.addr_data32[0] = UTHSetIPv4Address("1.0.0.2");
644  de_ctx->flags |= DE_QUIET;
645 
646  SRepInit(de_ctx);
648 
649  fd = DetectIPRepGenerateCategoriesDummy();
650  r = SRepLoadCatFileFromFD(fd);
651  FAIL_IF(r < 0);
652 
653  fd = DetectIPRepGenerateNetworksDummy2();
655  FAIL_IF(r < 0);
656 
657  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value "
658  "badhost\"; iprep:any,BadHosts,>,1; sid:1; rev:1;)");
659  FAIL_IF_NULL(sig);
660 
662  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
663 
664  p->alerts.cnt = 0;
665  p->action = 0;
666  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
667  FAIL_IF(p->alerts.cnt != 1);
668  FAIL_IF(PacketTestAction(p, ACTION_DROP));
669 
670  UTHFreePacket(p);
671 
672  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
674 
675  HostShutdown();
676  PASS;
677 }
678 
679 static int DetectIPRepTest08(void)
680 {
681  ThreadVars th_v;
682  DetectEngineThreadCtx *det_ctx = NULL;
683  Signature *sig = NULL;
684  FILE *fd = NULL;
685  int r = 0;
686  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
688 
690  memset(&th_v, 0, sizeof(th_v));
691 
693  FAIL_IF_NULL(p);
694 
695  p->src.addr_data32[0] = UTHSetIPv4Address("1.0.0.1");
696  p->dst.addr_data32[0] = UTHSetIPv4Address("1.0.0.2");
697  de_ctx->flags |= DE_QUIET;
698 
699  SRepInit(de_ctx);
701 
702  fd = DetectIPRepGenerateCategoriesDummy();
703  r = SRepLoadCatFileFromFD(fd);
704  FAIL_IF(r < 0);
705 
706  fd = DetectIPRepGenerateNetworksDummy();
708  FAIL_IF(r < 0);
709 
710  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value "
711  "badhost\"; iprep:any,BadHosts,>,1; sid:1; rev:1;)");
712  FAIL_IF_NULL(sig);
713 
715  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
716 
717  p->alerts.cnt = 0;
718  p->action = 0;
719  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
720  FAIL_IF(p->alerts.cnt != 0);
721  FAIL_IF(PacketTestAction(p, ACTION_DROP));
722 
723  UTHFreePacket(p);
724 
725  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
727 
728  HostShutdown();
729  PASS;
730 }
731 
732 static int DetectIPRepTest09(void)
733 {
734  ThreadVars th_v;
735  DetectEngineThreadCtx *det_ctx = NULL;
736  Signature *sig = NULL;
737  FILE *fd = NULL;
738  int r = 0;
739  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
741 
743  memset(&th_v, 0, sizeof(th_v));
744 
746  FAIL_IF_NULL(p);
747 
748  p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1");
749  p->dst.addr_data32[0] = UTHSetIPv4Address("192.168.0.2");
750  de_ctx->flags |= DE_QUIET;
751 
752  SRepInit(de_ctx);
754 
755  fd = DetectIPRepGenerateCategoriesDummy2();
756  r = SRepLoadCatFileFromFD(fd);
757  FAIL_IF(r < 0);
758 
759  fd = DetectIPRepGenerateNetworksDummy2();
761  FAIL_IF(r < 0);
762 
764  "alert tcp any any -> any any (msg:\"test\"; iprep:src,BadHosts,>,9; sid:1; rev:1;)");
765  FAIL_IF_NULL(sig);
766 
768  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
769 
770  p->alerts.cnt = 0;
771  p->action = 0;
772  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
773  FAIL_IF(p->alerts.cnt != 1);
774  FAIL_IF(PacketTestAction(p, ACTION_DROP));
775 
776  UTHFreePacket(p);
777 
778  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
780 
781  HostShutdown();
782  PASS;
783 }
784 
785 /**
786  * \brief this function registers unit tests for IPRep
787  */
788 void IPRepRegisterTests(void)
789 {
790  UtRegisterTest("DetectIPRepTest01", DetectIPRepTest01);
791  UtRegisterTest("DetectIPRepTest02", DetectIPRepTest02);
792  UtRegisterTest("DetectIPRepTest03", DetectIPRepTest03);
793  UtRegisterTest("DetectIPRepTest04", DetectIPRepTest04);
794  UtRegisterTest("DetectIPRepTest05", DetectIPRepTest05);
795  UtRegisterTest("DetectIPRepTest06", DetectIPRepTest06);
796  UtRegisterTest("DetectIPRepTest07", DetectIPRepTest07);
797  UtRegisterTest("DetectIPRepTest08", DetectIPRepTest08);
798  UtRegisterTest("DetectIPRepTest09", DetectIPRepTest09);
799 }
800 #endif /* UNITTESTS */
util-byte.h
detect-engine-uint.h
host.h
SigTableElmt_::url
const char * url
Definition: detect.h:1238
HostUnlock
void HostUnlock(Host *h)
Definition: host.c:488
SReputation_
Definition: reputation.h:40
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
PKT_HOST_DST_LOOKED_UP
#define PKT_HOST_DST_LOOKED_UP
Definition: decode.h:1017
SigTableElmt_::desc
const char * desc
Definition: detect.h:1237
util-fmemopen.h
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1225
SReputation_::rep
uint8_t rep[SREP_MAX_CATS]
Definition: reputation.h:42
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1235
Packet_::host_src
struct Host_ * host_src
Definition: decode.h:584
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:296
PacketAlerts_::cnt
uint16_t cnt
Definition: decode.h:286
action-globals.h
Packet_::flags
uint32_t flags
Definition: decode.h:460
Packet_::action
uint8_t action
Definition: decode.h:571
threads.h
HostRelease
void HostRelease(Host *h)
Definition: host.c:477
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1229
UTHSetIPv4Address
uint32_t UTHSetIPv4Address(const char *str)
return the uint32_t for a ipv4 address string
Definition: util-unittest-helper.c:134
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:784
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2445
flow-bit.h
DetectEngineCtx_::srep_version
uint32_t srep_version
Definition: detect.h:794
DE_QUIET
#define DE_QUIET
Definition: detect.h:287
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:339
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1788
SCFmemopen
#define SCFmemopen
Definition: util-fmemopen.h:52
Packet_::host_dst
struct Host_ * host_dst
Definition: decode.h:585
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1220
Packet_::alerts
PacketAlerts alerts
Definition: decode.h:582
util-unittest.h
util-unittest-helper.h
decode.h
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
detect-iprep.h
DetectEngineThreadCtx_
Definition: detect.h:1024
DetectEngineCtx_::srepCIDR_ctx
SRepCIDRTree * srepCIDR_ctx
Definition: detect.h:797
SC_ERR_UNKNOWN_VALUE
@ SC_ERR_UNKNOWN_VALUE
Definition: util-error.h:159
SRepLoadCatFileFromFD
int SRepLoadCatFileFromFD(FILE *fp)
Definition: reputation.c:369
PKT_HOST_SRC_LOOKED_UP
#define PKT_HOST_SRC_LOOKED_UP
Definition: decode.h:1016
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:78
app-layer-parser.h
HostLock
void HostLock(Host *h)
Definition: host.c:483
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:316
Packet_
Definition: decode.h:425
detect-engine-build.h
HostReference
#define HostReference(dst_h_ptr, h)
Definition: host.h:117
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1203
reputation.h
SRepLoadFileFromFD
int SRepLoadFileFromFD(SRepCIDRTree *cidr_ctx, FILE *fp)
Definition: reputation.c:436
DetectIPRepFree
void DetectIPRepFree(DetectEngineCtx *, void *)
Definition: detect-iprep.c:247
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:238
SRepCIDRGetIPRepDst
uint8_t SRepCIDRGetIPRepDst(SRepCIDRTree *cidr_ctx, Packet *p, uint8_t cat, uint32_t version)
Definition: reputation.c:159
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1954
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:308
Host_::iprep
void * iprep
Definition: host.h:69
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2434
DetectU8Match
int DetectU8Match(const uint8_t parg, const DetectUintData_u8 *du8)
Definition: detect-engine-uint.c:71
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3154
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3368
SigMatch_::type
uint16_t type
Definition: detect.h:314
packet.h
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:76
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
util-spm.h
HOST_QUIET
#define HOST_QUIET
Definition: host.h:93
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:255
version
uint8_t version
Definition: decode-gre.h:1
HostShutdown
void HostShutdown(void)
shutdown the flow engine
Definition: host.c:306
SReputation_::version
uint32_t version
Definition: reputation.h:41
util-validate.h
SRepInit
int SRepInit(DetectEngineCtx *de_ctx)
init reputation
Definition: reputation.c:581
SCFree
#define SCFree(p)
Definition: util-mem.h:61
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:487
detect-parse.h
Signature_
Signature container.
Definition: detect.h:539
SigMatch_
a single match condition for a signature
Definition: detect.h:313
SRepResetVersion
void SRepResetVersion(void)
Definition: reputation.c:62
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2406
HostLookupHostFromHash
Host * HostLookupHostFromHash(Address *a)
look up a host in the hash
Definition: host.c:601
DetectEngineThreadCtx_::de_ctx
DetectEngineCtx * de_ctx
Definition: detect.h:1156
Packet_::dst
Address dst
Definition: decode.h:430
HostInitConfig
void HostInitConfig(bool quiet)
initialize the configuration
Definition: host.c:175
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:785
SC_ATOMIC_GET
#define SC_ATOMIC_GET(name)
Get the value from the atomic variable.
Definition: util-atomic.h:376
flow.h
DetectIPRepRegister
void DetectIPRepRegister(void)
Definition: detect-iprep.c:63
Host_
Definition: host.h:58
SIGMATCH_IPONLY_COMPAT
#define SIGMATCH_IPONLY_COMPAT
Definition: detect.h:1423
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:111
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:352
SRepCIDRGetIPRepSrc
uint8_t SRepCIDRGetIPRepSrc(SRepCIDRTree *cidr_ctx, Packet *p, uint8_t cat, uint32_t version)
Definition: reputation.c:147
Packet_::src
Address src
Definition: decode.h:429
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1227
DETECT_IPREP
@ DETECT_IPREP
Definition: detect-engine-register.h:221