suricata
detect-iprep.c
Go to the documentation of this file.
1 /* Copyright (C) 2012-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Implements the iprep keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 #include "detect.h"
29 #include "threads.h"
30 #include "flow.h"
31 #include "flow-bit.h"
32 #include "flow-util.h"
33 #include "detect-iprep.h"
34 #include "util-spm.h"
35 
36 #include "app-layer-parser.h"
37 
38 #include "detect-parse.h"
39 #include "detect-engine.h"
40 #include "detect-engine-mpm.h"
41 #include "detect-engine-state.h"
42 
43 #include "util-debug.h"
44 #include "util-byte.h"
45 #include "util-unittest.h"
46 #include "util-unittest-helper.h"
47 #include "util-fmemopen.h"
48 
49 #include "reputation.h"
50 #include "host.h"
51 
52 #define PARSE_REGEX "\\s*(any|src|dst|both)\\s*,\\s*([A-Za-z0-9\\-\\_]+)\\s*,\\s*(\\<|\\>|\\=)\\s*,\\s*([0-9]+)\\s*"
53 static DetectParseRegex parse_regex;
54 
55 static int DetectIPRepMatch (DetectEngineThreadCtx *, Packet *,
56  const Signature *, const SigMatchCtx *);
57 static int DetectIPRepSetup (DetectEngineCtx *, Signature *, const char *);
58 void DetectIPRepFree (DetectEngineCtx *, void *);
59 #ifdef UNITTESTS
60 static void IPRepRegisterTests(void);
61 #endif
62 
64 {
65  sigmatch_table[DETECT_IPREP].name = "iprep";
66  sigmatch_table[DETECT_IPREP].desc = "match on the IP reputation information for a host";
67  sigmatch_table[DETECT_IPREP].url = "/rules/ip-reputation-rules.html#iprep";
68  sigmatch_table[DETECT_IPREP].Match = DetectIPRepMatch;
69  sigmatch_table[DETECT_IPREP].Setup = DetectIPRepSetup;
71 #ifdef UNITTESTS
72  sigmatch_table[DETECT_IPREP].RegisterTests = IPRepRegisterTests;
73 #endif
74  /* this is compatible to ip-only signatures */
76 
77  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
78 }
79 
80 static uint8_t GetHostRepSrc(Packet *p, uint8_t cat, uint32_t version)
81 {
82  uint8_t val = 0;
83  Host *h = NULL;
84 
85  if (p->flags & PKT_HOST_SRC_LOOKED_UP && p->host_src == NULL) {
86  return 0;
87  } else if (p->host_src != NULL) {
88  h = (Host *)p->host_src;
89  HostLock(h);
90  } else {
91  h = HostLookupHostFromHash(&(p->src));
92 
94 
95  if (h == NULL)
96  return 0;
97 
98  HostReference(&p->host_src, h);
99  }
100 
101  if (h->iprep == NULL) {
102  HostRelease(h);
103  return 0;
104  }
105 
106  SReputation *r = (SReputation *)h->iprep;
107 
108  /* allow higher versions as this happens during
109  * rule reload */
110  if (r->version >= version)
111  val = r->rep[cat];
112  else
113  SCLogDebug("version mismatch %u != %u", r->version, version);
114 
115  HostRelease(h);
116  return val;
117 }
118 
119 static uint8_t GetHostRepDst(Packet *p, uint8_t cat, uint32_t version)
120 {
121  uint8_t val = 0;
122  Host *h = NULL;
123 
124  if (p->flags & PKT_HOST_DST_LOOKED_UP && p->host_dst == NULL) {
125  return 0;
126  } else if (p->host_dst != NULL) {
127  h = (Host *)p->host_dst;
128  HostLock(h);
129  } else {
130  h = HostLookupHostFromHash(&(p->dst));
131 
133 
134  if (h == NULL) {
135  return 0;
136  }
137 
138  HostReference(&p->host_dst, h);
139  }
140 
141  if (h->iprep == NULL) {
142  HostRelease(h);
143  return 0;
144  }
145 
146  SReputation *r = (SReputation *)h->iprep;
147 
148  /* allow higher versions as this happens during
149  * rule reload */
150  if (r->version >= version)
151  val = r->rep[cat];
152  else
153  SCLogDebug("version mismatch %u != %u", r->version, version);
154 
155  HostRelease(h);
156  return val;
157 }
158 
159 static inline int RepMatch(uint8_t op, uint8_t val1, uint8_t val2)
160 {
161  if (op == DETECT_IPREP_OP_GT && val1 > val2) {
162  return 1;
163  } else if (op == DETECT_IPREP_OP_LT && val1 < val2) {
164  return 1;
165  } else if (op == DETECT_IPREP_OP_EQ && val1 == val2) {
166  return 1;
167  }
168  return 0;
169 }
170 
171 /*
172  * returns 0: no match
173  * 1: match
174  * -1: error
175  */
176 static int DetectIPRepMatch (DetectEngineThreadCtx *det_ctx, Packet *p,
177  const Signature *s, const SigMatchCtx *ctx)
178 {
179  const DetectIPRepData *rd = (const DetectIPRepData *)ctx;
180  if (rd == NULL)
181  return 0;
182 
183  uint32_t version = det_ctx->de_ctx->srep_version;
184  uint8_t val = 0;
185 
186  SCLogDebug("rd->cmd %u", rd->cmd);
187  switch(rd->cmd) {
189  val = GetHostRepSrc(p, rd->cat, version);
190  if (val == 0)
191  val = SRepCIDRGetIPRepSrc(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
192  if (val > 0) {
193  if (RepMatch(rd->op, val, rd->val) == 1)
194  return 1;
195  }
196  val = GetHostRepDst(p, rd->cat, version);
197  if (val == 0)
198  val = SRepCIDRGetIPRepDst(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
199  if (val > 0) {
200  return RepMatch(rd->op, val, rd->val);
201  }
202  break;
203 
205  val = GetHostRepSrc(p, rd->cat, version);
206  SCLogDebug("checking src -- val %u (looking for cat %u, val %u)", val, rd->cat, rd->val);
207  if (val == 0)
208  val = SRepCIDRGetIPRepSrc(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
209  if (val > 0) {
210  return RepMatch(rd->op, val, rd->val);
211  }
212  break;
213 
215  SCLogDebug("checking dst");
216  val = GetHostRepDst(p, rd->cat, version);
217  if (val == 0)
218  val = SRepCIDRGetIPRepDst(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
219  if (val > 0) {
220  return RepMatch(rd->op, val, rd->val);
221  }
222  break;
223 
225  val = GetHostRepSrc(p, rd->cat, version);
226  if (val == 0)
227  val = SRepCIDRGetIPRepSrc(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
228  if (val == 0 || RepMatch(rd->op, val, rd->val) == 0)
229  return 0;
230  val = GetHostRepDst(p, rd->cat, version);
231  if (val == 0)
232  val = SRepCIDRGetIPRepDst(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
233  if (val > 0) {
234  return RepMatch(rd->op, val, rd->val);
235  }
236  break;
237  }
238 
239  return 0;
240 }
241 
242 int DetectIPRepSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
243 {
244  DetectIPRepData *cd = NULL;
245  SigMatch *sm = NULL;
246  char *cmd_str = NULL, *name = NULL, *op_str = NULL, *value = NULL;
247  uint8_t cmd = 0;
248  int ret = 0, res = 0;
249  int ov[MAX_SUBSTRINGS];
250 
251  ret = DetectParsePcreExec(&parse_regex, rawstr, 0, 0, ov, MAX_SUBSTRINGS);
252  if (ret != 5) {
253  SCLogError(SC_ERR_PCRE_MATCH, "\"%s\" is not a valid setting for iprep", rawstr);
254  return -1;
255  }
256 
257  const char *str_ptr;
258  res = pcre_get_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 1, &str_ptr);
259  if (res < 0) {
260  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
261  return -1;
262  }
263  cmd_str = (char *)str_ptr;
264 
265  res = pcre_get_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 2, &str_ptr);
266  if (res < 0) {
267  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
268  goto error;
269  }
270  name = (char *)str_ptr;
271 
272  res = pcre_get_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 3, &str_ptr);
273  if (res < 0) {
274  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
275  goto error;
276  }
277  op_str = (char *)str_ptr;
278 
279  res = pcre_get_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 4, &str_ptr);
280  if (res < 0) {
281  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
282  goto error;
283  }
284  value = (char *)str_ptr;
285 
286  if (strcmp(cmd_str,"any") == 0) {
287  cmd = DETECT_IPREP_CMD_ANY;
288  } else if (strcmp(cmd_str,"both") == 0) {
289  cmd = DETECT_IPREP_CMD_BOTH;
290  } else if (strcmp(cmd_str,"src") == 0) {
291  cmd = DETECT_IPREP_CMD_SRC;
292  } else if (strcmp(cmd_str,"dst") == 0) {
293  cmd = DETECT_IPREP_CMD_DST;
294  } else {
295  SCLogError(SC_ERR_UNKNOWN_VALUE, "ERROR: iprep \"%s\" is not supported.", cmd_str);
296  goto error;
297  }
298 
299  //SCLogInfo("category %s", name);
300  uint8_t cat = SRepCatGetByShortname(name);
301  if (cat == 0) {
302  SCLogError(SC_ERR_UNKNOWN_VALUE, "unknown iprep category \"%s\"", name);
303  goto error;
304  }
305 
306  uint8_t op = 0;
307  uint8_t val = 0;
308 
309  if (op_str == NULL || strlen(op_str) != 1) {
310  goto error;
311  }
312 
313  switch(op_str[0]) {
314  case '<':
315  op = DETECT_IPREP_OP_LT;
316  break;
317  case '>':
318  op = DETECT_IPREP_OP_GT;
319  break;
320  case '=':
321  op = DETECT_IPREP_OP_EQ;
322  break;
323  default:
324  goto error;
325  break;
326  }
327 
328  if (value != NULL && strlen(value) > 0) {
329  if (StringParseU8RangeCheck(&val, 10, 0, (const char *)value, 0, 127) < 0)
330  goto error;
331  }
332 
333  cd = SCMalloc(sizeof(DetectIPRepData));
334  if (unlikely(cd == NULL))
335  goto error;
336 
337  cd->cmd = cmd;
338  cd->cat = cat;
339  cd->op = op;
340  cd->val = val;
341  SCLogDebug("cmd %u, cat %u, op %u, val %u", cd->cmd, cd->cat, cd->op, cd->val);
342 
343  pcre_free_substring(name);
344  name = NULL;
345  pcre_free_substring(cmd_str);
346  cmd_str = NULL;
347  pcre_free_substring(op_str);
348  op_str = NULL;
349  pcre_free_substring(value);
350  value = NULL;
351 
352  /* Okay so far so good, lets get this into a SigMatch
353  * and put it in the Signature. */
354  sm = SigMatchAlloc();
355  if (sm == NULL)
356  goto error;
357 
358  sm->type = DETECT_IPREP;
359  sm->ctx = (SigMatchCtx *)cd;
360 
362 
363  return 0;
364 
365 error:
366  if (name != NULL)
367  pcre_free_substring(name);
368  if (cmd_str != NULL)
369  pcre_free_substring(cmd_str);
370  if (op_str != NULL)
371  pcre_free_substring(op_str);
372  if (value != NULL)
373  pcre_free_substring(value);
374  if (cd != NULL)
375  SCFree(cd);
376  if (sm != NULL)
377  SCFree(sm);
378  return -1;
379 }
380 
382 {
383  DetectIPRepData *fd = (DetectIPRepData *)ptr;
384 
385  if (fd == NULL)
386  return;
387 
388  SCFree(fd);
389 }
390 
391 #ifdef UNITTESTS
392 static FILE *DetectIPRepGenerateCategoriesDummy(void)
393 {
394  FILE *fd = NULL;
395  const char *buffer = "1,BadHosts,Know bad hosts";
396 
397  fd = SCFmemopen((void *)buffer, strlen(buffer), "r");
398  if (fd == NULL)
399  SCLogDebug("Error with SCFmemopen()");
400 
401  return fd;
402 }
403 
404 static FILE *DetectIPRepGenerateCategoriesDummy2(void)
405 {
406  FILE *fd = NULL;
407  const char *buffer =
408  "1,BadHosts,Know bad hosts\n"
409  "2,GoodHosts,Know good hosts\n";
410 
411  fd = SCFmemopen((void *)buffer, strlen(buffer), "r");
412  if (fd == NULL)
413  SCLogDebug("Error with SCFmemopen()");
414 
415  return fd;
416 }
417 
418 static FILE *DetectIPRepGenerateNetworksDummy(void)
419 {
420  FILE *fd = NULL;
421  const char *buffer = "10.0.0.0/24,1,20";
422 
423  fd = SCFmemopen((void *)buffer, strlen(buffer), "r");
424  if (fd == NULL)
425  SCLogDebug("Error with SCFmemopen()");
426 
427  return fd;
428 }
429 
430 static FILE *DetectIPRepGenerateNetworksDummy2(void)
431 {
432  FILE *fd = NULL;
433  const char *buffer =
434  "0.0.0.0/0,1,10\n"
435  "192.168.0.0/16,2,127";
436 
437  fd = SCFmemopen((void *)buffer, strlen(buffer), "r");
438  if (fd == NULL)
439  SCLogDebug("Error with SCFmemopen()");
440 
441  return fd;
442 }
443 
444 static int DetectIPRepTest01(void)
445 {
446  ThreadVars th_v;
447  DetectEngineThreadCtx *det_ctx = NULL;
448  Signature *sig = NULL;
449  FILE *fd = NULL;
450  int result = 0, r = 0;
451  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
453 
455  memset(&th_v, 0, sizeof(th_v));
456 
457  if (de_ctx == NULL || p == NULL)
458  goto end;
459 
460  p->src.addr_data32[0] = UTHSetIPv4Address("10.0.0.1");
461  de_ctx->flags |= DE_QUIET;
462 
463  SRepInit(de_ctx);
465 
466  fd = DetectIPRepGenerateCategoriesDummy();
467  r = SRepLoadCatFileFromFD(fd);
468  if (r < 0) {
469  goto end;
470  }
471 
472  fd = DetectIPRepGenerateNetworksDummy();
474  if (r < 0) {
475  goto end;
476  }
477 
478  sig = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value badhost\"; iprep:any,BadHosts,>,1; sid:1;rev:1;)");
479  if (sig == NULL) {
480  goto end;
481  }
482 
484  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
485 
486  p->alerts.cnt = 0;
487  p->action = 0;
488  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
489  if (p->alerts.cnt != 1 || PACKET_TEST_ACTION(p, ACTION_DROP)) {
490  goto end;
491  }
492 
493  result = 1;
494 end:
495  UTHFreePacket(p);
498 
499  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
501 
502  HostShutdown();
503  return result;
504 }
505 
506 static int DetectIPRepTest02(void)
507 {
508  ThreadVars th_v;
509  DetectEngineThreadCtx *det_ctx = NULL;
510  Signature *sig = NULL;
511  FILE *fd = NULL;
512  int result = 0, r = 0;
513  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
515 
517  memset(&th_v, 0, sizeof(th_v));
518 
519  if (de_ctx == NULL || p == NULL)
520  goto end;
521 
522  p->src.addr_data32[0] = UTHSetIPv4Address("10.0.0.1");
523  de_ctx->flags |= DE_QUIET;
524 
525  SRepInit(de_ctx);
527 
528  fd = DetectIPRepGenerateCategoriesDummy();
529  r = SRepLoadCatFileFromFD(fd);
530  if (r < 0) {
531  goto end;
532  }
533 
534  fd = DetectIPRepGenerateNetworksDummy();
536  if (r < 0) {
537  goto end;
538  }
539 
540  sig = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value badhost\"; iprep:src,BadHosts,>,1; sid:1; rev:1;)");
541  if (sig == NULL) {
542  goto end;
543  }
544 
546  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
547 
548  p->alerts.cnt = 0;
549  p->action = 0;
550  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
551  if (p->alerts.cnt != 1 || PACKET_TEST_ACTION(p, ACTION_DROP)) {
552  goto end;
553  }
554 
555  result = 1;
556 end:
557  UTHFreePacket(p);
560 
561  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
563 
564  HostShutdown();
565  return result;
566 }
567 
568 static int DetectIPRepTest03(void)
569 {
570  ThreadVars th_v;
571  DetectEngineThreadCtx *det_ctx = NULL;
572  Signature *sig = NULL;
573  FILE *fd = NULL;
574  int result = 0, r = 0;
575  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
577 
579  memset(&th_v, 0, sizeof(th_v));
580 
581  if (de_ctx == NULL || p == NULL)
582  goto end;
583 
584  p->dst.addr_data32[0] = UTHSetIPv4Address("10.0.0.2");
585  de_ctx->flags |= DE_QUIET;
586 
587  SRepInit(de_ctx);
589 
590  fd = DetectIPRepGenerateCategoriesDummy();
591  r = SRepLoadCatFileFromFD(fd);
592  if (r < 0) {
593  goto end;
594  }
595 
596  fd = DetectIPRepGenerateNetworksDummy();
598  if (r < 0) {
599  goto end;
600  }
601 
602  sig = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value badhost\"; iprep:dst,BadHosts,>,1; sid:1; rev:1;)");
603  if (sig == NULL) {
604  goto end;
605  }
606 
608  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
609 
610  p->alerts.cnt = 0;
611  p->action = 0;
612  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
613  if (p->alerts.cnt != 1 || PACKET_TEST_ACTION(p, ACTION_DROP)) {
614  goto end;
615  }
616 
617  result = 1;
618 end:
619  UTHFreePacket(p);
622 
623  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
625 
626  HostShutdown();
627  return result;
628 }
629 
630 static int DetectIPRepTest04(void)
631 {
632  ThreadVars th_v;
633  DetectEngineThreadCtx *det_ctx = NULL;
634  Signature *sig = NULL;
635  FILE *fd = NULL;
636  int result = 0, r = 0;
637  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
639 
641  memset(&th_v, 0, sizeof(th_v));
642 
643  if (de_ctx == NULL || p == NULL)
644  goto end;
645 
646  p->src.addr_data32[0] = UTHSetIPv4Address("10.0.0.1");
647  p->dst.addr_data32[0] = UTHSetIPv4Address("10.0.0.2");
648  de_ctx->flags |= DE_QUIET;
649 
650  SRepInit(de_ctx);
652 
653  fd = DetectIPRepGenerateCategoriesDummy();
654  r = SRepLoadCatFileFromFD(fd);
655  if (r < 0) {
656  goto end;
657  }
658 
659  fd = DetectIPRepGenerateNetworksDummy();
661  if (r < 0) {
662  goto end;
663  }
664 
665  sig = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value badhost\"; iprep:both,BadHosts,>,1; sid:1; rev:1;)");
666  if (sig == NULL) {
667  goto end;
668  }
669 
671  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
672 
673  p->alerts.cnt = 0;
674  p->action = 0;
675  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
676  if (p->alerts.cnt != 1 || PACKET_TEST_ACTION(p, ACTION_DROP)) {
677  goto end;
678  }
679 
680  result = 1;
681 end:
682  UTHFreePacket(p);
685 
686  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
688 
689  HostShutdown();
690  return result;
691 }
692 
693 static int DetectIPRepTest05(void)
694 {
695  ThreadVars th_v;
696  DetectEngineThreadCtx *det_ctx = NULL;
697  Signature *sig = NULL;
698  FILE *fd = NULL;
699  int result = 0, r = 0;
700  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
702 
704  memset(&th_v, 0, sizeof(th_v));
705 
706  if (de_ctx == NULL || p == NULL)
707  goto end;
708 
709  p->src.addr_data32[0] = UTHSetIPv4Address("1.0.0.1");
710  de_ctx->flags |= DE_QUIET;
711 
712  SRepInit(de_ctx);
714 
715  fd = DetectIPRepGenerateCategoriesDummy();
716  r = SRepLoadCatFileFromFD(fd);
717  if (r < 0) {
718  goto end;
719  }
720 
721  fd = DetectIPRepGenerateNetworksDummy();
723  if (r < 0) {
724  goto end;
725  }
726 
727  sig = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value badhost\"; iprep:any,BadHosts,>,1; sid:1; rev:1;)");
728  if (sig == NULL) {
729  goto end;
730  }
731 
733  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
734 
735  p->alerts.cnt = 0;
736  p->action = 0;
737  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
738  if (p->alerts.cnt != 1 || PACKET_TEST_ACTION(p, ACTION_DROP)) {
739  goto end;
740  }
741 
742  result = 1;
743 end:
744  UTHFreePacket(p);
747 
748  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
750 
751  HostShutdown();
752  return result == 0;
753 }
754 
755 static int DetectIPRepTest06(void)
756 {
757  ThreadVars th_v;
758  DetectEngineThreadCtx *det_ctx = NULL;
759  Signature *sig = NULL;
760  FILE *fd = NULL;
761  int result = 0, r = 0;
762  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
764 
766  memset(&th_v, 0, sizeof(th_v));
767 
768  if (de_ctx == NULL || p == NULL)
769  goto end;
770 
771  p->src.addr_data32[0] = UTHSetIPv4Address("1.0.0.1");
772  de_ctx->flags |= DE_QUIET;
773 
774  SRepInit(de_ctx);
776 
777  fd = DetectIPRepGenerateCategoriesDummy();
778  r = SRepLoadCatFileFromFD(fd);
779  if (r < 0) {
780  goto end;
781  }
782 
783  fd = DetectIPRepGenerateNetworksDummy();
785  if (r < 0) {
786  goto end;
787  }
788 
789  sig = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value badhost\"; iprep:any,BadHosts,>,1; sid:1; rev:1;)");
790  if (sig == NULL) {
791  goto end;
792  }
793 
795  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
796 
797  p->alerts.cnt = 0;
798  p->action = 0;
799  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
800  if (p->alerts.cnt != 1 || PACKET_TEST_ACTION(p, ACTION_DROP)) {
801  goto end;
802  }
803 
804  result = 1;
805 end:
806  UTHFreePacket(p);
809 
810  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
812 
813  HostShutdown();
814  return result == 0;
815 }
816 
817 static int DetectIPRepTest07(void)
818 {
819  ThreadVars th_v;
820  DetectEngineThreadCtx *det_ctx = NULL;
821  Signature *sig = NULL;
822  FILE *fd = NULL;
823  int result = 0, r = 0;
824  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
826 
828  memset(&th_v, 0, sizeof(th_v));
829 
830  if (de_ctx == NULL || p == NULL)
831  goto end;
832 
833  p->dst.addr_data32[0] = UTHSetIPv4Address("1.0.0.2");
834  de_ctx->flags |= DE_QUIET;
835 
836  SRepInit(de_ctx);
838 
839  fd = DetectIPRepGenerateCategoriesDummy();
840  r = SRepLoadCatFileFromFD(fd);
841  if (r < 0) {
842  goto end;
843  }
844 
845  fd = DetectIPRepGenerateNetworksDummy();
847  if (r < 0) {
848  goto end;
849  }
850 
851  sig = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value badhost\"; iprep:any,BadHosts,>,1; sid:1; rev:1;)");
852  if (sig == NULL) {
853  goto end;
854  }
855 
857  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
858 
859  p->alerts.cnt = 0;
860  p->action = 0;
861  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
862  if (p->alerts.cnt != 1 || PACKET_TEST_ACTION(p, ACTION_DROP)) {
863  goto end;
864  }
865 
866  result = 1;
867 end:
868  UTHFreePacket(p);
871 
872  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
874 
875  HostShutdown();
876  return result == 0;
877 }
878 
879 static int DetectIPRepTest08(void)
880 {
881  ThreadVars th_v;
882  DetectEngineThreadCtx *det_ctx = NULL;
883  Signature *sig = NULL;
884  FILE *fd = NULL;
885  int result = 0, r = 0;
886  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
888 
890  memset(&th_v, 0, sizeof(th_v));
891 
892  if (de_ctx == NULL || p == NULL)
893  goto end;
894 
895  p->src.addr_data32[0] = UTHSetIPv4Address("1.0.0.1");
896  p->dst.addr_data32[0] = UTHSetIPv4Address("1.0.0.2");
897  de_ctx->flags |= DE_QUIET;
898 
899  SRepInit(de_ctx);
901 
902  fd = DetectIPRepGenerateCategoriesDummy();
903  r = SRepLoadCatFileFromFD(fd);
904  if (r < 0) {
905  goto end;
906  }
907 
908  fd = DetectIPRepGenerateNetworksDummy();
910  if (r < 0) {
911  goto end;
912  }
913 
914  sig = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value badhost\"; iprep:any,BadHosts,>,1; sid:1; rev:1;)");
915  if (sig == NULL) {
916  goto end;
917  }
918 
920  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
921 
922  p->alerts.cnt = 0;
923  p->action = 0;
924  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
925  if (p->alerts.cnt != 1 || PACKET_TEST_ACTION(p, ACTION_DROP)) {
926  goto end;
927  }
928 
929  result = 1;
930 end:
931  UTHFreePacket(p);
934 
935  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
937 
938  HostShutdown();
939  return result == 0;
940 }
941 
942 static int DetectIPRepTest09(void)
943 {
944  ThreadVars th_v;
945  DetectEngineThreadCtx *det_ctx = NULL;
946  Signature *sig = NULL;
947  FILE *fd = NULL;
948  int result = 0, r = 0;
949  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
951 
953  memset(&th_v, 0, sizeof(th_v));
954 
955  if (de_ctx == NULL || p == NULL)
956  goto end;
957 
958  p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1");
959  p->dst.addr_data32[0] = UTHSetIPv4Address("192.168.0.2");
960  de_ctx->flags |= DE_QUIET;
961 
962  SRepInit(de_ctx);
964 
965  fd = DetectIPRepGenerateCategoriesDummy2();
966  r = SRepLoadCatFileFromFD(fd);
967  if (r < 0) {
968  goto end;
969  }
970 
971  fd = DetectIPRepGenerateNetworksDummy2();
973  if (r < 0) {
974  goto end;
975  }
976 
977  sig = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"test\"; iprep:src,BadHosts,>,9; sid:1; rev:1;)");
978  if (sig == NULL) {
979  goto end;
980  }
981 
983  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
984 
985  p->alerts.cnt = 0;
986  p->action = 0;
987  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
988  if (p->alerts.cnt != 1 || PACKET_TEST_ACTION(p, ACTION_DROP)) {
989  goto end;
990  }
991 
992  result = 1;
993 end:
994  UTHFreePacket(p);
997 
998  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1000 
1001  HostShutdown();
1002  return result;
1003 }
1004 
1005 /**
1006  * \brief this function registers unit tests for IPRep
1007  */
1008 void IPRepRegisterTests(void)
1009 {
1010  UtRegisterTest("DetectIPRepTest01", DetectIPRepTest01);
1011  UtRegisterTest("DetectIPRepTest02", DetectIPRepTest02);
1012  UtRegisterTest("DetectIPRepTest03", DetectIPRepTest03);
1013  UtRegisterTest("DetectIPRepTest04", DetectIPRepTest04);
1014  UtRegisterTest("DetectIPRepTest05", DetectIPRepTest05);
1015  UtRegisterTest("DetectIPRepTest06", DetectIPRepTest06);
1016  UtRegisterTest("DetectIPRepTest07", DetectIPRepTest07);
1017  UtRegisterTest("DetectIPRepTest08", DetectIPRepTest08);
1018  UtRegisterTest("DetectIPRepTest09", DetectIPRepTest09);
1019 }
1020 #endif /* UNITTESTS */
util-byte.h
host.h
SigTableElmt_::url
const char * url
Definition: detect.h:1214
SReputation_
Definition: reputation.h:39
detect-engine.h
DetectIPRepData_
Definition: detect-iprep.h:36
DETECT_IPREP_CMD_SRC
#define DETECT_IPREP_CMD_SRC
Definition: detect-iprep.h:29
PKT_HOST_DST_LOOKED_UP
#define PKT_HOST_DST_LOOKED_UP
Definition: decode.h:1122
SigTableElmt_::desc
const char * desc
Definition: detect.h:1213
util-fmemopen.h
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1201
SReputation_::rep
uint8_t rep[SREP_MAX_CATS]
Definition: reputation.h:41
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1211
SRepCatGetByShortname
uint8_t SRepCatGetByShortname(char *shortname)
Definition: reputation.c:336
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
Packet_::host_src
struct Host_ * host_src
Definition: decode.h:566
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
PacketAlerts_::cnt
uint16_t cnt
Definition: decode.h:299
Packet_::flags
uint32_t flags
Definition: decode.h:449
Packet_::action
uint8_t action
Definition: decode.h:553
threads.h
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2056
HostInitConfig
void HostInitConfig(char quiet)
initialize the configuration
Definition: host.c:173
HostRelease
void HostRelease(Host *h)
Definition: host.c:474
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1205
UTHSetIPv4Address
uint32_t UTHSetIPv4Address(const char *str)
return the uint32_t for a ipv4 address string
Definition: util-unittest-helper.c:132
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:767
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2093
DETECT_IPREP_CMD_ANY
#define DETECT_IPREP_CMD_ANY
Definition: detect-iprep.h:27
flow-bit.h
DetectEngineCtx_::srep_version
uint32_t srep_version
Definition: detect.h:777
DE_QUIET
#define DE_QUIET
Definition: detect.h:294
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:337
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:39
SCFmemopen
#define SCFmemopen
Definition: util-fmemopen.h:52
Packet_::host_dst
struct Host_ * host_dst
Definition: decode.h:567
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1196
Packet_::alerts
PacketAlerts alerts
Definition: decode.h:564
util-unittest.h
util-unittest-helper.h
DETECT_IPREP_OP_EQ
#define DETECT_IPREP_OP_EQ
Definition: detect-iprep.h:34
decode.h
util-debug.h
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
detect-iprep.h
DetectEngineThreadCtx_
Definition: detect.h:1010
StringParseU8RangeCheck
int StringParseU8RangeCheck(uint8_t *res, int base, uint16_t len, const char *str, uint8_t min, uint8_t max)
Definition: util-byte.c:457
DetectEngineCtx_::srepCIDR_ctx
SRepCIDRTree * srepCIDR_ctx
Definition: detect.h:780
SC_ERR_UNKNOWN_VALUE
@ SC_ERR_UNKNOWN_VALUE
Definition: util-error.h:159
DETECT_IPREP_CMD_DST
#define DETECT_IPREP_CMD_DST
Definition: detect-iprep.h:30
SRepLoadCatFileFromFD
int SRepLoadCatFileFromFD(FILE *fp)
Definition: reputation.c:364
PKT_HOST_SRC_LOOKED_UP
#define PKT_HOST_SRC_LOOKED_UP
Definition: decode.h:1121
res
PoolThreadReserved res
Definition: stream-tcp-private.h:0
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2493
detect-engine-mpm.h
DetectIPRepData_::op
int8_t op
Definition: detect-iprep.h:39
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-iprep.c:52
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:89
app-layer-parser.h
HostLock
void HostLock(Host *h)
Definition: host.c:480
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:323
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1688
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1953
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options, int *ovector, int ovector_size)
Definition: detect-parse.c:2423
DetectIPRepData_::val
uint8_t val
Definition: detect-iprep.h:40
Packet_
Definition: decode.h:414
HostReference
#define HostReference(dst_h_ptr, h)
Definition: host.h:117
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1179
reputation.h
DETECT_IPREP_OP_LT
#define DETECT_IPREP_OP_LT
Definition: detect-iprep.h:32
SRepLoadFileFromFD
int SRepLoadFileFromFD(SRepCIDRTree *cidr_ctx, FILE *fp)
Definition: reputation.c:431
DetectIPRepFree
void DetectIPRepFree(DetectEngineCtx *, void *)
Definition: detect-iprep.c:381
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
DetectIPRepData_::cat
int8_t cat
Definition: detect-iprep.h:38
SRepCIDRGetIPRepDst
uint8_t SRepCIDRGetIPRepDst(SRepCIDRTree *cidr_ctx, Packet *p, uint8_t cat, uint32_t version)
Definition: reputation.c:158
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1888
SigMatch_::type
uint8_t type
Definition: detect.h:321
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:315
Host_::iprep
void * iprep
Definition: host.h:69
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2797
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3005
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectParseRegex_
Definition: detect-parse.h:42
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
util-spm.h
HOST_QUIET
#define HOST_QUIET
Definition: host.h:93
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
version
uint8_t version
Definition: decode-gre.h:1
HostShutdown
void HostShutdown(void)
shutdown the flow engine
Definition: host.c:305
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:773
SReputation_::version
uint32_t version
Definition: reputation.h:40
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
SRepInit
int SRepInit(DetectEngineCtx *de_ctx)
init reputation
Definition: reputation.c:575
SCFree
#define SCFree(p)
Definition: util-mem.h:61
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:485
DETECT_IPREP_OP_GT
#define DETECT_IPREP_OP_GT
Definition: detect-iprep.h:33
detect-parse.h
Signature_
Signature container.
Definition: detect.h:528
SigMatch_
a single match condition for a signature
Definition: detect.h:320
SRepResetVersion
void SRepResetVersion(void)
Definition: reputation.c:61
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2048
HostLookupHostFromHash
Host * HostLookupHostFromHash(Address *a)
look up a host in the hash
Definition: host.c:598
DETECT_IPREP_CMD_BOTH
#define DETECT_IPREP_CMD_BOTH
Definition: detect-iprep.h:28
DetectEngineThreadCtx_::de_ctx
DetectEngineCtx * de_ctx
Definition: detect.h:1136
Packet_::dst
Address dst
Definition: decode.h:419
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:768
flow.h
DetectIPRepRegister
void DetectIPRepRegister(void)
Definition: detect-iprep.c:63
Host_
Definition: host.h:58
DetectIPRepData_::cmd
uint8_t cmd
Definition: detect-iprep.h:37
SIGMATCH_IPONLY_COMPAT
#define SIGMATCH_IPONLY_COMPAT
Definition: detect.h:1382
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
SRepCIDRGetIPRepSrc
uint8_t SRepCIDRGetIPRepSrc(SRepCIDRTree *cidr_ctx, Packet *p, uint8_t cat, uint32_t version)
Definition: reputation.c:146
Packet_::src
Address src
Definition: decode.h:418
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1203
PACKET_TEST_ACTION
#define PACKET_TEST_ACTION(p, a)
Definition: decode.h:870
DETECT_IPREP
@ DETECT_IPREP
Definition: detect-engine-register.h:211