suricata
detect-iprep.c
Go to the documentation of this file.
1 /* Copyright (C) 2012-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Implements the iprep keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 #include "detect.h"
29 #include "threads.h"
30 #include "flow.h"
31 #include "flow-bit.h"
32 #include "flow-util.h"
33 #include "detect-iprep.h"
34 #include "util-spm.h"
35 
36 #include "app-layer-parser.h"
37 
38 #include "detect-parse.h"
39 #include "detect-engine.h"
40 #include "detect-engine-mpm.h"
41 #include "detect-engine-state.h"
42 #include "detect-engine-uint.h"
43 #include "detect-engine-build.h"
44 
45 #include "util-debug.h"
46 #include "util-byte.h"
47 #include "util-unittest.h"
48 #include "util-unittest-helper.h"
49 #include "util-fmemopen.h"
50 #include "util-validate.h"
51 
52 #include "reputation.h"
53 #include "host.h"
54 
55 static int DetectIPRepMatch (DetectEngineThreadCtx *, Packet *,
56  const Signature *, const SigMatchCtx *);
57 static int DetectIPRepSetup (DetectEngineCtx *, Signature *, const char *);
58 void DetectIPRepFree (DetectEngineCtx *, void *);
59 #ifdef UNITTESTS
60 static void IPRepRegisterTests(void);
61 #endif
62 
63 void DetectIPRepRegister (void)
64 {
65  sigmatch_table[DETECT_IPREP].name = "iprep";
66  sigmatch_table[DETECT_IPREP].desc = "match on the IP reputation information for a host";
67  sigmatch_table[DETECT_IPREP].url = "/rules/ip-reputation-rules.html#iprep";
68  sigmatch_table[DETECT_IPREP].Match = DetectIPRepMatch;
69  sigmatch_table[DETECT_IPREP].Setup = DetectIPRepSetup;
70  sigmatch_table[DETECT_IPREP].Free = DetectIPRepFree;
71 #ifdef UNITTESTS
72  sigmatch_table[DETECT_IPREP].RegisterTests = IPRepRegisterTests;
73 #endif
74  /* this is compatible to ip-only signatures */
75  sigmatch_table[DETECT_IPREP].flags |= SIGMATCH_IPONLY_COMPAT;
76 }
77 
78 static inline int8_t GetRep(const SReputation *r, const uint8_t cat, const uint32_t version)
79 {
80  /* allow higher versions as this happens during
81  * rule reload */
82  if (r != NULL && r->version >= version) {
83  return r->rep[cat];
84  }
85  return -1;
86 }
87 
88 /** \returns: -2 no host, -1 no rep entry, 0-127 rep values */
89 static int8_t GetHostRepSrc(Packet *p, uint8_t cat, uint32_t version)
90 {
91  if (p->flags & PKT_HOST_SRC_LOOKED_UP && p->host_src == NULL) {
92  return -2;
93  } else if (p->host_src != NULL) {
94  Host *h = (Host *)p->host_src;
95  HostLock(h);
96  /* use_cnt: 1 for having iprep, 1 for packet ref */
97  DEBUG_VALIDATE_BUG_ON(h->iprep != NULL && SC_ATOMIC_GET(h->use_cnt) < 2);
98  int8_t val = GetRep(h->iprep, cat, version);
99  HostUnlock(h);
100  return val;
101  } else {
102  Host *h = HostLookupHostFromHash(&(p->src));
103  p->flags |= PKT_HOST_SRC_LOOKED_UP;
104  if (h == NULL)
105  return -2;
106  HostReference(&p->host_src, h);
107  /* use_cnt: 1 for having iprep, 1 for HostLookupHostFromHash,
108  * 1 for HostReference to packet */
109  DEBUG_VALIDATE_BUG_ON(h->iprep != NULL && SC_ATOMIC_GET(h->use_cnt) < 3);
110  int8_t val = GetRep(h->iprep, cat, version);
111  HostRelease(h); /* use_cnt >= 2: 1 for iprep, 1 for packet ref */
112  return val;
113  }
114 }
115 
116 static int8_t GetHostRepDst(Packet *p, uint8_t cat, uint32_t version)
117 {
118  if (p->flags & PKT_HOST_DST_LOOKED_UP && p->host_dst == NULL) {
119  return -2;
120  } else if (p->host_dst != NULL) {
121  Host *h = (Host *)p->host_dst;
122  HostLock(h);
123  /* use_cnt: 1 for having iprep, 1 for packet ref */
124  DEBUG_VALIDATE_BUG_ON(h->iprep != NULL && SC_ATOMIC_GET(h->use_cnt) < 2);
125  int8_t val = GetRep(h->iprep, cat, version);
126  HostUnlock(h);
127  return val;
128  } else {
129  Host *h = HostLookupHostFromHash(&(p->dst));
130  p->flags |= PKT_HOST_DST_LOOKED_UP;
131  if (h == NULL)
132  return -2;
133  HostReference(&p->host_dst, h);
134  /* use_cnt: 1 for having iprep, 1 for HostLookupHostFromHash,
135  * 1 for HostReference to packet */
136  DEBUG_VALIDATE_BUG_ON(h->iprep != NULL && SC_ATOMIC_GET(h->use_cnt) < 3);
137  int8_t val = GetRep(h->iprep, cat, version);
138  HostRelease(h); /* use_cnt >= 2: 1 for iprep, 1 for packet ref */
139  return val;
140  }
141 }
142 
143 /*
144  * returns 0: no match
145  * 1: match
146  * -1: error
147  */
148 static int DetectIPRepMatch (DetectEngineThreadCtx *det_ctx, Packet *p,
149  const Signature *s, const SigMatchCtx *ctx)
150 {
151  const DetectIPRepData *rd = (const DetectIPRepData *)ctx;
152  if (rd == NULL)
153  return 0;
154 
155  uint32_t version = det_ctx->de_ctx->srep_version;
156  int8_t val = 0;
157 
158  SCLogDebug("rd->cmd %u", rd->cmd);
159  switch (rd->cmd) {
160  case IPRepCmdAny:
161  if (!rd->isnotset) {
162  val = GetHostRepSrc(p, rd->cat, version);
163  if (val < 0)
164  val = SRepCIDRGetIPRepSrc(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
165  if (val >= 0) {
166  if (DetectU8Match((uint8_t)val, &rd->du8))
167  return 1;
168  }
169  val = GetHostRepDst(p, rd->cat, version);
170  if (val < 0)
171  val = SRepCIDRGetIPRepDst(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
172  if (val >= 0) {
173  return DetectU8Match((uint8_t)val, &rd->du8);
174  }
175  } else {
176  /* isnotset for any */
177 
178  val = GetHostRepSrc(p, rd->cat, version);
179  if (val < 0)
180  val = SRepCIDRGetIPRepSrc(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
181  if (val < 0) {
182  return 1;
183  }
184  val = GetHostRepDst(p, rd->cat, version);
185  if (val < 0)
186  val = SRepCIDRGetIPRepDst(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
187  if (val < 0) {
188  return 1;
189  }
190  /* both have a value, so none 'isnotset' */
191  return 0;
192  }
193  break;
194 
195  case IPRepCmdSrc:
196  val = GetHostRepSrc(p, rd->cat, version);
197  SCLogDebug("checking src -- val %d (looking for cat %u, val %u)", val, rd->cat,
198  rd->du8.arg1);
199  if (val < 0)
200  val = SRepCIDRGetIPRepSrc(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
201  if (val >= 0) {
202  return DetectU8Match((uint8_t)val, &rd->du8);
203  }
204  /* implied: no value found */
205  if (rd->isnotset) {
206  return 1;
207  }
208  break;
209 
210  case IPRepCmdDst:
211  SCLogDebug("checking dst");
212  val = GetHostRepDst(p, rd->cat, version);
213  if (val < 0)
214  val = SRepCIDRGetIPRepDst(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
215  if (val >= 0) {
216  return DetectU8Match((uint8_t)val, &rd->du8);
217  }
218  /* implied: no value found */
219  if (rd->isnotset) {
220  return 1;
221  }
222  break;
223 
224  case IPRepCmdBoth:
225  if (!rd->isnotset) {
226  val = GetHostRepSrc(p, rd->cat, version);
227  if (val < 0)
228  val = SRepCIDRGetIPRepSrc(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
229  if (val < 0 || DetectU8Match((uint8_t)val, &rd->du8) == 0)
230  return 0;
231  val = GetHostRepDst(p, rd->cat, version);
232  if (val < 0)
233  val = SRepCIDRGetIPRepDst(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
234  if (val >= 0) {
235  return DetectU8Match((uint8_t)val, &rd->du8);
236  }
237  } else {
238  val = GetHostRepSrc(p, rd->cat, version);
239  if (val >= 0)
240  return 0;
241  val = SRepCIDRGetIPRepSrc(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
242  if (val >= 0)
243  return 0;
244  val = GetHostRepDst(p, rd->cat, version);
245  if (val >= 0)
246  return 0;
247  val = SRepCIDRGetIPRepDst(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
248  if (val >= 0)
249  return 0;
250  return 1;
251  }
252  break;
253  }
254 
255  return 0;
256 }
257 
258 int DetectIPRepSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
259 {
260  DetectIPRepData *cd = SCDetectIPRepParse(rawstr);
261  if (cd == NULL) {
262  SCLogError("\"%s\" is not a valid setting for iprep", rawstr);
263  goto error;
264  }
265 
266  SCLogDebug("cmd %u, cat %u, op %u, val %u", cd->cmd, cd->cat, cd->du8.mode, cd->du8.arg1);
267 
268  /* Okay so far so good, lets get this into a SigMatch
269  * and put it in the Signature. */
270 
271  if (SCSigMatchAppendSMToList(
272  de_ctx, s, DETECT_IPREP, (SigMatchCtx *)cd, DETECT_SM_LIST_MATCH) == NULL) {
273  goto error;
274  }
275 
276  return 0;
277 
278 error:
279  if (cd != NULL)
280  DetectIPRepFree(de_ctx, cd);
281  return -1;
282 }
283 
284 void DetectIPRepFree (DetectEngineCtx *de_ctx, void *ptr)
285 {
286  DetectIPRepData *fd = (DetectIPRepData *)ptr;
287  if (fd == NULL)
288  return;
289 
290  SCDetectIPRepFree(fd);
291 }
292 
293 #ifdef UNITTESTS
294 #include "packet.h"
295 #include "action-globals.h"
296 
297 static FILE *DetectIPRepGenerateCategoriesDummy(void)
298 {
299  FILE *fd = NULL;
300  const char *buffer = "1,BadHosts,Know bad hosts";
301 
302  fd = SCFmemopen((void *)buffer, strlen(buffer), "r");
303  if (fd == NULL)
304  SCLogDebug("Error with SCFmemopen()");
305 
306  return fd;
307 }
308 
309 static FILE *DetectIPRepGenerateCategoriesDummy2(void)
310 {
311  FILE *fd = NULL;
312  const char *buffer =
313  "1,BadHosts,Know bad hosts\n"
314  "2,GoodHosts,Know good hosts\n";
315 
316  fd = SCFmemopen((void *)buffer, strlen(buffer), "r");
317  if (fd == NULL)
318  SCLogDebug("Error with SCFmemopen()");
319 
320  return fd;
321 }
322 
323 static FILE *DetectIPRepGenerateNetworksDummy(void)
324 {
325  FILE *fd = NULL;
326  const char *buffer = "10.0.0.0/24,1,20";
327 
328  fd = SCFmemopen((void *)buffer, strlen(buffer), "r");
329  if (fd == NULL)
330  SCLogDebug("Error with SCFmemopen()");
331 
332  return fd;
333 }
334 
335 static FILE *DetectIPRepGenerateNetworksDummy2(void)
336 {
337  FILE *fd = NULL;
338  const char *buffer =
339  "0.0.0.0/0,1,10\n"
340  "192.168.0.0/16,2,127";
341 
342  fd = SCFmemopen((void *)buffer, strlen(buffer), "r");
343  if (fd == NULL)
344  SCLogDebug("Error with SCFmemopen()");
345 
346  return fd;
347 }
348 
349 static int DetectIPRepTest01(void)
350 {
351  ThreadVars th_v;
352  DetectEngineThreadCtx *det_ctx = NULL;
353  Signature *sig = NULL;
354  FILE *fd = NULL;
355  int r = 0;
356  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
357  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
358 
359  HostInitConfig(HOST_QUIET);
360  memset(&th_v, 0, sizeof(th_v));
361 
362  FAIL_IF_NULL(de_ctx);
363  FAIL_IF_NULL(p);
364 
365  p->src.addr_data32[0] = UTHSetIPv4Address("10.0.0.1");
366  de_ctx->flags |= DE_QUIET;
367  SRepResetVersion();
368 
369  fd = DetectIPRepGenerateCategoriesDummy();
370  r = SRepLoadCatFileFromFD(fd);
371  FAIL_IF(r < 0);
372 
373  fd = DetectIPRepGenerateNetworksDummy();
374  r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);
375  FAIL_IF(r < 0);
376 
377  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value "
378  "badhost\"; iprep:any,BadHosts,>,1; sid:1;rev:1;)");
379  FAIL_IF_NULL(sig);
380 
381  SigGroupBuild(de_ctx);
382  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
383 
384  p->alerts.cnt = 0;
385  p->action = 0;
386  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
387 
388  FAIL_IF(p->alerts.cnt != 1);
389  FAIL_IF(PacketTestAction(p, ACTION_DROP));
390 
391  UTHFreePacket(p);
392 
393  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
394  DetectEngineCtxFree(de_ctx);
395  HostShutdown();
396  StatsThreadCleanup(&th_v);
397  PASS;
398 }
399 
400 static int DetectIPRepTest02(void)
401 {
402  ThreadVars th_v;
403  DetectEngineThreadCtx *det_ctx = NULL;
404  Signature *sig = NULL;
405  FILE *fd = NULL;
406  int r = 0;
407  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
408  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
409 
410  HostInitConfig(HOST_QUIET);
411  memset(&th_v, 0, sizeof(th_v));
412 
413  FAIL_IF_NULL(de_ctx);
414  FAIL_IF_NULL(p);
415 
416  p->src.addr_data32[0] = UTHSetIPv4Address("10.0.0.1");
417  de_ctx->flags |= DE_QUIET;
418  SRepResetVersion();
419 
420  fd = DetectIPRepGenerateCategoriesDummy();
421  r = SRepLoadCatFileFromFD(fd);
422  FAIL_IF(r < 0);
423 
424  fd = DetectIPRepGenerateNetworksDummy();
425  r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);
426  FAIL_IF(r < 0);
427 
428  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value "
429  "badhost\"; iprep:src,BadHosts,>,1; sid:1; rev:1;)");
430  FAIL_IF_NULL(sig);
431 
432  SigGroupBuild(de_ctx);
433  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
434 
435  p->alerts.cnt = 0;
436  p->action = 0;
437  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
438  FAIL_IF(p->alerts.cnt != 1);
439  FAIL_IF(PacketTestAction(p, ACTION_DROP));
440 
441  UTHFreePacket(p);
442 
443  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
444  DetectEngineCtxFree(de_ctx);
445 
446  HostShutdown();
447  StatsThreadCleanup(&th_v);
448  PASS;
449 }
450 
451 static int DetectIPRepTest03(void)
452 {
453  ThreadVars th_v;
454  DetectEngineThreadCtx *det_ctx = NULL;
455  Signature *sig = NULL;
456  FILE *fd = NULL;
457  int r = 0;
458  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
459  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
460 
461  HostInitConfig(HOST_QUIET);
462  memset(&th_v, 0, sizeof(th_v));
463 
464  FAIL_IF_NULL(de_ctx);
465  FAIL_IF_NULL(p);
466 
467  p->dst.addr_data32[0] = UTHSetIPv4Address("10.0.0.2");
468  de_ctx->flags |= DE_QUIET;
469  SRepResetVersion();
470 
471  fd = DetectIPRepGenerateCategoriesDummy();
472  r = SRepLoadCatFileFromFD(fd);
473  FAIL_IF(r < 0);
474 
475  fd = DetectIPRepGenerateNetworksDummy();
476  r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);
477  FAIL_IF(r < 0);
478 
479  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value "
480  "badhost\"; iprep:dst,BadHosts,>,1; sid:1; rev:1;)");
481  FAIL_IF_NULL(sig);
482 
483  SigGroupBuild(de_ctx);
484  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
485 
486  p->alerts.cnt = 0;
487  p->action = 0;
488  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
489  FAIL_IF(p->alerts.cnt != 1);
490  FAIL_IF(PacketTestAction(p, ACTION_DROP));
491 
492  UTHFreePacket(p);
493 
494  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
495  DetectEngineCtxFree(de_ctx);
496 
497  HostShutdown();
498  StatsThreadCleanup(&th_v);
499  PASS;
500 }
501 
502 static int DetectIPRepTest04(void)
503 {
504  ThreadVars th_v;
505  DetectEngineThreadCtx *det_ctx = NULL;
506  Signature *sig = NULL;
507  FILE *fd = NULL;
508  int r = 0;
509  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
510  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
511 
512  HostInitConfig(HOST_QUIET);
513  memset(&th_v, 0, sizeof(th_v));
514 
515  FAIL_IF_NULL(de_ctx);
516  FAIL_IF_NULL(p);
517 
518  p->src.addr_data32[0] = UTHSetIPv4Address("10.0.0.1");
519  p->dst.addr_data32[0] = UTHSetIPv4Address("10.0.0.2");
520  de_ctx->flags |= DE_QUIET;
521  SRepResetVersion();
522 
523  fd = DetectIPRepGenerateCategoriesDummy();
524  r = SRepLoadCatFileFromFD(fd);
525  FAIL_IF(r < 0);
526 
527  fd = DetectIPRepGenerateNetworksDummy();
528  r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);
529  FAIL_IF(r < 0);
530 
531  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value "
532  "badhost\"; iprep:both,BadHosts,>,1; sid:1; rev:1;)");
533  FAIL_IF_NULL(sig);
534 
535  SigGroupBuild(de_ctx);
536  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
537 
538  p->alerts.cnt = 0;
539  p->action = 0;
540  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
541  FAIL_IF(p->alerts.cnt != 1);
542  FAIL_IF(PacketTestAction(p, ACTION_DROP));
543 
544  UTHFreePacket(p);
545 
546  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
547  DetectEngineCtxFree(de_ctx);
548 
549  HostShutdown();
550  StatsThreadCleanup(&th_v);
551  PASS;
552 }
553 
554 static int DetectIPRepTest05(void)
555 {
556  ThreadVars th_v;
557  DetectEngineThreadCtx *det_ctx = NULL;
558  Signature *sig = NULL;
559  FILE *fd = NULL;
560  int r = 0;
561  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
562  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
563 
564  HostInitConfig(HOST_QUIET);
565  memset(&th_v, 0, sizeof(th_v));
566 
567  FAIL_IF_NULL(de_ctx);
568  FAIL_IF_NULL(p);
569 
570  p->src.addr_data32[0] = UTHSetIPv4Address("1.0.0.1");
571  de_ctx->flags |= DE_QUIET;
572  SRepResetVersion();
573 
574  fd = DetectIPRepGenerateCategoriesDummy();
575  r = SRepLoadCatFileFromFD(fd);
576  FAIL_IF(r < 0);
577 
578  fd = DetectIPRepGenerateNetworksDummy();
579  r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);
580  FAIL_IF(r < 0);
581 
582  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value "
583  "badhost\"; iprep:any,BadHosts,>,1; sid:1; rev:1;)");
584  FAIL_IF_NULL(sig);
585 
586  SigGroupBuild(de_ctx);
587  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
588 
589  p->alerts.cnt = 0;
590  p->action = 0;
591  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
592  FAIL_IF(p->alerts.cnt != 0);
593  FAIL_IF(PacketTestAction(p, ACTION_DROP));
594 
595  UTHFreePacket(p);
596 
597  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
598  DetectEngineCtxFree(de_ctx);
599 
600  HostShutdown();
601  StatsThreadCleanup(&th_v);
602  PASS;
603 }
604 
605 static int DetectIPRepTest06(void)
606 {
607  ThreadVars th_v;
608  DetectEngineThreadCtx *det_ctx = NULL;
609  Signature *sig = NULL;
610  FILE *fd = NULL;
611  int r = 0;
612  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
613  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
614 
615  HostInitConfig(HOST_QUIET);
616  memset(&th_v, 0, sizeof(th_v));
617 
618  FAIL_IF_NULL(de_ctx);
619  FAIL_IF_NULL(p);
620 
621  p->src.addr_data32[0] = UTHSetIPv4Address("1.0.0.1");
622  de_ctx->flags |= DE_QUIET;
623  SRepResetVersion();
624 
625  fd = DetectIPRepGenerateCategoriesDummy();
626  r = SRepLoadCatFileFromFD(fd);
627  FAIL_IF(r < 0);
628 
629  fd = DetectIPRepGenerateNetworksDummy2();
630  r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);
631  FAIL_IF(r < 0);
632 
633  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value "
634  "badhost\"; iprep:any,BadHosts,>,1; sid:1; rev:1;)");
635  FAIL_IF_NULL(sig);
636 
637  SigGroupBuild(de_ctx);
638  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
639 
640  p->alerts.cnt = 0;
641  p->action = 0;
642  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
643  FAIL_IF(p->alerts.cnt != 1);
644  FAIL_IF(PacketTestAction(p, ACTION_DROP));
645 
646  UTHFreePacket(p);
647 
648  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
649  DetectEngineCtxFree(de_ctx);
650 
651  HostShutdown();
652  StatsThreadCleanup(&th_v);
653  PASS;
654 }
655 
656 static int DetectIPRepTest07(void)
657 {
658  ThreadVars th_v;
659  DetectEngineThreadCtx *det_ctx = NULL;
660  Signature *sig = NULL;
661  FILE *fd = NULL;
662  int r = 0;
663  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
664  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
665 
666  HostInitConfig(HOST_QUIET);
667  memset(&th_v, 0, sizeof(th_v));
668 
669  FAIL_IF_NULL(de_ctx);
670  FAIL_IF_NULL(p);
671 
672  p->dst.addr_data32[0] = UTHSetIPv4Address("1.0.0.2");
673  de_ctx->flags |= DE_QUIET;
674  SRepResetVersion();
675 
676  fd = DetectIPRepGenerateCategoriesDummy();
677  r = SRepLoadCatFileFromFD(fd);
678  FAIL_IF(r < 0);
679 
680  fd = DetectIPRepGenerateNetworksDummy2();
681  r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);
682  FAIL_IF(r < 0);
683 
684  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value "
685  "badhost\"; iprep:any,BadHosts,>,1; sid:1; rev:1;)");
686  FAIL_IF_NULL(sig);
687 
688  SigGroupBuild(de_ctx);
689  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
690 
691  p->alerts.cnt = 0;
692  p->action = 0;
693  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
694  FAIL_IF(p->alerts.cnt != 1);
695  FAIL_IF(PacketTestAction(p, ACTION_DROP));
696 
697  UTHFreePacket(p);
698 
699  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
700  DetectEngineCtxFree(de_ctx);
701 
702  HostShutdown();
703  StatsThreadCleanup(&th_v);
704  PASS;
705 }
706 
707 static int DetectIPRepTest08(void)
708 {
709  ThreadVars th_v;
710  DetectEngineThreadCtx *det_ctx = NULL;
711  Signature *sig = NULL;
712  FILE *fd = NULL;
713  int r = 0;
714  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
715  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
716 
717  HostInitConfig(HOST_QUIET);
718  memset(&th_v, 0, sizeof(th_v));
719 
720  FAIL_IF_NULL(de_ctx);
721  FAIL_IF_NULL(p);
722 
723  p->src.addr_data32[0] = UTHSetIPv4Address("1.0.0.1");
724  p->dst.addr_data32[0] = UTHSetIPv4Address("1.0.0.2");
725  de_ctx->flags |= DE_QUIET;
726  SRepResetVersion();
727 
728  fd = DetectIPRepGenerateCategoriesDummy();
729  r = SRepLoadCatFileFromFD(fd);
730  FAIL_IF(r < 0);
731 
732  fd = DetectIPRepGenerateNetworksDummy();
733  r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);
734  FAIL_IF(r < 0);
735 
736  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value "
737  "badhost\"; iprep:any,BadHosts,>,1; sid:1; rev:1;)");
738  FAIL_IF_NULL(sig);
739 
740  SigGroupBuild(de_ctx);
741  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
742 
743  p->alerts.cnt = 0;
744  p->action = 0;
745  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
746  FAIL_IF(p->alerts.cnt != 0);
747  FAIL_IF(PacketTestAction(p, ACTION_DROP));
748 
749  UTHFreePacket(p);
750 
751  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
752  DetectEngineCtxFree(de_ctx);
753 
754  HostShutdown();
755  StatsThreadCleanup(&th_v);
756  PASS;
757 }
758 
759 static int DetectIPRepTest09(void)
760 {
761  ThreadVars th_v;
762  DetectEngineThreadCtx *det_ctx = NULL;
763  Signature *sig = NULL;
764  FILE *fd = NULL;
765  int r = 0;
766  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
767  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
768 
769  HostInitConfig(HOST_QUIET);
770  memset(&th_v, 0, sizeof(th_v));
771 
772  FAIL_IF_NULL(de_ctx);
773  FAIL_IF_NULL(p);
774 
775  p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1");
776  p->dst.addr_data32[0] = UTHSetIPv4Address("192.168.0.2");
777  de_ctx->flags |= DE_QUIET;
778  SRepResetVersion();
779 
780  fd = DetectIPRepGenerateCategoriesDummy2();
781  r = SRepLoadCatFileFromFD(fd);
782  FAIL_IF(r < 0);
783 
784  fd = DetectIPRepGenerateNetworksDummy2();
785  r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);
786  FAIL_IF(r < 0);
787 
788  sig = DetectEngineAppendSig(de_ctx,
789  "alert tcp any any -> any any (msg:\"test\"; iprep:src,BadHosts,>,9; sid:1; rev:1;)");
790  FAIL_IF_NULL(sig);
791 
792  SigGroupBuild(de_ctx);
793  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
794 
795  p->alerts.cnt = 0;
796  p->action = 0;
797  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
798  FAIL_IF(p->alerts.cnt != 1);
799  FAIL_IF(PacketTestAction(p, ACTION_DROP));
800 
801  UTHFreePacket(p);
802 
803  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
804  DetectEngineCtxFree(de_ctx);
805 
806  HostShutdown();
807  StatsThreadCleanup(&th_v);
808  PASS;
809 }
810 
811 static FILE *DetectIPRepGenerateNetworksDummy3(void)
812 {
813  FILE *fd = NULL;
814  const char *buffer = "192.168.0.0/16,1,127"; // BadHosts
815 
816  fd = SCFmemopen((void *)buffer, strlen(buffer), "r");
817  if (fd == NULL)
818  SCLogDebug("Error with SCFmemopen()");
819 
820  return fd;
821 }
822 
823 static int DetectIPRepTest10(void)
824 {
825  ThreadVars th_v;
826  DetectEngineThreadCtx *det_ctx = NULL;
827  Signature *sig = NULL;
828  FILE *fd = NULL;
829  int r = 0;
830  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
831  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
832 
833  HostInitConfig(HOST_QUIET);
834  memset(&th_v, 0, sizeof(th_v));
835 
836  FAIL_IF_NULL(de_ctx);
837  FAIL_IF_NULL(p);
838 
839  p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1");
840  p->dst.addr_data32[0] = UTHSetIPv4Address("192.168.0.2");
841  de_ctx->flags |= DE_QUIET;
842  SRepResetVersion();
843 
844  fd = DetectIPRepGenerateCategoriesDummy2();
845  r = SRepLoadCatFileFromFD(fd);
846  FAIL_IF(r < 0);
847 
848  fd = DetectIPRepGenerateNetworksDummy3();
849  r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);
850  FAIL_IF(r < 0);
851 
852  sig = DetectEngineAppendSig(de_ctx,
853  "alert tcp any any -> any any (msg:\"test\"; iprep:src,BadHosts,isset; sid:1; rev:1;)");
854  FAIL_IF_NULL(sig);
855 
856  SigGroupBuild(de_ctx);
857  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
858 
859  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
860  FAIL_IF_NOT(p->alerts.cnt == 1);
861 
862  UTHFreePacket(p);
863 
864  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
865  DetectEngineCtxFree(de_ctx);
866 
867  HostShutdown();
868  StatsThreadCleanup(&th_v);
869  PASS;
870 }
871 
872 static int DetectIPRepTest11(void)
873 {
874  ThreadVars th_v;
875  DetectEngineThreadCtx *det_ctx = NULL;
876  Signature *sig = NULL;
877  FILE *fd = NULL;
878  int r = 0;
879  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
880  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
881 
882  HostInitConfig(HOST_QUIET);
883  memset(&th_v, 0, sizeof(th_v));
884 
885  FAIL_IF_NULL(de_ctx);
886  FAIL_IF_NULL(p);
887 
888  p->src.addr_data32[0] = UTHSetIPv4Address("10.0.0.1");
889  p->dst.addr_data32[0] = UTHSetIPv4Address("10.0.0.2");
890  de_ctx->flags |= DE_QUIET;
891  SRepResetVersion();
892 
893  fd = DetectIPRepGenerateCategoriesDummy2();
894  r = SRepLoadCatFileFromFD(fd);
895  FAIL_IF(r < 0);
896 
897  fd = DetectIPRepGenerateNetworksDummy3();
898  r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);
899  FAIL_IF(r < 0);
900 
901  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"test\"; "
902  "iprep:src,BadHosts,isnotset; sid:1; rev:1;)");
903  FAIL_IF_NULL(sig);
904 
905  SigGroupBuild(de_ctx);
906  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
907 
908  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
909  FAIL_IF_NOT(p->alerts.cnt == 1);
910 
911  UTHFreePacket(p);
912 
913  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
914  DetectEngineCtxFree(de_ctx);
915 
916  HostShutdown();
917  StatsThreadCleanup(&th_v);
918  PASS;
919 }
920 
921 /**
922  * \brief this function registers unit tests for IPRep
923  */
924 void IPRepRegisterTests(void)
925 {
926  UtRegisterTest("DetectIPRepTest01", DetectIPRepTest01);
927  UtRegisterTest("DetectIPRepTest02", DetectIPRepTest02);
928  UtRegisterTest("DetectIPRepTest03", DetectIPRepTest03);
929  UtRegisterTest("DetectIPRepTest04", DetectIPRepTest04);
930  UtRegisterTest("DetectIPRepTest05", DetectIPRepTest05);
931  UtRegisterTest("DetectIPRepTest06", DetectIPRepTest06);
932  UtRegisterTest("DetectIPRepTest07", DetectIPRepTest07);
933  UtRegisterTest("DetectIPRepTest08", DetectIPRepTest08);
934  UtRegisterTest("DetectIPRepTest09", DetectIPRepTest09);
935  UtRegisterTest("DetectIPRepTest10 -- isset", DetectIPRepTest10);
936  UtRegisterTest("DetectIPRepTest11 -- isnotset", DetectIPRepTest11);
937 }
938 #endif /* UNITTESTS */
util-byte.h
detect-engine-uint.h
host.h
SigTableElmt_::url
const char * url
Definition: detect.h:1460
HostUnlock
void HostUnlock(Host *h)
Definition: host.c:472
SReputation_
Definition: reputation.h:41
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
PKT_HOST_DST_LOOKED_UP
#define PKT_HOST_DST_LOOKED_UP
Definition: decode.h:1289
SigTableElmt_::desc
const char * desc
Definition: detect.h:1459
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:79
util-fmemopen.h
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1444
SReputation_::rep
uint8_t rep[SREP_MAX_CATS]
Definition: reputation.h:43
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1457
Packet_::host_src
struct Host_ * host_src
Definition: decode.h:622
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SigTableElmt_::flags
uint32_t flags
Definition: detect.h:1448
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:279
PacketAlerts_::cnt
uint16_t cnt
Definition: decode.h:287
action-globals.h
Packet_::flags
uint32_t flags
Definition: decode.h:544
Packet_::action
uint8_t action
Definition: decode.h:609
threads.h
HostRelease
void HostRelease(Host *h)
Definition: host.c:461
UTHSetIPv4Address
uint32_t UTHSetIPv4Address(const char *str)
return the uint32_t for a ipv4 address string
Definition: util-unittest-helper.c:148
ctx
struct Thresholds ctx
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:932
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2634
flow-bit.h
DetectEngineCtx_::srep_version
uint32_t srep_version
Definition: detect.h:945
DE_QUIET
#define DE_QUIET
Definition: detect.h:330
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:365
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:2416
SCFmemopen
#define SCFmemopen
Definition: util-fmemopen.h:52
Packet_::host_dst
struct Host_ * host_dst
Definition: decode.h:623
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:3439
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1439
Packet_::alerts
PacketAlerts alerts
Definition: decode.h:620
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
decode.h
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
detect-iprep.h
DetectEngineThreadCtx_
Definition: detect.h:1244
DetectEngineCtx_::srepCIDR_ctx
SRepCIDRTree * srepCIDR_ctx
Definition: detect.h:948
SRepLoadCatFileFromFD
int SRepLoadCatFileFromFD(FILE *fp)
Definition: reputation.c:357
PKT_HOST_SRC_LOOKED_UP
#define PKT_HOST_SRC_LOOKED_UP
Definition: decode.h:1288
detect-engine-mpm.h
SCSigMatchAppendSMToList
SigMatch * SCSigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:388
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3364
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:117
app-layer-parser.h
HostLock
void HostLock(Host *h)
Definition: host.c:467
Packet_
Definition: decode.h:501
detect-engine-build.h
HostReference
#define HostReference(dst_h_ptr, h)
Definition: host.h:117
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1419
reputation.h
SRepLoadFileFromFD
int SRepLoadFileFromFD(SRepCIDRTree *cidr_ctx, FILE *fp)
Definition: reputation.c:423
DetectIPRepFree
void DetectIPRepFree(DetectEngineCtx *, void *)
Definition: detect-iprep.c:284
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2194
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:351
Host_::iprep
void * iprep
Definition: host.h:69
DetectU8Match
int DetectU8Match(const uint8_t parg, const DetectUintData_u8 *du8)
Definition: detect-engine-uint.c:71
SRepCIDRGetIPRepSrc
int8_t SRepCIDRGetIPRepSrc(SRepCIDRTree *cidr_ctx, Packet *p, uint8_t cat, uint32_t version)
Definition: reputation.c:135
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
suricata-common.h
packet.h
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3596
util-spm.h
HOST_QUIET
#define HOST_QUIET
Definition: host.h:93
version
uint8_t version
Definition: decode-gre.h:1
HostShutdown
void HostShutdown(void)
shutdown the flow engine
Definition: host.c:296
SReputation_::version
uint32_t version
Definition: reputation.h:42
util-validate.h
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:271
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:473
SRepCIDRGetIPRepDst
int8_t SRepCIDRGetIPRepDst(SRepCIDRTree *cidr_ctx, Packet *p, uint8_t cat, uint32_t version)
Definition: reputation.c:147
detect-parse.h
Signature_
Signature container.
Definition: detect.h:668
SRepResetVersion
void SRepResetVersion(void)
Definition: reputation.c:64
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2595
HostLookupHostFromHash
Host * HostLookupHostFromHash(Address *a)
look up a host in the hash
Definition: host.c:585
DetectEngineThreadCtx_::de_ctx
DetectEngineCtx * de_ctx
Definition: detect.h:1362
Packet_::dst
Address dst
Definition: decode.h:506
HostInitConfig
void HostInitConfig(bool quiet)
initialize the configuration
Definition: host.c:168
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:934
SC_ATOMIC_GET
#define SC_ATOMIC_GET(name)
Get the value from the atomic variable.
Definition: util-atomic.h:375
flow.h
DetectIPRepRegister
void DetectIPRepRegister(void)
Definition: detect-iprep.c:63
Host_
Definition: host.h:58
StatsThreadCleanup
void StatsThreadCleanup(ThreadVars *tv)
Definition: counters.c:1324
SIGMATCH_IPONLY_COMPAT
#define SIGMATCH_IPONLY_COMPAT
Definition: detect.h:1651
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
Packet_::src
Address src
Definition: decode.h:505
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1446
DETECT_IPREP
@ DETECT_IPREP
Definition: detect-engine-register.h:243