suricata
detect-iprep.c
Go to the documentation of this file.
1 /* Copyright (C) 2012-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Implements the iprep keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 #include "detect.h"
29 #include "threads.h"
30 #include "flow.h"
31 #include "flow-bit.h"
32 #include "flow-util.h"
33 #include "detect-iprep.h"
34 #include "util-spm.h"
35 
36 #include "app-layer-parser.h"
37 
38 #include "detect-parse.h"
39 #include "detect-engine.h"
40 #include "detect-engine-mpm.h"
41 #include "detect-engine-state.h"
42 #include "detect-engine-uint.h"
43 #include "detect-engine-build.h"
44 
45 #include "util-debug.h"
46 #include "util-byte.h"
47 #include "util-unittest.h"
48 #include "util-unittest-helper.h"
49 #include "util-fmemopen.h"
50 #include "util-validate.h"
51 
52 #include "reputation.h"
53 #include "host.h"
54 
55 static int DetectIPRepMatch (DetectEngineThreadCtx *, Packet *,
56  const Signature *, const SigMatchCtx *);
57 static int DetectIPRepSetup (DetectEngineCtx *, Signature *, const char *);
58 void DetectIPRepFree (DetectEngineCtx *, void *);
59 #ifdef UNITTESTS
60 static void IPRepRegisterTests(void);
61 #endif
62 
64 {
65  sigmatch_table[DETECT_IPREP].name = "iprep";
66  sigmatch_table[DETECT_IPREP].desc = "match on the IP reputation information for a host";
67  sigmatch_table[DETECT_IPREP].url = "/rules/ip-reputation-rules.html#iprep";
68  sigmatch_table[DETECT_IPREP].Match = DetectIPRepMatch;
69  sigmatch_table[DETECT_IPREP].Setup = DetectIPRepSetup;
71 #ifdef UNITTESTS
72  sigmatch_table[DETECT_IPREP].RegisterTests = IPRepRegisterTests;
73 #endif
74  /* this is compatible to ip-only signatures */
76 }
77 
78 static inline uint8_t GetRep(const SReputation *r, const uint8_t cat, const uint32_t version)
79 {
80  /* allow higher versions as this happens during
81  * rule reload */
82  if (r != NULL && r->version >= version) {
83  return r->rep[cat];
84  }
85  return 0;
86 }
87 
88 static uint8_t GetHostRepSrc(Packet *p, uint8_t cat, uint32_t version)
89 {
90  if (p->flags & PKT_HOST_SRC_LOOKED_UP && p->host_src == NULL) {
91  return 0;
92  } else if (p->host_src != NULL) {
93  Host *h = (Host *)p->host_src;
94  HostLock(h);
95  /* use_cnt: 1 for having iprep, 1 for packet ref */
96  DEBUG_VALIDATE_BUG_ON(h->iprep != NULL && SC_ATOMIC_GET(h->use_cnt) < 2);
97  uint8_t val = GetRep(h->iprep, cat, version);
98  HostUnlock(h);
99  return val;
100  } else {
101  Host *h = HostLookupHostFromHash(&(p->src));
103  if (h == NULL)
104  return 0;
105  HostReference(&p->host_src, h);
106  /* use_cnt: 1 for having iprep, 1 for HostLookupHostFromHash,
107  * 1 for HostReference to packet */
108  DEBUG_VALIDATE_BUG_ON(h->iprep != NULL && SC_ATOMIC_GET(h->use_cnt) < 3);
109  uint8_t val = GetRep(h->iprep, cat, version);
110  HostRelease(h); /* use_cnt >= 2: 1 for iprep, 1 for packet ref */
111  return val;
112  }
113 }
114 
115 static uint8_t GetHostRepDst(Packet *p, uint8_t cat, uint32_t version)
116 {
117  if (p->flags & PKT_HOST_DST_LOOKED_UP && p->host_dst == NULL) {
118  return 0;
119  } else if (p->host_dst != NULL) {
120  Host *h = (Host *)p->host_dst;
121  HostLock(h);
122  /* use_cnt: 1 for having iprep, 1 for packet ref */
123  DEBUG_VALIDATE_BUG_ON(h->iprep != NULL && SC_ATOMIC_GET(h->use_cnt) < 2);
124  uint8_t val = GetRep(h->iprep, cat, version);
125  HostUnlock(h);
126  return val;
127  } else {
128  Host *h = HostLookupHostFromHash(&(p->dst));
130  if (h == NULL)
131  return 0;
132  HostReference(&p->host_dst, h);
133  /* use_cnt: 1 for having iprep, 1 for HostLookupHostFromHash,
134  * 1 for HostReference to packet */
135  DEBUG_VALIDATE_BUG_ON(h->iprep != NULL && SC_ATOMIC_GET(h->use_cnt) < 3);
136  uint8_t val = GetRep(h->iprep, cat, version);
137  HostRelease(h); /* use_cnt >= 2: 1 for iprep, 1 for packet ref */
138  return val;
139  }
140 }
141 
142 /*
143  * returns 0: no match
144  * 1: match
145  * -1: error
146  */
147 static int DetectIPRepMatch (DetectEngineThreadCtx *det_ctx, Packet *p,
148  const Signature *s, const SigMatchCtx *ctx)
149 {
150  const DetectIPRepData *rd = (const DetectIPRepData *)ctx;
151  if (rd == NULL)
152  return 0;
153 
154  uint32_t version = det_ctx->de_ctx->srep_version;
155  uint8_t val = 0;
156 
157  SCLogDebug("rd->cmd %u", rd->cmd);
158  switch(rd->cmd) {
159  case IPRepCmdAny:
160  val = GetHostRepSrc(p, rd->cat, version);
161  if (val == 0)
162  val = SRepCIDRGetIPRepSrc(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
163  if (val > 0) {
164  if (DetectU8Match(val, &rd->du8))
165  return 1;
166  }
167  val = GetHostRepDst(p, rd->cat, version);
168  if (val == 0)
169  val = SRepCIDRGetIPRepDst(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
170  if (val > 0) {
171  return DetectU8Match(val, &rd->du8);
172  }
173  break;
174 
175  case IPRepCmdSrc:
176  val = GetHostRepSrc(p, rd->cat, version);
177  SCLogDebug("checking src -- val %u (looking for cat %u, val %u)", val, rd->cat,
178  rd->du8.arg1);
179  if (val == 0)
180  val = SRepCIDRGetIPRepSrc(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
181  if (val > 0) {
182  return DetectU8Match(val, &rd->du8);
183  }
184  break;
185 
186  case IPRepCmdDst:
187  SCLogDebug("checking dst");
188  val = GetHostRepDst(p, rd->cat, version);
189  if (val == 0)
190  val = SRepCIDRGetIPRepDst(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
191  if (val > 0) {
192  return DetectU8Match(val, &rd->du8);
193  }
194  break;
195 
196  case IPRepCmdBoth:
197  val = GetHostRepSrc(p, rd->cat, version);
198  if (val == 0)
199  val = SRepCIDRGetIPRepSrc(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
200  if (val == 0 || DetectU8Match(val, &rd->du8) == 0)
201  return 0;
202  val = GetHostRepDst(p, rd->cat, version);
203  if (val == 0)
204  val = SRepCIDRGetIPRepDst(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
205  if (val > 0) {
206  return DetectU8Match(val, &rd->du8);
207  }
208  break;
209  }
210 
211  return 0;
212 }
213 
214 int DetectIPRepSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
215 {
216 
217  DetectIPRepData *cd = rs_detect_iprep_parse(rawstr);
218  if (cd == NULL) {
219  SCLogError("\"%s\" is not a valid setting for iprep", rawstr);
220  goto error;
221  }
222 
223  SCLogDebug("cmd %u, cat %u, op %u, val %u", cd->cmd, cd->cat, cd->du8.mode, cd->du8.arg1);
224 
225  /* Okay so far so good, lets get this into a SigMatch
226  * and put it in the Signature. */
227 
229  NULL) {
230  goto error;
231  }
232 
233  return 0;
234 
235 error:
236  if (cd != NULL)
237  DetectIPRepFree(de_ctx, cd);
238  return -1;
239 }
240 
242 {
243  DetectIPRepData *fd = (DetectIPRepData *)ptr;
244 
245  if (fd == NULL)
246  return;
247 
248  rs_detect_iprep_free(fd);
249 }
250 
251 #ifdef UNITTESTS
252 #include "packet.h"
253 #include "action-globals.h"
254 
255 static FILE *DetectIPRepGenerateCategoriesDummy(void)
256 {
257  FILE *fd = NULL;
258  const char *buffer = "1,BadHosts,Know bad hosts";
259 
260  fd = SCFmemopen((void *)buffer, strlen(buffer), "r");
261  if (fd == NULL)
262  SCLogDebug("Error with SCFmemopen()");
263 
264  return fd;
265 }
266 
267 static FILE *DetectIPRepGenerateCategoriesDummy2(void)
268 {
269  FILE *fd = NULL;
270  const char *buffer =
271  "1,BadHosts,Know bad hosts\n"
272  "2,GoodHosts,Know good hosts\n";
273 
274  fd = SCFmemopen((void *)buffer, strlen(buffer), "r");
275  if (fd == NULL)
276  SCLogDebug("Error with SCFmemopen()");
277 
278  return fd;
279 }
280 
281 static FILE *DetectIPRepGenerateNetworksDummy(void)
282 {
283  FILE *fd = NULL;
284  const char *buffer = "10.0.0.0/24,1,20";
285 
286  fd = SCFmemopen((void *)buffer, strlen(buffer), "r");
287  if (fd == NULL)
288  SCLogDebug("Error with SCFmemopen()");
289 
290  return fd;
291 }
292 
293 static FILE *DetectIPRepGenerateNetworksDummy2(void)
294 {
295  FILE *fd = NULL;
296  const char *buffer =
297  "0.0.0.0/0,1,10\n"
298  "192.168.0.0/16,2,127";
299 
300  fd = SCFmemopen((void *)buffer, strlen(buffer), "r");
301  if (fd == NULL)
302  SCLogDebug("Error with SCFmemopen()");
303 
304  return fd;
305 }
306 
307 static int DetectIPRepTest01(void)
308 {
309  ThreadVars th_v;
310  DetectEngineThreadCtx *det_ctx = NULL;
311  Signature *sig = NULL;
312  FILE *fd = NULL;
313  int r = 0;
314  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
316 
318  memset(&th_v, 0, sizeof(th_v));
319 
321  FAIL_IF_NULL(p);
322 
323  p->src.addr_data32[0] = UTHSetIPv4Address("10.0.0.1");
324  de_ctx->flags |= DE_QUIET;
325 
326  SRepInit(de_ctx);
328 
329  fd = DetectIPRepGenerateCategoriesDummy();
330  r = SRepLoadCatFileFromFD(fd);
331  FAIL_IF(r < 0);
332 
333  fd = DetectIPRepGenerateNetworksDummy();
335  FAIL_IF(r < 0);
336 
337  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value "
338  "badhost\"; iprep:any,BadHosts,>,1; sid:1;rev:1;)");
339  FAIL_IF_NULL(sig);
340 
342  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
343 
344  p->alerts.cnt = 0;
345  p->action = 0;
346  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
347 
348  FAIL_IF(p->alerts.cnt != 1);
349  FAIL_IF(PacketTestAction(p, ACTION_DROP));
350 
351  UTHFreePacket(p);
352 
353  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
355 
356  HostShutdown();
357  PASS;
358 }
359 
360 static int DetectIPRepTest02(void)
361 {
362  ThreadVars th_v;
363  DetectEngineThreadCtx *det_ctx = NULL;
364  Signature *sig = NULL;
365  FILE *fd = NULL;
366  int r = 0;
367  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
369 
371  memset(&th_v, 0, sizeof(th_v));
372 
374  FAIL_IF_NULL(p);
375 
376  p->src.addr_data32[0] = UTHSetIPv4Address("10.0.0.1");
377  de_ctx->flags |= DE_QUIET;
378 
379  SRepInit(de_ctx);
381 
382  fd = DetectIPRepGenerateCategoriesDummy();
383  r = SRepLoadCatFileFromFD(fd);
384  FAIL_IF(r < 0);
385 
386  fd = DetectIPRepGenerateNetworksDummy();
388  FAIL_IF(r < 0);
389 
390  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value "
391  "badhost\"; iprep:src,BadHosts,>,1; sid:1; rev:1;)");
392  FAIL_IF_NULL(sig);
393 
395  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
396 
397  p->alerts.cnt = 0;
398  p->action = 0;
399  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
400  FAIL_IF(p->alerts.cnt != 1);
401  FAIL_IF(PacketTestAction(p, ACTION_DROP));
402 
403  UTHFreePacket(p);
404 
405  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
407 
408  HostShutdown();
409  PASS;
410 }
411 
412 static int DetectIPRepTest03(void)
413 {
414  ThreadVars th_v;
415  DetectEngineThreadCtx *det_ctx = NULL;
416  Signature *sig = NULL;
417  FILE *fd = NULL;
418  int r = 0;
419  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
421 
423  memset(&th_v, 0, sizeof(th_v));
424 
426  FAIL_IF_NULL(p);
427 
428  p->dst.addr_data32[0] = UTHSetIPv4Address("10.0.0.2");
429  de_ctx->flags |= DE_QUIET;
430 
431  SRepInit(de_ctx);
433 
434  fd = DetectIPRepGenerateCategoriesDummy();
435  r = SRepLoadCatFileFromFD(fd);
436  FAIL_IF(r < 0);
437 
438  fd = DetectIPRepGenerateNetworksDummy();
440  FAIL_IF(r < 0);
441 
442  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value "
443  "badhost\"; iprep:dst,BadHosts,>,1; sid:1; rev:1;)");
444  FAIL_IF_NULL(sig);
445 
447  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
448 
449  p->alerts.cnt = 0;
450  p->action = 0;
451  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
452  FAIL_IF(p->alerts.cnt != 1);
453  FAIL_IF(PacketTestAction(p, ACTION_DROP));
454 
455  UTHFreePacket(p);
456 
457  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
459 
460  HostShutdown();
461  PASS;
462 }
463 
464 static int DetectIPRepTest04(void)
465 {
466  ThreadVars th_v;
467  DetectEngineThreadCtx *det_ctx = NULL;
468  Signature *sig = NULL;
469  FILE *fd = NULL;
470  int r = 0;
471  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
473 
475  memset(&th_v, 0, sizeof(th_v));
476 
478  FAIL_IF_NULL(p);
479 
480  p->src.addr_data32[0] = UTHSetIPv4Address("10.0.0.1");
481  p->dst.addr_data32[0] = UTHSetIPv4Address("10.0.0.2");
482  de_ctx->flags |= DE_QUIET;
483 
484  SRepInit(de_ctx);
486 
487  fd = DetectIPRepGenerateCategoriesDummy();
488  r = SRepLoadCatFileFromFD(fd);
489  FAIL_IF(r < 0);
490 
491  fd = DetectIPRepGenerateNetworksDummy();
493  FAIL_IF(r < 0);
494 
495  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value "
496  "badhost\"; iprep:both,BadHosts,>,1; sid:1; rev:1;)");
497  FAIL_IF_NULL(sig);
498 
500  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
501 
502  p->alerts.cnt = 0;
503  p->action = 0;
504  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
505  FAIL_IF(p->alerts.cnt != 1);
506  FAIL_IF(PacketTestAction(p, ACTION_DROP));
507 
508  UTHFreePacket(p);
509 
510  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
512 
513  HostShutdown();
514  PASS;
515 }
516 
517 static int DetectIPRepTest05(void)
518 {
519  ThreadVars th_v;
520  DetectEngineThreadCtx *det_ctx = NULL;
521  Signature *sig = NULL;
522  FILE *fd = NULL;
523  int r = 0;
524  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
526 
528  memset(&th_v, 0, sizeof(th_v));
529 
531  FAIL_IF_NULL(p);
532 
533  p->src.addr_data32[0] = UTHSetIPv4Address("1.0.0.1");
534  de_ctx->flags |= DE_QUIET;
535 
536  SRepInit(de_ctx);
538 
539  fd = DetectIPRepGenerateCategoriesDummy();
540  r = SRepLoadCatFileFromFD(fd);
541  FAIL_IF(r < 0);
542 
543  fd = DetectIPRepGenerateNetworksDummy();
545  FAIL_IF(r < 0);
546 
547  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value "
548  "badhost\"; iprep:any,BadHosts,>,1; sid:1; rev:1;)");
549  FAIL_IF_NULL(sig);
550 
552  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
553 
554  p->alerts.cnt = 0;
555  p->action = 0;
556  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
557  FAIL_IF(p->alerts.cnt != 0);
558  FAIL_IF(PacketTestAction(p, ACTION_DROP));
559 
560  UTHFreePacket(p);
561 
562  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
564 
565  HostShutdown();
566  PASS;
567 }
568 
569 static int DetectIPRepTest06(void)
570 {
571  ThreadVars th_v;
572  DetectEngineThreadCtx *det_ctx = NULL;
573  Signature *sig = NULL;
574  FILE *fd = NULL;
575  int r = 0;
576  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
578 
580  memset(&th_v, 0, sizeof(th_v));
581 
583  FAIL_IF_NULL(p);
584 
585  p->src.addr_data32[0] = UTHSetIPv4Address("1.0.0.1");
586  de_ctx->flags |= DE_QUIET;
587 
588  SRepInit(de_ctx);
590 
591  fd = DetectIPRepGenerateCategoriesDummy();
592  r = SRepLoadCatFileFromFD(fd);
593  FAIL_IF(r < 0);
594 
595  fd = DetectIPRepGenerateNetworksDummy2();
597  FAIL_IF(r < 0);
598 
599  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value "
600  "badhost\"; iprep:any,BadHosts,>,1; sid:1; rev:1;)");
601  FAIL_IF_NULL(sig);
602 
604  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
605 
606  p->alerts.cnt = 0;
607  p->action = 0;
608  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
609  FAIL_IF(p->alerts.cnt != 1);
610  FAIL_IF(PacketTestAction(p, ACTION_DROP));
611 
612  UTHFreePacket(p);
613 
614  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
616 
617  HostShutdown();
618  PASS;
619 }
620 
621 static int DetectIPRepTest07(void)
622 {
623  ThreadVars th_v;
624  DetectEngineThreadCtx *det_ctx = NULL;
625  Signature *sig = NULL;
626  FILE *fd = NULL;
627  int r = 0;
628  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
630 
632  memset(&th_v, 0, sizeof(th_v));
633 
635  FAIL_IF_NULL(p);
636 
637  p->dst.addr_data32[0] = UTHSetIPv4Address("1.0.0.2");
638  de_ctx->flags |= DE_QUIET;
639 
640  SRepInit(de_ctx);
642 
643  fd = DetectIPRepGenerateCategoriesDummy();
644  r = SRepLoadCatFileFromFD(fd);
645  FAIL_IF(r < 0);
646 
647  fd = DetectIPRepGenerateNetworksDummy2();
649  FAIL_IF(r < 0);
650 
651  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value "
652  "badhost\"; iprep:any,BadHosts,>,1; sid:1; rev:1;)");
653  FAIL_IF_NULL(sig);
654 
656  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
657 
658  p->alerts.cnt = 0;
659  p->action = 0;
660  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
661  FAIL_IF(p->alerts.cnt != 1);
662  FAIL_IF(PacketTestAction(p, ACTION_DROP));
663 
664  UTHFreePacket(p);
665 
666  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
668 
669  HostShutdown();
670  PASS;
671 }
672 
673 static int DetectIPRepTest08(void)
674 {
675  ThreadVars th_v;
676  DetectEngineThreadCtx *det_ctx = NULL;
677  Signature *sig = NULL;
678  FILE *fd = NULL;
679  int r = 0;
680  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
682 
684  memset(&th_v, 0, sizeof(th_v));
685 
687  FAIL_IF_NULL(p);
688 
689  p->src.addr_data32[0] = UTHSetIPv4Address("1.0.0.1");
690  p->dst.addr_data32[0] = UTHSetIPv4Address("1.0.0.2");
691  de_ctx->flags |= DE_QUIET;
692 
693  SRepInit(de_ctx);
695 
696  fd = DetectIPRepGenerateCategoriesDummy();
697  r = SRepLoadCatFileFromFD(fd);
698  FAIL_IF(r < 0);
699 
700  fd = DetectIPRepGenerateNetworksDummy();
702  FAIL_IF(r < 0);
703 
704  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value "
705  "badhost\"; iprep:any,BadHosts,>,1; sid:1; rev:1;)");
706  FAIL_IF_NULL(sig);
707 
709  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
710 
711  p->alerts.cnt = 0;
712  p->action = 0;
713  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
714  FAIL_IF(p->alerts.cnt != 0);
715  FAIL_IF(PacketTestAction(p, ACTION_DROP));
716 
717  UTHFreePacket(p);
718 
719  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
721 
722  HostShutdown();
723  PASS;
724 }
725 
726 static int DetectIPRepTest09(void)
727 {
728  ThreadVars th_v;
729  DetectEngineThreadCtx *det_ctx = NULL;
730  Signature *sig = NULL;
731  FILE *fd = NULL;
732  int r = 0;
733  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
735 
737  memset(&th_v, 0, sizeof(th_v));
738 
740  FAIL_IF_NULL(p);
741 
742  p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1");
743  p->dst.addr_data32[0] = UTHSetIPv4Address("192.168.0.2");
744  de_ctx->flags |= DE_QUIET;
745 
746  SRepInit(de_ctx);
748 
749  fd = DetectIPRepGenerateCategoriesDummy2();
750  r = SRepLoadCatFileFromFD(fd);
751  FAIL_IF(r < 0);
752 
753  fd = DetectIPRepGenerateNetworksDummy2();
755  FAIL_IF(r < 0);
756 
758  "alert tcp any any -> any any (msg:\"test\"; iprep:src,BadHosts,>,9; sid:1; rev:1;)");
759  FAIL_IF_NULL(sig);
760 
762  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
763 
764  p->alerts.cnt = 0;
765  p->action = 0;
766  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
767  FAIL_IF(p->alerts.cnt != 1);
768  FAIL_IF(PacketTestAction(p, ACTION_DROP));
769 
770  UTHFreePacket(p);
771 
772  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
774 
775  HostShutdown();
776  PASS;
777 }
778 
779 /**
780  * \brief this function registers unit tests for IPRep
781  */
782 void IPRepRegisterTests(void)
783 {
784  UtRegisterTest("DetectIPRepTest01", DetectIPRepTest01);
785  UtRegisterTest("DetectIPRepTest02", DetectIPRepTest02);
786  UtRegisterTest("DetectIPRepTest03", DetectIPRepTest03);
787  UtRegisterTest("DetectIPRepTest04", DetectIPRepTest04);
788  UtRegisterTest("DetectIPRepTest05", DetectIPRepTest05);
789  UtRegisterTest("DetectIPRepTest06", DetectIPRepTest06);
790  UtRegisterTest("DetectIPRepTest07", DetectIPRepTest07);
791  UtRegisterTest("DetectIPRepTest08", DetectIPRepTest08);
792  UtRegisterTest("DetectIPRepTest09", DetectIPRepTest09);
793 }
794 #endif /* UNITTESTS */
util-byte.h
detect-engine-uint.h
host.h
SigTableElmt_::url
const char * url
Definition: detect.h:1296
HostUnlock
void HostUnlock(Host *h)
Definition: host.c:478
SReputation_
Definition: reputation.h:40
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
PKT_HOST_DST_LOOKED_UP
#define PKT_HOST_DST_LOOKED_UP
Definition: decode.h:1043
SigTableElmt_::desc
const char * desc
Definition: detect.h:1295
util-fmemopen.h
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1283
SReputation_::rep
uint8_t rep[SREP_MAX_CATS]
Definition: reputation.h:42
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1293
Packet_::host_src
struct Host_ * host_src
Definition: decode.h:603
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
PacketAlerts_::cnt
uint16_t cnt
Definition: decode.h:290
action-globals.h
Packet_::flags
uint32_t flags
Definition: decode.h:474
Packet_::action
uint8_t action
Definition: decode.h:590
threads.h
HostRelease
void HostRelease(Host *h)
Definition: host.c:467
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1287
UTHSetIPv4Address
uint32_t UTHSetIPv4Address(const char *str)
return the uint32_t for a ipv4 address string
Definition: util-unittest-helper.c:134
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:836
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2533
flow-bit.h
DetectEngineCtx_::srep_version
uint32_t srep_version
Definition: detect.h:848
DE_QUIET
#define DE_QUIET
Definition: detect.h:321
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:340
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1884
SCFmemopen
#define SCFmemopen
Definition: util-fmemopen.h:52
Packet_::host_dst
struct Host_ * host_dst
Definition: decode.h:604
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2620
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1278
Packet_::alerts
PacketAlerts alerts
Definition: decode.h:601
util-unittest.h
util-unittest-helper.h
decode.h
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
detect-iprep.h
DetectEngineThreadCtx_
Definition: detect.h:1092
DetectEngineCtx_::srepCIDR_ctx
SRepCIDRTree * srepCIDR_ctx
Definition: detect.h:851
SRepLoadCatFileFromFD
int SRepLoadCatFileFromFD(FILE *fp)
Definition: reputation.c:371
PKT_HOST_SRC_LOOKED_UP
#define PKT_HOST_SRC_LOOKED_UP
Definition: decode.h:1042
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:111
app-layer-parser.h
HostLock
void HostLock(Host *h)
Definition: host.c:473
Packet_
Definition: decode.h:437
detect-engine-build.h
HostReference
#define HostReference(dst_h_ptr, h)
Definition: host.h:117
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1261
reputation.h
SRepLoadFileFromFD
int SRepLoadFileFromFD(SRepCIDRTree *cidr_ctx, FILE *fp)
Definition: reputation.c:438
DetectIPRepFree
void DetectIPRepFree(DetectEngineCtx *, void *)
Definition: detect-iprep.c:241
SRepCIDRGetIPRepDst
uint8_t SRepCIDRGetIPRepDst(SRepCIDRTree *cidr_ctx, Packet *p, uint8_t cat, uint32_t version)
Definition: reputation.c:160
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2149
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:342
Host_::iprep
void * iprep
Definition: host.h:69
DetectU8Match
int DetectU8Match(const uint8_t parg, const DetectUintData_u8 *du8)
Definition: detect-engine-uint.c:71
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3244
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3454
packet.h
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:127
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
util-spm.h
HOST_QUIET
#define HOST_QUIET
Definition: host.h:93
version
uint8_t version
Definition: decode-gre.h:1
HostShutdown
void HostShutdown(void)
shutdown the flow engine
Definition: host.c:299
SReputation_::version
uint32_t version
Definition: reputation.h:41
util-validate.h
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SRepInit
int SRepInit(DetectEngineCtx *de_ctx)
init reputation
Definition: reputation.c:581
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:448
detect-parse.h
Signature_
Signature container.
Definition: detect.h:593
SRepResetVersion
void SRepResetVersion(void)
Definition: reputation.c:62
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2494
HostLookupHostFromHash
Host * HostLookupHostFromHash(Address *a)
look up a host in the hash
Definition: host.c:591
DetectEngineThreadCtx_::de_ctx
DetectEngineCtx * de_ctx
Definition: detect.h:1216
Packet_::dst
Address dst
Definition: decode.h:442
HostInitConfig
void HostInitConfig(bool quiet)
initialize the configuration
Definition: host.c:168
SigMatchAppendSMToList
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:447
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:838
SC_ATOMIC_GET
#define SC_ATOMIC_GET(name)
Get the value from the atomic variable.
Definition: util-atomic.h:375
flow.h
DetectIPRepRegister
void DetectIPRepRegister(void)
Definition: detect-iprep.c:63
Host_
Definition: host.h:58
SIGMATCH_IPONLY_COMPAT
#define SIGMATCH_IPONLY_COMPAT
Definition: detect.h:1475
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:103
SRepCIDRGetIPRepSrc
uint8_t SRepCIDRGetIPRepSrc(SRepCIDRTree *cidr_ctx, Packet *p, uint8_t cat, uint32_t version)
Definition: reputation.c:148
Packet_::src
Address src
Definition: decode.h:441
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1285
DETECT_IPREP
@ DETECT_IPREP
Definition: detect-engine-register.h:229