suricata
detect-iprep.c
Go to the documentation of this file.
1 /* Copyright (C) 2012-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Implements the iprep keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 #include "detect.h"
29 #include "threads.h"
30 #include "flow.h"
31 #include "flow-bit.h"
32 #include "flow-util.h"
33 #include "detect-iprep.h"
34 #include "util-spm.h"
35 
36 #include "app-layer-parser.h"
37 
38 #include "detect-parse.h"
39 #include "detect-engine.h"
40 #include "detect-engine-mpm.h"
41 #include "detect-engine-state.h"
42 
43 #include "util-debug.h"
44 #include "util-byte.h"
45 #include "util-unittest.h"
46 #include "util-unittest-helper.h"
47 #include "util-fmemopen.h"
48 
49 #include "reputation.h"
50 #include "host.h"
51 
52 #define PARSE_REGEX "\\s*(any|src|dst|both)\\s*,\\s*([A-Za-z0-9\\-\\_]+)\\s*,\\s*(\\<|\\>|\\=)\\s*,\\s*([0-9]+)\\s*"
53 static DetectParseRegex parse_regex;
54 
55 static int DetectIPRepMatch (DetectEngineThreadCtx *, Packet *,
56  const Signature *, const SigMatchCtx *);
57 static int DetectIPRepSetup (DetectEngineCtx *, Signature *, const char *);
58 void DetectIPRepFree (DetectEngineCtx *, void *);
59 void IPRepRegisterTests(void);
60 
62 {
63  sigmatch_table[DETECT_IPREP].name = "iprep";
64  sigmatch_table[DETECT_IPREP].desc = "match on the IP reputation information for a host";
65  sigmatch_table[DETECT_IPREP].url = "/rules/ip-reputation-rules.html#iprep";
66  sigmatch_table[DETECT_IPREP].Match = DetectIPRepMatch;
67  sigmatch_table[DETECT_IPREP].Setup = DetectIPRepSetup;
70  /* this is compatible to ip-only signatures */
72 
73  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
74 }
75 
76 static uint8_t GetHostRepSrc(Packet *p, uint8_t cat, uint32_t version)
77 {
78  uint8_t val = 0;
79  Host *h = NULL;
80 
81  if (p->flags & PKT_HOST_SRC_LOOKED_UP && p->host_src == NULL) {
82  return 0;
83  } else if (p->host_src != NULL) {
84  h = (Host *)p->host_src;
85  HostLock(h);
86  } else {
87  h = HostLookupHostFromHash(&(p->src));
88 
90 
91  if (h == NULL)
92  return 0;
93 
94  HostReference(&p->host_src, h);
95  }
96 
97  if (h->iprep == NULL) {
98  HostRelease(h);
99  return 0;
100  }
101 
102  SReputation *r = (SReputation *)h->iprep;
103 
104  /* allow higher versions as this happens during
105  * rule reload */
106  if (r->version >= version)
107  val = r->rep[cat];
108  else
109  SCLogDebug("version mismatch %u != %u", r->version, version);
110 
111  HostRelease(h);
112  return val;
113 }
114 
115 static uint8_t GetHostRepDst(Packet *p, uint8_t cat, uint32_t version)
116 {
117  uint8_t val = 0;
118  Host *h = NULL;
119 
120  if (p->flags & PKT_HOST_DST_LOOKED_UP && p->host_dst == NULL) {
121  return 0;
122  } else if (p->host_dst != NULL) {
123  h = (Host *)p->host_dst;
124  HostLock(h);
125  } else {
126  h = HostLookupHostFromHash(&(p->dst));
127 
129 
130  if (h == NULL) {
131  return 0;
132  }
133 
134  HostReference(&p->host_dst, h);
135  }
136 
137  if (h->iprep == NULL) {
138  HostRelease(h);
139  return 0;
140  }
141 
142  SReputation *r = (SReputation *)h->iprep;
143 
144  /* allow higher versions as this happens during
145  * rule reload */
146  if (r->version >= version)
147  val = r->rep[cat];
148  else
149  SCLogDebug("version mismatch %u != %u", r->version, version);
150 
151  HostRelease(h);
152  return val;
153 }
154 
155 static inline int RepMatch(uint8_t op, uint8_t val1, uint8_t val2)
156 {
157  if (op == DETECT_IPREP_OP_GT && val1 > val2) {
158  return 1;
159  } else if (op == DETECT_IPREP_OP_LT && val1 < val2) {
160  return 1;
161  } else if (op == DETECT_IPREP_OP_EQ && val1 == val2) {
162  return 1;
163  }
164  return 0;
165 }
166 
167 /*
168  * returns 0: no match
169  * 1: match
170  * -1: error
171  */
172 static int DetectIPRepMatch (DetectEngineThreadCtx *det_ctx, Packet *p,
173  const Signature *s, const SigMatchCtx *ctx)
174 {
175  const DetectIPRepData *rd = (const DetectIPRepData *)ctx;
176  if (rd == NULL)
177  return 0;
178 
179  uint32_t version = det_ctx->de_ctx->srep_version;
180  uint8_t val = 0;
181 
182  SCLogDebug("rd->cmd %u", rd->cmd);
183  switch(rd->cmd) {
185  val = GetHostRepSrc(p, rd->cat, version);
186  if (val == 0)
187  val = SRepCIDRGetIPRepSrc(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
188  if (val > 0) {
189  if (RepMatch(rd->op, val, rd->val) == 1)
190  return 1;
191  }
192  val = GetHostRepDst(p, rd->cat, version);
193  if (val == 0)
194  val = SRepCIDRGetIPRepDst(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
195  if (val > 0) {
196  return RepMatch(rd->op, val, rd->val);
197  }
198  break;
199 
201  val = GetHostRepSrc(p, rd->cat, version);
202  SCLogDebug("checking src -- val %u (looking for cat %u, val %u)", val, rd->cat, rd->val);
203  if (val == 0)
204  val = SRepCIDRGetIPRepSrc(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
205  if (val > 0) {
206  return RepMatch(rd->op, val, rd->val);
207  }
208  break;
209 
211  SCLogDebug("checking dst");
212  val = GetHostRepDst(p, rd->cat, version);
213  if (val == 0)
214  val = SRepCIDRGetIPRepDst(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
215  if (val > 0) {
216  return RepMatch(rd->op, val, rd->val);
217  }
218  break;
219 
221  val = GetHostRepSrc(p, rd->cat, version);
222  if (val == 0)
223  val = SRepCIDRGetIPRepSrc(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
224  if (val == 0 || RepMatch(rd->op, val, rd->val) == 0)
225  return 0;
226  val = GetHostRepDst(p, rd->cat, version);
227  if (val == 0)
228  val = SRepCIDRGetIPRepDst(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
229  if (val > 0) {
230  return RepMatch(rd->op, val, rd->val);
231  }
232  break;
233  }
234 
235  return 0;
236 }
237 
238 int DetectIPRepSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
239 {
240  DetectIPRepData *cd = NULL;
241  SigMatch *sm = NULL;
242  char *cmd_str = NULL, *name = NULL, *op_str = NULL, *value = NULL;
243  uint8_t cmd = 0;
244  int ret = 0, res = 0;
245  int ov[MAX_SUBSTRINGS];
246 
247  ret = DetectParsePcreExec(&parse_regex, rawstr, 0, 0, ov, MAX_SUBSTRINGS);
248  if (ret != 5) {
249  SCLogError(SC_ERR_PCRE_MATCH, "\"%s\" is not a valid setting for iprep", rawstr);
250  return -1;
251  }
252 
253  const char *str_ptr;
254  res = pcre_get_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 1, &str_ptr);
255  if (res < 0) {
256  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
257  return -1;
258  }
259  cmd_str = (char *)str_ptr;
260 
261  res = pcre_get_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 2, &str_ptr);
262  if (res < 0) {
263  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
264  goto error;
265  }
266  name = (char *)str_ptr;
267 
268  res = pcre_get_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 3, &str_ptr);
269  if (res < 0) {
270  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
271  goto error;
272  }
273  op_str = (char *)str_ptr;
274 
275  res = pcre_get_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 4, &str_ptr);
276  if (res < 0) {
277  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
278  goto error;
279  }
280  value = (char *)str_ptr;
281 
282  if (strcmp(cmd_str,"any") == 0) {
283  cmd = DETECT_IPREP_CMD_ANY;
284  } else if (strcmp(cmd_str,"both") == 0) {
285  cmd = DETECT_IPREP_CMD_BOTH;
286  } else if (strcmp(cmd_str,"src") == 0) {
287  cmd = DETECT_IPREP_CMD_SRC;
288  } else if (strcmp(cmd_str,"dst") == 0) {
289  cmd = DETECT_IPREP_CMD_DST;
290  } else {
291  SCLogError(SC_ERR_UNKNOWN_VALUE, "ERROR: iprep \"%s\" is not supported.", cmd_str);
292  goto error;
293  }
294 
295  //SCLogInfo("category %s", name);
296  uint8_t cat = SRepCatGetByShortname(name);
297  if (cat == 0) {
298  SCLogError(SC_ERR_UNKNOWN_VALUE, "unknown iprep category \"%s\"", name);
299  goto error;
300  }
301 
302  uint8_t op = 0;
303  uint8_t val = 0;
304 
305  if (op_str == NULL || strlen(op_str) != 1) {
306  goto error;
307  }
308 
309  switch(op_str[0]) {
310  case '<':
311  op = DETECT_IPREP_OP_LT;
312  break;
313  case '>':
314  op = DETECT_IPREP_OP_GT;
315  break;
316  case '=':
317  op = DETECT_IPREP_OP_EQ;
318  break;
319  default:
320  goto error;
321  break;
322  }
323 
324  if (value != NULL && strlen(value) > 0) {
325  if (StringParseU8RangeCheck(&val, 10, 0, (const char *)value, 0, 127) < 0)
326  goto error;
327  }
328 
329  cd = SCMalloc(sizeof(DetectIPRepData));
330  if (unlikely(cd == NULL))
331  goto error;
332 
333  cd->cmd = cmd;
334  cd->cat = cat;
335  cd->op = op;
336  cd->val = val;
337  SCLogDebug("cmd %u, cat %u, op %u, val %u", cd->cmd, cd->cat, cd->op, cd->val);
338 
339  pcre_free_substring(name);
340  name = NULL;
341  pcre_free_substring(cmd_str);
342  cmd_str = NULL;
343  pcre_free_substring(op_str);
344  op_str = NULL;
345  pcre_free_substring(value);
346  value = NULL;
347 
348  /* Okay so far so good, lets get this into a SigMatch
349  * and put it in the Signature. */
350  sm = SigMatchAlloc();
351  if (sm == NULL)
352  goto error;
353 
354  sm->type = DETECT_IPREP;
355  sm->ctx = (SigMatchCtx *)cd;
356 
358 
359  return 0;
360 
361 error:
362  if (name != NULL)
363  pcre_free_substring(name);
364  if (cmd_str != NULL)
365  pcre_free_substring(cmd_str);
366  if (op_str != NULL)
367  pcre_free_substring(op_str);
368  if (value != NULL)
369  pcre_free_substring(value);
370  if (cd != NULL)
371  SCFree(cd);
372  if (sm != NULL)
373  SCFree(sm);
374  return -1;
375 }
376 
378 {
379  DetectIPRepData *fd = (DetectIPRepData *)ptr;
380 
381  if (fd == NULL)
382  return;
383 
384  SCFree(fd);
385 }
386 
387 #ifdef UNITTESTS
388 static FILE *DetectIPRepGenerateCategoriesDummy(void)
389 {
390  FILE *fd = NULL;
391  const char *buffer = "1,BadHosts,Know bad hosts";
392 
393  fd = SCFmemopen((void *)buffer, strlen(buffer), "r");
394  if (fd == NULL)
395  SCLogDebug("Error with SCFmemopen()");
396 
397  return fd;
398 }
399 
400 static FILE *DetectIPRepGenerateCategoriesDummy2(void)
401 {
402  FILE *fd = NULL;
403  const char *buffer =
404  "1,BadHosts,Know bad hosts\n"
405  "2,GoodHosts,Know good hosts\n";
406 
407  fd = SCFmemopen((void *)buffer, strlen(buffer), "r");
408  if (fd == NULL)
409  SCLogDebug("Error with SCFmemopen()");
410 
411  return fd;
412 }
413 
414 static FILE *DetectIPRepGenerateNetworksDummy(void)
415 {
416  FILE *fd = NULL;
417  const char *buffer = "10.0.0.0/24,1,20";
418 
419  fd = SCFmemopen((void *)buffer, strlen(buffer), "r");
420  if (fd == NULL)
421  SCLogDebug("Error with SCFmemopen()");
422 
423  return fd;
424 }
425 
426 static FILE *DetectIPRepGenerateNetworksDummy2(void)
427 {
428  FILE *fd = NULL;
429  const char *buffer =
430  "0.0.0.0/0,1,10\n"
431  "192.168.0.0/16,2,127";
432 
433  fd = SCFmemopen((void *)buffer, strlen(buffer), "r");
434  if (fd == NULL)
435  SCLogDebug("Error with SCFmemopen()");
436 
437  return fd;
438 }
439 
440 static int DetectIPRepTest01(void)
441 {
442  ThreadVars th_v;
443  DetectEngineThreadCtx *det_ctx = NULL;
444  Signature *sig = NULL;
445  FILE *fd = NULL;
446  int result = 0, r = 0;
447  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
449 
451  memset(&th_v, 0, sizeof(th_v));
452 
453  if (de_ctx == NULL || p == NULL)
454  goto end;
455 
456  p->src.addr_data32[0] = UTHSetIPv4Address("10.0.0.1");
457  de_ctx->flags |= DE_QUIET;
458 
459  SRepInit(de_ctx);
461 
462  fd = DetectIPRepGenerateCategoriesDummy();
463  r = SRepLoadCatFileFromFD(fd);
464  if (r < 0) {
465  goto end;
466  }
467 
468  fd = DetectIPRepGenerateNetworksDummy();
470  if (r < 0) {
471  goto end;
472  }
473 
474  sig = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value badhost\"; iprep:any,BadHosts,>,1; sid:1;rev:1;)");
475  if (sig == NULL) {
476  goto end;
477  }
478 
480  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
481 
482  p->alerts.cnt = 0;
483  p->action = 0;
484  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
485  if (p->alerts.cnt != 1 || PACKET_TEST_ACTION(p, ACTION_DROP)) {
486  goto end;
487  }
488 
489  result = 1;
490 end:
491  UTHFreePacket(p);
494 
495  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
497 
498  HostShutdown();
499  return result;
500 }
501 
502 static int DetectIPRepTest02(void)
503 {
504  ThreadVars th_v;
505  DetectEngineThreadCtx *det_ctx = NULL;
506  Signature *sig = NULL;
507  FILE *fd = NULL;
508  int result = 0, r = 0;
509  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
511 
513  memset(&th_v, 0, sizeof(th_v));
514 
515  if (de_ctx == NULL || p == NULL)
516  goto end;
517 
518  p->src.addr_data32[0] = UTHSetIPv4Address("10.0.0.1");
519  de_ctx->flags |= DE_QUIET;
520 
521  SRepInit(de_ctx);
523 
524  fd = DetectIPRepGenerateCategoriesDummy();
525  r = SRepLoadCatFileFromFD(fd);
526  if (r < 0) {
527  goto end;
528  }
529 
530  fd = DetectIPRepGenerateNetworksDummy();
532  if (r < 0) {
533  goto end;
534  }
535 
536  sig = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value badhost\"; iprep:src,BadHosts,>,1; sid:1; rev:1;)");
537  if (sig == NULL) {
538  goto end;
539  }
540 
542  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
543 
544  p->alerts.cnt = 0;
545  p->action = 0;
546  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
547  if (p->alerts.cnt != 1 || PACKET_TEST_ACTION(p, ACTION_DROP)) {
548  goto end;
549  }
550 
551  result = 1;
552 end:
553  UTHFreePacket(p);
556 
557  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
559 
560  HostShutdown();
561  return result;
562 }
563 
564 static int DetectIPRepTest03(void)
565 {
566  ThreadVars th_v;
567  DetectEngineThreadCtx *det_ctx = NULL;
568  Signature *sig = NULL;
569  FILE *fd = NULL;
570  int result = 0, r = 0;
571  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
573 
575  memset(&th_v, 0, sizeof(th_v));
576 
577  if (de_ctx == NULL || p == NULL)
578  goto end;
579 
580  p->dst.addr_data32[0] = UTHSetIPv4Address("10.0.0.2");
581  de_ctx->flags |= DE_QUIET;
582 
583  SRepInit(de_ctx);
585 
586  fd = DetectIPRepGenerateCategoriesDummy();
587  r = SRepLoadCatFileFromFD(fd);
588  if (r < 0) {
589  goto end;
590  }
591 
592  fd = DetectIPRepGenerateNetworksDummy();
594  if (r < 0) {
595  goto end;
596  }
597 
598  sig = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value badhost\"; iprep:dst,BadHosts,>,1; sid:1; rev:1;)");
599  if (sig == NULL) {
600  goto end;
601  }
602 
604  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
605 
606  p->alerts.cnt = 0;
607  p->action = 0;
608  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
609  if (p->alerts.cnt != 1 || PACKET_TEST_ACTION(p, ACTION_DROP)) {
610  goto end;
611  }
612 
613  result = 1;
614 end:
615  UTHFreePacket(p);
618 
619  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
621 
622  HostShutdown();
623  return result;
624 }
625 
626 static int DetectIPRepTest04(void)
627 {
628  ThreadVars th_v;
629  DetectEngineThreadCtx *det_ctx = NULL;
630  Signature *sig = NULL;
631  FILE *fd = NULL;
632  int result = 0, r = 0;
633  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
635 
637  memset(&th_v, 0, sizeof(th_v));
638 
639  if (de_ctx == NULL || p == NULL)
640  goto end;
641 
642  p->src.addr_data32[0] = UTHSetIPv4Address("10.0.0.1");
643  p->dst.addr_data32[0] = UTHSetIPv4Address("10.0.0.2");
644  de_ctx->flags |= DE_QUIET;
645 
646  SRepInit(de_ctx);
648 
649  fd = DetectIPRepGenerateCategoriesDummy();
650  r = SRepLoadCatFileFromFD(fd);
651  if (r < 0) {
652  goto end;
653  }
654 
655  fd = DetectIPRepGenerateNetworksDummy();
657  if (r < 0) {
658  goto end;
659  }
660 
661  sig = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value badhost\"; iprep:both,BadHosts,>,1; sid:1; rev:1;)");
662  if (sig == NULL) {
663  goto end;
664  }
665 
667  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
668 
669  p->alerts.cnt = 0;
670  p->action = 0;
671  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
672  if (p->alerts.cnt != 1 || PACKET_TEST_ACTION(p, ACTION_DROP)) {
673  goto end;
674  }
675 
676  result = 1;
677 end:
678  UTHFreePacket(p);
681 
682  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
684 
685  HostShutdown();
686  return result;
687 }
688 
689 static int DetectIPRepTest05(void)
690 {
691  ThreadVars th_v;
692  DetectEngineThreadCtx *det_ctx = NULL;
693  Signature *sig = NULL;
694  FILE *fd = NULL;
695  int result = 0, r = 0;
696  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
698 
700  memset(&th_v, 0, sizeof(th_v));
701 
702  if (de_ctx == NULL || p == NULL)
703  goto end;
704 
705  p->src.addr_data32[0] = UTHSetIPv4Address("1.0.0.1");
706  de_ctx->flags |= DE_QUIET;
707 
708  SRepInit(de_ctx);
710 
711  fd = DetectIPRepGenerateCategoriesDummy();
712  r = SRepLoadCatFileFromFD(fd);
713  if (r < 0) {
714  goto end;
715  }
716 
717  fd = DetectIPRepGenerateNetworksDummy();
719  if (r < 0) {
720  goto end;
721  }
722 
723  sig = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value badhost\"; iprep:any,BadHosts,>,1; sid:1; rev:1;)");
724  if (sig == NULL) {
725  goto end;
726  }
727 
729  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
730 
731  p->alerts.cnt = 0;
732  p->action = 0;
733  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
734  if (p->alerts.cnt != 1 || PACKET_TEST_ACTION(p, ACTION_DROP)) {
735  goto end;
736  }
737 
738  result = 1;
739 end:
740  UTHFreePacket(p);
743 
744  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
746 
747  HostShutdown();
748  return result == 0;
749 }
750 
751 static int DetectIPRepTest06(void)
752 {
753  ThreadVars th_v;
754  DetectEngineThreadCtx *det_ctx = NULL;
755  Signature *sig = NULL;
756  FILE *fd = NULL;
757  int result = 0, r = 0;
758  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
760 
762  memset(&th_v, 0, sizeof(th_v));
763 
764  if (de_ctx == NULL || p == NULL)
765  goto end;
766 
767  p->src.addr_data32[0] = UTHSetIPv4Address("1.0.0.1");
768  de_ctx->flags |= DE_QUIET;
769 
770  SRepInit(de_ctx);
772 
773  fd = DetectIPRepGenerateCategoriesDummy();
774  r = SRepLoadCatFileFromFD(fd);
775  if (r < 0) {
776  goto end;
777  }
778 
779  fd = DetectIPRepGenerateNetworksDummy();
781  if (r < 0) {
782  goto end;
783  }
784 
785  sig = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value badhost\"; iprep:any,BadHosts,>,1; sid:1; rev:1;)");
786  if (sig == NULL) {
787  goto end;
788  }
789 
791  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
792 
793  p->alerts.cnt = 0;
794  p->action = 0;
795  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
796  if (p->alerts.cnt != 1 || PACKET_TEST_ACTION(p, ACTION_DROP)) {
797  goto end;
798  }
799 
800  result = 1;
801 end:
802  UTHFreePacket(p);
805 
806  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
808 
809  HostShutdown();
810  return result == 0;
811 }
812 
813 static int DetectIPRepTest07(void)
814 {
815  ThreadVars th_v;
816  DetectEngineThreadCtx *det_ctx = NULL;
817  Signature *sig = NULL;
818  FILE *fd = NULL;
819  int result = 0, r = 0;
820  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
822 
824  memset(&th_v, 0, sizeof(th_v));
825 
826  if (de_ctx == NULL || p == NULL)
827  goto end;
828 
829  p->dst.addr_data32[0] = UTHSetIPv4Address("1.0.0.2");
830  de_ctx->flags |= DE_QUIET;
831 
832  SRepInit(de_ctx);
834 
835  fd = DetectIPRepGenerateCategoriesDummy();
836  r = SRepLoadCatFileFromFD(fd);
837  if (r < 0) {
838  goto end;
839  }
840 
841  fd = DetectIPRepGenerateNetworksDummy();
843  if (r < 0) {
844  goto end;
845  }
846 
847  sig = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value badhost\"; iprep:any,BadHosts,>,1; sid:1; rev:1;)");
848  if (sig == NULL) {
849  goto end;
850  }
851 
853  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
854 
855  p->alerts.cnt = 0;
856  p->action = 0;
857  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
858  if (p->alerts.cnt != 1 || PACKET_TEST_ACTION(p, ACTION_DROP)) {
859  goto end;
860  }
861 
862  result = 1;
863 end:
864  UTHFreePacket(p);
867 
868  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
870 
871  HostShutdown();
872  return result == 0;
873 }
874 
875 static int DetectIPRepTest08(void)
876 {
877  ThreadVars th_v;
878  DetectEngineThreadCtx *det_ctx = NULL;
879  Signature *sig = NULL;
880  FILE *fd = NULL;
881  int result = 0, r = 0;
882  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
884 
886  memset(&th_v, 0, sizeof(th_v));
887 
888  if (de_ctx == NULL || p == NULL)
889  goto end;
890 
891  p->src.addr_data32[0] = UTHSetIPv4Address("1.0.0.1");
892  p->dst.addr_data32[0] = UTHSetIPv4Address("1.0.0.2");
893  de_ctx->flags |= DE_QUIET;
894 
895  SRepInit(de_ctx);
897 
898  fd = DetectIPRepGenerateCategoriesDummy();
899  r = SRepLoadCatFileFromFD(fd);
900  if (r < 0) {
901  goto end;
902  }
903 
904  fd = DetectIPRepGenerateNetworksDummy();
906  if (r < 0) {
907  goto end;
908  }
909 
910  sig = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value badhost\"; iprep:any,BadHosts,>,1; sid:1; rev:1;)");
911  if (sig == NULL) {
912  goto end;
913  }
914 
916  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
917 
918  p->alerts.cnt = 0;
919  p->action = 0;
920  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
921  if (p->alerts.cnt != 1 || PACKET_TEST_ACTION(p, ACTION_DROP)) {
922  goto end;
923  }
924 
925  result = 1;
926 end:
927  UTHFreePacket(p);
930 
931  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
933 
934  HostShutdown();
935  return result == 0;
936 }
937 
938 static int DetectIPRepTest09(void)
939 {
940  ThreadVars th_v;
941  DetectEngineThreadCtx *det_ctx = NULL;
942  Signature *sig = NULL;
943  FILE *fd = NULL;
944  int result = 0, r = 0;
945  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
947 
949  memset(&th_v, 0, sizeof(th_v));
950 
951  if (de_ctx == NULL || p == NULL)
952  goto end;
953 
954  p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1");
955  p->dst.addr_data32[0] = UTHSetIPv4Address("192.168.0.2");
956  de_ctx->flags |= DE_QUIET;
957 
958  SRepInit(de_ctx);
960 
961  fd = DetectIPRepGenerateCategoriesDummy2();
962  r = SRepLoadCatFileFromFD(fd);
963  if (r < 0) {
964  goto end;
965  }
966 
967  fd = DetectIPRepGenerateNetworksDummy2();
969  if (r < 0) {
970  goto end;
971  }
972 
973  sig = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"test\"; iprep:src,BadHosts,>,9; sid:1; rev:1;)");
974  if (sig == NULL) {
975  goto end;
976  }
977 
979  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
980 
981  p->alerts.cnt = 0;
982  p->action = 0;
983  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
984  if (p->alerts.cnt != 1 || PACKET_TEST_ACTION(p, ACTION_DROP)) {
985  goto end;
986  }
987 
988  result = 1;
989 end:
990  UTHFreePacket(p);
993 
994  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
996 
997  HostShutdown();
998  return result;
999 }
1000 #endif /* UNITTESTS */
1001 
1002 /**
1003  * \brief this function registers unit tests for IPRep
1004  */
1006 {
1007 #ifdef UNITTESTS
1008  UtRegisterTest("DetectIPRepTest01", DetectIPRepTest01);
1009  UtRegisterTest("DetectIPRepTest02", DetectIPRepTest02);
1010  UtRegisterTest("DetectIPRepTest03", DetectIPRepTest03);
1011  UtRegisterTest("DetectIPRepTest04", DetectIPRepTest04);
1012  UtRegisterTest("DetectIPRepTest05", DetectIPRepTest05);
1013  UtRegisterTest("DetectIPRepTest06", DetectIPRepTest06);
1014  UtRegisterTest("DetectIPRepTest07", DetectIPRepTest07);
1015  UtRegisterTest("DetectIPRepTest08", DetectIPRepTest08);
1016  UtRegisterTest("DetectIPRepTest09", DetectIPRepTest09);
1017 #endif /* UNITTESTS */
1018 }
util-byte.h
host.h
SigTableElmt_::url
const char * url
Definition: detect.h:1212
SReputation_
Definition: reputation.h:39
detect-engine.h
DetectIPRepData_
Definition: detect-iprep.h:36
DETECT_IPREP_CMD_SRC
#define DETECT_IPREP_CMD_SRC
Definition: detect-iprep.h:29
PKT_HOST_DST_LOOKED_UP
#define PKT_HOST_DST_LOOKED_UP
Definition: decode.h:1100
SigTableElmt_::desc
const char * desc
Definition: detect.h:1211
util-fmemopen.h
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1200
SReputation_::rep
uint8_t rep[SREP_MAX_CATS]
Definition: reputation.h:41
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1209
SRepCatGetByShortname
uint8_t SRepCatGetByShortname(char *shortname)
Definition: reputation.c:336
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
Packet_::host_src
struct Host_ * host_src
Definition: decode.h:560
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
PacketAlerts_::cnt
uint16_t cnt
Definition: decode.h:296
Packet_::flags
uint32_t flags
Definition: decode.h:446
Packet_::action
uint8_t action
Definition: decode.h:547
threads.h
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2035
HostInitConfig
void HostInitConfig(char quiet)
initialize the configuration
Definition: host.c:173
HostRelease
void HostRelease(Host *h)
Definition: host.c:474
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1203
UTHSetIPv4Address
uint32_t UTHSetIPv4Address(const char *str)
return the uint32_t for a ipv4 address string
Definition: util-unittest-helper.c:131
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:766
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2092
DETECT_IPREP_CMD_ANY
#define DETECT_IPREP_CMD_ANY
Definition: detect-iprep.h:27
flow-bit.h
DetectEngineCtx_::srep_version
uint32_t srep_version
Definition: detect.h:776
DE_QUIET
#define DE_QUIET
Definition: detect.h:293
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:336
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:39
SCFmemopen
#define SCFmemopen
Definition: util-fmemopen.h:52
Packet_::host_dst
struct Host_ * host_dst
Definition: decode.h:561
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1195
Packet_::alerts
PacketAlerts alerts
Definition: decode.h:558
util-unittest.h
util-unittest-helper.h
DETECT_IPREP_OP_EQ
#define DETECT_IPREP_OP_EQ
Definition: detect-iprep.h:34
decode.h
util-debug.h
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
detect-iprep.h
DetectEngineThreadCtx_
Definition: detect.h:1009
StringParseU8RangeCheck
int StringParseU8RangeCheck(uint8_t *res, int base, uint16_t len, const char *str, uint8_t min, uint8_t max)
Definition: util-byte.c:457
DetectEngineCtx_::srepCIDR_ctx
SRepCIDRTree * srepCIDR_ctx
Definition: detect.h:779
SC_ERR_UNKNOWN_VALUE
@ SC_ERR_UNKNOWN_VALUE
Definition: util-error.h:159
IPRepRegisterTests
void IPRepRegisterTests(void)
this function registers unit tests for IPRep
Definition: detect-iprep.c:1005
DETECT_IPREP_CMD_DST
#define DETECT_IPREP_CMD_DST
Definition: detect-iprep.h:30
SRepLoadCatFileFromFD
int SRepLoadCatFileFromFD(FILE *fp)
Definition: reputation.c:364
PKT_HOST_SRC_LOOKED_UP
#define PKT_HOST_SRC_LOOKED_UP
Definition: decode.h:1099
res
PoolThreadReserved res
Definition: stream-tcp-private.h:0
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2472
detect-engine-mpm.h
DetectIPRepData_::op
int8_t op
Definition: detect-iprep.h:39
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-iprep.c:52
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:89
app-layer-parser.h
HostLock
void HostLock(Host *h)
Definition: host.c:480
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:322
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1688
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1943
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options, int *ovector, int ovector_size)
Definition: detect-parse.c:2402
DetectIPRepData_::val
uint8_t val
Definition: detect-iprep.h:40
Packet_
Definition: decode.h:411
HostReference
#define HostReference(dst_h_ptr, h)
Definition: host.h:117
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1178
reputation.h
DETECT_IPREP_OP_LT
#define DETECT_IPREP_OP_LT
Definition: detect-iprep.h:32
SRepLoadFileFromFD
int SRepLoadFileFromFD(SRepCIDRTree *cidr_ctx, FILE *fp)
Definition: reputation.c:431
DetectIPRepFree
void DetectIPRepFree(DetectEngineCtx *, void *)
Definition: detect-iprep.c:377
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
DetectIPRepData_::cat
int8_t cat
Definition: detect-iprep.h:38
SRepCIDRGetIPRepDst
uint8_t SRepCIDRGetIPRepDst(SRepCIDRTree *cidr_ctx, Packet *p, uint8_t cat, uint32_t version)
Definition: reputation.c:158
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1878
SigMatch_::type
uint8_t type
Definition: detect.h:320
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:314
Host_::iprep
void * iprep
Definition: host.h:69
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2796
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3004
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectParseRegex_
Definition: detect-parse.h:42
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
util-spm.h
HOST_QUIET
#define HOST_QUIET
Definition: host.h:93
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
version
uint8_t version
Definition: decode-gre.h:1
HostShutdown
void HostShutdown(void)
shutdown the flow engine
Definition: host.c:305
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:772
SReputation_::version
uint32_t version
Definition: reputation.h:40
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
SRepInit
int SRepInit(DetectEngineCtx *de_ctx)
init reputation
Definition: reputation.c:575
SCFree
#define SCFree(p)
Definition: util-mem.h:61
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:484
DETECT_IPREP_OP_GT
#define DETECT_IPREP_OP_GT
Definition: detect-iprep.h:33
detect-parse.h
Signature_
Signature container.
Definition: detect.h:527
SigMatch_
a single match condition for a signature
Definition: detect.h:319
SRepResetVersion
void SRepResetVersion(void)
Definition: reputation.c:61
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2047
HostLookupHostFromHash
Host * HostLookupHostFromHash(Address *a)
look up a host in the hash
Definition: host.c:598
DETECT_IPREP_CMD_BOTH
#define DETECT_IPREP_CMD_BOTH
Definition: detect-iprep.h:28
DetectEngineThreadCtx_::de_ctx
DetectEngineCtx * de_ctx
Definition: detect.h:1135
Packet_::dst
Address dst
Definition: decode.h:416
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:767
flow.h
DetectIPRepRegister
void DetectIPRepRegister(void)
Definition: detect-iprep.c:61
Host_
Definition: host.h:58
DetectIPRepData_::cmd
uint8_t cmd
Definition: detect-iprep.h:37
SIGMATCH_IPONLY_COMPAT
#define SIGMATCH_IPONLY_COMPAT
Definition: detect.h:1380
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
SRepCIDRGetIPRepSrc
uint8_t SRepCIDRGetIPRepSrc(SRepCIDRTree *cidr_ctx, Packet *p, uint8_t cat, uint32_t version)
Definition: reputation.c:146
Packet_::src
Address src
Definition: decode.h:415
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1201
PACKET_TEST_ACTION
#define PACKET_TEST_ACTION(p, a)
Definition: decode.h:850
DETECT_IPREP
@ DETECT_IPREP
Definition: detect-engine-register.h:202