detect-iprep_8c_source.html

/* Copyright (C) 2012-2021 Open Information Security Foundation

 *

 * You can copy, redistribute or modify this Program under the terms of

 * the GNU General Public License version 2 as published by the Free

 * Software Foundation.

 *

 * This program is distributed in the hope that it will be useful,

 * but WITHOUT ANY WARRANTY; without even the implied warranty of

 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

 * GNU General Public License for more details.

 *

 * You should have received a copy of the GNU General Public License

 * version 2 along with this program; if not, write to the Free Software

 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA

 * 02110-1301, USA.

 */


/**

 * \file

 *

 *  \author Victor Julien <victor@inliniac.net>

 *

 * Implements the iprep keyword

 */


#include "suricata-common.h"

#include "decode.h"

#include "detect.h"

#include "threads.h"

#include "flow.h"

#include "flow-bit.h"

#include "flow-util.h"

#include "detect-iprep.h"

#include "util-spm.h"


#include "app-layer-parser.h"


#include "detect-parse.h"

#include "detect-engine.h"

#include "detect-engine-mpm.h"

#include "detect-engine-state.h"

#include "detect-engine-uint.h"

#include "detect-engine-build.h"


#include "util-debug.h"

#include "util-byte.h"

#include "util-unittest.h"

#include "util-unittest-helper.h"

#include "util-fmemopen.h"

#include "util-validate.h"


#include "reputation.h"

#include "host.h"


static int DetectIPRepMatch (DetectEngineThreadCtx *, Packet *,

        const Signature *, const SigMatchCtx *);

static int DetectIPRepSetup (DetectEngineCtx *, Signature *, const char *);

void DetectIPRepFree (DetectEngineCtx *, void *);

#ifdef UNITTESTS

static void IPRepRegisterTests(void);

#endif


void DetectIPRepRegister (void)

{

    sigmatch_table[DETECT_IPREP].name = "iprep";

    sigmatch_table[DETECT_IPREP].desc = "match on the IP reputation information for a host";

    sigmatch_table[DETECT_IPREP].url = "/rules/ip-reputation-rules.html#iprep";

    sigmatch_table[DETECT_IPREP].Match = DetectIPRepMatch;

    sigmatch_table[DETECT_IPREP].Setup = DetectIPRepSetup;

    sigmatch_table[DETECT_IPREP].Free  = DetectIPRepFree;

#ifdef UNITTESTS

    sigmatch_table[DETECT_IPREP].RegisterTests = IPRepRegisterTests;

#endif

    /* this is compatible to ip-only signatures */

    sigmatch_table[DETECT_IPREP].flags |= SIGMATCH_IPONLY_COMPAT;

}


static inline uint8_t GetRep(const SReputation *r, const uint8_t cat, const uint32_t version)

{

    /* allow higher versions as this happens during

     * rule reload */

    if (r != NULL && r->version >= version) {

        return r->rep[cat];

    }

    return 0;

}


static uint8_t GetHostRepSrc(Packet *p, uint8_t cat, uint32_t version)

{

    if (p->flags & PKT_HOST_SRC_LOOKED_UP && p->host_src == NULL) {

        return 0;

    } else if (p->host_src != NULL) {

        Host *h = (Host *)p->host_src;

        HostLock(h);

        /* use_cnt: 1 for having iprep, 1 for packet ref */

        DEBUG_VALIDATE_BUG_ON(h->iprep != NULL && SC_ATOMIC_GET(h->use_cnt) < 2);

        uint8_t val = GetRep(h->iprep, cat, version);

        HostUnlock(h);

        return val;

    } else {

        Host *h = HostLookupHostFromHash(&(p->src));

        p->flags |= PKT_HOST_SRC_LOOKED_UP;

        if (h == NULL)

            return 0;

        HostReference(&p->host_src, h);

        /* use_cnt: 1 for having iprep, 1 for HostLookupHostFromHash,

         * 1 for HostReference to packet */

        DEBUG_VALIDATE_BUG_ON(h->iprep != NULL && SC_ATOMIC_GET(h->use_cnt) < 3);

        uint8_t val = GetRep(h->iprep, cat, version);

        HostRelease(h); /* use_cnt >= 2: 1 for iprep, 1 for packet ref */

        return val;

    }

}


static uint8_t GetHostRepDst(Packet *p, uint8_t cat, uint32_t version)

{

    if (p->flags & PKT_HOST_DST_LOOKED_UP && p->host_dst == NULL) {

        return 0;

    } else if (p->host_dst != NULL) {

        Host *h = (Host *)p->host_dst;

        HostLock(h);

        /* use_cnt: 1 for having iprep, 1 for packet ref */

        DEBUG_VALIDATE_BUG_ON(h->iprep != NULL && SC_ATOMIC_GET(h->use_cnt) < 2);

        uint8_t val = GetRep(h->iprep, cat, version);

        HostUnlock(h);

        return val;

    } else {

        Host *h = HostLookupHostFromHash(&(p->dst));

        p->flags |= PKT_HOST_DST_LOOKED_UP;

        if (h == NULL)

            return 0;

        HostReference(&p->host_dst, h);

        /* use_cnt: 1 for having iprep, 1 for HostLookupHostFromHash,

         * 1 for HostReference to packet */

        DEBUG_VALIDATE_BUG_ON(h->iprep != NULL && SC_ATOMIC_GET(h->use_cnt) < 3);

        uint8_t val = GetRep(h->iprep, cat, version);

        HostRelease(h); /* use_cnt >= 2: 1 for iprep, 1 for packet ref */

        return val;

    }

}


/*

 * returns 0: no match

 *         1: match

 *        -1: error

 */

static int DetectIPRepMatch (DetectEngineThreadCtx *det_ctx, Packet *p,

        const Signature *s, const SigMatchCtx *ctx)

{

    const DetectIPRepData *rd = (const DetectIPRepData *)ctx;

    if (rd == NULL)

        return 0;


    uint32_t version = det_ctx->de_ctx->srep_version;

    uint8_t val = 0;


    SCLogDebug("rd->cmd %u", rd->cmd);

    switch(rd->cmd) {

        case IPRepCmdAny:

            val = GetHostRepSrc(p, rd->cat, version);

            if (val == 0)

                val = SRepCIDRGetIPRepSrc(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);

            if (val > 0) {

                if (DetectU8Match(val, &rd->du8))

                    return 1;

            }

            val = GetHostRepDst(p, rd->cat, version);

            if (val == 0)

                val = SRepCIDRGetIPRepDst(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);

            if (val > 0) {

                return DetectU8Match(val, &rd->du8);

            }

            break;


        case IPRepCmdSrc:

            val = GetHostRepSrc(p, rd->cat, version);

            SCLogDebug("checking src -- val %u (looking for cat %u, val %u)", val, rd->cat,

                    rd->du8.arg1);

            if (val == 0)

                val = SRepCIDRGetIPRepSrc(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);

            if (val > 0) {

                return DetectU8Match(val, &rd->du8);

            }

            break;


        case IPRepCmdDst:

            SCLogDebug("checking dst");

            val = GetHostRepDst(p, rd->cat, version);

            if (val == 0)

                val = SRepCIDRGetIPRepDst(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);

            if (val > 0) {

                return DetectU8Match(val, &rd->du8);

            }

            break;


        case IPRepCmdBoth:

            val = GetHostRepSrc(p, rd->cat, version);

            if (val == 0)

                val = SRepCIDRGetIPRepSrc(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);

            if (val == 0 || DetectU8Match(val, &rd->du8) == 0)

                return 0;

            val = GetHostRepDst(p, rd->cat, version);

            if (val == 0)

                val = SRepCIDRGetIPRepDst(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);

            if (val > 0) {

                return DetectU8Match(val, &rd->du8);

            }

            break;

    }


    return 0;

}


int DetectIPRepSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)

{

    SigMatch *sm = NULL;


    DetectIPRepData *cd = rs_detect_iprep_parse(rawstr);

    if (cd == NULL) {

        SCLogError("\"%s\" is not a valid setting for iprep", rawstr);

        goto error;

    }


    SCLogDebug("cmd %u, cat %u, op %u, val %u", cd->cmd, cd->cat, cd->du8.mode, cd->du8.arg1);


    /* Okay so far so good, lets get this into a SigMatch

     * and put it in the Signature. */

    sm = SigMatchAlloc();

    if (sm == NULL)

        goto error;


    sm->type = DETECT_IPREP;

    sm->ctx = (SigMatchCtx *)cd;


    SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_MATCH);


    return 0;


error:

    if (cd != NULL)

        DetectIPRepFree(de_ctx, cd);

    if (sm != NULL)

        SCFree(sm);

    return -1;

}


void DetectIPRepFree (DetectEngineCtx *de_ctx, void *ptr)

{

    DetectIPRepData *fd = (DetectIPRepData *)ptr;


    if (fd == NULL)

        return;


    rs_detect_iprep_free(fd);

}


#ifdef UNITTESTS

#include "packet.h"

#include "action-globals.h"


static FILE *DetectIPRepGenerateCategoriesDummy(void)

{

    FILE *fd = NULL;

    const char *buffer = "1,BadHosts,Know bad hosts";


    fd = SCFmemopen((void *)buffer, strlen(buffer), "r");

    if (fd == NULL)

        SCLogDebug("Error with SCFmemopen()");


    return fd;

}


static FILE *DetectIPRepGenerateCategoriesDummy2(void)

{

    FILE *fd = NULL;

    const char *buffer =

        "1,BadHosts,Know bad hosts\n"

        "2,GoodHosts,Know good hosts\n";


    fd = SCFmemopen((void *)buffer, strlen(buffer), "r");

    if (fd == NULL)

        SCLogDebug("Error with SCFmemopen()");


    return fd;

}


static FILE *DetectIPRepGenerateNetworksDummy(void)

{

    FILE *fd = NULL;

    const char *buffer = "10.0.0.0/24,1,20";


    fd = SCFmemopen((void *)buffer, strlen(buffer), "r");

    if (fd == NULL)

        SCLogDebug("Error with SCFmemopen()");


    return fd;

}


static FILE *DetectIPRepGenerateNetworksDummy2(void)

{

    FILE *fd = NULL;

    const char *buffer =

        "0.0.0.0/0,1,10\n"

        "192.168.0.0/16,2,127";


    fd = SCFmemopen((void *)buffer, strlen(buffer), "r");

    if (fd == NULL)

        SCLogDebug("Error with SCFmemopen()");


    return fd;

}


static int DetectIPRepTest01(void)

{

    ThreadVars th_v;

    DetectEngineThreadCtx *det_ctx = NULL;

    Signature *sig = NULL;

    FILE *fd = NULL;

    int r = 0;

    Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();


    HostInitConfig(HOST_QUIET);

    memset(&th_v, 0, sizeof(th_v));


    FAIL_IF_NULL(de_ctx);

    FAIL_IF_NULL(p);


    p->src.addr_data32[0] = UTHSetIPv4Address("10.0.0.1");

    de_ctx->flags |= DE_QUIET;


    SRepInit(de_ctx);

    SRepResetVersion();


    fd = DetectIPRepGenerateCategoriesDummy();

    r = SRepLoadCatFileFromFD(fd);

    FAIL_IF(r < 0);


    fd = DetectIPRepGenerateNetworksDummy();

    r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);

    FAIL_IF(r < 0);


    sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value "

                                        "badhost\"; iprep:any,BadHosts,>,1; sid:1;rev:1;)");

    FAIL_IF_NULL(sig);


    SigGroupBuild(de_ctx);

    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);


    p->alerts.cnt = 0;

    p->action = 0;

    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);


    FAIL_IF(p->alerts.cnt != 1);

    FAIL_IF(PacketTestAction(p, ACTION_DROP));


    UTHFreePacket(p);


    DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);

    DetectEngineCtxFree(de_ctx);


    HostShutdown();

    PASS;

}


static int DetectIPRepTest02(void)

{

    ThreadVars th_v;

    DetectEngineThreadCtx *det_ctx = NULL;

    Signature *sig = NULL;

    FILE *fd = NULL;

    int r = 0;

    Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();


    HostInitConfig(HOST_QUIET);

    memset(&th_v, 0, sizeof(th_v));


    FAIL_IF_NULL(de_ctx);

    FAIL_IF_NULL(p);


    p->src.addr_data32[0] = UTHSetIPv4Address("10.0.0.1");

    de_ctx->flags |= DE_QUIET;


    SRepInit(de_ctx);

    SRepResetVersion();


    fd = DetectIPRepGenerateCategoriesDummy();

    r = SRepLoadCatFileFromFD(fd);

    FAIL_IF(r < 0);


    fd = DetectIPRepGenerateNetworksDummy();

    r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);

    FAIL_IF(r < 0);


    sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value "

                                        "badhost\"; iprep:src,BadHosts,>,1; sid:1; rev:1;)");

    FAIL_IF_NULL(sig);


    SigGroupBuild(de_ctx);

    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);


    p->alerts.cnt = 0;

    p->action = 0;

    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);

    FAIL_IF(p->alerts.cnt != 1);

    FAIL_IF(PacketTestAction(p, ACTION_DROP));


    UTHFreePacket(p);


    DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);

    DetectEngineCtxFree(de_ctx);


    HostShutdown();

    PASS;

}


static int DetectIPRepTest03(void)

{

    ThreadVars th_v;

    DetectEngineThreadCtx *det_ctx = NULL;

    Signature *sig = NULL;

    FILE *fd = NULL;

    int r = 0;

    Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();


    HostInitConfig(HOST_QUIET);

    memset(&th_v, 0, sizeof(th_v));


    FAIL_IF_NULL(de_ctx);

    FAIL_IF_NULL(p);


    p->dst.addr_data32[0] = UTHSetIPv4Address("10.0.0.2");

    de_ctx->flags |= DE_QUIET;


    SRepInit(de_ctx);

    SRepResetVersion();


    fd = DetectIPRepGenerateCategoriesDummy();

    r = SRepLoadCatFileFromFD(fd);

    FAIL_IF(r < 0);


    fd = DetectIPRepGenerateNetworksDummy();

    r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);

    FAIL_IF(r < 0);


    sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value "

                                        "badhost\"; iprep:dst,BadHosts,>,1; sid:1; rev:1;)");

    FAIL_IF_NULL(sig);


    SigGroupBuild(de_ctx);

    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);


    p->alerts.cnt = 0;

    p->action = 0;

    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);

    FAIL_IF(p->alerts.cnt != 1);

    FAIL_IF(PacketTestAction(p, ACTION_DROP));


    UTHFreePacket(p);


    DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);

    DetectEngineCtxFree(de_ctx);


    HostShutdown();

    PASS;

}


static int DetectIPRepTest04(void)

{

    ThreadVars th_v;

    DetectEngineThreadCtx *det_ctx = NULL;

    Signature *sig = NULL;

    FILE *fd = NULL;

    int r = 0;

    Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();


    HostInitConfig(HOST_QUIET);

    memset(&th_v, 0, sizeof(th_v));


    FAIL_IF_NULL(de_ctx);

    FAIL_IF_NULL(p);


    p->src.addr_data32[0] = UTHSetIPv4Address("10.0.0.1");

    p->dst.addr_data32[0] = UTHSetIPv4Address("10.0.0.2");

    de_ctx->flags |= DE_QUIET;


    SRepInit(de_ctx);

    SRepResetVersion();


    fd = DetectIPRepGenerateCategoriesDummy();

    r = SRepLoadCatFileFromFD(fd);

    FAIL_IF(r < 0);


    fd = DetectIPRepGenerateNetworksDummy();

    r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);

    FAIL_IF(r < 0);


    sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value "

                                        "badhost\"; iprep:both,BadHosts,>,1; sid:1; rev:1;)");

    FAIL_IF_NULL(sig);


    SigGroupBuild(de_ctx);

    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);


    p->alerts.cnt = 0;

    p->action = 0;

    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);

    FAIL_IF(p->alerts.cnt != 1);

    FAIL_IF(PacketTestAction(p, ACTION_DROP));


    UTHFreePacket(p);


    DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);

    DetectEngineCtxFree(de_ctx);


    HostShutdown();

    PASS;

}


static int DetectIPRepTest05(void)

{

    ThreadVars th_v;

    DetectEngineThreadCtx *det_ctx = NULL;

    Signature *sig = NULL;

    FILE *fd = NULL;

    int r = 0;

    Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();


    HostInitConfig(HOST_QUIET);

    memset(&th_v, 0, sizeof(th_v));


    FAIL_IF_NULL(de_ctx);

    FAIL_IF_NULL(p);


    p->src.addr_data32[0] = UTHSetIPv4Address("1.0.0.1");

    de_ctx->flags |= DE_QUIET;


    SRepInit(de_ctx);

    SRepResetVersion();


    fd = DetectIPRepGenerateCategoriesDummy();

    r = SRepLoadCatFileFromFD(fd);

    FAIL_IF(r < 0);


    fd = DetectIPRepGenerateNetworksDummy();

    r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);

    FAIL_IF(r < 0);


    sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value "

                                        "badhost\"; iprep:any,BadHosts,>,1; sid:1; rev:1;)");

    FAIL_IF_NULL(sig);


    SigGroupBuild(de_ctx);

    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);


    p->alerts.cnt = 0;

    p->action = 0;

    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);

    FAIL_IF(p->alerts.cnt != 0);

    FAIL_IF(PacketTestAction(p, ACTION_DROP));


    UTHFreePacket(p);


    DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);

    DetectEngineCtxFree(de_ctx);


    HostShutdown();

    PASS;

}


static int DetectIPRepTest06(void)

{

    ThreadVars th_v;

    DetectEngineThreadCtx *det_ctx = NULL;

    Signature *sig = NULL;

    FILE *fd = NULL;

    int r = 0;

    Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();


    HostInitConfig(HOST_QUIET);

    memset(&th_v, 0, sizeof(th_v));


    FAIL_IF_NULL(de_ctx);

    FAIL_IF_NULL(p);


    p->src.addr_data32[0] = UTHSetIPv4Address("1.0.0.1");

    de_ctx->flags |= DE_QUIET;


    SRepInit(de_ctx);

    SRepResetVersion();


    fd = DetectIPRepGenerateCategoriesDummy();

    r = SRepLoadCatFileFromFD(fd);

    FAIL_IF(r < 0);


    fd = DetectIPRepGenerateNetworksDummy2();

    r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);

    FAIL_IF(r < 0);


    sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value "

                                        "badhost\"; iprep:any,BadHosts,>,1; sid:1; rev:1;)");

    FAIL_IF_NULL(sig);


    SigGroupBuild(de_ctx);

    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);


    p->alerts.cnt = 0;

    p->action = 0;

    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);

    FAIL_IF(p->alerts.cnt != 1);

    FAIL_IF(PacketTestAction(p, ACTION_DROP));


    UTHFreePacket(p);


    DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);

    DetectEngineCtxFree(de_ctx);


    HostShutdown();

    PASS;

}


static int DetectIPRepTest07(void)

{

    ThreadVars th_v;

    DetectEngineThreadCtx *det_ctx = NULL;

    Signature *sig = NULL;

    FILE *fd = NULL;

    int r = 0;

    Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();


    HostInitConfig(HOST_QUIET);

    memset(&th_v, 0, sizeof(th_v));


    FAIL_IF_NULL(de_ctx);

    FAIL_IF_NULL(p);


    p->dst.addr_data32[0] = UTHSetIPv4Address("1.0.0.2");

    de_ctx->flags |= DE_QUIET;


    SRepInit(de_ctx);

    SRepResetVersion();


    fd = DetectIPRepGenerateCategoriesDummy();

    r = SRepLoadCatFileFromFD(fd);

    FAIL_IF(r < 0);


    fd = DetectIPRepGenerateNetworksDummy2();

    r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);

    FAIL_IF(r < 0);


    sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value "

                                        "badhost\"; iprep:any,BadHosts,>,1; sid:1; rev:1;)");

    FAIL_IF_NULL(sig);


    SigGroupBuild(de_ctx);

    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);


    p->alerts.cnt = 0;

    p->action = 0;

    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);

    FAIL_IF(p->alerts.cnt != 1);

    FAIL_IF(PacketTestAction(p, ACTION_DROP));


    UTHFreePacket(p);


    DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);

    DetectEngineCtxFree(de_ctx);


    HostShutdown();

    PASS;

}


static int DetectIPRepTest08(void)

{

    ThreadVars th_v;

    DetectEngineThreadCtx *det_ctx = NULL;

    Signature *sig = NULL;

    FILE *fd = NULL;

    int r = 0;

    Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();


    HostInitConfig(HOST_QUIET);

    memset(&th_v, 0, sizeof(th_v));


    FAIL_IF_NULL(de_ctx);

    FAIL_IF_NULL(p);


    p->src.addr_data32[0] = UTHSetIPv4Address("1.0.0.1");

    p->dst.addr_data32[0] = UTHSetIPv4Address("1.0.0.2");

    de_ctx->flags |= DE_QUIET;


    SRepInit(de_ctx);

    SRepResetVersion();


    fd = DetectIPRepGenerateCategoriesDummy();

    r = SRepLoadCatFileFromFD(fd);

    FAIL_IF(r < 0);


    fd = DetectIPRepGenerateNetworksDummy();

    r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);

    FAIL_IF(r < 0);


    sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value "

                                        "badhost\"; iprep:any,BadHosts,>,1; sid:1; rev:1;)");

    FAIL_IF_NULL(sig);


    SigGroupBuild(de_ctx);

    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);


    p->alerts.cnt = 0;

    p->action = 0;

    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);

    FAIL_IF(p->alerts.cnt != 0);

    FAIL_IF(PacketTestAction(p, ACTION_DROP));


    UTHFreePacket(p);


    DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);

    DetectEngineCtxFree(de_ctx);


    HostShutdown();

    PASS;

}


static int DetectIPRepTest09(void)

{

    ThreadVars th_v;

    DetectEngineThreadCtx *det_ctx = NULL;

    Signature *sig = NULL;

    FILE *fd = NULL;

    int r = 0;

    Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();


    HostInitConfig(HOST_QUIET);

    memset(&th_v, 0, sizeof(th_v));


    FAIL_IF_NULL(de_ctx);

    FAIL_IF_NULL(p);


    p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1");

    p->dst.addr_data32[0] = UTHSetIPv4Address("192.168.0.2");

    de_ctx->flags |= DE_QUIET;


    SRepInit(de_ctx);

    SRepResetVersion();


    fd = DetectIPRepGenerateCategoriesDummy2();

    r = SRepLoadCatFileFromFD(fd);

    FAIL_IF(r < 0);


    fd = DetectIPRepGenerateNetworksDummy2();

    r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);

    FAIL_IF(r < 0);


    sig = DetectEngineAppendSig(de_ctx,

            "alert tcp any any -> any any (msg:\"test\"; iprep:src,BadHosts,>,9; sid:1; rev:1;)");

    FAIL_IF_NULL(sig);


    SigGroupBuild(de_ctx);

    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);


    p->alerts.cnt = 0;

    p->action = 0;

    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);

    FAIL_IF(p->alerts.cnt != 1);

    FAIL_IF(PacketTestAction(p, ACTION_DROP));


    UTHFreePacket(p);


    DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);

    DetectEngineCtxFree(de_ctx);


    HostShutdown();

    PASS;

}


/**

 * \brief this function registers unit tests for IPRep

 */

void IPRepRegisterTests(void)

{

    UtRegisterTest("DetectIPRepTest01", DetectIPRepTest01);

    UtRegisterTest("DetectIPRepTest02", DetectIPRepTest02);

    UtRegisterTest("DetectIPRepTest03", DetectIPRepTest03);

    UtRegisterTest("DetectIPRepTest04", DetectIPRepTest04);

    UtRegisterTest("DetectIPRepTest05", DetectIPRepTest05);

    UtRegisterTest("DetectIPRepTest06", DetectIPRepTest06);

    UtRegisterTest("DetectIPRepTest07", DetectIPRepTest07);

    UtRegisterTest("DetectIPRepTest08", DetectIPRepTest08);

    UtRegisterTest("DetectIPRepTest09", DetectIPRepTest09);

}

#endif /* UNITTESTS */