suricata
detect-iprep.c
Go to the documentation of this file.
1 /* Copyright (C) 2012 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Implements the iprep keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 #include "detect.h"
29 #include "threads.h"
30 #include "flow.h"
31 #include "flow-bit.h"
32 #include "flow-util.h"
33 #include "detect-iprep.h"
34 #include "util-spm.h"
35 
36 #include "app-layer-parser.h"
37 
38 #include "detect-parse.h"
39 #include "detect-engine.h"
40 #include "detect-engine-mpm.h"
41 #include "detect-engine-state.h"
42 
43 #include "util-debug.h"
44 #include "util-unittest.h"
45 #include "util-unittest-helper.h"
46 #include "util-fmemopen.h"
47 
48 #include "reputation.h"
49 #include "host.h"
50 
51 #define PARSE_REGEX "\\s*(any|src|dst|both)\\s*,\\s*([A-Za-z0-9\\-\\_]+)\\s*,\\s*(\\<|\\>|\\=)\\s*,\\s*([0-9]+)\\s*"
52 static pcre *parse_regex;
53 static pcre_extra *parse_regex_study;
54 
55 static int DetectIPRepMatch (ThreadVars *, DetectEngineThreadCtx *, Packet *,
56  const Signature *, const SigMatchCtx *);
57 static int DetectIPRepSetup (DetectEngineCtx *, Signature *, const char *);
58 void DetectIPRepFree (void *);
59 void IPRepRegisterTests(void);
60 
62 {
63  sigmatch_table[DETECT_IPREP].name = "iprep";
64  sigmatch_table[DETECT_IPREP].Match = DetectIPRepMatch;
65  sigmatch_table[DETECT_IPREP].Setup = DetectIPRepSetup;
68  /* this is compatible to ip-only signatures */
70 
71  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
72 }
73 
74 static uint8_t GetHostRepSrc(Packet *p, uint8_t cat, uint32_t version)
75 {
76  uint8_t val = 0;
77  Host *h = NULL;
78 
79  if (p->flags & PKT_HOST_SRC_LOOKED_UP && p->host_src == NULL) {
80  return 0;
81  } else if (p->host_src != NULL) {
82  h = (Host *)p->host_src;
83  HostLock(h);
84  } else {
85  h = HostLookupHostFromHash(&(p->src));
86 
88 
89  if (h == NULL)
90  return 0;
91 
92  HostReference(&p->host_src, h);
93  }
94 
95  if (h->iprep == NULL) {
96  HostRelease(h);
97  return 0;
98  }
99 
100  SReputation *r = (SReputation *)h->iprep;
101 
102  /* allow higher versions as this happens during
103  * rule reload */
104  if (r->version >= version)
105  val = r->rep[cat];
106  else
107  SCLogDebug("version mismatch %u != %u", r->version, version);
108 
109  HostRelease(h);
110  return val;
111 }
112 
113 static uint8_t GetHostRepDst(Packet *p, uint8_t cat, uint32_t version)
114 {
115  uint8_t val = 0;
116  Host *h = NULL;
117 
118  if (p->flags & PKT_HOST_DST_LOOKED_UP && p->host_dst == NULL) {
119  return 0;
120  } else if (p->host_dst != NULL) {
121  h = (Host *)p->host_dst;
122  HostLock(h);
123  } else {
124  h = HostLookupHostFromHash(&(p->dst));
125 
127 
128  if (h == NULL) {
129  return 0;
130  }
131 
132  HostReference(&p->host_dst, h);
133  }
134 
135  if (h->iprep == NULL) {
136  HostRelease(h);
137  return 0;
138  }
139 
140  SReputation *r = (SReputation *)h->iprep;
141 
142  /* allow higher versions as this happens during
143  * rule reload */
144  if (r->version >= version)
145  val = r->rep[cat];
146  else
147  SCLogDebug("version mismatch %u != %u", r->version, version);
148 
149  HostRelease(h);
150  return val;
151 }
152 
153 static inline int RepMatch(uint8_t op, uint8_t val1, uint8_t val2)
154 {
155  if (op == DETECT_IPREP_OP_GT && val1 > val2) {
156  return 1;
157  } else if (op == DETECT_IPREP_OP_LT && val1 < val2) {
158  return 1;
159  } else if (op == DETECT_IPREP_OP_EQ && val1 == val2) {
160  return 1;
161  }
162  return 0;
163 }
164 
165 /*
166  * returns 0: no match
167  * 1: match
168  * -1: error
169  */
170 static int DetectIPRepMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p,
171  const Signature *s, const SigMatchCtx *ctx)
172 {
173  const DetectIPRepData *rd = (const DetectIPRepData *)ctx;
174  if (rd == NULL)
175  return 0;
176 
177  uint32_t version = det_ctx->de_ctx->srep_version;
178  uint8_t val = 0;
179 
180  SCLogDebug("rd->cmd %u", rd->cmd);
181  switch(rd->cmd) {
183  val = GetHostRepSrc(p, rd->cat, version);
184  if (val == 0)
185  val = SRepCIDRGetIPRepSrc(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
186  if (val > 0) {
187  if (RepMatch(rd->op, val, rd->val) == 1)
188  return 1;
189  }
190  val = GetHostRepDst(p, rd->cat, version);
191  if (val == 0)
192  val = SRepCIDRGetIPRepDst(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
193  if (val > 0) {
194  return RepMatch(rd->op, val, rd->val);
195  }
196  break;
197 
199  val = GetHostRepSrc(p, rd->cat, version);
200  SCLogDebug("checking src -- val %u (looking for cat %u, val %u)", val, rd->cat, rd->val);
201  if (val == 0)
202  val = SRepCIDRGetIPRepSrc(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
203  if (val > 0) {
204  return RepMatch(rd->op, val, rd->val);
205  }
206  break;
207 
209  SCLogDebug("checking dst");
210  val = GetHostRepDst(p, rd->cat, version);
211  if (val == 0)
212  val = SRepCIDRGetIPRepDst(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
213  if (val > 0) {
214  return RepMatch(rd->op, val, rd->val);
215  }
216  break;
217 
219  val = GetHostRepSrc(p, rd->cat, version);
220  if (val == 0)
221  val = SRepCIDRGetIPRepSrc(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
222  if (val == 0 || RepMatch(rd->op, val, rd->val) == 0)
223  return 0;
224  val = GetHostRepDst(p, rd->cat, version);
225  if (val == 0)
226  val = SRepCIDRGetIPRepDst(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
227  if (val > 0) {
228  return RepMatch(rd->op, val, rd->val);
229  }
230  break;
231  }
232 
233  return 0;
234 }
235 
236 int DetectIPRepSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
237 {
238  DetectIPRepData *cd = NULL;
239  SigMatch *sm = NULL;
240  char *cmd_str = NULL, *name = NULL, *op_str = NULL, *value = NULL;
241  uint8_t cmd = 0;
242 #define MAX_SUBSTRINGS 30
243  int ret = 0, res = 0;
244  int ov[MAX_SUBSTRINGS];
245 
246  ret = pcre_exec(parse_regex, parse_regex_study, rawstr, strlen(rawstr), 0, 0, ov, MAX_SUBSTRINGS);
247  if (ret != 5) {
248  SCLogError(SC_ERR_PCRE_MATCH, "\"%s\" is not a valid setting for iprep", rawstr);
249  return -1;
250  }
251 
252  const char *str_ptr;
253  res = pcre_get_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 1, &str_ptr);
254  if (res < 0) {
255  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
256  return -1;
257  }
258  cmd_str = (char *)str_ptr;
259 
260  res = pcre_get_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 2, &str_ptr);
261  if (res < 0) {
262  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
263  goto error;
264  }
265  name = (char *)str_ptr;
266 
267  res = pcre_get_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 3, &str_ptr);
268  if (res < 0) {
269  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
270  goto error;
271  }
272  op_str = (char *)str_ptr;
273 
274  res = pcre_get_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 4, &str_ptr);
275  if (res < 0) {
276  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
277  goto error;
278  }
279  value = (char *)str_ptr;
280 
281  if (strcmp(cmd_str,"any") == 0) {
282  cmd = DETECT_IPREP_CMD_ANY;
283  } else if (strcmp(cmd_str,"both") == 0) {
284  cmd = DETECT_IPREP_CMD_BOTH;
285  } else if (strcmp(cmd_str,"src") == 0) {
286  cmd = DETECT_IPREP_CMD_SRC;
287  } else if (strcmp(cmd_str,"dst") == 0) {
288  cmd = DETECT_IPREP_CMD_DST;
289  } else {
290  SCLogError(SC_ERR_UNKNOWN_VALUE, "ERROR: iprep \"%s\" is not supported.", cmd_str);
291  goto error;
292  }
293 
294  //SCLogInfo("category %s", name);
295  uint8_t cat = SRepCatGetByShortname(name);
296  if (cat == 0) {
297  SCLogError(SC_ERR_UNKNOWN_VALUE, "unknown iprep category \"%s\"", name);
298  goto error;
299  }
300 
301  uint8_t op = 0;
302  uint8_t val = 0;
303 
304  if (op_str == NULL || strlen(op_str) != 1) {
305  goto error;
306  }
307 
308  switch(op_str[0]) {
309  case '<':
310  op = DETECT_IPREP_OP_LT;
311  break;
312  case '>':
313  op = DETECT_IPREP_OP_GT;
314  break;
315  case '=':
316  op = DETECT_IPREP_OP_EQ;
317  break;
318  default:
319  goto error;
320  break;
321  }
322 
323  if (value != NULL && strlen(value) > 0) {
324  int ival = atoi(value);
325  if (ival < 0 || ival > 127)
326  goto error;
327  val = (uint8_t)ival;
328  }
329 
330  cd = SCMalloc(sizeof(DetectIPRepData));
331  if (unlikely(cd == NULL))
332  goto error;
333 
334  cd->cmd = cmd;
335  cd->cat = cat;
336  cd->op = op;
337  cd->val = val;
338  SCLogDebug("cmd %u, cat %u, op %u, val %u", cd->cmd, cd->cat, cd->op, cd->val);
339 
340  pcre_free_substring(name);
341  name = NULL;
342  pcre_free_substring(cmd_str);
343  cmd_str = NULL;
344  pcre_free_substring(op_str);
345  op_str = NULL;
346  pcre_free_substring(value);
347  value = NULL;
348 
349  /* Okay so far so good, lets get this into a SigMatch
350  * and put it in the Signature. */
351  sm = SigMatchAlloc();
352  if (sm == NULL)
353  goto error;
354 
355  sm->type = DETECT_IPREP;
356  sm->ctx = (SigMatchCtx *)cd;
357 
359 
360  return 0;
361 
362 error:
363  if (name != NULL)
364  pcre_free_substring(name);
365  if (cmd_str != NULL)
366  pcre_free_substring(cmd_str);
367  if (op_str != NULL)
368  pcre_free_substring(op_str);
369  if (value != NULL)
370  pcre_free_substring(value);
371  if (cd != NULL)
372  SCFree(cd);
373  if (sm != NULL)
374  SCFree(sm);
375  return -1;
376 }
377 
378 void DetectIPRepFree (void *ptr)
379 {
380  DetectIPRepData *fd = (DetectIPRepData *)ptr;
381 
382  if (fd == NULL)
383  return;
384 
385  SCFree(fd);
386 }
387 
388 #ifdef UNITTESTS
389 static FILE *DetectIPRepGenerateCategoriesDummy(void)
390 {
391  FILE *fd = NULL;
392  const char *buffer = "1,BadHosts,Know bad hosts";
393 
394  fd = SCFmemopen((void *)buffer, strlen(buffer), "r");
395  if (fd == NULL)
396  SCLogDebug("Error with SCFmemopen()");
397 
398  return fd;
399 }
400 
401 static FILE *DetectIPRepGenerateCategoriesDummy2(void)
402 {
403  FILE *fd = NULL;
404  const char *buffer =
405  "1,BadHosts,Know bad hosts\n"
406  "2,GoodHosts,Know good hosts\n";
407 
408  fd = SCFmemopen((void *)buffer, strlen(buffer), "r");
409  if (fd == NULL)
410  SCLogDebug("Error with SCFmemopen()");
411 
412  return fd;
413 }
414 
415 static FILE *DetectIPRepGenerateNetworksDummy(void)
416 {
417  FILE *fd = NULL;
418  const char *buffer = "10.0.0.0/24,1,20";
419 
420  fd = SCFmemopen((void *)buffer, strlen(buffer), "r");
421  if (fd == NULL)
422  SCLogDebug("Error with SCFmemopen()");
423 
424  return fd;
425 }
426 
427 static FILE *DetectIPRepGenerateNetworksDummy2(void)
428 {
429  FILE *fd = NULL;
430  const char *buffer =
431  "0.0.0.0/0,1,10\n"
432  "192.168.0.0/16,2,127";
433 
434  fd = SCFmemopen((void *)buffer, strlen(buffer), "r");
435  if (fd == NULL)
436  SCLogDebug("Error with SCFmemopen()");
437 
438  return fd;
439 }
440 
441 static int DetectIPRepTest01(void)
442 {
443  ThreadVars th_v;
444  DetectEngineThreadCtx *det_ctx = NULL;
445  Signature *sig = NULL;
446  FILE *fd = NULL;
447  int result = 0, r = 0;
448  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
450 
452  memset(&th_v, 0, sizeof(th_v));
453 
454  if (de_ctx == NULL || p == NULL)
455  goto end;
456 
457  p->src.addr_data32[0] = UTHSetIPv4Address("10.0.0.1");
458  de_ctx->flags |= DE_QUIET;
459 
460  SRepInit(de_ctx);
462 
463  fd = DetectIPRepGenerateCategoriesDummy();
464  r = SRepLoadCatFileFromFD(fd);
465  if (r < 0) {
466  goto end;
467  }
468 
469  fd = DetectIPRepGenerateNetworksDummy();
470  r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);
471  if (r < 0) {
472  goto end;
473  }
474 
475  sig = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value badhost\"; iprep:any,BadHosts,>,1; sid:1;rev:1;)");
476  if (sig == NULL) {
477  goto end;
478  }
479 
480  SigGroupBuild(de_ctx);
481  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
482 
483  p->alerts.cnt = 0;
484  p->action = 0;
485  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
486  if (p->alerts.cnt != 1 || PACKET_TEST_ACTION(p, ACTION_DROP)) {
487  goto end;
488  }
489 
490  result = 1;
491 end:
492  UTHFreePacket(p);
493  SigGroupCleanup(de_ctx);
494  SigCleanSignatures(de_ctx);
495 
496  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
497  DetectEngineCtxFree(de_ctx);
498 
499  HostShutdown();
500  return result;
501 }
502 
503 static int DetectIPRepTest02(void)
504 {
505  ThreadVars th_v;
506  DetectEngineThreadCtx *det_ctx = NULL;
507  Signature *sig = NULL;
508  FILE *fd = NULL;
509  int result = 0, r = 0;
510  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
512 
514  memset(&th_v, 0, sizeof(th_v));
515 
516  if (de_ctx == NULL || p == NULL)
517  goto end;
518 
519  p->src.addr_data32[0] = UTHSetIPv4Address("10.0.0.1");
520  de_ctx->flags |= DE_QUIET;
521 
522  SRepInit(de_ctx);
524 
525  fd = DetectIPRepGenerateCategoriesDummy();
526  r = SRepLoadCatFileFromFD(fd);
527  if (r < 0) {
528  goto end;
529  }
530 
531  fd = DetectIPRepGenerateNetworksDummy();
532  r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);
533  if (r < 0) {
534  goto end;
535  }
536 
537  sig = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value badhost\"; iprep:src,BadHosts,>,1; sid:1; rev:1;)");
538  if (sig == NULL) {
539  goto end;
540  }
541 
542  SigGroupBuild(de_ctx);
543  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
544 
545  p->alerts.cnt = 0;
546  p->action = 0;
547  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
548  if (p->alerts.cnt != 1 || PACKET_TEST_ACTION(p, ACTION_DROP)) {
549  goto end;
550  }
551 
552  result = 1;
553 end:
554  UTHFreePacket(p);
555  SigGroupCleanup(de_ctx);
556  SigCleanSignatures(de_ctx);
557 
558  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
559  DetectEngineCtxFree(de_ctx);
560 
561  HostShutdown();
562  return result;
563 }
564 
565 static int DetectIPRepTest03(void)
566 {
567  ThreadVars th_v;
568  DetectEngineThreadCtx *det_ctx = NULL;
569  Signature *sig = NULL;
570  FILE *fd = NULL;
571  int result = 0, r = 0;
572  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
574 
576  memset(&th_v, 0, sizeof(th_v));
577 
578  if (de_ctx == NULL || p == NULL)
579  goto end;
580 
581  p->dst.addr_data32[0] = UTHSetIPv4Address("10.0.0.2");
582  de_ctx->flags |= DE_QUIET;
583 
584  SRepInit(de_ctx);
586 
587  fd = DetectIPRepGenerateCategoriesDummy();
588  r = SRepLoadCatFileFromFD(fd);
589  if (r < 0) {
590  goto end;
591  }
592 
593  fd = DetectIPRepGenerateNetworksDummy();
594  r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);
595  if (r < 0) {
596  goto end;
597  }
598 
599  sig = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value badhost\"; iprep:dst,BadHosts,>,1; sid:1; rev:1;)");
600  if (sig == NULL) {
601  goto end;
602  }
603 
604  SigGroupBuild(de_ctx);
605  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
606 
607  p->alerts.cnt = 0;
608  p->action = 0;
609  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
610  if (p->alerts.cnt != 1 || PACKET_TEST_ACTION(p, ACTION_DROP)) {
611  goto end;
612  }
613 
614  result = 1;
615 end:
616  UTHFreePacket(p);
617  SigGroupCleanup(de_ctx);
618  SigCleanSignatures(de_ctx);
619 
620  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
621  DetectEngineCtxFree(de_ctx);
622 
623  HostShutdown();
624  return result;
625 }
626 
627 static int DetectIPRepTest04(void)
628 {
629  ThreadVars th_v;
630  DetectEngineThreadCtx *det_ctx = NULL;
631  Signature *sig = NULL;
632  FILE *fd = NULL;
633  int result = 0, r = 0;
634  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
636 
638  memset(&th_v, 0, sizeof(th_v));
639 
640  if (de_ctx == NULL || p == NULL)
641  goto end;
642 
643  p->src.addr_data32[0] = UTHSetIPv4Address("10.0.0.1");
644  p->dst.addr_data32[0] = UTHSetIPv4Address("10.0.0.2");
645  de_ctx->flags |= DE_QUIET;
646 
647  SRepInit(de_ctx);
649 
650  fd = DetectIPRepGenerateCategoriesDummy();
651  r = SRepLoadCatFileFromFD(fd);
652  if (r < 0) {
653  goto end;
654  }
655 
656  fd = DetectIPRepGenerateNetworksDummy();
657  r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);
658  if (r < 0) {
659  goto end;
660  }
661 
662  sig = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value badhost\"; iprep:both,BadHosts,>,1; sid:1; rev:1;)");
663  if (sig == NULL) {
664  goto end;
665  }
666 
667  SigGroupBuild(de_ctx);
668  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
669 
670  p->alerts.cnt = 0;
671  p->action = 0;
672  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
673  if (p->alerts.cnt != 1 || PACKET_TEST_ACTION(p, ACTION_DROP)) {
674  goto end;
675  }
676 
677  result = 1;
678 end:
679  UTHFreePacket(p);
680  SigGroupCleanup(de_ctx);
681  SigCleanSignatures(de_ctx);
682 
683  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
684  DetectEngineCtxFree(de_ctx);
685 
686  HostShutdown();
687  return result;
688 }
689 
690 static int DetectIPRepTest05(void)
691 {
692  ThreadVars th_v;
693  DetectEngineThreadCtx *det_ctx = NULL;
694  Signature *sig = NULL;
695  FILE *fd = NULL;
696  int result = 0, r = 0;
697  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
699 
701  memset(&th_v, 0, sizeof(th_v));
702 
703  if (de_ctx == NULL || p == NULL)
704  goto end;
705 
706  p->src.addr_data32[0] = UTHSetIPv4Address("1.0.0.1");
707  de_ctx->flags |= DE_QUIET;
708 
709  SRepInit(de_ctx);
711 
712  fd = DetectIPRepGenerateCategoriesDummy();
713  r = SRepLoadCatFileFromFD(fd);
714  if (r < 0) {
715  goto end;
716  }
717 
718  fd = DetectIPRepGenerateNetworksDummy();
719  r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);
720  if (r < 0) {
721  goto end;
722  }
723 
724  sig = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value badhost\"; iprep:any,BadHosts,>,1; sid:1; rev:1;)");
725  if (sig == NULL) {
726  goto end;
727  }
728 
729  SigGroupBuild(de_ctx);
730  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
731 
732  p->alerts.cnt = 0;
733  p->action = 0;
734  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
735  if (p->alerts.cnt != 1 || PACKET_TEST_ACTION(p, ACTION_DROP)) {
736  goto end;
737  }
738 
739  result = 1;
740 end:
741  UTHFreePacket(p);
742  SigGroupCleanup(de_ctx);
743  SigCleanSignatures(de_ctx);
744 
745  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
746  DetectEngineCtxFree(de_ctx);
747 
748  HostShutdown();
749  return result == 0;
750 }
751 
752 static int DetectIPRepTest06(void)
753 {
754  ThreadVars th_v;
755  DetectEngineThreadCtx *det_ctx = NULL;
756  Signature *sig = NULL;
757  FILE *fd = NULL;
758  int result = 0, r = 0;
759  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
761 
763  memset(&th_v, 0, sizeof(th_v));
764 
765  if (de_ctx == NULL || p == NULL)
766  goto end;
767 
768  p->src.addr_data32[0] = UTHSetIPv4Address("1.0.0.1");
769  de_ctx->flags |= DE_QUIET;
770 
771  SRepInit(de_ctx);
773 
774  fd = DetectIPRepGenerateCategoriesDummy();
775  r = SRepLoadCatFileFromFD(fd);
776  if (r < 0) {
777  goto end;
778  }
779 
780  fd = DetectIPRepGenerateNetworksDummy();
781  r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);
782  if (r < 0) {
783  goto end;
784  }
785 
786  sig = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value badhost\"; iprep:any,BadHosts,>,1; sid:1; rev:1;)");
787  if (sig == NULL) {
788  goto end;
789  }
790 
791  SigGroupBuild(de_ctx);
792  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
793 
794  p->alerts.cnt = 0;
795  p->action = 0;
796  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
797  if (p->alerts.cnt != 1 || PACKET_TEST_ACTION(p, ACTION_DROP)) {
798  goto end;
799  }
800 
801  result = 1;
802 end:
803  UTHFreePacket(p);
804  SigGroupCleanup(de_ctx);
805  SigCleanSignatures(de_ctx);
806 
807  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
808  DetectEngineCtxFree(de_ctx);
809 
810  HostShutdown();
811  return result == 0;
812 }
813 
814 static int DetectIPRepTest07(void)
815 {
816  ThreadVars th_v;
817  DetectEngineThreadCtx *det_ctx = NULL;
818  Signature *sig = NULL;
819  FILE *fd = NULL;
820  int result = 0, r = 0;
821  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
823 
825  memset(&th_v, 0, sizeof(th_v));
826 
827  if (de_ctx == NULL || p == NULL)
828  goto end;
829 
830  p->dst.addr_data32[0] = UTHSetIPv4Address("1.0.0.2");
831  de_ctx->flags |= DE_QUIET;
832 
833  SRepInit(de_ctx);
835 
836  fd = DetectIPRepGenerateCategoriesDummy();
837  r = SRepLoadCatFileFromFD(fd);
838  if (r < 0) {
839  goto end;
840  }
841 
842  fd = DetectIPRepGenerateNetworksDummy();
843  r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);
844  if (r < 0) {
845  goto end;
846  }
847 
848  sig = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value badhost\"; iprep:any,BadHosts,>,1; sid:1; rev:1;)");
849  if (sig == NULL) {
850  goto end;
851  }
852 
853  SigGroupBuild(de_ctx);
854  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
855 
856  p->alerts.cnt = 0;
857  p->action = 0;
858  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
859  if (p->alerts.cnt != 1 || PACKET_TEST_ACTION(p, ACTION_DROP)) {
860  goto end;
861  }
862 
863  result = 1;
864 end:
865  UTHFreePacket(p);
866  SigGroupCleanup(de_ctx);
867  SigCleanSignatures(de_ctx);
868 
869  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
870  DetectEngineCtxFree(de_ctx);
871 
872  HostShutdown();
873  return result == 0;
874 }
875 
876 static int DetectIPRepTest08(void)
877 {
878  ThreadVars th_v;
879  DetectEngineThreadCtx *det_ctx = NULL;
880  Signature *sig = NULL;
881  FILE *fd = NULL;
882  int result = 0, r = 0;
883  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
885 
887  memset(&th_v, 0, sizeof(th_v));
888 
889  if (de_ctx == NULL || p == NULL)
890  goto end;
891 
892  p->src.addr_data32[0] = UTHSetIPv4Address("1.0.0.1");
893  p->dst.addr_data32[0] = UTHSetIPv4Address("1.0.0.2");
894  de_ctx->flags |= DE_QUIET;
895 
896  SRepInit(de_ctx);
898 
899  fd = DetectIPRepGenerateCategoriesDummy();
900  r = SRepLoadCatFileFromFD(fd);
901  if (r < 0) {
902  goto end;
903  }
904 
905  fd = DetectIPRepGenerateNetworksDummy();
906  r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);
907  if (r < 0) {
908  goto end;
909  }
910 
911  sig = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value badhost\"; iprep:any,BadHosts,>,1; sid:1; rev:1;)");
912  if (sig == NULL) {
913  goto end;
914  }
915 
916  SigGroupBuild(de_ctx);
917  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
918 
919  p->alerts.cnt = 0;
920  p->action = 0;
921  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
922  if (p->alerts.cnt != 1 || PACKET_TEST_ACTION(p, ACTION_DROP)) {
923  goto end;
924  }
925 
926  result = 1;
927 end:
928  UTHFreePacket(p);
929  SigGroupCleanup(de_ctx);
930  SigCleanSignatures(de_ctx);
931 
932  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
933  DetectEngineCtxFree(de_ctx);
934 
935  HostShutdown();
936  return result == 0;
937 }
938 
939 static int DetectIPRepTest09(void)
940 {
941  ThreadVars th_v;
942  DetectEngineThreadCtx *det_ctx = NULL;
943  Signature *sig = NULL;
944  FILE *fd = NULL;
945  int result = 0, r = 0;
946  Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
948 
950  memset(&th_v, 0, sizeof(th_v));
951 
952  if (de_ctx == NULL || p == NULL)
953  goto end;
954 
955  p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1");
956  p->dst.addr_data32[0] = UTHSetIPv4Address("192.168.0.2");
957  de_ctx->flags |= DE_QUIET;
958 
959  SRepInit(de_ctx);
961 
962  fd = DetectIPRepGenerateCategoriesDummy2();
963  r = SRepLoadCatFileFromFD(fd);
964  if (r < 0) {
965  goto end;
966  }
967 
968  fd = DetectIPRepGenerateNetworksDummy2();
969  r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);
970  if (r < 0) {
971  goto end;
972  }
973 
974  sig = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"test\"; iprep:src,BadHosts,>,9; sid:1; rev:1;)");
975  if (sig == NULL) {
976  goto end;
977  }
978 
979  SigGroupBuild(de_ctx);
980  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
981 
982  p->alerts.cnt = 0;
983  p->action = 0;
984  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
985  if (p->alerts.cnt != 1 || PACKET_TEST_ACTION(p, ACTION_DROP)) {
986  goto end;
987  }
988 
989  result = 1;
990 end:
991  UTHFreePacket(p);
992  SigGroupCleanup(de_ctx);
993  SigCleanSignatures(de_ctx);
994 
995  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
996  DetectEngineCtxFree(de_ctx);
997 
998  HostShutdown();
999  return result;
1000 }
1001 #endif /* UNITTESTS */
1002 
1003 /**
1004  * \brief this function registers unit tests for IPRep
1005  */
1007 {
1008 #ifdef UNITTESTS
1009  UtRegisterTest("DetectIPRepTest01", DetectIPRepTest01);
1010  UtRegisterTest("DetectIPRepTest02", DetectIPRepTest02);
1011  UtRegisterTest("DetectIPRepTest03", DetectIPRepTest03);
1012  UtRegisterTest("DetectIPRepTest04", DetectIPRepTest04);
1013  UtRegisterTest("DetectIPRepTest05", DetectIPRepTest05);
1014  UtRegisterTest("DetectIPRepTest06", DetectIPRepTest06);
1015  UtRegisterTest("DetectIPRepTest07", DetectIPRepTest07);
1016  UtRegisterTest("DetectIPRepTest08", DetectIPRepTest08);
1017  UtRegisterTest("DetectIPRepTest09", DetectIPRepTest09);
1018 #endif /* UNITTESTS */
1019 }
void HostShutdown(void)
shutdown the flow engine
Definition: host.c:300
#define PKT_HOST_DST_LOOKED_UP
Definition: decode.h:1105
int SRepInit(DetectEngineCtx *de_ctx)
init reputation
Definition: reputation.c:579
void HostRelease(Host *h)
Definition: host.c:475
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1406
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1149
#define SCLogDebug(...)
Definition: util-debug.h:335
#define HOST_QUIET
Definition: host.h:93
void IPRepRegisterTests(void)
this function registers unit tests for IPRep
#define PACKET_TEST_ACTION(p, a)
Definition: decode.h:860
#define DETECT_IPREP_OP_LT
Definition: detect-iprep.h:32
#define SCFmemopen
Definition: util-fmemopen.h:52
#define unlikely(expr)
Definition: util-optimize.h:35
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
uint32_t UTHSetIPv4Address(const char *str)
return the uint32_t for a ipv4 address string
Signature * sig_list
Definition: detect.h:729
uint8_t SRepCIDRGetIPRepSrc(SRepCIDRTree *cidr_ctx, Packet *p, uint8_t cat, uint32_t version)
Definition: reputation.c:146
#define DETECT_IPREP_CMD_BOTH
Definition: detect-iprep.h:28
Address dst
Definition: decode.h:411
void SigCleanSignatures(DetectEngineCtx *de_ctx)
uint32_t srep_version
Definition: detect.h:733
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
const char * name
Definition: detect.h:1163
Signature container.
Definition: detect.h:495
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:317
struct Host_ * host_src
Definition: decode.h:557
main detection engine ctx
Definition: detect.h:723
void HostInitConfig(char quiet)
initialize the configuration
Definition: host.c:168
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
#define DE_QUIET
Definition: detect.h:296
void DetectIPRepRegister(void)
Definition: detect-iprep.c:61
uint8_t rep[SREP_MAX_CATS]
Definition: reputation.h:41
#define DETECT_IPREP_CMD_SRC
Definition: detect-iprep.h:29
uint8_t flags
Definition: detect.h:724
#define DETECT_IPREP_OP_GT
Definition: detect-iprep.h:33
Data structures and function prototypes for keeping state for the detection engine.
void(* Free)(void *)
Definition: detect.h:1154
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1743
void DetectSetupParseRegexes(const char *parse_str, pcre **parse_regex, pcre_extra **parse_regex_study)
int SRepLoadFileFromFD(SRepCIDRTree *cidr_ctx, FILE *fp)
Definition: reputation.c:435
struct Host_ * host_dst
Definition: decode.h:558
uint32_t version
Definition: reputation.h:40
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
int SigGroupCleanup(DetectEngineCtx *de_ctx)
uint8_t type
Definition: detect.h:323
#define PKT_HOST_SRC_LOOKED_UP
Definition: decode.h:1104
#define DETECT_IPREP_CMD_ANY
Definition: detect-iprep.h:27
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:288
int SRepLoadCatFileFromFD(FILE *fp)
Definition: reputation.c:368
SigMatchCtx * ctx
Definition: detect.h:325
#define SCMalloc(a)
Definition: util-mem.h:166
DetectEngineCtx * de_ctx
Definition: detect.h:1089
void * iprep
Definition: host.h:69
uint8_t version
Definition: decode-gre.h:405
#define SCFree(a)
Definition: util-mem.h:228
PoolThreadReserved res
Definition: host.h:58
void DetectIPRepFree(void *)
Definition: detect-iprep.c:378
SRepCIDRTree * srepCIDR_ctx
Definition: detect.h:736
int(* Match)(ThreadVars *, DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1132
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself...
#define HostReference(dst_h_ptr, h)
Definition: host.h:117
#define MAX_SUBSTRINGS
PacketAlerts alerts
Definition: decode.h:555
#define DETECT_IPREP_OP_EQ
Definition: detect-iprep.h:34
#define SIGMATCH_IPONLY_COMPAT
Definition: detect.h:1333
uint8_t SRepCIDRGetIPRepDst(SRepCIDRTree *cidr_ctx, Packet *p, uint8_t cat, uint32_t version)
Definition: reputation.c:158
uint8_t SRepCatGetByShortname(char *shortname)
Definition: reputation.c:340
uint16_t cnt
Definition: decode.h:291
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:232
Per thread variable structure.
Definition: threadvars.h:57
#define ACTION_DROP
uint32_t flags
Definition: decode.h:441
Host * HostLookupHostFromHash(Address *a)
look up a host in the hash
Definition: host.c:599
void SRepResetVersion(void)
Definition: reputation.c:60
uint16_t flags
Definition: detect.h:1157
#define PARSE_REGEX
Definition: detect-iprep.c:51
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
void(* RegisterTests)(void)
Definition: detect.h:1155
a single match condition for a signature
Definition: detect.h:322
#define DETECT_IPREP_CMD_DST
Definition: detect-iprep.h:30
Address src
Definition: decode.h:410
void HostLock(Host *h)
Definition: host.c:481
DetectEngineCtx * DetectEngineCtxInit(void)
uint8_t action
Definition: decode.h:544