suricata
detect-itype.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Gerardo Iglesias <iglesiasg@gmail.com>
22  *
23  * Implements itype keyword support
24  */
25 
26 #include "suricata-common.h"
27 #include "debug.h"
28 #include "decode.h"
29 
30 #include "detect.h"
31 #include "detect-parse.h"
33 
34 #include "detect-itype.h"
35 
36 #include "util-byte.h"
37 #include "util-unittest.h"
38 #include "util-unittest-helper.h"
39 #include "util-debug.h"
40 
41 /**
42  *\brief Regex for parsing our itype options
43  */
44 #define PARSE_REGEX "^\\s*(<|>)?\\s*([0-9]+)\\s*(?:<>\\s*([0-9]+))?\\s*$"
45 
46 static DetectParseRegex parse_regex;
47 
48 static int DetectITypeMatch(DetectEngineThreadCtx *, Packet *,
49  const Signature *, const SigMatchCtx *);
50 static int DetectITypeSetup(DetectEngineCtx *, Signature *, const char *);
51 void DetectITypeRegisterTests(void);
52 void DetectITypeFree(DetectEngineCtx *, void *);
53 
54 static int PrefilterSetupIType(DetectEngineCtx *de_ctx, SigGroupHead *sgh);
55 static bool PrefilterITypeIsPrefilterable(const Signature *s);
56 
57 /**
58  * \brief Registration function for itype: keyword
59  */
61 {
62  sigmatch_table[DETECT_ITYPE].name = "itype";
63  sigmatch_table[DETECT_ITYPE].desc = "match on a specific ICMP type";
64  sigmatch_table[DETECT_ITYPE].url = "/rules/header-keywords.html#itype";
65  sigmatch_table[DETECT_ITYPE].Match = DetectITypeMatch;
66  sigmatch_table[DETECT_ITYPE].Setup = DetectITypeSetup;
69 
70  sigmatch_table[DETECT_ITYPE].SupportsPrefilter = PrefilterITypeIsPrefilterable;
71  sigmatch_table[DETECT_ITYPE].SetupPrefilter = PrefilterSetupIType;
72 
73  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
74 }
75 
76 #define DETECT_ITYPE_EQ PREFILTER_U8HASH_MODE_EQ /**< "equal" operator */
77 #define DETECT_ITYPE_LT PREFILTER_U8HASH_MODE_LT /**< "less than" operator */
78 #define DETECT_ITYPE_GT PREFILTER_U8HASH_MODE_GT /**< "greater than" operator */
79 #define DETECT_ITYPE_RN PREFILTER_U8HASH_MODE_RA /**< "range" operator */
80 
81 typedef struct DetectITypeData_ {
82  uint8_t type1;
83  uint8_t type2;
84 
85  uint8_t mode;
87 
88 static inline int ITypeMatch(const uint8_t ptype, const uint8_t mode,
89  const uint8_t dtype1, const uint8_t dtype2)
90 {
91  switch (mode) {
92  case DETECT_ITYPE_EQ:
93  return (ptype == dtype1) ? 1 : 0;
94 
95  case DETECT_ITYPE_LT:
96  return (ptype < dtype1) ? 1 : 0;
97 
98  case DETECT_ITYPE_GT:
99  return (ptype > dtype1) ? 1 : 0;
100 
101  case DETECT_ITYPE_RN:
102  return (ptype > dtype1 && ptype < dtype2) ? 1 : 0;
103  }
104  return 0;
105 }
106 
107 /**
108  * \brief This function is used to match itype rule option set on a packet with those passed via itype:
109  *
110  * \param t pointer to thread vars
111  * \param det_ctx pointer to the pattern matcher thread
112  * \param p pointer to the current packet
113  * \param m pointer to the sigmatch that we will cast into DetectITypeData
114  *
115  * \retval 0 no match
116  * \retval 1 match
117  */
118 static int DetectITypeMatch (DetectEngineThreadCtx *det_ctx, Packet *p,
119  const Signature *s, const SigMatchCtx *ctx)
120 {
121  if (PKT_IS_PSEUDOPKT(p))
122  return 0;
123 
124  uint8_t pitype;
125  if (PKT_IS_ICMPV4(p)) {
126  pitype = ICMPV4_GET_TYPE(p);
127  } else if (PKT_IS_ICMPV6(p)) {
128  pitype = ICMPV6_GET_TYPE(p);
129  } else {
130  /* Packet not ICMPv4 nor ICMPv6 */
131  return 0;
132  }
133 
134  const DetectITypeData *itd = (const DetectITypeData *)ctx;
135  return ITypeMatch(pitype, itd->mode, itd->type1, itd->type2);
136 }
137 
138 /**
139  * \brief This function is used to parse itype options passed via itype: keyword
140  *
141  * \param de_ctx Pointer to the detection engine context
142  * \param itypestr Pointer to the user provided itype options
143  *
144  * \retval itd pointer to DetectITypeData on success
145  * \retval NULL on failure
146  */
147 static DetectITypeData *DetectITypeParse(DetectEngineCtx *de_ctx, const char *itypestr)
148 {
149  DetectITypeData *itd = NULL;
150  char *args[3] = {NULL, NULL, NULL};
151  int ret = 0, res = 0;
152  int ov[MAX_SUBSTRINGS];
153 
154  ret = DetectParsePcreExec(&parse_regex, itypestr, 0, 0, ov, MAX_SUBSTRINGS);
155  if (ret < 1 || ret > 4) {
156  SCLogError(SC_ERR_PCRE_MATCH, "pcre_exec parse error, ret %" PRId32 ", string %s", ret, itypestr);
157  goto error;
158  }
159 
160  int i;
161  const char *str_ptr;
162  for (i = 1; i < ret; i++) {
163  res = pcre_get_substring((char *)itypestr, ov, MAX_SUBSTRINGS, i, &str_ptr);
164  if (res < 0) {
165  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
166  goto error;
167  }
168  args[i-1] = (char *)str_ptr;
169  }
170 
171  itd = SCMalloc(sizeof(DetectITypeData));
172  if (unlikely(itd == NULL))
173  goto error;
174  itd->type1 = 0;
175  itd->type2 = 0;
176  itd->mode = 0;
177 
178  /* we have either "<" or ">" */
179  if (args[0] != NULL && strlen(args[0]) != 0) {
180  /* we have a third part ("<> y"), therefore it's invalid */
181  if (args[2] != NULL) {
182  SCLogError(SC_ERR_INVALID_VALUE, "itype: invalid value");
183  goto error;
184  }
185  /* we have only a comparison ("<", ">") */
186  if (StringParseUint8(&itd->type1, 10, 0, args[1]) < 0) {
187  SCLogError(SC_ERR_INVALID_ARGUMENT, "specified icmp type %s is not "
188  "valid", args[1]);
189  goto error;
190  }
191  if ((strcmp(args[0], ">")) == 0) itd->mode = DETECT_ITYPE_GT;
192  else itd->mode = DETECT_ITYPE_LT;
193  } else { /* no "<", ">" */
194  /* we have a range ("<>") */
195  if (args[2] != NULL) {
196  itd->mode = (uint8_t) DETECT_ITYPE_RN;
197  if (StringParseUint8(&itd->type1, 10, 0, args[1]) < 0) {
198  SCLogError(SC_ERR_INVALID_ARGUMENT, "specified icmp type %s is not "
199  "valid", args[1]);
200  goto error;
201  }
202  if (StringParseUint8(&itd->type2, 10, 0, args[2]) < 0) {
203  SCLogError(SC_ERR_INVALID_ARGUMENT, "specified icmp type %s is not "
204  "valid", args[2]);
205  goto error;
206  }
207  /* we check that the first given value in the range is less than
208  the second, otherwise we swap them */
209  if (itd->type1 > itd->type2) {
210  uint8_t temp = itd->type1;
211  itd->type1 = itd->type2;
212  itd->type2 = temp;
213  }
214  } else { /* we have an equality */
215  itd->mode = DETECT_ITYPE_EQ;
216  if (StringParseUint8(&itd->type1, 10, 0, args[1]) < 0) {
217  SCLogError(SC_ERR_INVALID_ARGUMENT, "specified icmp type %s is not "
218  "valid", args[1]);
219  goto error;
220  }
221  }
222  }
223 
224  for (i = 0; i < (ret-1); i++) {
225  if (args[i] != NULL)
226  SCFree(args[i]);
227  }
228  return itd;
229 
230 error:
231  for (i = 0; i < (ret-1) && i < 3; i++) {
232  if (args[i] != NULL)
233  SCFree(args[i]);
234  }
235  if (itd != NULL)
236  DetectITypeFree(de_ctx, itd);
237  return NULL;
238 }
239 
240 /**
241  * \brief this function is used to add the parsed itype data into the current signature
242  *
243  * \param de_ctx pointer to the Detection Engine Context
244  * \param s pointer to the Current Signature
245  * \param itypestr pointer to the user provided itype options
246  *
247  * \retval 0 on Success
248  * \retval -1 on Failure
249  */
250 static int DetectITypeSetup(DetectEngineCtx *de_ctx, Signature *s, const char *itypestr)
251 {
252 
253  DetectITypeData *itd = NULL;
254  SigMatch *sm = NULL;
255 
256  itd = DetectITypeParse(de_ctx, itypestr);
257  if (itd == NULL) goto error;
258 
259  sm = SigMatchAlloc();
260  if (sm == NULL) goto error;
261 
262  sm->type = DETECT_ITYPE;
263  sm->ctx = (SigMatchCtx *)itd;
264 
267 
268  return 0;
269 
270 error:
271  if (itd != NULL) DetectITypeFree(de_ctx, itd);
272  if (sm != NULL) SCFree(sm);
273  return -1;
274 }
275 
276 /**
277  * \brief this function will free memory associated with DetectITypeData
278  *
279  * \param ptr pointer to DetectITypeData
280  */
282 {
283  DetectITypeData *itd = (DetectITypeData *)ptr;
284  SCFree(itd);
285 }
286 
287 /* prefilter code
288  *
289  * Prefilter uses the U8Hash logic, where we setup a 256 entry array
290  * for each ICMP type. Each array element has the list of signatures
291  * that need to be inspected. */
292 
293 static void PrefilterPacketITypeMatch(DetectEngineThreadCtx *det_ctx,
294  Packet *p, const void *pectx)
295 {
296  if (PKT_IS_PSEUDOPKT(p)) {
297  SCReturn;
298  }
299 
300  uint8_t pitype;
301  if (PKT_IS_ICMPV4(p)) {
302  pitype = ICMPV4_GET_TYPE(p);
303  } else if (PKT_IS_ICMPV6(p)) {
304  pitype = ICMPV6_GET_TYPE(p);
305  } else {
306  /* Packet not ICMPv4 nor ICMPv6 */
307  return;
308  }
309 
310  const PrefilterPacketU8HashCtx *h = pectx;
311  const SigsArray *sa = h->array[pitype];
312  if (sa) {
313  PrefilterAddSids(&det_ctx->pmq, sa->sigs, sa->cnt);
314  }
315 }
316 
317 static void
318 PrefilterPacketITypeSet(PrefilterPacketHeaderValue *v, void *smctx)
319 {
320  const DetectITypeData *a = smctx;
321  v->u8[0] = a->mode;
322  v->u8[1] = a->type1;
323  v->u8[2] = a->type2;
324 }
325 
326 static bool
327 PrefilterPacketITypeCompare(PrefilterPacketHeaderValue v, void *smctx)
328 {
329  const DetectITypeData *a = smctx;
330  if (v.u8[0] == a->mode &&
331  v.u8[1] == a->type1 &&
332  v.u8[2] == a->type2)
333  return TRUE;
334  return FALSE;
335 }
336 
337 static int PrefilterSetupIType(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
338 {
340  PrefilterPacketITypeSet,
341  PrefilterPacketITypeCompare,
342  PrefilterPacketITypeMatch);
343 }
344 
345 static bool PrefilterITypeIsPrefilterable(const Signature *s)
346 {
347  const SigMatch *sm;
348  for (sm = s->init_data->smlists[DETECT_SM_LIST_MATCH] ; sm != NULL; sm = sm->next) {
349  switch (sm->type) {
350  case DETECT_ITYPE:
351  return TRUE;
352  }
353  }
354  return FALSE;
355 }
356 
357 #ifdef UNITTESTS
358 
359 #include "detect-engine.h"
360 #include "detect-engine-mpm.h"
361 
362 /**
363  * \test DetectITypeParseTest01 is a test for setting a valid itype value
364  */
365 static int DetectITypeParseTest01(void)
366 {
367  DetectITypeData *itd = NULL;
368  int result = 0;
369  itd = DetectITypeParse(NULL, "8");
370  if (itd != NULL) {
371  if (itd->type1 == 8 && itd->mode == DETECT_ITYPE_EQ)
372  result = 1;
373  DetectITypeFree(NULL, itd);
374  }
375  return result;
376 }
377 
378 /**
379  * \test DetectITypeParseTest02 is a test for setting a valid itype value
380  * with ">" operator
381  */
382 static int DetectITypeParseTest02(void)
383 {
384 DetectITypeData *itd = NULL;
385  int result = 0;
386  itd = DetectITypeParse(NULL, ">8");
387  if (itd != NULL) {
388  if (itd->type1 == 8 && itd->mode == DETECT_ITYPE_GT)
389  result = 1;
390  DetectITypeFree(NULL, itd);
391  }
392  return result;
393 }
394 
395 /**
396  * \test DetectITypeParseTest03 is a test for setting a valid itype value
397  * with "<" operator
398  */
399 static int DetectITypeParseTest03(void)
400 {
401  DetectITypeData *itd = NULL;
402  int result = 0;
403  itd = DetectITypeParse(NULL, "<8");
404  if (itd != NULL) {
405  if (itd->type1 == 8 && itd->mode == DETECT_ITYPE_LT)
406  result = 1;
407  DetectITypeFree(NULL, itd);
408  }
409  return result;
410 }
411 
412 /**
413  * \test DetectITypeParseTest04 is a test for setting a valid itype value
414  * with "<>" operator
415  */
416 static int DetectITypeParseTest04(void)
417 {
418 DetectITypeData *itd = NULL;
419  int result = 0;
420  itd = DetectITypeParse(NULL, "8<>20");
421  if (itd != NULL) {
422  if (itd->type1 == 8 && itd->type2 == 20 && itd->mode == DETECT_ITYPE_RN)
423  result = 1;
424  DetectITypeFree(NULL, itd);
425  }
426  return result;
427 }
428 
429 /**
430  * \test DetectITypeParseTest05 is a test for setting a valid itype value
431  * with spaces all around
432  */
433 static int DetectITypeParseTest05(void)
434 {
435 DetectITypeData *itd = NULL;
436  int result = 0;
437  itd = DetectITypeParse(NULL, " 8 ");
438  if (itd != NULL) {
439  if (itd->type1 == 8 && itd->mode == DETECT_ITYPE_EQ)
440  result = 1;
441  DetectITypeFree(NULL, itd);
442  }
443  return result;
444 }
445 
446 /**
447  * \test DetectITypeParseTest06 is a test for setting a valid itype value
448  * with ">" operator and spaces all around
449  */
450 static int DetectITypeParseTest06(void)
451 {
452 DetectITypeData *itd = NULL;
453  int result = 0;
454  itd = DetectITypeParse(NULL, " > 8 ");
455  if (itd != NULL) {
456  if (itd->type1 == 8 && itd->mode == DETECT_ITYPE_GT)
457  result = 1;
458  DetectITypeFree(NULL, itd);
459  }
460  return result;
461 }
462 
463 /**
464  * \test DetectITypeParseTest07 is a test for setting a valid itype value
465  * with "<>" operator and spaces all around
466  */
467 static int DetectITypeParseTest07(void)
468 {
469 DetectITypeData *itd = NULL;
470  int result = 0;
471  itd = DetectITypeParse(NULL, " 8 <> 20 ");
472  if (itd != NULL) {
473  if (itd->type1 == 8 && itd->type2 == 20 && itd->mode == DETECT_ITYPE_RN)
474  result = 1;
475  DetectITypeFree(NULL, itd);
476  }
477  return result;
478 }
479 
480 /**
481  * \test DetectITypeParseTest08 is a test for setting an invalid itype value
482  */
483 static int DetectITypeParseTest08(void)
484 {
485  DetectITypeData *itd = NULL;
486  itd = DetectITypeParse(NULL, "> 8 <> 20");
487  if (itd == NULL)
488  return 1;
489  DetectITypeFree(NULL, itd);
490  return 0;
491 }
492 
493 /**
494  * \test DetectITypeMatchTest01 is a test for checking the working of itype
495  * keyword by creating 5 rules and matching a crafted packet against
496  * them. 4 out of 5 rules shall trigger.
497  */
498 static int DetectITypeMatchTest01(void)
499 {
500 
501  Packet *p = NULL;
502  Signature *s = NULL;
503  ThreadVars th_v;
504  DetectEngineThreadCtx *det_ctx;
505  int result = 0;
506 
507  memset(&th_v, 0, sizeof(th_v));
508 
509  p = UTHBuildPacket(NULL, 0, IPPROTO_ICMP);
510  p->icmpv4h->type = 10;
511 
513  if (de_ctx == NULL) {
514  goto end;
515  }
516 
517  de_ctx->flags |= DE_QUIET;
518 
519  s = de_ctx->sig_list = SigInit(de_ctx,"alert icmp any any -> any any (itype:10; sid:1;)");
520  if (s == NULL) {
521  goto end;
522  }
523 
524  s = s->next = SigInit(de_ctx,"alert icmp any any -> any any (itype:<15; sid:2;)");
525  if (s == NULL) {
526  goto end;
527  }
528 
529  s = s->next = SigInit(de_ctx,"alert icmp any any -> any any (itype:>20; sid:3;)");
530  if (s == NULL) {
531  goto end;
532  }
533 
534  s = s->next = SigInit(de_ctx,"alert icmp any any -> any any (itype:8<>20; sid:4;)");
535  if (s == NULL) {
536  goto end;
537  }
538 
539  s = s->next = SigInit(de_ctx,"alert icmp any any -> any any (itype:20<>8; sid:5;)");
540  if (s == NULL) {
541  goto end;
542  }
543 
544 
546  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
547 
548  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
549  if (PacketAlertCheck(p, 1) == 0) {
550  SCLogDebug("sid 1 did not alert, but should have");
551  goto cleanup;
552  } else if (PacketAlertCheck(p, 2) == 0) {
553  SCLogDebug("sid 2 did not alert, but should have");
554  goto cleanup;
555  } else if (PacketAlertCheck(p, 3)) {
556  SCLogDebug("sid 3 alerted, but should not have");
557  goto cleanup;
558  } else if (PacketAlertCheck(p, 4) == 0) {
559  SCLogDebug("sid 4 did not alert, but should have");
560  goto cleanup;
561  } else if (PacketAlertCheck(p, 5) == 0) {
562  SCLogDebug("sid 5 did not alert, but should have");
563  goto cleanup;
564  }
565 
566  result = 1;
567 
568 cleanup:
571 
572  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
574 
575  UTHFreePackets(&p, 1);
576 end:
577  return result;
578 }
579 
580 
581 #endif /* UNITTESTS */
582 
583 /**
584  * \brief this function registers unit tests for DetectIType
585  */
587 {
588 #ifdef UNITTESTS
589  UtRegisterTest("DetectITypeParseTest01", DetectITypeParseTest01);
590  UtRegisterTest("DetectITypeParseTest02", DetectITypeParseTest02);
591  UtRegisterTest("DetectITypeParseTest03", DetectITypeParseTest03);
592  UtRegisterTest("DetectITypeParseTest04", DetectITypeParseTest04);
593  UtRegisterTest("DetectITypeParseTest05", DetectITypeParseTest05);
594  UtRegisterTest("DetectITypeParseTest06", DetectITypeParseTest06);
595  UtRegisterTest("DetectITypeParseTest07", DetectITypeParseTest07);
596  UtRegisterTest("DetectITypeParseTest08", DetectITypeParseTest08);
597  UtRegisterTest("DetectITypeMatchTest01", DetectITypeMatchTest01);
598 #endif /* UNITTESTS */
599 }
util-byte.h
DetectITypeRegister
void DetectITypeRegister(void)
Registration function for itype: keyword.
Definition: detect-itype.c:60
DetectITypeFree
void DetectITypeFree(DetectEngineCtx *, void *)
this function will free memory associated with DetectITypeData
Definition: detect-itype.c:281
SigTableElmt_::url
const char * url
Definition: detect.h:1212
detect-engine.h
SigTableElmt_::desc
const char * desc
Definition: detect.h:1211
SC_ERR_INVALID_VALUE
@ SC_ERR_INVALID_VALUE
Definition: util-error.h:160
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1200
DETECT_ITYPE_LT
#define DETECT_ITYPE_LT
Definition: detect-itype.c:77
DETECT_ITYPE_RN
#define DETECT_ITYPE_RN
Definition: detect-itype.c:79
SigTableElmt_::name
const char * name
Definition: detect.h:1209
PKT_IS_PSEUDOPKT
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1125
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1345
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
PrefilterPacketU8HashCtx_::array
SigsArray * array[256]
Definition: detect-engine-prefilter-common.h:51
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
DetectITypeData_::type2
uint8_t type2
Definition: detect-itype.c:83
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2033
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1110
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:766
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2089
PrefilterPacketHeaderValue::u8
uint8_t u8[16]
Definition: detect-engine-prefilter-common.h:22
DetectITypeData_::type1
uint8_t type1
Definition: detect-itype.c:82
DE_QUIET
#define DE_QUIET
Definition: detect.h:293
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:336
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:39
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1195
DETECT_ITYPE
@ DETECT_ITYPE
Definition: detect-engine-register.h:45
util-unittest.h
util-unittest-helper.h
PARSE_REGEX
#define PARSE_REGEX
Regex for parsing our itype options.
Definition: detect-itype.c:44
SigTableElmt_::SetupPrefilter
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
Definition: detect.h:1198
Signature_::next
struct Signature_ * next
Definition: detect.h:599
DetectITypeData
struct DetectITypeData_ DetectITypeData
decode.h
util-debug.h
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1009
ICMPV4_GET_TYPE
#define ICMPV4_GET_TYPE(p)
Definition: decode-icmpv4.h:215
res
PoolThreadReserved res
Definition: stream-tcp-private.h:0
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2456
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:323
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:89
SC_ERR_INVALID_ARGUMENT
@ SC_ERR_INVALID_ARGUMENT
Definition: util-error.h:43
detect-itype.h
TRUE
#define TRUE
Definition: suricata-common.h:33
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:322
PKT_IS_ICMPV6
#define PKT_IS_ICMPV6(p)
Definition: decode.h:259
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1668
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1947
FALSE
#define FALSE
Definition: suricata-common.h:34
SCReturn
#define SCReturn
Definition: util-debug.h:302
Signature_::flags
uint32_t flags
Definition: detect.h:528
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options, int *ovector, int ovector_size)
Definition: detect-parse.c:2388
Packet_
Definition: decode.h:411
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:596
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1178
SignatureInitData_::smlists
struct SigMatch_ ** smlists
Definition: detect.h:521
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1876
SigMatch_::type
uint8_t type
Definition: detect.h:320
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:314
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2793
SigsArray_::sigs
SigIntId * sigs
Definition: detect-engine-prefilter-common.h:45
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3001
SigsArray_
Definition: detect-engine-prefilter-common.h:44
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectParseRegex_
Definition: detect-parse.h:42
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
SigsArray_::cnt
uint32_t cnt
Definition: detect-engine-prefilter-common.h:46
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:772
DetectITypeData_::mode
uint8_t mode
Definition: detect-itype.c:85
Packet_::icmpv4h
ICMPV4Hdr * icmpv4h
Definition: decode.h:531
PKT_IS_ICMPV4
#define PKT_IS_ICMPV4(p)
Definition: decode.h:258
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
DETECT_ITYPE_GT
#define DETECT_ITYPE_GT
Definition: detect-itype.c:78
SCFree
#define SCFree(p)
Definition: util-mem.h:61
SigTableElmt_::SupportsPrefilter
bool(* SupportsPrefilter)(const Signature *s)
Definition: detect.h:1197
detect-parse.h
Signature_
Signature container.
Definition: detect.h:527
SigMatch_
a single match condition for a signature
Definition: detect.h:319
ICMPV6_GET_TYPE
#define ICMPV6_GET_TYPE(p)
Definition: decode-icmpv6.h:102
DetectITypeRegisterTests
void DetectITypeRegisterTests(void)
this function registers unit tests for DetectIType
Definition: detect-itype.c:586
StringParseUint8
int StringParseUint8(uint8_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:359
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2044
PrefilterPacketU8HashCtx_
Definition: detect-engine-prefilter-common.h:50
PrefilterPacketHeaderValue
Definition: detect-engine-prefilter-common.h:21
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:767
detect-engine-prefilter-common.h
PrefilterSetupPacketHeaderU8Hash
int PrefilterSetupPacketHeaderU8Hash(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type, void(*Set)(PrefilterPacketHeaderValue *v, void *), bool(*Compare)(PrefilterPacketHeaderValue v, void *), void(*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
Definition: detect-engine-prefilter-common.c:396
DETECT_ITYPE_EQ
#define DETECT_ITYPE_EQ
Definition: detect-itype.c:76
DetectITypeData_
Definition: detect-itype.c:81
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
debug.h
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1201
SIG_FLAG_REQUIRE_PACKET
#define SIG_FLAG_REQUIRE_PACKET
Definition: detect.h:223
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:467