suricata
detect-itype.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2010 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Gerardo Iglesias <iglesiasg@gmail.com>
22  *
23  * Implements itype keyword support
24  */
25 
26 #include "suricata-common.h"
27 #include "debug.h"
28 #include "decode.h"
29 
30 #include "detect.h"
31 #include "detect-parse.h"
33 
34 #include "detect-itype.h"
35 
36 #include "util-byte.h"
37 #include "util-unittest.h"
38 #include "util-unittest-helper.h"
39 #include "util-debug.h"
40 
41 /**
42  *\brief Regex for parsing our itype options
43  */
44 #define PARSE_REGEX "^\\s*(<|>)?\\s*([0-9]+)\\s*(?:<>\\s*([0-9]+))?\\s*$"
45 
46 static pcre *parse_regex;
47 static pcre_extra *parse_regex_study;
48 
49 static int DetectITypeMatch(ThreadVars *, DetectEngineThreadCtx *, Packet *,
50  const Signature *, const SigMatchCtx *);
51 static int DetectITypeSetup(DetectEngineCtx *, Signature *, const char *);
52 void DetectITypeRegisterTests(void);
53 void DetectITypeFree(void *);
54 
55 static int PrefilterSetupIType(DetectEngineCtx *de_ctx, SigGroupHead *sgh);
56 static _Bool PrefilterITypeIsPrefilterable(const Signature *s);
57 
58 /**
59  * \brief Registration function for itype: keyword
60  */
62 {
63  sigmatch_table[DETECT_ITYPE].name = "itype";
64  sigmatch_table[DETECT_ITYPE].desc = "matching on a specific ICMP type";
65  sigmatch_table[DETECT_ITYPE].url = DOC_URL DOC_VERSION "/rules/header-keywords.html#itype";
66  sigmatch_table[DETECT_ITYPE].Match = DetectITypeMatch;
67  sigmatch_table[DETECT_ITYPE].Setup = DetectITypeSetup;
70 
71  sigmatch_table[DETECT_ITYPE].SupportsPrefilter = PrefilterITypeIsPrefilterable;
72  sigmatch_table[DETECT_ITYPE].SetupPrefilter = PrefilterSetupIType;
73 
74  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
75 }
76 
77 #define DETECT_ITYPE_EQ PREFILTER_U8HASH_MODE_EQ /**< "equal" operator */
78 #define DETECT_ITYPE_LT PREFILTER_U8HASH_MODE_LT /**< "less than" operator */
79 #define DETECT_ITYPE_GT PREFILTER_U8HASH_MODE_GT /**< "greater than" operator */
80 #define DETECT_ITYPE_RN PREFILTER_U8HASH_MODE_RA /**< "range" operator */
81 
82 typedef struct DetectITypeData_ {
83  uint8_t type1;
84  uint8_t type2;
85 
86  uint8_t mode;
88 
89 static inline int ITypeMatch(const uint8_t ptype, const uint8_t mode,
90  const uint8_t dtype1, const uint8_t dtype2)
91 {
92  switch (mode) {
93  case DETECT_ITYPE_EQ:
94  return (ptype == dtype1) ? 1 : 0;
95 
96  case DETECT_ITYPE_LT:
97  return (ptype < dtype1) ? 1 : 0;
98 
99  case DETECT_ITYPE_GT:
100  return (ptype > dtype1) ? 1 : 0;
101 
102  case DETECT_ITYPE_RN:
103  return (ptype > dtype1 && ptype < dtype2) ? 1 : 0;
104  }
105  return 0;
106 }
107 
108 /**
109  * \brief This function is used to match itype rule option set on a packet with those passed via itype:
110  *
111  * \param t pointer to thread vars
112  * \param det_ctx pointer to the pattern matcher thread
113  * \param p pointer to the current packet
114  * \param m pointer to the sigmatch that we will cast into DetectITypeData
115  *
116  * \retval 0 no match
117  * \retval 1 match
118  */
119 static int DetectITypeMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p,
120  const Signature *s, const SigMatchCtx *ctx)
121 {
122  if (PKT_IS_PSEUDOPKT(p))
123  return 0;
124 
125  uint8_t pitype;
126  if (PKT_IS_ICMPV4(p)) {
127  pitype = ICMPV4_GET_TYPE(p);
128  } else if (PKT_IS_ICMPV6(p)) {
129  pitype = ICMPV6_GET_TYPE(p);
130  } else {
131  /* Packet not ICMPv4 nor ICMPv6 */
132  return 0;
133  }
134 
135  const DetectITypeData *itd = (const DetectITypeData *)ctx;
136  return ITypeMatch(pitype, itd->mode, itd->type1, itd->type2);
137 }
138 
139 /**
140  * \brief This function is used to parse itype options passed via itype: keyword
141  *
142  * \param itypestr Pointer to the user provided itype options
143  *
144  * \retval itd pointer to DetectITypeData on success
145  * \retval NULL on failure
146  */
147 static DetectITypeData *DetectITypeParse(const char *itypestr)
148 {
149  DetectITypeData *itd = NULL;
150  char *args[3] = {NULL, NULL, NULL};
151 #define MAX_SUBSTRINGS 30
152  int ret = 0, res = 0;
153  int ov[MAX_SUBSTRINGS];
154 
155  ret = pcre_exec(parse_regex, parse_regex_study, itypestr, strlen(itypestr), 0, 0, ov, MAX_SUBSTRINGS);
156  if (ret < 1 || ret > 4) {
157  SCLogError(SC_ERR_PCRE_MATCH, "pcre_exec parse error, ret %" PRId32 ", string %s", ret, itypestr);
158  goto error;
159  }
160 
161  int i;
162  const char *str_ptr;
163  for (i = 1; i < ret; i++) {
164  res = pcre_get_substring((char *)itypestr, ov, MAX_SUBSTRINGS, i, &str_ptr);
165  if (res < 0) {
166  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
167  goto error;
168  }
169  args[i-1] = (char *)str_ptr;
170  }
171 
172  itd = SCMalloc(sizeof(DetectITypeData));
173  if (unlikely(itd == NULL))
174  goto error;
175  itd->type1 = 0;
176  itd->type2 = 0;
177  itd->mode = 0;
178 
179  /* we have either "<" or ">" */
180  if (args[0] != NULL && strlen(args[0]) != 0) {
181  /* we have a third part ("<> y"), therefore it's invalid */
182  if (args[2] != NULL) {
183  SCLogError(SC_ERR_INVALID_VALUE, "itype: invalid value");
184  goto error;
185  }
186  /* we have only a comparison ("<", ">") */
187  if (ByteExtractStringUint8(&itd->type1, 10, 0, args[1]) < 0) {
188  SCLogError(SC_ERR_INVALID_ARGUMENT, "specified icmp type %s is not "
189  "valid", args[1]);
190  goto error;
191  }
192  if ((strcmp(args[0], ">")) == 0) itd->mode = DETECT_ITYPE_GT;
193  else itd->mode = DETECT_ITYPE_LT;
194  } else { /* no "<", ">" */
195  /* we have a range ("<>") */
196  if (args[2] != NULL) {
197  itd->mode = (uint8_t) DETECT_ITYPE_RN;
198  if (ByteExtractStringUint8(&itd->type1, 10, 0, args[1]) < 0) {
199  SCLogError(SC_ERR_INVALID_ARGUMENT, "specified icmp type %s is not "
200  "valid", args[1]);
201  goto error;
202  }
203  if (ByteExtractStringUint8(&itd->type2, 10, 0, args[2]) < 0) {
204  SCLogError(SC_ERR_INVALID_ARGUMENT, "specified icmp type %s is not "
205  "valid", args[2]);
206  goto error;
207  }
208  /* we check that the first given value in the range is less than
209  the second, otherwise we swap them */
210  if (itd->type1 > itd->type2) {
211  uint8_t temp = itd->type1;
212  itd->type1 = itd->type2;
213  itd->type2 = temp;
214  }
215  } else { /* we have an equality */
216  itd->mode = DETECT_ITYPE_EQ;
217  if (ByteExtractStringUint8(&itd->type1, 10, 0, args[1]) < 0) {
218  SCLogError(SC_ERR_INVALID_ARGUMENT, "specified icmp type %s is not "
219  "valid", args[1]);
220  goto error;
221  }
222  }
223  }
224 
225  for (i = 0; i < (ret-1); i++) {
226  if (args[i] != NULL)
227  SCFree(args[i]);
228  }
229  return itd;
230 
231 error:
232  for (i = 0; i < (ret-1) && i < 3; i++) {
233  if (args[i] != NULL)
234  SCFree(args[i]);
235  }
236  if (itd != NULL)
237  DetectITypeFree(itd);
238  return NULL;
239 }
240 
241 /**
242  * \brief this function is used to add the parsed itype data into the current signature
243  *
244  * \param de_ctx pointer to the Detection Engine Context
245  * \param s pointer to the Current Signature
246  * \param itypestr pointer to the user provided itype options
247  *
248  * \retval 0 on Success
249  * \retval -1 on Failure
250  */
251 static int DetectITypeSetup(DetectEngineCtx *de_ctx, Signature *s, const char *itypestr)
252 {
253 
254  DetectITypeData *itd = NULL;
255  SigMatch *sm = NULL;
256 
257  itd = DetectITypeParse(itypestr);
258  if (itd == NULL) goto error;
259 
260  sm = SigMatchAlloc();
261  if (sm == NULL) goto error;
262 
263  sm->type = DETECT_ITYPE;
264  sm->ctx = (SigMatchCtx *)itd;
265 
268 
269  return 0;
270 
271 error:
272  if (itd != NULL) DetectITypeFree(itd);
273  if (sm != NULL) SCFree(sm);
274  return -1;
275 }
276 
277 /**
278  * \brief this function will free memory associated with DetectITypeData
279  *
280  * \param ptr pointer to DetectITypeData
281  */
282 void DetectITypeFree(void *ptr)
283 {
284  DetectITypeData *itd = (DetectITypeData *)ptr;
285  SCFree(itd);
286 }
287 
288 /* prefilter code
289  *
290  * Prefilter uses the U8Hash logic, where we setup a 256 entry array
291  * for each ICMP type. Each array element has the list of signatures
292  * that need to be inspected. */
293 
294 static void PrefilterPacketITypeMatch(DetectEngineThreadCtx *det_ctx,
295  Packet *p, const void *pectx)
296 {
297  if (PKT_IS_PSEUDOPKT(p)) {
298  SCReturn;
299  }
300 
301  uint8_t pitype;
302  if (PKT_IS_ICMPV4(p)) {
303  pitype = ICMPV4_GET_TYPE(p);
304  } else if (PKT_IS_ICMPV6(p)) {
305  pitype = ICMPV6_GET_TYPE(p);
306  } else {
307  /* Packet not ICMPv4 nor ICMPv6 */
308  return;
309  }
310 
311  const PrefilterPacketU8HashCtx *h = pectx;
312  const SigsArray *sa = h->array[pitype];
313  if (sa) {
314  PrefilterAddSids(&det_ctx->pmq, sa->sigs, sa->cnt);
315  }
316 }
317 
318 static void
319 PrefilterPacketITypeSet(PrefilterPacketHeaderValue *v, void *smctx)
320 {
321  const DetectITypeData *a = smctx;
322  v->u8[0] = a->mode;
323  v->u8[1] = a->type1;
324  v->u8[2] = a->type2;
325 }
326 
327 static _Bool
328 PrefilterPacketITypeCompare(PrefilterPacketHeaderValue v, void *smctx)
329 {
330  const DetectITypeData *a = smctx;
331  if (v.u8[0] == a->mode &&
332  v.u8[1] == a->type1 &&
333  v.u8[2] == a->type2)
334  return TRUE;
335  return FALSE;
336 }
337 
338 static int PrefilterSetupIType(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
339 {
341  PrefilterPacketITypeSet,
342  PrefilterPacketITypeCompare,
343  PrefilterPacketITypeMatch);
344 }
345 
346 static _Bool PrefilterITypeIsPrefilterable(const Signature *s)
347 {
348  const SigMatch *sm;
349  for (sm = s->init_data->smlists[DETECT_SM_LIST_MATCH] ; sm != NULL; sm = sm->next) {
350  switch (sm->type) {
351  case DETECT_ITYPE:
352  return TRUE;
353  }
354  }
355  return FALSE;
356 }
357 
358 #ifdef UNITTESTS
359 
360 #include "detect-engine.h"
361 #include "detect-engine-mpm.h"
362 
363 /**
364  * \test DetectITypeParseTest01 is a test for setting a valid itype value
365  */
366 static int DetectITypeParseTest01(void)
367 {
368  DetectITypeData *itd = NULL;
369  int result = 0;
370  itd = DetectITypeParse("8");
371  if (itd != NULL) {
372  if (itd->type1 == 8 && itd->mode == DETECT_ITYPE_EQ)
373  result = 1;
374  DetectITypeFree(itd);
375  }
376  return result;
377 }
378 
379 /**
380  * \test DetectITypeParseTest02 is a test for setting a valid itype value
381  * with ">" operator
382  */
383 static int DetectITypeParseTest02(void)
384 {
385 DetectITypeData *itd = NULL;
386  int result = 0;
387  itd = DetectITypeParse(">8");
388  if (itd != NULL) {
389  if (itd->type1 == 8 && itd->mode == DETECT_ITYPE_GT)
390  result = 1;
391  DetectITypeFree(itd);
392  }
393  return result;
394 }
395 
396 /**
397  * \test DetectITypeParseTest03 is a test for setting a valid itype value
398  * with "<" operator
399  */
400 static int DetectITypeParseTest03(void)
401 {
402  DetectITypeData *itd = NULL;
403  int result = 0;
404  itd = DetectITypeParse("<8");
405  if (itd != NULL) {
406  if (itd->type1 == 8 && itd->mode == DETECT_ITYPE_LT)
407  result = 1;
408  DetectITypeFree(itd);
409  }
410  return result;
411 }
412 
413 /**
414  * \test DetectITypeParseTest04 is a test for setting a valid itype value
415  * with "<>" operator
416  */
417 static int DetectITypeParseTest04(void)
418 {
419 DetectITypeData *itd = NULL;
420  int result = 0;
421  itd = DetectITypeParse("8<>20");
422  if (itd != NULL) {
423  if (itd->type1 == 8 && itd->type2 == 20 && itd->mode == DETECT_ITYPE_RN)
424  result = 1;
425  DetectITypeFree(itd);
426  }
427  return result;
428 }
429 
430 /**
431  * \test DetectITypeParseTest05 is a test for setting a valid itype value
432  * with spaces all around
433  */
434 static int DetectITypeParseTest05(void)
435 {
436 DetectITypeData *itd = NULL;
437  int result = 0;
438  itd = DetectITypeParse(" 8 ");
439  if (itd != NULL) {
440  if (itd->type1 == 8 && itd->mode == DETECT_ITYPE_EQ)
441  result = 1;
442  DetectITypeFree(itd);
443  }
444  return result;
445 }
446 
447 /**
448  * \test DetectITypeParseTest06 is a test for setting a valid itype value
449  * with ">" operator and spaces all around
450  */
451 static int DetectITypeParseTest06(void)
452 {
453 DetectITypeData *itd = NULL;
454  int result = 0;
455  itd = DetectITypeParse(" > 8 ");
456  if (itd != NULL) {
457  if (itd->type1 == 8 && itd->mode == DETECT_ITYPE_GT)
458  result = 1;
459  DetectITypeFree(itd);
460  }
461  return result;
462 }
463 
464 /**
465  * \test DetectITypeParseTest07 is a test for setting a valid itype value
466  * with "<>" operator and spaces all around
467  */
468 static int DetectITypeParseTest07(void)
469 {
470 DetectITypeData *itd = NULL;
471  int result = 0;
472  itd = DetectITypeParse(" 8 <> 20 ");
473  if (itd != NULL) {
474  if (itd->type1 == 8 && itd->type2 == 20 && itd->mode == DETECT_ITYPE_RN)
475  result = 1;
476  DetectITypeFree(itd);
477  }
478  return result;
479 }
480 
481 /**
482  * \test DetectITypeParseTest08 is a test for setting an invalid itype value
483  */
484 static int DetectITypeParseTest08(void)
485 {
486  DetectITypeData *itd = NULL;
487  itd = DetectITypeParse("> 8 <> 20");
488  if (itd == NULL)
489  return 1;
490  DetectITypeFree(itd);
491  return 0;
492 }
493 
494 /**
495  * \test DetectITypeMatchTest01 is a test for checking the working of itype
496  * keyword by creating 5 rules and matching a crafted packet against
497  * them. 4 out of 5 rules shall trigger.
498  */
499 static int DetectITypeMatchTest01(void)
500 {
501 
502  Packet *p = NULL;
503  Signature *s = NULL;
504  ThreadVars th_v;
505  DetectEngineThreadCtx *det_ctx;
506  int result = 0;
507 
508  memset(&th_v, 0, sizeof(th_v));
509 
510  p = UTHBuildPacket(NULL, 0, IPPROTO_ICMP);
511  p->icmpv4h->type = 10;
512 
514  if (de_ctx == NULL) {
515  goto end;
516  }
517 
518  de_ctx->flags |= DE_QUIET;
519 
520  s = de_ctx->sig_list = SigInit(de_ctx,"alert icmp any any -> any any (itype:10; sid:1;)");
521  if (s == NULL) {
522  goto end;
523  }
524 
525  s = s->next = SigInit(de_ctx,"alert icmp any any -> any any (itype:<15; sid:2;)");
526  if (s == NULL) {
527  goto end;
528  }
529 
530  s = s->next = SigInit(de_ctx,"alert icmp any any -> any any (itype:>20; sid:3;)");
531  if (s == NULL) {
532  goto end;
533  }
534 
535  s = s->next = SigInit(de_ctx,"alert icmp any any -> any any (itype:8<>20; sid:4;)");
536  if (s == NULL) {
537  goto end;
538  }
539 
540  s = s->next = SigInit(de_ctx,"alert icmp any any -> any any (itype:20<>8; sid:5;)");
541  if (s == NULL) {
542  goto end;
543  }
544 
545 
546  SigGroupBuild(de_ctx);
547  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
548 
549  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
550  if (PacketAlertCheck(p, 1) == 0) {
551  SCLogDebug("sid 1 did not alert, but should have");
552  goto cleanup;
553  } else if (PacketAlertCheck(p, 2) == 0) {
554  SCLogDebug("sid 2 did not alert, but should have");
555  goto cleanup;
556  } else if (PacketAlertCheck(p, 3)) {
557  SCLogDebug("sid 3 alerted, but should not have");
558  goto cleanup;
559  } else if (PacketAlertCheck(p, 4) == 0) {
560  SCLogDebug("sid 4 did not alert, but should have");
561  goto cleanup;
562  } else if (PacketAlertCheck(p, 5) == 0) {
563  SCLogDebug("sid 5 did not alert, but should have");
564  goto cleanup;
565  }
566 
567  result = 1;
568 
569 cleanup:
570  SigGroupCleanup(de_ctx);
571  SigCleanSignatures(de_ctx);
572 
573  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
574  DetectEngineCtxFree(de_ctx);
575 
576  UTHFreePackets(&p, 1);
577 end:
578  return result;
579 }
580 
581 
582 #endif /* UNITTESTS */
583 
584 /**
585  * \brief this function registers unit tests for DetectIType
586  */
588 {
589 #ifdef UNITTESTS
590  UtRegisterTest("DetectITypeParseTest01", DetectITypeParseTest01);
591  UtRegisterTest("DetectITypeParseTest02", DetectITypeParseTest02);
592  UtRegisterTest("DetectITypeParseTest03", DetectITypeParseTest03);
593  UtRegisterTest("DetectITypeParseTest04", DetectITypeParseTest04);
594  UtRegisterTest("DetectITypeParseTest05", DetectITypeParseTest05);
595  UtRegisterTest("DetectITypeParseTest06", DetectITypeParseTest06);
596  UtRegisterTest("DetectITypeParseTest07", DetectITypeParseTest07);
597  UtRegisterTest("DetectITypeParseTest08", DetectITypeParseTest08);
598  UtRegisterTest("DetectITypeMatchTest01", DetectITypeMatchTest01);
599 #endif /* UNITTESTS */
600 }
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1403
SignatureInitData * init_data
Definition: detect.h:560
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1146
#define SCLogDebug(...)
Definition: util-debug.h:335
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
Definition: detect.h:1149
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
uint32_t flags
Definition: detect.h:493
_Bool(* SupportsPrefilter)(const Signature *s)
Definition: detect.h:1148
#define FALSE
#define DETECT_ITYPE_GT
Definition: detect-itype.c:79
#define unlikely(expr)
Definition: util-optimize.h:35
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
ICMPV4Hdr * icmpv4h
Definition: decode.h:531
Signature * sig_list
Definition: detect.h:726
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Container for matching data for a signature group.
Definition: detect.h:1295
#define SIG_FLAG_REQUIRE_PACKET
Definition: detect.h:230
int ByteExtractStringUint8(uint8_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:238
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
const char * name
Definition: detect.h:1160
Signature container.
Definition: detect.h:492
#define DETECT_ITYPE_EQ
Definition: detect-itype.c:77
#define ICMPV4_GET_TYPE(p)
#define TRUE
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:319
struct SigMatch_ * next
Definition: detect.h:328
main detection engine ctx
Definition: detect.h:720
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
#define DE_QUIET
Definition: detect.h:298
void DetectITypeRegisterTests(void)
this function registers unit tests for DetectIType
Definition: detect-itype.c:587
uint8_t flags
Definition: detect.h:721
int PrefilterSetupPacketHeaderU8Hash(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type, void(*Set)(PrefilterPacketHeaderValue *v, void *), _Bool(*Compare)(PrefilterPacketHeaderValue v, void *), void(*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
void(* Free)(void *)
Definition: detect.h:1151
#define DETECT_ITYPE_LT
Definition: detect-itype.c:78
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
void DetectITypeRegister(void)
Registration function for itype: keyword.
Definition: detect-itype.c:61
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
#define PKT_IS_ICMPV6(p)
Definition: decode.h:255
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1752
void DetectSetupParseRegexes(const char *parse_str, pcre **parse_regex, pcre_extra **parse_regex_study)
PrefilterRuleStore pmq
Definition: detect.h:1061
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
struct DetectITypeData_ DetectITypeData
int SigGroupCleanup(DetectEngineCtx *de_ctx)
struct Signature_ * next
Definition: detect.h:563
uint8_t type
Definition: detect.h:325
void DetectITypeFree(void *)
this function will free memory associated with DetectITypeData
Definition: detect-itype.c:282
const char * desc
Definition: detect.h:1162
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:282
struct SigMatch_ ** smlists
Definition: detect.h:486
SigMatchCtx * ctx
Definition: detect.h:327
#define DETECT_ITYPE_RN
Definition: detect-itype.c:80
#define SCMalloc(a)
Definition: util-mem.h:174
#define MAX_SUBSTRINGS
#define SCFree(a)
Definition: util-mem.h:236
PoolThreadReserved res
#define ICMPV6_GET_TYPE(p)
int(* Match)(ThreadVars *, DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1129
#define PKT_IS_ICMPV4(p)
Definition: decode.h:254
const char * url
Definition: detect.h:1163
#define DOC_URL
Definition: suricata.h:86
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1140
#define PARSE_REGEX
Regex for parsing our itype options.
Definition: detect-itype.c:44
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:226
#define SCReturn
Definition: util-debug.h:339
Per thread variable structure.
Definition: threadvars.h:57
#define DOC_VERSION
Definition: suricata.h:91
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself...
void(* RegisterTests)(void)
Definition: detect.h:1152
a single match condition for a signature
Definition: detect.h:324
DetectEngineCtx * DetectEngineCtxInit(void)