suricata
detect-quic-cyu-hash.c
Go to the documentation of this file.
1 /* Copyright (C) 2021-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  *
20  * Implements the quic.cyu.hash sticky buffer
21  */
22 
23 #include "suricata-common.h"
24 #include "detect.h"
25 #include "detect-parse.h"
26 #include "detect-content.h"
27 
28 #include "detect-engine.h"
29 #include "detect-engine-mpm.h"
32 #include "detect-quic-cyu-hash.h"
33 #include "detect-engine-build.h"
34 #include "rust.h"
35 #include "util-profiling.h"
36 
37 #ifdef UNITTESTS
38 static void DetectQuicCyuHashRegisterTests(void);
39 #endif
40 
41 #define KEYWORD_NAME "quic.cyu.hash"
42 #define KEYWORD_DOC "quic-cyu.html#quic-cyu-hash"
43 #define BUFFER_NAME "quic.cyu.hash"
44 #define BUFFER_DESC "QUIC CYU Hash"
45 static int g_buffer_id = 0;
46 
48  uint32_t local_id; /**< used as index into thread inspect array */
49  void *txv;
50 };
51 
52 static int DetectQuicCyuHashSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
53 {
54  if (DetectBufferSetActiveList(s, g_buffer_id) < 0)
55  return -1;
56 
58  return -1;
59 
60  return 0;
61 }
62 
63 static InspectionBuffer *QuicHashGetData(DetectEngineThreadCtx *det_ctx,
64  const DetectEngineTransforms *transforms, Flow *f, struct QuicHashGetDataArgs *cbdata,
65  int list_id)
66 {
67  SCEnter();
68 
69  InspectionBuffer *buffer =
70  InspectionBufferMultipleForListGet(det_ctx, list_id, cbdata->local_id);
71  if (buffer == NULL)
72  return NULL;
73  if (buffer->initialized)
74  return buffer;
75 
76  const uint8_t *data;
77  uint32_t data_len;
78  if (rs_quic_tx_get_cyu_hash(cbdata->txv, (uint16_t)cbdata->local_id, &data, &data_len) == 0) {
79  return NULL;
80  }
81 
82  InspectionBufferSetupMulti(buffer, transforms, data, data_len);
83 
84  SCReturnPtr(buffer, "InspectionBuffer");
85 }
86 
87 static uint8_t DetectEngineInspectQuicHash(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
88  const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags,
89  void *alstate, void *txv, uint64_t tx_id)
90 {
91  uint32_t local_id = 0;
92 
93  const DetectEngineTransforms *transforms = NULL;
94  if (!engine->mpm) {
95  transforms = engine->v2.transforms;
96  }
97 
98  while (1) {
99  struct QuicHashGetDataArgs cbdata = {
100  local_id,
101  txv,
102  };
103  InspectionBuffer *buffer =
104  QuicHashGetData(det_ctx, transforms, f, &cbdata, engine->sm_list);
105  if (buffer == NULL || buffer->inspect == NULL)
106  break;
107 
108  det_ctx->buffer_offset = 0;
109  det_ctx->discontinue_matching = 0;
110  det_ctx->inspection_recursion_counter = 0;
111 
112  const int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f,
113  (uint8_t *)buffer->inspect, buffer->inspect_len, buffer->inspect_offset,
115  if (match == 1) {
117  }
118  local_id++;
119  }
121 }
122 
123 typedef struct PrefilterMpmQuicHash {
124  int list_id;
125  const MpmCtx *mpm_ctx;
128 
129 /** \brief QuicHash Mpm prefilter callback
130  *
131  * \param det_ctx detection engine thread ctx
132  * \param p packet to inspect
133  * \param f flow to inspect
134  * \param txv tx to inspect
135  * \param pectx inspection context
136  */
137 static void PrefilterTxQuicHash(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p,
138  Flow *f, void *txv, const uint64_t idx, const AppLayerTxData *_txd, const uint8_t flags)
139 {
140  SCEnter();
141 
142  const PrefilterMpmQuicHash *ctx = (const PrefilterMpmQuicHash *)pectx;
143  const MpmCtx *mpm_ctx = ctx->mpm_ctx;
144  const int list_id = ctx->list_id;
145 
146  uint32_t local_id = 0;
147  while (1) {
148  // loop until we get a NULL
149 
150  struct QuicHashGetDataArgs cbdata = { local_id, txv };
151  InspectionBuffer *buffer = QuicHashGetData(det_ctx, ctx->transforms, f, &cbdata, list_id);
152  if (buffer == NULL)
153  break;
154 
155  if (buffer->inspect_len >= mpm_ctx->minlen) {
156  (void)mpm_table[mpm_ctx->mpm_type].Search(
157  mpm_ctx, &det_ctx->mtcu, &det_ctx->pmq, buffer->inspect, buffer->inspect_len);
158  PREFILTER_PROFILING_ADD_BYTES(det_ctx, buffer->inspect_len);
159  }
160 
161  local_id++;
162  }
163 }
164 
165 static void PrefilterMpmQuicHashFree(void *ptr)
166 {
167  SCFree(ptr);
168 }
169 
170 static int PrefilterMpmQuicHashRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx,
171  const DetectBufferMpmRegistery *mpm_reg, int list_id)
172 {
173  PrefilterMpmQuicHash *pectx = SCCalloc(1, sizeof(*pectx));
174  if (pectx == NULL)
175  return -1;
176  pectx->list_id = list_id;
177  pectx->mpm_ctx = mpm_ctx;
178  pectx->transforms = &mpm_reg->transforms;
179 
180  return PrefilterAppendTxEngine(de_ctx, sgh, PrefilterTxQuicHash, mpm_reg->app_v2.alproto,
181  mpm_reg->app_v2.tx_min_progress, pectx, PrefilterMpmQuicHashFree, mpm_reg->pname);
182 }
183 
184 static bool DetectQuicHashValidateCallback(const Signature *s, const char **sigerror)
185 {
186  const SigMatch *sm = s->init_data->smlists[g_buffer_id];
187  for (; sm != NULL; sm = sm->next) {
188  if (sm->type != DETECT_CONTENT)
189  continue;
190 
191  const DetectContentData *cd = (DetectContentData *)sm->ctx;
192 
193  if (cd->flags & DETECT_CONTENT_NOCASE) {
194  *sigerror = BUFFER_NAME " should not be used together with "
195  "nocase, since the rule is automatically "
196  "lowercased anyway which makes nocase redundant.";
197  SCLogWarning("rule %u: %s", s->id, *sigerror);
198  }
199 
200  if (cd->content_len != 32) {
201  *sigerror = "Invalid length of the specified" BUFFER_NAME " (should "
202  "be 32 characters long). This rule will therefore "
203  "never match.";
204  SCLogWarning("rule %u: %s", s->id, *sigerror);
205  return FALSE;
206  }
207  for (size_t i = 0; i < cd->content_len; ++i) {
208  if (!isxdigit(cd->content[i])) {
209  *sigerror = "Invalid " BUFFER_NAME
210  " string (should be string of hexadecimal characters)."
211  "This rule will therefore never match.";
212  SCLogWarning("rule %u: %s", s->id, *sigerror);
213  return FALSE;
214  }
215  }
216  }
217 
218  return TRUE;
219 }
220 
222 {
223  /* quic.cyu.hash sticky buffer */
225  sigmatch_table[DETECT_AL_QUIC_CYU_HASH].desc = "sticky buffer to match on the QUIC CYU hash";
227  sigmatch_table[DETECT_AL_QUIC_CYU_HASH].Setup = DetectQuicCyuHashSetup;
229 #ifdef UNITTESTS
230  sigmatch_table[DETECT_AL_QUIC_CYU_HASH].RegisterTests = DetectQuicCyuHashRegisterTests;
231 #endif
232 
234  BUFFER_NAME, SIG_FLAG_TOSERVER, 2, PrefilterMpmQuicHashRegister, NULL, ALPROTO_QUIC, 1);
235 
237  BUFFER_NAME, ALPROTO_QUIC, SIG_FLAG_TOSERVER, 0, DetectEngineInspectQuicHash, NULL);
238 
240 
241  g_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
242 
243  DetectBufferTypeRegisterValidateCallback(BUFFER_NAME, DetectQuicHashValidateCallback);
244 }
245 
246 #ifdef UNITTESTS
247 #include "app-layer-parser.h"
248 #include "util-unittest.h"
249 #include "util-unittest-helper.h"
250 #include "flow-util.h"
251 #include "detect-engine-alert.h"
252 
253 /**
254  * \test DetectQuicCyuHashTest01 is a test for a valid quic packet, matching
255  * on the cyu hash
256  *
257  * \retval 1 on success
258  * \retval 0 on failure
259  */
260 static int DetectQuicCyuHashTest01(void)
261 {
262  /* quic packet */
263  uint8_t buf[] = { 0xc3, 0x51, 0x30, 0x34, 0x36, 0x50, 0x76, 0xd8, 0x63, 0xb7, 0x54, 0xf7, 0xab,
264  0x32, 0x00, 0x00, 0x00, 0x01, 0x54, 0xfd, 0xf4, 0x79, 0x48, 0x76, 0xd0, 0x87, 0x58, 0x8d,
265  0x26, 0x8f, 0xa0, 0x01, 0x04, 0x00, 0x43, 0x48, 0x4c, 0x4f, 0x11, 0x00, 0x00, 0x00, 0x50,
266  0x41, 0x44, 0x00, 0xe4, 0x02, 0x00, 0x00, 0x53, 0x4e, 0x49, 0x00, 0xf7, 0x02, 0x00, 0x00,
267  0x56, 0x45, 0x52, 0x00, 0xfb, 0x02, 0x00, 0x00, 0x43, 0x43, 0x53, 0x00, 0x0b, 0x03, 0x00,
268  0x00, 0x55, 0x41, 0x49, 0x44, 0x2c, 0x03, 0x00, 0x00, 0x54, 0x43, 0x49, 0x44, 0x30, 0x03,
269  0x00, 0x00, 0x50, 0x44, 0x4d, 0x44, 0x34, 0x03, 0x00, 0x00, 0x53, 0x4d, 0x48, 0x4c, 0x38,
270  0x03, 0x00, 0x00, 0x49, 0x43, 0x53, 0x4c, 0x3c, 0x03, 0x00, 0x00, 0x4e, 0x4f, 0x4e, 0x50,
271  0x5c, 0x03, 0x00, 0x00, 0x4d, 0x49, 0x44, 0x53, 0x60, 0x03, 0x00, 0x00, 0x53, 0x43, 0x4c,
272  0x53, 0x64, 0x03, 0x00, 0x00, 0x43, 0x53, 0x43, 0x54, 0x64, 0x03, 0x00, 0x00, 0x43, 0x4f,
273  0x50, 0x54, 0x64, 0x03, 0x00, 0x00, 0x49, 0x52, 0x54, 0x54, 0x68, 0x03, 0x00, 0x00, 0x43,
274  0x46, 0x43, 0x57, 0x6c, 0x03, 0x00, 0x00, 0x53, 0x46, 0x43, 0x57, 0x70, 0x03, 0x00, 0x00,
275  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
276  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
277  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
278  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
279  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
280  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
281  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
282  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
283  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
284  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
285  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
286  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
287  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
288  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
289  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
290  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
291  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
292  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
293  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
294  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
295  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
296  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
297  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
298  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
299  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
300  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
301  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
302  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
303  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
304  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
305  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
306  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
307  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
308  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
309  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
310  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
311  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
312  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
313  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
314  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
315  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
316  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
317  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
318  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
319  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
320  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
321  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
322  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
323  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
324  0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x73, 0x31, 0x2e, 0x67,
325  0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x51, 0x30, 0x34, 0x36, 0x01, 0xe8,
326  0x81, 0x60, 0x92, 0x92, 0x1a, 0xe8, 0x7e, 0xed, 0x80, 0x86, 0xa2, 0x15, 0x82, 0x91, 0x43,
327  0x68, 0x72, 0x6f, 0x6d, 0x65, 0x2f, 0x37, 0x39, 0x2e, 0x30, 0x2e, 0x33, 0x39, 0x34, 0x35,
328  0x2e, 0x31, 0x31, 0x37, 0x20, 0x4c, 0x69, 0x6e, 0x75, 0x78, 0x20, 0x78, 0x38, 0x36, 0x5f,
329  0x36, 0x34, 0x00, 0x00, 0x00, 0x00, 0x58, 0x35, 0x30, 0x39, 0x01, 0x00, 0x00, 0x00, 0x1e,
330  0x00, 0x00, 0x00, 0x82, 0x88, 0x09, 0x00, 0xfa, 0x0f, 0xde, 0xb7, 0x2e, 0x7e, 0x6c, 0x78,
331  0xcc, 0x09, 0x65, 0xab, 0x06, 0x0c, 0x31, 0x05, 0xfa, 0xd9, 0xa2, 0x0b, 0xdd, 0x74, 0x5c,
332  0x28, 0xdf, 0x7b, 0x74, 0x23, 0x64, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x1d, 0x43,
333  0x00, 0x00, 0x00, 0x00, 0xf0, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
334  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
335  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
336  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
337  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
338  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
339  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
340  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
341  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
342  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
343  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
344  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
345  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
346  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
347  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
348  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
349  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
350  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
351  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
352  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
353  0x00, 0x00 };
354 
355  Flow f;
356  void *quic_state = NULL;
357  Packet *p = NULL;
358  Signature *s = NULL;
359  ThreadVars tv;
360  DetectEngineThreadCtx *det_ctx = NULL;
362 
363  memset(&tv, 0, sizeof(ThreadVars));
364  memset(&f, 0, sizeof(Flow));
365 
366  p = UTHBuildPacketReal(buf, sizeof(buf), IPPROTO_UDP, "192.168.1.5", "192.168.1.1", 41424, 443);
367 
368  FLOW_INITIALIZE(&f);
369  f.flags |= FLOW_IPV4;
370  f.proto = IPPROTO_UDP;
372 
373  p->flow = &f;
374  p->flags |= PKT_HAS_FLOW;
376  f.alproto = ALPROTO_QUIC;
377 
381  de_ctx->flags |= DE_QUIET;
382 
384  "alert quic any any -> any any "
385  "(msg:\"Test QUIC CYU hash\"; "
386  "quic.cyu.hash; content:\"910a5e3a4d51593bd59a44611544f209\"; "
387  "sid:1;)");
388  FAIL_IF_NULL(s);
389 
391  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
392 
393  int r = AppLayerParserParse(
394  NULL, alp_tctx, &f, ALPROTO_QUIC, STREAM_TOSERVER, buf, sizeof(buf));
395  if (r != 0) {
396  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
397  FAIL;
398  }
399 
400  quic_state = f.alstate;
401  FAIL_IF_NULL(quic_state);
402 
403  /* do detect */
404  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
405 
406  if (!(PacketAlertCheck(p, 1))) {
407  printf("sig 1 didn't alert, but it should have: ");
408  FAIL;
409  }
410 
411  if (alp_tctx != NULL)
413  if (det_ctx != NULL)
414  DetectEngineThreadCtxDeinit(&tv, det_ctx);
415  if (de_ctx != NULL)
417  if (de_ctx != NULL)
419 
420  FLOW_DESTROY(&f);
421  UTHFreePacket(p);
422  PASS;
423 }
424 
425 static void DetectQuicCyuHashRegisterTests(void)
426 {
427  UtRegisterTest("DetectQuicCyuHashTest01", DetectQuicCyuHashTest01);
428 }
429 
430 #endif /* UNITTESTS */
DETECT_CONTENT_NOCASE
#define DETECT_CONTENT_NOCASE
Definition: detect-content.h:29
DetectEngineAppInspectionEngine_
Definition: detect.h:390
SigTableElmt_::url
const char * url
Definition: detect.h:1241
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1498
DetectEngineAppInspectionEngine_::mpm
bool mpm
Definition: detect.h:394
detect-content.h
MpmCtx_::mpm_type
uint8_t mpm_type
Definition: util-mpm.h:90
DetectEngineThreadCtx_::buffer_offset
uint32_t buffer_offset
Definition: detect.h:1053
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SigTableElmt_::desc
const char * desc
Definition: detect.h:1240
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1003
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
Definition: detect-engine-content-inspection.h:36
flow-util.h
QuicHashGetDataArgs::local_id
uint32_t local_id
Definition: detect-quic-cyu-hash.c:48
SigTableElmt_::name
const char * name
Definition: detect.h:1238
PrefilterMpmQuicHash
Definition: detect-quic-cyu-hash.c:123
InspectionBuffer::initialized
bool initialized
Definition: detect.h:341
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1395
DetectQuicCyuHashRegister
void DetectQuicCyuHashRegister(void)
Definition: detect-quic-cyu-hash.c:221
DetectEngineTransforms
Definition: detect.h:372
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:62
Flow_::proto
uint8_t proto
Definition: flow.h:379
ALPROTO_QUIC
@ ALPROTO_QUIC
Definition: app-layer-protos.h:51
DetectBufferMpmRegistery_::transforms
DetectEngineTransforms transforms
Definition: detect.h:640
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
InspectionBuffer
Definition: detect.h:337
Packet_::flags
uint32_t flags
Definition: decode.h:463
Flow_
Flow data structure.
Definition: flow.h:357
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1134
Flow_::protomap
uint8_t protomap
Definition: flow.h:451
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1232
DetectBufferMpmRegistery_::app_v2
struct DetectBufferMpmRegistery_::@87::@89 app_v2
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:785
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2442
PrefilterMpmQuicHash::mpm_ctx
const MpmCtx * mpm_ctx
Definition: detect-quic-cyu-hash.c:125
KEYWORD_DOC
#define KEYWORD_DOC
Definition: detect-quic-cyu-hash.c:42
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:314
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:227
rust.h
PrefilterMpmQuicHash
struct PrefilterMpmQuicHash PrefilterMpmQuicHash
DE_QUIET
#define DE_QUIET
Definition: detect.h:287
PrefilterMpmQuicHash::transforms
const DetectEngineTransforms * transforms
Definition: detect-quic-cyu-hash.c:126
DetectBufferMpmRegistery_
one time registration of keywords at start up
Definition: detect.h:626
mpm_default_matcher
uint8_t mpm_default_matcher
Definition: util-mpm.c:49
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1809
DetectContentData_
Definition: detect-content.h:86
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2434
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:459
UTHBuildPacketReal
Packet * UTHBuildPacketReal(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, const char *src, const char *dst, uint16_t sport, uint16_t dport)
UTHBuildPacketReal is a function that create tcp/udp packets for unittests specifying ip and port sou...
Definition: util-unittest-helper.c:244
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1223
DetectEngineAppInspectionEngine_::v2
struct DetectEngineAppInspectionEngine_::@84 v2
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:97
detect-engine-prefilter.h
DetectEngineThreadCtx_::mtcu
MpmThreadCtx mtcu
Definition: detect.h:1132
util-unittest.h
util-unittest-helper.h
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1079
DetectEngineAppInspectionEngine_::sm_list
uint16_t sm_list
Definition: detect.h:396
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:40
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:228
DetectBufferTypeRegisterValidateCallback
void DetectBufferTypeRegisterValidateCallback(const char *name, bool(*ValidateCallback)(const Signature *, const char **sigerror))
Definition: detect-engine.c:1273
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1025
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:22
BUFFER_DESC
#define BUFFER_DESC
Definition: detect-quic-cyu-hash.c:44
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
DETECT_ENGINE_INSPECT_SIG_MATCH
#define DETECT_ENGINE_INSPECT_SIG_MATCH
Definition: detect-engine-state.h:39
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:317
DetectEngineCtx_::mpm_matcher
uint8_t mpm_matcher
Definition: detect.h:835
InspectionBuffer::inspect_offset
uint64_t inspect_offset
Definition: detect.h:339
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:249
app-layer-parser.h
MpmCtx_::minlen
uint16_t minlen
Definition: util-mpm.h:99
TRUE
#define TRUE
Definition: suricata-common.h:33
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:316
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2019
util-profiling.h
FALSE
#define FALSE
Definition: suricata-common.h:34
FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:98
Packet_
Definition: decode.h:428
DETECT_AL_QUIC_CYU_HASH
@ DETECT_AL_QUIC_CYU_HASH
Definition: detect-engine-register.h:307
detect-engine-build.h
DetectAppLayerInspectEngineRegister2
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
Definition: detect-engine.c:224
detect-engine-alert.h
DetectContentData_::flags
uint32_t flags
Definition: detect-content.h:97
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:611
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:287
SignatureInitData_::smlists
struct SigMatch_ ** smlists
Definition: detect.h:534
MpmTableElmt_::Search
uint32_t(* Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t)
Definition: util-mpm.h:165
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1951
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:293
detect-engine-content-inspection.h
detect-quic-cyu-hash.h
DetectEngineThreadCtx_::discontinue_matching
uint16_t discontinue_matching
Definition: detect.h:1092
DetectEngineAppInspectionEngine_::smd
SigMatchData * smd
Definition: detect.h:407
DetectEngineContentInspection
uint8_t DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer, uint32_t buffer_len, uint32_t stream_start_offset, uint8_t flags, uint8_t inspection_mode)
Run the actual payload match functions.
Definition: detect-engine-content-inspection.c:106
DetectAppLayerMpmRegister2
void DetectAppLayerMpmRegister2(const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id), InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register a MPM engine
Definition: detect-engine-mpm.c:89
AppLayerTxData
struct AppLayerTxData AppLayerTxData
Definition: detect.h:1303
PREFILTER_PROFILING_ADD_BYTES
#define PREFILTER_PROFILING_ADD_BYTES(det_ctx, bytes)
Definition: util-profiling.h:307
BUFFER_NAME
#define BUFFER_NAME
Definition: detect-quic-cyu-hash.c:43
Packet_::flow
struct Flow_ * flow
Definition: decode.h:465
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3153
DETECT_CI_FLAGS_SINGLE
#define DETECT_CI_FLAGS_SINGLE
Definition: detect-engine-content-inspection.h:47
DetectBufferMpmRegistery_::pname
char pname[32]
Definition: detect.h:628
flags
uint8_t flags
Definition: decode-gre.h:0
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1323
QuicHashGetDataArgs
Definition: detect-quic-cyu-hash.c:47
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3367
SigMatch_::type
uint16_t type
Definition: detect.h:314
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:76
DetectEngineThreadCtx_::inspection_recursion_counter
int inspection_recursion_counter
Definition: detect.h:1111
DetectContentData_::content
uint8_t * content
Definition: detect-content.h:87
InspectionBufferSetupMulti
void InspectionBufferSetupMulti(InspectionBuffer *buffer, const DetectEngineTransforms *transforms, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine.c:1431
PrefilterAppendTxEngine
int PrefilterAppendTxEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, PrefilterTxFn PrefilterTxFunc, AppProto alproto, int tx_min_progress, void *pectx, void(*FreeFunc)(void *pectx), const char *name)
Definition: detect-engine-prefilter.c:270
DETECT_ENGINE_INSPECT_SIG_NO_MATCH
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
Definition: detect-engine-state.h:38
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
InspectionBuffer::inspect_len
uint32_t inspect_len
Definition: detect.h:340
InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect.h:338
PrefilterMpmQuicHash::list_id
int list_id
Definition: detect-quic-cyu-hash.c:124
SCFree
#define SCFree(p)
Definition: util-mem.h:61
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:485
Flow_::alstate
void * alstate
Definition: flow.h:482
Signature_::id
uint32_t id
Definition: detect.h:574
Flow_::flags
uint32_t flags
Definition: flow.h:427
detect-parse.h
Signature_
Signature container.
Definition: detect.h:540
SigMatch_
a single match condition for a signature
Definition: detect.h:313
FAIL
#define FAIL
Fail a test.
Definition: util-unittest.h:60
DetectEngineAppInspectionEngine_::transforms
const DetectEngineTransforms * transforms
Definition: detect.h:404
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2403
mpm_table
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
Definition: util-mpm.c:48
QuicHashGetDataArgs::txv
void * txv
Definition: detect-quic-cyu-hash.c:49
DetectContentData_::content_len
uint16_t content_len
Definition: detect-content.h:88
InspectionBufferMultipleForListGet
InspectionBuffer * InspectionBufferMultipleForListGet(DetectEngineThreadCtx *det_ctx, const int list_id, const uint32_t local_id)
for a InspectionBufferMultipleForList get a InspectionBuffer
Definition: detect-engine.c:1384
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1423
DetectBufferSetActiveList
int DetectBufferSetActiveList(Signature *s, const int list)
Definition: detect-engine.c:1293
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:786
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:66
KEYWORD_NAME
#define KEYWORD_NAME
Definition: detect-quic-cyu-hash.c:41
DetectBufferTypeSetDescriptionByName
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
Definition: detect-engine.c:1176
MpmCtx_
Definition: util-mpm.h:88
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:456
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:129
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1230