46 #define PARSE_REGEX "^\\s*([0-9]{0,10})\\s*(?:,\\s*([0-9]{0,10}|[*])\\s*(?:,\\s*([0-9]{0,10}|[*]))?)?\\s*$"
54 static void DetectRpcRegisterTests(
void);
97 char *rpcmsg = (
char *)p->
payload;
113 SCLogDebug(
"No valid proto for the rpc message");
151 char *args[3] = {NULL,NULL,NULL};
152 int ret = 0, res = 0;
156 if (ret < 1 || ret > 4) {
157 SCLogError(
"parse error, ret %" PRId32
", string %s", ret, rpcstr);
163 res = pcre2_substring_get_bynumber(
164 parse_regex.
match, 1, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
166 SCLogError(
"pcre2_substring_get_bynumber failed");
169 args[0] = (
char *)str_ptr;
172 res = pcre2_substring_get_bynumber(
173 parse_regex.
match, 2, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
175 SCLogError(
"pcre2_substring_get_bynumber failed");
178 args[1] = (
char *)str_ptr;
181 res = pcre2_substring_get_bynumber(
182 parse_regex.
match, 3, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
184 SCLogError(
"pcre2_substring_get_bynumber failed");
187 args[2] = (
char *)str_ptr;
200 for (i = 0; i < (ret - 1); i++) {
205 SCLogError(
"Invalid size specified for the rpc program:\"%s\"", args[i]);
211 if (args[i][0] !=
'*') {
214 "Invalid size specified for the rpc version:\"%s\"", args[i]);
221 if (args[i][0] !=
'*') {
224 "Invalid size specified for the rpc procedure:\"%s\"", args[i]);
236 for (i = 0; i < (ret -1); i++){
238 pcre2_substring_free((PCRE2_UCHAR8 *)args[i]);
243 for (i = 0; i < (ret -1) && i < 3; i++){
245 pcre2_substring_free((PCRE2_UCHAR8 *)args[i]);
269 rd = DetectRpcParse(
de_ctx, rpcstr);
270 if (rd == NULL)
goto error;
286 if (sm != NULL)
SCFree(sm);
316 static int DetectRpcTestParse01 (
void)
328 static int DetectRpcTestParse02 (
void)
331 rd = DetectRpcParse(NULL,
"111,222,333");
349 static int DetectRpcTestParse03 (
void)
353 rd = DetectRpcParse(NULL,
"111,*,333");
365 rd = DetectRpcParse(NULL,
"111,222,*");
377 rd = DetectRpcParse(NULL,
"111,*,*");
389 rd = DetectRpcParse(NULL,
"111,222");
401 rd = DetectRpcParse(NULL,
"111");
418 static int DetectRpcTestParse04 (
void)
421 rd = DetectRpcParse(NULL,
"");
432 static int DetectRpcTestParse05 (
void)
435 rd = DetectRpcParse(NULL,
"111,aaa,*");
446 static int DetectRpcTestSig01(
void)
477 0x00,0x00,0x00,0x00 };
478 uint16_t buflen =
sizeof(buf);
484 memset(&th_v, 0,
sizeof(th_v));
494 "alert udp any any -> any any (msg:\"RPC Get Port Call\"; rpc:100000, 2, 3; sid:1;)");
498 "alert udp any any -> any any (msg:\"RPC Get Port Call\"; rpc:100000, 2, *; sid:2;)");
502 "alert udp any any -> any any (msg:\"RPC Get Port Call\"; rpc:100000, *, 3; sid:3;)");
506 "alert udp any any -> any any (msg:\"RPC Get Port Call\"; rpc:100000, *, *; sid:4;)");
510 "match\"; rpc:123456, *, 3; sid:5;)");
534 static void DetectRpcRegisterTests(
void)
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options)
void(* Free)(DetectEngineCtx *, void *)
#define PARSE_REGEX
Regex for parsing our rpc options.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
void DetectRpcRegister(void)
Registration function for rpc keyword.
main detection engine ctx
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx.
#define DETECT_RPC_CHECK_PROCEDURE
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that builds packets with default IP and port fields.
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
#define PASS
Pass the test.
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Per thread variable structure.
int StringParseUint32(uint32_t *res, int base, size_t len, const char *str)
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
SigMatch * SigMatchAlloc(void)
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Used to start a pointer to SigMatch context. Should never be dereferenced without casting to something...
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
void DetectRpcFree(DetectEngineCtx *, void *)
this function will free memory associated with DetectRpcData
#define SCLogError(...)
Macro used to log ERROR messages.
a single match condition for a signature
DetectEngineCtx * DetectEngineCtxInit(void)
#define DETECT_RPC_CHECK_PROGRAM
#define DETECT_RPC_CHECK_VERSION
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
void(* RegisterTests)(void)
#define SIG_FLAG_REQUIRE_PACKET
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.