/*
 * Grammar of the "tag" rule option, applied to the whole option string
 * (anchored with ^ ... $, so trailing garbage is rejected by the match):
 *
 *   <type>[, <count>, <metric>[, <direction>]]
 *
 *   group 1: type      -> "host" | "session"
 *   group 3: count     -> \d+  (digits only; neither length nor value is
 *                         bounded by the pattern - the numeric parse that
 *                         follows the match is what enforces the
 *                         0..max range, presumably DETECT_TAG_MAX_PKTS)
 *   group 4: metric    -> "packets" | "bytes" | "seconds"
 *   group 6: direction -> "src" | "dst"
 *
 * NOTE(review): the alternations are lowercase; unless DetectSetupParseRegexes
 * compiles this with a caseless option, mixed-case input fails here even
 * though the later keyword comparisons use strcasecmp().
 *
 * The pattern also accepts a direction for the "session" type; that
 * combination is rejected semantically after the match, not by the regex.
 */
54 #define PARSE_REGEX "^\\s*(host|session)\\s*(,\\s*(\\d+)\\s*,\\s*(packets|bytes|seconds)\\s*(,\\s*(src|dst))?\\s*)?$"
62 static void DetectTagRegisterTests(
void);
117 SCLogDebug(
"Tagging Host with sid %"PRIu32
":%"PRIu32
"", s->
id, s->
gid);
121 if (p->
flow != NULL) {
130 SCLogDebug(
"Adding to or updating flow; first_ts %u count %u",
134 SCLogDebug(
"No flow to append the session tag");
139 SCLogDebug(
"unknown type of a tag keyword (not session nor host)");
159 int ret = 0, res = 0;
161 const char *str_ptr = NULL;
165 SCLogError(
"parse error, ret %" PRId32
", string %s", ret, tagstr);
169 res = pcre2_substring_get_bynumber(parse_regex.
match, 1, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
170 if (res < 0 || str_ptr == NULL) {
171 SCLogError(
"pcre2_substring_get_bynumber failed");
176 if (strcasecmp(
"session", str_ptr) == 0) {
178 }
else if (strcasecmp(
"host", str_ptr) == 0) {
181 SCLogError(
"Invalid argument type. Must be session or host (%s)", tagstr);
184 pcre2_substring_free((PCRE2_UCHAR *)str_ptr);
193 res = pcre2_substring_get_bynumber(
194 parse_regex.
match, 3, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
195 if (res < 0 || str_ptr == NULL) {
196 SCLogError(
"pcre2_substring_get_bynumber failed");
203 SCLogError(
"Invalid argument for count. Must be a value in the range of 0 to %" PRIu32
209 pcre2_substring_free((PCRE2_UCHAR *)str_ptr);
212 res = pcre2_substring_get_bynumber(
213 parse_regex.
match, 4, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
214 if (res < 0 || str_ptr == NULL) {
215 SCLogError(
"pcre2_substring_get_bynumber failed");
220 if (strcasecmp(
"packets", str_ptr) == 0) {
225 }
else if (strcasecmp(
"seconds", str_ptr) == 0) {
227 }
else if (strcasecmp(
"bytes", str_ptr) == 0) {
231 "Invalid argument metric. Must be one of \"seconds\", \"packets\" or \"bytes\" "
237 pcre2_substring_free((PCRE2_UCHAR *)str_ptr);
242 res = pcre2_substring_get_bynumber(
243 parse_regex.
match, 6, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
244 if (res < 0 || str_ptr == NULL) {
245 SCLogError(
"pcre2_substring_get_bynumber failed");
250 if (strcasecmp(
"src", str_ptr) == 0) {
252 }
else if (strcasecmp(
"dst", str_ptr) == 0) {
256 "Invalid argument direction. Must be one of \"src\" or \"dst\" (only valid "
257 "for tag host type, not sessions) (%s)",
264 "Argument direction doesn't make sense for type \"session\" (%s [%" PRIu8
269 pcre2_substring_free((PCRE2_UCHAR *)str_ptr);
285 pcre2_substring_free((PCRE2_UCHAR *)str_ptr);
325 static void DetectTagDataEntryFree(
void *ptr)
345 while (entry != NULL) {
347 DetectTagDataEntryFree(entry);
371 static int DetectTagTestParse01(
void)
375 td = DetectTagParse(
"session, 123, packets");
389 static int DetectTagTestParse02(
void)
393 td = DetectTagParse(
"host, 200, bytes, src");
408 static int DetectTagTestParse03(
void)
412 td = DetectTagParse(
"host, 200, bytes, dst");
427 static int DetectTagTestParse04(
void)
431 td = DetectTagParse(
"session");
445 static int DetectTagTestParse05(
void)
449 td = DetectTagParse(
"host");
464 void DetectTagRegisterTests(
void)