/**
 * \brief Regex used by the tag keyword parser to split its argument string.
 *
 * Capture groups consumed by the parser (see the pcre2_substring_get_bynumber
 * calls further down in this file):
 *   1 - type: "host" or "session"
 *   3 - count: decimal digits (optional, only together with group 4)
 *   4 - metric: "packets", "bytes" or "seconds"
 *   6 - direction: "src" or "dst" (optional; a direction combined with type
 *       "session" is rejected by the parser, it is only meaningful for "host")
 *
 * NOTE(review): group 3 is an unbounded \d+, so the only bound on the count
 * is the numeric range check the parser performs after the match ("0 to
 * UINT32_MAX" error path) - keep that check in place. The alternations are
 * written case-sensitively while the parser compares the captured text with
 * strcasecmp; whether e.g. "Host" is accepted therefore depends on the
 * options DetectSetupParseRegexes compiles this pattern with - confirm.
 */
54 #define PARSE_REGEX "^\\s*(host|session)\\s*(,\\s*(\\d+)\\s*,\\s*(packets|bytes|seconds)\\s*(,\\s*(src|dst))?\\s*)?$"
62 static void DetectTagRegisterTests(
void);
119 SCLogDebug(
"Tagging Host with sid %"PRIu32
":%"PRIu32
"", s->
id, s->
gid);
123 if (p->
flow != NULL) {
132 SCLogDebug(
"Adding to or updating flow; first_ts %" PRIu64
" count %u",
136 SCLogDebug(
"No flow to append the session tag");
141 SCLogDebug(
"unknown type of a tag keyword (not session nor host)");
162 const char *str_ptr = NULL;
164 pcre2_match_data *match = NULL;
167 SCLogError(
"parse error, ret %" PRId32
", string %s", ret, tagstr);
171 int res = pcre2_substring_get_bynumber(match, 1, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
172 if (res < 0 || str_ptr == NULL) {
173 SCLogError(
"pcre2_substring_get_bynumber failed");
178 if (strcasecmp(
"session", str_ptr) == 0) {
180 }
else if (strcasecmp(
"host", str_ptr) == 0) {
183 SCLogError(
"Invalid argument type. Must be session or host (%s)", tagstr);
186 pcre2_substring_free((PCRE2_UCHAR *)str_ptr);
195 res = pcre2_substring_get_bynumber(match, 3, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
196 if (res < 0 || str_ptr == NULL) {
197 SCLogError(
"pcre2_substring_get_bynumber failed");
204 SCLogError(
"Invalid argument for count. Must be a value in the range of 0 to %" PRIu32
210 pcre2_substring_free((PCRE2_UCHAR *)str_ptr);
213 res = pcre2_substring_get_bynumber(match, 4, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
214 if (res < 0 || str_ptr == NULL) {
215 SCLogError(
"pcre2_substring_get_bynumber failed");
220 if (strcasecmp(
"packets", str_ptr) == 0) {
225 }
else if (strcasecmp(
"seconds", str_ptr) == 0) {
227 }
else if (strcasecmp(
"bytes", str_ptr) == 0) {
231 "Invalid argument metric. Must be one of \"seconds\", \"packets\" or \"bytes\" "
237 pcre2_substring_free((PCRE2_UCHAR *)str_ptr);
242 res = pcre2_substring_get_bynumber(match, 6, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
243 if (res < 0 || str_ptr == NULL) {
244 SCLogError(
"pcre2_substring_get_bynumber failed");
249 if (strcasecmp(
"src", str_ptr) == 0) {
251 }
else if (strcasecmp(
"dst", str_ptr) == 0) {
255 "Invalid argument direction. Must be one of \"src\" or \"dst\" (only valid "
256 "for tag host type, not sessions) (%s)",
263 "Argument direction doesn't make sense for type \"session\" (%s [%" PRIu8
268 pcre2_substring_free((PCRE2_UCHAR *)str_ptr);
280 pcre2_match_data_free(match);
285 pcre2_match_data_free(match);
288 pcre2_substring_free((PCRE2_UCHAR *)str_ptr);
323 static void DetectTagDataEntryFree(
void *ptr)
343 while (entry != NULL) {
345 DetectTagDataEntryFree(entry);
369 static int DetectTagTestParse01(
void)
373 td = DetectTagParse(
"session, 123, packets");
387 static int DetectTagTestParse02(
void)
391 td = DetectTagParse(
"host, 200, bytes, src");
406 static int DetectTagTestParse03(
void)
410 td = DetectTagParse(
"host, 200, bytes, dst");
425 static int DetectTagTestParse04(
void)
429 td = DetectTagParse(
"session");
443 static int DetectTagTestParse05(
void)
447 td = DetectTagParse(
"host");
462 void DetectTagRegisterTests(
void)
SigTableElmt * sigmatch_table
void(* Free)(DetectEngineCtx *, void *)
@ DETECT_TAG_METRIC_BYTES
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Main detection engine context.
void DetectTagDataListFree(void *ptr)
This function frees every entry of a DetectTagDataEntry list.
#define TAG_ENTRY_FLAG_DIR_SRC
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
@ DETECT_TAG_METRIC_SECONDS
#define TAG_ENTRY_FLAG_DIR_DST
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
SigMatch * SCSigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
int StringParseUint32(uint32_t *res, int base, size_t len, const char *str)
#define SCLogWarning(...)
Macro used to log WARNING messages.
#define SC_ATOMIC_SUB(name, val)
Subtract a value from our atomic variable.
SC_ATOMIC_EXTERN(unsigned int, num_tags)
Data structures and function prototypes for keeping state for the detection engine.
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Used to start a pointer to a SigMatch context. Should never be dereferenced without casting to something...
void DetectTagRegister(void)
Registration function for keyword tag.
#define DETECT_TAG_MAX_PKTS
@ DETECT_TAG_TYPE_SESSION
void DetectEngineTagRegisterTests(void)
This function registers the unit tests for DetectTag.
#define SCLogError(...)
Macro used to log ERROR messages.
@ DETECT_TAG_METRIC_PACKET
int TagFlowAdd(Packet *p, DetectTagDataEntry *tde)
This function is used to add a tag to a session (type session) or update it if it's already installed...
int TagHashAddTag(DetectTagDataEntry *tde, Packet *p)
Add a tag entry for a host. If it already exists, update it.
struct DetectTagDataEntry_ * next
#define SIGMATCH_IPONLY_COMPAT
void DetectTagDataFree(DetectEngineCtx *, void *)
This function frees the memory associated with a DetectTagData.
void(* RegisterTests)(void)