55 #define PARSE_REGEX "^\\s*(host|session)\\s*(,\\s*(\\d+)\\s*,\\s*(packets|bytes|seconds)\\s*(,\\s*(src|dst))?\\s*)?$"
63 static void DetectTagRegisterTests(
void);
118 SCLogDebug(
"Tagging Host with sid %"PRIu32
":%"PRIu32
"", s->
id, s->
gid);
122 if (p->
flow != NULL) {
131 SCLogDebug(
"Adding to or updating flow; first_ts %u count %u",
135 SCLogDebug(
"No flow to append the session tag");
140 SCLogDebug(
"unknown type of a tag keyword (not session nor host)");
160 int ret = 0,
res = 0;
162 const char *str_ptr = NULL;
170 res = pcre2_substring_get_bynumber(parse_regex.
match, 1, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
171 if (
res < 0 || str_ptr == NULL) {
177 if (strcasecmp(
"session", str_ptr) == 0) {
179 }
else if (strcasecmp(
"host", str_ptr) == 0) {
185 pcre2_substring_free((PCRE2_UCHAR *)str_ptr);
194 res = pcre2_substring_get_bynumber(
195 parse_regex.
match, 3, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
196 if (
res < 0 || str_ptr == NULL) {
208 pcre2_substring_free((PCRE2_UCHAR *)str_ptr);
211 res = pcre2_substring_get_bynumber(
212 parse_regex.
match, 4, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
213 if (
res < 0 || str_ptr == NULL) {
219 if (strcasecmp(
"packets", str_ptr) == 0) {
224 }
else if (strcasecmp(
"seconds", str_ptr) == 0) {
226 }
else if (strcasecmp(
"bytes", str_ptr) == 0) {
233 pcre2_substring_free((PCRE2_UCHAR *)str_ptr);
238 res = pcre2_substring_get_bynumber(
239 parse_regex.
match, 6, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
240 if (
res < 0 || str_ptr == NULL) {
246 if (strcasecmp(
"src", str_ptr) == 0) {
248 }
else if (strcasecmp(
"dst", str_ptr) == 0) {
251 SCLogError(
SC_ERR_INVALID_VALUE,
"Invalid argument direction. Must be one of \"src\" or \"dst\" (only valid for tag host type, not sessions) (%s)", tagstr);
259 pcre2_substring_free((PCRE2_UCHAR *)str_ptr);
275 pcre2_substring_free((PCRE2_UCHAR *)str_ptr);
315 static void DetectTagDataEntryFree(
void *ptr)
335 while (entry != NULL) {
337 DetectTagDataEntryFree(entry);
361 static int DetectTagTestParse01(
void)
365 td = DetectTagParse(
"session, 123, packets");
379 static int DetectTagTestParse02(
void)
383 td = DetectTagParse(
"host, 200, bytes, src");
398 static int DetectTagTestParse03(
void)
402 td = DetectTagParse(
"host, 200, bytes, dst");
417 static int DetectTagTestParse04(
void)
421 td = DetectTagParse(
"session");
435 static int DetectTagTestParse05(
void)
439 td = DetectTagParse(
"host");
454 void DetectTagRegisterTests(
void)
@ DETECT_TAG_METRIC_PACKET
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options)
void(* Free)(DetectEngineCtx *, void *)
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
@ DETECT_TAG_TYPE_SESSION
@ DETECT_TAG_METRIC_BYTES
main detection engine ctx
void DetectTagDataListFree(void *ptr)
This function frees all the entries of a DetectTagDataEntry list.
@ DETECT_TAG_METRIC_SECONDS
#define TAG_ENTRY_FLAG_DIR_SRC
@ SC_ERR_PCRE_GET_SUBSTRING
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
#define TAG_ENTRY_FLAG_DIR_DST
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
int StringParseUint32(uint32_t *res, int base, size_t len, const char *str)
#define SC_ATOMIC_SUB(name, val)
Subtract a value from our atomic variable.
SC_ATOMIC_EXTERN(unsigned int, num_tags)
Data structures and function prototypes for keeping state for the detection engine.
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
SigMatch * SigMatchAlloc(void)
Used to start a pointer to SigMatch context. Should never be dereferenced without casting to something...
void DetectTagRegister(void)
Registration function for keyword tag.
#define DETECT_TAG_MAX_PKTS
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
void DetectEngineTagRegisterTests(void)
This function registers unit tests for DetectTag.
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
int TagFlowAdd(Packet *p, DetectTagDataEntry *tde)
This function is used to add a tag to a session (type session) or update it if it's already installed...
a single match condition for a signature
int TagHashAddTag(DetectTagDataEntry *tde, Packet *p)
Add a tag entry for a host. If it already exists, update it.
struct DetectTagDataEntry_ * next
#define SIGMATCH_IPONLY_COMPAT
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
void DetectTagDataFree(DetectEngineCtx *, void *)
This function frees the memory associated with DetectTagData.
void(* RegisterTests)(void)