/* Keyword-argument grammar, anchored at both ends with optional whitespace:
 *   group 1 (optional): one leading modifier character, '+', '*' or '!'
 *   group 2 (required): the flag string, from S A P R F U 1 2 0 C E; the
 *                       class also admits '+', '*' and '!', so a modifier
 *                       can follow the letters (the tests parse "AP+")
 *   group 3 (optional): a second flag list after a comma, from
 *                       S A P R F U 1 2 C E ('0' is not accepted here)
 * Because group 2 accepts modifier characters in any position, the regex on
 * its own does not stop a rule from carrying two modifiers ("+S*" matches
 * it); that has to be rejected by the parser, see its
 * "one modifier at a time" messages. */
48 #define PARSE_REGEX "^\\s*(?:([\\+\\*!]))?\\s*([SAPRFU120CE\\+\\*!]+)(?:\\s*,\\s*([SAPRFU12CE]+))?\\s*$"
/* Values held in de->modifier and handed to FlagsMatch() as its modifier
 * argument; 0 is the "no modifier yet" state the parser tests for.
 * NOTE(review): presumably NOT is '!', PLUS is '+' and ANY is '*'; the
 * assignments are not part of this listing, confirm against the full file. */
55 #define MODIFIER_NOT 1
56 #define MODIFIER_PLUS 2
57 #define MODIFIER_ANY 3
/* Forward declarations; both functions are defined near the end of the file. */
66 static bool PrefilterTcpFlagsIsPrefilterable(
const Signature *s);
69 static void FlagsRegisterTests(
void);
/* Compare one TCP flag byte with a rule's flag specification.
 *   pflags   flag byte under test (presumably the packet's TCP flags; how the
 *            caller derives it is not in this listing)
 *   modifier de->modifier at the visible call site: 0 or one of MODIFIER_*
 *   dflags   de->flags at the visible call site
 *   iflags   de->ignored_flags at the visible call site
 * Only the conditions survive in this listing; the return statements and the
 * lines that select a comparison per modifier are missing. */
94 static inline int FlagsMatch(
const uint8_t pflags,
const uint8_t modifier,
95 const uint8_t dflags,
const uint8_t iflags)
/* The rule names no flag bits while the input has at least one set. */
97 if (!dflags && pflags) {
/* iflags is applied as an AND mask, so despite the field name a 1 bit in
 * ignored_flags means "keep this flag for the comparison". The parser
 * initialises it to 0xff (keep everything). */
105 const uint8_t
flags = pflags & iflags;
/* Four comparisons follow. NOTE(review): presumably selected by
 * MODIFIER_ANY, MODIFIER_PLUS, MODIFIER_NOT and "no modifier", in that
 * order; confirm against the full file. */
/* At least one of the rule's flags is set. */
109 if ((
flags & dflags) > 0) {
/* Every one of the rule's flags is set; other flags may be set as well. */
115 if (((
flags & dflags) == dflags)) {
/* Not all of the rule's flags are set. This is already true when a single
 * dflags bit is missing, so it is not the same as "none of them is set". */
121 if ((
flags & dflags) != dflags) {
/* Exact equality after masking: no extra flags allowed. */
128 if (
flags == dflags) {
/* Match-callback fragment: fetch the packet's TCP header and defer the
 * decision to FlagsMatch() with the rule's modifier, flags and ignored_flags.
 * NOTE(review): the check that p actually carries TCP, and the line that
 * derives `flags` from tcph, are not in this listing; confirm both precede
 * this point in the full file. */
159 const TCPHdr *tcph = PacketGetTCP(p);
162 return FlagsMatch(
flags,
de->modifier,
de->flags,
de->ignored_flags);
/* Parser fragment (presumably the body of DetectFlagsParse(), which the setup
 * code calls with rawstr). It splits the keyword argument with the regex into
 * arg1, arg2 and arg3 and fills a DetectFlagsData (de). The input is rule
 * text, not packet data. */
/* Counters reported by the debug log near the end of the fragment. */
178 int found = 0, ignore = 0;
/* Starts NULL; released by the two pcre2_match_data_free() calls below. */
186 pcre2_match_data *match = NULL;
188 SCLogDebug(
"input '%s', pcre said %d", rawstr, ret);
/* pcre2len is in/out for pcre2_substring_copy_bynumber(): buffer size in,
 * copied length out. It is reset to the destination's sizeof before each
 * copy, so every capture is bounded by its own buffer and an oversized
 * capture makes the call fail instead of overrunning. */
194 size_t pcre2len =
sizeof(arg1);
197 SCLogError(
"pcre2_substring_copy_bynumber failed");
201 pcre2len =
sizeof(arg2);
202 res = pcre2_substring_copy_bynumber(match, 2, (PCRE2_UCHAR8 *)arg2, &pcre2len);
204 SCLogError(
"pcre2_substring_copy_bynumber failed");
209 pcre2len =
sizeof(arg3);
212 SCLogError(
"pcre2_substring_copy_bynumber failed");
216 SCLogDebug(
"args '%s', '%s', '%s'", arg1, arg2, arg3);
/* Empty flag string; the handling inside this branch is not in the listing. */
218 if (strlen(arg2) == 0) {
/* Default mask: all eight flag bits take part in the comparison (FlagsMatch
 * ANDs the input with this value). */
226 de->ignored_flags = 0xff;
/* Character-by-character walk up to the terminating NUL. NOTE(review): which
 * string ptr refers to here is not visible; presumably arg1. */
230 while (*ptr !=
'\0') {
/* Same walk over the flag string (group 2 of the regex). */
299 if (strlen(arg2) > 0) {
301 while (*ptr !=
'\0') {
/* Three checks that a modifier has not been stored yet, each paired with a
 * message ending in " one modifier at a time". This is what rejects doubled
 * modifiers, which the regex alone lets through. The start of each message
 * and the error exit are not in the listing. */
351 if (
de->modifier != 0) {
353 " one modifier at a time");
360 if (
de->modifier != 0) {
362 " one modifier at a time");
369 if (
de->modifier != 0) {
371 " one modifier at a time");
/* Optional second list (group 3 of the regex), walked the same way. */
388 if (strlen(arg3) > 0) {
391 while (*ptr !=
'\0') {
/* Match data is released on two separate paths; presumably the first is the
 * success return and the second the error exit. */
455 pcre2_match_data_free(match);
456 SCLogDebug(
"found %"PRId32
" ignore %"PRId32
"", found, ignore);
464 pcre2_match_data_free(match);
/* Setup fragment: the rule's keyword argument is handed to the parser.
 * NOTE(review): the NULL check on the result is not in this listing. */
485 de = DetectFlagsParse(rawstr);
/* Prefilter fragment: the generic packet-header extra-match check runs first,
 * then the TCP header is fetched. What follows the fetch is not visible. */
561 if (!PrefilterPacketHeaderExtraMatch(ctx, p))
564 const TCPHdr *tcph = PacketGetTCP(p);
/* Tail of a call that passes the three prefilter callbacks (set, compare,
 * match); the callee's name is not in this listing. */
597 PrefilterPacketFlagsSet,
598 PrefilterPacketFlagsCompare,
599 PrefilterPacketFlagsMatch);
/* Definition of the helper declared at the top of the file; takes a signature
 * and returns a bool. The body is not in this listing. */
603 static bool PrefilterTcpFlagsIsPrefilterable(
const Signature *s)
/* Unit test. Only the release of the parsed DetectFlagsData is visible; the
 * input string and the pass condition are not in this listing. */
626 static int FlagsTestParse01 (
void)
631 DetectFlagsFree(NULL,
de);
/* Unit test: parses "G". 'G' is in none of PARSE_REGEX's character classes,
 * so this is presumably the invalid-input case; the pass condition is not in
 * this listing. */
641 static int FlagsTestParse02 (
void)
644 de = DetectFlagsParse(
"G");
646 DetectFlagsFree(NULL,
de);
/* Unit test: zeroes local IPv4 and TCP header structs, parses "AP+" (modifier
 * written after the letters) and calls DetectFlagsMatch() with sm->ctx. The
 * flag bits set on the test packet and the expected result are not in this
 * listing. */
659 static int FlagsTestParse03 (
void)
672 memset(&ipv4h, 0,
sizeof(
IPV4Hdr));
673 memset(&tcph, 0,
sizeof(
TCPHdr));
679 de = DetectFlagsParse(
"AP+");
691 ret = DetectFlagsMatch(NULL, p, NULL, sm->
ctx);
/* Unit test: zeroes local IPv4 and TCP header structs, parses "A" (no
 * modifier) and calls DetectFlagsMatch() with sm->ctx. The flag bits set on
 * the test packet and the expected result are not in this listing. */
713 static int FlagsTestParse04 (
void)
726 memset(&ipv4h, 0,
sizeof(
IPV4Hdr));
727 memset(&tcph, 0,
sizeof(
TCPHdr));
733 de = DetectFlagsParse(
"A");
745 ret = DetectFlagsMatch(NULL, p, NULL, sm->
ctx);
/* Unit test: zeroes local IPv4 and TCP header structs, parses "+AP,SR"
 * (leading modifier plus a second, comma-separated list) and calls
 * DetectFlagsMatch() with sm->ctx. The flag bits set on the test packet and
 * the expected result are not in this listing. */
768 static int FlagsTestParse05 (
void)
781 memset(&ipv4h, 0,
sizeof(
IPV4Hdr));
782 memset(&tcph, 0,
sizeof(
TCPHdr));
788 de = DetectFlagsParse(
"+AP,SR");
800 ret = DetectFlagsMatch(NULL, p, NULL, sm->
ctx);
/* Unit test: zeroes local IPv4 and TCP header structs, parses "+AP,UR"
 * (leading modifier plus a second, comma-separated list) and calls
 * DetectFlagsMatch() with sm->ctx. The flag bits set on the test packet and
 * the expected result are not in this listing. */
823 static int FlagsTestParse06 (
void)
836 memset(&ipv4h, 0,
sizeof(
IPV4Hdr));
837 memset(&tcph, 0,
sizeof(
TCPHdr));
843 de = DetectFlagsParse(
"+AP,UR");
855 ret = DetectFlagsMatch(NULL, p, NULL, sm->
ctx);
/* Unit test: zeroes local IPv4 and TCP header structs, parses "*AP" (leading
 * modifier) and calls DetectFlagsMatch() with sm->ctx. The flag bits set on
 * the test packet and the expected result are not in this listing. */
877 static int FlagsTestParse07 (
void)
890 memset(&ipv4h, 0,
sizeof(
IPV4Hdr));
891 memset(&tcph, 0,
sizeof(
TCPHdr));
897 de = DetectFlagsParse(
"*AP");
909 ret = DetectFlagsMatch(NULL, p, NULL, sm->
ctx);
/* Unit test: zeroes local IPv4 and TCP header structs, parses "*SA" (leading
 * modifier) and calls DetectFlagsMatch() with sm->ctx. The flag bits set on
 * the test packet and the expected result are not in this listing. */
932 static int FlagsTestParse08 (
void)
945 memset(&ipv4h, 0,
sizeof(
IPV4Hdr));
946 memset(&tcph, 0,
sizeof(
TCPHdr));
952 de = DetectFlagsParse(
"*SA");
964 ret = DetectFlagsMatch(NULL, p, NULL, sm->
ctx);
/* Unit test: zeroes local IPv4 and TCP header structs, parses "!PA" (leading
 * '!' modifier) and calls DetectFlagsMatch() with sm->ctx. The flag bits set
 * on the test packet and the expected result are not in this listing. */
986 static int FlagsTestParse09 (
void)
999 memset(&ipv4h, 0,
sizeof(
IPV4Hdr));
1000 memset(&tcph, 0,
sizeof(
TCPHdr));
1006 de = DetectFlagsParse(
"!PA");
1018 ret = DetectFlagsMatch(NULL, p, NULL, sm->
ctx);
/* Unit test: zeroes local IPv4 and TCP header structs, parses "!AP" (the same
 * two letters as FlagsTestParse09 in the other order) and calls
 * DetectFlagsMatch() with sm->ctx. The flag bits set on the test packet and
 * the expected result are not in this listing. */
1040 static int FlagsTestParse10 (
void)
1053 memset(&ipv4h, 0,
sizeof(
IPV4Hdr));
1054 memset(&tcph, 0,
sizeof(
TCPHdr));
1060 de = DetectFlagsParse(
"!AP");
1072 ret = DetectFlagsMatch(NULL, p, NULL, sm->
ctx);
/* Unit test: zeroes local IPv4 and TCP header structs, parses "*AP,SR"
 * (leading modifier plus a second, comma-separated list) and calls
 * DetectFlagsMatch() with sm->ctx. The flag bits set on the test packet and
 * the expected result are not in this listing. */
1094 static int FlagsTestParse11 (
void)
1107 memset(&ipv4h, 0,
sizeof(
IPV4Hdr));
1108 memset(&tcph, 0,
sizeof(
TCPHdr));
1114 de = DetectFlagsParse(
"*AP,SR");
1126 ret = DetectFlagsMatch(NULL, p, NULL, sm->
ctx);
/* Unit test for the "0" argument: zeroes local IPv4 and TCP header structs,
 * parses "0", then calls DetectFlagsMatch() with sm->ctx. The flag bits set on
 * the test packet and the expected match result are not in this listing. */
1149 static int FlagsTestParse12 (
void)
1162 memset(&ipv4h, 0,
sizeof(
IPV4Hdr));
1163 memset(&tcph, 0,
sizeof(
TCPHdr));
1169 de = DetectFlagsParse(
"0");
/* "0" must parse successfully and leave de->flags at 0; anything else is
 * reported as a setup failure. */
1171 if (
de == NULL ||
de->flags != 0) {
1172 printf(
"de setup: ");
1183 ret = DetectFlagsMatch(NULL, p, NULL, sm->
ctx);
/* Unit test: parses "+S*", a string with two modifier characters that
 * PARSE_REGEX itself accepts. Presumably this asserts that the parser rejects
 * it ("one modifier at a time"); the pass condition is not in this listing. */
1206 static int FlagsTestParse13 (
void)
1209 de = DetectFlagsParse(
"+S*");
1211 DetectFlagsFree(NULL,
de);
/* Unit test. Only the release of the parsed DetectFlagsData is visible; the
 * input string and the pass condition are not in this listing. */
1224 static int FlagsTestParse14(
void)
1228 DetectFlagsFree(NULL,
de);
/* Unit test: zeroes local IPv4 and TCP header structs, parses "EC+" (the E
 * and C letters with a trailing modifier) and calls DetectFlagsMatch() with
 * sm->ctx. The flag bits set on the test packet and the expected result are
 * not in this listing. */
1235 static int FlagsTestParse15(
void)
1248 memset(&ipv4h, 0,
sizeof(
IPV4Hdr));
1249 memset(&tcph, 0,
sizeof(
TCPHdr));
1255 de = DetectFlagsParse(
"EC+");
1267 ret = DetectFlagsMatch(NULL, p, NULL, sm->
ctx);
/* Unit test: zeroes local IPv4 and TCP header structs, parses "EC*" (the E
 * and C letters with a trailing modifier) and calls DetectFlagsMatch() with
 * sm->ctx. The flag bits set on the test packet and the expected result are
 * not in this listing. */
1287 static int FlagsTestParse16(
void)
1300 memset(&ipv4h, 0,
sizeof(
IPV4Hdr));
1301 memset(&tcph, 0,
sizeof(
TCPHdr));
1307 de = DetectFlagsParse(
"EC*");
1319 ret = DetectFlagsMatch(NULL, p, NULL, sm->
ctx);
/* Unit test: same rule string as FlagsTestParse15, "EC+". Zeroes local IPv4
 * and TCP header structs, parses the string and calls DetectFlagsMatch() with
 * sm->ctx. Presumably the packet's flag bits differ from test 15; neither they
 * nor the expected result are in this listing. */
1342 static int FlagsTestParse17(
void)
1355 memset(&ipv4h, 0,
sizeof(
IPV4Hdr));
1356 memset(&tcph, 0,
sizeof(
TCPHdr));
1362 de = DetectFlagsParse(
"EC+");
1374 ret = DetectFlagsMatch(NULL, p, NULL, sm->
ctx);
/* Definition of the test-registration hook declared at the top of the file.
 * Presumably registers the FlagsTestParse* functions; the body is not in this
 * listing. */
1397 static void FlagsRegisterTests(
void)