suricata
detect-threshold.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup threshold
20  * @{
21  */
22 
23 /**
24  * \file
25  *
26  * \author Breno Silva <breno.silva@gmail.com>
27  * \author Victor Julien <victor@inliniac.net>
28  *
29  * Implements the threshold keyword.
30  *
31  * The feature depends on what is provided
32  * by detect-engine-threshold.c and util-threshold-config.c
33  */
34 
35 #include "suricata-common.h"
36 #include "suricata.h"
37 #include "decode.h"
38 
39 #include "host.h"
40 #include "host-storage.h"
41 
42 #include "detect.h"
43 #include "detect-parse.h"
44 
45 #include "flow-var.h"
46 #include "decode-events.h"
47 #include "stream-tcp.h"
48 
49 #include "detect-threshold.h"
50 #include "detect-engine-threshold.h"
51 #include "detect-engine-address.h"
52 #include "detect-engine-build.h"
53 
54 #include "util-unittest.h"
55 #include "util-unittest-helper.h"
56 #include "util-byte.h"
57 #include "util-debug.h"
58 
59 #ifdef UNITTESTS
60 #include "util-cpu.h"
61 #endif
62 
63 #define PARSE_REGEX "^\\s*(track|type|count|seconds)\\s+(limit|both|threshold|by_dst|by_src|by_both|by_rule|\\d+)\\s*,\\s*(track|type|count|seconds)\\s+(limit|both|threshold|by_dst|by_src|by_both|by_rule|\\d+)\\s*,\\s*(track|type|count|seconds)\\s+(limit|both|threshold|by_dst|by_src|by_both|by_rule|\\d+)\\s*,\\s*(track|type|count|seconds)\\s+(limit|both|threshold|by_dst|by_src|by_both|by_rule|\\d+)\\s*"
64 
65 static DetectParseRegex parse_regex;
66 
67 static int DetectThresholdMatch(DetectEngineThreadCtx *, Packet *,
68  const Signature *, const SigMatchCtx *);
69 static int DetectThresholdSetup(DetectEngineCtx *, Signature *, const char *);
70 static void DetectThresholdFree(DetectEngineCtx *, void *);
71 #ifdef UNITTESTS
72 static void ThresholdRegisterTests(void);
73 #endif
74 
75 /**
76  * \brief Registration function for threshold: keyword
77  */
78 
79 void DetectThresholdRegister(void)
80 {
81  sigmatch_table[DETECT_THRESHOLD].name = "threshold";
82  sigmatch_table[DETECT_THRESHOLD].desc = "control the rule's alert frequency";
83  sigmatch_table[DETECT_THRESHOLD].url = "/rules/thresholding.html#threshold";
84  sigmatch_table[DETECT_THRESHOLD].Match = DetectThresholdMatch;
85  sigmatch_table[DETECT_THRESHOLD].Setup = DetectThresholdSetup;
86  sigmatch_table[DETECT_THRESHOLD].Free = DetectThresholdFree;
87 #ifdef UNITTESTS
88  sigmatch_table[DETECT_THRESHOLD].RegisterTests = ThresholdRegisterTests;
89 #endif
90  /* this is compatible to ip-only signatures */
91  sigmatch_table[DETECT_THRESHOLD].flags |= SIGMATCH_IPONLY_COMPAT;
92 
93  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
94 }
95 
96 static int DetectThresholdMatch(DetectEngineThreadCtx *det_ctx, Packet *p,
97  const Signature *s, const SigMatchCtx *ctx)
98 {
99  return 1;
100 }
101 
102 /**
103  * \internal
104  * \brief This function is used to parse threshold options passed via threshold: keyword
105  *
106  * \param rawstr Pointer to the user provided threshold options
107  *
108  * \retval de pointer to DetectThresholdData on success
109  * \retval NULL on failure
110  */
111 static DetectThresholdData *DetectThresholdParse(const char *rawstr)
112 {
113  DetectThresholdData *de = NULL;
114  int ret = 0, res = 0;
115  size_t pcre2_len;
116  const char *str_ptr = NULL;
117  char *args[9] = { NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL };
118  char *copy_str = NULL, *threshold_opt = NULL;
119  int second_found = 0, count_found = 0;
120  int type_found = 0, track_found = 0;
121  int second_pos = 0, count_pos = 0;
122  size_t pos = 0;
123  int i = 0;
124 
125  copy_str = SCStrdup(rawstr);
126  if (unlikely(copy_str == NULL)) {
127  goto error;
128  }
129 
130  char *saveptr = NULL;
131  for (pos = 0, threshold_opt = strtok_r(copy_str,",", &saveptr);
132  pos < strlen(copy_str) && threshold_opt != NULL;
133  pos++, threshold_opt = strtok_r(NULL,"," , &saveptr))
134  {
135  if(strstr(threshold_opt,"count"))
136  count_found++;
137  if(strstr(threshold_opt,"second"))
138  second_found++;
139  if(strstr(threshold_opt,"type"))
140  type_found++;
141  if(strstr(threshold_opt,"track"))
142  track_found++;
143  }
144  SCFree(copy_str);
145  copy_str = NULL;
146 
147  if(count_found != 1 || second_found != 1 || type_found != 1 || track_found != 1)
148  goto error;
149 
150  ret = DetectParsePcreExec(&parse_regex, rawstr, 0, 0);
151  if (ret < 5) {
152  SCLogError("pcre_exec parse error, ret %" PRId32 ", string %s", ret, rawstr);
153  goto error;
154  }
155 
156  de = SCMalloc(sizeof(DetectThresholdData));
157  if (unlikely(de == NULL))
158  goto error;
159 
160  memset(de,0,sizeof(DetectThresholdData));
161 
162  for (i = 0; i < (ret - 1); i++) {
163 
164  res = pcre2_substring_get_bynumber(
165  parse_regex.match, i + 1, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
166 
167  if (res < 0) {
168  SCLogError("pcre2_substring_get_bynumber failed");
169  goto error;
170  }
171 
172  args[i] = (char *)str_ptr;
173 
174  if (strncasecmp(args[i],"limit",strlen("limit")) == 0)
175  de->type = TYPE_LIMIT;
176  if (strncasecmp(args[i],"both",strlen("both")) == 0)
177  de->type = TYPE_BOTH;
178  if (strncasecmp(args[i],"threshold",strlen("threshold")) == 0)
179  de->type = TYPE_THRESHOLD;
180  if (strncasecmp(args[i],"by_dst",strlen("by_dst")) == 0)
181  de->track = TRACK_DST;
182  if (strncasecmp(args[i],"by_src",strlen("by_src")) == 0)
183  de->track = TRACK_SRC;
184  if (strncasecmp(args[i],"by_both",strlen("by_both")) == 0)
185  de->track = TRACK_BOTH;
186  if (strncasecmp(args[i],"by_rule",strlen("by_rule")) == 0)
187  de->track = TRACK_RULE;
188  if (strncasecmp(args[i],"count",strlen("count")) == 0)
189  count_pos = i+1;
190  if (strncasecmp(args[i],"seconds",strlen("seconds")) == 0)
191  second_pos = i+1;
192  }
193 
194  if (args[count_pos] == NULL || args[second_pos] == NULL) {
195  goto error;
196  }
197 
198  if (StringParseUint32(&de->count, 10, strlen(args[count_pos]),
199  args[count_pos]) <= 0) {
200  goto error;
201  }
202 
203  if (StringParseUint32(&de->seconds, 10, strlen(args[second_pos]),
204  args[second_pos]) <= 0) {
205  goto error;
206  }
207 
208  for (i = 0; i < (ret - 1); i++){
209  if (args[i] != NULL)
210  pcre2_substring_free((PCRE2_UCHAR8 *)args[i]);
211  }
212  return de;
213 
214 error:
215  for (i = 0; i < (ret - 1); i++){
216  if (args[i] != NULL)
217  pcre2_substring_free((PCRE2_UCHAR8 *)args[i]);
218  }
219  if (de != NULL)
220  SCFree(de);
221  return NULL;
222 }
223 
224 /**
225  * \internal
226  * \brief this function is used to add the parsed threshold into the current signature
227  *
228  * \param de_ctx pointer to the Detection Engine Context
229  * \param s pointer to the Current Signature
230  * \param rawstr pointer to the user provided threshold options
231  *
232  * \retval 0 on Success
233  * \retval -1 on Failure
234  */
235 static int DetectThresholdSetup(DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
236 {
237  DetectThresholdData *de = NULL;
238  SigMatch *sm = NULL;
239  SigMatch *tmpm = NULL;
240 
241  /* checks if there is a previous instance of detection_filter */
242  tmpm = DetectGetLastSMFromLists(s, DETECT_THRESHOLD, DETECT_DETECTION_FILTER, -1);
243  if (tmpm != NULL) {
244  if (tmpm->type == DETECT_DETECTION_FILTER) {
245  SCLogError("\"detection_filter\" and "
246  "\"threshold\" are not allowed in the same rule");
247  } else {
248  SCLogError("multiple \"threshold\" "
249  "options are not allowed in the same rule");
250  }
251  SCReturnInt(-1);
252  }
253 
254  de = DetectThresholdParse(rawstr);
255  if (de == NULL)
256  goto error;
257 
258  sm = SigMatchAlloc();
259  if (sm == NULL)
260  goto error;
261 
262  sm->type = DETECT_THRESHOLD;
263  sm->ctx = (SigMatchCtx *)de;
264 
265  SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_THRESHOLD);
266 
267  return 0;
268 
269 error:
270  if (de) SCFree(de);
271  if (sm) SCFree(sm);
272  return -1;
273 }
274 
275 /**
276  * \internal
277  * \brief this function will free memory associated with DetectThresholdData
278  *
279  * \param de pointer to DetectThresholdData
280  */
281 static void DetectThresholdFree(DetectEngineCtx *de_ctx, void *de_ptr)
282 {
283  DetectThresholdData *de = (DetectThresholdData *)de_ptr;
284  if (de) {
285  DetectAddressHeadCleanup(&de->addrs);
286  SCFree(de);
287  }
288 }
289 
290 /**
291  * \brief Make a deep-copy of an extant DetectTHresholdData object.
292  *
293  * \param de pointer to DetectThresholdData
294  */
295 DetectThresholdData *DetectThresholdDataCopy(DetectThresholdData *de)
296 {
297  DetectThresholdData *new_de = SCCalloc(1, sizeof(DetectThresholdData));
298  if (unlikely(new_de == NULL))
299  return NULL;
300 
301  *new_de = *de;
302  new_de->addrs.ipv4_head = NULL;
303  new_de->addrs.ipv6_head = NULL;
304 
305  for (DetectAddress *last = NULL, *tmp_ad = de->addrs.ipv4_head; tmp_ad; tmp_ad = tmp_ad->next) {
306  DetectAddress *n_addr = DetectAddressCopy(tmp_ad);
307  if (n_addr == NULL)
308  goto error;
309  if (last == NULL) {
310  new_de->addrs.ipv4_head = n_addr;
311  } else {
312  last->next = n_addr;
313  n_addr->prev = last;
314  }
315  last = n_addr;
316  }
317  for (DetectAddress *last = NULL, *tmp_ad = de->addrs.ipv6_head; tmp_ad; tmp_ad = tmp_ad->next) {
318  DetectAddress *n_addr = DetectAddressCopy(tmp_ad);
319  if (n_addr == NULL)
320  goto error;
321  if (last == NULL) {
322  new_de->addrs.ipv6_head = n_addr;
323  } else {
324  last->next = n_addr;
325  n_addr->prev = last;
326  }
327  last = n_addr;
328  }
329 
330  return new_de;
331 
332 error:
333  DetectThresholdFree(NULL, new_de);
334  return NULL;
335 }
336 
337 /*
338  * ONLY TESTS BELOW THIS COMMENT
339  */
340 #ifdef UNITTESTS
341 #include "detect-engine.h"
342 #include "detect-engine-mpm.h"
343 #include "detect-engine-alert.h"
344 #include "util-time.h"
345 #include "util-hashlist.h"
346 #include "packet.h"
347 #include "action-globals.h"
348 /**
349  * \test ThresholdTestParse01 is a test for a valid threshold options
350  *
351  * \retval 1 on success
352  * \retval 0 on failure
353  */
354 static int ThresholdTestParse01(void)
355 {
356  DetectThresholdData *de = NULL;
357  de = DetectThresholdParse("type limit,track by_dst,count 10,seconds 60");
358  if (de && (de->type == TYPE_LIMIT) && (de->track == TRACK_DST) && (de->count == 10) && (de->seconds == 60)) {
359  DetectThresholdFree(NULL, de);
360  return 1;
361  }
362 
363  return 0;
364 }
365 
366 /**
367  * \test ThresholdTestParse02 is a test for a invalid threshold options
368  *
369  * \retval 1 on success
370  * \retval 0 on failure
371  */
372 static int ThresholdTestParse02(void)
373 {
374  DetectThresholdData *de = NULL;
375  de = DetectThresholdParse("type any,track by_dst,count 10,seconds 60");
376  if (de && (de->type == TYPE_LIMIT) && (de->track == TRACK_DST) && (de->count == 10) && (de->seconds == 60)) {
377  DetectThresholdFree(NULL, de);
378  return 0;
379  }
380 
381  return 1;
382 }
383 
384 /**
385  * \test ThresholdTestParse03 is a test for a valid threshold options in any order
386  *
387  * \retval 1 on success
388  * \retval 0 on failure
389  */
390 static int ThresholdTestParse03(void)
391 {
392  DetectThresholdData *de = NULL;
393  de = DetectThresholdParse("track by_dst, type limit, seconds 60, count 10");
394  if (de && (de->type == TYPE_LIMIT) && (de->track == TRACK_DST) && (de->count == 10) && (de->seconds == 60)) {
395  DetectThresholdFree(NULL, de);
396  return 1;
397  }
398 
399  return 0;
400 }
401 
402 
403 /**
404  * \test ThresholdTestParse04 is a test for an invalid threshold options in any order
405  *
406  * \retval 1 on success
407  * \retval 0 on failure
408  */
409 static int ThresholdTestParse04(void)
410 {
411  DetectThresholdData *de = NULL;
412  de = DetectThresholdParse("count 10, track by_dst, seconds 60, type both, count 10");
413  if (de && (de->type == TYPE_BOTH) && (de->track == TRACK_DST) && (de->count == 10) && (de->seconds == 60)) {
414  DetectThresholdFree(NULL, de);
415  return 0;
416  }
417 
418  return 1;
419 }
420 
421 /**
422  * \test ThresholdTestParse05 is a test for a valid threshold options in any order
423  *
424  * \retval 1 on success
425  * \retval 0 on failure
426  */
427 static int ThresholdTestParse05(void)
428 {
429  DetectThresholdData *de = NULL;
430  de = DetectThresholdParse("count 10, track by_dst, seconds 60, type both");
431  if (de && (de->type == TYPE_BOTH) && (de->track == TRACK_DST) && (de->count == 10) && (de->seconds == 60)) {
432  DetectThresholdFree(NULL, de);
433  return 1;
434  }
435 
436  return 0;
437 }
438 
439 /**
440  * \test ThresholdTestParse06 is a test for thresholding by_both
441  *
442  * \retval 1 on success
443  * \retval 0 on failure
444  */
445 static int ThresholdTestParse06(void)
446 {
447  DetectThresholdData *de = NULL;
448  de = DetectThresholdParse("count 10, track by_both, seconds 60, type limit");
449  FAIL_IF_NULL(de);
450  FAIL_IF_NOT(de->type == TYPE_LIMIT);
451  FAIL_IF_NOT(de->track == TRACK_BOTH);
452  FAIL_IF_NOT(de->count == 10);
453  FAIL_IF_NOT(de->seconds == 60);
454  DetectThresholdFree(NULL, de);
455  PASS;
456 }
457 
458 /**
459  * \test ThresholdTestParse07 is a test for thresholding by_rule
460  *
461  * \retval 1 on success
462  * \retval 0 on failure
463  */
464 static int ThresholdTestParse07(void)
465 {
466  DetectThresholdData *de = NULL;
467  de = DetectThresholdParse("count 10, track by_rule, seconds 60, type limit");
468  FAIL_IF_NULL(de);
469  FAIL_IF_NOT(de->type == TYPE_LIMIT);
470  FAIL_IF_NOT(de->track == TRACK_RULE);
471  FAIL_IF_NOT(de->count == 10);
472  FAIL_IF_NOT(de->seconds == 60);
473  DetectThresholdFree(NULL, de);
474  PASS;
475 }
476 
477 /**
478  * \test DetectThresholdTestSig1 is a test for checking the working of limit keyword
479  * by setting up the signature and later testing its working by matching
480  * the received packet against the sig.
481  *
482  * \retval 1 on success
483  * \retval 0 on failure
484  */
485 
486 static int DetectThresholdTestSig1(void)
487 {
488  Packet *p = NULL;
489  Signature *s = NULL;
490  ThreadVars th_v;
491  DetectEngineThreadCtx *det_ctx;
492  int result = 0;
493  int alerts = 0;
494 
495  HostInitConfig(HOST_QUIET);
496 
497  memset(&th_v, 0, sizeof(th_v));
498 
499  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
500 
501  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
502  if (de_ctx == NULL) {
503  goto end;
504  }
505 
506  de_ctx->flags |= DE_QUIET;
507 
508  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit\"; content:\"A\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1;)");
509  if (s == NULL) {
510  goto end;
511  }
512 
513  SigGroupBuild(de_ctx);
514 
515  if (s->flags & SIG_FLAG_IPONLY) {
516  printf("signature is ip-only: ");
517  goto end;
518  }
519 
520  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
521 
522  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
523  alerts = PacketAlertCheck(p, 1);
524  if (alerts != 1) {
525  printf("alerts %"PRIi32", expected 1: ", alerts);
526  }
527  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
528  alerts += PacketAlertCheck(p, 1);
529  if (alerts != 2) {
530  printf("alerts %"PRIi32", expected 2: ", alerts);
531  }
532  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
533  alerts += PacketAlertCheck(p, 1);
534  if (alerts != 3) {
535  printf("alerts %"PRIi32", expected 3: ", alerts);
536  }
537  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
538  alerts += PacketAlertCheck(p, 1);
539  if (alerts != 4) {
540  printf("alerts %"PRIi32", expected 4: ", alerts);
541  }
542  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
543  alerts += PacketAlertCheck(p, 1);
544  if (alerts != 5) {
545  printf("alerts %"PRIi32", expected 5: ", alerts);
546  }
547  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
548  alerts += PacketAlertCheck(p, 1);
549  if (alerts != 5) {
550  printf("alerts %"PRIi32", expected 5: ", alerts);
551  }
552  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
553  alerts += PacketAlertCheck(p, 1);
554  if (alerts != 5) {
555  printf("alerts %"PRIi32", expected 5: ", alerts);
556  }
557  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
558  alerts += PacketAlertCheck(p, 1);
559  if (alerts != 5) {
560  printf("alerts %"PRIi32", expected 5: ", alerts);
561  }
562 
563  if(alerts == 5)
564  result = 1;
565  else
566  printf("alerts %"PRIi32", expected 5: ", alerts);
567 
568  SigGroupCleanup(de_ctx);
569  SigCleanSignatures(de_ctx);
570 
571  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
572  DetectEngineCtxFree(de_ctx);
573 
574  UTHFreePackets(&p, 1);
575 
576  HostShutdown();
577 end:
578  return result;
579 }
580 
581 /**
582  * \test DetectThresholdTestSig2 is a test for checking the working of threshold keyword
583  * by setting up the signature and later testing its working by matching
584  * the received packet against the sig.
585  *
586  * \retval 1 on success
587  * \retval 0 on failure
588  */
589 
590 static int DetectThresholdTestSig2(void)
591 {
592  Packet *p = NULL;
593  Signature *s = NULL;
594  ThreadVars th_v;
595  DetectEngineThreadCtx *det_ctx;
596  int result = 0;
597  int alerts = 0;
598 
599  HostInitConfig(HOST_QUIET);
600 
601  memset(&th_v, 0, sizeof(th_v));
602 
603  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
604 
605  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
606  if (de_ctx == NULL) {
607  goto end;
608  }
609 
610  de_ctx->flags |= DE_QUIET;
611 
612  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold\"; threshold: type threshold, track by_dst, count 5, seconds 60; sid:1;)");
613  if (s == NULL) {
614  goto end;
615  }
616 
617  SigGroupBuild(de_ctx);
618  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
619 
620  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
621  alerts = PacketAlertCheck(p, 1);
622  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
623  alerts += PacketAlertCheck(p, 1);
624  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
625  alerts += PacketAlertCheck(p, 1);
626  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
627  alerts += PacketAlertCheck(p, 1);
628  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
629  alerts += PacketAlertCheck(p, 1);
630  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
631  alerts += PacketAlertCheck(p, 1);
632  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
633  alerts += PacketAlertCheck(p, 1);
634  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
635  alerts += PacketAlertCheck(p, 1);
636  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
637  alerts += PacketAlertCheck(p, 1);
638  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
639  alerts += PacketAlertCheck(p, 1);
640 
641  if (alerts == 2)
642  result = 1;
643  else
644  goto cleanup;
645 
646 cleanup:
647  SigGroupCleanup(de_ctx);
648  SigCleanSignatures(de_ctx);
649 
650  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
651  DetectEngineCtxFree(de_ctx);
652 
653 end:
654  UTHFreePackets(&p, 1);
655  HostShutdown();
656  return result;
657 }
658 
659 /**
660  * \test DetectThresholdTestSig3 is a test for checking the working of limit keyword
661  * by setting up the signature and later testing its working by matching
662  * the received packet against the sig.
663  *
664  * \retval 1 on success
665  * \retval 0 on failure
666  */
667 
668 static int DetectThresholdTestSig3(void)
669 {
670  Packet *p = NULL;
671  Signature *s = NULL;
672  ThreadVars th_v;
673  DetectEngineThreadCtx *det_ctx;
674  int result = 0;
675  int alerts = 0;
676  DetectThresholdEntry *lookup_tsh = NULL;
677 
678  HostInitConfig(HOST_QUIET);
679 
680  memset(&th_v, 0, sizeof(th_v));
681 
682  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
683 
684  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
685  if (de_ctx == NULL) {
686  goto end;
687  }
688 
689  de_ctx->flags |= DE_QUIET;
690 
691  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:10;)");
692  if (s == NULL) {
693  goto end;
694  }
695 
696  SigGroupBuild(de_ctx);
697  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
698 
699  p->ts = TimeGet();
700 
701  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
702  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
703  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
704 
705  Host *host = HostLookupHostFromHash(&p->dst);
706  if (host == NULL) {
707  printf("host not found: ");
708  goto cleanup;
709  }
710 
711  if (!(ThresholdHostHasThreshold(host))) {
712  HostRelease(host);
713  printf("host has no threshold: ");
714  goto cleanup;
715  }
716  HostRelease(host);
717 
718  TimeSetIncrementTime(200);
719  p->ts = TimeGet();
720 
721  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
722  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
723  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
724 
725  host = HostLookupHostFromHash(&p->dst);
726  if (host == NULL) {
727  printf("host not found: ");
728  goto cleanup;
729  }
730  HostRelease(host);
731 
732  lookup_tsh = HostGetStorageById(host, ThresholdHostStorageId());
733  if (lookup_tsh == NULL) {
734  HostRelease(host);
735  printf("lookup_tsh is NULL: ");
736  goto cleanup;
737  }
738 
739  alerts = lookup_tsh->current_count;
740 
741  if (alerts == 3)
742  result = 1;
743  else {
744  printf("alerts %u != 3: ", alerts);
745  goto cleanup;
746  }
747 
748 cleanup:
749  SigGroupCleanup(de_ctx);
750  SigCleanSignatures(de_ctx);
751 
752  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
753  DetectEngineCtxFree(de_ctx);
754 end:
755  UTHFreePackets(&p, 1);
756  HostShutdown();
757  return result;
758 }
759 
760 /**
761  * \test DetectThresholdTestSig4 is a test for checking the working of both keyword
762  * by setting up the signature and later testing its working by matching
763  * the received packet against the sig.
764  *
765  * \retval 1 on success
766  * \retval 0 on failure
767  */
768 
769 static int DetectThresholdTestSig4(void)
770 {
771  Packet *p = NULL;
772  Signature *s = NULL;
773  ThreadVars th_v;
774  DetectEngineThreadCtx *det_ctx;
775  int result = 0;
776  int alerts = 0;
777 
778  HostInitConfig(HOST_QUIET);
779 
780  memset(&th_v, 0, sizeof(th_v));
781 
782  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
783 
784  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
785  if (de_ctx == NULL) {
786  goto end;
787  }
788 
789  de_ctx->flags |= DE_QUIET;
790 
791  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold both\"; threshold: type both, track by_dst, count 2, seconds 60; sid:10;)");
792  if (s == NULL) {
793  goto end;
794  }
795 
796  SigGroupBuild(de_ctx);
797  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
798 
799  p->ts = TimeGet();
800  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
801  alerts = PacketAlertCheck(p, 10);
802  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
803  alerts += PacketAlertCheck(p, 10);
804  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
805  alerts += PacketAlertCheck(p, 10);
806 
807  TimeSetIncrementTime(200);
808  p->ts = TimeGet();
809 
810  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
811  alerts += PacketAlertCheck(p, 10);
812  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
813  alerts += PacketAlertCheck(p, 10);
814  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
815  alerts += PacketAlertCheck(p, 10);
816 
817  if (alerts == 2)
818  result = 1;
819  else
820  goto cleanup;
821 
822 cleanup:
823  SigGroupCleanup(de_ctx);
824  SigCleanSignatures(de_ctx);
825 
826  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
827  DetectEngineCtxFree(de_ctx);
828 end:
829  UTHFreePackets(&p, 1);
830  HostShutdown();
831  return result;
832 }
833 
834 /**
835  * \test DetectThresholdTestSig5 is a test for checking the working of limit keyword
836  * by setting up the signature and later testing its working by matching
837  * the received packet against the sig.
838  *
839  * \retval 1 on success
840  * \retval 0 on failure
841  */
842 
843 static int DetectThresholdTestSig5(void)
844 {
845  Packet *p = NULL;
846  Signature *s = NULL;
847  ThreadVars th_v;
848  DetectEngineThreadCtx *det_ctx;
849  int result = 0;
850  int alerts = 0;
851 
852  HostInitConfig(HOST_QUIET);
853 
854  memset(&th_v, 0, sizeof(th_v));
855  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
856 
857  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
858  if (de_ctx == NULL) {
859  goto end;
860  }
861 
862  de_ctx->flags |= DE_QUIET;
863 
864  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit sid 1\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1;)");
865  if (s == NULL) {
866  goto end;
867  }
868 
869  s = s->next = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit sid 1000\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1000;)");
870  if (s == NULL) {
871  goto end;
872  }
873 
874  SigGroupBuild(de_ctx);
875  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
876 
877  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
878  alerts = PacketAlertCheck(p, 1);
879  alerts += PacketAlertCheck(p, 1000);
880  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
881  alerts += PacketAlertCheck(p, 1);
882  alerts += PacketAlertCheck(p, 1000);
883  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
884  alerts += PacketAlertCheck(p, 1);
885  alerts += PacketAlertCheck(p, 1000);
886  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
887  alerts += PacketAlertCheck(p, 1);
888  alerts += PacketAlertCheck(p, 1000);
889  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
890  alerts += PacketAlertCheck(p, 1);
891  alerts += PacketAlertCheck(p, 1000);
892  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
893  alerts += PacketAlertCheck(p, 1);
894  alerts += PacketAlertCheck(p, 1000);
895  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
896  alerts += PacketAlertCheck(p, 1);
897  alerts += PacketAlertCheck(p, 1000);
898  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
899  alerts += PacketAlertCheck(p, 1);
900  alerts += PacketAlertCheck(p, 1000);
901 
902  if(alerts == 10)
903  result = 1;
904  else {
905  printf("alerts %d != 10: ", alerts);
906  goto cleanup;
907  }
908 
909 cleanup:
910  SigGroupCleanup(de_ctx);
911  SigCleanSignatures(de_ctx);
912 
913  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
914  DetectEngineCtxFree(de_ctx);
915 
916 end:
917  UTHFreePackets(&p, 1);
918  HostShutdown();
919  return result;
920 }
921 
922 static int DetectThresholdTestSig6Ticks(void)
923 {
924  Packet *p = NULL;
925  Signature *s = NULL;
926  ThreadVars th_v;
927  DetectEngineThreadCtx *det_ctx;
928  int result = 0;
929  int alerts = 0;
930 
931  HostInitConfig(HOST_QUIET);
932 
933  memset(&th_v, 0, sizeof(th_v));
934  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
935 
936  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
937  if (de_ctx == NULL) {
938  goto end;
939  }
940 
941  de_ctx->flags |= DE_QUIET;
942 
943  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit sid 1\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1;)");
944  if (s == NULL) {
945  goto end;
946  }
947 
948  s = s->next = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit sid 1000\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1000;)");
949  if (s == NULL) {
950  goto end;
951  }
952 
953  SigGroupBuild(de_ctx);
954  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
955 
956  uint64_t ticks_start = 0;
957  uint64_t ticks_end = 0;
958 
959  ticks_start = UtilCpuGetTicks();
960  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
961  alerts = PacketAlertCheck(p, 1);
962  alerts += PacketAlertCheck(p, 1000);
963  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
964  alerts += PacketAlertCheck(p, 1);
965  alerts += PacketAlertCheck(p, 1000);
966  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
967  alerts += PacketAlertCheck(p, 1);
968  alerts += PacketAlertCheck(p, 1000);
969  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
970  alerts += PacketAlertCheck(p, 1);
971  alerts += PacketAlertCheck(p, 1000);
972  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
973  alerts += PacketAlertCheck(p, 1);
974  alerts += PacketAlertCheck(p, 1000);
975  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
976  alerts += PacketAlertCheck(p, 1);
977  alerts += PacketAlertCheck(p, 1000);
978  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
979  alerts += PacketAlertCheck(p, 1);
980  alerts += PacketAlertCheck(p, 1000);
981  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
982  alerts += PacketAlertCheck(p, 1);
983  alerts += PacketAlertCheck(p, 1000);
984  ticks_end = UtilCpuGetTicks();
985  printf("test run %"PRIu64"\n", (ticks_end - ticks_start));
986 
987  if(alerts == 10)
988  result = 1;
989  else
990  goto cleanup;
991 
992 cleanup:
993  SigGroupCleanup(de_ctx);
994  SigCleanSignatures(de_ctx);
995 
996  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
997  DetectEngineCtxFree(de_ctx);
998 
999 end:
1000  UTHFreePackets(&p, 1);
1001  HostShutdown();
1002  return result;
1003 }
1004 
1005 /**
1006  * \test Test drop action being set even if thresholded
1007  */
1008 static int DetectThresholdTestSig7(void)
1009 {
1010  Packet *p = NULL;
1011  Signature *s = NULL;
1012  ThreadVars th_v;
1013  DetectEngineThreadCtx *det_ctx;
1014  int result = 0;
1015  int alerts = 0;
1016  int drops = 0;
1017 
1018  HostInitConfig(HOST_QUIET);
1019 
1020  memset(&th_v, 0, sizeof(th_v));
1021 
1022  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
1023 
1024  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1025  if (de_ctx == NULL) {
1026  goto end;
1027  }
1028 
1029  de_ctx->flags |= DE_QUIET;
1030 
1031  s = de_ctx->sig_list = SigInit(de_ctx,"drop tcp any any -> any 80 (threshold: type limit, track by_src, count 1, seconds 300; sid:10;)");
1032  if (s == NULL) {
1033  goto end;
1034  }
1035 
1036  SigGroupBuild(de_ctx);
1037  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1038 
1039  p->ts = TimeGet();
1040  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1041  alerts = PacketAlertCheck(p, 10);
1042  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1043  p->action = 0;
1044 
1045  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1046  alerts += PacketAlertCheck(p, 10);
1047  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1048  p->action = 0;
1049 
1050  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1051  alerts += PacketAlertCheck(p, 10);
1052  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1053  p->action = 0;
1054 
1055  TimeSetIncrementTime(200);
1056  p->ts = TimeGet();
1057 
1058  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1059  alerts += PacketAlertCheck(p, 10);
1060  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1061  p->action = 0;
1062 
1063  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1064  alerts += PacketAlertCheck(p, 10);
1065  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1066  p->action = 0;
1067 
1068  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1069  alerts += PacketAlertCheck(p, 10);
1070  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1071  p->action = 0;
1072 
1073  if (alerts == 1 && drops == 6)
1074  result = 1;
1075  else {
1076  if (alerts != 1)
1077  printf("alerts: %d != 1: ", alerts);
1078  if (drops != 6)
1079  printf("drops: %d != 6: ", drops);
1080  goto cleanup;
1081  }
1082 
1083 cleanup:
1084  SigGroupCleanup(de_ctx);
1085  SigCleanSignatures(de_ctx);
1086 
1087  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1088  DetectEngineCtxFree(de_ctx);
1089 end:
1090  UTHFreePackets(&p, 1);
1091  HostShutdown();
1092  return result;
1093 }
1094 
1095 /**
1096  * \test Test drop action being set even if thresholded
1097  */
1098 static int DetectThresholdTestSig8(void)
1099 {
1100  Packet *p = NULL;
1101  Signature *s = NULL;
1102  ThreadVars th_v;
1103  DetectEngineThreadCtx *det_ctx;
1104  int result = 0;
1105  int alerts = 0;
1106  int drops = 0;
1107 
1108  HostInitConfig(HOST_QUIET);
1109 
1110  memset(&th_v, 0, sizeof(th_v));
1111 
1112  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
1113 
1114  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1115  if (de_ctx == NULL) {
1116  goto end;
1117  }
1118 
1119  de_ctx->flags |= DE_QUIET;
1120 
1121  s = de_ctx->sig_list = SigInit(de_ctx,"drop tcp any any -> any 80 (threshold: type limit, track by_src, count 2, seconds 300; sid:10;)");
1122  if (s == NULL) {
1123  goto end;
1124  }
1125 
1126  SigGroupBuild(de_ctx);
1127  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1128 
1129  p->ts = TimeGet();
1130  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1131  alerts = PacketAlertCheck(p, 10);
1132  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1133  p->action = 0;
1134 
1135  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1136  alerts += PacketAlertCheck(p, 10);
1137  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1138  p->action = 0;
1139 
1140  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1141  alerts += PacketAlertCheck(p, 10);
1142  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1143  p->action = 0;
1144 
1145  TimeSetIncrementTime(200);
1146  p->ts = TimeGet();
1147 
1148  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1149  alerts += PacketAlertCheck(p, 10);
1150  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1151  p->action = 0;
1152 
1153  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1154  alerts += PacketAlertCheck(p, 10);
1155  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1156  p->action = 0;
1157 
1158  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1159  alerts += PacketAlertCheck(p, 10);
1160  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1161  p->action = 0;
1162 
1163  if (alerts == 2 && drops == 6)
1164  result = 1;
1165  else {
1166  if (alerts != 1)
1167  printf("alerts: %d != 1: ", alerts);
1168  if (drops != 6)
1169  printf("drops: %d != 6: ", drops);
1170  goto cleanup;
1171  }
1172 
1173 cleanup:
1174  SigGroupCleanup(de_ctx);
1175  SigCleanSignatures(de_ctx);
1176 
1177  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1178  DetectEngineCtxFree(de_ctx);
1179 end:
1180  UTHFreePackets(&p, 1);
1181  HostShutdown();
1182  return result;
1183 }
1184 
1185 /**
1186  * \test Test drop action being set even if thresholded
1187  */
1188 static int DetectThresholdTestSig9(void)
1189 {
1190  Packet *p = NULL;
1191  Signature *s = NULL;
1192  ThreadVars th_v;
1193  DetectEngineThreadCtx *det_ctx;
1194  int result = 0;
1195  int alerts = 0;
1196  int drops = 0;
1197 
1198  HostInitConfig(HOST_QUIET);
1199 
1200  memset(&th_v, 0, sizeof(th_v));
1201 
1202  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
1203 
1204  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1205  if (de_ctx == NULL) {
1206  goto end;
1207  }
1208 
1209  de_ctx->flags |= DE_QUIET;
1210 
1211  s = de_ctx->sig_list = SigInit(de_ctx,"drop tcp any any -> any 80 (threshold: type threshold, track by_src, count 3, seconds 100; sid:10;)");
1212  if (s == NULL) {
1213  goto end;
1214  }
1215 
1216  SigGroupBuild(de_ctx);
1217  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1218 
1219  p->ts = TimeGet();
1220  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1221  alerts = PacketAlertCheck(p, 10);
1222  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1223  p->action = 0;
1224 
1225  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1226  alerts += PacketAlertCheck(p, 10);
1227  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1228  p->action = 0;
1229 
1230  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1231  alerts += PacketAlertCheck(p, 10);
1232  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1233  p->action = 0;
1234 
1235  TimeSetIncrementTime(200);
1236  p->ts = TimeGet();
1237 
1238  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1239  alerts += PacketAlertCheck(p, 10);
1240  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1241  p->action = 0;
1242 
1243  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1244  alerts += PacketAlertCheck(p, 10);
1245  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1246  p->action = 0;
1247 
1248  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1249  alerts += PacketAlertCheck(p, 10);
1250  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1251  p->action = 0;
1252 
1253  if (alerts == 2 && drops == 2)
1254  result = 1;
1255  else {
1256  if (alerts != 2)
1257  printf("alerts: %d != 2: ", alerts);
1258  if (drops != 2)
1259  printf("drops: %d != 2: ", drops);
1260  goto cleanup;
1261  }
1262 
1263 cleanup:
1264  SigGroupCleanup(de_ctx);
1265  SigCleanSignatures(de_ctx);
1266 
1267  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1268  DetectEngineCtxFree(de_ctx);
1269 end:
1270  UTHFreePackets(&p, 1);
1271  HostShutdown();
1272  return result;
1273 }
1274 
1275 /**
1276  * \test Test drop action being set even if thresholded
1277  */
1278 static int DetectThresholdTestSig10(void)
1279 {
1280  Packet *p = NULL;
1281  Signature *s = NULL;
1282  ThreadVars th_v;
1283  DetectEngineThreadCtx *det_ctx;
1284  int result = 0;
1285  int alerts = 0;
1286  int drops = 0;
1287 
1288  HostInitConfig(HOST_QUIET);
1289 
1290  memset(&th_v, 0, sizeof(th_v));
1291 
1292  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
1293 
1294  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1295  if (de_ctx == NULL) {
1296  goto end;
1297  }
1298 
1299  de_ctx->flags |= DE_QUIET;
1300 
1301  s = de_ctx->sig_list = SigInit(de_ctx,"drop tcp any any -> any 80 (threshold: type threshold, track by_src, count 5, seconds 300; sid:10;)");
1302  if (s == NULL) {
1303  goto end;
1304  }
1305 
1306  SigGroupBuild(de_ctx);
1307  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1308 
1309  p->ts = TimeGet();
1310  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1311  alerts = PacketAlertCheck(p, 10);
1312  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1313  p->action = 0;
1314 
1315  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1316  alerts += PacketAlertCheck(p, 10);
1317  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1318  p->action = 0;
1319 
1320  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1321  alerts += PacketAlertCheck(p, 10);
1322  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1323  p->action = 0;
1324 
1325  TimeSetIncrementTime(200);
1326  p->ts = TimeGet();
1327 
1328  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1329  alerts += PacketAlertCheck(p, 10);
1330  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1331  p->action = 0;
1332 
1333  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1334  alerts += PacketAlertCheck(p, 10);
1335  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1336  p->action = 0;
1337 
1338  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1339  alerts += PacketAlertCheck(p, 10);
1340  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1341  p->action = 0;
1342 
1343  if (alerts == 1 && drops == 1)
1344  result = 1;
1345  else {
1346  if (alerts != 1)
1347  printf("alerts: %d != 1: ", alerts);
1348  if (drops != 1)
1349  printf("drops: %d != 1: ", drops);
1350  goto cleanup;
1351  }
1352 
1353 cleanup:
1354  SigGroupCleanup(de_ctx);
1355  SigCleanSignatures(de_ctx);
1356 
1357  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1358  DetectEngineCtxFree(de_ctx);
1359 end:
1360  UTHFreePackets(&p, 1);
1361  HostShutdown();
1362  return result;
1363 }
1364 
1365 /**
1366  * \test Test drop action being set even if thresholded
1367  */
1368 static int DetectThresholdTestSig11(void)
1369 {
1370  Packet *p = NULL;
1371  Signature *s = NULL;
1372  ThreadVars th_v;
1373  DetectEngineThreadCtx *det_ctx;
1374  int result = 0;
1375  int alerts = 0;
1376  int drops = 0;
1377 
1378  HostInitConfig(HOST_QUIET);
1379 
1380  memset(&th_v, 0, sizeof(th_v));
1381 
1382  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
1383 
1384  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1385  if (de_ctx == NULL) {
1386  goto end;
1387  }
1388 
1389  de_ctx->flags |= DE_QUIET;
1390 
1391  s = de_ctx->sig_list = SigInit(de_ctx,"drop tcp any any -> any 80 (threshold: type both, track by_src, count 3, seconds 300; sid:10;)");
1392  if (s == NULL) {
1393  goto end;
1394  }
1395 
1396  SigGroupBuild(de_ctx);
1397  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1398 
1399  p->ts = TimeGet();
1400  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1401  alerts = PacketAlertCheck(p, 10);
1402  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1403  p->action = 0;
1404 
1405  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1406  alerts += PacketAlertCheck(p, 10);
1407  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1408  p->action = 0;
1409 
1410  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1411  alerts += PacketAlertCheck(p, 10);
1412  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1413  p->action = 0;
1414 
1415  TimeSetIncrementTime(200);
1416  p->ts = TimeGet();
1417 
1418  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1419  alerts += PacketAlertCheck(p, 10);
1420  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1421  p->action = 0;
1422 
1423  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1424  alerts += PacketAlertCheck(p, 10);
1425  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1426  p->action = 0;
1427 
1428  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1429  alerts += PacketAlertCheck(p, 10);
1430  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1431  p->action = 0;
1432 
1433  if (alerts == 1 && drops == 4)
1434  result = 1;
1435  else {
1436  if (alerts != 1)
1437  printf("alerts: %d != 1: ", alerts);
1438  if (drops != 4)
1439  printf("drops: %d != 4: ", drops);
1440  goto cleanup;
1441  }
1442 
1443 cleanup:
1444  SigGroupCleanup(de_ctx);
1445  SigCleanSignatures(de_ctx);
1446 
1447  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1448  DetectEngineCtxFree(de_ctx);
1449 end:
1450  UTHFreePackets(&p, 1);
1451  HostShutdown();
1452  return result;
1453 }
1454 
1455 /**
1456  * \test Test drop action being set even if thresholded
1457  */
1458 static int DetectThresholdTestSig12(void)
1459 {
1460  Packet *p = NULL;
1461  Signature *s = NULL;
1462  ThreadVars th_v;
1463  DetectEngineThreadCtx *det_ctx;
1464  int result = 0;
1465  int alerts = 0;
1466  int drops = 0;
1467 
1468  HostInitConfig(HOST_QUIET);
1469 
1470  memset(&th_v, 0, sizeof(th_v));
1471 
1472  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
1473 
1474  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1475  if (de_ctx == NULL) {
1476  goto end;
1477  }
1478 
1479  de_ctx->flags |= DE_QUIET;
1480 
1481  s = de_ctx->sig_list = SigInit(de_ctx,"drop tcp any any -> any 80 (threshold: type both, track by_src, count 5, seconds 300; sid:10;)");
1482  if (s == NULL) {
1483  goto end;
1484  }
1485 
1486  SigGroupBuild(de_ctx);
1487  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1488 
1489  p->ts = TimeGet();
1490  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1491  alerts = PacketAlertCheck(p, 10);
1492  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1493  p->action = 0;
1494 
1495  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1496  alerts += PacketAlertCheck(p, 10);
1497  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1498  p->action = 0;
1499 
1500  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1501  alerts += PacketAlertCheck(p, 10);
1502  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1503  p->action = 0;
1504 
1505  TimeSetIncrementTime(200);
1506  p->ts = TimeGet();
1507 
1508  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1509  alerts += PacketAlertCheck(p, 10);
1510  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1511  p->action = 0;
1512 
1513  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1514  alerts += PacketAlertCheck(p, 10);
1515  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1516  p->action = 0;
1517 
1518  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1519  alerts += PacketAlertCheck(p, 10);
1520  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1521  p->action = 0;
1522 
1523  if (alerts == 1 && drops == 2)
1524  result = 1;
1525  else {
1526  if (alerts != 1)
1527  printf("alerts: %d != 1: ", alerts);
1528  if (drops != 2)
1529  printf("drops: %d != 2: ", drops);
1530  goto cleanup;
1531  }
1532 
1533 cleanup:
1534  SigGroupCleanup(de_ctx);
1535  SigCleanSignatures(de_ctx);
1536 
1537  DetectEngineThreadCtxDeinit(&th_v, (void*)det_ctx);
1538  DetectEngineCtxFree(de_ctx);
1539 end:
1540  UTHFreePackets(&p, 1);
1541  HostShutdown();
1542  return result;
1543 }
1544 
1545 /**
1546  * \test DetectThresholdTestSig13 is a test for checking the working by_rule limits
1547  * by setting up the signature and later testing its working by matching
1548  * received packets against the sig.
1549  *
1550  * \retval 1 on success
1551  * \retval 0 on failure
1552  */
1553 
1554 static int DetectThresholdTestSig13(void)
1555 {
1556  Packet *p = NULL;
1557  Signature *s = NULL;
1558  ThreadVars th_v;
1559  DetectEngineThreadCtx *det_ctx;
1560  int alerts = 0;
1561 
1562  HostInitConfig(HOST_QUIET);
1563 
1564  memset(&th_v, 0, sizeof(th_v));
1565  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
1566  FAIL_IF_NULL(p);
1567 
1568  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1569  FAIL_IF_NULL(de_ctx);
1570 
1571  de_ctx->flags |= DE_QUIET;
1572 
1573  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit sid 1\"; threshold: type limit, track by_rule, count 2, seconds 60; sid:1;)");
1574  FAIL_IF_NULL(s);
1575 
1576  SigGroupBuild(de_ctx);
1577  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1578 
1579  /* should alert twice */
1580  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1581  alerts += PacketAlertCheck(p, 1);
1582  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1583  alerts += PacketAlertCheck(p, 1);
1584  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1585  alerts += PacketAlertCheck(p, 1);
1586  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1587  alerts += PacketAlertCheck(p, 1);
1588 
1589  FAIL_IF(alerts != 2);
1590 
1591  TimeSetIncrementTime(70);
1592  p->ts = TimeGet();
1593 
1594  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1595  alerts += PacketAlertCheck(p, 1);
1596  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1597  alerts += PacketAlertCheck(p, 1);
1598  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1599  alerts += PacketAlertCheck(p, 1);
1600  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1601  alerts += PacketAlertCheck(p, 1);
1602 
1603  FAIL_IF(alerts != 4);
1604 
1605  SigGroupCleanup(de_ctx);
1606  SigCleanSignatures(de_ctx);
1607  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1608  DetectEngineCtxFree(de_ctx);
1609  UTHFreePackets(&p, 1);
1610  HostShutdown();
1611  PASS;
1612 }
1613 
1614 /**
1615  * \test DetectThresholdTestSig14 is a test for checking the working by_both limits
1616  * by setting up the signature and later testing its working by matching
1617  * received packets against the sig.
1618  *
1619  * \retval 1 on success
1620  * \retval 0 on failure
1621  */
1622 
1623 static int DetectThresholdTestSig14(void)
1624 {
1625  Packet *p1 = NULL;
1626  Packet *p2 = NULL;
1627  Signature *s = NULL;
1628  ThreadVars th_v;
1629  DetectEngineThreadCtx *det_ctx;
1630  int alerts1 = 0;
1631  int alerts2 = 0;
1632 
1633  HostInitConfig(HOST_QUIET);
1634  IPPairInitConfig(IPPAIR_QUIET);
1635 
1636  memset(&th_v, 0, sizeof(th_v));
1637  p1 = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
1638  p2 = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "3.3.3.3", 1024, 80);
1639  FAIL_IF_NULL(p1);
1640  FAIL_IF_NULL(p2);
1641 
1642  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1643  FAIL_IF_NULL(de_ctx);
1644 
1645  de_ctx->flags |= DE_QUIET;
1646 
1647  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit sid 1\"; threshold: type limit, track by_both, count 2, seconds 60; sid:1;)");
1648  FAIL_IF_NULL(s);
1649 
1650  SigGroupBuild(de_ctx);
1651  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1652 
1653  /* Both p1 and p2 should alert twice */
1654  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1655  alerts1 += PacketAlertCheck(p1, 1);
1656  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1657  alerts1 += PacketAlertCheck(p1, 1);
1658  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1659  alerts1 += PacketAlertCheck(p1, 1);
1660  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1661  alerts1 += PacketAlertCheck(p1, 1);
1662 
1663  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1664  alerts2 += PacketAlertCheck(p2, 1);
1665  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1666  alerts2 += PacketAlertCheck(p2, 1);
1667  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1668  alerts2 += PacketAlertCheck(p2, 1);
1669  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1670  alerts2 += PacketAlertCheck(p2, 1);
1671 
1672  FAIL_IF(alerts1 != 2);
1673  FAIL_IF(alerts2 != 2);
1674 
1675  TimeSetIncrementTime(70);
1676  p1->ts = TimeGet();
1677  p2->ts = TimeGet();
1678 
1679  /* Now they should both alert again after previous alerts expire */
1680  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1681  alerts1 += PacketAlertCheck(p1, 1);
1682  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1683  alerts2 += PacketAlertCheck(p2, 1);
1684 
1685  FAIL_IF(alerts1 != 3);
1686  FAIL_IF(alerts2 != 3);
1687 
1688  SigGroupCleanup(de_ctx);
1689  SigCleanSignatures(de_ctx);
1690  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1691  DetectEngineCtxFree(de_ctx);
1692  UTHFreePackets(&p1, 1);
1693  UTHFreePackets(&p2, 1);
1694  HostShutdown();
1695  PASS;
1696 }
1697 
1698 static void ThresholdRegisterTests(void)
1699 {
1700  UtRegisterTest("ThresholdTestParse01", ThresholdTestParse01);
1701  UtRegisterTest("ThresholdTestParse02", ThresholdTestParse02);
1702  UtRegisterTest("ThresholdTestParse03", ThresholdTestParse03);
1703  UtRegisterTest("ThresholdTestParse04", ThresholdTestParse04);
1704  UtRegisterTest("ThresholdTestParse05", ThresholdTestParse05);
1705  UtRegisterTest("ThresholdTestParse06", ThresholdTestParse06);
1706  UtRegisterTest("ThresholdTestParse07", ThresholdTestParse07);
1707  UtRegisterTest("DetectThresholdTestSig1", DetectThresholdTestSig1);
1708  UtRegisterTest("DetectThresholdTestSig2", DetectThresholdTestSig2);
1709  UtRegisterTest("DetectThresholdTestSig3", DetectThresholdTestSig3);
1710  UtRegisterTest("DetectThresholdTestSig4", DetectThresholdTestSig4);
1711  UtRegisterTest("DetectThresholdTestSig5", DetectThresholdTestSig5);
1712  UtRegisterTest("DetectThresholdTestSig6Ticks",
1713  DetectThresholdTestSig6Ticks);
1714  UtRegisterTest("DetectThresholdTestSig7", DetectThresholdTestSig7);
1715  UtRegisterTest("DetectThresholdTestSig8", DetectThresholdTestSig8);
1716  UtRegisterTest("DetectThresholdTestSig9", DetectThresholdTestSig9);
1717  UtRegisterTest("DetectThresholdTestSig10", DetectThresholdTestSig10);
1718  UtRegisterTest("DetectThresholdTestSig11", DetectThresholdTestSig11);
1719  UtRegisterTest("DetectThresholdTestSig12", DetectThresholdTestSig12);
1720  UtRegisterTest("DetectThresholdTestSig13", DetectThresholdTestSig13);
1721  UtRegisterTest("DetectThresholdTestSig14", DetectThresholdTestSig14);
1722 }
1723 #endif /* UNITTESTS */
1724 
1725 /**
1726  * @}
1727  */
TRACK_BOTH
#define TRACK_BOTH
Definition: detect-threshold.h:39
util-byte.h
host.h
DetectParseRegex::match
pcre2_match_data * match
Definition: detect-parse.h:47
SigTableElmt_::url
const char * url
Definition: detect.h:1241
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
host-storage.h
IPPairInitConfig
void IPPairInitConfig(bool quiet)
initialize the configuration
Definition: ippair.c:169
SigTableElmt_::desc
const char * desc
Definition: detect.h:1240
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options)
Definition: detect-parse.c:2488
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1228
util-hashlist.h
DetectParseRegex
Definition: detect-parse.h:44
SigTableElmt_::name
const char * name
Definition: detect.h:1238
stream-tcp.h
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DetectAddress_
address structure for use in the detection engine.
Definition: detect.h:128
DetectAddressHeadCleanup
void DetectAddressHeadCleanup(DetectAddressHead *gh)
Cleans a DetectAddressHead. The functions frees the address group heads(ipv4 and ipv6) inside the Det...
Definition: detect-engine-address.c:1492
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
action-globals.h
Packet_::action
uint8_t action
Definition: decode.h:577
DETECT_SM_LIST_THRESHOLD
@ DETECT_SM_LIST_THRESHOLD
Definition: detect.h:93
HostRelease
void HostRelease(Host *h)
Definition: host.c:477
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1232
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:785
TYPE_LIMIT
#define TYPE_LIMIT
Definition: detect-threshold.h:28
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2442
TRACK_DST
#define TRACK_DST
Definition: detect-detection-filter.c:43
HostGetStorageById
void * HostGetStorageById(Host *h, HostStorageId id)
Get a value from a given Host storage.
Definition: host-storage.c:88
DE_QUIET
#define DE_QUIET
Definition: detect.h:287
DetectThresholdEntry_
Definition: detect-threshold.h:65
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1809
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:46
UTHBuildPacketReal
Packet * UTHBuildPacketReal(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, const char *src, const char *dst, uint16_t sport, uint16_t dport)
UTHBuildPacketReal is a function that create tcp/udp packets for unittests specifying ip and port sou...
Definition: util-unittest-helper.c:244
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1223
ThresholdHostHasThreshold
int ThresholdHostHasThreshold(Host *host)
Definition: detect-engine-threshold.c:93
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
UtilCpuGetTicks
uint64_t UtilCpuGetTicks(void)
Definition: util-cpu.c:194
DetectAddress_::prev
struct DetectAddress_ * prev
Definition: detect.h:137
Signature_::next
struct Signature_ * next
Definition: detect.h:614
TRACK_RULE
#define TRACK_RULE
Definition: detect-threshold.h:37
decode.h
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1025
util-cpu.h
Packet_::ts
SCTime_t ts
Definition: decode.h:471
DETECT_THRESHOLD
@ DETECT_THRESHOLD
Definition: detect-engine-register.h:57
de
uint8_t de
Definition: app-layer-htp.c:576
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2609
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-threshold.c:63
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
StringParseUint32
int StringParseUint32(uint32_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:313
util-time.h
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2129
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:316
TYPE_BOTH
#define TYPE_BOTH
Definition: detect-threshold.h:29
DetectAddressCopy
DetectAddress * DetectAddressCopy(DetectAddress *orig)
copy a DetectAddress
Definition: detect-engine-address.c:128
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2019
Signature_::flags
uint32_t flags
Definition: detect.h:541
TimeSetIncrementTime
void TimeSetIncrementTime(uint32_t tv_sec)
increment the time in the engine
Definition: util-time.c:180
ThresholdHostStorageId
HostStorageId ThresholdHostStorageId(void)
Definition: detect-engine-threshold.c:76
Packet_
Definition: decode.h:428
detect-engine-build.h
SIG_FLAG_IPONLY
#define SIG_FLAG_IPONLY
Definition: detect.h:208
TimeGet
SCTime_t TimeGet(void)
Definition: util-time.c:152
detect-engine-alert.h
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1206
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:239
decode-events.h
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1951
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:308
IPPAIR_QUIET
#define IPPAIR_QUIET
Definition: ippair.h:90
DetectThresholdEntry_::current_count
uint32_t current_count
Definition: detect-threshold.h:72
DetectAddressHead_::ipv6_head
DetectAddress * ipv6_head
Definition: detect.h:145
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3153
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3367
SigMatch_::type
uint16_t type
Definition: detect.h:314
DetectThresholdData_
Definition: detect-threshold.h:54
packet.h
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:76
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
HOST_QUIET
#define HOST_QUIET
Definition: host.h:93
HostShutdown
void HostShutdown(void)
shutdown the flow engine
Definition: host.c:306
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:791
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
TYPE_THRESHOLD
#define TYPE_THRESHOLD
Definition: detect-threshold.h:30
DETECT_DETECTION_FILTER
@ DETECT_DETECTION_FILTER
Definition: detect-engine-register.h:100
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SCFree
#define SCFree(p)
Definition: util-mem.h:61
detect-parse.h
Signature_
Signature container.
Definition: detect.h:540
SigMatch_
a single match condition for a signature
Definition: detect.h:313
detect-threshold.h
DetectAddress_::next
struct DetectAddress_ * next
Definition: detect.h:139
DetectThresholdRegister
void DetectThresholdRegister(void)
Registration function for threshold: keyword.
Definition: detect-threshold.c:79
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2403
HostLookupHostFromHash
Host * HostLookupHostFromHash(Address *a)
look up a host in the hash
Definition: host.c:601
suricata.h
Packet_::dst
Address dst
Definition: decode.h:433
TRACK_SRC
#define TRACK_SRC
Definition: detect-detection-filter.c:44
HostInitConfig
void HostInitConfig(bool quiet)
initialize the configuration
Definition: host.c:175
DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition: detect-parse.c:474
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:786
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
Host_
Definition: host.h:58
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
DetectThresholdDataCopy
DetectThresholdData * DetectThresholdDataCopy(DetectThresholdData *de)
Make a deep-copy of an extant DetectTHresholdData object.
Definition: detect-threshold.c:295
flow-var.h
SIGMATCH_IPONLY_COMPAT
#define SIGMATCH_IPONLY_COMPAT
Definition: detect.h:1425
DetectAddressHead_::ipv4_head
DetectAddress * ipv4_head
Definition: detect.h:144
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:354
detect-engine-address.h
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1230
detect-engine-threshold.h
DetectThresholdData_::addrs
DetectAddressHead addrs
Definition: detect-threshold.h:62
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:468