suricata
detect-threshold.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup threshold
20  * @{
21  */
22 
23 /**
24  * \file
25  *
26  * \author Breno Silva <breno.silva@gmail.com>
27  * \author Victor Julien <victor@inliniac.net>
28  *
29  * Implements the threshold keyword.
30  *
31  * The feature depends on what is provided
32  * by detect-engine-threshold.c and util-threshold-config.c
33  */
34 
35 #include "suricata-common.h"
36 #include "suricata.h"
37 #include "decode.h"
38 
39 #include "host.h"
40 #include "host-storage.h"
41 
42 #include "detect.h"
43 #include "detect-parse.h"
44 
45 #include "flow-var.h"
46 #include "decode-events.h"
47 #include "stream-tcp.h"
48 
49 #include "detect-threshold.h"
50 #include "detect-engine-threshold.h"
51 #include "detect-engine-address.h"
52 
53 #include "util-unittest.h"
54 #include "util-unittest-helper.h"
55 #include "util-byte.h"
56 #include "util-debug.h"
57 
58 #ifdef UNITTESTS
59 #include "util-cpu.h"
60 #endif
61 
62 #define PARSE_REGEX "^\\s*(track|type|count|seconds)\\s+(limit|both|threshold|by_dst|by_src|by_both|by_rule|\\d+)\\s*,\\s*(track|type|count|seconds)\\s+(limit|both|threshold|by_dst|by_src|by_both|by_rule|\\d+)\\s*,\\s*(track|type|count|seconds)\\s+(limit|both|threshold|by_dst|by_src|by_both|by_rule|\\d+)\\s*,\\s*(track|type|count|seconds)\\s+(limit|both|threshold|by_dst|by_src|by_both|by_rule|\\d+)\\s*"
63 
64 static DetectParseRegex parse_regex;
65 
66 static int DetectThresholdMatch(DetectEngineThreadCtx *, Packet *,
67  const Signature *, const SigMatchCtx *);
68 static int DetectThresholdSetup(DetectEngineCtx *, Signature *, const char *);
69 static void DetectThresholdFree(DetectEngineCtx *, void *);
70 #ifdef UNITTESTS
71 static void ThresholdRegisterTests(void);
72 #endif
73 
74 /**
75  * \brief Registration function for threshold: keyword
76  */
77 
78 void DetectThresholdRegister(void)
79 {
80  sigmatch_table[DETECT_THRESHOLD].name = "threshold";
81  sigmatch_table[DETECT_THRESHOLD].desc = "control the rule's alert frequency";
82  sigmatch_table[DETECT_THRESHOLD].url = "/rules/thresholding.html#threshold";
83  sigmatch_table[DETECT_THRESHOLD].Match = DetectThresholdMatch;
84  sigmatch_table[DETECT_THRESHOLD].Setup = DetectThresholdSetup;
85  sigmatch_table[DETECT_THRESHOLD].Free = DetectThresholdFree;
86 #ifdef UNITTESTS
87  sigmatch_table[DETECT_THRESHOLD].RegisterTests = ThresholdRegisterTests;
88 #endif
89  /* this is compatible to ip-only signatures */
90  sigmatch_table[DETECT_THRESHOLD].flags |= SIGMATCH_IPONLY_COMPAT;
91 
92  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
93 }
94 
95 static int DetectThresholdMatch(DetectEngineThreadCtx *det_ctx, Packet *p,
96  const Signature *s, const SigMatchCtx *ctx)
97 {
98  return 1;
99 }
100 
101 /**
102  * \internal
103  * \brief This function is used to parse threshold options passed via threshold: keyword
104  *
105  * \param rawstr Pointer to the user provided threshold options
106  *
107  * \retval de pointer to DetectThresholdData on success
108  * \retval NULL on failure
109  */
110 static DetectThresholdData *DetectThresholdParse(const char *rawstr)
111 {
112  DetectThresholdData *de = NULL;
113  int ret = 0, res = 0;
114  size_t pcre2_len;
115  const char *str_ptr = NULL;
116  char *args[9] = { NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL };
117  char *copy_str = NULL, *threshold_opt = NULL;
118  int second_found = 0, count_found = 0;
119  int type_found = 0, track_found = 0;
120  int second_pos = 0, count_pos = 0;
121  uint16_t pos = 0;
122  int i = 0;
123 
124  copy_str = SCStrdup(rawstr);
125  if (unlikely(copy_str == NULL)) {
126  goto error;
127  }
128 
129  char *saveptr = NULL;
130  for (pos = 0, threshold_opt = strtok_r(copy_str,",", &saveptr);
131  pos < strlen(copy_str) && threshold_opt != NULL;
132  pos++, threshold_opt = strtok_r(NULL,"," , &saveptr))
133  {
134  if(strstr(threshold_opt,"count"))
135  count_found++;
136  if(strstr(threshold_opt,"second"))
137  second_found++;
138  if(strstr(threshold_opt,"type"))
139  type_found++;
140  if(strstr(threshold_opt,"track"))
141  track_found++;
142  }
143  SCFree(copy_str);
144  copy_str = NULL;
145 
146  if(count_found != 1 || second_found != 1 || type_found != 1 || track_found != 1)
147  goto error;
148 
149  ret = DetectParsePcreExec(&parse_regex, rawstr, 0, 0);
150  if (ret < 5) {
151  SCLogError(SC_ERR_PCRE_MATCH, "pcre_exec parse error, ret %" PRId32 ", string %s", ret, rawstr);
152  goto error;
153  }
154 
155  de = SCMalloc(sizeof(DetectThresholdData));
156  if (unlikely(de == NULL))
157  goto error;
158 
159  memset(de,0,sizeof(DetectThresholdData));
160 
161  for (i = 0; i < (ret - 1); i++) {
162 
163  res = pcre2_substring_get_bynumber(
164  parse_regex.match, i + 1, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
165 
166  if (res < 0) {
167  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre2_substring_get_bynumber failed");
168  goto error;
169  }
170 
171  args[i] = (char *)str_ptr;
172 
173  if (strncasecmp(args[i],"limit",strlen("limit")) == 0)
174  de->type = TYPE_LIMIT;
175  if (strncasecmp(args[i],"both",strlen("both")) == 0)
176  de->type = TYPE_BOTH;
177  if (strncasecmp(args[i],"threshold",strlen("threshold")) == 0)
178  de->type = TYPE_THRESHOLD;
179  if (strncasecmp(args[i],"by_dst",strlen("by_dst")) == 0)
180  de->track = TRACK_DST;
181  if (strncasecmp(args[i],"by_src",strlen("by_src")) == 0)
182  de->track = TRACK_SRC;
183  if (strncasecmp(args[i],"by_both",strlen("by_both")) == 0)
184  de->track = TRACK_BOTH;
185  if (strncasecmp(args[i],"by_rule",strlen("by_rule")) == 0)
186  de->track = TRACK_RULE;
187  if (strncasecmp(args[i],"count",strlen("count")) == 0)
188  count_pos = i+1;
189  if (strncasecmp(args[i],"seconds",strlen("seconds")) == 0)
190  second_pos = i+1;
191  }
192 
193  if (args[count_pos] == NULL || args[second_pos] == NULL) {
194  goto error;
195  }
196 
197  if (StringParseUint32(&de->count, 10, strlen(args[count_pos]),
198  args[count_pos]) <= 0) {
199  goto error;
200  }
201 
202  if (StringParseUint32(&de->seconds, 10, strlen(args[second_pos]),
203  args[second_pos]) <= 0) {
204  goto error;
205  }
206 
207  for (i = 0; i < (ret - 1); i++){
208  if (args[i] != NULL)
209  pcre2_substring_free((PCRE2_UCHAR8 *)args[i]);
210  }
211  return de;
212 
213 error:
214  for (i = 0; i < (ret - 1); i++){
215  if (args[i] != NULL)
216  pcre2_substring_free((PCRE2_UCHAR8 *)args[i]);
217  }
218  if (de != NULL)
219  SCFree(de);
220  return NULL;
221 }
222 
223 /**
224  * \internal
225  * \brief this function is used to add the parsed threshold into the current signature
226  *
227  * \param de_ctx pointer to the Detection Engine Context
228  * \param s pointer to the Current Signature
229  * \param rawstr pointer to the user provided threshold options
230  *
231  * \retval 0 on Success
232  * \retval -1 on Failure
233  */
234 static int DetectThresholdSetup(DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
235 {
236  DetectThresholdData *de = NULL;
237  SigMatch *sm = NULL;
238  SigMatch *tmpm = NULL;
239 
240  /* checks if there is a previous instance of detection_filter */
241  tmpm = DetectGetLastSMFromLists(s, DETECT_THRESHOLD, DETECT_DETECTION_FILTER, -1);
242  if (tmpm != NULL) {
243  if (tmpm->type == DETECT_DETECTION_FILTER) {
244  SCLogError(SC_ERR_INVALID_SIGNATURE, "\"detection_filter\" and "
245  "\"threshold\" are not allowed in the same rule");
246  } else {
247  SCLogError(SC_ERR_INVALID_SIGNATURE, "multiple \"threshold\" "
248  "options are not allowed in the same rule");
249  }
250  SCReturnInt(-1);
251  }
252 
253  de = DetectThresholdParse(rawstr);
254  if (de == NULL)
255  goto error;
256 
257  sm = SigMatchAlloc();
258  if (sm == NULL)
259  goto error;
260 
261  sm->type = DETECT_THRESHOLD;
262  sm->ctx = (SigMatchCtx *)de;
263 
264  SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_THRESHOLD);
265 
266  return 0;
267 
268 error:
269  if (de) SCFree(de);
270  if (sm) SCFree(sm);
271  return -1;
272 }
273 
274 /**
275  * \internal
276  * \brief this function will free memory associated with DetectThresholdData
277  *
278  * \param de pointer to DetectThresholdData
279  */
280 static void DetectThresholdFree(DetectEngineCtx *de_ctx, void *de_ptr)
281 {
282  DetectThresholdData *de = (DetectThresholdData *)de_ptr;
283  if (de) {
284  DetectAddressHeadCleanup(&de->addrs);
285  SCFree(de);
286  }
287 }
288 
289 /**
290  * \brief Make a deep-copy of an extant DetectTHresholdData object.
291  *
292  * \param de pointer to DetectThresholdData
293  */
294 DetectThresholdData *DetectThresholdDataCopy(DetectThresholdData *de)
295 {
296  DetectThresholdData *new_de = SCCalloc(1, sizeof(DetectThresholdData));
297  if (unlikely(new_de == NULL))
298  return NULL;
299 
300  *new_de = *de;
301  new_de->addrs.ipv4_head = NULL;
302  new_de->addrs.ipv6_head = NULL;
303 
304  for (DetectAddress *last = NULL, *tmp_ad = de->addrs.ipv4_head; tmp_ad; tmp_ad = tmp_ad->next) {
305  DetectAddress *n_addr = DetectAddressCopy(tmp_ad);
306  if (n_addr == NULL)
307  goto error;
308  if (last == NULL) {
309  new_de->addrs.ipv4_head = n_addr;
310  } else {
311  last->next = n_addr;
312  n_addr->prev = last;
313  }
314  last = n_addr;
315  }
316  for (DetectAddress *last = NULL, *tmp_ad = de->addrs.ipv6_head; tmp_ad; tmp_ad = tmp_ad->next) {
317  DetectAddress *n_addr = DetectAddressCopy(tmp_ad);
318  if (n_addr == NULL)
319  goto error;
320  if (last == NULL) {
321  new_de->addrs.ipv6_head = n_addr;
322  } else {
323  last->next = n_addr;
324  n_addr->prev = last;
325  }
326  last = n_addr;
327  }
328 
329  return new_de;
330 
331 error:
332  DetectThresholdFree(NULL, new_de);
333  return NULL;
334 }
335 
336 /*
337  * ONLY TESTS BELOW THIS COMMENT
338  */
339 #ifdef UNITTESTS
340 #include "detect-engine.h"
341 #include "detect-engine-mpm.h"
342 #include "util-time.h"
343 #include "util-hashlist.h"
344 
345 /**
346  * \test ThresholdTestParse01 is a test for a valid threshold options
347  *
348  * \retval 1 on success
349  * \retval 0 on failure
350  */
351 static int ThresholdTestParse01(void)
352 {
353  DetectThresholdData *de = NULL;
354  de = DetectThresholdParse("type limit,track by_dst,count 10,seconds 60");
355  if (de && (de->type == TYPE_LIMIT) && (de->track == TRACK_DST) && (de->count == 10) && (de->seconds == 60)) {
356  DetectThresholdFree(NULL, de);
357  return 1;
358  }
359 
360  return 0;
361 }
362 
363 /**
364  * \test ThresholdTestParse02 is a test for a invalid threshold options
365  *
366  * \retval 1 on success
367  * \retval 0 on failure
368  */
369 static int ThresholdTestParse02(void)
370 {
371  DetectThresholdData *de = NULL;
372  de = DetectThresholdParse("type any,track by_dst,count 10,seconds 60");
373  if (de && (de->type == TYPE_LIMIT) && (de->track == TRACK_DST) && (de->count == 10) && (de->seconds == 60)) {
374  DetectThresholdFree(NULL, de);
375  return 0;
376  }
377 
378  return 1;
379 }
380 
381 /**
382  * \test ThresholdTestParse03 is a test for a valid threshold options in any order
383  *
384  * \retval 1 on success
385  * \retval 0 on failure
386  */
387 static int ThresholdTestParse03(void)
388 {
389  DetectThresholdData *de = NULL;
390  de = DetectThresholdParse("track by_dst, type limit, seconds 60, count 10");
391  if (de && (de->type == TYPE_LIMIT) && (de->track == TRACK_DST) && (de->count == 10) && (de->seconds == 60)) {
392  DetectThresholdFree(NULL, de);
393  return 1;
394  }
395 
396  return 0;
397 }
398 
399 
400 /**
401  * \test ThresholdTestParse04 is a test for an invalid threshold options in any order
402  *
403  * \retval 1 on success
404  * \retval 0 on failure
405  */
406 static int ThresholdTestParse04(void)
407 {
408  DetectThresholdData *de = NULL;
409  de = DetectThresholdParse("count 10, track by_dst, seconds 60, type both, count 10");
410  if (de && (de->type == TYPE_BOTH) && (de->track == TRACK_DST) && (de->count == 10) && (de->seconds == 60)) {
411  DetectThresholdFree(NULL, de);
412  return 0;
413  }
414 
415  return 1;
416 }
417 
418 /**
419  * \test ThresholdTestParse05 is a test for a valid threshold options in any order
420  *
421  * \retval 1 on success
422  * \retval 0 on failure
423  */
424 static int ThresholdTestParse05(void)
425 {
426  DetectThresholdData *de = NULL;
427  de = DetectThresholdParse("count 10, track by_dst, seconds 60, type both");
428  if (de && (de->type == TYPE_BOTH) && (de->track == TRACK_DST) && (de->count == 10) && (de->seconds == 60)) {
429  DetectThresholdFree(NULL, de);
430  return 1;
431  }
432 
433  return 0;
434 }
435 
436 /**
437  * \test ThresholdTestParse06 is a test for thresholding by_both
438  *
439  * \retval 1 on success
440  * \retval 0 on failure
441  */
442 static int ThresholdTestParse06(void)
443 {
444  DetectThresholdData *de = NULL;
445  de = DetectThresholdParse("count 10, track by_both, seconds 60, type limit");
446  FAIL_IF_NULL(de);
447  FAIL_IF_NOT(de->type == TYPE_LIMIT);
448  FAIL_IF_NOT(de->track == TRACK_BOTH);
449  FAIL_IF_NOT(de->count == 10);
450  FAIL_IF_NOT(de->seconds == 60);
451  DetectThresholdFree(NULL, de);
452  PASS;
453 }
454 
455 /**
456  * \test ThresholdTestParse07 is a test for thresholding by_rule
457  *
458  * \retval 1 on success
459  * \retval 0 on failure
460  */
461 static int ThresholdTestParse07(void)
462 {
463  DetectThresholdData *de = NULL;
464  de = DetectThresholdParse("count 10, track by_rule, seconds 60, type limit");
465  FAIL_IF_NULL(de);
466  FAIL_IF_NOT(de->type == TYPE_LIMIT);
467  FAIL_IF_NOT(de->track == TRACK_RULE);
468  FAIL_IF_NOT(de->count == 10);
469  FAIL_IF_NOT(de->seconds == 60);
470  DetectThresholdFree(NULL, de);
471  PASS;
472 }
473 
474 /**
475  * \test DetectThresholdTestSig1 is a test for checking the working of limit keyword
476  * by setting up the signature and later testing its working by matching
477  * the received packet against the sig.
478  *
479  * \retval 1 on success
480  * \retval 0 on failure
481  */
482 
483 static int DetectThresholdTestSig1(void)
484 {
485  Packet *p = NULL;
486  Signature *s = NULL;
487  ThreadVars th_v;
488  DetectEngineThreadCtx *det_ctx;
489  int result = 0;
490  int alerts = 0;
491 
492  HostInitConfig(HOST_QUIET);
493 
494  memset(&th_v, 0, sizeof(th_v));
495 
496  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
497 
498  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
499  if (de_ctx == NULL) {
500  goto end;
501  }
502 
503  de_ctx->flags |= DE_QUIET;
504 
505  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit\"; content:\"A\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1;)");
506  if (s == NULL) {
507  goto end;
508  }
509 
510  SigGroupBuild(de_ctx);
511 
512  if (s->flags & SIG_FLAG_IPONLY) {
513  printf("signature is ip-only: ");
514  goto end;
515  }
516 
517  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
518 
519  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
520  alerts = PacketAlertCheck(p, 1);
521  if (alerts != 1) {
522  printf("alerts %"PRIi32", expected 1: ", alerts);
523  }
524  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
525  alerts += PacketAlertCheck(p, 1);
526  if (alerts != 2) {
527  printf("alerts %"PRIi32", expected 2: ", alerts);
528  }
529  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
530  alerts += PacketAlertCheck(p, 1);
531  if (alerts != 3) {
532  printf("alerts %"PRIi32", expected 3: ", alerts);
533  }
534  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
535  alerts += PacketAlertCheck(p, 1);
536  if (alerts != 4) {
537  printf("alerts %"PRIi32", expected 4: ", alerts);
538  }
539  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
540  alerts += PacketAlertCheck(p, 1);
541  if (alerts != 5) {
542  printf("alerts %"PRIi32", expected 5: ", alerts);
543  }
544  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
545  alerts += PacketAlertCheck(p, 1);
546  if (alerts != 5) {
547  printf("alerts %"PRIi32", expected 5: ", alerts);
548  }
549  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
550  alerts += PacketAlertCheck(p, 1);
551  if (alerts != 5) {
552  printf("alerts %"PRIi32", expected 5: ", alerts);
553  }
554  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
555  alerts += PacketAlertCheck(p, 1);
556  if (alerts != 5) {
557  printf("alerts %"PRIi32", expected 5: ", alerts);
558  }
559 
560  if(alerts == 5)
561  result = 1;
562  else
563  printf("alerts %"PRIi32", expected 5: ", alerts);
564 
565  SigGroupCleanup(de_ctx);
566  SigCleanSignatures(de_ctx);
567 
568  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
569  DetectEngineCtxFree(de_ctx);
570 
571  UTHFreePackets(&p, 1);
572 
573  HostShutdown();
574 end:
575  return result;
576 }
577 
578 /**
579  * \test DetectThresholdTestSig2 is a test for checking the working of threshold keyword
580  * by setting up the signature and later testing its working by matching
581  * the received packet against the sig.
582  *
583  * \retval 1 on success
584  * \retval 0 on failure
585  */
586 
587 static int DetectThresholdTestSig2(void)
588 {
589  Packet *p = NULL;
590  Signature *s = NULL;
591  ThreadVars th_v;
592  DetectEngineThreadCtx *det_ctx;
593  int result = 0;
594  int alerts = 0;
595 
596  HostInitConfig(HOST_QUIET);
597 
598  memset(&th_v, 0, sizeof(th_v));
599 
600  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
601 
602  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
603  if (de_ctx == NULL) {
604  goto end;
605  }
606 
607  de_ctx->flags |= DE_QUIET;
608 
609  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold\"; threshold: type threshold, track by_dst, count 5, seconds 60; sid:1;)");
610  if (s == NULL) {
611  goto end;
612  }
613 
614  SigGroupBuild(de_ctx);
615  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
616 
617  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
618  alerts = PacketAlertCheck(p, 1);
619  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
620  alerts += PacketAlertCheck(p, 1);
621  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
622  alerts += PacketAlertCheck(p, 1);
623  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
624  alerts += PacketAlertCheck(p, 1);
625  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
626  alerts += PacketAlertCheck(p, 1);
627  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
628  alerts += PacketAlertCheck(p, 1);
629  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
630  alerts += PacketAlertCheck(p, 1);
631  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
632  alerts += PacketAlertCheck(p, 1);
633  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
634  alerts += PacketAlertCheck(p, 1);
635  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
636  alerts += PacketAlertCheck(p, 1);
637 
638  if (alerts == 2)
639  result = 1;
640  else
641  goto cleanup;
642 
643 cleanup:
644  SigGroupCleanup(de_ctx);
645  SigCleanSignatures(de_ctx);
646 
647  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
648  DetectEngineCtxFree(de_ctx);
649 
650 end:
651  UTHFreePackets(&p, 1);
652  HostShutdown();
653  return result;
654 }
655 
656 /**
657  * \test DetectThresholdTestSig3 is a test for checking the working of limit keyword
658  * by setting up the signature and later testing its working by matching
659  * the received packet against the sig.
660  *
661  * \retval 1 on success
662  * \retval 0 on failure
663  */
664 
665 static int DetectThresholdTestSig3(void)
666 {
667  Packet *p = NULL;
668  Signature *s = NULL;
669  ThreadVars th_v;
670  DetectEngineThreadCtx *det_ctx;
671  int result = 0;
672  int alerts = 0;
673  struct timeval ts;
674  DetectThresholdEntry *lookup_tsh = NULL;
675 
676  HostInitConfig(HOST_QUIET);
677 
678  memset (&ts, 0, sizeof(struct timeval));
679  TimeGet(&ts);
680 
681  memset(&th_v, 0, sizeof(th_v));
682 
683  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
684 
685  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
686  if (de_ctx == NULL) {
687  goto end;
688  }
689 
690  de_ctx->flags |= DE_QUIET;
691 
692  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:10;)");
693  if (s == NULL) {
694  goto end;
695  }
696 
697  SigGroupBuild(de_ctx);
698  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
699 
700  TimeGet(&p->ts);
701 
702  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
703  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
704  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
705 
706  Host *host = HostLookupHostFromHash(&p->dst);
707  if (host == NULL) {
708  printf("host not found: ");
709  goto cleanup;
710  }
711 
712  if (!(ThresholdHostHasThreshold(host))) {
713  HostRelease(host);
714  printf("host has no threshold: ");
715  goto cleanup;
716  }
717  HostRelease(host);
718 
719  TimeSetIncrementTime(200);
720  TimeGet(&p->ts);
721 
722  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
723  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
724  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
725 
726  host = HostLookupHostFromHash(&p->dst);
727  if (host == NULL) {
728  printf("host not found: ");
729  goto cleanup;
730  }
731  HostRelease(host);
732 
733  lookup_tsh = HostGetStorageById(host, ThresholdHostStorageId());
734  if (lookup_tsh == NULL) {
735  HostRelease(host);
736  printf("lookup_tsh is NULL: ");
737  goto cleanup;
738  }
739 
740  alerts = lookup_tsh->current_count;
741 
742  if (alerts == 3)
743  result = 1;
744  else {
745  printf("alerts %u != 3: ", alerts);
746  goto cleanup;
747  }
748 
749 cleanup:
750  SigGroupCleanup(de_ctx);
751  SigCleanSignatures(de_ctx);
752 
753  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
754  DetectEngineCtxFree(de_ctx);
755 end:
756  UTHFreePackets(&p, 1);
757  HostShutdown();
758  return result;
759 }
760 
761 /**
762  * \test DetectThresholdTestSig4 is a test for checking the working of both keyword
763  * by setting up the signature and later testing its working by matching
764  * the received packet against the sig.
765  *
766  * \retval 1 on success
767  * \retval 0 on failure
768  */
769 
770 static int DetectThresholdTestSig4(void)
771 {
772  Packet *p = NULL;
773  Signature *s = NULL;
774  ThreadVars th_v;
775  DetectEngineThreadCtx *det_ctx;
776  int result = 0;
777  int alerts = 0;
778  struct timeval ts;
779 
780  HostInitConfig(HOST_QUIET);
781 
782  memset (&ts, 0, sizeof(struct timeval));
783  TimeGet(&ts);
784 
785  memset(&th_v, 0, sizeof(th_v));
786 
787  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
788 
789  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
790  if (de_ctx == NULL) {
791  goto end;
792  }
793 
794  de_ctx->flags |= DE_QUIET;
795 
796  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold both\"; threshold: type both, track by_dst, count 2, seconds 60; sid:10;)");
797  if (s == NULL) {
798  goto end;
799  }
800 
801  SigGroupBuild(de_ctx);
802  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
803 
804  TimeGet(&p->ts);
805  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
806  alerts = PacketAlertCheck(p, 10);
807  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
808  alerts += PacketAlertCheck(p, 10);
809  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
810  alerts += PacketAlertCheck(p, 10);
811 
812  TimeSetIncrementTime(200);
813  TimeGet(&p->ts);
814 
815  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
816  alerts += PacketAlertCheck(p, 10);
817  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
818  alerts += PacketAlertCheck(p, 10);
819  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
820  alerts += PacketAlertCheck(p, 10);
821 
822  if (alerts == 2)
823  result = 1;
824  else
825  goto cleanup;
826 
827 cleanup:
828  SigGroupCleanup(de_ctx);
829  SigCleanSignatures(de_ctx);
830 
831  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
832  DetectEngineCtxFree(de_ctx);
833 end:
834  UTHFreePackets(&p, 1);
835  HostShutdown();
836  return result;
837 }
838 
839 /**
840  * \test DetectThresholdTestSig5 is a test for checking the working of limit keyword
841  * by setting up the signature and later testing its working by matching
842  * the received packet against the sig.
843  *
844  * \retval 1 on success
845  * \retval 0 on failure
846  */
847 
848 static int DetectThresholdTestSig5(void)
849 {
850  Packet *p = NULL;
851  Signature *s = NULL;
852  ThreadVars th_v;
853  DetectEngineThreadCtx *det_ctx;
854  int result = 0;
855  int alerts = 0;
856 
857  HostInitConfig(HOST_QUIET);
858 
859  memset(&th_v, 0, sizeof(th_v));
860  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
861 
862  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
863  if (de_ctx == NULL) {
864  goto end;
865  }
866 
867  de_ctx->flags |= DE_QUIET;
868 
869  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit sid 1\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1;)");
870  if (s == NULL) {
871  goto end;
872  }
873 
874  s = s->next = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit sid 1000\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1000;)");
875  if (s == NULL) {
876  goto end;
877  }
878 
879  SigGroupBuild(de_ctx);
880  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
881 
882  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
883  alerts = PacketAlertCheck(p, 1);
884  alerts += PacketAlertCheck(p, 1000);
885  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
886  alerts += PacketAlertCheck(p, 1);
887  alerts += PacketAlertCheck(p, 1000);
888  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
889  alerts += PacketAlertCheck(p, 1);
890  alerts += PacketAlertCheck(p, 1000);
891  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
892  alerts += PacketAlertCheck(p, 1);
893  alerts += PacketAlertCheck(p, 1000);
894  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
895  alerts += PacketAlertCheck(p, 1);
896  alerts += PacketAlertCheck(p, 1000);
897  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
898  alerts += PacketAlertCheck(p, 1);
899  alerts += PacketAlertCheck(p, 1000);
900  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
901  alerts += PacketAlertCheck(p, 1);
902  alerts += PacketAlertCheck(p, 1000);
903  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
904  alerts += PacketAlertCheck(p, 1);
905  alerts += PacketAlertCheck(p, 1000);
906 
907  if(alerts == 10)
908  result = 1;
909  else {
910  printf("alerts %d != 10: ", alerts);
911  goto cleanup;
912  }
913 
914 cleanup:
915  SigGroupCleanup(de_ctx);
916  SigCleanSignatures(de_ctx);
917 
918  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
919  DetectEngineCtxFree(de_ctx);
920 
921 end:
922  UTHFreePackets(&p, 1);
923  HostShutdown();
924  return result;
925 }
926 
927 static int DetectThresholdTestSig6Ticks(void)
928 {
929  Packet *p = NULL;
930  Signature *s = NULL;
931  ThreadVars th_v;
932  DetectEngineThreadCtx *det_ctx;
933  int result = 0;
934  int alerts = 0;
935 
936  HostInitConfig(HOST_QUIET);
937 
938  memset(&th_v, 0, sizeof(th_v));
939  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
940 
941  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
942  if (de_ctx == NULL) {
943  goto end;
944  }
945 
946  de_ctx->flags |= DE_QUIET;
947 
948  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit sid 1\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1;)");
949  if (s == NULL) {
950  goto end;
951  }
952 
953  s = s->next = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit sid 1000\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1000;)");
954  if (s == NULL) {
955  goto end;
956  }
957 
958  SigGroupBuild(de_ctx);
959  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
960 
961  uint64_t ticks_start = 0;
962  uint64_t ticks_end = 0;
963 
964  ticks_start = UtilCpuGetTicks();
965  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
966  alerts = PacketAlertCheck(p, 1);
967  alerts += PacketAlertCheck(p, 1000);
968  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
969  alerts += PacketAlertCheck(p, 1);
970  alerts += PacketAlertCheck(p, 1000);
971  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
972  alerts += PacketAlertCheck(p, 1);
973  alerts += PacketAlertCheck(p, 1000);
974  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
975  alerts += PacketAlertCheck(p, 1);
976  alerts += PacketAlertCheck(p, 1000);
977  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
978  alerts += PacketAlertCheck(p, 1);
979  alerts += PacketAlertCheck(p, 1000);
980  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
981  alerts += PacketAlertCheck(p, 1);
982  alerts += PacketAlertCheck(p, 1000);
983  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
984  alerts += PacketAlertCheck(p, 1);
985  alerts += PacketAlertCheck(p, 1000);
986  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
987  alerts += PacketAlertCheck(p, 1);
988  alerts += PacketAlertCheck(p, 1000);
989  ticks_end = UtilCpuGetTicks();
990  printf("test run %"PRIu64"\n", (ticks_end - ticks_start));
991 
992  if(alerts == 10)
993  result = 1;
994  else
995  goto cleanup;
996 
997 cleanup:
998  SigGroupCleanup(de_ctx);
999  SigCleanSignatures(de_ctx);
1000 
1001  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1002  DetectEngineCtxFree(de_ctx);
1003 
1004 end:
1005  UTHFreePackets(&p, 1);
1006  HostShutdown();
1007  return result;
1008 }
1009 
1010 /**
1011  * \test Test drop action being set even if thresholded
1012  */
1013 static int DetectThresholdTestSig7(void)
1014 {
1015  Packet *p = NULL;
1016  Signature *s = NULL;
1017  ThreadVars th_v;
1018  DetectEngineThreadCtx *det_ctx;
1019  int result = 0;
1020  int alerts = 0;
1021  int drops = 0;
1022  struct timeval ts;
1023 
1024  HostInitConfig(HOST_QUIET);
1025 
1026  memset (&ts, 0, sizeof(struct timeval));
1027  TimeGet(&ts);
1028 
1029  memset(&th_v, 0, sizeof(th_v));
1030 
1031  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
1032 
1033  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1034  if (de_ctx == NULL) {
1035  goto end;
1036  }
1037 
1038  de_ctx->flags |= DE_QUIET;
1039 
1040  s = de_ctx->sig_list = SigInit(de_ctx,"drop tcp any any -> any 80 (threshold: type limit, track by_src, count 1, seconds 300; sid:10;)");
1041  if (s == NULL) {
1042  goto end;
1043  }
1044 
1045  SigGroupBuild(de_ctx);
1046  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1047 
1048  TimeGet(&p->ts);
1049  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1050  alerts = PacketAlertCheck(p, 10);
1051  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1052  p->action = 0;
1053 
1054  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1055  alerts += PacketAlertCheck(p, 10);
1056  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1057  p->action = 0;
1058 
1059  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1060  alerts += PacketAlertCheck(p, 10);
1061  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1062  p->action = 0;
1063 
1064  TimeSetIncrementTime(200);
1065  TimeGet(&p->ts);
1066 
1067  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1068  alerts += PacketAlertCheck(p, 10);
1069  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1070  p->action = 0;
1071 
1072  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1073  alerts += PacketAlertCheck(p, 10);
1074  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1075  p->action = 0;
1076 
1077  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1078  alerts += PacketAlertCheck(p, 10);
1079  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1080  p->action = 0;
1081 
1082  if (alerts == 1 && drops == 6)
1083  result = 1;
1084  else {
1085  if (alerts != 1)
1086  printf("alerts: %d != 1: ", alerts);
1087  if (drops != 6)
1088  printf("drops: %d != 6: ", drops);
1089  goto cleanup;
1090  }
1091 
1092 cleanup:
1093  SigGroupCleanup(de_ctx);
1094  SigCleanSignatures(de_ctx);
1095 
1096  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1097  DetectEngineCtxFree(de_ctx);
1098 end:
1099  UTHFreePackets(&p, 1);
1100  HostShutdown();
1101  return result;
1102 }
1103 
1104 /**
1105  * \test Test drop action being set even if thresholded
1106  */
1107 static int DetectThresholdTestSig8(void)
1108 {
1109  Packet *p = NULL;
1110  Signature *s = NULL;
1111  ThreadVars th_v;
1112  DetectEngineThreadCtx *det_ctx;
1113  int result = 0;
1114  int alerts = 0;
1115  int drops = 0;
1116  struct timeval ts;
1117 
1118  HostInitConfig(HOST_QUIET);
1119 
1120  memset (&ts, 0, sizeof(struct timeval));
1121  TimeGet(&ts);
1122 
1123  memset(&th_v, 0, sizeof(th_v));
1124 
1125  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
1126 
1127  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1128  if (de_ctx == NULL) {
1129  goto end;
1130  }
1131 
1132  de_ctx->flags |= DE_QUIET;
1133 
1134  s = de_ctx->sig_list = SigInit(de_ctx,"drop tcp any any -> any 80 (threshold: type limit, track by_src, count 2, seconds 300; sid:10;)");
1135  if (s == NULL) {
1136  goto end;
1137  }
1138 
1139  SigGroupBuild(de_ctx);
1140  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1141 
1142  TimeGet(&p->ts);
1143  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1144  alerts = PacketAlertCheck(p, 10);
1145  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1146  p->action = 0;
1147 
1148  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1149  alerts += PacketAlertCheck(p, 10);
1150  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1151  p->action = 0;
1152 
1153  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1154  alerts += PacketAlertCheck(p, 10);
1155  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1156  p->action = 0;
1157 
1158  TimeSetIncrementTime(200);
1159  TimeGet(&p->ts);
1160 
1161  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1162  alerts += PacketAlertCheck(p, 10);
1163  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1164  p->action = 0;
1165 
1166  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1167  alerts += PacketAlertCheck(p, 10);
1168  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1169  p->action = 0;
1170 
1171  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1172  alerts += PacketAlertCheck(p, 10);
1173  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1174  p->action = 0;
1175 
1176  if (alerts == 2 && drops == 6)
1177  result = 1;
1178  else {
1179  if (alerts != 1)
1180  printf("alerts: %d != 1: ", alerts);
1181  if (drops != 6)
1182  printf("drops: %d != 6: ", drops);
1183  goto cleanup;
1184  }
1185 
1186 cleanup:
1187  SigGroupCleanup(de_ctx);
1188  SigCleanSignatures(de_ctx);
1189 
1190  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1191  DetectEngineCtxFree(de_ctx);
1192 end:
1193  UTHFreePackets(&p, 1);
1194  HostShutdown();
1195  return result;
1196 }
1197 
1198 /**
1199  * \test Test drop action being set even if thresholded
1200  */
1201 static int DetectThresholdTestSig9(void)
1202 {
1203  Packet *p = NULL;
1204  Signature *s = NULL;
1205  ThreadVars th_v;
1206  DetectEngineThreadCtx *det_ctx;
1207  int result = 0;
1208  int alerts = 0;
1209  int drops = 0;
1210  struct timeval ts;
1211 
1212  HostInitConfig(HOST_QUIET);
1213 
1214  memset (&ts, 0, sizeof(struct timeval));
1215  TimeGet(&ts);
1216 
1217  memset(&th_v, 0, sizeof(th_v));
1218 
1219  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
1220 
1221  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1222  if (de_ctx == NULL) {
1223  goto end;
1224  }
1225 
1226  de_ctx->flags |= DE_QUIET;
1227 
1228  s = de_ctx->sig_list = SigInit(de_ctx,"drop tcp any any -> any 80 (threshold: type threshold, track by_src, count 3, seconds 100; sid:10;)");
1229  if (s == NULL) {
1230  goto end;
1231  }
1232 
1233  SigGroupBuild(de_ctx);
1234  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1235 
1236  TimeGet(&p->ts);
1237  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1238  alerts = PacketAlertCheck(p, 10);
1239  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1240  p->action = 0;
1241 
1242  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1243  alerts += PacketAlertCheck(p, 10);
1244  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1245  p->action = 0;
1246 
1247  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1248  alerts += PacketAlertCheck(p, 10);
1249  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1250  p->action = 0;
1251 
1252  TimeSetIncrementTime(200);
1253  TimeGet(&p->ts);
1254 
1255  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1256  alerts += PacketAlertCheck(p, 10);
1257  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1258  p->action = 0;
1259 
1260  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1261  alerts += PacketAlertCheck(p, 10);
1262  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1263  p->action = 0;
1264 
1265  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1266  alerts += PacketAlertCheck(p, 10);
1267  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1268  p->action = 0;
1269 
1270  if (alerts == 2 && drops == 2)
1271  result = 1;
1272  else {
1273  if (alerts != 2)
1274  printf("alerts: %d != 2: ", alerts);
1275  if (drops != 2)
1276  printf("drops: %d != 2: ", drops);
1277  goto cleanup;
1278  }
1279 
1280 cleanup:
1281  SigGroupCleanup(de_ctx);
1282  SigCleanSignatures(de_ctx);
1283 
1284  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1285  DetectEngineCtxFree(de_ctx);
1286 end:
1287  UTHFreePackets(&p, 1);
1288  HostShutdown();
1289  return result;
1290 }
1291 
1292 /**
1293  * \test Test drop action being set even if thresholded
1294  */
1295 static int DetectThresholdTestSig10(void)
1296 {
1297  Packet *p = NULL;
1298  Signature *s = NULL;
1299  ThreadVars th_v;
1300  DetectEngineThreadCtx *det_ctx;
1301  int result = 0;
1302  int alerts = 0;
1303  int drops = 0;
1304  struct timeval ts;
1305 
1306  HostInitConfig(HOST_QUIET);
1307 
1308  memset (&ts, 0, sizeof(struct timeval));
1309  TimeGet(&ts);
1310 
1311  memset(&th_v, 0, sizeof(th_v));
1312 
1313  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
1314 
1315  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1316  if (de_ctx == NULL) {
1317  goto end;
1318  }
1319 
1320  de_ctx->flags |= DE_QUIET;
1321 
1322  s = de_ctx->sig_list = SigInit(de_ctx,"drop tcp any any -> any 80 (threshold: type threshold, track by_src, count 5, seconds 300; sid:10;)");
1323  if (s == NULL) {
1324  goto end;
1325  }
1326 
1327  SigGroupBuild(de_ctx);
1328  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1329 
1330  TimeGet(&p->ts);
1331  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1332  alerts = PacketAlertCheck(p, 10);
1333  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1334  p->action = 0;
1335 
1336  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1337  alerts += PacketAlertCheck(p, 10);
1338  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1339  p->action = 0;
1340 
1341  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1342  alerts += PacketAlertCheck(p, 10);
1343  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1344  p->action = 0;
1345 
1346  TimeSetIncrementTime(200);
1347  TimeGet(&p->ts);
1348 
1349  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1350  alerts += PacketAlertCheck(p, 10);
1351  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1352  p->action = 0;
1353 
1354  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1355  alerts += PacketAlertCheck(p, 10);
1356  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1357  p->action = 0;
1358 
1359  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1360  alerts += PacketAlertCheck(p, 10);
1361  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1362  p->action = 0;
1363 
1364  if (alerts == 1 && drops == 1)
1365  result = 1;
1366  else {
1367  if (alerts != 1)
1368  printf("alerts: %d != 1: ", alerts);
1369  if (drops != 1)
1370  printf("drops: %d != 1: ", drops);
1371  goto cleanup;
1372  }
1373 
1374 cleanup:
1375  SigGroupCleanup(de_ctx);
1376  SigCleanSignatures(de_ctx);
1377 
1378  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1379  DetectEngineCtxFree(de_ctx);
1380 end:
1381  UTHFreePackets(&p, 1);
1382  HostShutdown();
1383  return result;
1384 }
1385 
1386 /**
1387  * \test Test drop action being set even if thresholded
1388  */
1389 static int DetectThresholdTestSig11(void)
1390 {
1391  Packet *p = NULL;
1392  Signature *s = NULL;
1393  ThreadVars th_v;
1394  DetectEngineThreadCtx *det_ctx;
1395  int result = 0;
1396  int alerts = 0;
1397  int drops = 0;
1398  struct timeval ts;
1399 
1400  HostInitConfig(HOST_QUIET);
1401 
1402  memset (&ts, 0, sizeof(struct timeval));
1403  TimeGet(&ts);
1404 
1405  memset(&th_v, 0, sizeof(th_v));
1406 
1407  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
1408 
1409  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1410  if (de_ctx == NULL) {
1411  goto end;
1412  }
1413 
1414  de_ctx->flags |= DE_QUIET;
1415 
1416  s = de_ctx->sig_list = SigInit(de_ctx,"drop tcp any any -> any 80 (threshold: type both, track by_src, count 3, seconds 300; sid:10;)");
1417  if (s == NULL) {
1418  goto end;
1419  }
1420 
1421  SigGroupBuild(de_ctx);
1422  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1423 
1424  TimeGet(&p->ts);
1425  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1426  alerts = PacketAlertCheck(p, 10);
1427  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1428  p->action = 0;
1429 
1430  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1431  alerts += PacketAlertCheck(p, 10);
1432  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1433  p->action = 0;
1434 
1435  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1436  alerts += PacketAlertCheck(p, 10);
1437  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1438  p->action = 0;
1439 
1440  TimeSetIncrementTime(200);
1441  TimeGet(&p->ts);
1442 
1443  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1444  alerts += PacketAlertCheck(p, 10);
1445  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1446  p->action = 0;
1447 
1448  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1449  alerts += PacketAlertCheck(p, 10);
1450  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1451  p->action = 0;
1452 
1453  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1454  alerts += PacketAlertCheck(p, 10);
1455  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1456  p->action = 0;
1457 
1458  if (alerts == 1 && drops == 4)
1459  result = 1;
1460  else {
1461  if (alerts != 1)
1462  printf("alerts: %d != 1: ", alerts);
1463  if (drops != 4)
1464  printf("drops: %d != 4: ", drops);
1465  goto cleanup;
1466  }
1467 
1468 cleanup:
1469  SigGroupCleanup(de_ctx);
1470  SigCleanSignatures(de_ctx);
1471 
1472  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1473  DetectEngineCtxFree(de_ctx);
1474 end:
1475  UTHFreePackets(&p, 1);
1476  HostShutdown();
1477  return result;
1478 }
1479 
1480 /**
1481  * \test Test drop action being set even if thresholded
1482  */
1483 static int DetectThresholdTestSig12(void)
1484 {
1485  Packet *p = NULL;
1486  Signature *s = NULL;
1487  ThreadVars th_v;
1488  DetectEngineThreadCtx *det_ctx;
1489  int result = 0;
1490  int alerts = 0;
1491  int drops = 0;
1492  struct timeval ts;
1493 
1494  HostInitConfig(HOST_QUIET);
1495 
1496  memset (&ts, 0, sizeof(struct timeval));
1497  TimeGet(&ts);
1498 
1499  memset(&th_v, 0, sizeof(th_v));
1500 
1501  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
1502 
1503  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1504  if (de_ctx == NULL) {
1505  goto end;
1506  }
1507 
1508  de_ctx->flags |= DE_QUIET;
1509 
1510  s = de_ctx->sig_list = SigInit(de_ctx,"drop tcp any any -> any 80 (threshold: type both, track by_src, count 5, seconds 300; sid:10;)");
1511  if (s == NULL) {
1512  goto end;
1513  }
1514 
1515  SigGroupBuild(de_ctx);
1516  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1517 
1518  TimeGet(&p->ts);
1519  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1520  alerts = PacketAlertCheck(p, 10);
1521  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1522  p->action = 0;
1523 
1524  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1525  alerts += PacketAlertCheck(p, 10);
1526  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1527  p->action = 0;
1528 
1529  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1530  alerts += PacketAlertCheck(p, 10);
1531  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1532  p->action = 0;
1533 
1534  TimeSetIncrementTime(200);
1535  TimeGet(&p->ts);
1536 
1537  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1538  alerts += PacketAlertCheck(p, 10);
1539  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1540  p->action = 0;
1541 
1542  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1543  alerts += PacketAlertCheck(p, 10);
1544  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1545  p->action = 0;
1546 
1547  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1548  alerts += PacketAlertCheck(p, 10);
1549  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1550  p->action = 0;
1551 
1552  if (alerts == 1 && drops == 2)
1553  result = 1;
1554  else {
1555  if (alerts != 1)
1556  printf("alerts: %d != 1: ", alerts);
1557  if (drops != 2)
1558  printf("drops: %d != 2: ", drops);
1559  goto cleanup;
1560  }
1561 
1562 cleanup:
1563  SigGroupCleanup(de_ctx);
1564  SigCleanSignatures(de_ctx);
1565 
1566  DetectEngineThreadCtxDeinit(&th_v, (void*)det_ctx);
1567  DetectEngineCtxFree(de_ctx);
1568 end:
1569  UTHFreePackets(&p, 1);
1570  HostShutdown();
1571  return result;
1572 }
1573 
1574 /**
1575  * \test DetectThresholdTestSig13 is a test for checking the working by_rule limits
1576  * by setting up the signature and later testing its working by matching
1577  * received packets against the sig.
1578  *
1579  * \retval 1 on success
1580  * \retval 0 on failure
1581  */
1582 
1583 static int DetectThresholdTestSig13(void)
1584 {
1585  Packet *p = NULL;
1586  Signature *s = NULL;
1587  ThreadVars th_v;
1588  DetectEngineThreadCtx *det_ctx;
1589  int alerts = 0;
1590 
1591  HostInitConfig(HOST_QUIET);
1592 
1593  memset(&th_v, 0, sizeof(th_v));
1594  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
1595  FAIL_IF_NULL(p);
1596 
1597  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1598  FAIL_IF_NULL(de_ctx);
1599 
1600  de_ctx->flags |= DE_QUIET;
1601 
1602  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit sid 1\"; threshold: type limit, track by_rule, count 2, seconds 60; sid:1;)");
1603  FAIL_IF_NULL(s);
1604 
1605  SigGroupBuild(de_ctx);
1606  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1607 
1608  /* should alert twice */
1609  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1610  alerts += PacketAlertCheck(p, 1);
1611  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1612  alerts += PacketAlertCheck(p, 1);
1613  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1614  alerts += PacketAlertCheck(p, 1);
1615  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1616  alerts += PacketAlertCheck(p, 1);
1617 
1618  FAIL_IF(alerts != 2);
1619 
1620  TimeSetIncrementTime(70);
1621  TimeGet(&p->ts);
1622 
1623  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1624  alerts += PacketAlertCheck(p, 1);
1625  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1626  alerts += PacketAlertCheck(p, 1);
1627  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1628  alerts += PacketAlertCheck(p, 1);
1629  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1630  alerts += PacketAlertCheck(p, 1);
1631 
1632  FAIL_IF(alerts != 4);
1633 
1634  SigGroupCleanup(de_ctx);
1635  SigCleanSignatures(de_ctx);
1636  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1637  DetectEngineCtxFree(de_ctx);
1638  UTHFreePackets(&p, 1);
1639  HostShutdown();
1640  PASS;
1641 }
1642 
1643 /**
1644  * \test DetectThresholdTestSig14 is a test for checking the working by_both limits
1645  * by setting up the signature and later testing its working by matching
1646  * received packets against the sig.
1647  *
1648  * \retval 1 on success
1649  * \retval 0 on failure
1650  */
1651 
1652 static int DetectThresholdTestSig14(void)
1653 {
1654  Packet *p1 = NULL;
1655  Packet *p2 = NULL;
1656  Signature *s = NULL;
1657  ThreadVars th_v;
1658  DetectEngineThreadCtx *det_ctx;
1659  int alerts1 = 0;
1660  int alerts2 = 0;
1661 
1662  HostInitConfig(HOST_QUIET);
1663  IPPairInitConfig(IPPAIR_QUIET);
1664 
1665  memset(&th_v, 0, sizeof(th_v));
1666  p1 = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
1667  p2 = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "3.3.3.3", 1024, 80);
1668  FAIL_IF_NULL(p1);
1669  FAIL_IF_NULL(p2);
1670 
1671  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1672  FAIL_IF_NULL(de_ctx);
1673 
1674  de_ctx->flags |= DE_QUIET;
1675 
1676  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit sid 1\"; threshold: type limit, track by_both, count 2, seconds 60; sid:1;)");
1677  FAIL_IF_NULL(s);
1678 
1679  SigGroupBuild(de_ctx);
1680  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1681 
1682  /* Both p1 and p2 should alert twice */
1683  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1684  alerts1 += PacketAlertCheck(p1, 1);
1685  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1686  alerts1 += PacketAlertCheck(p1, 1);
1687  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1688  alerts1 += PacketAlertCheck(p1, 1);
1689  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1690  alerts1 += PacketAlertCheck(p1, 1);
1691 
1692  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1693  alerts2 += PacketAlertCheck(p2, 1);
1694  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1695  alerts2 += PacketAlertCheck(p2, 1);
1696  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1697  alerts2 += PacketAlertCheck(p2, 1);
1698  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1699  alerts2 += PacketAlertCheck(p2, 1);
1700 
1701  FAIL_IF(alerts1 != 2);
1702  FAIL_IF(alerts2 != 2);
1703 
1704  TimeSetIncrementTime(70);
1705  TimeGet(&p1->ts);
1706  TimeGet(&p2->ts);
1707 
1708  /* Now they should both alert again after previous alerts expire */
1709  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1710  alerts1 += PacketAlertCheck(p1, 1);
1711  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1712  alerts2 += PacketAlertCheck(p2, 1);
1713 
1714  FAIL_IF(alerts1 != 3);
1715  FAIL_IF(alerts2 != 3);
1716 
1717  SigGroupCleanup(de_ctx);
1718  SigCleanSignatures(de_ctx);
1719  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1720  DetectEngineCtxFree(de_ctx);
1721  UTHFreePackets(&p1, 1);
1722  UTHFreePackets(&p2, 1);
1723  HostShutdown();
1724  PASS;
1725 }
1726 
1727 static void ThresholdRegisterTests(void)
1728 {
1729  UtRegisterTest("ThresholdTestParse01", ThresholdTestParse01);
1730  UtRegisterTest("ThresholdTestParse02", ThresholdTestParse02);
1731  UtRegisterTest("ThresholdTestParse03", ThresholdTestParse03);
1732  UtRegisterTest("ThresholdTestParse04", ThresholdTestParse04);
1733  UtRegisterTest("ThresholdTestParse05", ThresholdTestParse05);
1734  UtRegisterTest("ThresholdTestParse06", ThresholdTestParse06);
1735  UtRegisterTest("ThresholdTestParse07", ThresholdTestParse07);
1736  UtRegisterTest("DetectThresholdTestSig1", DetectThresholdTestSig1);
1737  UtRegisterTest("DetectThresholdTestSig2", DetectThresholdTestSig2);
1738  UtRegisterTest("DetectThresholdTestSig3", DetectThresholdTestSig3);
1739  UtRegisterTest("DetectThresholdTestSig4", DetectThresholdTestSig4);
1740  UtRegisterTest("DetectThresholdTestSig5", DetectThresholdTestSig5);
1741  UtRegisterTest("DetectThresholdTestSig6Ticks",
1742  DetectThresholdTestSig6Ticks);
1743  UtRegisterTest("DetectThresholdTestSig7", DetectThresholdTestSig7);
1744  UtRegisterTest("DetectThresholdTestSig8", DetectThresholdTestSig8);
1745  UtRegisterTest("DetectThresholdTestSig9", DetectThresholdTestSig9);
1746  UtRegisterTest("DetectThresholdTestSig10", DetectThresholdTestSig10);
1747  UtRegisterTest("DetectThresholdTestSig11", DetectThresholdTestSig11);
1748  UtRegisterTest("DetectThresholdTestSig12", DetectThresholdTestSig12);
1749  UtRegisterTest("DetectThresholdTestSig13", DetectThresholdTestSig13);
1750  UtRegisterTest("DetectThresholdTestSig14", DetectThresholdTestSig14);
1751 }
1752 #endif /* UNITTESTS */
1753 
1754 /**
1755  * @}
1756  */
TRACK_BOTH
#define TRACK_BOTH
Definition: detect-threshold.h:42
util-byte.h
host.h
DetectParseRegex::match
pcre2_match_data * match
Definition: detect-parse.h:45
SigTableElmt_::url
const char * url
Definition: detect.h:1270
ts
uint64_t ts
Definition: source-erf-file.c:54
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
host-storage.h
IPPairInitConfig
void IPPairInitConfig(bool quiet)
initialize the configuration
Definition: ippair.c:169
SigTableElmt_::desc
const char * desc
Definition: detect.h:1269
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options)
Definition: detect-parse.c:2474
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1257
util-hashlist.h
DetectParseRegex
Definition: detect-parse.h:42
SigTableElmt_::name
const char * name
Definition: detect.h:1267
stream-tcp.h
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DetectAddress_
address structure for use in the detection engine.
Definition: detect.h:139
DetectAddressHeadCleanup
void DetectAddressHeadCleanup(DetectAddressHead *gh)
Cleans a DetectAddressHead. The functions frees the address group heads(ipv4 and ipv6) inside the Det...
Definition: detect-engine-address.c:1491
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:137
Packet_::action
uint8_t action
Definition: decode.h:571
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2115
DETECT_SM_LIST_THRESHOLD
@ DETECT_SM_LIST_THRESHOLD
Definition: detect.h:104
HostRelease
void HostRelease(Host *h)
Definition: host.c:480
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1261
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:811
TYPE_LIMIT
#define TYPE_LIMIT
Definition: detect-threshold.h:31
SC_ERR_INVALID_SIGNATURE
@ SC_ERR_INVALID_SIGNATURE
Definition: util-error.h:69
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2433
TRACK_DST
#define TRACK_DST
Definition: detect-detection-filter.c:43
HostGetStorageById
void * HostGetStorageById(Host *h, HostStorageId id)
Get a value from a given Host storage.
Definition: host-storage.c:88
DE_QUIET
#define DE_QUIET
Definition: detect.h:295
DetectThresholdEntry_
Definition: detect-threshold.h:68
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1790
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:42
UTHBuildPacketReal
Packet * UTHBuildPacketReal(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, const char *src, const char *dst, uint16_t sport, uint16_t dport)
UTHBuildPacketReal is a function that create tcp/udp packets for unittests specifying ip and port sou...
Definition: util-unittest-helper.c:242
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1252
ThresholdHostHasThreshold
int ThresholdHostHasThreshold(Host *host)
Definition: detect-engine-threshold.c:94
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
UtilCpuGetTicks
uint64_t UtilCpuGetTicks(void)
Definition: util-cpu.c:190
DetectAddress_::prev
struct DetectAddress_ * prev
Definition: detect.h:148
Signature_::next
struct Signature_ * next
Definition: detect.h:622
TRACK_RULE
#define TRACK_RULE
Definition: detect-threshold.h:40
decode.h
util-debug.h
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1060
util-cpu.h
DETECT_THRESHOLD
@ DETECT_THRESHOLD
Definition: detect-engine-register.h:55
de
uint8_t de
Definition: app-layer-htp.c:563
res
PoolThreadReserved res
Definition: stream-tcp-private.h:0
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2597
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-threshold.c:62
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
StringParseUint32
int StringParseUint32(uint32_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:313
util-time.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:324
TYPE_BOTH
#define TYPE_BOTH
Definition: detect-threshold.h:32
DetectAddressCopy
DetectAddress * DetectAddressCopy(DetectAddress *orig)
copy a DetectAddress
Definition: detect-engine-address.c:128
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2016
Signature_::flags
uint32_t flags
Definition: detect.h:549
TimeSetIncrementTime
void TimeSetIncrementTime(uint32_t tv_sec)
increment the time in the engine
Definition: util-time.c:182
ThresholdHostStorageId
HostStorageId ThresholdHostStorageId(void)
Definition: detect-engine-threshold.c:75
Packet_
Definition: decode.h:427
SIG_FLAG_IPONLY
#define SIG_FLAG_IPONLY
Definition: detect.h:219
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1235
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
decode-events.h
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1948
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:316
IPPAIR_QUIET
#define IPPAIR_QUIET
Definition: ippair.h:90
DetectAddressHead_::ipv6_head
DetectAddress * ipv6_head
Definition: detect.h:156
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3142
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
Packet_::ts
struct timeval ts
Definition: decode.h:470
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3354
SigMatch_::type
uint16_t type
Definition: detect.h:322
DetectThresholdData_
Definition: detect-threshold.h:57
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
HOST_QUIET
#define HOST_QUIET
Definition: host.h:93
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
HostShutdown
void HostShutdown(void)
shutdown the flow engine
Definition: host.c:309
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:817
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
TYPE_THRESHOLD
#define TYPE_THRESHOLD
Definition: detect-threshold.h:33
DETECT_DETECTION_FILTER
@ DETECT_DETECTION_FILTER
Definition: detect-engine-register.h:98
SCFree
#define SCFree(p)
Definition: util-mem.h:61
detect-parse.h
Signature_
Signature container.
Definition: detect.h:548
SigMatch_
a single match condition for a signature
Definition: detect.h:321
detect-threshold.h
DetectAddress_::next
struct DetectAddress_ * next
Definition: detect.h:150
DetectThresholdRegister
void DetectThresholdRegister(void)
Registration function for threshold: keyword.
Definition: detect-threshold.c:78
TimeGet
void TimeGet(struct timeval *tv)
Definition: util-time.c:153
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2394
HostLookupHostFromHash
Host * HostLookupHostFromHash(Address *a)
look up a host in the hash
Definition: host.c:604
suricata.h
Packet_::dst
Address dst
Definition: decode.h:432
TRACK_SRC
#define TRACK_SRC
Definition: detect-detection-filter.c:44
HostInitConfig
void HostInitConfig(bool quiet)
initialize the configuration
Definition: host.c:175
DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition: detect-parse.c:468
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:812
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
Host_
Definition: host.h:58
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
DetectThresholdDataCopy
DetectThresholdData * DetectThresholdDataCopy(DetectThresholdData *de)
Make a deep-copy of an extant DetectTHresholdData object.
Definition: detect-threshold.c:294
flow-var.h
SIGMATCH_IPONLY_COMPAT
#define SIGMATCH_IPONLY_COMPAT
Definition: detect.h:1455
DetectAddressHead_::ipv4_head
DetectAddress * ipv4_head
Definition: detect.h:155
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
detect-engine-address.h
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1259
detect-engine-threshold.h
DetectThresholdData_::addrs
DetectAddressHead addrs
Definition: detect-threshold.h:65
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:468