suricata
detect-urilen.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Gurvinder Singh <gurvindersighdahiya@gmail.com>
22  *
23  * Implements the urilen keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "app-layer.h"
28 #include "app-layer-protos.h"
29 #include "app-layer-htp.h"
30 #include "util-unittest.h"
31 #include "util-unittest-helper.h"
32 
33 #include "detect.h"
34 #include "detect-parse.h"
35 #include "detect-engine.h"
36 #include "detect-engine-state.h"
37 #include "detect-content.h"
38 
39 #include "detect-urilen.h"
40 #include "util-debug.h"
41 #include "util-byte.h"
42 #include "flow-util.h"
43 #include "stream-tcp.h"
44 
45 /**
46  * \brief Regex for parsing our urilen
47  */
48 #define PARSE_REGEX "^(?:\\s*)(<|>)?(?:\\s*)([0-9]{1,5})(?:\\s*)(?:(<>)(?:\\s*)([0-9]{1,5}))?\\s*(?:,\\s*(norm|raw))?\\s*$"
49 
50 static DetectParseRegex parse_regex;
51 
52 /*prototypes*/
53 static int DetectUrilenSetup (DetectEngineCtx *, Signature *, const char *);
54 void DetectUrilenFree (void *);
55 void DetectUrilenRegisterTests (void);
56 
57 static int g_http_uri_buffer_id = 0;
58 static int g_http_raw_uri_buffer_id = 0;
59 
60 /**
61  * \brief Registration function for urilen: keyword
62  */
63 
65 {
67  sigmatch_table[DETECT_AL_URILEN].desc = "match on the length of the HTTP uri";
68  sigmatch_table[DETECT_AL_URILEN].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#urilen";
70  sigmatch_table[DETECT_AL_URILEN].Setup = DetectUrilenSetup;
73 
74  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
75 
76  g_http_uri_buffer_id = DetectBufferTypeRegister("http_uri");
77  g_http_raw_uri_buffer_id = DetectBufferTypeRegister("http_raw_uri");
78 }
79 
80 /**
81  * \brief This function is used to parse urilen options passed via urilen: keyword
82  *
83  * \param urilenstr Pointer to the user provided urilen options
84  *
85  * \retval urilend pointer to DetectUrilenData on success
86  * \retval NULL on failure
87  */
88 
89 static DetectUrilenData *DetectUrilenParse (const char *urilenstr)
90 {
91 
92  DetectUrilenData *urilend = NULL;
93  char *arg1 = NULL;
94  char *arg2 = NULL;
95  char *arg3 = NULL;
96  char *arg4 = NULL;
97  char *arg5 = NULL;
98  int ret = 0, res = 0;
99  int ov[MAX_SUBSTRINGS];
100 
101  ret = DetectParsePcreExec(&parse_regex, urilenstr, 0, 0, ov, MAX_SUBSTRINGS);
102  if (ret < 3 || ret > 6) {
103  SCLogError(SC_ERR_PCRE_PARSE, "urilen option pcre parse error: \"%s\"", urilenstr);
104  goto error;
105  }
106  const char *str_ptr;
107 
108  SCLogDebug("ret %d", ret);
109 
110  res = pcre_get_substring((char *)urilenstr, ov, MAX_SUBSTRINGS, 1, &str_ptr);
111  if (res < 0) {
112  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
113  goto error;
114  }
115  arg1 = (char *) str_ptr;
116  SCLogDebug("Arg1 \"%s\"", arg1);
117 
118  res = pcre_get_substring((char *)urilenstr, ov, MAX_SUBSTRINGS, 2, &str_ptr);
119  if (res < 0) {
120  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
121  goto error;
122  }
123  arg2 = (char *) str_ptr;
124  SCLogDebug("Arg2 \"%s\"", arg2);
125 
126  if (ret > 3) {
127  res = pcre_get_substring((char *)urilenstr, ov, MAX_SUBSTRINGS, 3, &str_ptr);
128  if (res < 0) {
129  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
130  goto error;
131  }
132  arg3 = (char *) str_ptr;
133  SCLogDebug("Arg3 \"%s\"", arg3);
134 
135  if (ret > 4) {
136  res = pcre_get_substring((char *)urilenstr, ov, MAX_SUBSTRINGS, 4, &str_ptr);
137  if (res < 0) {
138  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
139  goto error;
140  }
141  arg4 = (char *) str_ptr;
142  SCLogDebug("Arg4 \"%s\"", arg4);
143  }
144  if (ret > 5) {
145  res = pcre_get_substring((char *)urilenstr, ov, MAX_SUBSTRINGS, 5, &str_ptr);
146  if (res < 0) {
147  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
148  goto error;
149  }
150  arg5 = (char *) str_ptr;
151  SCLogDebug("Arg5 \"%s\"", arg5);
152  }
153  }
154 
155  urilend = SCMalloc(sizeof (DetectUrilenData));
156  if (unlikely(urilend == NULL))
157  goto error;
158  memset(urilend, 0, sizeof(DetectUrilenData));
159 
160  if (arg1[0] == '<')
161  urilend->mode = DETECT_URILEN_LT;
162  else if (arg1[0] == '>')
163  urilend->mode = DETECT_URILEN_GT;
164  else
165  urilend->mode = DETECT_URILEN_EQ;
166 
167  if (arg3 != NULL && strcmp("<>", arg3) == 0) {
168  if (strlen(arg1) != 0) {
169  SCLogError(SC_ERR_INVALID_ARGUMENT,"Range specified but mode also set");
170  goto error;
171  }
172  urilend->mode = DETECT_URILEN_RA;
173  }
174 
175  /** set the first urilen value */
176  if (StringParseUint16(&urilend->urilen1,10,strlen(arg2),arg2) <= 0){
177  SCLogError(SC_ERR_INVALID_ARGUMENT,"Invalid size :\"%s\"",arg2);
178  goto error;
179  }
180 
181  /** set the second urilen value if specified */
182  if (arg4 != NULL && strlen(arg4) > 0) {
183  if (urilend->mode != DETECT_URILEN_RA) {
184  SCLogError(SC_ERR_INVALID_ARGUMENT,"Multiple urilen values specified"
185  " but mode is not range");
186  goto error;
187  }
188 
189  if(StringParseUint16(&urilend->urilen2,10,strlen(arg4),arg4) <= 0)
190  {
191  SCLogError(SC_ERR_INVALID_ARGUMENT,"Invalid size :\"%s\"",arg4);
192  goto error;
193  }
194 
195  if (urilend->urilen2 <= urilend->urilen1){
196  SCLogError(SC_ERR_INVALID_ARGUMENT,"urilen2:%"PRIu16" <= urilen:"
197  "%"PRIu16"",urilend->urilen2,urilend->urilen1);
198  goto error;
199  }
200  }
201 
202  if (arg5 != NULL) {
203  if (strcasecmp("raw", arg5) == 0) {
204  urilend->raw_buffer = 1;
205  }
206  }
207 
208  pcre_free_substring(arg1);
209  pcre_free_substring(arg2);
210  if (arg3 != NULL)
211  pcre_free_substring(arg3);
212  if (arg4 != NULL)
213  pcre_free_substring(arg4);
214  if (arg5 != NULL)
215  pcre_free_substring(arg5);
216  return urilend;
217 
218 error:
219  if (urilend)
220  SCFree(urilend);
221  if (arg1 != NULL)
222  SCFree(arg1);
223  if (arg2 != NULL)
224  SCFree(arg2);
225  if (arg3 != NULL)
226  SCFree(arg3);
227  if (arg4 != NULL)
228  SCFree(arg4);
229  return NULL;
230 }
231 
232 /**
233  * \brief this function is used to parse urilen data into the current signature
234  *
235  * \param de_ctx pointer to the Detection Engine Context
236  * \param s pointer to the Current Signature
237  * \param urilenstr pointer to the user provided urilen options
238  *
239  * \retval 0 on Success
240  * \retval -1 on Failure
241  */
242 static int DetectUrilenSetup (DetectEngineCtx *de_ctx, Signature *s, const char *urilenstr)
243 {
244  SCEnter();
245  DetectUrilenData *urilend = NULL;
246  SigMatch *sm = NULL;
247 
249  return -1;
250 
251  urilend = DetectUrilenParse(urilenstr);
252  if (urilend == NULL)
253  goto error;
254  sm = SigMatchAlloc();
255  if (sm == NULL)
256  goto error;
257  sm->type = DETECT_AL_URILEN;
258  sm->ctx = (void *)urilend;
259 
260  if (urilend->raw_buffer)
261  SigMatchAppendSMToList(s, sm, g_http_raw_uri_buffer_id);
262  else
263  SigMatchAppendSMToList(s, sm, g_http_uri_buffer_id);
264 
265  SCReturnInt(0);
266 
267 error:
268  DetectUrilenFree(urilend);
269  SCReturnInt(-1);
270 }
271 
272 /**
273  * \brief this function will free memory associated with DetectUrilenData
274  *
275  * \param ptr pointer to DetectUrilenData
276  */
277 void DetectUrilenFree(void *ptr)
278 {
279  if (ptr == NULL)
280  return;
281 
282  DetectUrilenData *urilend = (DetectUrilenData *)ptr;
283  SCFree(urilend);
284 }
285 
286 /** \brief set prefilter dsize pair
287  * \param s signature to get dsize value from
288  */
290 {
291  uint16_t high = 65535;
292  bool found = false;
293 
294  SigMatch *sm = s->init_data->smlists[list];
295  for ( ; sm != NULL; sm = sm->next) {
296  if (sm->type != DETECT_AL_URILEN)
297  continue;
298 
300 
301  switch (dd->mode) {
302  case DETECT_URILEN_LT:
303  high = dd->urilen1 + 1;
304  break;
305  case DETECT_URILEN_EQ:
306  high = dd->urilen1;
307  break;
308  case DETECT_URILEN_RA:
309  high = dd->urilen2 + 1;
310  break;
311  case DETECT_URILEN_GT:
312  high = 65535;
313  break;
314  }
315  found = true;
316  }
317 
318  // skip 65535 to avoid mismatch on uri > 64k
319  if (!found || high == 65535)
320  return;
321 
322  SCLogDebug("high %u", high);
323 
324  sm = s->init_data->smlists[list];
325  for ( ; sm != NULL; sm = sm->next) {
326  if (sm->type != DETECT_CONTENT) {
327  continue;
328  }
330  if (cd == NULL) {
331  continue;
332  }
333 
334  if (cd->depth == 0 || cd->depth > high) {
335  cd->depth = (uint16_t)high;
336  SCLogDebug("updated %u, content %u to have depth %u "
337  "because of urilen.", s->id, cd->id, cd->depth);
338  }
339  }
340 }
341 
342 bool DetectUrilenValidateContent(const Signature *s, int list, const char **sigerror)
343 {
344  const SigMatch *sm = s->init_data->smlists[list];
345  for ( ; sm != NULL; sm = sm->next) {
346  if (sm->type != DETECT_CONTENT) {
347  continue;
348  }
350  if (cd == NULL) {
351  continue;
352  }
353 
354  if (cd->depth && cd->depth < cd->content_len) {
355  *sigerror = "depth or urilen smaller than content len";
356  SCLogError(SC_ERR_INVALID_SIGNATURE, "depth or urilen %u smaller "
357  "than content len %u", cd->depth, cd->content_len);
358  return false;
359  }
360  }
361  return true;
362 }
363 
364 #ifdef UNITTESTS
365 
366 #include "stream.h"
367 #include "stream-tcp-private.h"
368 #include "stream-tcp-reassemble.h"
369 #include "detect-engine.h"
370 #include "detect-engine-mpm.h"
371 #include "app-layer-parser.h"
372 
373 /** \test Test the Urilen keyword setup */
374 static int DetectUrilenParseTest01(void)
375 {
376  int ret = 0;
377  DetectUrilenData *urilend = NULL;
378 
379  urilend = DetectUrilenParse("10");
380  if (urilend != NULL) {
381  if (urilend->urilen1 == 10 && urilend->mode == DETECT_URILEN_EQ &&
382  !urilend->raw_buffer)
383  ret = 1;
384 
385  DetectUrilenFree(urilend);
386  }
387  return ret;
388 }
389 
390 /** \test Test the Urilen keyword setup */
391 static int DetectUrilenParseTest02(void)
392 {
393  int ret = 0;
394  DetectUrilenData *urilend = NULL;
395 
396  urilend = DetectUrilenParse(" < 10 ");
397  if (urilend != NULL) {
398  if (urilend->urilen1 == 10 && urilend->mode == DETECT_URILEN_LT &&
399  !urilend->raw_buffer)
400  ret = 1;
401 
402  DetectUrilenFree(urilend);
403  }
404  return ret;
405 }
406 
407 /** \test Test the Urilen keyword setup */
408 static int DetectUrilenParseTest03(void)
409 {
410  int ret = 0;
411  DetectUrilenData *urilend = NULL;
412 
413  urilend = DetectUrilenParse(" > 10 ");
414  if (urilend != NULL) {
415  if (urilend->urilen1 == 10 && urilend->mode == DETECT_URILEN_GT &&
416  !urilend->raw_buffer)
417  ret = 1;
418 
419  DetectUrilenFree(urilend);
420  }
421  return ret;
422 }
423 
424 /** \test Test the Urilen keyword setup */
425 static int DetectUrilenParseTest04(void)
426 {
427  int ret = 0;
428  DetectUrilenData *urilend = NULL;
429 
430  urilend = DetectUrilenParse(" 5 <> 10 ");
431  if (urilend != NULL) {
432  if (urilend->urilen1 == 5 && urilend->urilen2 == 10 &&
433  urilend->mode == DETECT_URILEN_RA &&
434  !urilend->raw_buffer)
435  ret = 1;
436 
437  DetectUrilenFree(urilend);
438  }
439  return ret;
440 }
441 
442 /** \test Test the Urilen keyword setup */
443 static int DetectUrilenParseTest05(void)
444 {
445  int ret = 0;
446  DetectUrilenData *urilend = NULL;
447 
448  urilend = DetectUrilenParse("5<>10,norm");
449  if (urilend != NULL) {
450  if (urilend->urilen1 == 5 && urilend->urilen2 == 10 &&
451  urilend->mode == DETECT_URILEN_RA &&
452  !urilend->raw_buffer)
453  ret = 1;
454 
455  DetectUrilenFree(urilend);
456  }
457  return ret;
458 }
459 
460 /** \test Test the Urilen keyword setup */
461 static int DetectUrilenParseTest06(void)
462 {
463  int ret = 0;
464  DetectUrilenData *urilend = NULL;
465 
466  urilend = DetectUrilenParse("5<>10,raw");
467  if (urilend != NULL) {
468  if (urilend->urilen1 == 5 && urilend->urilen2 == 10 &&
469  urilend->mode == DETECT_URILEN_RA &&
470  urilend->raw_buffer)
471  ret = 1;
472 
473  DetectUrilenFree(urilend);
474  }
475  return ret;
476 }
477 
478 /** \test Test the Urilen keyword setup */
479 static int DetectUrilenParseTest07(void)
480 {
481  int ret = 0;
482  DetectUrilenData *urilend = NULL;
483 
484  urilend = DetectUrilenParse(">10, norm ");
485  if (urilend != NULL) {
486  if (urilend->urilen1 == 10 && urilend->mode == DETECT_URILEN_GT &&
487  !urilend->raw_buffer)
488  ret = 1;
489 
490  DetectUrilenFree(urilend);
491  }
492  return ret;
493 }
494 
495 /** \test Test the Urilen keyword setup */
496 static int DetectUrilenParseTest08(void)
497 {
498  int ret = 0;
499  DetectUrilenData *urilend = NULL;
500 
501  urilend = DetectUrilenParse("<10, norm ");
502  if (urilend != NULL) {
503  if (urilend->urilen1 == 10 && urilend->mode == DETECT_URILEN_LT &&
504  !urilend->raw_buffer)
505  ret = 1;
506 
507  DetectUrilenFree(urilend);
508  }
509  return ret;
510 }
511 
512 /** \test Test the Urilen keyword setup */
513 static int DetectUrilenParseTest09(void)
514 {
515  int ret = 0;
516  DetectUrilenData *urilend = NULL;
517 
518  urilend = DetectUrilenParse(">10, raw ");
519  if (urilend != NULL) {
520  if (urilend->urilen1 == 10 && urilend->mode == DETECT_URILEN_GT &&
521  urilend->raw_buffer)
522  ret = 1;
523 
524  DetectUrilenFree(urilend);
525  }
526  return ret;
527 }
528 
529 /** \test Test the Urilen keyword setup */
530 static int DetectUrilenParseTest10(void)
531 {
532  int ret = 0;
533  DetectUrilenData *urilend = NULL;
534 
535  urilend = DetectUrilenParse("<10, raw ");
536  if (urilend != NULL) {
537  if (urilend->urilen1 == 10 && urilend->mode == DETECT_URILEN_LT &&
538  urilend->raw_buffer)
539  ret = 1;
540 
541  DetectUrilenFree(urilend);
542  }
543  return ret;
544 }
545 
546 /**
547  * \brief this function is used to initialize the detection engine context and
548  * setup the signature with passed values.
549  *
550  */
551 
552 static int DetectUrilenInitTest(DetectEngineCtx **de_ctx, Signature **sig,
553  DetectUrilenData **urilend, const char *str)
554 {
555  char fullstr[1024];
556  int result = 0;
557 
558  *de_ctx = NULL;
559  *sig = NULL;
560 
561  if (snprintf(fullstr, 1024, "alert ip any any -> any any (msg:\"Urilen "
562  "test\"; urilen:%s; sid:1;)", str) >= 1024) {
563  goto end;
564  }
565 
567  if (*de_ctx == NULL) {
568  goto end;
569  }
570 
571  (*de_ctx)->flags |= DE_QUIET;
572 
573  (*de_ctx)->sig_list = SigInit(*de_ctx, fullstr);
574  if ((*de_ctx)->sig_list == NULL) {
575  goto end;
576  }
577 
578  *sig = (*de_ctx)->sig_list;
579 
580  *urilend = DetectUrilenParse(str);
581 
582  result = 1;
583 
584 end:
585  return result;
586 }
587 
588 /**
589  * \test DetectUrilenSetpTest01 is a test for setting up an valid urilen values
590  * with valid "<>" operator and include spaces arround the given values.
591  * In the test the values are setup with initializing the detection engine
592  * context and setting up the signature itself.
593  */
594 
595 static int DetectUrilenSetpTest01(void)
596 {
597 
598  DetectUrilenData *urilend = NULL;
599  uint8_t res = 0;
600  Signature *sig = NULL;
601  DetectEngineCtx *de_ctx = NULL;
602 
603  res = DetectUrilenInitTest(&de_ctx, &sig, &urilend, "1 <> 2 ");
604  if (res == 0) {
605  goto end;
606  }
607 
608  if(urilend == NULL)
609  goto cleanup;
610 
611  if (urilend != NULL) {
612  if (urilend->urilen1 == 1 && urilend->urilen2 == 2 &&
613  urilend->mode == DETECT_URILEN_RA)
614  res = 1;
615  }
616 
617 cleanup:
618  if (urilend) SCFree(urilend);
622 end:
623  return res;
624 }
625 
626 /** \test Check a signature with gievn urilen */
627 static int DetectUrilenSigTest01(void)
628 {
629  int result = 0;
630  Flow f;
631  uint8_t httpbuf1[] = "POST /suricata HTTP/1.0\r\n"
632  "Host: foo.bar.tld\r\n"
633  "\r\n";
634  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
635  TcpSession ssn;
636  Packet *p = NULL;
637  Signature *s = NULL;
638  ThreadVars th_v;
639  DetectEngineThreadCtx *det_ctx;
641 
642  memset(&th_v, 0, sizeof(th_v));
643  memset(&f, 0, sizeof(f));
644  memset(&ssn, 0, sizeof(ssn));
645 
646  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
647 
648  FLOW_INITIALIZE(&f);
649  f.protoctx = (void *)&ssn;
650  f.proto = IPPROTO_TCP;
651  f.flags |= FLOW_IPV4;
652 
653  p->flow = &f;
657  f.alproto = ALPROTO_HTTP;
658 
660 
662  if (de_ctx == NULL) {
663  goto end;
664  }
665 
666  de_ctx->flags |= DE_QUIET;
667 
668  s = de_ctx->sig_list = SigInit(de_ctx,
669  "alert tcp any any -> any any "
670  "(msg:\"Testing urilen\"; "
671  "urilen: <5; sid:1;)");
672  if (s == NULL) {
673  goto end;
674  }
675 
676  s = s->next = SigInit(de_ctx,
677  "alert tcp any any -> any any "
678  "(msg:\"Testing http_method\"; "
679  "urilen: >5; sid:2;)");
680  if (s == NULL) {
681  goto end;
682  }
683 
685  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
686 
687  FLOWLOCK_WRLOCK(&f);
688  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
689  STREAM_TOSERVER, httpbuf1, httplen1);
690  if (r != 0) {
691  SCLogDebug("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
692  FLOWLOCK_UNLOCK(&f);
693  goto end;
694  }
695  FLOWLOCK_UNLOCK(&f);
696 
697  HtpState *htp_state = f.alstate;
698  if (htp_state == NULL) {
699  SCLogDebug("no http state: ");
700  goto end;
701  }
702 
703  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
704 
705  if ((PacketAlertCheck(p, 1))) {
706  printf("sid 1 alerted, but should not have: \n");
707  goto end;
708  }
709  if (!PacketAlertCheck(p, 2)) {
710  printf("sid 2 did not alerted, but should have: \n");
711  goto end;
712  }
713 
714  result = 1;
715 
716 end:
717  if (alp_tctx != NULL)
719  if (de_ctx != NULL) SigGroupCleanup(de_ctx);
720  if (de_ctx != NULL) SigCleanSignatures(de_ctx);
721  if (de_ctx != NULL) DetectEngineCtxFree(de_ctx);
722 
724  FLOW_DESTROY(&f);
725  UTHFreePackets(&p, 1);
726  return result;
727 }
728 
729 #endif /* UNITTESTS */
730 
731 /**
732  * \brief this function registers unit tests for DetectUrilen
733  */
735 {
736 #ifdef UNITTESTS
737  UtRegisterTest("DetectUrilenParseTest01", DetectUrilenParseTest01);
738  UtRegisterTest("DetectUrilenParseTest02", DetectUrilenParseTest02);
739  UtRegisterTest("DetectUrilenParseTest03", DetectUrilenParseTest03);
740  UtRegisterTest("DetectUrilenParseTest04", DetectUrilenParseTest04);
741  UtRegisterTest("DetectUrilenParseTest05", DetectUrilenParseTest05);
742  UtRegisterTest("DetectUrilenParseTest06", DetectUrilenParseTest06);
743  UtRegisterTest("DetectUrilenParseTest07", DetectUrilenParseTest07);
744  UtRegisterTest("DetectUrilenParseTest08", DetectUrilenParseTest08);
745  UtRegisterTest("DetectUrilenParseTest09", DetectUrilenParseTest09);
746  UtRegisterTest("DetectUrilenParseTest10", DetectUrilenParseTest10);
747  UtRegisterTest("DetectUrilenSetpTest01", DetectUrilenSetpTest01);
748  UtRegisterTest("DetectUrilenSigTest01", DetectUrilenSigTest01);
749 #endif /* UNITTESTS */
750 }
util-byte.h
SigTableElmt_::url
const char * url
Definition: detect.h:1204
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1459
detect-content.h
detect-engine.h
StringParseUint16
int StringParseUint16(uint16_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:324
DetectUrilenRegisterTests
void DetectUrilenRegisterTests(void)
this function registers unit tests for DetectUrilen
Definition: detect-urilen.c:734
SigTableElmt_::desc
const char * desc
Definition: detect.h:1203
DetectUrilenData_::urilen2
uint16_t urilen2
Definition: detect-urilen.h:34
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1077
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1201
stream-tcp.h
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
SCFree
#define SCFree(a)
Definition: util-mem.h:322
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:59
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:335
Flow_::proto
uint8_t proto
Definition: flow.h:361
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
Packet_::flags
uint32_t flags
Definition: decode.h:444
Flow_
Flow data structure.
Definition: flow.h:342
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2023
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:761
DetectUrilenData_::raw_buffer
uint8_t raw_buffer
Definition: detect-urilen.h:36
SC_ERR_INVALID_SIGNATURE
@ SC_ERR_INVALID_SIGNATURE
Definition: util-error.h:69
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2030
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:279
DetectUrilenData_::urilen1
uint16_t urilen1
Definition: detect-urilen.h:33
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:218
DE_QUIET
#define DE_QUIET
Definition: detect.h:292
stream-tcp-reassemble.h
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:262
DetectContentData_
Definition: detect-content.h:86
SigTableElmt_::Free
void(* Free)(void *)
Definition: detect.h:1192
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:39
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:440
Flow_::protoctx
void * protoctx
Definition: flow.h:416
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1187
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:94
DetectUrilenApplyToContent
void DetectUrilenApplyToContent(Signature *s, int list)
set prefilter dsize pair
Definition: detect-urilen.c:289
util-unittest.h
HtpState_
Definition: app-layer-htp.h:245
util-unittest-helper.h
FLOWLOCK_UNLOCK
#define FLOWLOCK_UNLOCK(fb)
Definition: flow.h:260
SC_ERR_PCRE_PARSE
@ SC_ERR_PCRE_PARSE
Definition: util-error.h:37
DETECT_URILEN_GT
#define DETECT_URILEN_GT
Definition: detect-urilen.h:28
Signature_::next
struct Signature_ * next
Definition: detect.h:594
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
app-layer-htp.h
util-debug.h
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:16
DetectEngineThreadCtx_
Definition: detect.h:1004
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
res
PoolThreadReserved res
Definition: stream-tcp-private.h:60
DETECT_URILEN_EQ
#define DETECT_URILEN_EQ
Definition: detect-urilen.h:30
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:19
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2440
FLOWLOCK_WRLOCK
#define FLOWLOCK_WRLOCK(fb)
Definition: flow.h:257
SCEnter
#define SCEnter(...)
Definition: util-debug.h:337
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
DetectUrilenFree
void DetectUrilenFree(void *)
this function will free memory associated with DetectUrilenData
Definition: detect-urilen.c:277
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:322
SC_ERR_INVALID_ARGUMENT
@ SC_ERR_INVALID_ARGUMENT
Definition: util-error.h:43
DetectContentData_::id
PatIntId id
Definition: detect-content.h:98
app-layer-parser.h
TRUE
#define TRUE
Definition: suricata-common.h:33
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:321
SCMalloc
#define SCMalloc(a)
Definition: util-mem.h:222
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1665
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1947
DetectContentData_::depth
uint16_t depth
Definition: detect-content.h:99
stream.h
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options, int *ovector, int ovector_size)
Definition: detect-parse.c:2372
Packet_
Definition: decode.h:408
StreamTcpFreeConfig
void StreamTcpFreeConfig(char quiet)
Definition: stream-tcp.c:669
stream-tcp-private.h
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:591
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1171
SignatureInitData_::smlists
struct SigMatch_ ** smlists
Definition: detect.h:516
PARSE_REGEX
#define PARSE_REGEX
Regex for parsing our urilen.
Definition: detect-urilen.c:48
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1876
SigMatch_::type
uint8_t type
Definition: detect.h:319
DETECT_URILEN_RA
#define DETECT_URILEN_RA
Definition: detect-urilen.h:29
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:253
DETECT_URILEN_LT
#define DETECT_URILEN_LT
Definition: detect-urilen.h:27
Packet_::flow
struct Flow_ * flow
Definition: decode.h:446
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2726
DetectBufferTypeRegister
int DetectBufferTypeRegister(const char *name)
Definition: detect-engine.c:816
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1181
suricata-common.h
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectParseRegex_
Definition: detect-parse.h:42
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
DOC_URL
#define DOC_URL
Definition: suricata.h:86
DetectUrilenRegister
void DetectUrilenRegister(void)
Registration function for urilen: keyword.
Definition: detect-urilen.c:64
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:767
str
#define str(s)
Definition: suricata-common.h:256
Flow_::alstate
void * alstate
Definition: flow.h:454
Signature_::id
uint32_t id
Definition: detect.h:555
Flow_::flags
uint32_t flags
Definition: flow.h:396
detect-parse.h
Signature_
Signature container.
Definition: detect.h:522
SigMatch_
a single match condition for a signature
Definition: detect.h:318
ALPROTO_HTTP
@ ALPROTO_HTTP
Definition: app-layer-protos.h:30
StreamTcpInitConfig
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
Definition: stream-tcp.c:365
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:220
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:1985
app-layer-protos.h
DetectUrilenData_::mode
uint8_t mode
Definition: detect-urilen.h:35
detect-urilen.h
DetectContentData_::content_len
uint16_t content_len
Definition: detect-content.h:88
DetectUrilenData_
Definition: detect-urilen.h:32
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:762
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:85
TcpSession_
Definition: stream-tcp-private.h:260
DetectUrilenValidateContent
bool DetectUrilenValidateContent(const Signature *s, int list, const char **sigerror)
Definition: detect-urilen.c:342
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:425
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:341
DETECT_AL_URILEN
@ DETECT_AL_URILEN
Definition: detect-engine-register.h:122
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:121
DOC_VERSION
#define DOC_VERSION
Definition: suricata.h:91
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1075
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1193
app-layer.h
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:393