suricata
detect-urilen.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2010 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Gurvinder Singh <gurvindersighdahiya@gmail.com>
22  *
23  * Implements the urilen keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "app-layer.h"
28 #include "app-layer-protos.h"
29 #include "app-layer-htp.h"
30 #include "util-unittest.h"
31 #include "util-unittest-helper.h"
32 
33 #include "detect.h"
34 #include "detect-parse.h"
35 #include "detect-engine.h"
36 #include "detect-engine-state.h"
37 #include "detect-content.h"
38 
39 #include "detect-urilen.h"
40 #include "util-debug.h"
41 #include "util-byte.h"
42 #include "flow-util.h"
43 #include "stream-tcp.h"
44 
45 /**
46  * \brief Regex for parsing our urilen
47  */
48 #define PARSE_REGEX "^(?:\\s*)(<|>)?(?:\\s*)([0-9]{1,5})(?:\\s*)(?:(<>)(?:\\s*)([0-9]{1,5}))?\\s*(?:,\\s*(norm|raw))?\\s*$"
49 
50 static pcre *parse_regex;
51 static pcre_extra *parse_regex_study;
52 
53 /*prototypes*/
54 static int DetectUrilenSetup (DetectEngineCtx *, Signature *, const char *);
55 void DetectUrilenFree (void *);
56 void DetectUrilenRegisterTests (void);
57 
58 static int g_http_uri_buffer_id = 0;
59 static int g_http_raw_uri_buffer_id = 0;
60 
61 /**
62  * \brief Registration function for urilen: keyword
63  */
64 
66 {
68  sigmatch_table[DETECT_AL_URILEN].desc = "match on the length of the HTTP uri";
69  sigmatch_table[DETECT_AL_URILEN].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#urilen";
71  sigmatch_table[DETECT_AL_URILEN].Setup = DetectUrilenSetup;
74 
75  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
76 
77  g_http_uri_buffer_id = DetectBufferTypeRegister("http_uri");
78  g_http_raw_uri_buffer_id = DetectBufferTypeRegister("http_raw_uri");
79 }
80 
81 /**
82  * \brief This function is used to parse urilen options passed via urilen: keyword
83  *
84  * \param urilenstr Pointer to the user provided urilen options
85  *
86  * \retval urilend pointer to DetectUrilenData on success
87  * \retval NULL on failure
88  */
89 
90 static DetectUrilenData *DetectUrilenParse (const char *urilenstr)
91 {
92 
93  DetectUrilenData *urilend = NULL;
94  char *arg1 = NULL;
95  char *arg2 = NULL;
96  char *arg3 = NULL;
97  char *arg4 = NULL;
98  char *arg5 = NULL;
99 #define MAX_SUBSTRINGS 30
100  int ret = 0, res = 0;
101  int ov[MAX_SUBSTRINGS];
102 
103  ret = pcre_exec(parse_regex, parse_regex_study, urilenstr, strlen(urilenstr),
104  0, 0, ov, MAX_SUBSTRINGS);
105  if (ret < 3 || ret > 6) {
106  SCLogError(SC_ERR_PCRE_PARSE, "urilen option pcre parse error: \"%s\"", urilenstr);
107  goto error;
108  }
109  const char *str_ptr;
110 
111  SCLogDebug("ret %d", ret);
112 
113  res = pcre_get_substring((char *)urilenstr, ov, MAX_SUBSTRINGS, 1, &str_ptr);
114  if (res < 0) {
115  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
116  goto error;
117  }
118  arg1 = (char *) str_ptr;
119  SCLogDebug("Arg1 \"%s\"", arg1);
120 
121  res = pcre_get_substring((char *)urilenstr, ov, MAX_SUBSTRINGS, 2, &str_ptr);
122  if (res < 0) {
123  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
124  goto error;
125  }
126  arg2 = (char *) str_ptr;
127  SCLogDebug("Arg2 \"%s\"", arg2);
128 
129  if (ret > 3) {
130  res = pcre_get_substring((char *)urilenstr, ov, MAX_SUBSTRINGS, 3, &str_ptr);
131  if (res < 0) {
132  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
133  goto error;
134  }
135  arg3 = (char *) str_ptr;
136  SCLogDebug("Arg3 \"%s\"", arg3);
137 
138  if (ret > 4) {
139  res = pcre_get_substring((char *)urilenstr, ov, MAX_SUBSTRINGS, 4, &str_ptr);
140  if (res < 0) {
141  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
142  goto error;
143  }
144  arg4 = (char *) str_ptr;
145  SCLogDebug("Arg4 \"%s\"", arg4);
146  }
147  if (ret > 5) {
148  res = pcre_get_substring((char *)urilenstr, ov, MAX_SUBSTRINGS, 5, &str_ptr);
149  if (res < 0) {
150  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
151  goto error;
152  }
153  arg5 = (char *) str_ptr;
154  SCLogDebug("Arg5 \"%s\"", arg5);
155  }
156  }
157 
158  urilend = SCMalloc(sizeof (DetectUrilenData));
159  if (unlikely(urilend == NULL))
160  goto error;
161  memset(urilend, 0, sizeof(DetectUrilenData));
162 
163  if (arg1[0] == '<')
164  urilend->mode = DETECT_URILEN_LT;
165  else if (arg1[0] == '>')
166  urilend->mode = DETECT_URILEN_GT;
167  else
168  urilend->mode = DETECT_URILEN_EQ;
169 
170  if (arg3 != NULL && strcmp("<>", arg3) == 0) {
171  if (strlen(arg1) != 0) {
172  SCLogError(SC_ERR_INVALID_ARGUMENT,"Range specified but mode also set");
173  goto error;
174  }
175  urilend->mode = DETECT_URILEN_RA;
176  }
177 
178  /** set the first urilen value */
179  if (ByteExtractStringUint16(&urilend->urilen1,10,strlen(arg2),arg2) <= 0){
180  SCLogError(SC_ERR_INVALID_ARGUMENT,"Invalid size :\"%s\"",arg2);
181  goto error;
182  }
183 
184  /** set the second urilen value if specified */
185  if (arg4 != NULL && strlen(arg4) > 0) {
186  if (urilend->mode != DETECT_URILEN_RA) {
187  SCLogError(SC_ERR_INVALID_ARGUMENT,"Multiple urilen values specified"
188  " but mode is not range");
189  goto error;
190  }
191 
192  if(ByteExtractStringUint16(&urilend->urilen2,10,strlen(arg4),arg4) <= 0)
193  {
194  SCLogError(SC_ERR_INVALID_ARGUMENT,"Invalid size :\"%s\"",arg4);
195  goto error;
196  }
197 
198  if (urilend->urilen2 <= urilend->urilen1){
199  SCLogError(SC_ERR_INVALID_ARGUMENT,"urilen2:%"PRIu16" <= urilen:"
200  "%"PRIu16"",urilend->urilen2,urilend->urilen1);
201  goto error;
202  }
203  }
204 
205  if (arg5 != NULL) {
206  if (strcasecmp("raw", arg5) == 0) {
207  urilend->raw_buffer = 1;
208  }
209  }
210 
211  pcre_free_substring(arg1);
212  pcre_free_substring(arg2);
213  if (arg3 != NULL)
214  pcre_free_substring(arg3);
215  if (arg4 != NULL)
216  pcre_free_substring(arg4);
217  if (arg5 != NULL)
218  pcre_free_substring(arg5);
219  return urilend;
220 
221 error:
222  if (urilend)
223  SCFree(urilend);
224  if (arg1 != NULL)
225  SCFree(arg1);
226  if (arg2 != NULL)
227  SCFree(arg2);
228  if (arg3 != NULL)
229  SCFree(arg3);
230  if (arg4 != NULL)
231  SCFree(arg4);
232  return NULL;
233 }
234 
235 /**
236  * \brief this function is used to parse urilen data into the current signature
237  *
238  * \param de_ctx pointer to the Detection Engine Context
239  * \param s pointer to the Current Signature
240  * \param urilenstr pointer to the user provided urilen options
241  *
242  * \retval 0 on Success
243  * \retval -1 on Failure
244  */
245 static int DetectUrilenSetup (DetectEngineCtx *de_ctx, Signature *s, const char *urilenstr)
246 {
247  SCEnter();
248  DetectUrilenData *urilend = NULL;
249  SigMatch *sm = NULL;
250 
252  return -1;
253 
254  urilend = DetectUrilenParse(urilenstr);
255  if (urilend == NULL)
256  goto error;
257  sm = SigMatchAlloc();
258  if (sm == NULL)
259  goto error;
260  sm->type = DETECT_AL_URILEN;
261  sm->ctx = (void *)urilend;
262 
263  if (urilend->raw_buffer)
264  SigMatchAppendSMToList(s, sm, g_http_raw_uri_buffer_id);
265  else
266  SigMatchAppendSMToList(s, sm, g_http_uri_buffer_id);
267 
268  SCReturnInt(0);
269 
270 error:
271  DetectUrilenFree(urilend);
272  SCReturnInt(-1);
273 }
274 
275 /**
276  * \brief this function will free memory associated with DetectUrilenData
277  *
278  * \param ptr pointer to DetectUrilenData
279  */
280 void DetectUrilenFree(void *ptr)
281 {
282  if (ptr == NULL)
283  return;
284 
285  DetectUrilenData *urilend = (DetectUrilenData *)ptr;
286  SCFree(urilend);
287 }
288 
289 /** \brief set prefilter dsize pair
290  * \param s signature to get dsize value from
291  */
293 {
294  uint16_t high = 65535;
295  bool found = false;
296 
297  SigMatch *sm = s->init_data->smlists[list];
298  for ( ; sm != NULL; sm = sm->next) {
299  if (sm->type != DETECT_AL_URILEN)
300  continue;
301 
303 
304  switch (dd->mode) {
305  case DETECT_URILEN_LT:
306  high = dd->urilen1 + 1;
307  break;
308  case DETECT_URILEN_EQ:
309  high = dd->urilen1;
310  break;
311  case DETECT_URILEN_RA:
312  high = dd->urilen2 + 1;
313  break;
314  case DETECT_URILEN_GT:
315  high = 65535;
316  break;
317  }
318  found = true;
319  }
320 
321  // skip 65535 to avoid mismatch on uri > 64k
322  if (!found || high == 65535)
323  return;
324 
325  SCLogDebug("high %u", high);
326 
327  sm = s->init_data->smlists[list];
328  for ( ; sm != NULL; sm = sm->next) {
329  if (sm->type != DETECT_CONTENT) {
330  continue;
331  }
333  if (cd == NULL) {
334  continue;
335  }
336 
337  if (cd->depth == 0 || cd->depth > high) {
338  cd->depth = (uint16_t)high;
339  SCLogDebug("updated %u, content %u to have depth %u "
340  "because of urilen.", s->id, cd->id, cd->depth);
341  }
342  }
343 }
344 
345 bool DetectUrilenValidateContent(const Signature *s, int list, const char **sigerror)
346 {
347  const SigMatch *sm = s->init_data->smlists[list];
348  for ( ; sm != NULL; sm = sm->next) {
349  if (sm->type != DETECT_CONTENT) {
350  continue;
351  }
353  if (cd == NULL) {
354  continue;
355  }
356 
357  if (cd->depth && cd->depth < cd->content_len) {
358  *sigerror = "depth or urilen smaller than content len";
359  SCLogError(SC_ERR_INVALID_SIGNATURE, "depth or urilen %u smaller "
360  "than content len %u", cd->depth, cd->content_len);
361  return false;
362  }
363  }
364  return true;
365 }
366 
367 #ifdef UNITTESTS
368 
369 #include "stream.h"
370 #include "stream-tcp-private.h"
371 #include "stream-tcp-reassemble.h"
372 #include "detect-engine.h"
373 #include "detect-engine-mpm.h"
374 #include "app-layer-parser.h"
375 
376 /** \test Test the Urilen keyword setup */
377 static int DetectUrilenParseTest01(void)
378 {
379  int ret = 0;
380  DetectUrilenData *urilend = NULL;
381 
382  urilend = DetectUrilenParse("10");
383  if (urilend != NULL) {
384  if (urilend->urilen1 == 10 && urilend->mode == DETECT_URILEN_EQ &&
385  !urilend->raw_buffer)
386  ret = 1;
387 
388  DetectUrilenFree(urilend);
389  }
390  return ret;
391 }
392 
393 /** \test Test the Urilen keyword setup */
394 static int DetectUrilenParseTest02(void)
395 {
396  int ret = 0;
397  DetectUrilenData *urilend = NULL;
398 
399  urilend = DetectUrilenParse(" < 10 ");
400  if (urilend != NULL) {
401  if (urilend->urilen1 == 10 && urilend->mode == DETECT_URILEN_LT &&
402  !urilend->raw_buffer)
403  ret = 1;
404 
405  DetectUrilenFree(urilend);
406  }
407  return ret;
408 }
409 
410 /** \test Test the Urilen keyword setup */
411 static int DetectUrilenParseTest03(void)
412 {
413  int ret = 0;
414  DetectUrilenData *urilend = NULL;
415 
416  urilend = DetectUrilenParse(" > 10 ");
417  if (urilend != NULL) {
418  if (urilend->urilen1 == 10 && urilend->mode == DETECT_URILEN_GT &&
419  !urilend->raw_buffer)
420  ret = 1;
421 
422  DetectUrilenFree(urilend);
423  }
424  return ret;
425 }
426 
427 /** \test Test the Urilen keyword setup */
428 static int DetectUrilenParseTest04(void)
429 {
430  int ret = 0;
431  DetectUrilenData *urilend = NULL;
432 
433  urilend = DetectUrilenParse(" 5 <> 10 ");
434  if (urilend != NULL) {
435  if (urilend->urilen1 == 5 && urilend->urilen2 == 10 &&
436  urilend->mode == DETECT_URILEN_RA &&
437  !urilend->raw_buffer)
438  ret = 1;
439 
440  DetectUrilenFree(urilend);
441  }
442  return ret;
443 }
444 
445 /** \test Test the Urilen keyword setup */
446 static int DetectUrilenParseTest05(void)
447 {
448  int ret = 0;
449  DetectUrilenData *urilend = NULL;
450 
451  urilend = DetectUrilenParse("5<>10,norm");
452  if (urilend != NULL) {
453  if (urilend->urilen1 == 5 && urilend->urilen2 == 10 &&
454  urilend->mode == DETECT_URILEN_RA &&
455  !urilend->raw_buffer)
456  ret = 1;
457 
458  DetectUrilenFree(urilend);
459  }
460  return ret;
461 }
462 
463 /** \test Test the Urilen keyword setup */
464 static int DetectUrilenParseTest06(void)
465 {
466  int ret = 0;
467  DetectUrilenData *urilend = NULL;
468 
469  urilend = DetectUrilenParse("5<>10,raw");
470  if (urilend != NULL) {
471  if (urilend->urilen1 == 5 && urilend->urilen2 == 10 &&
472  urilend->mode == DETECT_URILEN_RA &&
473  urilend->raw_buffer)
474  ret = 1;
475 
476  DetectUrilenFree(urilend);
477  }
478  return ret;
479 }
480 
481 /** \test Test the Urilen keyword setup */
482 static int DetectUrilenParseTest07(void)
483 {
484  int ret = 0;
485  DetectUrilenData *urilend = NULL;
486 
487  urilend = DetectUrilenParse(">10, norm ");
488  if (urilend != NULL) {
489  if (urilend->urilen1 == 10 && urilend->mode == DETECT_URILEN_GT &&
490  !urilend->raw_buffer)
491  ret = 1;
492 
493  DetectUrilenFree(urilend);
494  }
495  return ret;
496 }
497 
498 /** \test Test the Urilen keyword setup */
499 static int DetectUrilenParseTest08(void)
500 {
501  int ret = 0;
502  DetectUrilenData *urilend = NULL;
503 
504  urilend = DetectUrilenParse("<10, norm ");
505  if (urilend != NULL) {
506  if (urilend->urilen1 == 10 && urilend->mode == DETECT_URILEN_LT &&
507  !urilend->raw_buffer)
508  ret = 1;
509 
510  DetectUrilenFree(urilend);
511  }
512  return ret;
513 }
514 
515 /** \test Test the Urilen keyword setup */
516 static int DetectUrilenParseTest09(void)
517 {
518  int ret = 0;
519  DetectUrilenData *urilend = NULL;
520 
521  urilend = DetectUrilenParse(">10, raw ");
522  if (urilend != NULL) {
523  if (urilend->urilen1 == 10 && urilend->mode == DETECT_URILEN_GT &&
524  urilend->raw_buffer)
525  ret = 1;
526 
527  DetectUrilenFree(urilend);
528  }
529  return ret;
530 }
531 
532 /** \test Test the Urilen keyword setup */
533 static int DetectUrilenParseTest10(void)
534 {
535  int ret = 0;
536  DetectUrilenData *urilend = NULL;
537 
538  urilend = DetectUrilenParse("<10, raw ");
539  if (urilend != NULL) {
540  if (urilend->urilen1 == 10 && urilend->mode == DETECT_URILEN_LT &&
541  urilend->raw_buffer)
542  ret = 1;
543 
544  DetectUrilenFree(urilend);
545  }
546  return ret;
547 }
548 
549 /**
550  * \brief this function is used to initialize the detection engine context and
551  * setup the signature with passed values.
552  *
553  */
554 
555 static int DetectUrilenInitTest(DetectEngineCtx **de_ctx, Signature **sig,
556  DetectUrilenData **urilend, const char *str)
557 {
558  char fullstr[1024];
559  int result = 0;
560 
561  *de_ctx = NULL;
562  *sig = NULL;
563 
564  if (snprintf(fullstr, 1024, "alert ip any any -> any any (msg:\"Urilen "
565  "test\"; urilen:%s; sid:1;)", str) >= 1024) {
566  goto end;
567  }
568 
569  *de_ctx = DetectEngineCtxInit();
570  if (*de_ctx == NULL) {
571  goto end;
572  }
573 
574  (*de_ctx)->flags |= DE_QUIET;
575 
576  (*de_ctx)->sig_list = SigInit(*de_ctx, fullstr);
577  if ((*de_ctx)->sig_list == NULL) {
578  goto end;
579  }
580 
581  *sig = (*de_ctx)->sig_list;
582 
583  *urilend = DetectUrilenParse(str);
584 
585  result = 1;
586 
587 end:
588  return result;
589 }
590 
591 /**
592  * \test DetectUrilenSetpTest01 is a test for setting up an valid urilen values
593  * with valid "<>" operator and include spaces arround the given values.
594  * In the test the values are setup with initializing the detection engine
595  * context and setting up the signature itself.
596  */
597 
598 static int DetectUrilenSetpTest01(void)
599 {
600 
601  DetectUrilenData *urilend = NULL;
602  uint8_t res = 0;
603  Signature *sig = NULL;
604  DetectEngineCtx *de_ctx = NULL;
605 
606  res = DetectUrilenInitTest(&de_ctx, &sig, &urilend, "1 <> 2 ");
607  if (res == 0) {
608  goto end;
609  }
610 
611  if(urilend == NULL)
612  goto cleanup;
613 
614  if (urilend != NULL) {
615  if (urilend->urilen1 == 1 && urilend->urilen2 == 2 &&
616  urilend->mode == DETECT_URILEN_RA)
617  res = 1;
618  }
619 
620 cleanup:
621  if (urilend) SCFree(urilend);
622  SigGroupCleanup(de_ctx);
623  SigCleanSignatures(de_ctx);
624  DetectEngineCtxFree(de_ctx);
625 end:
626  return res;
627 }
628 
629 /** \test Check a signature with gievn urilen */
630 static int DetectUrilenSigTest01(void)
631 {
632  int result = 0;
633  Flow f;
634  uint8_t httpbuf1[] = "POST /suricata HTTP/1.0\r\n"
635  "Host: foo.bar.tld\r\n"
636  "\r\n";
637  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
638  TcpSession ssn;
639  Packet *p = NULL;
640  Signature *s = NULL;
641  ThreadVars th_v;
642  DetectEngineThreadCtx *det_ctx;
644 
645  memset(&th_v, 0, sizeof(th_v));
646  memset(&f, 0, sizeof(f));
647  memset(&ssn, 0, sizeof(ssn));
648 
649  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
650 
651  FLOW_INITIALIZE(&f);
652  f.protoctx = (void *)&ssn;
653  f.proto = IPPROTO_TCP;
654  f.flags |= FLOW_IPV4;
655 
656  p->flow = &f;
660  f.alproto = ALPROTO_HTTP;
661 
663 
665  if (de_ctx == NULL) {
666  goto end;
667  }
668 
669  de_ctx->flags |= DE_QUIET;
670 
671  s = de_ctx->sig_list = SigInit(de_ctx,
672  "alert tcp any any -> any any "
673  "(msg:\"Testing urilen\"; "
674  "urilen: <5; sid:1;)");
675  if (s == NULL) {
676  goto end;
677  }
678 
679  s = s->next = SigInit(de_ctx,
680  "alert tcp any any -> any any "
681  "(msg:\"Testing http_method\"; "
682  "urilen: >5; sid:2;)");
683  if (s == NULL) {
684  goto end;
685  }
686 
687  SigGroupBuild(de_ctx);
688  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
689 
690  FLOWLOCK_WRLOCK(&f);
691  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
692  STREAM_TOSERVER, httpbuf1, httplen1);
693  if (r != 0) {
694  SCLogDebug("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
695  FLOWLOCK_UNLOCK(&f);
696  goto end;
697  }
698  FLOWLOCK_UNLOCK(&f);
699 
700  HtpState *htp_state = f.alstate;
701  if (htp_state == NULL) {
702  SCLogDebug("no http state: ");
703  goto end;
704  }
705 
706  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
707 
708  if ((PacketAlertCheck(p, 1))) {
709  printf("sid 1 alerted, but should not have: \n");
710  goto end;
711  }
712  if (!PacketAlertCheck(p, 2)) {
713  printf("sid 2 did not alerted, but should have: \n");
714  goto end;
715  }
716 
717  result = 1;
718 
719 end:
720  if (alp_tctx != NULL)
721  AppLayerParserThreadCtxFree(alp_tctx);
722  if (de_ctx != NULL) SigGroupCleanup(de_ctx);
723  if (de_ctx != NULL) SigCleanSignatures(de_ctx);
724  if (de_ctx != NULL) DetectEngineCtxFree(de_ctx);
725 
727  FLOW_DESTROY(&f);
728  UTHFreePackets(&p, 1);
729  return result;
730 }
731 
732 #endif /* UNITTESTS */
733 
734 /**
735  * \brief this function registers unit tests for DetectUrilen
736  */
738 {
739 #ifdef UNITTESTS
740  UtRegisterTest("DetectUrilenParseTest01", DetectUrilenParseTest01);
741  UtRegisterTest("DetectUrilenParseTest02", DetectUrilenParseTest02);
742  UtRegisterTest("DetectUrilenParseTest03", DetectUrilenParseTest03);
743  UtRegisterTest("DetectUrilenParseTest04", DetectUrilenParseTest04);
744  UtRegisterTest("DetectUrilenParseTest05", DetectUrilenParseTest05);
745  UtRegisterTest("DetectUrilenParseTest06", DetectUrilenParseTest06);
746  UtRegisterTest("DetectUrilenParseTest07", DetectUrilenParseTest07);
747  UtRegisterTest("DetectUrilenParseTest08", DetectUrilenParseTest08);
748  UtRegisterTest("DetectUrilenParseTest09", DetectUrilenParseTest09);
749  UtRegisterTest("DetectUrilenParseTest10", DetectUrilenParseTest10);
750  UtRegisterTest("DetectUrilenSetpTest01", DetectUrilenSetpTest01);
751  UtRegisterTest("DetectUrilenSigTest01", DetectUrilenSigTest01);
752 #endif /* UNITTESTS */
753 }
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1403
SignatureInitData * init_data
Definition: detect.h:560
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1146
#define SCLogDebug(...)
Definition: util-debug.h:335
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
struct Flow_ * flow
Definition: decode.h:444
void DetectUrilenRegisterTests(void)
this function registers unit tests for DetectUrilen
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
uint8_t proto
Definition: flow.h:346
uint32_t id
Definition: detect.h:525
#define FLOWLOCK_UNLOCK(fb)
Definition: flow.h:235
#define unlikely(expr)
Definition: util-optimize.h:35
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
#define MAX_SUBSTRINGS
Signature * sig_list
Definition: detect.h:726
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:195
void SigCleanSignatures(DetectEngineCtx *de_ctx)
void StreamTcpFreeConfig(char quiet)
Definition: stream-tcp.c:669
#define FLOWLOCK_WRLOCK(fb)
Definition: flow.h:232
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
const char * name
Definition: detect.h:1160
Signature container.
Definition: detect.h:492
#define DETECT_URILEN_EQ
Definition: detect-urilen.h:30
#define TRUE
void * protoctx
Definition: flow.h:398
struct SigMatch_ * next
Definition: detect.h:328
main detection engine ctx
Definition: detect.h:720
int ByteExtractStringUint16(uint16_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:265
void DetectUrilenApplyToContent(Signature *s, int list)
set prefilter dsize pair
void * alstate
Definition: flow.h:436
#define DE_QUIET
Definition: detect.h:298
#define str(s)
#define DETECT_URILEN_GT
Definition: detect-urilen.h:28
uint8_t flags
Definition: detect.h:721
Data structures and function prototypes for keeping state for the detection engine.
void(* Free)(void *)
Definition: detect.h:1151
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
#define FLOW_DESTROY(f)
Definition: flow-util.h:115
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1752
void DetectSetupParseRegexes(const char *parse_str, pcre **parse_regex, pcre_extra **parse_regex_study)
#define DETECT_URILEN_LT
Definition: detect-urilen.h:27
#define SCEnter(...)
Definition: util-debug.h:337
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
Definition: stream-tcp.c:365
uint8_t flowflags
Definition: decode.h:438
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
#define FLOW_PKT_TOSERVER
Definition: flow.h:193
#define PARSE_REGEX
Regex for parsing our urilen.
Definition: detect-urilen.c:48
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol&#39;s parser thread context.
int SigGroupCleanup(DetectEngineCtx *de_ctx)
struct Signature_ * next
Definition: detect.h:563
#define DETECT_URILEN_RA
Definition: detect-urilen.h:29
uint8_t type
Definition: detect.h:325
#define SCReturnInt(x)
Definition: util-debug.h:341
const char * desc
Definition: detect.h:1162
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:282
struct SigMatch_ ** smlists
Definition: detect.h:486
int DetectBufferTypeRegister(const char *name)
void DetectUrilenFree(void *)
this function will free memory associated with DetectUrilenData
SigMatchCtx * ctx
Definition: detect.h:327
#define SCMalloc(a)
Definition: util-mem.h:174
#define SCFree(a)
Definition: util-mem.h:236
PoolThreadReserved res
bool DetectUrilenValidateContent(const Signature *s, int list, const char **sigerror)
int(* Match)(ThreadVars *, DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1129
const char * url
Definition: detect.h:1163
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
#define STREAM_TOSERVER
Definition: stream.h:31
#define PKT_HAS_FLOW
Definition: decode.h:1101
#define DOC_URL
Definition: suricata.h:86
void DetectUrilenRegister(void)
Registration function for urilen: keyword.
Definition: detect-urilen.c:65
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:226
Per thread variable structure.
Definition: threadvars.h:57
AppProto alproto
application level protocol
Definition: flow.h:407
uint32_t flags
Definition: decode.h:442
#define DOC_VERSION
Definition: suricata.h:91
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself...
Flow data structure.
Definition: flow.h:327
#define FLOW_IPV4
Definition: flow.h:93
uint32_t flags
Definition: flow.h:377
#define PKT_STREAM_EST
Definition: decode.h:1099
void(* RegisterTests)(void)
Definition: detect.h:1152
a single match condition for a signature
Definition: detect.h:324
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, uint8_t *input, uint32_t input_len)
DetectEngineCtx * DetectEngineCtxInit(void)