1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Gurvinder Singh <gurvindersighdahiya@gmail.com>
22  *
23  * Implements the urilen keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "app-layer.h"
28 #include "app-layer-protos.h"
29 #include "app-layer-htp.h"
30 #include "util-unittest.h"
31 #include "util-unittest-helper.h"
32 
33 #include "detect.h"
34 #include "detect-parse.h"
35 #include "detect-engine.h"
36 #include "detect-engine-state.h"
37 #include "detect-content.h"
38 
39 #include "detect-urilen.h"
40 #include "util-debug.h"
41 #include "util-byte.h"
42 #include "flow-util.h"
43 #include "stream-tcp.h"
44 
/**
 * \brief Regex for parsing the urilen option string
 *
 * Capture groups: (1) optional '<' or '>' operator, (2) first length,
 * (3) the "<>" range operator, (4) second length, (5) buffer selector
 * "norm" or "raw". Both lengths are limited to 1-5 decimal digits by the
 * pattern itself.
 */
#define PARSE_REGEX "^(?:\\s*)(<|>)?(?:\\s*)([0-9]{1,5})(?:\\s*)(?:(<>)(?:\\s*)([0-9]{1,5}))?\\s*(?:,\\s*(norm|raw))?\\s*$"

/* compiled form of PARSE_REGEX, set up by DetectSetupParseRegexes() */
static DetectParseRegex parse_regex;

/* ids returned by DetectBufferTypeRegister() for "http_uri" / "http_raw_uri" */
static int g_http_uri_buffer_id = 0;
static int g_http_raw_uri_buffer_id = 0;

/* prototypes */
static int DetectUrilenSetup (DetectEngineCtx *de_ctx, Signature *s, const char *urilenstr);
static void DetectUrilenFree (DetectEngineCtx *de_ctx, void *ptr);
#ifdef UNITTESTS
static void DetectUrilenRegisterTests (void);
#endif
60 
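/**
 * \brief Registration function for urilen: keyword
 *
 * Fills the DETECT_AL_URILEN slot of sigmatch_table, compiles PARSE_REGEX
 * and looks up the ids of the "http_uri" and "http_raw_uri" buffers that
 * DetectUrilenSetup() appends to.
 */
void DetectUrilenRegister(void)
{
    sigmatch_table[DETECT_AL_URILEN].name = "urilen";
    sigmatch_table[DETECT_AL_URILEN].desc = "match on the length of the HTTP uri";
    sigmatch_table[DETECT_AL_URILEN].url = "/rules/http-keywords.html#urilen";
    /* no Match callback is registered for this keyword */
    sigmatch_table[DETECT_AL_URILEN].Match = NULL;
    sigmatch_table[DETECT_AL_URILEN].Setup = DetectUrilenSetup;
    sigmatch_table[DETECT_AL_URILEN].Free = DetectUrilenFree;
#ifdef UNITTESTS
    sigmatch_table[DETECT_AL_URILEN].RegisterTests = DetectUrilenRegisterTests;
#endif
    DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);

    g_http_uri_buffer_id = DetectBufferTypeRegister("http_uri");
    g_http_raw_uri_buffer_id = DetectBufferTypeRegister("http_raw_uri");
}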
81 
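/**
 * \brief Parse the option string passed via the urilen: keyword
 *
 * Accepted forms follow PARSE_REGEX: an optional '<' or '>' operator and a
 * length, or a "min<>max" range, each optionally followed by ",norm" or
 * ",raw". Lengths must fit in a uint16_t; in a range the second value must
 * be strictly greater than the first.
 *
 * \param urilenstr Pointer to the user provided urilen options
 *
 * \retval urilend pointer to a newly allocated DetectUrilenData on success
 * \retval NULL on failure
 */
static DetectUrilenData *DetectUrilenParse (const char *urilenstr)
{
    /* index n of args[] holds capture group n of PARSE_REGEX */
    enum { ARG_OP = 1, ARG_LEN1, ARG_RANGE, ARG_LEN2, ARG_BUF, ARG_MAX };

    DetectUrilenData *urilend = NULL;
    const char *args[ARG_MAX] = { NULL, NULL, NULL, NULL, NULL, NULL };
    const char *str_ptr = NULL;
    int ov[MAX_SUBSTRINGS];
    int ret = 0;
    int i = 0;

    ret = DetectParsePcreExec(&parse_regex, urilenstr, 0, 0, ov, MAX_SUBSTRINGS);
    if (ret < 3 || ret > 6) {
        SCLogError(SC_ERR_PCRE_PARSE, "urilen option pcre parse error: \"%s\"", urilenstr);
        goto error;
    }
    SCLogDebug("ret %d", ret);

    /* groups 1 and 2 are always fetched (ret >= 3); groups 3..5 only when
     * the match count says they are present */
    for (i = ARG_OP; i < ret; i++) {
        if (pcre_get_substring((char *)urilenstr, ov, MAX_SUBSTRINGS, i, &str_ptr) < 0) {
            SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
            goto error;
        }
        args[i] = str_ptr;
        SCLogDebug("Arg%d \"%s\"", i, args[i]);
    }

    urilend = SCMalloc(sizeof(*urilend));
    if (unlikely(urilend == NULL))
        goto error;
    memset(urilend, 0, sizeof(*urilend));

    if (args[ARG_OP][0] == '<')
        urilend->mode = DETECT_URILEN_LT;
    else if (args[ARG_OP][0] == '>')
        urilend->mode = DETECT_URILEN_GT;
    else
        urilend->mode = DETECT_URILEN_EQ;

    if (args[ARG_RANGE] != NULL && strcmp("<>", args[ARG_RANGE]) == 0) {
        /* "<5<>10" style input: an operator and a range are mutually exclusive */
        if (strlen(args[ARG_OP]) != 0) {
            SCLogError(SC_ERR_INVALID_ARGUMENT,"Range specified but mode also set");
            goto error;
        }
        urilend->mode = DETECT_URILEN_RA;
    }

    /* set the first urilen value; the regex caps it at 5 digits and
     * StringParseUint16 is relied on to reject values that do not fit */
    if (StringParseUint16(&urilend->urilen1, 10, strlen(args[ARG_LEN1]), args[ARG_LEN1]) <= 0) {
        SCLogError(SC_ERR_INVALID_ARGUMENT,"Invalid size :\"%s\"", args[ARG_LEN1]);
        goto error;
    }

    /* set the second urilen value if specified */
    if (args[ARG_LEN2] != NULL && strlen(args[ARG_LEN2]) > 0) {
        if (urilend->mode != DETECT_URILEN_RA) {
            SCLogError(SC_ERR_INVALID_ARGUMENT,"Multiple urilen values specified"
                                               " but mode is not range");
            goto error;
        }

        if (StringParseUint16(&urilend->urilen2, 10, strlen(args[ARG_LEN2]), args[ARG_LEN2]) <= 0) {
            SCLogError(SC_ERR_INVALID_ARGUMENT,"Invalid size :\"%s\"", args[ARG_LEN2]);
            goto error;
        }

        if (urilend->urilen2 <= urilend->urilen1) {
            SCLogError(SC_ERR_INVALID_ARGUMENT,"urilen2:%"PRIu16" <= urilen:"
                                               "%"PRIu16"", urilend->urilen2, urilend->urilen1);
            goto error;
        }
    }

    if (args[ARG_BUF] != NULL && strcasecmp("raw", args[ARG_BUF]) == 0) {
        urilend->raw_buffer = 1;
    }

    goto done;

error:
    if (urilend != NULL) {
        SCFree(urilend);
        urilend = NULL;
    }

done:
    /* The substrings come from pcre_get_substring(), so every one of them,
     * including group 5, is released with pcre_free_substring() on both the
     * success and the failure path. */
    for (i = ARG_OP; i < ARG_MAX; i++) {
        if (args[i] != NULL)
            pcre_free_substring(args[i]);
    }
    return urilend;
}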
232 
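/**
 * \brief this function is used to parse urilen data into the current signature
 *
 * The signature is first bound to the HTTP app-layer protocol. The parsed
 * DetectUrilenData becomes the ctx of a new SigMatch, which is appended to
 * the raw URI buffer list when the ",raw" option was given and to the
 * normalized URI buffer list otherwise.
 *
 * \param de_ctx pointer to the Detection Engine Context
 * \param s pointer to the Current Signature
 * \param urilenstr pointer to the user provided urilen options
 *
 * \retval 0 on Success
 * \retval -1 on Failure
 */
static int DetectUrilenSetup (DetectEngineCtx *de_ctx, Signature *s, const char *urilenstr)
{
    SCEnter();
    DetectUrilenData *urilend = NULL;
    SigMatch *sm = NULL;

    /* only the protocol check may fail the setup here; without this guard
     * the return below would reject every urilen signature */
    if (DetectSignatureSetAppProto(s, ALPROTO_HTTP) != 0)
        return -1;

    urilend = DetectUrilenParse(urilenstr);
    if (urilend == NULL)
        goto error;
    sm = SigMatchAlloc();
    if (sm == NULL)
        goto error;
    sm->type = DETECT_AL_URILEN;
    sm->ctx = (void *)urilend;

    if (urilend->raw_buffer)
        SigMatchAppendSMToList(s, sm, g_http_raw_uri_buffer_id);
    else
        SigMatchAppendSMToList(s, sm, g_http_uri_buffer_id);

    SCReturnInt(0);

error:
    /* reached only before a SigMatch exists, so urilend is the sole
     * allocation to release; DetectUrilenFree() accepts NULL */
    DetectUrilenFree(de_ctx, urilend);
    SCReturnInt(-1);
}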
272 
/**
 * \brief Release a DetectUrilenData allocated by the urilen parser
 *
 * \param de_ctx detection engine context; not used by this function
 * \param ptr pointer to DetectUrilenData, NULL is accepted and ignored
 */
static void DetectUrilenFree(DetectEngineCtx *de_ctx, void *ptr)
{
    if (ptr != NULL) {
        DetectUrilenData *data = (DetectUrilenData *)ptr;
        SCFree(data);
    }
}
286 
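/**
 * \brief Cap the depth of content matches using the urilen keyword of a list
 *
 * Derives an upper bound from the urilen keyword(s) found in the list (the
 * last one seen wins) and lowers the depth of every content match in the
 * same list that has no depth or a larger one. Nothing is changed when no
 * urilen keyword is present or when the bound would be 65535 or more.
 *
 * \param s signature whose match list is inspected and updated
 * \param list index into s->init_data->smlists
 */
void DetectUrilenApplyToContent(Signature *s, int list)
{
    /* wider than the 16 bit length fields so that "urilen + 1" cannot wrap
     * to 0 for a value of 65535 and then clear existing depth settings */
    uint32_t high = 65535;
    bool found = false;

    SigMatch *sm = s->init_data->smlists[list];
    for ( ; sm != NULL; sm = sm->next) {
        if (sm->type != DETECT_AL_URILEN)
            continue;

        DetectUrilenData *dd = (DetectUrilenData *)sm->ctx;

        switch (dd->mode) {
            case DETECT_URILEN_LT:
                high = (uint32_t)dd->urilen1 + 1;
                break;
            case DETECT_URILEN_EQ:
                high = dd->urilen1;
                break;
            case DETECT_URILEN_RA:
                high = (uint32_t)dd->urilen2 + 1;
                break;
            case DETECT_URILEN_GT:
                high = 65535;
                break;
            default:
                break;
        }
        found = true;
    }

    // skip 65535 and above to avoid mismatch on uri > 64k
    if (!found || high >= 65535)
        return;

    SCLogDebug("high %" PRIu32, high);

    sm = s->init_data->smlists[list];
    for ( ; sm != NULL; sm = sm->next) {
        if (sm->type != DETECT_CONTENT) {
            continue;
        }
        DetectContentData *cd = (DetectContentData *)sm->ctx;
        if (cd == NULL) {
            continue;
        }

        if (cd->depth == 0 || cd->depth > high) {
            /* high < 65535 here, so the narrowing cast cannot truncate */
            cd->depth = (uint16_t)high;
            SCLogDebug("updated %u, content %u to have depth %u "
                    "because of urilen.", s->id, cd->id, cd->depth);
        }
    }
}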
342 
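/**
 * \brief Check that no content match in a list has a depth shorter than its pattern
 *
 * A nonzero depth smaller than content_len can never match, so such a
 * signature is reported as invalid. A depth of 0 is not checked.
 *
 * \param s signature to validate
 * \param list index into s->init_data->smlists
 * \param sigerror set to a static error string when validation fails
 *
 * \retval true when every content match passes
 * \retval false on the first content match whose depth is too small
 */
bool DetectUrilenValidateContent(const Signature *s, int list, const char **sigerror)
{
    const SigMatch *sm = s->init_data->smlists[list];
    for ( ; sm != NULL; sm = sm->next) {
        if (sm->type != DETECT_CONTENT) {
            continue;
        }
        const DetectContentData *cd = (const DetectContentData *)sm->ctx;
        if (cd == NULL) {
            continue;
        }

        if (cd->depth && cd->depth < cd->content_len) {
            *sigerror = "depth or urilen smaller than content len";
            SCLogError(SC_ERR_INVALID_SIGNATURE, "depth or urilen %u smaller "
                    "than content len %u", cd->depth, cd->content_len);
            return false;
        }
    }
    return true;
}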
364 
365 #ifdef UNITTESTS
366 
367 #include "stream.h"
368 #include "stream-tcp-private.h"
369 #include "stream-tcp-reassemble.h"
370 #include "detect-engine.h"
371 #include "detect-engine-mpm.h"
372 #include "app-layer-parser.h"
373 
/** \test "10" parses as an exact length of 10 with raw_buffer unset */
static int DetectUrilenParseTest01(void)
{
    DetectUrilenData *parsed = DetectUrilenParse("10");
    if (parsed == NULL)
        return 0;

    int ok = 0;
    if (parsed->urilen1 == 10 && parsed->mode == DETECT_URILEN_EQ &&
            !parsed->raw_buffer) {
        ok = 1;
    }

    DetectUrilenFree(NULL, parsed);
    return ok;
}
390 
/** \test " < 10 " parses as less-than 10 with raw_buffer unset */
static int DetectUrilenParseTest02(void)
{
    DetectUrilenData *parsed = DetectUrilenParse(" < 10 ");
    if (parsed == NULL)
        return 0;

    int ok = 0;
    if (parsed->urilen1 == 10 && parsed->mode == DETECT_URILEN_LT &&
            !parsed->raw_buffer) {
        ok = 1;
    }

    DetectUrilenFree(NULL, parsed);
    return ok;
}
407 
/** \test " > 10 " parses as greater-than 10 with raw_buffer unset */
static int DetectUrilenParseTest03(void)
{
    DetectUrilenData *parsed = DetectUrilenParse(" > 10 ");
    if (parsed == NULL)
        return 0;

    int ok = 0;
    if (parsed->urilen1 == 10 && parsed->mode == DETECT_URILEN_GT &&
            !parsed->raw_buffer) {
        ok = 1;
    }

    DetectUrilenFree(NULL, parsed);
    return ok;
}
424 
/** \test " 5 <> 10 " parses as the range 5..10 with raw_buffer unset */
static int DetectUrilenParseTest04(void)
{
    DetectUrilenData *parsed = DetectUrilenParse(" 5 <> 10 ");
    if (parsed == NULL)
        return 0;

    int ok = 0;
    if (parsed->urilen1 == 5 && parsed->urilen2 == 10 &&
            parsed->mode == DETECT_URILEN_RA &&
            !parsed->raw_buffer) {
        ok = 1;
    }

    DetectUrilenFree(NULL, parsed);
    return ok;
}
442 
/** \test "5<>10,norm" parses as the range 5..10 with raw_buffer unset */
static int DetectUrilenParseTest05(void)
{
    DetectUrilenData *parsed = DetectUrilenParse("5<>10,norm");
    if (parsed == NULL)
        return 0;

    int ok = 0;
    if (parsed->urilen1 == 5 && parsed->urilen2 == 10 &&
            parsed->mode == DETECT_URILEN_RA &&
            !parsed->raw_buffer) {
        ok = 1;
    }

    DetectUrilenFree(NULL, parsed);
    return ok;
}
460 
/** \test "5<>10,raw" parses as the range 5..10 with raw_buffer set */
static int DetectUrilenParseTest06(void)
{
    DetectUrilenData *parsed = DetectUrilenParse("5<>10,raw");
    if (parsed == NULL)
        return 0;

    int ok = 0;
    if (parsed->urilen1 == 5 && parsed->urilen2 == 10 &&
            parsed->mode == DETECT_URILEN_RA &&
            parsed->raw_buffer) {
        ok = 1;
    }

    DetectUrilenFree(NULL, parsed);
    return ok;
}
478 
/** \test ">10, norm " parses as greater-than 10 with raw_buffer unset */
static int DetectUrilenParseTest07(void)
{
    DetectUrilenData *parsed = DetectUrilenParse(">10, norm ");
    if (parsed == NULL)
        return 0;

    int ok = 0;
    if (parsed->urilen1 == 10 && parsed->mode == DETECT_URILEN_GT &&
            !parsed->raw_buffer) {
        ok = 1;
    }

    DetectUrilenFree(NULL, parsed);
    return ok;
}
495 
/** \test "<10, norm " parses as less-than 10 with raw_buffer unset */
static int DetectUrilenParseTest08(void)
{
    DetectUrilenData *parsed = DetectUrilenParse("<10, norm ");
    if (parsed == NULL)
        return 0;

    int ok = 0;
    if (parsed->urilen1 == 10 && parsed->mode == DETECT_URILEN_LT &&
            !parsed->raw_buffer) {
        ok = 1;
    }

    DetectUrilenFree(NULL, parsed);
    return ok;
}
512 
/** \test ">10, raw " parses as greater-than 10 with raw_buffer set */
static int DetectUrilenParseTest09(void)
{
    DetectUrilenData *parsed = DetectUrilenParse(">10, raw ");
    if (parsed == NULL)
        return 0;

    int ok = 0;
    if (parsed->urilen1 == 10 && parsed->mode == DETECT_URILEN_GT &&
            parsed->raw_buffer) {
        ok = 1;
    }

    DetectUrilenFree(NULL, parsed);
    return ok;
}
529 
/** \test "<10, raw " parses as less-than 10 with raw_buffer set */
static int DetectUrilenParseTest10(void)
{
    DetectUrilenData *parsed = DetectUrilenParse("<10, raw ");
    if (parsed == NULL)
        return 0;

    int ok = 0;
    if (parsed->urilen1 == 10 && parsed->mode == DETECT_URILEN_LT &&
            parsed->raw_buffer) {
        ok = 1;
    }

    DetectUrilenFree(NULL, parsed);
    return ok;
}
546 
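/**
 * \brief this function is used to initialize the detection engine context and
 *        setup the signature with passed values.
 *
 * \param de_ctx  receives the new detection engine context (NULL on early failure)
 * \param sig     receives the signature built from str (NULL on failure)
 * \param urilend receives the result of parsing str on its own; may be NULL
 *                even when 1 is returned
 * \param str     urilen option string to embed in the test rule
 *
 * \retval 1 when the context and the signature were created
 * \retval 0 otherwise; *de_ctx may still need to be freed by the caller
 */
static int DetectUrilenInitTest(DetectEngineCtx **de_ctx, Signature **sig,
                                DetectUrilenData **urilend, const char *str)
{
    char fullstr[1024];
    int result = 0;

    *de_ctx = NULL;
    *sig = NULL;

    /* reject both an encoding error and a rule that would be truncated */
    int written = snprintf(fullstr, sizeof(fullstr), "alert ip any any -> any any (msg:\"Urilen "
                           "test\"; urilen:%s; sid:1;)", str);
    if (written < 0 || (size_t)written >= sizeof(fullstr)) {
        goto end;
    }

    *de_ctx = DetectEngineCtxInit();
    if (*de_ctx == NULL) {
        goto end;
    }

    (*de_ctx)->flags |= DE_QUIET;

    (*de_ctx)->sig_list = SigInit(*de_ctx, fullstr);
    if ((*de_ctx)->sig_list == NULL) {
        goto end;
    }

    *sig = (*de_ctx)->sig_list;

    *urilend = DetectUrilenParse(str);

    result = 1;

end:
    return result;
}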
588 
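/**
 * \test DetectUrilenSetpTest01 is a test for setting up valid urilen values
 *       with a valid "<>" operator, including spaces around the given values.
 *       In the test the values are set up by initializing the detection engine
 *       context and setting up the signature itself.
 */

static int DetectUrilenSetpTest01(void)
{
    DetectUrilenData *urilend = NULL;
    int result = 0;
    Signature *sig = NULL;
    DetectEngineCtx *de_ctx = NULL;

    if (DetectUrilenInitTest(&de_ctx, &sig, &urilend, "1 <> 2 ") == 0) {
        goto cleanup;
    }

    /* result stays 0 unless the parsed values are the expected ones, so a
     * failed or wrong parse can no longer pass on the init result alone */
    if (urilend == NULL)
        goto cleanup;

    if (urilend->urilen1 == 1 && urilend->urilen2 == 2 &&
            urilend->mode == DETECT_URILEN_RA)
        result = 1;

cleanup:
    if (urilend != NULL)
        DetectUrilenFree(NULL, urilend);
    /* de_ctx can be set even when init failed part way, so release it on
     * every path */
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    return result;
}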
626 
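/**
 * \test Check two signatures with a given urilen against one HTTP request
 *
 * The request URI is "/suricata" (9 bytes): sid 1 ("urilen: <5") must not
 * alert and sid 2 ("urilen: >5") must alert.
 */
static int DetectUrilenSigTest01(void)
{
    int result = 0;
    Flow f;
    uint8_t httpbuf1[] = "POST /suricata HTTP/1.0\r\n"
                         "Host: foo.bar.tld\r\n"
                         "\r\n";
    uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
    TcpSession ssn;
    Packet *p = NULL;
    Signature *s = NULL;
    ThreadVars th_v;
    DetectEngineThreadCtx *det_ctx = NULL;
    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();

    memset(&th_v, 0, sizeof(th_v));
    memset(&f, 0, sizeof(f));
    memset(&ssn, 0, sizeof(ssn));

    p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);

    FLOW_INITIALIZE(&f);
    f.protoctx = (void *)&ssn;
    f.proto = IPPROTO_TCP;
    f.flags |= FLOW_IPV4;

    /* mark the packet as part of an established to-server flow */
    p->flow = &f;
    p->flowflags |= FLOW_PKT_TOSERVER;
    p->flowflags |= FLOW_PKT_ESTABLISHED;
    p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
    f.alproto = ALPROTO_HTTP;

    StreamTcpInitConfig(TRUE);

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        goto end;
    }

    de_ctx->flags |= DE_QUIET;

    s = de_ctx->sig_list = SigInit(de_ctx,
                                   "alert tcp any any -> any any "
                                   "(msg:\"Testing urilen\"; "
                                   "urilen: <5; sid:1;)");
    if (s == NULL) {
        goto end;
    }

    s = s->next = SigInit(de_ctx,
                          "alert tcp any any -> any any "
                          "(msg:\"Testing http_method\"; "
                          "urilen: >5; sid:2;)");
    if (s == NULL) {
        goto end;
    }

    SigGroupBuild(de_ctx);
    /* NOTE(review): det_ctx is not released on any path below - confirm
     * whether a matching deinit call is needed */
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    FLOWLOCK_WRLOCK(&f);
    int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
                                STREAM_TOSERVER, httpbuf1, httplen1);
    if (r != 0) {
        SCLogDebug("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        FLOWLOCK_UNLOCK(&f);
        goto end;
    }
    FLOWLOCK_UNLOCK(&f);

    HtpState *htp_state = f.alstate;
    if (htp_state == NULL) {
        SCLogDebug("no http state: ");
        goto end;
    }

    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);

    if ((PacketAlertCheck(p, 1))) {
        printf("sid 1 alerted, but should not have: \n");
        goto end;
    }
    if (!PacketAlertCheck(p, 2)) {
        printf("sid 2 did not alerted, but should have: \n");
        goto end;
    }

    result = 1;

end:
    if (alp_tctx != NULL)
        AppLayerParserThreadCtxFree(alp_tctx);
    if (de_ctx != NULL) SigGroupCleanup(de_ctx);
    if (de_ctx != NULL) SigCleanSignatures(de_ctx);
    if (de_ctx != NULL) DetectEngineCtxFree(de_ctx);

    StreamTcpFreeConfig(TRUE);
    FLOW_DESTROY(&f);
    UTHFreePackets(&p, 1);
    return result;
}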
729 
/**
 * \brief Register every urilen unit test with the unit test framework
 *
 * The tests are registered in the order they are listed in the table.
 */
void DetectUrilenRegisterTests(void)
{
    static const struct {
        const char *name;
        int (*fn)(void);
    } urilen_tests[] = {
        { "DetectUrilenParseTest01", DetectUrilenParseTest01 },
        { "DetectUrilenParseTest02", DetectUrilenParseTest02 },
        { "DetectUrilenParseTest03", DetectUrilenParseTest03 },
        { "DetectUrilenParseTest04", DetectUrilenParseTest04 },
        { "DetectUrilenParseTest05", DetectUrilenParseTest05 },
        { "DetectUrilenParseTest06", DetectUrilenParseTest06 },
        { "DetectUrilenParseTest07", DetectUrilenParseTest07 },
        { "DetectUrilenParseTest08", DetectUrilenParseTest08 },
        { "DetectUrilenParseTest09", DetectUrilenParseTest09 },
        { "DetectUrilenParseTest10", DetectUrilenParseTest10 },
        { "DetectUrilenSetpTest01", DetectUrilenSetpTest01 },
        { "DetectUrilenSigTest01", DetectUrilenSigTest01 },
    };

    for (size_t idx = 0; idx < sizeof(urilen_tests) / sizeof(urilen_tests[0]); idx++) {
        UtRegisterTest(urilen_tests[idx].name, urilen_tests[idx].fn);
    }
}
748 #endif /* UNITTESTS */