/*
 * Pattern for the xbits keyword argument, e.g. "set,abc,track ip_src, expire 3600".
 * Capture groups, numbered as DetectXbitParse() pulls them out with
 * pcre2_substring_copy_bynumber():
 *   1: command, lowercase letters only (noalert/isset/isnotset/set/unset/toggle)
 *   2: optional bit name, anything up to the next comma
 *   3: mandatory "track" target (ip_src, ip_dst or ip_pair)
 *   4: optional "expire" value
 * NOTE(review): the pattern is anchored at the start only ("^", no "$"), so
 * text after the last recognised field is not rejected by the regex itself;
 * any stricter validation of the tail has to happen in the caller — confirm.
 */
#define PARSE_REGEX                                                     \
    "^([a-z]+)"                              /* group 1: command */     \
    "(?:,\\s*([^,]+))?"                      /* group 2: name    */     \
    "(?:,\\s*(?:track\\s+([^,]+)))"          /* group 3: track   */     \
    "(?:,\\s*(?:expire\\s+([^,]+)))?"        /* group 4: expire  */
/* Forward declaration: the unit-test registration routine is defined further
 * down this file, after the tests it registers, but is referenced earlier. */
static void XBitsRegisterTests(void);
147 return DetectIPPairbitMatchIsset(p,xd);
149 return DetectIPPairbitMatchIsnotset(p,xd);
151 return DetectIPPairbitMatchSet(p,xd);
153 return DetectIPPairbitMatchUnset(p,xd);
155 return DetectIPPairbitMatchToggle(p,xd);
198 char fb_cmd_str[16] =
"", fb_name[256] =
"";
199 char hb_dir_str[16] =
"";
203 pcre2_match_data *match = NULL;
205 if (ret != 2 && ret != 3 && ret != 4 && ret != 5) {
206 SCLogError(
"\"%s\" is not a valid setting for xbits.", rawstr);
208 pcre2_match_data_free(match);
213 pcre2len =
sizeof(fb_cmd_str);
214 int res = pcre2_substring_copy_bynumber(match, 1, (PCRE2_UCHAR8 *)fb_cmd_str, &pcre2len);
216 SCLogError(
"pcre2_substring_copy_bynumber failed");
217 pcre2_match_data_free(match);
222 pcre2len =
sizeof(fb_name);
223 res = pcre2_substring_copy_bynumber(match, 2, (PCRE2_UCHAR8 *)fb_name, &pcre2len);
225 SCLogError(
"pcre2_substring_copy_bynumber failed");
226 pcre2_match_data_free(match);
230 pcre2len =
sizeof(hb_dir_str);
231 res = pcre2_substring_copy_bynumber(match, 3, (PCRE2_UCHAR8 *)hb_dir_str, &pcre2len);
233 SCLogError(
"pcre2_substring_copy_bynumber failed");
234 pcre2_match_data_free(match);
238 if (strlen(hb_dir_str) > 0) {
239 if (strcmp(hb_dir_str,
"ip_src") == 0) {
242 }
else if (strcmp(hb_dir_str,
"ip_dst") == 0) {
245 }
else if (strcmp(hb_dir_str,
"ip_pair") == 0) {
250 pcre2_match_data_free(match);
256 char expire_str[16] =
"";
257 pcre2len =
sizeof(expire_str);
258 res = pcre2_substring_copy_bynumber(
259 match, 4, (PCRE2_UCHAR8 *)expire_str, &pcre2len);
261 SCLogError(
"pcre2_substring_copy_bynumber failed");
262 pcre2_match_data_free(match);
270 pcre2_match_data_free(match);
275 pcre2_match_data_free(match);
283 pcre2_match_data_free(match);
284 if (strcmp(fb_cmd_str,
"noalert") == 0) {
286 }
else if (strcmp(fb_cmd_str,
"isset") == 0) {
288 }
else if (strcmp(fb_cmd_str,
"isnotset") == 0) {
290 }
else if (strcmp(fb_cmd_str,
"set") == 0) {
292 }
else if (strcmp(fb_cmd_str,
"unset") == 0) {
294 }
else if (strcmp(fb_cmd_str,
"toggle") == 0) {
297 SCLogError(
"xbits action \"%s\" is not supported.", fb_cmd_str);
303 if (strlen(fb_name) != 0)
314 if (strlen(fb_name) == 0)
329 SCLogDebug(
"idx %" PRIu32
", cmd %s, name %s",
330 cd->
idx, fb_cmd_str, strlen(fb_name) ? fb_name :
"(none)");
340 int result = DetectXbitParse(
de_ctx, rawstr, &cd);
343 }
else if (cd == NULL) {
391 static void XBitsTestSetup(
void)
401 static void XBitsTestShutdown(
void)
409 static int XBitsTestParse01(
void)
/*
 * Test helper for XBitsTestParse01: asserts that DetectXbitParse() rejects the
 * given keyword string by returning -1 (the success path returns 0). Expands to
 * a single FAIL_IF_NOT, so a parse that unexpectedly succeeds fails the test.
 * Relies on `de_ctx` and `cd` being in scope at the expansion site; invoke with
 * a trailing semicolon like a statement.
 */
#define BAD_INPUT(str)                                                  \
    do {                                                                \
        FAIL_IF_NOT(DetectXbitParse(de_ctx, (str), &cd) == -1);         \
    } while (0)
423 BAD_INPUT(
"set,abc,track nonsense, expire 3600");
424 BAD_INPUT(
"set,abc,track ip_source, expire 3600");
425 BAD_INPUT(
"set,abc,track ip_src, expire -1");
426 BAD_INPUT(
"set,abc,track ip_src, expire 0");
430 #define GOOD_INPUT(str, command, trk, typ, exp) \
431 FAIL_IF_NOT(DetectXbitParse(de_ctx, (str), &cd) == 0); \
433 FAIL_IF_NOT(cd->cmd == (command)); \
434 FAIL_IF_NOT(cd->tracker == (trk)); \
435 FAIL_IF_NOT(cd->type == (typ)); \
436 FAIL_IF_NOT(cd->expire == (exp)); \
437 DetectXbitFree(NULL, cd); \
444 GOOD_INPUT(
"set,abc,track ip_pair, expire 3600",
448 GOOD_INPUT(
"set,abc,track ip_src, expire 1234",
463 static int XBitsTestSig01(
void)
465 uint8_t *buf = (uint8_t *)
466 "GET /one/ HTTP/1.1\r\n"
467 "Host: one.example.org\r\n"
469 uint16_t buflen = strlen((
char *)buf);
477 memset(&th_v, 0,
sizeof(th_v));
482 p->
proto = IPPROTO_TCP;
491 "alert ip any any -> any any (xbits:set,abc,track ip_pair; content:\"GET \"; sid:1;)");
513 static int XBitsTestSig02(
void)
522 "alert ip any any -> any any (xbits:isset,abc,track ip_src; content:\"GET \"; sid:1;)");
526 "alert ip any any -> any any (xbits:isnotset,abc,track ip_dst; content:\"GET \"; sid:2;)");
530 "alert ip any any -> any any (xbits:set,abc,track ip_pair; content:\"GET \"; sid:3;)");
534 "alert ip any any -> any any (xbits:unset,abc,track ip_src; content:\"GET \"; sid:4;)");
538 "alert ip any any -> any any (xbits:toggle,abc,track ip_dst; content:\"GET \"; sid:5;)");
542 "alert ip any any -> any any (xbits:!set,abc,track ip_dst; content:\"GET \"; sid:6;)");
552 static void XBitsRegisterTests(
void)