suricata
detect-xbits.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2010 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Implements the xbits keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 #include "detect.h"
29 #include "threads.h"
30 #include "flow.h"
31 #include "flow-util.h"
32 #include "detect-xbits.h"
33 #include "detect-hostbits.h"
34 #include "util-spm.h"
35 
36 #include "detect-engine-sigorder.h"
37 
38 #include "app-layer-parser.h"
39 
40 #include "detect-parse.h"
41 #include "detect-engine.h"
42 #include "detect-engine-mpm.h"
43 #include "detect-engine-state.h"
44 
45 #include "flow-bit.h"
46 #include "host-bit.h"
47 #include "ippair-bit.h"
48 #include "util-var-name.h"
49 #include "util-unittest.h"
50 #include "util-debug.h"
51 
52 /*
53  xbits:set,bitname,track ip_pair,expire 60
54  */
55 
56 #define PARSE_REGEX "^([a-z]+)" "(?:,\\s*([^,]+))?" "(?:,\\s*(?:track\\s+([^,]+)))" "(?:,\\s*(?:expire\\s+([^,]+)))?"
57 static pcre *parse_regex;
58 static pcre_extra *parse_regex_study;
59 
60 static int DetectXbitMatch (DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *);
61 static int DetectXbitSetup (DetectEngineCtx *, Signature *, const char *);
62 void DetectXbitFree (void *);
63 void XBitsRegisterTests(void);
64 
65 void DetectXbitsRegister (void)
66 {
67  sigmatch_table[DETECT_XBITS].name = "xbits";
68  sigmatch_table[DETECT_XBITS].desc = "operate on bits";
69  sigmatch_table[DETECT_XBITS].url = DOC_URL DOC_VERSION "/rules/xbits.html";
70  sigmatch_table[DETECT_XBITS].Match = DetectXbitMatch;
71  sigmatch_table[DETECT_XBITS].Setup = DetectXbitSetup;
72  sigmatch_table[DETECT_XBITS].Free = DetectXbitFree;
73  sigmatch_table[DETECT_XBITS].RegisterTests = XBitsRegisterTests;
74  /* this is compatible to ip-only signatures */
75  sigmatch_table[DETECT_XBITS].flags |= SIGMATCH_IPONLY_COMPAT;
76 
77  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
78 }
79 
80 static int DetectIPPairbitMatchToggle (Packet *p, const DetectXbitsData *fd)
81 {
82  IPPair *pair = IPPairGetIPPairFromHash(&p->src, &p->dst);
83  if (pair == NULL)
84  return 0;
85 
86  IPPairBitToggle(pair,fd->idx,p->ts.tv_sec + fd->expire);
87  IPPairRelease(pair);
88  return 1;
89 }
90 
91 /* return true even if bit not found */
92 static int DetectIPPairbitMatchUnset (Packet *p, const DetectXbitsData *fd)
93 {
94  IPPair *pair = IPPairLookupIPPairFromHash(&p->src, &p->dst);
95  if (pair == NULL)
96  return 1;
97 
98  IPPairBitUnset(pair,fd->idx);
99  IPPairRelease(pair);
100  return 1;
101 }
102 
103 static int DetectIPPairbitMatchSet (Packet *p, const DetectXbitsData *fd)
104 {
105  IPPair *pair = IPPairGetIPPairFromHash(&p->src, &p->dst);
106  if (pair == NULL)
107  return 0;
108 
109  IPPairBitSet(pair, fd->idx, p->ts.tv_sec + fd->expire);
110  IPPairRelease(pair);
111  return 1;
112 }
113 
114 static int DetectIPPairbitMatchIsset (Packet *p, const DetectXbitsData *fd)
115 {
116  int r = 0;
117  IPPair *pair = IPPairLookupIPPairFromHash(&p->src, &p->dst);
118  if (pair == NULL)
119  return 0;
120 
121  r = IPPairBitIsset(pair,fd->idx,p->ts.tv_sec);
122  IPPairRelease(pair);
123  return r;
124 }
125 
126 static int DetectIPPairbitMatchIsnotset (Packet *p, const DetectXbitsData *fd)
127 {
128  int r = 0;
129  IPPair *pair = IPPairLookupIPPairFromHash(&p->src, &p->dst);
130  if (pair == NULL)
131  return 1;
132 
133  r = IPPairBitIsnotset(pair,fd->idx,p->ts.tv_sec);
134  IPPairRelease(pair);
135  return r;
136 }
137 
138 static int DetectXbitMatchIPPair(Packet *p, const DetectXbitsData *xd)
139 {
140  switch (xd->cmd) {
141  case DETECT_XBITS_CMD_ISSET:
142  return DetectIPPairbitMatchIsset(p,xd);
143  case DETECT_XBITS_CMD_ISNOTSET:
144  return DetectIPPairbitMatchIsnotset(p,xd);
145  case DETECT_XBITS_CMD_SET:
146  return DetectIPPairbitMatchSet(p,xd);
147  case DETECT_XBITS_CMD_UNSET:
148  return DetectIPPairbitMatchUnset(p,xd);
149  case DETECT_XBITS_CMD_TOGGLE:
150  return DetectIPPairbitMatchToggle(p,xd);
151  default:
152  SCLogError(SC_ERR_UNKNOWN_VALUE, "unknown cmd %" PRIu32 "", xd->cmd);
153  return 0;
154  }
155  return 0;
156 }
157 
158 /*
159  * returns 0: no match
160  * 1: match
161  * -1: error
162  */
163 
164 static int DetectXbitMatch (DetectEngineThreadCtx *det_ctx, Packet *p, const Signature *s, const SigMatchCtx *ctx)
165 {
166  const DetectXbitsData *fd = (const DetectXbitsData *)ctx;
167  if (fd == NULL)
168  return 0;
169 
170  switch (fd->type) {
171  case VAR_TYPE_HOST_BIT:
172  return DetectXbitMatchHost(p, (const DetectXbitsData *)fd);
173  break;
174  case VAR_TYPE_IPPAIR_BIT:
175  return DetectXbitMatchIPPair(p, (const DetectXbitsData *)fd);
176  break;
177  default:
178  break;
179  }
180  return 0;
181 }
182 
183 /** \internal
184  * \brief parse xbits rule options
185  * \retval 0 ok
186  * \retval -1 bad
187  * \param[out] cdout return DetectXbitsData structure or NULL if noalert
188  */
189 static int DetectXbitParse(DetectEngineCtx *de_ctx,
190  const char *rawstr, DetectXbitsData **cdout)
191 {
192  DetectXbitsData *cd = NULL;
193  uint8_t fb_cmd = 0;
194  uint8_t hb_dir = 0;
195 #define MAX_SUBSTRINGS 30
196  int ret = 0, res = 0;
197  int ov[MAX_SUBSTRINGS];
198  char fb_cmd_str[16] = "", fb_name[256] = "";
199  char hb_dir_str[16] = "";
200  enum VarTypes var_type = VAR_TYPE_NOT_SET;
201  int expire = DETECT_XBITS_EXPIRE_DEFAULT;
202 
203  ret = pcre_exec(parse_regex, parse_regex_study, rawstr, strlen(rawstr), 0, 0, ov, MAX_SUBSTRINGS);
204  if (ret != 2 && ret != 3 && ret != 4 && ret != 5) {
205  SCLogError(SC_ERR_PCRE_MATCH, "\"%s\" is not a valid setting for xbits.", rawstr);
206  return -1;
207  }
208  SCLogDebug("ret %d, %s", ret, rawstr);
209  res = pcre_copy_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 1, fb_cmd_str, sizeof(fb_cmd_str));
210  if (res < 0) {
211  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
212  return -1;
213  }
214 
215  if (ret >= 3) {
216  res = pcre_copy_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 2, fb_name, sizeof(fb_name));
217  if (res < 0) {
218  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
219  return -1;
220  }
221  if (ret >= 4) {
222  res = pcre_copy_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 3, hb_dir_str, sizeof(hb_dir_str));
223  if (res < 0) {
224  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
225  return -1;
226  }
227  SCLogDebug("hb_dir_str %s", hb_dir_str);
228  if (strlen(hb_dir_str) > 0) {
229  if (strcmp(hb_dir_str, "ip_src") == 0) {
230  hb_dir = DETECT_XBITS_TRACK_IPSRC;
231  var_type = VAR_TYPE_HOST_BIT;
232  } else if (strcmp(hb_dir_str, "ip_dst") == 0) {
233  hb_dir = DETECT_XBITS_TRACK_IPDST;
234  var_type = VAR_TYPE_HOST_BIT;
235  } else if (strcmp(hb_dir_str, "ip_pair") == 0) {
236  hb_dir = DETECT_XBITS_TRACK_IPPAIR;
237  var_type = VAR_TYPE_IPPAIR_BIT;
238  } else {
239  // TODO
240  return -1;
241  }
242  }
243 
244  if (ret >= 5) {
245  char expire_str[16] = "";
246  res = pcre_copy_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 4, expire_str, sizeof(expire_str));
247  if (res < 0) {
248  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
249  return -1;
250  }
251  SCLogDebug("expire_str %s", expire_str);
252  expire = atoi(expire_str);
253  if (expire < 0) {
254  SCLogError(SC_ERR_INVALID_VALUE, "expire must be positive. "
255  "Got %d (\"%s\")", expire, expire_str);
256  return -1;
257  }
258  if (expire == 0) {
259  SCLogError(SC_ERR_INVALID_VALUE, "expire must be bigger than 0");
260  return -1;
261  }
262  SCLogDebug("expire %d", expire);
263  }
264  }
265  }
266 
267  if (strcmp(fb_cmd_str,"noalert") == 0) {
268  fb_cmd = DETECT_XBITS_CMD_NOALERT;
269  } else if (strcmp(fb_cmd_str,"isset") == 0) {
270  fb_cmd = DETECT_XBITS_CMD_ISSET;
271  } else if (strcmp(fb_cmd_str,"isnotset") == 0) {
272  fb_cmd = DETECT_XBITS_CMD_ISNOTSET;
273  } else if (strcmp(fb_cmd_str,"set") == 0) {
274  fb_cmd = DETECT_XBITS_CMD_SET;
275  } else if (strcmp(fb_cmd_str,"unset") == 0) {
276  fb_cmd = DETECT_XBITS_CMD_UNSET;
277  } else if (strcmp(fb_cmd_str,"toggle") == 0) {
278  fb_cmd = DETECT_XBITS_CMD_TOGGLE;
279  } else {
280  SCLogError(SC_ERR_UNKNOWN_VALUE, "xbits action \"%s\" is not supported.", fb_cmd_str);
281  return -1;
282  }
283 
284  switch (fb_cmd) {
285  case DETECT_XBITS_CMD_NOALERT: {
286  if (strlen(fb_name) != 0)
287  return -1;
288  /* return ok, cd is NULL. Flag sig. */
289  *cdout = NULL;
290  return 0;
291  }
292  case DETECT_XBITS_CMD_ISNOTSET:
293  case DETECT_XBITS_CMD_ISSET:
294  case DETECT_XBITS_CMD_SET:
295  case DETECT_XBITS_CMD_UNSET:
296  case DETECT_XBITS_CMD_TOGGLE:
297  default:
298  if (strlen(fb_name) == 0)
299  return -1;
300  break;
301  }
302 
303  cd = SCMalloc(sizeof(DetectXbitsData));
304  if (unlikely(cd == NULL))
305  return -1;
306 
307  cd->idx = VarNameStoreSetupAdd(fb_name, var_type);
308  cd->cmd = fb_cmd;
309  cd->tracker = hb_dir;
310  cd->type = var_type;
311  cd->expire = expire;
312 
313  SCLogDebug("idx %" PRIu32 ", cmd %s, name %s",
314  cd->idx, fb_cmd_str, strlen(fb_name) ? fb_name : "(none)");
315 
316  *cdout = cd;
317  return 0;
318 }
319 
320 int DetectXbitSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
321 {
322  SigMatch *sm = NULL;
323  DetectXbitsData *cd = NULL;
324 
325  int result = DetectXbitParse(de_ctx, rawstr, &cd);
326  if (result < 0) {
327  return -1;
328  /* noalert doesn't use a cd/sm struct. It flags the sig. We're done. */
329  } else if (result == 0 && cd == NULL) {
330  s->flags |= SIG_FLAG_NOALERT;
331  return 0;
332  }
333 
334  /* Okay so far so good, lets get this into a SigMatch
335  * and put it in the Signature. */
336  sm = SigMatchAlloc();
337  if (sm == NULL)
338  goto error;
339 
340  sm->type = DETECT_XBITS;
341  sm->ctx = (void *)cd;
342 
343  switch (cd->cmd) {
344  /* case DETECT_XBITS_CMD_NOALERT can't happen here */
345 
346  case DETECT_XBITS_CMD_ISNOTSET:
347  case DETECT_XBITS_CMD_ISSET:
348  /* checks, so packet list */
349  SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_MATCH);
350  break;
351 
352  case DETECT_XBITS_CMD_SET:
353  case DETECT_XBITS_CMD_UNSET:
354  case DETECT_XBITS_CMD_TOGGLE:
355  /* modifiers, only run when entire sig has matched */
356  SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_POSTMATCH);
357  break;
358  }
359 
360  return 0;
361 
362 error:
363  if (cd != NULL)
364  SCFree(cd);
365  return -1;
366 }
367 
368 void DetectXbitFree (void *ptr)
369 {
370  DetectXbitsData *fd = (DetectXbitsData *)ptr;
371 
372  if (fd == NULL)
373  return;
374 
375  SCFree(fd);
376 }
377 
378 #ifdef UNITTESTS
379 
380 static void XBitsTestSetup(void)
381 {
382  StorageInit();
383  HostBitInitCtx();
384  IPPairBitInitCtx();
385  StorageFinalize();
386  HostInitConfig(TRUE);
387  IPPairInitConfig(TRUE);
388 }
389 
390 static void XBitsTestShutdown(void)
391 {
392  HostCleanup();
393  IPPairCleanup();
394  StorageCleanup();
395 }
396 
397 
398 static int XBitsTestParse01(void)
399 {
400  DetectEngineCtx *de_ctx = NULL;
401  de_ctx = DetectEngineCtxInit();
402  FAIL_IF_NULL(de_ctx);
403  de_ctx->flags |= DE_QUIET;
404  DetectXbitsData *cd = NULL;
405 
406 #define BAD_INPUT(str) \
407  FAIL_IF_NOT(DetectXbitParse(de_ctx, (str), &cd) == -1);
408 
409  BAD_INPUT("alert");
410  BAD_INPUT("n0alert");
411  BAD_INPUT("nOalert");
412  BAD_INPUT("set,abc,track nonsense, expire 3600");
413  BAD_INPUT("set,abc,track ip_source, expire 3600");
414  BAD_INPUT("set,abc,track ip_src, expire -1");
415  BAD_INPUT("set,abc,track ip_src, expire 0");
416 
417 #undef BAD_INPUT
418 
419 #define GOOD_INPUT(str, command, trk, typ, exp) \
420  FAIL_IF_NOT(DetectXbitParse(de_ctx, (str), &cd) == 0); \
421  FAIL_IF_NULL(cd); \
422  FAIL_IF_NOT(cd->cmd == (command)); \
423  FAIL_IF_NOT(cd->tracker == (trk)); \
424  FAIL_IF_NOT(cd->type == (typ)); \
425  FAIL_IF_NOT(cd->expire == (exp)); \
426  DetectXbitFree(cd); \
427  cd = NULL;
428 
429  GOOD_INPUT("set,abc,track ip_pair",
430  DETECT_XBITS_CMD_SET,
431  DETECT_XBITS_TRACK_IPPAIR, VAR_TYPE_IPPAIR_BIT,
432  DETECT_XBITS_EXPIRE_DEFAULT);
433  GOOD_INPUT("set,abc,track ip_pair, expire 3600",
434  DETECT_XBITS_CMD_SET,
435  DETECT_XBITS_TRACK_IPPAIR, VAR_TYPE_IPPAIR_BIT,
436  3600);
437  GOOD_INPUT("set,abc,track ip_src, expire 1234",
438  DETECT_XBITS_CMD_SET,
439  DETECT_XBITS_TRACK_IPSRC, VAR_TYPE_HOST_BIT,
440  1234);
441 
442 #undef GOOD_INPUT
443 
444  DetectEngineCtxFree(de_ctx);
445  PASS;
446 }
447 
448 /**
449  * \test
450  */
451 
452 static int XBitsTestSig01(void)
453 {
454  uint8_t *buf = (uint8_t *)
455  "GET /one/ HTTP/1.1\r\n"
456  "Host: one.example.org\r\n"
457  "\r\n";
458  uint16_t buflen = strlen((char *)buf);
459  Packet *p = SCMalloc(SIZE_OF_PACKET);
460  FAIL_IF_NULL(p);
461  Signature *s = NULL;
462  ThreadVars th_v;
463  DetectEngineThreadCtx *det_ctx = NULL;
464  DetectEngineCtx *de_ctx = NULL;
465 
466  memset(&th_v, 0, sizeof(th_v));
467  memset(p, 0, SIZE_OF_PACKET);
468  p->src.family = AF_INET;
469  p->dst.family = AF_INET;
470  p->payload = buf;
471  p->payload_len = buflen;
472  p->proto = IPPROTO_TCP;
473 
474  XBitsTestSetup();
475 
476  de_ctx = DetectEngineCtxInit();
477  FAIL_IF_NULL(de_ctx);
478  de_ctx->flags |= DE_QUIET;
479 
480  s = DetectEngineAppendSig(de_ctx,
481  "alert ip any any -> any any (xbits:set,abc,track ip_pair; content:\"GET \"; sid:1;)");
482  FAIL_IF_NULL(s);
483 
484  SigGroupBuild(de_ctx);
485  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
486  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
487  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
488  DetectEngineCtxFree(de_ctx);
489  XBitsTestShutdown();
490  SCFree(p);
491  StatsThreadCleanup(&th_v);
492  StatsReleaseResources();
493  PASS;
494 }
495 
496 /**
497  * \test various options
498  *
499  * \retval 1 on succces
500  * \retval 0 on failure
501  */
502 
503 static int XBitsTestSig02(void)
504 {
505  Signature *s = NULL;
506  DetectEngineCtx *de_ctx = NULL;
507  de_ctx = DetectEngineCtxInit();
508  FAIL_IF_NULL(de_ctx);
509  de_ctx->flags |= DE_QUIET;
510 
511  s = DetectEngineAppendSig(de_ctx,
512  "alert ip any any -> any any (xbits:isset,abc,track ip_src; content:\"GET \"; sid:1;)");
513  FAIL_IF_NULL(s);
514 
515  s = DetectEngineAppendSig(de_ctx,
516  "alert ip any any -> any any (xbits:isnotset,abc,track ip_dst; content:\"GET \"; sid:2;)");
517  FAIL_IF_NULL(s);
518 
519  s = DetectEngineAppendSig(de_ctx,
520  "alert ip any any -> any any (xbits:set,abc,track ip_pair; content:\"GET \"; sid:3;)");
521  FAIL_IF_NULL(s);
522 
523  s = DetectEngineAppendSig(de_ctx,
524  "alert ip any any -> any any (xbits:unset,abc,track ip_src; content:\"GET \"; sid:4;)");
525  FAIL_IF_NULL(s);
526 
527  s = DetectEngineAppendSig(de_ctx,
528  "alert ip any any -> any any (xbits:toggle,abc,track ip_dst; content:\"GET \"; sid:5;)");
529  FAIL_IF_NULL(s);
530 
531  s = DetectEngineAppendSig(de_ctx,
532  "alert ip any any -> any any (xbits:!set,abc,track ip_dst; content:\"GET \"; sid:6;)");
533  FAIL_IF_NOT_NULL(s);
534 
535  DetectEngineCtxFree(de_ctx);
536  PASS;
537 }
538 
539 #endif /* UNITTESTS */
540 
541 /**
542  * \brief this function registers unit tests for XBits
543  */
544 void XBitsRegisterTests(void)
545 {
546 #ifdef UNITTESTS
547  UtRegisterTest("XBitsTestParse01", XBitsTestParse01);
548  UtRegisterTest("XBitsTestSig01", XBitsTestSig01);
549  UtRegisterTest("XBitsTestSig02", XBitsTestSig02);
550 #endif /* UNITTESTS */
551 }
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2298
IPPairBitUnset
void IPPairBitUnset(IPPair *h, uint32_t idx)
Definition: ippair-bit.c:140
VarTypes
VarTypes
Definition: util-var.h:27
BAD_INPUT
#define BAD_INPUT(str)
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1448
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1186
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:335
HostCleanup
void HostCleanup(void)
Cleanup the host engine.
Definition: host.c:344
IPPairBitIsnotset
int IPPairBitIsnotset(IPPair *h, uint32_t idx, uint32_t ts)
Definition: ippair-bit.c:172
StatsReleaseResources
void StatsReleaseResources()
Releases the resources alloted by the Stats API.
Definition: counters.c:1256
HostBitInitCtx
void HostBitInitCtx(void)
Definition: host-bit.c:49
StorageFinalize
int StorageFinalize(void)
Definition: util-storage.c:139
Signature_::flags
uint32_t flags
Definition: detect.h:523
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
StatsThreadCleanup
void StatsThreadCleanup(ThreadVars *tv)
Definition: counters.c:1297
Packet_::dst
Address dst
Definition: decode.h:414
DetectXbitsData_::idx
uint32_t idx
Definition: detect-xbits.h:43
IPPairGetIPPairFromHash
IPPair * IPPairGetIPPairFromHash(Address *a, Address *b)
Definition: ippair.c:544
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2770
SigTableElmt_::name
const char * name
Definition: detect.h:1200
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
Signature_
Signature container.
Definition: detect.h:522
IPPairBitSet
void IPPairBitSet(IPPair *h, uint32_t idx, uint32_t expire)
Definition: ippair-bit.c:132
TRUE
#define TRUE
Definition: suricata-common.h:33
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:313
DetectXbitMatchHost
int DetectXbitMatchHost(Packet *p, const DetectXbitsData *xd)
Definition: detect-hostbits.c:242
IPPairBitInitCtx
void IPPairBitInitCtx(void)
Definition: ippair-bit.c:49
IPPairLookupIPPairFromHash
IPPair * IPPairLookupIPPairFromHash(Address *a, Address *b)
look up a ippair in the hash
Definition: ippair.c:643
XBitsRegisterTests
void XBitsRegisterTests(void)
this function registers unit tests for XBits
Definition: detect-xbits.c:544
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:761
HostInitConfig
void HostInitConfig(char quiet)
initialize the configuration
Definition: host.c:168
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:2978
IPPairInitConfig
void IPPairInitConfig(char quiet)
initialize the configuration
Definition: ippair.c:164
DETECT_XBITS_TRACK_IPSRC
#define DETECT_XBITS_TRACK_IPSRC
Definition: detect-xbits.h:35
DETECT_XBITS_CMD_ISSET
#define DETECT_XBITS_CMD_ISSET
Definition: detect-xbits.h:31
DETECT_XBITS_CMD_UNSET
#define DETECT_XBITS_CMD_UNSET
Definition: detect-xbits.h:29
DetectXbitsData_::type
enum VarTypes type
Definition: detect-xbits.h:48
DE_QUIET
#define DE_QUIET
Definition: detect.h:292
DETECT_XBITS_CMD_NOALERT
#define DETECT_XBITS_CMD_NOALERT
Definition: detect-xbits.h:32
SIZE_OF_PACKET
#define SIZE_OF_PACKET
Definition: decode.h:619
DetectXbitsData_
Definition: detect-xbits.h:42
Address_::family
char family
Definition: decode.h:112
Packet_::proto
uint8_t proto
Definition: decode.h:431
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:762
DETECT_XBITS_CMD_SET
#define DETECT_XBITS_CMD_SET
Definition: detect-xbits.h:27
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Free
void(* Free)(void *)
Definition: detect.h:1191
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
DETECT_XBITS_CMD_TOGGLE
#define DETECT_XBITS_CMD_TOGGLE
Definition: detect-xbits.h:28
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1876
IPPairBitToggle
void IPPairBitToggle(IPPair *h, uint32_t idx, uint32_t expire)
Definition: ippair-bit.c:148
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1670
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, pcre **parse_regex, pcre_extra **parse_regex_study)
Definition: detect-parse.c:2384
IPPairBitIsset
int IPPairBitIsset(IPPair *h, uint32_t idx, uint32_t ts)
Definition: ippair-bit.c:158
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-xbits.c:56
IPPair_
Definition: ippair.h:58
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1170
SigMatch_::type
uint8_t type
Definition: detect.h:319
Packet_
Definition: decode.h:408
SigTableElmt_::desc
const char * desc
Definition: detect.h:1202
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:346
DetectXbitsRegister
void DetectXbitsRegister(void)
Definition: detect-xbits.c:65
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:321
SCMalloc
#define SCMalloc(a)
Definition: util-mem.h:222
SCFree
#define SCFree(a)
Definition: util-mem.h:322
res
PoolThreadReserved res
Definition: stream-tcp-private.h:60
SIG_FLAG_NOALERT
#define SIG_FLAG_NOALERT
Definition: detect.h:216
DetectXbitsData_::cmd
uint8_t cmd
Definition: detect-xbits.h:44
StorageInit
void StorageInit(void)
Definition: util-storage.c:67
StorageCleanup
void StorageCleanup(void)
Definition: util-storage.c:75
VarNameStoreSetupAdd
uint32_t VarNameStoreSetupAdd(const char *name, const enum VarTypes type)
add to staging or return existing id if already in there
Definition: util-var-name.c:323
SigTableElmt_::url
const char * url
Definition: detect.h:1203
DETECT_XBITS_TRACK_IPDST
#define DETECT_XBITS_TRACK_IPDST
Definition: detect-xbits.h:36
GOOD_INPUT
#define GOOD_INPUT(str, command, trk, typ, exp)
DetectXbitsData_::tracker
uint8_t tracker
Definition: detect-xbits.h:45
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
DETECT_XBITS_EXPIRE_DEFAULT
#define DETECT_XBITS_EXPIRE_DEFAULT
Definition: detect-xbits.h:40
SIGMATCH_IPONLY_COMPAT
#define SIGMATCH_IPONLY_COMPAT
Definition: detect.h:1371
DOC_URL
#define DOC_URL
Definition: suricata.h:86
DetectXbitFree
void DetectXbitFree(void *)
Definition: detect-xbits.c:368
IPPairCleanup
void IPPairCleanup(void)
Cleanup the ippair engine.
Definition: ippair.c:340
DetectXbitsData_::expire
uint32_t expire
Definition: detect-xbits.h:46
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:232
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
Packet_::ts
struct timeval ts
Definition: decode.h:452
DetectEngineThreadCtx_
Definition: detect.h:1003
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:542
DOC_VERSION
#define DOC_VERSION
Definition: suricata.h:91
IPPairRelease
void IPPairRelease(IPPair *h)
Definition: ippair.c:520
DETECT_XBITS_TRACK_IPPAIR
#define DETECT_XBITS_TRACK_IPPAIR
Definition: detect-xbits.h:37
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1194
DETECT_XBITS_CMD_ISNOTSET
#define DETECT_XBITS_CMD_ISNOTSET
Definition: detect-xbits.h:30
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2074
Packet_::payload
uint8_t * payload
Definition: decode.h:541
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1192
SigMatch_
a single match condition for a signature
Definition: detect.h:318
Packet_::src
Address src
Definition: decode.h:413
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2029