suricata
detect-xbits.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Implements the xbits keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 #include "action-globals.h"
29 #include "detect.h"
30 #include "threads.h"
31 #include "flow.h"
32 #include "flow-util.h"
33 #include "detect-xbits.h"
34 #include "detect-hostbits.h"
35 #include "util-spm.h"
36 #include "util-byte.h"
37 
38 #include "detect-engine-sigorder.h"
39 
40 #include "app-layer-parser.h"
41 
42 #include "detect-parse.h"
43 #include "detect-engine.h"
44 #include "detect-engine-mpm.h"
45 #include "detect-engine-state.h"
46 #include "detect-engine-build.h"
47 
48 #include "flow-bit.h"
49 #include "host-bit.h"
50 #include "ippair-bit.h"
51 #include "util-var-name.h"
52 #include "util-unittest.h"
53 #include "util-debug.h"
54 
55 /*
56  xbits:set,bitname,track ip_pair,expire 60
57  */
58 
59 #define PARSE_REGEX "^([a-z]+)" "(?:,\\s*([^,]+))?" "(?:,\\s*(?:track\\s+([^,]+)))" "(?:,\\s*(?:expire\\s+([^,]+)))?"
60 static DetectParseRegex parse_regex;
61 
62 static int DetectXbitMatch (DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *);
63 static int DetectXbitSetup (DetectEngineCtx *, Signature *, const char *);
64 #ifdef UNITTESTS
65 static void XBitsRegisterTests(void);
66 #endif
67 static void DetectXbitFree (DetectEngineCtx *, void *);
68 
70 {
71  sigmatch_table[DETECT_XBITS].name = "xbits";
72  sigmatch_table[DETECT_XBITS].desc = "operate on bits";
73  sigmatch_table[DETECT_XBITS].url = "/rules/xbits.html";
74  sigmatch_table[DETECT_XBITS].Match = DetectXbitMatch;
75  sigmatch_table[DETECT_XBITS].Setup = DetectXbitSetup;
76  sigmatch_table[DETECT_XBITS].Free = DetectXbitFree;
77 #ifdef UNITTESTS
78  sigmatch_table[DETECT_XBITS].RegisterTests = XBitsRegisterTests;
79 #endif
80  /* this is compatible to ip-only signatures */
82 
83  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
84 }
85 
86 static int DetectIPPairbitMatchToggle (Packet *p, const DetectXbitsData *fd)
87 {
88  IPPair *pair = IPPairGetIPPairFromHash(&p->src, &p->dst);
89  if (pair == NULL)
90  return 0;
91 
92  IPPairBitToggle(pair, fd->idx, SCTIME_SECS(p->ts) + fd->expire);
93  IPPairRelease(pair);
94  return 1;
95 }
96 
97 /* return true even if bit not found */
98 static int DetectIPPairbitMatchUnset (Packet *p, const DetectXbitsData *fd)
99 {
100  IPPair *pair = IPPairLookupIPPairFromHash(&p->src, &p->dst);
101  if (pair == NULL)
102  return 1;
103 
104  IPPairBitUnset(pair,fd->idx);
105  IPPairRelease(pair);
106  return 1;
107 }
108 
109 static int DetectIPPairbitMatchSet (Packet *p, const DetectXbitsData *fd)
110 {
111  IPPair *pair = IPPairGetIPPairFromHash(&p->src, &p->dst);
112  if (pair == NULL)
113  return 0;
114 
115  IPPairBitSet(pair, fd->idx, SCTIME_SECS(p->ts) + fd->expire);
116  IPPairRelease(pair);
117  return 1;
118 }
119 
120 static int DetectIPPairbitMatchIsset (Packet *p, const DetectXbitsData *fd)
121 {
122  int r = 0;
123  IPPair *pair = IPPairLookupIPPairFromHash(&p->src, &p->dst);
124  if (pair == NULL)
125  return 0;
126 
127  r = IPPairBitIsset(pair, fd->idx, SCTIME_SECS(p->ts));
128  IPPairRelease(pair);
129  return r;
130 }
131 
132 static int DetectIPPairbitMatchIsnotset (Packet *p, const DetectXbitsData *fd)
133 {
134  int r = 0;
135  IPPair *pair = IPPairLookupIPPairFromHash(&p->src, &p->dst);
136  if (pair == NULL)
137  return 1;
138 
139  r = IPPairBitIsnotset(pair, fd->idx, SCTIME_SECS(p->ts));
140  IPPairRelease(pair);
141  return r;
142 }
143 
144 static int DetectXbitMatchIPPair(Packet *p, const DetectXbitsData *xd)
145 {
146  switch (xd->cmd) {
148  return DetectIPPairbitMatchIsset(p,xd);
150  return DetectIPPairbitMatchIsnotset(p,xd);
152  return DetectIPPairbitMatchSet(p,xd);
154  return DetectIPPairbitMatchUnset(p,xd);
156  return DetectIPPairbitMatchToggle(p,xd);
157  }
158  return 0;
159 }
160 
161 /*
162  * returns 0: no match
163  * 1: match
164  * -1: error
165  */
166 
167 static int DetectXbitMatch (DetectEngineThreadCtx *det_ctx, Packet *p, const Signature *s, const SigMatchCtx *ctx)
168 {
169  const DetectXbitsData *fd = (const DetectXbitsData *)ctx;
170  if (fd == NULL)
171  return 0;
172 
173  switch (fd->type) {
174  case VAR_TYPE_HOST_BIT:
175  return DetectXbitMatchHost(p, (const DetectXbitsData *)fd);
176  break;
177  case VAR_TYPE_IPPAIR_BIT:
178  return DetectXbitMatchIPPair(p, (const DetectXbitsData *)fd);
179  break;
180  default:
181  break;
182  }
183  return 0;
184 }
185 
186 /** \internal
187  * \brief parse xbits rule options
188  * \retval 0 ok
189  * \retval -1 bad
190  * \param[out] cdout return DetectXbitsData structure or NULL if noalert
191  */
192 static int DetectXbitParse(DetectEngineCtx *de_ctx,
193  const char *rawstr, DetectXbitsData **cdout)
194 {
195  DetectXbitsData *cd = NULL;
196  uint8_t fb_cmd = 0;
197  uint8_t hb_dir = 0;
198  size_t pcre2len;
199  char fb_cmd_str[16] = "", fb_name[256] = "";
200  char hb_dir_str[16] = "";
201  enum VarTypes var_type = VAR_TYPE_NOT_SET;
202  uint32_t expire = DETECT_XBITS_EXPIRE_DEFAULT;
203 
204  pcre2_match_data *match = NULL;
205  int ret = DetectParsePcreExec(&parse_regex, &match, rawstr, 0, 0);
206  if (ret != 2 && ret != 3 && ret != 4 && ret != 5) {
207  SCLogError("\"%s\" is not a valid setting for xbits.", rawstr);
208  if (match) {
209  pcre2_match_data_free(match);
210  }
211  return -1;
212  }
213  SCLogDebug("ret %d, %s", ret, rawstr);
214  pcre2len = sizeof(fb_cmd_str);
215  int res = pcre2_substring_copy_bynumber(match, 1, (PCRE2_UCHAR8 *)fb_cmd_str, &pcre2len);
216  if (res < 0) {
217  SCLogError("pcre2_substring_copy_bynumber failed");
218  pcre2_match_data_free(match);
219  return -1;
220  }
221 
222  if (ret >= 3) {
223  pcre2len = sizeof(fb_name);
224  res = pcre2_substring_copy_bynumber(match, 2, (PCRE2_UCHAR8 *)fb_name, &pcre2len);
225  if (res < 0) {
226  SCLogError("pcre2_substring_copy_bynumber failed");
227  pcre2_match_data_free(match);
228  return -1;
229  }
230  if (ret >= 4) {
231  pcre2len = sizeof(hb_dir_str);
232  res = pcre2_substring_copy_bynumber(match, 3, (PCRE2_UCHAR8 *)hb_dir_str, &pcre2len);
233  if (res < 0) {
234  SCLogError("pcre2_substring_copy_bynumber failed");
235  pcre2_match_data_free(match);
236  return -1;
237  }
238  SCLogDebug("hb_dir_str %s", hb_dir_str);
239  if (strlen(hb_dir_str) > 0) {
240  if (strcmp(hb_dir_str, "ip_src") == 0) {
241  hb_dir = DETECT_XBITS_TRACK_IPSRC;
242  var_type = VAR_TYPE_HOST_BIT;
243  } else if (strcmp(hb_dir_str, "ip_dst") == 0) {
244  hb_dir = DETECT_XBITS_TRACK_IPDST;
245  var_type = VAR_TYPE_HOST_BIT;
246  } else if (strcmp(hb_dir_str, "ip_pair") == 0) {
247  hb_dir = DETECT_XBITS_TRACK_IPPAIR;
248  var_type = VAR_TYPE_IPPAIR_BIT;
249  } else {
250  // TODO
251  pcre2_match_data_free(match);
252  return -1;
253  }
254  }
255 
256  if (ret >= 5) {
257  char expire_str[16] = "";
258  pcre2len = sizeof(expire_str);
259  res = pcre2_substring_copy_bynumber(
260  match, 4, (PCRE2_UCHAR8 *)expire_str, &pcre2len);
261  if (res < 0) {
262  SCLogError("pcre2_substring_copy_bynumber failed");
263  pcre2_match_data_free(match);
264  return -1;
265  }
266  SCLogDebug("expire_str %s", expire_str);
267  if (StringParseUint32(&expire, 10, 0, (const char *)expire_str) < 0) {
268  SCLogError("Invalid value for "
269  "expire: \"%s\"",
270  expire_str);
271  pcre2_match_data_free(match);
272  return -1;
273  }
274  if (expire == 0) {
275  SCLogError("expire must be bigger than 0");
276  pcre2_match_data_free(match);
277  return -1;
278  }
279  SCLogDebug("expire %d", expire);
280  }
281  }
282  }
283 
284  pcre2_match_data_free(match);
285  if (strcmp(fb_cmd_str,"noalert") == 0) {
286  fb_cmd = DETECT_XBITS_CMD_NOALERT;
287  } else if (strcmp(fb_cmd_str,"isset") == 0) {
288  fb_cmd = DETECT_XBITS_CMD_ISSET;
289  } else if (strcmp(fb_cmd_str,"isnotset") == 0) {
290  fb_cmd = DETECT_XBITS_CMD_ISNOTSET;
291  } else if (strcmp(fb_cmd_str,"set") == 0) {
292  fb_cmd = DETECT_XBITS_CMD_SET;
293  } else if (strcmp(fb_cmd_str,"unset") == 0) {
294  fb_cmd = DETECT_XBITS_CMD_UNSET;
295  } else if (strcmp(fb_cmd_str,"toggle") == 0) {
296  fb_cmd = DETECT_XBITS_CMD_TOGGLE;
297  } else {
298  SCLogError("xbits action \"%s\" is not supported.", fb_cmd_str);
299  return -1;
300  }
301 
302  switch (fb_cmd) {
304  if (strlen(fb_name) != 0)
305  return -1;
306  /* return ok, cd is NULL. Flag sig. */
307  *cdout = NULL;
308  return 0;
309  }
315  if (strlen(fb_name) == 0)
316  return -1;
317  break;
318  }
319 
320  cd = SCMalloc(sizeof(DetectXbitsData));
321  if (unlikely(cd == NULL))
322  return -1;
323 
324  cd->idx = VarNameStoreRegister(fb_name, var_type);
325  cd->cmd = fb_cmd;
326  cd->tracker = hb_dir;
327  cd->type = var_type;
328  cd->expire = expire;
329 
330  SCLogDebug("idx %" PRIu32 ", cmd %s, name %s",
331  cd->idx, fb_cmd_str, strlen(fb_name) ? fb_name : "(none)");
332 
333  *cdout = cd;
334  return 0;
335 }
336 
337 int DetectXbitSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
338 {
339  DetectXbitsData *cd = NULL;
340 
341  int result = DetectXbitParse(de_ctx, rawstr, &cd);
342  if (result < 0) {
343  return -1;
344  } else if (cd == NULL) {
345  /* noalert doesn't use a cd/sm struct. It flags the sig. We're done. */
346  s->action &= ~ACTION_ALERT;
347  return 0;
348  }
349 
350  /* Okay so far so good, lets get this into a SigMatch
351  * and put it in the Signature. */
352  switch (cd->cmd) {
353  /* case DETECT_XBITS_CMD_NOALERT can't happen here */
356  /* checks, so packet list */
358  de_ctx, s, DETECT_XBITS, (SigMatchCtx *)cd, DETECT_SM_LIST_MATCH) == NULL) {
359  SCFree(cd);
360  return -1;
361  }
362  break;
363 
364  // all other cases
365  // DETECT_XBITS_CMD_SET, DETECT_XBITS_CMD_UNSET, DETECT_XBITS_CMD_TOGGLE:
366  default:
367  /* modifiers, only run when entire sig has matched */
369  DETECT_SM_LIST_POSTMATCH) == NULL) {
370  SCFree(cd);
371  return -1;
372  }
373  break;
374  }
375 
376  return 0;
377 }
378 
379 static void DetectXbitFree (DetectEngineCtx *de_ctx, void *ptr)
380 {
381  DetectXbitsData *fd = (DetectXbitsData *)ptr;
382 
383  if (fd == NULL)
384  return;
385  VarNameStoreUnregister(fd->idx, fd->type);
386 
387  SCFree(fd);
388 }
389 
390 #ifdef UNITTESTS
391 
392 static void XBitsTestSetup(void)
393 {
394  StorageInit();
395  HostBitInitCtx();
397  StorageFinalize();
398  HostInitConfig(true);
399  IPPairInitConfig(true);
400 }
401 
402 static void XBitsTestShutdown(void)
403 {
404  HostCleanup();
405  IPPairCleanup();
406  StorageCleanup();
407 }
408 
409 
410 static int XBitsTestParse01(void)
411 {
412  DetectEngineCtx *de_ctx = NULL;
415  de_ctx->flags |= DE_QUIET;
416  DetectXbitsData *cd = NULL;
417 
418 #define BAD_INPUT(str) \
419  FAIL_IF_NOT(DetectXbitParse(de_ctx, (str), &cd) == -1);
420 
421  BAD_INPUT("alert");
422  BAD_INPUT("n0alert");
423  BAD_INPUT("nOalert");
424  BAD_INPUT("set,abc,track nonsense, expire 3600");
425  BAD_INPUT("set,abc,track ip_source, expire 3600");
426  BAD_INPUT("set,abc,track ip_src, expire -1");
427  BAD_INPUT("set,abc,track ip_src, expire 0");
428 
429 #undef BAD_INPUT
430 
431 #define GOOD_INPUT(str, command, trk, typ, exp) \
432  FAIL_IF_NOT(DetectXbitParse(de_ctx, (str), &cd) == 0); \
433  FAIL_IF_NULL(cd); \
434  FAIL_IF_NOT(cd->cmd == (command)); \
435  FAIL_IF_NOT(cd->tracker == (trk)); \
436  FAIL_IF_NOT(cd->type == (typ)); \
437  FAIL_IF_NOT(cd->expire == (exp)); \
438  DetectXbitFree(NULL, cd); \
439  cd = NULL;
440 
441  GOOD_INPUT("set,abc,track ip_pair",
445  GOOD_INPUT("set,abc,track ip_pair, expire 3600",
448  3600);
449  GOOD_INPUT("set,abc,track ip_src, expire 1234",
452  1234);
453 
454 #undef GOOD_INPUT
455 
457  PASS;
458 }
459 
460 /**
461  * \test
462  */
463 
464 static int XBitsTestSig01(void)
465 {
466  uint8_t *buf = (uint8_t *)
467  "GET /one/ HTTP/1.1\r\n"
468  "Host: one.example.org\r\n"
469  "\r\n";
470  uint16_t buflen = strlen((char *)buf);
471  Packet *p = PacketGetFromAlloc();
472  FAIL_IF_NULL(p);
473  Signature *s = NULL;
474  ThreadVars th_v;
475  DetectEngineThreadCtx *det_ctx = NULL;
476  DetectEngineCtx *de_ctx = NULL;
477 
478  memset(&th_v, 0, sizeof(th_v));
479  p->src.family = AF_INET;
480  p->dst.family = AF_INET;
481  p->payload = buf;
482  p->payload_len = buflen;
483  p->proto = IPPROTO_TCP;
484 
485  XBitsTestSetup();
486 
489  de_ctx->flags |= DE_QUIET;
490 
492  "alert ip any any -> any any (xbits:set,abc,track ip_pair; content:\"GET \"; sid:1;)");
493  FAIL_IF_NULL(s);
494 
496  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
497  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
498  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
500  XBitsTestShutdown();
501  SCFree(p);
502  StatsThreadCleanup(&th_v);
504  PASS;
505 }
506 
507 /**
508  * \test various options
509  *
510  * \retval 1 on success
511  * \retval 0 on failure
512  */
513 
514 static int XBitsTestSig02(void)
515 {
516  Signature *s = NULL;
517  DetectEngineCtx *de_ctx = NULL;
520  de_ctx->flags |= DE_QUIET;
521 
523  "alert ip any any -> any any (xbits:isset,abc,track ip_src; content:\"GET \"; sid:1;)");
524  FAIL_IF_NULL(s);
525 
527  "alert ip any any -> any any (xbits:isnotset,abc,track ip_dst; content:\"GET \"; sid:2;)");
528  FAIL_IF_NULL(s);
529 
531  "alert ip any any -> any any (xbits:set,abc,track ip_pair; content:\"GET \"; sid:3;)");
532  FAIL_IF_NULL(s);
533 
535  "alert ip any any -> any any (xbits:unset,abc,track ip_src; content:\"GET \"; sid:4;)");
536  FAIL_IF_NULL(s);
537 
539  "alert ip any any -> any any (xbits:toggle,abc,track ip_dst; content:\"GET \"; sid:5;)");
540  FAIL_IF_NULL(s);
541 
543  "alert ip any any -> any any (xbits:!set,abc,track ip_dst; content:\"GET \"; sid:6;)");
544  FAIL_IF_NOT_NULL(s);
545 
547  PASS;
548 }
549 
550 /**
551  * \brief this function registers unit tests for XBits
552  */
553 static void XBitsRegisterTests(void)
554 {
555  UtRegisterTest("XBitsTestParse01", XBitsTestParse01);
556  UtRegisterTest("XBitsTestSig01", XBitsTestSig01);
557  UtRegisterTest("XBitsTestSig02", XBitsTestSig02);
558 }
559 #endif /* UNITTESTS */
IPPairBitUnset
void IPPairBitUnset(IPPair *h, uint32_t idx)
Definition: ippair-bit.c:139
util-byte.h
StatsReleaseResources
void StatsReleaseResources(void)
Releases the resources allotted by the Stats API.
Definition: counters.c:1262
SigTableElmt_::url
const char * url
Definition: detect.h:1312
Packet_::proto
uint8_t proto
Definition: decode.h:498
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
DetectXbitsRegister
void DetectXbitsRegister(void)
Definition: detect-xbits.c:69
IPPairInitConfig
void IPPairInitConfig(bool quiet)
initialize the configuration
Definition: ippair.c:162
SigTableElmt_::desc
const char * desc
Definition: detect.h:1311
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:128
DetectXbitsData_::expire
uint32_t expire
Definition: detect-xbits.h:44
StorageInit
void StorageInit(void)
Definition: util-storage.c:70
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1299
flow-util.h
DetectParseRegex
Definition: detect-parse.h:62
IPPairRelease
void IPPairRelease(IPPair *h)
Definition: ippair.c:505
SigTableElmt_::name
const char * name
Definition: detect.h:1309
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
Packet_::payload
uint8_t * payload
Definition: decode.h:574
action-globals.h
ippair-bit.h
threads.h
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1303
ctx
struct Thresholds ctx
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:843
DetectXbitsData_::cmd
uint8_t cmd
Definition: detect-xbits.h:42
IPPairBitSet
void IPPairBitSet(IPPair *h, uint32_t idx, uint32_t expire)
Definition: ippair-bit.c:131
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2623
StorageCleanup
void StorageCleanup(void)
Definition: util-storage.c:78
flow-bit.h
util-var-name.h
DETECT_XBITS_TRACK_IPDST
#define DETECT_XBITS_TRACK_IPDST
Definition: detect-xbits.h:35
DE_QUIET
#define DE_QUIET
Definition: detect.h:323
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1950
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
Definition: detect-parse.c:2645
VarNameStoreRegister
uint32_t VarNameStoreRegister(const char *name, const enum VarTypes type)
Definition: util-var-name.c:155
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2591
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1294
HostBitInitCtx
void HostBitInitCtx(void)
Definition: host-bit.c:49
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:575
DetectXbitsData_
Definition: detect-xbits.h:40
util-unittest.h
VAR_TYPE_NOT_SET
@ VAR_TYPE_NOT_SET
Definition: util-var.h:29
GOOD_INPUT
#define GOOD_INPUT(str, command, trk, typ, exp)
DETECT_SM_LIST_POSTMATCH
@ DETECT_SM_LIST_POSTMATCH
Definition: detect.h:124
DetectXbitMatchHost
int DetectXbitMatchHost(Packet *p, const DetectXbitsData *xd)
Definition: detect-hostbits.c:248
detect-xbits.h
DETECT_XBITS_CMD_ISNOTSET
#define DETECT_XBITS_CMD_ISNOTSET
Definition: detect-xbits.h:30
DETECT_XBITS_EXPIRE_DEFAULT
#define DETECT_XBITS_EXPIRE_DEFAULT
Definition: detect-xbits.h:38
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
IPPairBitToggle
void IPPairBitToggle(IPPair *h, uint32_t idx, uint32_t expire)
Definition: ippair-bit.c:147
IPPairCleanup
void IPPairCleanup(void)
Cleanup the ippair engine.
Definition: ippair.c:330
DetectEngineThreadCtx_
Definition: detect.h:1098
Packet_::ts
SCTime_t ts
Definition: decode.h:524
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2771
HostCleanup
void HostCleanup(void)
Cleanup the host engine.
Definition: host.c:332
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
BAD_INPUT
#define BAD_INPUT(str)
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3365
VarNameStoreUnregister
void VarNameStoreUnregister(const uint32_t id, const enum VarTypes type)
Definition: util-var-name.c:201
DETECT_XBITS_TRACK_IPPAIR
#define DETECT_XBITS_TRACK_IPPAIR
Definition: detect-xbits.h:36
StringParseUint32
int StringParseUint32(uint32_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:313
IPPairGetIPPairFromHash
IPPair * IPPairGetIPPairFromHash(Address *a, Address *b)
Definition: ippair.c:524
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:114
app-layer-parser.h
DETECT_XBITS
@ DETECT_XBITS
Definition: detect-engine-register.h:67
IPPairBitIsnotset
int IPPairBitIsnotset(IPPair *h, uint32_t idx, uint32_t ts)
Definition: ippair-bit.c:171
Signature_::action
uint8_t action
Definition: detect.h:618
DetectXbitsData_::type
enum VarTypes type
Definition: detect-xbits.h:46
ACTION_ALERT
#define ACTION_ALERT
Definition: action-globals.h:29
Packet_
Definition: decode.h:476
detect-engine-build.h
StorageFinalize
int StorageFinalize(void)
Definition: util-storage.c:140
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1277
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2145
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:344
suricata-common.h
IPPair_
Definition: ippair.h:58
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3592
util-spm.h
SCTIME_SECS
#define SCTIME_SECS(t)
Definition: util-time.h:57
DetectXbitsData_::idx
uint32_t idx
Definition: detect-xbits.h:41
detect-hostbits.h
VAR_TYPE_HOST_BIT
@ VAR_TYPE_HOST_BIT
Definition: util-var.h:40
IPPairBitInitCtx
void IPPairBitInitCtx(void)
Definition: ippair-bit.c:49
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:232
detect-engine-sigorder.h
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
DetectXbitsData_::tracker
uint8_t tracker
Definition: detect-xbits.h:43
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DETECT_XBITS_TRACK_IPSRC
#define DETECT_XBITS_TRACK_IPSRC
Definition: detect-xbits.h:34
detect-parse.h
Signature_
Signature container.
Definition: detect.h:603
DETECT_XBITS_CMD_NOALERT
#define DETECT_XBITS_CMD_NOALERT
Definition: detect-xbits.h:32
DETECT_XBITS_CMD_ISSET
#define DETECT_XBITS_CMD_ISSET
Definition: detect-xbits.h:31
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2584
VarTypes
VarTypes
Definition: util-var.h:28
Address_::family
char family
Definition: decode.h:109
Packet_::dst
Address dst
Definition: decode.h:481
IPPairLookupIPPairFromHash
IPPair * IPPairLookupIPPairFromHash(Address *a, Address *b)
look up a ippair in the hash
Definition: ippair.c:623
HostInitConfig
void HostInitConfig(bool quiet)
initialize the configuration
Definition: host.c:168
IPPairBitIsset
int IPPairBitIsset(IPPair *h, uint32_t idx, uint32_t ts)
Definition: ippair-bit.c:157
DETECT_XBITS_CMD_SET
#define DETECT_XBITS_CMD_SET
Definition: detect-xbits.h:27
SigMatchAppendSMToList
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:437
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:845
DETECT_XBITS_CMD_TOGGLE
#define DETECT_XBITS_CMD_TOGGLE
Definition: detect-xbits.h:28
flow.h
DETECT_XBITS_CMD_UNSET
#define DETECT_XBITS_CMD_UNSET
Definition: detect-xbits.h:29
VAR_TYPE_IPPAIR_BIT
@ VAR_TYPE_IPPAIR_BIT
Definition: util-var.h:44
StatsThreadCleanup
void StatsThreadCleanup(ThreadVars *tv)
Definition: counters.c:1303
SIGMATCH_IPONLY_COMPAT
#define SIGMATCH_IPONLY_COMPAT
Definition: detect.h:1495
Packet_::src
Address src
Definition: decode.h:480
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-xbits.c:59
host-bit.h
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1301