suricata
detect-xbits.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Implements the xbits keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 #include "action-globals.h"
29 #include "detect.h"
30 #include "threads.h"
31 #include "flow.h"
32 #include "flow-util.h"
33 #include "detect-xbits.h"
34 #include "detect-hostbits.h"
35 #include "util-spm.h"
36 #include "util-byte.h"
37 
38 #include "detect-engine-sigorder.h"
39 
40 #include "app-layer-parser.h"
41 
42 #include "detect-parse.h"
43 #include "detect-engine.h"
44 #include "detect-engine-mpm.h"
45 #include "detect-engine-state.h"
46 #include "detect-engine-build.h"
47 
48 #include "flow-bit.h"
49 #include "host-bit.h"
50 #include "ippair-bit.h"
51 #include "tx-bit.h"
52 
53 #include "util-var-name.h"
54 #include "util-unittest.h"
55 #include "util-debug.h"
56 
57 /*
58  xbits:set,bitname,track ip_pair,expire 60
59  */
60 
61 #define PARSE_REGEX "^([a-z]+)" "(?:,\\s*([^,]+))?" "(?:,\\s*(?:track\\s+([^,]+)))" "(?:,\\s*(?:expire\\s+([^,]+)))?"
62 static DetectParseRegex parse_regex;
63 
64 static int DetectXbitTxMatch(DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags, void *state,
65  void *txv, const Signature *s, const SigMatchCtx *ctx);
66 static int DetectXbitMatch (DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *);
67 static int DetectXbitSetup (DetectEngineCtx *, Signature *, const char *);
68 #ifdef UNITTESTS
69 static void XBitsRegisterTests(void);
70 #endif
71 static void DetectXbitFree (DetectEngineCtx *, void *);
72 
74 {
75  sigmatch_table[DETECT_XBITS].name = "xbits";
76  sigmatch_table[DETECT_XBITS].desc = "operate on bits";
77  sigmatch_table[DETECT_XBITS].url = "/rules/xbits.html";
78  sigmatch_table[DETECT_XBITS].AppLayerTxMatch = DetectXbitTxMatch;
79  sigmatch_table[DETECT_XBITS].Match = DetectXbitMatch;
80  sigmatch_table[DETECT_XBITS].Setup = DetectXbitSetup;
81  sigmatch_table[DETECT_XBITS].Free = DetectXbitFree;
82 #ifdef UNITTESTS
83  sigmatch_table[DETECT_XBITS].RegisterTests = XBitsRegisterTests;
84 #endif
85  /* this is compatible to ip-only signatures */
87 
88  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
89 }
90 
91 static int DetectIPPairbitMatchToggle (Packet *p, const DetectXbitsData *fd)
92 {
93  IPPair *pair = IPPairGetIPPairFromHash(&p->src, &p->dst);
94  if (pair == NULL)
95  return 0;
96 
97  IPPairBitToggle(pair, fd->idx, SCTIME_SECS(p->ts) + fd->expire);
98  IPPairRelease(pair);
99  return 1;
100 }
101 
102 /* return true even if bit not found */
103 static int DetectIPPairbitMatchUnset (Packet *p, const DetectXbitsData *fd)
104 {
105  IPPair *pair = IPPairLookupIPPairFromHash(&p->src, &p->dst);
106  if (pair == NULL)
107  return 1;
108 
109  IPPairBitUnset(pair,fd->idx);
110  IPPairRelease(pair);
111  return 1;
112 }
113 
114 static int DetectIPPairbitMatchSet (Packet *p, const DetectXbitsData *fd)
115 {
116  IPPair *pair = IPPairGetIPPairFromHash(&p->src, &p->dst);
117  if (pair == NULL)
118  return 0;
119 
120  IPPairBitSet(pair, fd->idx, SCTIME_SECS(p->ts) + fd->expire);
121  IPPairRelease(pair);
122  return 1;
123 }
124 
125 static int DetectIPPairbitMatchIsset (Packet *p, const DetectXbitsData *fd)
126 {
127  int r = 0;
128  IPPair *pair = IPPairLookupIPPairFromHash(&p->src, &p->dst);
129  if (pair == NULL)
130  return 0;
131 
132  r = IPPairBitIsset(pair, fd->idx, SCTIME_SECS(p->ts));
133  IPPairRelease(pair);
134  return r;
135 }
136 
137 static int DetectIPPairbitMatchIsnotset (Packet *p, const DetectXbitsData *fd)
138 {
139  int r = 0;
140  IPPair *pair = IPPairLookupIPPairFromHash(&p->src, &p->dst);
141  if (pair == NULL)
142  return 1;
143 
144  r = IPPairBitIsnotset(pair, fd->idx, SCTIME_SECS(p->ts));
145  IPPairRelease(pair);
146  return r;
147 }
148 
149 static int DetectXbitMatchIPPair(Packet *p, const DetectXbitsData *xd)
150 {
151  switch (xd->cmd) {
153  return DetectIPPairbitMatchIsset(p,xd);
155  return DetectIPPairbitMatchIsnotset(p,xd);
157  return DetectIPPairbitMatchSet(p,xd);
159  return DetectIPPairbitMatchUnset(p,xd);
161  return DetectIPPairbitMatchToggle(p,xd);
162  }
163  return 0;
164 }
165 
166 static int DetectXbitPostMatchTx(
167  DetectEngineThreadCtx *det_ctx, Packet *p, const Signature *s, const DetectXbitsData *xd)
168 {
169  if (p->flow == NULL)
170  return 0;
171  if (!det_ctx->tx_id_set)
172  return 0;
173  Flow *f = p->flow;
174  void *txv = AppLayerParserGetTx(f->proto, f->alproto, f->alstate, det_ctx->tx_id);
175  if (txv == NULL)
176  return 0;
178  if (txd == NULL) {
179  return 0;
180  }
181 
182  if (xd->cmd != DETECT_XBITS_CMD_SET)
183  return 0;
184 
185  SCLogDebug("sid %u: post-match SET for bit %u on tx:%" PRIu64 ", txd:%p", s->id, xd->idx,
186  det_ctx->tx_id, txd);
187 
188  return TxBitSet(txd, xd->idx);
189 }
190 
191 /*
192  * returns 0: no match
193  * 1: match
194  * -1: error
195  */
196 
197 static int DetectXbitMatch (DetectEngineThreadCtx *det_ctx, Packet *p, const Signature *s, const SigMatchCtx *ctx)
198 {
199  const DetectXbitsData *fd = (const DetectXbitsData *)ctx;
200  if (fd == NULL)
201  return 0;
202 
203  switch (fd->type) {
204  case VAR_TYPE_HOST_BIT:
205  return DetectXbitMatchHost(p, (const DetectXbitsData *)fd);
206  break;
207  case VAR_TYPE_IPPAIR_BIT:
208  return DetectXbitMatchIPPair(p, (const DetectXbitsData *)fd);
209  break;
210  case VAR_TYPE_TX_BIT:
211  // TODO this is for PostMatch only. Can we validate somehow?
212  return DetectXbitPostMatchTx(det_ctx, p, s, fd);
213  break;
214  default:
215  break;
216  }
217  return 0;
218 }
219 
220 static int DetectXbitTxMatch(DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags, void *state,
221  void *txv, const Signature *s, const SigMatchCtx *ctx)
222 {
223  const DetectXbitsData *xd = (const DetectXbitsData *)ctx;
224  BUG_ON(xd == NULL);
225 
227  if (txd == NULL) {
228  return 0;
229  }
230 
231  SCLogDebug("sid:%u: tx:%" PRIu64 ", txd->txbits:%p", s->id, det_ctx->tx_id, txd->txbits);
232  int r = TxBitIsset(txd, xd->idx);
233  if (r == 1) {
235  }
237 }
238 
239 /** \internal
240  * \brief parse xbits rule options
241  * \retval 0 ok
242  * \retval -1 bad
243  * \param[out] cdout return DetectXbitsData structure or NULL if noalert
244  */
245 static int DetectXbitParse(DetectEngineCtx *de_ctx,
246  const char *rawstr, DetectXbitsData **cdout)
247 {
248  DetectXbitsData *cd = NULL;
249  uint8_t fb_cmd = 0;
250  uint8_t hb_dir = 0;
251  size_t pcre2len;
252  char fb_cmd_str[16] = "", fb_name[256] = "";
253  char hb_dir_str[16] = "";
254  enum VarTypes var_type = VAR_TYPE_NOT_SET;
255  uint32_t expire = DETECT_XBITS_EXPIRE_DEFAULT;
256 
257  pcre2_match_data *match = NULL;
258  int ret = DetectParsePcreExec(&parse_regex, &match, rawstr, 0, 0);
259  if (ret != 2 && ret != 3 && ret != 4 && ret != 5) {
260  SCLogError("\"%s\" is not a valid setting for xbits.", rawstr);
261  if (match) {
262  pcre2_match_data_free(match);
263  }
264  return -1;
265  }
266  SCLogDebug("ret %d, %s", ret, rawstr);
267  pcre2len = sizeof(fb_cmd_str);
268  int res = pcre2_substring_copy_bynumber(match, 1, (PCRE2_UCHAR8 *)fb_cmd_str, &pcre2len);
269  if (res < 0) {
270  SCLogError("pcre2_substring_copy_bynumber failed");
271  pcre2_match_data_free(match);
272  return -1;
273  }
274 
275  if (ret >= 3) {
276  pcre2len = sizeof(fb_name);
277  res = pcre2_substring_copy_bynumber(match, 2, (PCRE2_UCHAR8 *)fb_name, &pcre2len);
278  if (res < 0) {
279  SCLogError("pcre2_substring_copy_bynumber failed");
280  pcre2_match_data_free(match);
281  return -1;
282  }
283  if (ret >= 4) {
284  pcre2len = sizeof(hb_dir_str);
285  res = pcre2_substring_copy_bynumber(match, 3, (PCRE2_UCHAR8 *)hb_dir_str, &pcre2len);
286  if (res < 0) {
287  SCLogError("pcre2_substring_copy_bynumber failed");
288  pcre2_match_data_free(match);
289  return -1;
290  }
291  SCLogDebug("hb_dir_str %s", hb_dir_str);
292  if (strlen(hb_dir_str) > 0) {
293  if (strcmp(hb_dir_str, "ip_src") == 0) {
294  hb_dir = DETECT_XBITS_TRACK_IPSRC;
295  var_type = VAR_TYPE_HOST_BIT;
296  } else if (strcmp(hb_dir_str, "ip_dst") == 0) {
297  hb_dir = DETECT_XBITS_TRACK_IPDST;
298  var_type = VAR_TYPE_HOST_BIT;
299  } else if (strcmp(hb_dir_str, "ip_pair") == 0) {
300  hb_dir = DETECT_XBITS_TRACK_IPPAIR;
301  var_type = VAR_TYPE_IPPAIR_BIT;
302  } else if (strcmp(hb_dir_str, "tx") == 0) {
303  hb_dir = DETECT_XBITS_TRACK_TX;
304  var_type = VAR_TYPE_TX_BIT;
305  } else {
306  // TODO
307  pcre2_match_data_free(match);
308  return -1;
309  }
310  }
311 
312  if (ret >= 5) {
313  char expire_str[16] = "";
314  pcre2len = sizeof(expire_str);
315  res = pcre2_substring_copy_bynumber(
316  match, 4, (PCRE2_UCHAR8 *)expire_str, &pcre2len);
317  if (res < 0) {
318  SCLogError("pcre2_substring_copy_bynumber failed");
319  pcre2_match_data_free(match);
320  return -1;
321  }
322  SCLogDebug("expire_str %s", expire_str);
323  if (StringParseUint32(&expire, 10, 0, (const char *)expire_str) < 0) {
324  SCLogError("Invalid value for "
325  "expire: \"%s\"",
326  expire_str);
327  pcre2_match_data_free(match);
328  return -1;
329  }
330  if (expire == 0) {
331  SCLogError("expire must be bigger than 0");
332  pcre2_match_data_free(match);
333  return -1;
334  }
335  SCLogDebug("expire %d", expire);
336  }
337  }
338  }
339 
340  pcre2_match_data_free(match);
341  if (strcmp(fb_cmd_str,"noalert") == 0) {
342  fb_cmd = DETECT_XBITS_CMD_NOALERT;
343  } else if (strcmp(fb_cmd_str,"isset") == 0) {
344  fb_cmd = DETECT_XBITS_CMD_ISSET;
345  } else if (strcmp(fb_cmd_str,"isnotset") == 0) {
346  fb_cmd = DETECT_XBITS_CMD_ISNOTSET;
347  } else if (strcmp(fb_cmd_str,"set") == 0) {
348  fb_cmd = DETECT_XBITS_CMD_SET;
349  } else if (strcmp(fb_cmd_str,"unset") == 0) {
350  fb_cmd = DETECT_XBITS_CMD_UNSET;
351  } else if (strcmp(fb_cmd_str,"toggle") == 0) {
352  fb_cmd = DETECT_XBITS_CMD_TOGGLE;
353  } else {
354  SCLogError("xbits action \"%s\" is not supported.", fb_cmd_str);
355  return -1;
356  }
357 
358  switch (fb_cmd) {
360  if (strlen(fb_name) != 0)
361  return -1;
362  /* return ok, cd is NULL. Flag sig. */
363  *cdout = NULL;
364  return 0;
365  }
371  if (strlen(fb_name) == 0)
372  return -1;
373  break;
374  }
375 
376  if (hb_dir == DETECT_XBITS_TRACK_TX) {
377  if (fb_cmd != DETECT_XBITS_CMD_ISSET && fb_cmd != DETECT_XBITS_CMD_SET) {
378  SCLogError("tx xbits only support set and isset");
379  return -1;
380  }
381  }
382 
383  cd = SCMalloc(sizeof(DetectXbitsData));
384  if (unlikely(cd == NULL))
385  return -1;
386 
387  cd->idx = VarNameStoreRegister(fb_name, var_type);
388  cd->cmd = fb_cmd;
389  cd->tracker = hb_dir;
390  cd->type = var_type;
391  cd->expire = expire;
392 
393  SCLogDebug("idx %" PRIu32 ", cmd %s, name %s", cd->idx, fb_cmd_str,
394  strlen(fb_name) ? fb_name : "(none)");
395 
396  *cdout = cd;
397  return 0;
398 }
399 
400 int DetectXbitSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
401 {
402  DetectXbitsData *cd = NULL;
403 
404  int result = DetectXbitParse(de_ctx, rawstr, &cd);
405  if (result < 0) {
406  return -1;
407  } else if (cd == NULL) {
408  /* noalert doesn't use a cd/sm struct. It flags the sig. We're done. */
409  s->action &= ~ACTION_ALERT;
410  return 0;
411  }
412 
413  /* Okay so far so good, lets get this into a SigMatch
414  * and put it in the Signature. */
415  switch (cd->cmd) {
416  /* case DETECT_XBITS_CMD_NOALERT can't happen here */
418  case DETECT_XBITS_CMD_ISSET: {
419  int list = DETECT_SM_LIST_MATCH;
420  if (cd->tracker == DETECT_XBITS_TRACK_TX) {
421  SCLogDebug("tx xbit isset");
423  SCLogError("tx xbits require an explicit rule hook");
424  SCFree(cd);
425  return -1;
426  }
427  list = s->init_data->hook.sm_list;
428  SCLogDebug("setting list %d", list);
429 
430  if (list == -1) {
431  SCLogError("tx xbits failed to set up"); // TODO how would we get here?
432  SCFree(cd);
433  return -1;
434  }
435  }
436 
437  SCLogDebug("adding match/txmatch");
438  /* checks, so packet list */
439  if (SigMatchAppendSMToList(de_ctx, s, DETECT_XBITS, (SigMatchCtx *)cd, list) == NULL) {
440  SCFree(cd);
441  return -1;
442  }
443  break;
444  }
445  // all other cases
446  // DETECT_XBITS_CMD_SET, DETECT_XBITS_CMD_UNSET, DETECT_XBITS_CMD_TOGGLE:
447  default:
448  SCLogDebug("adding post-match");
449  /* modifiers, only run when entire sig has matched */
451  DETECT_SM_LIST_POSTMATCH) == NULL) {
452  SCFree(cd);
453  return -1;
454  }
455  break;
456  }
457 
458  return 0;
459 }
460 
461 static void DetectXbitFree (DetectEngineCtx *de_ctx, void *ptr)
462 {
463  DetectXbitsData *fd = (DetectXbitsData *)ptr;
464 
465  if (fd == NULL)
466  return;
467  VarNameStoreUnregister(fd->idx, fd->type);
468 
469  SCFree(fd);
470 }
471 
472 #ifdef UNITTESTS
473 
474 static void XBitsTestSetup(void)
475 {
476  StorageInit();
477  HostBitInitCtx();
479  StorageFinalize();
480  HostInitConfig(true);
481  IPPairInitConfig(true);
482 }
483 
484 static void XBitsTestShutdown(void)
485 {
486  HostCleanup();
487  IPPairCleanup();
488  StorageCleanup();
489 }
490 
491 
492 static int XBitsTestParse01(void)
493 {
494  DetectEngineCtx *de_ctx = NULL;
497  de_ctx->flags |= DE_QUIET;
498  DetectXbitsData *cd = NULL;
499 
500 #define BAD_INPUT(str) \
501  FAIL_IF_NOT(DetectXbitParse(de_ctx, (str), &cd) == -1);
502 
503  BAD_INPUT("alert");
504  BAD_INPUT("n0alert");
505  BAD_INPUT("nOalert");
506  BAD_INPUT("set,abc,track nonsense, expire 3600");
507  BAD_INPUT("set,abc,track ip_source, expire 3600");
508  BAD_INPUT("set,abc,track ip_src, expire -1");
509  BAD_INPUT("set,abc,track ip_src, expire 0");
510 
511 #undef BAD_INPUT
512 
513 #define GOOD_INPUT(str, command, trk, typ, exp) \
514  FAIL_IF_NOT(DetectXbitParse(de_ctx, (str), &cd) == 0); \
515  FAIL_IF_NULL(cd); \
516  FAIL_IF_NOT(cd->cmd == (command)); \
517  FAIL_IF_NOT(cd->tracker == (trk)); \
518  FAIL_IF_NOT(cd->type == (typ)); \
519  FAIL_IF_NOT(cd->expire == (exp)); \
520  DetectXbitFree(NULL, cd); \
521  cd = NULL;
522 
523  GOOD_INPUT("set,abc,track ip_pair",
527  GOOD_INPUT("set,abc,track ip_pair, expire 3600",
530  3600);
531  GOOD_INPUT("set,abc,track ip_src, expire 1234",
534  1234);
535 
536 #undef GOOD_INPUT
537 
539  PASS;
540 }
541 
542 /**
543  * \test
544  */
545 
546 static int XBitsTestSig01(void)
547 {
548  uint8_t *buf = (uint8_t *)
549  "GET /one/ HTTP/1.1\r\n"
550  "Host: one.example.org\r\n"
551  "\r\n";
552  uint16_t buflen = strlen((char *)buf);
553  Packet *p = PacketGetFromAlloc();
554  FAIL_IF_NULL(p);
555  Signature *s = NULL;
556  ThreadVars th_v;
557  DetectEngineThreadCtx *det_ctx = NULL;
558  DetectEngineCtx *de_ctx = NULL;
559 
560  memset(&th_v, 0, sizeof(th_v));
561  p->src.family = AF_INET;
562  p->dst.family = AF_INET;
563  p->payload = buf;
564  p->payload_len = buflen;
565  p->proto = IPPROTO_TCP;
566 
567  XBitsTestSetup();
568 
571  de_ctx->flags |= DE_QUIET;
572 
574  "alert ip any any -> any any (xbits:set,abc,track ip_pair; content:\"GET \"; sid:1;)");
575  FAIL_IF_NULL(s);
576 
578  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
579  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
580  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
582  XBitsTestShutdown();
583  SCFree(p);
584  StatsThreadCleanup(&th_v);
586  PASS;
587 }
588 
589 /**
590  * \test various options
591  *
592  * \retval 1 on success
593  * \retval 0 on failure
594  */
595 
596 static int XBitsTestSig02(void)
597 {
598  Signature *s = NULL;
599  DetectEngineCtx *de_ctx = NULL;
602  de_ctx->flags |= DE_QUIET;
603 
605  "alert ip any any -> any any (xbits:isset,abc,track ip_src; content:\"GET \"; sid:1;)");
606  FAIL_IF_NULL(s);
607 
609  "alert ip any any -> any any (xbits:isnotset,abc,track ip_dst; content:\"GET \"; sid:2;)");
610  FAIL_IF_NULL(s);
611 
613  "alert ip any any -> any any (xbits:set,abc,track ip_pair; content:\"GET \"; sid:3;)");
614  FAIL_IF_NULL(s);
615 
617  "alert ip any any -> any any (xbits:unset,abc,track ip_src; content:\"GET \"; sid:4;)");
618  FAIL_IF_NULL(s);
619 
621  "alert ip any any -> any any (xbits:toggle,abc,track ip_dst; content:\"GET \"; sid:5;)");
622  FAIL_IF_NULL(s);
623 
625  "alert ip any any -> any any (xbits:!set,abc,track ip_dst; content:\"GET \"; sid:6;)");
626  FAIL_IF_NOT_NULL(s);
627 
629  PASS;
630 }
631 
632 /**
633  * \brief this function registers unit tests for XBits
634  */
635 static void XBitsRegisterTests(void)
636 {
637  UtRegisterTest("XBitsTestParse01", XBitsTestParse01);
638  UtRegisterTest("XBitsTestSig01", XBitsTestSig01);
639  UtRegisterTest("XBitsTestSig02", XBitsTestSig02);
640 }
641 #endif /* UNITTESTS */
IPPairBitUnset
void IPPairBitUnset(IPPair *h, uint32_t idx)
Definition: ippair-bit.c:139
util-byte.h
StatsReleaseResources
void StatsReleaseResources(void)
Releases the resources allotted by the Stats API.
Definition: counters.c:1263
tx-bit.h
SigTableElmt_::url
const char * url
Definition: detect.h:1405
Packet_::proto
uint8_t proto
Definition: decode.h:506
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
DetectXbitsRegister
void DetectXbitsRegister(void)
Definition: detect-xbits.c:73
IPPairInitConfig
void IPPairInitConfig(bool quiet)
initialize the configuration
Definition: ippair.c:162
SigTableElmt_::desc
const char * desc
Definition: detect.h:1404
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:155
DetectXbitsData_::expire
uint32_t expire
Definition: detect-xbits.h:45
StorageInit
void StorageInit(void)
Definition: util-storage.c:70
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1392
SignatureHook_::sm_list
int sm_list
Definition: detect.h:574
flow-util.h
DetectParseRegex
Definition: detect-parse.h:62
IPPairRelease
void IPPairRelease(IPPair *h)
Definition: ippair.c:502
SigTableElmt_::name
const char * name
Definition: detect.h:1402
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
Flow_::proto
uint8_t proto
Definition: flow.h:378
Packet_::payload
uint8_t * payload
Definition: decode.h:588
DetectEngineThreadCtx_::tx_id
uint64_t tx_id
Definition: detect.h:1269
action-globals.h
ippair-bit.h
threads.h
Flow_
Flow data structure.
Definition: flow.h:356
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1396
ctx
struct Thresholds ctx
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:920
DetectXbitsData_::cmd
uint8_t cmd
Definition: detect-xbits.h:43
IPPairBitSet
void IPPairBitSet(IPPair *h, uint32_t idx, uint32_t expire)
Definition: ippair-bit.c:131
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2799
StorageCleanup
void StorageCleanup(void)
Definition: util-storage.c:78
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1373
flow-bit.h
util-var-name.h
DETECT_XBITS_TRACK_IPDST
#define DETECT_XBITS_TRACK_IPDST
Definition: detect-xbits.h:35
DE_QUIET
#define DE_QUIET
Definition: detect.h:329
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:2319
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
Definition: detect-parse.c:3398
VarNameStoreRegister
uint32_t VarNameStoreRegister(const char *name, const enum VarTypes type)
Definition: util-var-name.c:155
SIGMATCH_SUPPORT_FIREWALL
#define SIGMATCH_SUPPORT_FIREWALL
Definition: detect.h:1622
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:3344
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1387
HostBitInitCtx
void HostBitInitCtx(void)
Definition: host-bit.c:49
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:589
DetectXbitsData_
Definition: detect-xbits.h:41
util-unittest.h
VAR_TYPE_NOT_SET
@ VAR_TYPE_NOT_SET
Definition: util-var.h:29
GOOD_INPUT
#define GOOD_INPUT(str, command, trk, typ, exp)
SIGNATURE_HOOK_TYPE_APP
@ SIGNATURE_HOOK_TYPE_APP
Definition: detect.h:560
DETECT_SM_LIST_POSTMATCH
@ DETECT_SM_LIST_POSTMATCH
Definition: detect.h:126
DetectXbitMatchHost
int DetectXbitMatchHost(Packet *p, const DetectXbitsData *xd)
Definition: detect-hostbits.c:248
detect-xbits.h
DETECT_XBITS_CMD_ISNOTSET
#define DETECT_XBITS_CMD_ISNOTSET
Definition: detect-xbits.h:30
DETECT_XBITS_EXPIRE_DEFAULT
#define DETECT_XBITS_EXPIRE_DEFAULT
Definition: detect-xbits.h:39
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
IPPairBitToggle
void IPPairBitToggle(IPPair *h, uint32_t idx, uint32_t expire)
Definition: ippair-bit.c:147
IPPairCleanup
void IPPairCleanup(void)
Cleanup the ippair engine.
Definition: ippair.c:327
DetectEngineThreadCtx_
Definition: detect.h:1197
Packet_::ts
SCTime_t ts
Definition: decode.h:538
TxBitIsset
int TxBitIsset(AppLayerTxData *txd, uint32_t idx)
Definition: tx-bit.c:69
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:3524
HostCleanup
void HostCleanup(void)
Cleanup the host engine.
Definition: host.c:332
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
BAD_INPUT
#define BAD_INPUT(str)
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3525
VarNameStoreUnregister
void VarNameStoreUnregister(const uint32_t id, const enum VarTypes type)
Definition: util-var-name.c:201
DETECT_ENGINE_INSPECT_SIG_MATCH
#define DETECT_ENGINE_INSPECT_SIG_MATCH
Definition: detect-engine-state.h:38
DETECT_XBITS_TRACK_IPPAIR
#define DETECT_XBITS_TRACK_IPPAIR
Definition: detect-xbits.h:36
StringParseUint32
int StringParseUint32(uint32_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:313
IPPairGetIPPairFromHash
IPPair * IPPairGetIPPairFromHash(Address *a, Address *b)
Definition: ippair.c:521
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:116
app-layer-parser.h
DETECT_XBITS
@ DETECT_XBITS
Definition: detect-engine-register.h:64
SignatureInitData_::hook
SignatureHook hook
Definition: detect.h:591
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:309
IPPairBitIsnotset
int IPPairBitIsnotset(IPPair *h, uint32_t idx, uint32_t ts)
Definition: ippair-bit.c:171
Signature_::action
uint8_t action
Definition: detect.h:684
DetectXbitsData_::type
enum VarTypes type
Definition: detect-xbits.h:47
ACTION_ALERT
#define ACTION_ALERT
Definition: action-globals.h:29
Packet_
Definition: decode.h:484
detect-engine-build.h
StorageFinalize
int StorageFinalize(void)
Definition: util-storage.c:140
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:748
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1370
AppLayerParserGetTx
void * AppLayerParserGetTx(uint8_t ipproto, AppProto alproto, void *alstate, uint64_t tx_id)
Definition: app-layer-parser.c:1118
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2129
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:351
DETECT_XBITS_TRACK_TX
#define DETECT_XBITS_TRACK_TX
Definition: detect-xbits.h:37
AppLayerTxData
struct AppLayerTxData AppLayerTxData
Definition: detect.h:1466
Packet_::flow
struct Flow_ * flow
Definition: decode.h:529
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
IPPair_
Definition: ippair.h:58
SignatureHook_::type
enum SignatureHookType type
Definition: detect.h:573
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3751
util-spm.h
SCTIME_SECS
#define SCTIME_SECS(t)
Definition: util-time.h:57
DetectXbitsData_::idx
uint32_t idx
Definition: detect-xbits.h:42
AppLayerParserGetTxData
AppLayerTxData * AppLayerParserGetTxData(uint8_t ipproto, AppProto alproto, void *tx)
Definition: app-layer-parser.c:1192
DETECT_ENGINE_INSPECT_SIG_NO_MATCH
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
Definition: detect-engine-state.h:37
detect-hostbits.h
VAR_TYPE_HOST_BIT
@ VAR_TYPE_HOST_BIT
Definition: util-var.h:40
IPPairBitInitCtx
void IPPairBitInitCtx(void)
Definition: ippair-bit.c:49
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:232
detect-engine-sigorder.h
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
TxBitSet
int TxBitSet(AppLayerTxData *txd, uint32_t idx)
Definition: tx-bit.c:80
DetectXbitsData_::tracker
uint8_t tracker
Definition: detect-xbits.h:44
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Flow_::alstate
void * alstate
Definition: flow.h:479
Signature_::id
uint32_t id
Definition: detect.h:714
DETECT_XBITS_TRACK_IPSRC
#define DETECT_XBITS_TRACK_IPSRC
Definition: detect-xbits.h:34
detect-parse.h
Signature_
Signature container.
Definition: detect.h:669
DETECT_XBITS_CMD_NOALERT
#define DETECT_XBITS_CMD_NOALERT
Definition: detect-xbits.h:32
DETECT_XBITS_CMD_ISSET
#define DETECT_XBITS_CMD_ISSET
Definition: detect-xbits.h:31
DetectEngineThreadCtx_::tx_id_set
bool tx_id_set
Definition: detect.h:1267
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2760
VarTypes
VarTypes
Definition: util-var.h:28
Address_::family
char family
Definition: decode.h:113
Packet_::dst
Address dst
Definition: decode.h:489
IPPairLookupIPPairFromHash
IPPair * IPPairLookupIPPairFromHash(Address *a, Address *b)
look up a ippair in the hash
Definition: ippair.c:620
VAR_TYPE_TX_BIT
@ VAR_TYPE_TX_BIT
Definition: util-var.h:48
HostInitConfig
void HostInitConfig(bool quiet)
initialize the configuration
Definition: host.c:168
IPPairBitIsset
int IPPairBitIsset(IPPair *h, uint32_t idx, uint32_t ts)
Definition: ippair-bit.c:157
DETECT_XBITS_CMD_SET
#define DETECT_XBITS_CMD_SET
Definition: detect-xbits.h:27
SigMatchAppendSMToList
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:464
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:922
DETECT_XBITS_CMD_TOGGLE
#define DETECT_XBITS_CMD_TOGGLE
Definition: detect-xbits.h:28
flow.h
DETECT_XBITS_CMD_UNSET
#define DETECT_XBITS_CMD_UNSET
Definition: detect-xbits.h:29
VAR_TYPE_IPPAIR_BIT
@ VAR_TYPE_IPPAIR_BIT
Definition: util-var.h:44
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:450
StatsThreadCleanup
void StatsThreadCleanup(ThreadVars *tv)
Definition: counters.c:1304
SIGMATCH_IPONLY_COMPAT
#define SIGMATCH_IPONLY_COMPAT
Definition: detect.h:1594
Packet_::src
Address src
Definition: decode.h:488
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-xbits.c:61
host-bit.h
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1394