61 #define PARSE_REGEX "^([a-z]+)" "(?:,\\s*([^,]+))?" "(?:,\\s*(?:track\\s+([^,]+)))" "(?:,\\s*(?:expire\\s+([^,]+)))?"
69 static void XBitsRegisterTests(
void);
153 return DetectIPPairbitMatchIsset(p,xd);
155 return DetectIPPairbitMatchIsnotset(p,xd);
157 return DetectIPPairbitMatchSet(p,xd);
159 return DetectIPPairbitMatchUnset(p,xd);
161 return DetectIPPairbitMatchToggle(p,xd);
166 static int DetectXbitPostMatchTx(
185 SCLogDebug(
"sid %u: post-match SET for bit %u on tx:%" PRIu64
", txd:%p", s->
id, xd->
idx,
186 det_ctx->
tx_id, txd);
212 return DetectXbitPostMatchTx(det_ctx, p, s, fd);
231 SCLogDebug(
"sid:%u: tx:%" PRIu64
", txd->txbits:%p", s->
id, det_ctx->
tx_id, txd->txbits);
252 char fb_cmd_str[16] =
"", fb_name[256] =
"";
253 char hb_dir_str[16] =
"";
257 pcre2_match_data *match = NULL;
259 if (ret != 2 && ret != 3 && ret != 4 && ret != 5) {
260 SCLogError(
"\"%s\" is not a valid setting for xbits.", rawstr);
262 pcre2_match_data_free(match);
267 pcre2len =
sizeof(fb_cmd_str);
268 int res = pcre2_substring_copy_bynumber(match, 1, (PCRE2_UCHAR8 *)fb_cmd_str, &pcre2len);
270 SCLogError(
"pcre2_substring_copy_bynumber failed");
271 pcre2_match_data_free(match);
276 pcre2len =
sizeof(fb_name);
277 res = pcre2_substring_copy_bynumber(match, 2, (PCRE2_UCHAR8 *)fb_name, &pcre2len);
279 SCLogError(
"pcre2_substring_copy_bynumber failed");
280 pcre2_match_data_free(match);
284 pcre2len =
sizeof(hb_dir_str);
285 res = pcre2_substring_copy_bynumber(match, 3, (PCRE2_UCHAR8 *)hb_dir_str, &pcre2len);
287 SCLogError(
"pcre2_substring_copy_bynumber failed");
288 pcre2_match_data_free(match);
292 if (strlen(hb_dir_str) > 0) {
293 if (strcmp(hb_dir_str,
"ip_src") == 0) {
296 }
else if (strcmp(hb_dir_str,
"ip_dst") == 0) {
299 }
else if (strcmp(hb_dir_str,
"ip_pair") == 0) {
302 }
else if (strcmp(hb_dir_str,
"tx") == 0) {
307 pcre2_match_data_free(match);
313 char expire_str[16] =
"";
314 pcre2len =
sizeof(expire_str);
315 res = pcre2_substring_copy_bynumber(
316 match, 4, (PCRE2_UCHAR8 *)expire_str, &pcre2len);
318 SCLogError(
"pcre2_substring_copy_bynumber failed");
319 pcre2_match_data_free(match);
327 pcre2_match_data_free(match);
332 pcre2_match_data_free(match);
340 pcre2_match_data_free(match);
341 if (strcmp(fb_cmd_str,
"noalert") == 0) {
343 }
else if (strcmp(fb_cmd_str,
"isset") == 0) {
345 }
else if (strcmp(fb_cmd_str,
"isnotset") == 0) {
347 }
else if (strcmp(fb_cmd_str,
"set") == 0) {
349 }
else if (strcmp(fb_cmd_str,
"unset") == 0) {
351 }
else if (strcmp(fb_cmd_str,
"toggle") == 0) {
354 SCLogError(
"xbits action \"%s\" is not supported.", fb_cmd_str);
360 if (strlen(fb_name) != 0)
371 if (strlen(fb_name) == 0)
378 SCLogError(
"tx xbits only support set and isset");
393 SCLogDebug(
"idx %" PRIu32
", cmd %s, name %s", cd->
idx, fb_cmd_str,
394 strlen(fb_name) ? fb_name :
"(none)");
404 int result = DetectXbitParse(
de_ctx, rawstr, &cd);
407 }
else if (cd == NULL) {
423 SCLogError(
"tx xbits require an explicit rule hook");
474 static void XBitsTestSetup(
void)
484 static void XBitsTestShutdown(
void)
492 static int XBitsTestParse01(
void)
500 #define BAD_INPUT(str) \
501 FAIL_IF_NOT(DetectXbitParse(de_ctx, (str), &cd) == -1);
506 BAD_INPUT(
"set,abc,track nonsense, expire 3600");
507 BAD_INPUT(
"set,abc,track ip_source, expire 3600");
508 BAD_INPUT(
"set,abc,track ip_src, expire -1");
509 BAD_INPUT(
"set,abc,track ip_src, expire 0");
513 #define GOOD_INPUT(str, command, trk, typ, exp) \
514 FAIL_IF_NOT(DetectXbitParse(de_ctx, (str), &cd) == 0); \
516 FAIL_IF_NOT(cd->cmd == (command)); \
517 FAIL_IF_NOT(cd->tracker == (trk)); \
518 FAIL_IF_NOT(cd->type == (typ)); \
519 FAIL_IF_NOT(cd->expire == (exp)); \
520 DetectXbitFree(NULL, cd); \
527 GOOD_INPUT(
"set,abc,track ip_pair, expire 3600",
531 GOOD_INPUT(
"set,abc,track ip_src, expire 1234",
546 static int XBitsTestSig01(
void)
548 uint8_t *buf = (uint8_t *)
549 "GET /one/ HTTP/1.1\r\n"
550 "Host: one.example.org\r\n"
552 uint16_t buflen = strlen((
char *)buf);
560 memset(&th_v, 0,
sizeof(th_v));
565 p->
proto = IPPROTO_TCP;
574 "alert ip any any -> any any (xbits:set,abc,track ip_pair; content:\"GET \"; sid:1;)");
596 static int XBitsTestSig02(
void)
605 "alert ip any any -> any any (xbits:isset,abc,track ip_src; content:\"GET \"; sid:1;)");
609 "alert ip any any -> any any (xbits:isnotset,abc,track ip_dst; content:\"GET \"; sid:2;)");
613 "alert ip any any -> any any (xbits:set,abc,track ip_pair; content:\"GET \"; sid:3;)");
617 "alert ip any any -> any any (xbits:unset,abc,track ip_src; content:\"GET \"; sid:4;)");
621 "alert ip any any -> any any (xbits:toggle,abc,track ip_dst; content:\"GET \"; sid:5;)");
625 "alert ip any any -> any any (xbits:!set,abc,track ip_dst; content:\"GET \"; sid:6;)");
635 static void XBitsRegisterTests(
void)
void IPPairBitUnset(IPPair *h, uint32_t idx)
void StatsReleaseResources(void)
Releases the resources allotted by the Stats API.
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
void DetectXbitsRegister(void)
void IPPairInitConfig(bool quiet)
initialize the configuration
SigTableElmt * sigmatch_table
void(* Free)(DetectEngineCtx *, void *)
void IPPairRelease(IPPair *h)
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
main detection engine ctx
void IPPairBitSet(IPPair *h, uint32_t idx, uint32_t expire)
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx.
void StorageCleanup(void)
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
#define DETECT_XBITS_TRACK_IPDST
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
uint32_t VarNameStoreRegister(const char *name, const enum VarTypes type)
#define SIGMATCH_SUPPORT_FIREWALL
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
void HostBitInitCtx(void)
#define GOOD_INPUT(str, command, trk, typ, exp)
@ SIGNATURE_HOOK_TYPE_APP
@ DETECT_SM_LIST_POSTMATCH
int DetectXbitMatchHost(Packet *p, const DetectXbitsData *xd)
#define DETECT_XBITS_CMD_ISNOTSET
#define DETECT_XBITS_EXPIRE_DEFAULT
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
#define PASS
Pass the test.
void IPPairBitToggle(IPPair *h, uint32_t idx, uint32_t expire)
void IPPairCleanup(void)
Cleanup the ippair engine.
int TxBitIsset(AppLayerTxData *txd, uint32_t idx)
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
void HostCleanup(void)
Cleanup the host engine.
Per thread variable structure.
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
void VarNameStoreUnregister(const uint32_t id, const enum VarTypes type)
#define DETECT_ENGINE_INSPECT_SIG_MATCH
#define DETECT_XBITS_TRACK_IPPAIR
int StringParseUint32(uint32_t *res, int base, size_t len, const char *str)
IPPair * IPPairGetIPPairFromHash(Address *a, Address *b)
int IPPairBitIsnotset(IPPair *h, uint32_t idx, uint32_t ts)
int StorageFinalize(void)
SignatureInitData * init_data
Data structures and function prototypes for keeping state for the detection engine.
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
void * AppLayerParserGetTx(uint8_t ipproto, AppProto alproto, void *alstate, uint64_t tx_id)
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Used to start a pointer to a SigMatch context. Should never be dereferenced without casting to something...
#define DETECT_XBITS_TRACK_TX
struct AppLayerTxData AppLayerTxData
enum SignatureHookType type
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
AppLayerTxData * AppLayerParserGetTxData(uint8_t ipproto, AppProto alproto, void *tx)
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
void IPPairBitInitCtx(void)
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
int TxBitSet(AppLayerTxData *txd, uint32_t idx)
#define SCLogError(...)
Macro used to log ERROR messages.
#define DETECT_XBITS_TRACK_IPSRC
#define DETECT_XBITS_CMD_NOALERT
#define DETECT_XBITS_CMD_ISSET
DetectEngineCtx * DetectEngineCtxInit(void)
IPPair * IPPairLookupIPPairFromHash(Address *a, Address *b)
look up an ippair in the hash
void HostInitConfig(bool quiet)
initialize the configuration
int IPPairBitIsset(IPPair *h, uint32_t idx, uint32_t ts)
#define DETECT_XBITS_CMD_SET
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
#define DETECT_XBITS_CMD_TOGGLE
#define DETECT_XBITS_CMD_UNSET
AppProto alproto
application level protocol
void StatsThreadCleanup(ThreadVars *tv)
#define SIGMATCH_IPONLY_COMPAT
void(* RegisterTests)(void)