/* Option grammar for "xbits:". Capture groups, as consumed by the parser below:
 * 1 = command (lowercase word), 2 = bit name (optional group, but the parser
 * rejects an empty name for all commands except noalert), 3 = the mandatory
 * "track <target>" value, 4 = the optional "expire <value>" value. */
58 #define PARSE_REGEX "^([a-z]+)" "(?:,\\s*([^,]+))?" "(?:,\\s*(?:track\\s+([^,]+)))" "(?:,\\s*(?:expire\\s+([^,]+)))?"
64 static void XBitsRegisterTests(
void);
147 return DetectIPPairbitMatchIsset(p,xd);
149 return DetectIPPairbitMatchIsnotset(p,xd);
151 return DetectIPPairbitMatchSet(p,xd);
153 return DetectIPPairbitMatchUnset(p,xd);
155 return DetectIPPairbitMatchToggle(p,xd);
197 int ret = 0, res = 0;
199 char fb_cmd_str[16] =
"", fb_name[256] =
"";
200 char hb_dir_str[16] =
"";
205 if (ret != 2 && ret != 3 && ret != 4 && ret != 5) {
206 SCLogError(
"\"%s\" is not a valid setting for xbits.", rawstr);
210 pcre2len =
sizeof(fb_cmd_str);
211 res = pcre2_substring_copy_bynumber(
212 parse_regex.
match, 1, (PCRE2_UCHAR8 *)fb_cmd_str, &pcre2len);
214 SCLogError(
"pcre2_substring_copy_bynumber failed");
219 pcre2len =
sizeof(fb_name);
220 res = pcre2_substring_copy_bynumber(
221 parse_regex.
match, 2, (PCRE2_UCHAR8 *)fb_name, &pcre2len);
223 SCLogError(
"pcre2_substring_copy_bynumber failed");
227 pcre2len =
sizeof(hb_dir_str);
228 res = pcre2_substring_copy_bynumber(
229 parse_regex.
match, 3, (PCRE2_UCHAR8 *)hb_dir_str, &pcre2len);
231 SCLogError(
"pcre2_substring_copy_bynumber failed");
235 if (strlen(hb_dir_str) > 0) {
236 if (strcmp(hb_dir_str,
"ip_src") == 0) {
239 }
else if (strcmp(hb_dir_str,
"ip_dst") == 0) {
242 }
else if (strcmp(hb_dir_str,
"ip_pair") == 0) {
252 char expire_str[16] =
"";
253 pcre2len =
sizeof(expire_str);
254 res = pcre2_substring_copy_bynumber(
255 parse_regex.
match, 4, (PCRE2_UCHAR8 *)expire_str, &pcre2len);
257 SCLogError(
"pcre2_substring_copy_bynumber failed");
276 if (strcmp(fb_cmd_str,
"noalert") == 0) {
278 }
else if (strcmp(fb_cmd_str,
"isset") == 0) {
280 }
else if (strcmp(fb_cmd_str,
"isnotset") == 0) {
282 }
else if (strcmp(fb_cmd_str,
"set") == 0) {
284 }
else if (strcmp(fb_cmd_str,
"unset") == 0) {
286 }
else if (strcmp(fb_cmd_str,
"toggle") == 0) {
289 SCLogError(
"xbits action \"%s\" is not supported.", fb_cmd_str);
295 if (strlen(fb_name) != 0)
306 if (strlen(fb_name) == 0)
321 SCLogDebug(
"idx %" PRIu32
", cmd %s, name %s",
322 cd->
idx, fb_cmd_str, strlen(fb_name) ? fb_name :
"(none)");
333 int result = DetectXbitParse(
de_ctx, rawstr, &cd);
337 }
else if (result == 0 && cd == NULL) {
349 sm->
ctx = (
void *)cd;
388 static void XBitsTestSetup(
void)
398 static void XBitsTestShutdown(
void)
406 static int XBitsTestParse01(
void)
414 #define BAD_INPUT(str) \
415 FAIL_IF_NOT(DetectXbitParse(de_ctx, (str), &cd) == -1);
420 BAD_INPUT(
"set,abc,track nonsense, expire 3600");
421 BAD_INPUT(
"set,abc,track ip_source, expire 3600");
422 BAD_INPUT(
"set,abc,track ip_src, expire -1");
423 BAD_INPUT(
"set,abc,track ip_src, expire 0");
427 #define GOOD_INPUT(str, command, trk, typ, exp) \
428 FAIL_IF_NOT(DetectXbitParse(de_ctx, (str), &cd) == 0); \
430 FAIL_IF_NOT(cd->cmd == (command)); \
431 FAIL_IF_NOT(cd->tracker == (trk)); \
432 FAIL_IF_NOT(cd->type == (typ)); \
433 FAIL_IF_NOT(cd->expire == (exp)); \
434 DetectXbitFree(NULL, cd); \
441 GOOD_INPUT(
"set,abc,track ip_pair, expire 3600",
445 GOOD_INPUT(
"set,abc,track ip_src, expire 1234",
460 static int XBitsTestSig01(
void)
462 uint8_t *buf = (uint8_t *)
463 "GET /one/ HTTP/1.1\r\n"
464 "Host: one.example.org\r\n"
466 uint16_t buflen = strlen((
char *)buf);
474 memset(&th_v, 0,
sizeof(th_v));
479 p->
proto = IPPROTO_TCP;
488 "alert ip any any -> any any (xbits:set,abc,track ip_pair; content:\"GET \"; sid:1;)");
510 static int XBitsTestSig02(
void)
519 "alert ip any any -> any any (xbits:isset,abc,track ip_src; content:\"GET \"; sid:1;)");
523 "alert ip any any -> any any (xbits:isnotset,abc,track ip_dst; content:\"GET \"; sid:2;)");
527 "alert ip any any -> any any (xbits:set,abc,track ip_pair; content:\"GET \"; sid:3;)");
531 "alert ip any any -> any any (xbits:unset,abc,track ip_src; content:\"GET \"; sid:4;)");
535 "alert ip any any -> any any (xbits:toggle,abc,track ip_dst; content:\"GET \"; sid:5;)");
539 "alert ip any any -> any any (xbits:!set,abc,track ip_dst; content:\"GET \"; sid:6;)");
549 static void XBitsRegisterTests(
void)
void IPPairBitUnset(IPPair *h, uint32_t idx)
void StatsReleaseResources(void)
Releases the resources allotted by the Stats API.
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
void DetectXbitsRegister(void)
void IPPairInitConfig(bool quiet)
initialize the configuration
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options)
void(* Free)(DetectEngineCtx *, void *)
void IPPairRelease(IPPair *h)
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
main detection engine ctx
void IPPairBitSet(IPPair *h, uint32_t idx, uint32_t expire)
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
void StorageCleanup(void)
#define DETECT_XBITS_TRACK_IPDST
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
void HostBitInitCtx(void)
#define GOOD_INPUT(str, command, trk, typ, exp)
@ DETECT_SM_LIST_POSTMATCH
int DetectXbitMatchHost(Packet *p, const DetectXbitsData *xd)
#define DETECT_XBITS_CMD_ISNOTSET
#define DETECT_XBITS_EXPIRE_DEFAULT
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
#define PASS
Pass the test.
void IPPairBitToggle(IPPair *h, uint32_t idx, uint32_t expire)
void IPPairCleanup(void)
Cleanup the ippair engine.
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
void HostCleanup(void)
Cleanup the host engine.
Per thread variable structure.
#define DETECT_XBITS_TRACK_IPPAIR
int StringParseUint32(uint32_t *res, int base, size_t len, const char *str)
IPPair * IPPairGetIPPairFromHash(Address *a, Address *b)
int IPPairBitIsnotset(IPPair *h, uint32_t idx, uint32_t ts)
int StorageFinalize(void)
Data structures and function prototypes for keeping state for the detection engine.
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
SigMatch * SigMatchAlloc(void)
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Used to start a pointer to SigMatch context. Should never be dereferenced without casting to something...
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
uint32_t VarNameStoreSetupAdd(const char *name, const enum VarTypes type)
add to staging or return existing id if already in there
void IPPairBitInitCtx(void)
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
#define SCLogError(...)
Macro used to log ERROR messages.
#define DETECT_XBITS_TRACK_IPSRC
a single match condition for a signature
#define DETECT_XBITS_CMD_NOALERT
#define DETECT_XBITS_CMD_ISSET
DetectEngineCtx * DetectEngineCtxInit(void)
IPPair * IPPairLookupIPPairFromHash(Address *a, Address *b)
look up an ippair in the hash
void HostInitConfig(bool quiet)
initialize the configuration
int IPPairBitIsset(IPPair *h, uint32_t idx, uint32_t ts)
#define DETECT_XBITS_CMD_SET
#define DETECT_XBITS_CMD_TOGGLE
#define DETECT_XBITS_CMD_UNSET
void StatsThreadCleanup(ThreadVars *tv)
#define SIGMATCH_IPONLY_COMPAT
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
void(* RegisterTests)(void)