suricata
detect-xbits.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Implements the xbits keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 #include "detect.h"
29 #include "threads.h"
30 #include "flow.h"
31 #include "flow-util.h"
32 #include "detect-xbits.h"
33 #include "detect-hostbits.h"
34 #include "util-spm.h"
35 #include "util-byte.h"
36 
37 #include "detect-engine-sigorder.h"
38 
39 #include "app-layer-parser.h"
40 
41 #include "detect-parse.h"
42 #include "detect-engine.h"
43 #include "detect-engine-mpm.h"
44 #include "detect-engine-state.h"
45 
46 #include "flow-bit.h"
47 #include "host-bit.h"
48 #include "ippair-bit.h"
49 #include "util-var-name.h"
50 #include "util-unittest.h"
51 #include "util-debug.h"
52 
53 /*
54  xbits:set,bitname,track ip_pair,expire 60
55  */
56 
57 #define PARSE_REGEX "^([a-z]+)" "(?:,\\s*([^,]+))?" "(?:,\\s*(?:track\\s+([^,]+)))" "(?:,\\s*(?:expire\\s+([^,]+)))?"
58 static DetectParseRegex parse_regex;
59 
60 static int DetectXbitMatch (DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *);
61 static int DetectXbitSetup (DetectEngineCtx *, Signature *, const char *);
62 #ifdef UNITTESTS
63 static void XBitsRegisterTests(void);
64 #endif
65 static void DetectXbitFree (DetectEngineCtx *, void *);
66 
68 {
69  sigmatch_table[DETECT_XBITS].name = "xbits";
70  sigmatch_table[DETECT_XBITS].desc = "operate on bits";
71  sigmatch_table[DETECT_XBITS].url = "/rules/xbits.html";
72  sigmatch_table[DETECT_XBITS].Match = DetectXbitMatch;
73  sigmatch_table[DETECT_XBITS].Setup = DetectXbitSetup;
74  sigmatch_table[DETECT_XBITS].Free = DetectXbitFree;
75 #ifdef UNITTESTS
76  sigmatch_table[DETECT_XBITS].RegisterTests = XBitsRegisterTests;
77 #endif
78  /* this is compatible to ip-only signatures */
80 
81  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
82 }
83 
84 static int DetectIPPairbitMatchToggle (Packet *p, const DetectXbitsData *fd)
85 {
86  IPPair *pair = IPPairGetIPPairFromHash(&p->src, &p->dst);
87  if (pair == NULL)
88  return 0;
89 
90  IPPairBitToggle(pair,fd->idx,p->ts.tv_sec + fd->expire);
91  IPPairRelease(pair);
92  return 1;
93 }
94 
95 /* return true even if bit not found */
96 static int DetectIPPairbitMatchUnset (Packet *p, const DetectXbitsData *fd)
97 {
98  IPPair *pair = IPPairLookupIPPairFromHash(&p->src, &p->dst);
99  if (pair == NULL)
100  return 1;
101 
102  IPPairBitUnset(pair,fd->idx);
103  IPPairRelease(pair);
104  return 1;
105 }
106 
107 static int DetectIPPairbitMatchSet (Packet *p, const DetectXbitsData *fd)
108 {
109  IPPair *pair = IPPairGetIPPairFromHash(&p->src, &p->dst);
110  if (pair == NULL)
111  return 0;
112 
113  IPPairBitSet(pair, fd->idx, p->ts.tv_sec + fd->expire);
114  IPPairRelease(pair);
115  return 1;
116 }
117 
118 static int DetectIPPairbitMatchIsset (Packet *p, const DetectXbitsData *fd)
119 {
120  int r = 0;
121  IPPair *pair = IPPairLookupIPPairFromHash(&p->src, &p->dst);
122  if (pair == NULL)
123  return 0;
124 
125  r = IPPairBitIsset(pair,fd->idx,p->ts.tv_sec);
126  IPPairRelease(pair);
127  return r;
128 }
129 
130 static int DetectIPPairbitMatchIsnotset (Packet *p, const DetectXbitsData *fd)
131 {
132  int r = 0;
133  IPPair *pair = IPPairLookupIPPairFromHash(&p->src, &p->dst);
134  if (pair == NULL)
135  return 1;
136 
137  r = IPPairBitIsnotset(pair,fd->idx,p->ts.tv_sec);
138  IPPairRelease(pair);
139  return r;
140 }
141 
142 static int DetectXbitMatchIPPair(Packet *p, const DetectXbitsData *xd)
143 {
144  switch (xd->cmd) {
146  return DetectIPPairbitMatchIsset(p,xd);
148  return DetectIPPairbitMatchIsnotset(p,xd);
150  return DetectIPPairbitMatchSet(p,xd);
152  return DetectIPPairbitMatchUnset(p,xd);
154  return DetectIPPairbitMatchToggle(p,xd);
155  default:
156  SCLogError(SC_ERR_UNKNOWN_VALUE, "unknown cmd %" PRIu32 "", xd->cmd);
157  return 0;
158  }
159  return 0;
160 }
161 
162 /*
163  * returns 0: no match
164  * 1: match
165  * -1: error
166  */
167 
168 static int DetectXbitMatch (DetectEngineThreadCtx *det_ctx, Packet *p, const Signature *s, const SigMatchCtx *ctx)
169 {
170  const DetectXbitsData *fd = (const DetectXbitsData *)ctx;
171  if (fd == NULL)
172  return 0;
173 
174  switch (fd->type) {
175  case VAR_TYPE_HOST_BIT:
176  return DetectXbitMatchHost(p, (const DetectXbitsData *)fd);
177  break;
178  case VAR_TYPE_IPPAIR_BIT:
179  return DetectXbitMatchIPPair(p, (const DetectXbitsData *)fd);
180  break;
181  default:
182  break;
183  }
184  return 0;
185 }
186 
187 /** \internal
188  * \brief parse xbits rule options
189  * \retval 0 ok
190  * \retval -1 bad
191  * \param[out] cdout return DetectXbitsData structure or NULL if noalert
192  */
193 static int DetectXbitParse(DetectEngineCtx *de_ctx,
194  const char *rawstr, DetectXbitsData **cdout)
195 {
196  DetectXbitsData *cd = NULL;
197  uint8_t fb_cmd = 0;
198  uint8_t hb_dir = 0;
199  int ret = 0, res = 0;
200  int ov[MAX_SUBSTRINGS];
201  char fb_cmd_str[16] = "", fb_name[256] = "";
202  char hb_dir_str[16] = "";
203  enum VarTypes var_type = VAR_TYPE_NOT_SET;
204  uint32_t expire = DETECT_XBITS_EXPIRE_DEFAULT;
205 
206  ret = DetectParsePcreExec(&parse_regex, rawstr, 0, 0, ov, MAX_SUBSTRINGS);
207  if (ret != 2 && ret != 3 && ret != 4 && ret != 5) {
208  SCLogError(SC_ERR_PCRE_MATCH, "\"%s\" is not a valid setting for xbits.", rawstr);
209  return -1;
210  }
211  SCLogDebug("ret %d, %s", ret, rawstr);
212  res = pcre_copy_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 1, fb_cmd_str, sizeof(fb_cmd_str));
213  if (res < 0) {
214  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
215  return -1;
216  }
217 
218  if (ret >= 3) {
219  res = pcre_copy_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 2, fb_name, sizeof(fb_name));
220  if (res < 0) {
221  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
222  return -1;
223  }
224  if (ret >= 4) {
225  res = pcre_copy_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 3, hb_dir_str, sizeof(hb_dir_str));
226  if (res < 0) {
227  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
228  return -1;
229  }
230  SCLogDebug("hb_dir_str %s", hb_dir_str);
231  if (strlen(hb_dir_str) > 0) {
232  if (strcmp(hb_dir_str, "ip_src") == 0) {
233  hb_dir = DETECT_XBITS_TRACK_IPSRC;
234  var_type = VAR_TYPE_HOST_BIT;
235  } else if (strcmp(hb_dir_str, "ip_dst") == 0) {
236  hb_dir = DETECT_XBITS_TRACK_IPDST;
237  var_type = VAR_TYPE_HOST_BIT;
238  } else if (strcmp(hb_dir_str, "ip_pair") == 0) {
239  hb_dir = DETECT_XBITS_TRACK_IPPAIR;
240  var_type = VAR_TYPE_IPPAIR_BIT;
241  } else {
242  // TODO
243  return -1;
244  }
245  }
246 
247  if (ret >= 5) {
248  char expire_str[16] = "";
249  res = pcre_copy_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 4, expire_str, sizeof(expire_str));
250  if (res < 0) {
251  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
252  return -1;
253  }
254  SCLogDebug("expire_str %s", expire_str);
255  if (StringParseUint32(&expire, 10, 0, (const char *)expire_str) < 0) {
256  SCLogError(SC_ERR_INVALID_VALUE, "Invalid value for "
257  "expire: \"%s\"", expire_str);
258  return -1;
259  }
260  if (expire == 0) {
261  SCLogError(SC_ERR_INVALID_VALUE, "expire must be bigger than 0");
262  return -1;
263  }
264  SCLogDebug("expire %d", expire);
265  }
266  }
267  }
268 
269  if (strcmp(fb_cmd_str,"noalert") == 0) {
270  fb_cmd = DETECT_XBITS_CMD_NOALERT;
271  } else if (strcmp(fb_cmd_str,"isset") == 0) {
272  fb_cmd = DETECT_XBITS_CMD_ISSET;
273  } else if (strcmp(fb_cmd_str,"isnotset") == 0) {
274  fb_cmd = DETECT_XBITS_CMD_ISNOTSET;
275  } else if (strcmp(fb_cmd_str,"set") == 0) {
276  fb_cmd = DETECT_XBITS_CMD_SET;
277  } else if (strcmp(fb_cmd_str,"unset") == 0) {
278  fb_cmd = DETECT_XBITS_CMD_UNSET;
279  } else if (strcmp(fb_cmd_str,"toggle") == 0) {
280  fb_cmd = DETECT_XBITS_CMD_TOGGLE;
281  } else {
282  SCLogError(SC_ERR_UNKNOWN_VALUE, "xbits action \"%s\" is not supported.", fb_cmd_str);
283  return -1;
284  }
285 
286  switch (fb_cmd) {
288  if (strlen(fb_name) != 0)
289  return -1;
290  /* return ok, cd is NULL. Flag sig. */
291  *cdout = NULL;
292  return 0;
293  }
299  default:
300  if (strlen(fb_name) == 0)
301  return -1;
302  break;
303  }
304 
305  cd = SCMalloc(sizeof(DetectXbitsData));
306  if (unlikely(cd == NULL))
307  return -1;
308 
309  cd->idx = VarNameStoreSetupAdd(fb_name, var_type);
310  cd->cmd = fb_cmd;
311  cd->tracker = hb_dir;
312  cd->type = var_type;
313  cd->expire = expire;
314 
315  SCLogDebug("idx %" PRIu32 ", cmd %s, name %s",
316  cd->idx, fb_cmd_str, strlen(fb_name) ? fb_name : "(none)");
317 
318  *cdout = cd;
319  return 0;
320 }
321 
322 int DetectXbitSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
323 {
324  SigMatch *sm = NULL;
325  DetectXbitsData *cd = NULL;
326 
327  int result = DetectXbitParse(de_ctx, rawstr, &cd);
328  if (result < 0) {
329  return -1;
330  /* noalert doesn't use a cd/sm struct. It flags the sig. We're done. */
331  } else if (result == 0 && cd == NULL) {
332  s->flags |= SIG_FLAG_NOALERT;
333  return 0;
334  }
335 
336  /* Okay so far so good, lets get this into a SigMatch
337  * and put it in the Signature. */
338  sm = SigMatchAlloc();
339  if (sm == NULL)
340  goto error;
341 
342  sm->type = DETECT_XBITS;
343  sm->ctx = (void *)cd;
344 
345  switch (cd->cmd) {
346  /* case DETECT_XBITS_CMD_NOALERT can't happen here */
347 
350  /* checks, so packet list */
352  break;
353 
357  /* modifiers, only run when entire sig has matched */
359  break;
360  }
361 
362  return 0;
363 
364 error:
365  if (cd != NULL)
366  SCFree(cd);
367  return -1;
368 }
369 
370 static void DetectXbitFree (DetectEngineCtx *de_ctx, void *ptr)
371 {
372  DetectXbitsData *fd = (DetectXbitsData *)ptr;
373 
374  if (fd == NULL)
375  return;
376 
377  SCFree(fd);
378 }
379 
380 #ifdef UNITTESTS
381 
382 static void XBitsTestSetup(void)
383 {
384  StorageInit();
385  HostBitInitCtx();
387  StorageFinalize();
390 }
391 
392 static void XBitsTestShutdown(void)
393 {
394  HostCleanup();
395  IPPairCleanup();
396  StorageCleanup();
397 }
398 
399 
400 static int XBitsTestParse01(void)
401 {
402  DetectEngineCtx *de_ctx = NULL;
405  de_ctx->flags |= DE_QUIET;
406  DetectXbitsData *cd = NULL;
407 
408 #define BAD_INPUT(str) \
409  FAIL_IF_NOT(DetectXbitParse(de_ctx, (str), &cd) == -1);
410 
411  BAD_INPUT("alert");
412  BAD_INPUT("n0alert");
413  BAD_INPUT("nOalert");
414  BAD_INPUT("set,abc,track nonsense, expire 3600");
415  BAD_INPUT("set,abc,track ip_source, expire 3600");
416  BAD_INPUT("set,abc,track ip_src, expire -1");
417  BAD_INPUT("set,abc,track ip_src, expire 0");
418 
419 #undef BAD_INPUT
420 
421 #define GOOD_INPUT(str, command, trk, typ, exp) \
422  FAIL_IF_NOT(DetectXbitParse(de_ctx, (str), &cd) == 0); \
423  FAIL_IF_NULL(cd); \
424  FAIL_IF_NOT(cd->cmd == (command)); \
425  FAIL_IF_NOT(cd->tracker == (trk)); \
426  FAIL_IF_NOT(cd->type == (typ)); \
427  FAIL_IF_NOT(cd->expire == (exp)); \
428  DetectXbitFree(NULL, cd); \
429  cd = NULL;
430 
431  GOOD_INPUT("set,abc,track ip_pair",
435  GOOD_INPUT("set,abc,track ip_pair, expire 3600",
438  3600);
439  GOOD_INPUT("set,abc,track ip_src, expire 1234",
442  1234);
443 
444 #undef GOOD_INPUT
445 
447  PASS;
448 }
449 
450 /**
451  * \test
452  */
453 
454 static int XBitsTestSig01(void)
455 {
456  uint8_t *buf = (uint8_t *)
457  "GET /one/ HTTP/1.1\r\n"
458  "Host: one.example.org\r\n"
459  "\r\n";
460  uint16_t buflen = strlen((char *)buf);
462  FAIL_IF_NULL(p);
463  Signature *s = NULL;
464  ThreadVars th_v;
465  DetectEngineThreadCtx *det_ctx = NULL;
466  DetectEngineCtx *de_ctx = NULL;
467 
468  memset(&th_v, 0, sizeof(th_v));
469  memset(p, 0, SIZE_OF_PACKET);
470  p->src.family = AF_INET;
471  p->dst.family = AF_INET;
472  p->payload = buf;
473  p->payload_len = buflen;
474  p->proto = IPPROTO_TCP;
475 
476  XBitsTestSetup();
477 
480  de_ctx->flags |= DE_QUIET;
481 
483  "alert ip any any -> any any (xbits:set,abc,track ip_pair; content:\"GET \"; sid:1;)");
484  FAIL_IF_NULL(s);
485 
487  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
488  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
489  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
491  XBitsTestShutdown();
492  SCFree(p);
493  StatsThreadCleanup(&th_v);
495  PASS;
496 }
497 
498 /**
499  * \test various options
500  *
501  * \retval 1 on succces
502  * \retval 0 on failure
503  */
504 
505 static int XBitsTestSig02(void)
506 {
507  Signature *s = NULL;
508  DetectEngineCtx *de_ctx = NULL;
511  de_ctx->flags |= DE_QUIET;
512 
514  "alert ip any any -> any any (xbits:isset,abc,track ip_src; content:\"GET \"; sid:1;)");
515  FAIL_IF_NULL(s);
516 
518  "alert ip any any -> any any (xbits:isnotset,abc,track ip_dst; content:\"GET \"; sid:2;)");
519  FAIL_IF_NULL(s);
520 
522  "alert ip any any -> any any (xbits:set,abc,track ip_pair; content:\"GET \"; sid:3;)");
523  FAIL_IF_NULL(s);
524 
526  "alert ip any any -> any any (xbits:unset,abc,track ip_src; content:\"GET \"; sid:4;)");
527  FAIL_IF_NULL(s);
528 
530  "alert ip any any -> any any (xbits:toggle,abc,track ip_dst; content:\"GET \"; sid:5;)");
531  FAIL_IF_NULL(s);
532 
534  "alert ip any any -> any any (xbits:!set,abc,track ip_dst; content:\"GET \"; sid:6;)");
535  FAIL_IF_NOT_NULL(s);
536 
538  PASS;
539 }
540 
541 /**
542  * \brief this function registers unit tests for XBits
543  */
544 static void XBitsRegisterTests(void)
545 {
546  UtRegisterTest("XBitsTestParse01", XBitsTestParse01);
547  UtRegisterTest("XBitsTestSig01", XBitsTestSig01);
548  UtRegisterTest("XBitsTestSig02", XBitsTestSig02);
549 }
550 #endif /* UNITTESTS */
IPPairBitUnset
void IPPairBitUnset(IPPair *h, uint32_t idx)
Definition: ippair-bit.c:139
util-byte.h
SigTableElmt_::url
const char * url
Definition: detect.h:1214
Packet_::proto
uint8_t proto
Definition: decode.h:436
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
DetectXbitsRegister
void DetectXbitsRegister(void)
Definition: detect-xbits.c:67
SigTableElmt_::desc
const char * desc
Definition: detect.h:1213
DetectXbitsData_::expire
uint32_t expire
Definition: detect-xbits.h:46
SC_ERR_INVALID_VALUE
@ SC_ERR_INVALID_VALUE
Definition: util-error.h:160
StorageInit
void StorageInit(void)
Definition: util-storage.c:67
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1201
flow-util.h
IPPairRelease
void IPPairRelease(IPPair *h)
Definition: ippair.c:518
SigTableElmt_::name
const char * name
Definition: detect.h:1211
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
Packet_::payload
uint8_t * payload
Definition: decode.h:549
ippair-bit.h
threads.h
HostInitConfig
void HostInitConfig(char quiet)
initialize the configuration
Definition: host.c:173
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1205
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:767
DetectXbitsData_::cmd
uint8_t cmd
Definition: detect-xbits.h:44
IPPairBitSet
void IPPairBitSet(IPPair *h, uint32_t idx, uint32_t expire)
Definition: ippair-bit.c:131
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2093
StorageCleanup
void StorageCleanup(void)
Definition: util-storage.c:75
flow-bit.h
util-var-name.h
DETECT_XBITS_TRACK_IPDST
#define DETECT_XBITS_TRACK_IPDST
Definition: detect-xbits.h:36
DE_QUIET
#define DE_QUIET
Definition: detect.h:294
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1196
HostBitInitCtx
void HostBitInitCtx(void)
Definition: host-bit.c:49
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:550
DetectXbitsData_
Definition: detect-xbits.h:42
util-unittest.h
VAR_TYPE_NOT_SET
@ VAR_TYPE_NOT_SET
Definition: util-var.h:28
GOOD_INPUT
#define GOOD_INPUT(str, command, trk, typ, exp)
DETECT_SM_LIST_POSTMATCH
@ DETECT_SM_LIST_POSTMATCH
Definition: detect.h:98
DetectXbitMatchHost
int DetectXbitMatchHost(Packet *p, const DetectXbitsData *xd)
Definition: detect-hostbits.c:245
detect-xbits.h
DETECT_XBITS_CMD_ISNOTSET
#define DETECT_XBITS_CMD_ISNOTSET
Definition: detect-xbits.h:30
DETECT_XBITS_EXPIRE_DEFAULT
#define DETECT_XBITS_EXPIRE_DEFAULT
Definition: detect-xbits.h:40
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
IPPairBitToggle
void IPPairBitToggle(IPPair *h, uint32_t idx, uint32_t expire)
Definition: ippair-bit.c:147
IPPairCleanup
void IPPairCleanup(void)
Cleanup the ippair engine.
Definition: ippair.c:338
DetectEngineThreadCtx_
Definition: detect.h:1010
SC_ERR_UNKNOWN_VALUE
@ SC_ERR_UNKNOWN_VALUE
Definition: util-error.h:159
res
PoolThreadReserved res
Definition: stream-tcp-private.h:0
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2488
HostCleanup
void HostCleanup(void)
Cleanup the host engine.
Definition: host.c:343
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
BAD_INPUT
#define BAD_INPUT(str)
DETECT_XBITS_TRACK_IPPAIR
#define DETECT_XBITS_TRACK_IPPAIR
Definition: detect-xbits.h:37
IPPairGetIPPairFromHash
IPPair * IPPairGetIPPairFromHash(Address *a, Address *b)
Definition: ippair.c:542
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:89
SIZE_OF_PACKET
#define SIZE_OF_PACKET
Definition: decode.h:627
IPPairInitConfig
void IPPairInitConfig(char quiet)
initialize the configuration
Definition: ippair.c:168
app-layer-parser.h
TRUE
#define TRUE
Definition: suricata-common.h:33
DETECT_XBITS
@ DETECT_XBITS
Definition: detect-engine-register.h:236
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:323
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1688
IPPairBitIsnotset
int IPPairBitIsnotset(IPPair *h, uint32_t idx, uint32_t ts)
Definition: ippair-bit.c:171
DetectXbitsData_::type
enum VarTypes type
Definition: detect-xbits.h:48
Signature_::flags
uint32_t flags
Definition: detect.h:529
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options, int *ovector, int ovector_size)
Definition: detect-parse.c:2418
Packet_
Definition: decode.h:414
StorageFinalize
int StorageFinalize(void)
Definition: util-storage.c:139
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1179
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1884
SigMatch_::type
uint8_t type
Definition: detect.h:321
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:315
StringParseUint32
int StringParseUint32(uint32_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:313
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2356
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2797
Packet_::ts
struct timeval ts
Definition: decode.h:457
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3005
IPPair_
Definition: ippair.h:58
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectParseRegex_
Definition: detect-parse.h:42
util-spm.h
DetectXbitsData_::idx
uint32_t idx
Definition: detect-xbits.h:43
VarNameStoreSetupAdd
uint32_t VarNameStoreSetupAdd(const char *name, const enum VarTypes type)
add to staging or return existing id if already in there
Definition: util-var-name.c:323
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
SIG_FLAG_NOALERT
#define SIG_FLAG_NOALERT
Definition: detect.h:216
detect-hostbits.h
VAR_TYPE_HOST_BIT
@ VAR_TYPE_HOST_BIT
Definition: util-var.h:39
IPPairBitInitCtx
void IPPairBitInitCtx(void)
Definition: ippair-bit.c:49
detect-engine-sigorder.h
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
DetectXbitsData_::tracker
uint8_t tracker
Definition: detect-xbits.h:45
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DETECT_XBITS_TRACK_IPSRC
#define DETECT_XBITS_TRACK_IPSRC
Definition: detect-xbits.h:35
detect-parse.h
Signature_
Signature container.
Definition: detect.h:528
SigMatch_
a single match condition for a signature
Definition: detect.h:320
DETECT_XBITS_CMD_NOALERT
#define DETECT_XBITS_CMD_NOALERT
Definition: detect-xbits.h:32
DETECT_XBITS_CMD_ISSET
#define DETECT_XBITS_CMD_ISSET
Definition: detect-xbits.h:31
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2048
VarTypes
VarTypes
Definition: util-var.h:27
Address_::family
char family
Definition: decode.h:117
Packet_::dst
Address dst
Definition: decode.h:419
IPPairLookupIPPairFromHash
IPPair * IPPairLookupIPPairFromHash(Address *a, Address *b)
look up a ippair in the hash
Definition: ippair.c:641
IPPairBitIsset
int IPPairBitIsset(IPPair *h, uint32_t idx, uint32_t ts)
Definition: ippair-bit.c:157
DETECT_XBITS_CMD_SET
#define DETECT_XBITS_CMD_SET
Definition: detect-xbits.h:27
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:768
DETECT_XBITS_CMD_TOGGLE
#define DETECT_XBITS_CMD_TOGGLE
Definition: detect-xbits.h:28
flow.h
DETECT_XBITS_CMD_UNSET
#define DETECT_XBITS_CMD_UNSET
Definition: detect-xbits.h:29
VAR_TYPE_IPPAIR_BIT
@ VAR_TYPE_IPPAIR_BIT
Definition: util-var.h:43
StatsReleaseResources
void StatsReleaseResources()
Releases the resources alloted by the Stats API.
Definition: counters.c:1252
StatsThreadCleanup
void StatsThreadCleanup(ThreadVars *tv)
Definition: counters.c:1293
SIGMATCH_IPONLY_COMPAT
#define SIGMATCH_IPONLY_COMPAT
Definition: detect.h:1382
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
Packet_::src
Address src
Definition: decode.h:418
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-xbits.c:57
host-bit.h
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1203