/* Pattern for the argument string of the xbits keyword.
 *
 * Capture groups, in order:
 *   1. command      - one or more lowercase letters at the start of the string
 *   2. name         - optional; comma, optional whitespace, then a run of
 *                     non-comma characters
 *   3. track value  - required; comma, optional whitespace, the word "track",
 *                     whitespace, then a run of non-comma characters
 *   4. expire value - optional; same shape as group 3 with the word "expire"
 *
 * The pattern is anchored with ^ only; there is no trailing $, so the regex
 * by itself does not reject text that follows the last matched group.
 *
 * The parser in this file copies groups 1-4 into fixed-size stack buffers
 * (fb_cmd_str, fb_name, hb_dir_str, expire_str) and passes sizeof(buffer) as
 * the length limit to pcre2_substring_copy_bynumber(), so an over-long capture
 * cannot be written past the end of its buffer.
 */
57 #define PARSE_REGEX "^([a-z]+)" "(?:,\\s*([^,]+))?" "(?:,\\s*(?:track\\s+([^,]+)))" "(?:,\\s*(?:expire\\s+([^,]+)))?"
63 static void XBitsRegisterTests(
void);
146 return DetectIPPairbitMatchIsset(p,xd);
148 return DetectIPPairbitMatchIsnotset(p,xd);
150 return DetectIPPairbitMatchSet(p,xd);
152 return DetectIPPairbitMatchUnset(p,xd);
154 return DetectIPPairbitMatchToggle(p,xd);
196 int ret = 0,
res = 0;
198 char fb_cmd_str[16] =
"", fb_name[256] =
"";
199 char hb_dir_str[16] =
"";
204 if (ret != 2 && ret != 3 && ret != 4 && ret != 5) {
209 pcre2len =
sizeof(fb_cmd_str);
210 res = pcre2_substring_copy_bynumber(
211 parse_regex.
match, 1, (PCRE2_UCHAR8 *)fb_cmd_str, &pcre2len);
218 pcre2len =
sizeof(fb_name);
219 res = pcre2_substring_copy_bynumber(
220 parse_regex.
match, 2, (PCRE2_UCHAR8 *)fb_name, &pcre2len);
226 pcre2len =
sizeof(hb_dir_str);
227 res = pcre2_substring_copy_bynumber(
228 parse_regex.
match, 3, (PCRE2_UCHAR8 *)hb_dir_str, &pcre2len);
234 if (strlen(hb_dir_str) > 0) {
235 if (strcmp(hb_dir_str,
"ip_src") == 0) {
238 }
else if (strcmp(hb_dir_str,
"ip_dst") == 0) {
241 }
else if (strcmp(hb_dir_str,
"ip_pair") == 0) {
251 char expire_str[16] =
"";
252 pcre2len =
sizeof(expire_str);
253 res = pcre2_substring_copy_bynumber(
254 parse_regex.
match, 4, (PCRE2_UCHAR8 *)expire_str, &pcre2len);
262 "expire: \"%s\"", expire_str);
274 if (strcmp(fb_cmd_str,
"noalert") == 0) {
276 }
else if (strcmp(fb_cmd_str,
"isset") == 0) {
278 }
else if (strcmp(fb_cmd_str,
"isnotset") == 0) {
280 }
else if (strcmp(fb_cmd_str,
"set") == 0) {
282 }
else if (strcmp(fb_cmd_str,
"unset") == 0) {
284 }
else if (strcmp(fb_cmd_str,
"toggle") == 0) {
293 if (strlen(fb_name) != 0)
304 if (strlen(fb_name) == 0)
319 SCLogDebug(
"idx %" PRIu32
", cmd %s, name %s",
320 cd->
idx, fb_cmd_str, strlen(fb_name) ? fb_name :
"(none)");
331 int result = DetectXbitParse(
de_ctx, rawstr, &cd);
335 }
else if (result == 0 && cd == NULL) {
347 sm->
ctx = (
void *)cd;
386 static void XBitsTestSetup(
void)
396 static void XBitsTestShutdown(
void)
404 static int XBitsTestParse01(
void)
412 #define BAD_INPUT(str) \
413 FAIL_IF_NOT(DetectXbitParse(de_ctx, (str), &cd) == -1);
418 BAD_INPUT(
"set,abc,track nonsense, expire 3600");
419 BAD_INPUT(
"set,abc,track ip_source, expire 3600");
420 BAD_INPUT(
"set,abc,track ip_src, expire -1");
421 BAD_INPUT(
"set,abc,track ip_src, expire 0");
425 #define GOOD_INPUT(str, command, trk, typ, exp) \
426 FAIL_IF_NOT(DetectXbitParse(de_ctx, (str), &cd) == 0); \
428 FAIL_IF_NOT(cd->cmd == (command)); \
429 FAIL_IF_NOT(cd->tracker == (trk)); \
430 FAIL_IF_NOT(cd->type == (typ)); \
431 FAIL_IF_NOT(cd->expire == (exp)); \
432 DetectXbitFree(NULL, cd); \
439 GOOD_INPUT(
"set,abc,track ip_pair, expire 3600",
443 GOOD_INPUT(
"set,abc,track ip_src, expire 1234",
458 static int XBitsTestSig01(
void)
460 uint8_t *buf = (uint8_t *)
461 "GET /one/ HTTP/1.1\r\n"
462 "Host: one.example.org\r\n"
464 uint16_t buflen = strlen((
char *)buf);
472 memset(&th_v, 0,
sizeof(th_v));
477 p->
proto = IPPROTO_TCP;
486 "alert ip any any -> any any (xbits:set,abc,track ip_pair; content:\"GET \"; sid:1;)");
508 static int XBitsTestSig02(
void)
517 "alert ip any any -> any any (xbits:isset,abc,track ip_src; content:\"GET \"; sid:1;)");
521 "alert ip any any -> any any (xbits:isnotset,abc,track ip_dst; content:\"GET \"; sid:2;)");
525 "alert ip any any -> any any (xbits:set,abc,track ip_pair; content:\"GET \"; sid:3;)");
529 "alert ip any any -> any any (xbits:unset,abc,track ip_src; content:\"GET \"; sid:4;)");
533 "alert ip any any -> any any (xbits:toggle,abc,track ip_dst; content:\"GET \"; sid:5;)");
537 "alert ip any any -> any any (xbits:!set,abc,track ip_dst; content:\"GET \"; sid:6;)");
547 static void XBitsRegisterTests(
void)
void IPPairBitUnset(IPPair *h, uint32_t idx)
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
void DetectXbitsRegister(void)
void IPPairInitConfig(bool quiet)
initialize the configuration
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options)
void(* Free)(DetectEngineCtx *, void *)
void IPPairRelease(IPPair *h)
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
main detection engine ctx
void IPPairBitSet(IPPair *h, uint32_t idx, uint32_t expire)
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx.
void StorageCleanup(void)
#define DETECT_XBITS_TRACK_IPDST
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
@ SC_ERR_PCRE_GET_SUBSTRING
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
void HostBitInitCtx(void)
#define GOOD_INPUT(str, command, trk, typ, exp)
@ DETECT_SM_LIST_POSTMATCH
int DetectXbitMatchHost(Packet *p, const DetectXbitsData *xd)
#define DETECT_XBITS_CMD_ISNOTSET
#define DETECT_XBITS_EXPIRE_DEFAULT
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
#define PASS
Pass the test.
void IPPairBitToggle(IPPair *h, uint32_t idx, uint32_t expire)
void IPPairCleanup(void)
Cleanup the ippair engine.
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
void HostCleanup(void)
Cleanup the host engine.
Per thread variable structure.
#define DETECT_XBITS_TRACK_IPPAIR
int StringParseUint32(uint32_t *res, int base, size_t len, const char *str)
IPPair * IPPairGetIPPairFromHash(Address *a, Address *b)
int IPPairBitIsnotset(IPPair *h, uint32_t idx, uint32_t ts)
int StorageFinalize(void)
Data structures and function prototypes for keeping state for the detection engine.
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
SigMatch * SigMatchAlloc(void)
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Used to start a pointer to SigMatch context. Should never be dereferenced without casting to something...
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
uint32_t VarNameStoreSetupAdd(const char *name, const enum VarTypes type)
add to staging or return existing id if already in there
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
void IPPairBitInitCtx(void)
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
#define DETECT_XBITS_TRACK_IPSRC
a single match condition for a signature
#define DETECT_XBITS_CMD_NOALERT
#define DETECT_XBITS_CMD_ISSET
DetectEngineCtx * DetectEngineCtxInit(void)
IPPair * IPPairLookupIPPairFromHash(Address *a, Address *b)
look up an ippair in the hash
void HostInitConfig(bool quiet)
initialize the configuration
int IPPairBitIsset(IPPair *h, uint32_t idx, uint32_t ts)
#define DETECT_XBITS_CMD_SET
#define DETECT_XBITS_CMD_TOGGLE
#define DETECT_XBITS_CMD_UNSET
void StatsReleaseResources()
Releases the resources allotted by the Stats API.
void StatsThreadCleanup(ThreadVars *tv)
#define SIGMATCH_IPONLY_COMPAT
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
void(* RegisterTests)(void)