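/*
 * Pattern for the event name given to the keyword: one non-space character,
 * a run of name characters, a literal dot, then name characters (plus '+'
 * and '.') up to the end of the string.
 *
 * The letter ranges are spelled out as A-Za-z on purpose. In ASCII the
 * single range A-z also covers the six characters that sit between 'Z' and
 * 'a' (left bracket, backslash, right bracket, caret, underscore, backtick),
 * so the previous class accepted more than letters. '_' stays listed
 * explicitly.
 *
 * NOTE(review): assumes no registered event name contains a bracket,
 * backslash, caret or backtick -- confirm against the DEvents table.
 */
#define PARSE_REGEX "\\S[0-9A-Za-z_]+[.][A-Za-z0-9_+.]+$"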
61static bool PrefilterEventIsPrefilterable(
const Signature *s,
int smtype)
65 if (sm->
type == smtype) {
71static bool PrefilterStreamEventIsPrefilterable(
const Signature *s)
76static bool PrefilterDecodeEventIsPrefilterable(
const Signature *s)
92 DetectUintData_u8 du8;
102 for (uint8_t u = 0; u < p->
events.
cnt; u++) {
105 PrefilterAddSids(&det_ctx->
pmq, sa->
sigs, sa->
cnt);
114 PrefilterPacketEventMatch);
121 PrefilterPacketEventMatch);
182static bool OutdatedEvent(
const char *raw)
184 if (strcmp(raw,
"decoder.udp.hlen_invalid") == 0) {
202 int res = 0, found = 0;
204 pcre2_match_data *match = NULL;
208 SCLogError(
"pcre_exec parse error, ret %" PRId32
", string %s", ret, rawstr);
212 char copy_str[128] =
"";
213 pcre2len =
sizeof(copy_str);
214 res = pcre2_substring_copy_bynumber(match, 0, (PCRE2_UCHAR8 *)copy_str, &pcre2len);
217 SCLogError(
"pcre2_substring_copy_bynumber failed");
222 if (strcasecmp(
DEvents[i].event_name,copy_str) == 0) {
229 SCLogError(
"unknown decode event \"%s\"", copy_str);
243 if (OutdatedEvent(rawstr)) {
245 SCLogError(
"decode-event keyword no longer supports event \"%s\"", rawstr);
248 SCLogWarning(
"decode-event keyword no longer supports event \"%s\"", rawstr);
252 pcre2_match_data_free(match);
259 pcre2_match_data_free(match);
274static int DetectEngineEventSetupDo(
316 char drawstr[64] =
"decoder.";
319 strlcat(drawstr, rawstr,
sizeof(drawstr));
329 char srawstr[64] =
"stream.";
331 if (strcmp(rawstr,
"est_synack_resend_with_different_ack") == 0) {
332 rawstr =
"est_synack_resend_with_diff_ack";
333 }
else if (strcmp(rawstr,
"3whs_synack_resend_with_different_ack") == 0) {
334 rawstr =
"3whs_synack_resend_with_diff_ack";
338 strlcat(srawstr, rawstr,
sizeof(srawstr));
351static int EngineEventTestParse01 (
void)
357 DetectEngineEventFree(NULL, de);
366static int EngineEventTestParse02 (
void)
372 DetectEngineEventFree(NULL, de);
380static int EngineEventTestParse03 (
void)
386 DetectEngineEventFree(NULL, de);
394static int EngineEventTestParse04 (
void)
400 DetectEngineEventFree(NULL, de);
408static int EngineEventTestParse05 (
void)
414 DetectEngineEventFree(NULL, de);
422static int EngineEventTestParse06 (
void)
const struct DecodeEvents_ DEvents[]
@ STREAM_REASSEMBLY_OVERLAP_DIFFERENT_DATA
#define ENGINE_ISSET_EVENT(p, e)
#define ENGINE_SET_EVENT(p, e)
void EngineEventRegisterTests(void)
This function registers the unit tests for EngineEvent.
void DetectEngineEventRegister(void)
Registration function for decode-event: keyword.
int PrefilterSetupPacketHeaderU8Hash(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type, SignatureMask mask, void(*Set)(PrefilterPacketHeaderValue *v, void *), bool(*Compare)(PrefilterPacketHeaderValue v, void *), void(*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
#define PREFILTER_U8HASH_MODE_EQ
bool PrefilterPacketU8Compare(PrefilterPacketHeaderValue v, void *smctx)
bool SigMatchStrictEnabled(const enum DetectKeywordId id)
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
SigMatch * SigMatchAlloc(void)
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
SigMatch * SCSigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
SigTableElmt * sigmatch_table
#define SIGMATCH_DEONLY_COMPAT
#define SIG_MASK_REQUIRE_ENGINE_EVENT
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
#define PASS
Pass the test.
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
void StreamTcpReassembleConfigEnableOverlapCheck(void)
main detection engine ctx
uint8_t events[PACKET_ENGINE_EVENT_MAX]
PacketEngineEvents events
Container for matching data for a signature group.
Used to start a pointer to SigMatch context. Should never be dereferenced without casting to something...
a single match condition for a signature
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
void(* Free)(DetectEngineCtx *, void *)
void(* RegisterTests)(void)
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
bool(* SupportsPrefilter)(const Signature *s)
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
SignatureInitData * init_data
Per thread variable structure.
size_t strlcat(char *, const char *src, size_t siz)
#define SCLogWarning(...)
Macro used to log WARNING messages.
#define SCLogError(...)
Macro used to log ERROR messages.