suricata
detect-iprep.c
Go to the documentation of this file.
1/* Copyright (C) 2012-2021 Open Information Security Foundation
2 *
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
5 * Software Foundation.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15 * 02110-1301, USA.
16 */
17
18/**
19 * \file
20 *
21 * \author Victor Julien <victor@inliniac.net>
22 *
23 * Implements the iprep keyword
24 */
25
26#include "suricata-common.h"
27#include "decode.h"
28#include "detect.h"
29#include "threads.h"
30#include "flow.h"
31#include "flow-bit.h"
32#include "flow-util.h"
33#include "detect-iprep.h"
34#include "util-spm.h"
35
36#include "app-layer-parser.h"
37
38#include "detect-parse.h"
39#include "detect-engine.h"
40#include "detect-engine-mpm.h"
41#include "detect-engine-state.h"
42#include "detect-engine-uint.h"
43#include "detect-engine-build.h"
44
45#include "util-debug.h"
46#include "util-byte.h"
47#include "util-unittest.h"
48#include "util-unittest-helper.h"
49#include "util-fmemopen.h"
50#include "util-validate.h"
51
52#include "reputation.h"
53#include "host.h"
54
55static int DetectIPRepMatch (DetectEngineThreadCtx *, Packet *,
56 const Signature *, const SigMatchCtx *);
57static int DetectIPRepSetup (DetectEngineCtx *, Signature *, const char *);
58void DetectIPRepFree (DetectEngineCtx *, void *);
59#ifdef UNITTESTS
60static void IPRepRegisterTests(void);
61#endif
62
63void DetectIPRepRegister (void)
64{
65 sigmatch_table[DETECT_IPREP].name = "iprep";
66 sigmatch_table[DETECT_IPREP].desc = "match on the IP reputation information for a host";
67 sigmatch_table[DETECT_IPREP].url = "/rules/ip-reputation-rules.html#iprep";
68 sigmatch_table[DETECT_IPREP].Match = DetectIPRepMatch;
69 sigmatch_table[DETECT_IPREP].Setup = DetectIPRepSetup;
70 sigmatch_table[DETECT_IPREP].Free = DetectIPRepFree;
71#ifdef UNITTESTS
72 sigmatch_table[DETECT_IPREP].RegisterTests = IPRepRegisterTests;
73#endif
74 /* this is compatible to ip-only signatures */
75 sigmatch_table[DETECT_IPREP].flags |= SIGMATCH_IPONLY_COMPAT;
76}
77
78static inline int8_t GetRep(const SReputation *r, const uint8_t cat, const uint32_t version)
79{
80 /* allow higher versions as this happens during
81 * rule reload */
82 if (r != NULL && r->version >= version) {
83 return r->rep[cat];
84 }
85 return -1;
86}
87
88/** \returns: -2 no host, -1 no rep entry, 0-127 rep values */
89static int8_t GetHostRepSrc(Packet *p, uint8_t cat, uint32_t version)
90{
91 if (p->flags & PKT_HOST_SRC_LOOKED_UP && p->host_src == NULL) {
92 return -2;
93 } else if (p->host_src != NULL) {
94 Host *h = (Host *)p->host_src;
95 HostLock(h);
96 /* use_cnt: 1 for having iprep, 1 for packet ref */
97 DEBUG_VALIDATE_BUG_ON(h->iprep != NULL && SC_ATOMIC_GET(h->use_cnt) < 2);
98 int8_t val = GetRep(h->iprep, cat, version);
99 HostUnlock(h);
100 return val;
101 } else {
102 Host *h = HostLookupHostFromHash(&(p->src));
103 p->flags |= PKT_HOST_SRC_LOOKED_UP;
104 if (h == NULL)
105 return -2;
106 HostReference(&p->host_src, h);
107 /* use_cnt: 1 for having iprep, 1 for HostLookupHostFromHash,
108 * 1 for HostReference to packet */
109 DEBUG_VALIDATE_BUG_ON(h->iprep != NULL && SC_ATOMIC_GET(h->use_cnt) < 3);
110 int8_t val = GetRep(h->iprep, cat, version);
111 HostRelease(h); /* use_cnt >= 2: 1 for iprep, 1 for packet ref */
112 return val;
113 }
114}
115
116static int8_t GetHostRepDst(Packet *p, uint8_t cat, uint32_t version)
117{
118 if (p->flags & PKT_HOST_DST_LOOKED_UP && p->host_dst == NULL) {
119 return -2;
120 } else if (p->host_dst != NULL) {
121 Host *h = (Host *)p->host_dst;
122 HostLock(h);
123 /* use_cnt: 1 for having iprep, 1 for packet ref */
124 DEBUG_VALIDATE_BUG_ON(h->iprep != NULL && SC_ATOMIC_GET(h->use_cnt) < 2);
125 int8_t val = GetRep(h->iprep, cat, version);
126 HostUnlock(h);
127 return val;
128 } else {
129 Host *h = HostLookupHostFromHash(&(p->dst));
130 p->flags |= PKT_HOST_DST_LOOKED_UP;
131 if (h == NULL)
132 return -2;
133 HostReference(&p->host_dst, h);
134 /* use_cnt: 1 for having iprep, 1 for HostLookupHostFromHash,
135 * 1 for HostReference to packet */
136 DEBUG_VALIDATE_BUG_ON(h->iprep != NULL && SC_ATOMIC_GET(h->use_cnt) < 3);
137 int8_t val = GetRep(h->iprep, cat, version);
138 HostRelease(h); /* use_cnt >= 2: 1 for iprep, 1 for packet ref */
139 return val;
140 }
141}
142
143/*
144 * returns 0: no match
145 * 1: match
146 * -1: error
147 */
148static int DetectIPRepMatch (DetectEngineThreadCtx *det_ctx, Packet *p,
149 const Signature *s, const SigMatchCtx *ctx)
150{
151 const DetectIPRepData *rd = (const DetectIPRepData *)ctx;
152 if (rd == NULL)
153 return 0;
154
155 uint32_t version = det_ctx->de_ctx->srep_version;
156 int8_t val = 0;
157
158 SCLogDebug("rd->cmd %u", rd->cmd);
159 switch (rd->cmd) {
160 case IPRepCmdAny:
161 if (!rd->isnotset) {
162 val = GetHostRepSrc(p, rd->cat, version);
163 if (val < 0)
164 val = SRepCIDRGetIPRepSrc(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
165 if (val >= 0) {
166 if (DetectU8Match((uint8_t)val, &rd->du8))
167 return 1;
168 }
169 val = GetHostRepDst(p, rd->cat, version);
170 if (val < 0)
171 val = SRepCIDRGetIPRepDst(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
172 if (val >= 0) {
173 return DetectU8Match((uint8_t)val, &rd->du8);
174 }
175 } else {
176 /* isnotset for any */
177
178 val = GetHostRepSrc(p, rd->cat, version);
179 if (val < 0)
180 val = SRepCIDRGetIPRepSrc(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
181 if (val < 0) {
182 return 1;
183 }
184 val = GetHostRepDst(p, rd->cat, version);
185 if (val < 0)
186 val = SRepCIDRGetIPRepDst(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
187 if (val < 0) {
188 return 1;
189 }
190 /* both have a value, so none 'isnotset' */
191 return 0;
192 }
193 break;
194
195 case IPRepCmdSrc:
196 val = GetHostRepSrc(p, rd->cat, version);
197 SCLogDebug("checking src -- val %d (looking for cat %u, val %u)", val, rd->cat,
198 rd->du8.arg1);
199 if (val < 0)
200 val = SRepCIDRGetIPRepSrc(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
201 if (val >= 0) {
202 return DetectU8Match((uint8_t)val, &rd->du8);
203 }
204 /* implied: no value found */
205 if (rd->isnotset) {
206 return 1;
207 }
208 break;
209
210 case IPRepCmdDst:
211 SCLogDebug("checking dst");
212 val = GetHostRepDst(p, rd->cat, version);
213 if (val < 0)
214 val = SRepCIDRGetIPRepDst(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
215 if (val >= 0) {
216 return DetectU8Match((uint8_t)val, &rd->du8);
217 }
218 /* implied: no value found */
219 if (rd->isnotset) {
220 return 1;
221 }
222 break;
223
224 case IPRepCmdBoth:
225 if (!rd->isnotset) {
226 val = GetHostRepSrc(p, rd->cat, version);
227 if (val < 0)
228 val = SRepCIDRGetIPRepSrc(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
229 if (val < 0 || DetectU8Match((uint8_t)val, &rd->du8) == 0)
230 return 0;
231 val = GetHostRepDst(p, rd->cat, version);
232 if (val < 0)
233 val = SRepCIDRGetIPRepDst(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
234 if (val >= 0) {
235 return DetectU8Match((uint8_t)val, &rd->du8);
236 }
237 } else {
238 val = GetHostRepSrc(p, rd->cat, version);
239 if (val >= 0)
240 return 0;
241 val = SRepCIDRGetIPRepSrc(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
242 if (val >= 0)
243 return 0;
244 val = GetHostRepDst(p, rd->cat, version);
245 if (val >= 0)
246 return 0;
247 val = SRepCIDRGetIPRepDst(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version);
248 if (val >= 0)
249 return 0;
250 return 1;
251 }
252 break;
253 }
254
255 return 0;
256}
257
258int DetectIPRepSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
259{
260 DetectIPRepData *cd = SCDetectIPRepParse(rawstr);
261 if (cd == NULL) {
262 SCLogError("\"%s\" is not a valid setting for iprep", rawstr);
263 goto error;
264 }
265
266 SCLogDebug("cmd %u, cat %u, op %u, val %u", cd->cmd, cd->cat, cd->du8.mode, cd->du8.arg1);
267
268 /* Okay so far so good, lets get this into a SigMatch
269 * and put it in the Signature. */
270
271 if (SCSigMatchAppendSMToList(
272 de_ctx, s, DETECT_IPREP, (SigMatchCtx *)cd, DETECT_SM_LIST_MATCH) == NULL) {
273 goto error;
274 }
275
276 return 0;
277
278error:
279 if (cd != NULL)
280 DetectIPRepFree(de_ctx, cd);
281 return -1;
282}
283
284void DetectIPRepFree (DetectEngineCtx *de_ctx, void *ptr)
285{
286 DetectIPRepData *fd = (DetectIPRepData *)ptr;
287 if (fd == NULL)
288 return;
289
290 SCDetectIPRepFree(fd);
291}
292
293#ifdef UNITTESTS
294#include "packet.h"
295#include "action-globals.h"
296
297static FILE *DetectIPRepGenerateCategoriesDummy(void)
298{
299 FILE *fd = NULL;
300 const char *buffer = "1,BadHosts,Know bad hosts";
301
302 fd = SCFmemopen((void *)buffer, strlen(buffer), "r");
303 if (fd == NULL)
304 SCLogDebug("Error with SCFmemopen()");
305
306 return fd;
307}
308
309static FILE *DetectIPRepGenerateCategoriesDummy2(void)
310{
311 FILE *fd = NULL;
312 const char *buffer =
313 "1,BadHosts,Know bad hosts\n"
314 "2,GoodHosts,Know good hosts\n";
315
316 fd = SCFmemopen((void *)buffer, strlen(buffer), "r");
317 if (fd == NULL)
318 SCLogDebug("Error with SCFmemopen()");
319
320 return fd;
321}
322
323static FILE *DetectIPRepGenerateNetworksDummy(void)
324{
325 FILE *fd = NULL;
326 const char *buffer = "10.0.0.0/24,1,20";
327
328 fd = SCFmemopen((void *)buffer, strlen(buffer), "r");
329 if (fd == NULL)
330 SCLogDebug("Error with SCFmemopen()");
331
332 return fd;
333}
334
335static FILE *DetectIPRepGenerateNetworksDummy2(void)
336{
337 FILE *fd = NULL;
338 const char *buffer =
339 "0.0.0.0/0,1,10\n"
340 "192.168.0.0/16,2,127";
341
342 fd = SCFmemopen((void *)buffer, strlen(buffer), "r");
343 if (fd == NULL)
344 SCLogDebug("Error with SCFmemopen()");
345
346 return fd;
347}
348
349static int DetectIPRepTest01(void)
350{
351 ThreadVars th_v;
352 DetectEngineThreadCtx *det_ctx = NULL;
353 Signature *sig = NULL;
354 FILE *fd = NULL;
355 int r = 0;
356 Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
357 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
358
359 HostInitConfig(HOST_QUIET);
360 memset(&th_v, 0, sizeof(th_v));
361
362 FAIL_IF_NULL(de_ctx);
363 FAIL_IF_NULL(p);
364
365 p->src.addr_data32[0] = UTHSetIPv4Address("10.0.0.1");
366 de_ctx->flags |= DE_QUIET;
367
368 SRepInit(de_ctx);
369 SRepResetVersion();
370
371 fd = DetectIPRepGenerateCategoriesDummy();
372 r = SRepLoadCatFileFromFD(fd);
373 FAIL_IF(r < 0);
374
375 fd = DetectIPRepGenerateNetworksDummy();
376 r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);
377 FAIL_IF(r < 0);
378
379 sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value "
380 "badhost\"; iprep:any,BadHosts,>,1; sid:1;rev:1;)");
381 FAIL_IF_NULL(sig);
382
383 SigGroupBuild(de_ctx);
384 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
385
386 p->alerts.cnt = 0;
387 p->action = 0;
388 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
389
390 FAIL_IF(p->alerts.cnt != 1);
391 FAIL_IF(PacketTestAction(p, ACTION_DROP));
392
393 UTHFreePacket(p);
394
395 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
396 DetectEngineCtxFree(de_ctx);
397
398 HostShutdown();
399 PASS;
400}
401
402static int DetectIPRepTest02(void)
403{
404 ThreadVars th_v;
405 DetectEngineThreadCtx *det_ctx = NULL;
406 Signature *sig = NULL;
407 FILE *fd = NULL;
408 int r = 0;
409 Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
410 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
411
412 HostInitConfig(HOST_QUIET);
413 memset(&th_v, 0, sizeof(th_v));
414
415 FAIL_IF_NULL(de_ctx);
416 FAIL_IF_NULL(p);
417
418 p->src.addr_data32[0] = UTHSetIPv4Address("10.0.0.1");
419 de_ctx->flags |= DE_QUIET;
420
421 SRepInit(de_ctx);
422 SRepResetVersion();
423
424 fd = DetectIPRepGenerateCategoriesDummy();
425 r = SRepLoadCatFileFromFD(fd);
426 FAIL_IF(r < 0);
427
428 fd = DetectIPRepGenerateNetworksDummy();
429 r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);
430 FAIL_IF(r < 0);
431
432 sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value "
433 "badhost\"; iprep:src,BadHosts,>,1; sid:1; rev:1;)");
434 FAIL_IF_NULL(sig);
435
436 SigGroupBuild(de_ctx);
437 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
438
439 p->alerts.cnt = 0;
440 p->action = 0;
441 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
442 FAIL_IF(p->alerts.cnt != 1);
443 FAIL_IF(PacketTestAction(p, ACTION_DROP));
444
445 UTHFreePacket(p);
446
447 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
448 DetectEngineCtxFree(de_ctx);
449
450 HostShutdown();
451 PASS;
452}
453
454static int DetectIPRepTest03(void)
455{
456 ThreadVars th_v;
457 DetectEngineThreadCtx *det_ctx = NULL;
458 Signature *sig = NULL;
459 FILE *fd = NULL;
460 int r = 0;
461 Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
462 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
463
464 HostInitConfig(HOST_QUIET);
465 memset(&th_v, 0, sizeof(th_v));
466
467 FAIL_IF_NULL(de_ctx);
468 FAIL_IF_NULL(p);
469
470 p->dst.addr_data32[0] = UTHSetIPv4Address("10.0.0.2");
471 de_ctx->flags |= DE_QUIET;
472
473 SRepInit(de_ctx);
474 SRepResetVersion();
475
476 fd = DetectIPRepGenerateCategoriesDummy();
477 r = SRepLoadCatFileFromFD(fd);
478 FAIL_IF(r < 0);
479
480 fd = DetectIPRepGenerateNetworksDummy();
481 r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);
482 FAIL_IF(r < 0);
483
484 sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value "
485 "badhost\"; iprep:dst,BadHosts,>,1; sid:1; rev:1;)");
486 FAIL_IF_NULL(sig);
487
488 SigGroupBuild(de_ctx);
489 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
490
491 p->alerts.cnt = 0;
492 p->action = 0;
493 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
494 FAIL_IF(p->alerts.cnt != 1);
495 FAIL_IF(PacketTestAction(p, ACTION_DROP));
496
497 UTHFreePacket(p);
498
499 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
500 DetectEngineCtxFree(de_ctx);
501
502 HostShutdown();
503 PASS;
504}
505
506static int DetectIPRepTest04(void)
507{
508 ThreadVars th_v;
509 DetectEngineThreadCtx *det_ctx = NULL;
510 Signature *sig = NULL;
511 FILE *fd = NULL;
512 int r = 0;
513 Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
514 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
515
516 HostInitConfig(HOST_QUIET);
517 memset(&th_v, 0, sizeof(th_v));
518
519 FAIL_IF_NULL(de_ctx);
520 FAIL_IF_NULL(p);
521
522 p->src.addr_data32[0] = UTHSetIPv4Address("10.0.0.1");
523 p->dst.addr_data32[0] = UTHSetIPv4Address("10.0.0.2");
524 de_ctx->flags |= DE_QUIET;
525
526 SRepInit(de_ctx);
527 SRepResetVersion();
528
529 fd = DetectIPRepGenerateCategoriesDummy();
530 r = SRepLoadCatFileFromFD(fd);
531 FAIL_IF(r < 0);
532
533 fd = DetectIPRepGenerateNetworksDummy();
534 r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);
535 FAIL_IF(r < 0);
536
537 sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value "
538 "badhost\"; iprep:both,BadHosts,>,1; sid:1; rev:1;)");
539 FAIL_IF_NULL(sig);
540
541 SigGroupBuild(de_ctx);
542 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
543
544 p->alerts.cnt = 0;
545 p->action = 0;
546 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
547 FAIL_IF(p->alerts.cnt != 1);
548 FAIL_IF(PacketTestAction(p, ACTION_DROP));
549
550 UTHFreePacket(p);
551
552 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
553 DetectEngineCtxFree(de_ctx);
554
555 HostShutdown();
556 PASS;
557}
558
559static int DetectIPRepTest05(void)
560{
561 ThreadVars th_v;
562 DetectEngineThreadCtx *det_ctx = NULL;
563 Signature *sig = NULL;
564 FILE *fd = NULL;
565 int r = 0;
566 Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
567 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
568
569 HostInitConfig(HOST_QUIET);
570 memset(&th_v, 0, sizeof(th_v));
571
572 FAIL_IF_NULL(de_ctx);
573 FAIL_IF_NULL(p);
574
575 p->src.addr_data32[0] = UTHSetIPv4Address("1.0.0.1");
576 de_ctx->flags |= DE_QUIET;
577
578 SRepInit(de_ctx);
579 SRepResetVersion();
580
581 fd = DetectIPRepGenerateCategoriesDummy();
582 r = SRepLoadCatFileFromFD(fd);
583 FAIL_IF(r < 0);
584
585 fd = DetectIPRepGenerateNetworksDummy();
586 r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);
587 FAIL_IF(r < 0);
588
589 sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value "
590 "badhost\"; iprep:any,BadHosts,>,1; sid:1; rev:1;)");
591 FAIL_IF_NULL(sig);
592
593 SigGroupBuild(de_ctx);
594 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
595
596 p->alerts.cnt = 0;
597 p->action = 0;
598 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
599 FAIL_IF(p->alerts.cnt != 0);
600 FAIL_IF(PacketTestAction(p, ACTION_DROP));
601
602 UTHFreePacket(p);
603
604 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
605 DetectEngineCtxFree(de_ctx);
606
607 HostShutdown();
608 PASS;
609}
610
611static int DetectIPRepTest06(void)
612{
613 ThreadVars th_v;
614 DetectEngineThreadCtx *det_ctx = NULL;
615 Signature *sig = NULL;
616 FILE *fd = NULL;
617 int r = 0;
618 Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
619 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
620
621 HostInitConfig(HOST_QUIET);
622 memset(&th_v, 0, sizeof(th_v));
623
624 FAIL_IF_NULL(de_ctx);
625 FAIL_IF_NULL(p);
626
627 p->src.addr_data32[0] = UTHSetIPv4Address("1.0.0.1");
628 de_ctx->flags |= DE_QUIET;
629
630 SRepInit(de_ctx);
631 SRepResetVersion();
632
633 fd = DetectIPRepGenerateCategoriesDummy();
634 r = SRepLoadCatFileFromFD(fd);
635 FAIL_IF(r < 0);
636
637 fd = DetectIPRepGenerateNetworksDummy2();
638 r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);
639 FAIL_IF(r < 0);
640
641 sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value "
642 "badhost\"; iprep:any,BadHosts,>,1; sid:1; rev:1;)");
643 FAIL_IF_NULL(sig);
644
645 SigGroupBuild(de_ctx);
646 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
647
648 p->alerts.cnt = 0;
649 p->action = 0;
650 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
651 FAIL_IF(p->alerts.cnt != 1);
652 FAIL_IF(PacketTestAction(p, ACTION_DROP));
653
654 UTHFreePacket(p);
655
656 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
657 DetectEngineCtxFree(de_ctx);
658
659 HostShutdown();
660 PASS;
661}
662
663static int DetectIPRepTest07(void)
664{
665 ThreadVars th_v;
666 DetectEngineThreadCtx *det_ctx = NULL;
667 Signature *sig = NULL;
668 FILE *fd = NULL;
669 int r = 0;
670 Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
671 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
672
673 HostInitConfig(HOST_QUIET);
674 memset(&th_v, 0, sizeof(th_v));
675
676 FAIL_IF_NULL(de_ctx);
677 FAIL_IF_NULL(p);
678
679 p->dst.addr_data32[0] = UTHSetIPv4Address("1.0.0.2");
680 de_ctx->flags |= DE_QUIET;
681
682 SRepInit(de_ctx);
683 SRepResetVersion();
684
685 fd = DetectIPRepGenerateCategoriesDummy();
686 r = SRepLoadCatFileFromFD(fd);
687 FAIL_IF(r < 0);
688
689 fd = DetectIPRepGenerateNetworksDummy2();
690 r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);
691 FAIL_IF(r < 0);
692
693 sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value "
694 "badhost\"; iprep:any,BadHosts,>,1; sid:1; rev:1;)");
695 FAIL_IF_NULL(sig);
696
697 SigGroupBuild(de_ctx);
698 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
699
700 p->alerts.cnt = 0;
701 p->action = 0;
702 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
703 FAIL_IF(p->alerts.cnt != 1);
704 FAIL_IF(PacketTestAction(p, ACTION_DROP));
705
706 UTHFreePacket(p);
707
708 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
709 DetectEngineCtxFree(de_ctx);
710
711 HostShutdown();
712 PASS;
713}
714
715static int DetectIPRepTest08(void)
716{
717 ThreadVars th_v;
718 DetectEngineThreadCtx *det_ctx = NULL;
719 Signature *sig = NULL;
720 FILE *fd = NULL;
721 int r = 0;
722 Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
723 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
724
725 HostInitConfig(HOST_QUIET);
726 memset(&th_v, 0, sizeof(th_v));
727
728 FAIL_IF_NULL(de_ctx);
729 FAIL_IF_NULL(p);
730
731 p->src.addr_data32[0] = UTHSetIPv4Address("1.0.0.1");
732 p->dst.addr_data32[0] = UTHSetIPv4Address("1.0.0.2");
733 de_ctx->flags |= DE_QUIET;
734
735 SRepInit(de_ctx);
736 SRepResetVersion();
737
738 fd = DetectIPRepGenerateCategoriesDummy();
739 r = SRepLoadCatFileFromFD(fd);
740 FAIL_IF(r < 0);
741
742 fd = DetectIPRepGenerateNetworksDummy();
743 r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);
744 FAIL_IF(r < 0);
745
746 sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value "
747 "badhost\"; iprep:any,BadHosts,>,1; sid:1; rev:1;)");
748 FAIL_IF_NULL(sig);
749
750 SigGroupBuild(de_ctx);
751 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
752
753 p->alerts.cnt = 0;
754 p->action = 0;
755 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
756 FAIL_IF(p->alerts.cnt != 0);
757 FAIL_IF(PacketTestAction(p, ACTION_DROP));
758
759 UTHFreePacket(p);
760
761 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
762 DetectEngineCtxFree(de_ctx);
763
764 HostShutdown();
765 PASS;
766}
767
768static int DetectIPRepTest09(void)
769{
770 ThreadVars th_v;
771 DetectEngineThreadCtx *det_ctx = NULL;
772 Signature *sig = NULL;
773 FILE *fd = NULL;
774 int r = 0;
775 Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
776 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
777
778 HostInitConfig(HOST_QUIET);
779 memset(&th_v, 0, sizeof(th_v));
780
781 FAIL_IF_NULL(de_ctx);
782 FAIL_IF_NULL(p);
783
784 p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1");
785 p->dst.addr_data32[0] = UTHSetIPv4Address("192.168.0.2");
786 de_ctx->flags |= DE_QUIET;
787
788 SRepInit(de_ctx);
789 SRepResetVersion();
790
791 fd = DetectIPRepGenerateCategoriesDummy2();
792 r = SRepLoadCatFileFromFD(fd);
793 FAIL_IF(r < 0);
794
795 fd = DetectIPRepGenerateNetworksDummy2();
796 r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);
797 FAIL_IF(r < 0);
798
799 sig = DetectEngineAppendSig(de_ctx,
800 "alert tcp any any -> any any (msg:\"test\"; iprep:src,BadHosts,>,9; sid:1; rev:1;)");
801 FAIL_IF_NULL(sig);
802
803 SigGroupBuild(de_ctx);
804 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
805
806 p->alerts.cnt = 0;
807 p->action = 0;
808 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
809 FAIL_IF(p->alerts.cnt != 1);
810 FAIL_IF(PacketTestAction(p, ACTION_DROP));
811
812 UTHFreePacket(p);
813
814 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
815 DetectEngineCtxFree(de_ctx);
816
817 HostShutdown();
818 PASS;
819}
820
821static FILE *DetectIPRepGenerateNetworksDummy3(void)
822{
823 FILE *fd = NULL;
824 const char *buffer = "192.168.0.0/16,1,127"; // BadHosts
825
826 fd = SCFmemopen((void *)buffer, strlen(buffer), "r");
827 if (fd == NULL)
828 SCLogDebug("Error with SCFmemopen()");
829
830 return fd;
831}
832
833static int DetectIPRepTest10(void)
834{
835 ThreadVars th_v;
836 DetectEngineThreadCtx *det_ctx = NULL;
837 Signature *sig = NULL;
838 FILE *fd = NULL;
839 int r = 0;
840 Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
841 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
842
843 HostInitConfig(HOST_QUIET);
844 memset(&th_v, 0, sizeof(th_v));
845
846 FAIL_IF_NULL(de_ctx);
847 FAIL_IF_NULL(p);
848
849 p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1");
850 p->dst.addr_data32[0] = UTHSetIPv4Address("192.168.0.2");
851 de_ctx->flags |= DE_QUIET;
852
853 SRepInit(de_ctx);
854 SRepResetVersion();
855
856 fd = DetectIPRepGenerateCategoriesDummy2();
857 r = SRepLoadCatFileFromFD(fd);
858 FAIL_IF(r < 0);
859
860 fd = DetectIPRepGenerateNetworksDummy3();
861 r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);
862 FAIL_IF(r < 0);
863
864 sig = DetectEngineAppendSig(de_ctx,
865 "alert tcp any any -> any any (msg:\"test\"; iprep:src,BadHosts,isset; sid:1; rev:1;)");
866 FAIL_IF_NULL(sig);
867
868 SigGroupBuild(de_ctx);
869 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
870
871 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
872 FAIL_IF_NOT(p->alerts.cnt == 1);
873
874 UTHFreePacket(p);
875
876 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
877 DetectEngineCtxFree(de_ctx);
878
879 HostShutdown();
880 PASS;
881}
882
883static int DetectIPRepTest11(void)
884{
885 ThreadVars th_v;
886 DetectEngineThreadCtx *det_ctx = NULL;
887 Signature *sig = NULL;
888 FILE *fd = NULL;
889 int r = 0;
890 Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP);
891 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
892
893 HostInitConfig(HOST_QUIET);
894 memset(&th_v, 0, sizeof(th_v));
895
896 FAIL_IF_NULL(de_ctx);
897 FAIL_IF_NULL(p);
898
899 p->src.addr_data32[0] = UTHSetIPv4Address("10.0.0.1");
900 p->dst.addr_data32[0] = UTHSetIPv4Address("10.0.0.2");
901 de_ctx->flags |= DE_QUIET;
902
903 SRepInit(de_ctx);
904 SRepResetVersion();
905
906 fd = DetectIPRepGenerateCategoriesDummy2();
907 r = SRepLoadCatFileFromFD(fd);
908 FAIL_IF(r < 0);
909
910 fd = DetectIPRepGenerateNetworksDummy3();
911 r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd);
912 FAIL_IF(r < 0);
913
914 sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"test\"; "
915 "iprep:src,BadHosts,isnotset; sid:1; rev:1;)");
916 FAIL_IF_NULL(sig);
917
918 SigGroupBuild(de_ctx);
919 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
920
921 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
922 FAIL_IF_NOT(p->alerts.cnt == 1);
923
924 UTHFreePacket(p);
925
926 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
927 DetectEngineCtxFree(de_ctx);
928
929 HostShutdown();
930 PASS;
931}
932
933/**
934 * \brief this function registers unit tests for IPRep
935 */
936void IPRepRegisterTests(void)
937{
938 UtRegisterTest("DetectIPRepTest01", DetectIPRepTest01);
939 UtRegisterTest("DetectIPRepTest02", DetectIPRepTest02);
940 UtRegisterTest("DetectIPRepTest03", DetectIPRepTest03);
941 UtRegisterTest("DetectIPRepTest04", DetectIPRepTest04);
942 UtRegisterTest("DetectIPRepTest05", DetectIPRepTest05);
943 UtRegisterTest("DetectIPRepTest06", DetectIPRepTest06);
944 UtRegisterTest("DetectIPRepTest07", DetectIPRepTest07);
945 UtRegisterTest("DetectIPRepTest08", DetectIPRepTest08);
946 UtRegisterTest("DetectIPRepTest09", DetectIPRepTest09);
947 UtRegisterTest("DetectIPRepTest10 -- isset", DetectIPRepTest10);
948 UtRegisterTest("DetectIPRepTest11 -- isnotset", DetectIPRepTest11);
949}
950#endif /* UNITTESTS */
ACTION_DROP
#define ACTION_DROP
Definition action-globals.h:30
version
uint8_t version
Definition decode-gre.h:1
PKT_HOST_DST_LOOKED_UP
#define PKT_HOST_DST_LOOKED_UP
Definition decode.h:1287
PKT_HOST_SRC_LOOKED_UP
#define PKT_HOST_SRC_LOOKED_UP
Definition decode.h:1286
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition detect-engine-build.c:2204
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition detect-engine.c:2602
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition detect-engine.c:2641
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition detect-parse.c:3437
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
DetectU8Match
int DetectU8Match(const uint8_t parg, const DetectUintData_u8 *du8)
Definition detect-engine-uint.c:71
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition detect-engine.c:3372
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition detect-engine.c:3608
DetectIPRepFree
void DetectIPRepFree(DetectEngineCtx *, void *)
Definition detect-iprep.c:284
DetectIPRepRegister
void DetectIPRepRegister(void)
Definition detect-iprep.c:63
SCSigMatchAppendSMToList
SigMatch * SCSigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition detect-parse.c:388
sigmatch_table
SigTableElmt * sigmatch_table
Definition detect-parse.c:79
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition detect.c:2420
SIGMATCH_IPONLY_COMPAT
#define SIGMATCH_IPONLY_COMPAT
Definition detect.h:1653
DE_QUIET
#define DE_QUIET
Definition detect.h:330
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition detect.h:117
de_ctx
DetectEngineCtx * de_ctx
Definition fuzz_siginit.c:18
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition util-unittest.h:89
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition util-unittest.c:103
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition util-unittest.h:82
PASS
#define PASS
Pass the test.
Definition util-unittest.h:105
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition util-unittest.h:71
ctx
struct Thresholds ctx
HostLookupHostFromHash
Host * HostLookupHostFromHash(Address *a)
look up a host in the hash
Definition host.c:585
HostShutdown
void HostShutdown(void)
shutdown the flow engine
Definition host.c:296
HostInitConfig
void HostInitConfig(bool quiet)
initialize the configuration
Definition host.c:168
HostLock
void HostLock(Host *h)
Definition host.c:467
HostUnlock
void HostUnlock(Host *h)
Definition host.c:472
HostRelease
void HostRelease(Host *h)
Definition host.c:461
HOST_QUIET
#define HOST_QUIET
Definition host.h:93
HostReference
#define HostReference(dst_h_ptr, h)
Definition host.h:117
SRepLoadCatFileFromFD
int SRepLoadCatFileFromFD(FILE *fp)
Definition reputation.c:357
SRepCIDRGetIPRepDst
int8_t SRepCIDRGetIPRepDst(SRepCIDRTree *cidr_ctx, Packet *p, uint8_t cat, uint32_t version)
Definition reputation.c:147
SRepCIDRGetIPRepSrc
int8_t SRepCIDRGetIPRepSrc(SRepCIDRTree *cidr_ctx, Packet *p, uint8_t cat, uint32_t version)
Definition reputation.c:135
SRepInit
int SRepInit(DetectEngineCtx *de_ctx)
init reputation
Definition reputation.c:566
SRepResetVersion
void SRepResetVersion(void)
Definition reputation.c:64
SRepLoadFileFromFD
int SRepLoadFileFromFD(SRepCIDRTree *cidr_ctx, FILE *fp)
Definition reputation.c:423
DetectEngineCtx_
main detection engine ctx
Definition detect.h:932
DetectEngineCtx_::srep_version
uint32_t srep_version
Definition detect.h:945
DetectEngineCtx_::flags
uint8_t flags
Definition detect.h:934
DetectEngineCtx_::srepCIDR_ctx
SRepCIDRTree * srepCIDR_ctx
Definition detect.h:948
DetectEngineThreadCtx_
Definition detect.h:1244
DetectEngineThreadCtx_::de_ctx
DetectEngineCtx * de_ctx
Definition detect.h:1364
Host_
Definition host.h:58
Host_::iprep
void * iprep
Definition host.h:69
PacketAlerts_::cnt
uint16_t cnt
Definition decode.h:287
Packet_
Definition decode.h:501
Packet_::action
uint8_t action
Definition decode.h:609
Packet_::src
Address src
Definition decode.h:505
Packet_::alerts
PacketAlerts alerts
Definition decode.h:620
Packet_::host_dst
struct Host_ * host_dst
Definition decode.h:623
Packet_::flags
uint32_t flags
Definition decode.h:544
Packet_::dst
Address dst
Definition decode.h:506
Packet_::host_src
struct Host_ * host_src
Definition decode.h:622
SReputation_
Definition reputation.h:41
SReputation_::version
uint32_t version
Definition reputation.h:42
SReputation_::rep
uint8_t rep[SREP_MAX_CATS]
Definition reputation.h:43
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition detect.h:351
SigTableElmt_::url
const char * url
Definition detect.h:1462
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition detect.h:1441
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition detect.h:1446
SigTableElmt_::flags
uint16_t flags
Definition detect.h:1450
SigTableElmt_::desc
const char * desc
Definition detect.h:1461
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition detect.h:1448
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition detect.h:1421
SigTableElmt_::name
const char * name
Definition detect.h:1459
Signature_
Signature container.
Definition detect.h:668
ThreadVars_
Per thread variable structure.
Definition threadvars.h:58
SC_ATOMIC_GET
#define SC_ATOMIC_GET(name)
Get the value from the atomic variable.
Definition util-atomic.h:375
SCLogDebug
#define SCLogDebug(...)
Definition util-debug.h:275
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition util-debug.h:267
SCFmemopen
#define SCFmemopen
Definition util-fmemopen.h:52
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition util-unittest-helper.c:365
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition util-unittest-helper.c:473
UTHSetIPv4Address
uint32_t UTHSetIPv4Address(const char *str)
return the uint32_t for a ipv4 address string
Definition util-unittest-helper.c:148
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition util-validate.h:102