suricata
detect-xbits.c
Go to the documentation of this file.
1/* Copyright (C) 2007-2020 Open Information Security Foundation
2 *
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
5 * Software Foundation.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15 * 02110-1301, USA.
16 */
17
18/**
19 * \file
20 *
21 * \author Victor Julien <victor@inliniac.net>
22 *
23 * Implements the xbits keyword
24 */
25
26#include "suricata-common.h"
27#include "decode.h"
28#include "action-globals.h"
29#include "detect.h"
30#include "threads.h"
31#include "flow.h"
32#include "flow-util.h"
33#include "detect-xbits.h"
34#include "detect-hostbits.h"
35#include "util-spm.h"
36#include "util-byte.h"
37
39
40#include "app-layer-parser.h"
41
42#include "detect-parse.h"
43#include "detect-engine.h"
44#include "detect-engine-mpm.h"
45#include "detect-engine-state.h"
46#include "detect-engine-build.h"
47
48#include "flow-bit.h"
49#include "host-bit.h"
50#include "ippair-bit.h"
51#include "tx-bit.h"
52
53#include "util-var-name.h"
54#include "util-unittest.h"
55#include "util-debug.h"
56
57/*
58 xbits:set,bitname,track ip_pair,expire 60
59 */
60
61#define PARSE_REGEX "^([a-z]+)" "(?:,\\s*([^,]+))?" "(?:,\\s*(?:track\\s+([^,]+)))" "(?:,\\s*(?:expire\\s+([^,]+)))?"
62static DetectParseRegex parse_regex;
63
64static int DetectXbitTxMatch(DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags, void *state,
65 void *txv, const Signature *s, const SigMatchCtx *ctx);
66static int DetectXbitMatch (DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *);
67static int DetectXbitSetup (DetectEngineCtx *, Signature *, const char *);
68#ifdef UNITTESTS
69static void XBitsRegisterTests(void);
70#endif
71static void DetectXbitFree (DetectEngineCtx *, void *);
72
74{
76 sigmatch_table[DETECT_XBITS].desc = "operate on bits";
77 sigmatch_table[DETECT_XBITS].url = "/rules/xbits.html";
78 sigmatch_table[DETECT_XBITS].AppLayerTxMatch = DetectXbitTxMatch;
79 sigmatch_table[DETECT_XBITS].Match = DetectXbitMatch;
80 sigmatch_table[DETECT_XBITS].Setup = DetectXbitSetup;
81 sigmatch_table[DETECT_XBITS].Free = DetectXbitFree;
82#ifdef UNITTESTS
83 sigmatch_table[DETECT_XBITS].RegisterTests = XBitsRegisterTests;
84#endif
85 /* this is compatible to ip-only signatures */
87
89}
90
91static int DetectIPPairbitMatchToggle (Packet *p, const DetectXbitsData *fd)
92{
93 IPPair *pair = IPPairGetIPPairFromHash(&p->src, &p->dst);
94 if (pair == NULL)
95 return 0;
96
97 IPPairBitToggle(pair, fd->idx, SCTIME_ADD_SECS(p->ts, fd->expire));
98 IPPairRelease(pair);
99 return 1;
100}
101
102/* return true even if bit not found */
103static int DetectIPPairbitMatchUnset (Packet *p, const DetectXbitsData *fd)
104{
105 IPPair *pair = IPPairLookupIPPairFromHash(&p->src, &p->dst);
106 if (pair == NULL)
107 return 1;
108
109 IPPairBitUnset(pair,fd->idx);
110 IPPairRelease(pair);
111 return 1;
112}
113
114static int DetectIPPairbitMatchSet (Packet *p, const DetectXbitsData *fd)
115{
116 IPPair *pair = IPPairGetIPPairFromHash(&p->src, &p->dst);
117 if (pair == NULL)
118 return 0;
119
120 IPPairBitSet(pair, fd->idx, SCTIME_ADD_SECS(p->ts, fd->expire));
121 IPPairRelease(pair);
122 return 1;
123}
124
125static int DetectIPPairbitMatchIsset (Packet *p, const DetectXbitsData *fd)
126{
127 int r = 0;
128 IPPair *pair = IPPairLookupIPPairFromHash(&p->src, &p->dst);
129 if (pair == NULL)
130 return 0;
131
132 r = IPPairBitIsset(pair, fd->idx, p->ts);
133 IPPairRelease(pair);
134 return r;
135}
136
137static int DetectIPPairbitMatchIsnotset (Packet *p, const DetectXbitsData *fd)
138{
139 int r = 0;
140 IPPair *pair = IPPairLookupIPPairFromHash(&p->src, &p->dst);
141 if (pair == NULL)
142 return 1;
143
144 r = IPPairBitIsnotset(pair, fd->idx, p->ts);
145 IPPairRelease(pair);
146 return r;
147}
148
149static int DetectXbitMatchIPPair(Packet *p, const DetectXbitsData *xd)
150{
151 switch (xd->cmd) {
153 return DetectIPPairbitMatchIsset(p,xd);
155 return DetectIPPairbitMatchIsnotset(p,xd);
157 return DetectIPPairbitMatchSet(p,xd);
159 return DetectIPPairbitMatchUnset(p,xd);
161 return DetectIPPairbitMatchToggle(p,xd);
162 }
163 return 0;
164}
165
166static int DetectXbitPostMatchTx(
167 DetectEngineThreadCtx *det_ctx, Packet *p, const Signature *s, const DetectXbitsData *xd)
168{
169 if (p->flow == NULL)
170 return 0;
171 if (!det_ctx->tx_id_set)
172 return 0;
173 Flow *f = p->flow;
174 void *txv = AppLayerParserGetTx(f->proto, f->alproto, f->alstate, det_ctx->tx_id);
175 if (txv == NULL)
176 return 0;
178
179 if (xd->cmd != DETECT_XBITS_CMD_SET)
180 return 0;
181
182 SCLogDebug("sid %u: post-match SET for bit %u on tx:%" PRIu64 ", txd:%p", s->id, xd->idx,
183 det_ctx->tx_id, txd);
184
185 return TxBitSet(txd, xd->idx);
186}
187
188/*
189 * returns 0: no match
190 * 1: match
191 * -1: error
192 */
193
194static int DetectXbitMatch (DetectEngineThreadCtx *det_ctx, Packet *p, const Signature *s, const SigMatchCtx *ctx)
195{
196 const DetectXbitsData *fd = (const DetectXbitsData *)ctx;
197 if (fd == NULL)
198 return 0;
199
200 switch (fd->type) {
202 return DetectXbitMatchHost(p, (const DetectXbitsData *)fd);
203 break;
205 return DetectXbitMatchIPPair(p, (const DetectXbitsData *)fd);
206 break;
207 case VAR_TYPE_TX_BIT:
208 // TODO this is for PostMatch only. Can we validate somehow?
209 return DetectXbitPostMatchTx(det_ctx, p, s, fd);
210 break;
211 default:
212 break;
213 }
214 return 0;
215}
216
217static int DetectXbitTxMatch(DetectEngineThreadCtx *det_ctx, Flow *f, uint8_t flags, void *state,
218 void *txv, const Signature *s, const SigMatchCtx *ctx)
219{
220 const DetectXbitsData *xd = (const DetectXbitsData *)ctx;
221 DEBUG_VALIDATE_BUG_ON(xd == NULL);
222
224
225 SCLogDebug("sid:%u: tx:%" PRIu64 ", txd->txbits:%p", s->id, det_ctx->tx_id, txd->txbits);
226 int r = TxBitIsset(txd, xd->idx);
227 if (r == 1) {
229 }
231}
232
233/** \internal
234 * \brief parse xbits rule options
235 * \retval 0 ok
236 * \retval -1 bad
237 * \param[out] cdout return DetectXbitsData structure or NULL if noalert
238 */
239static int DetectXbitParse(DetectEngineCtx *de_ctx,
240 const char *rawstr, DetectXbitsData **cdout)
241{
242 DetectXbitsData *cd = NULL;
243 uint8_t fb_cmd = 0;
244 uint8_t hb_dir = 0;
245 size_t pcre2len;
246 char fb_cmd_str[16] = "", fb_name[256] = "";
247 char hb_dir_str[16] = "";
248 enum VarTypes var_type = VAR_TYPE_NOT_SET;
249 uint32_t expire = DETECT_XBITS_EXPIRE_DEFAULT;
250
251 pcre2_match_data *match = NULL;
252 int ret = DetectParsePcreExec(&parse_regex, &match, rawstr, 0, 0);
253 if (ret != 2 && ret != 3 && ret != 4 && ret != 5) {
254 SCLogError("\"%s\" is not a valid setting for xbits.", rawstr);
255 if (match) {
256 pcre2_match_data_free(match);
257 }
258 return -1;
259 }
260 SCLogDebug("ret %d, %s", ret, rawstr);
261 pcre2len = sizeof(fb_cmd_str);
262 int res = pcre2_substring_copy_bynumber(match, 1, (PCRE2_UCHAR8 *)fb_cmd_str, &pcre2len);
263 if (res < 0) {
264 SCLogError("pcre2_substring_copy_bynumber failed");
265 pcre2_match_data_free(match);
266 return -1;
267 }
268
269 if (ret >= 3) {
270 pcre2len = sizeof(fb_name);
271 res = pcre2_substring_copy_bynumber(match, 2, (PCRE2_UCHAR8 *)fb_name, &pcre2len);
272 if (res < 0) {
273 SCLogError("pcre2_substring_copy_bynumber failed");
274 pcre2_match_data_free(match);
275 return -1;
276 }
277 if (ret >= 4) {
278 pcre2len = sizeof(hb_dir_str);
279 res = pcre2_substring_copy_bynumber(match, 3, (PCRE2_UCHAR8 *)hb_dir_str, &pcre2len);
280 if (res < 0) {
281 SCLogError("pcre2_substring_copy_bynumber failed");
282 pcre2_match_data_free(match);
283 return -1;
284 }
285 SCLogDebug("hb_dir_str %s", hb_dir_str);
286 if (strlen(hb_dir_str) > 0) {
287 if (strcmp(hb_dir_str, "ip_src") == 0) {
289 var_type = VAR_TYPE_HOST_BIT;
290 } else if (strcmp(hb_dir_str, "ip_dst") == 0) {
292 var_type = VAR_TYPE_HOST_BIT;
293 } else if (strcmp(hb_dir_str, "ip_pair") == 0) {
295 var_type = VAR_TYPE_IPPAIR_BIT;
296 } else if (strcmp(hb_dir_str, "tx") == 0) {
297 hb_dir = DETECT_XBITS_TRACK_TX;
298 var_type = VAR_TYPE_TX_BIT;
299 } else {
300 // TODO
301 pcre2_match_data_free(match);
302 return -1;
303 }
304 }
305
306 if (ret >= 5) {
307 char expire_str[16] = "";
308 pcre2len = sizeof(expire_str);
309 res = pcre2_substring_copy_bynumber(
310 match, 4, (PCRE2_UCHAR8 *)expire_str, &pcre2len);
311 if (res < 0) {
312 SCLogError("pcre2_substring_copy_bynumber failed");
313 pcre2_match_data_free(match);
314 return -1;
315 }
316 SCLogDebug("expire_str %s", expire_str);
317 if (StringParseUint32(&expire, 10, 0, (const char *)expire_str) < 0) {
318 SCLogError("Invalid value for "
319 "expire: \"%s\"",
320 expire_str);
321 pcre2_match_data_free(match);
322 return -1;
323 }
324 if (expire == 0) {
325 SCLogError("expire must be bigger than 0");
326 pcre2_match_data_free(match);
327 return -1;
328 }
329 SCLogDebug("expire %d", expire);
330 }
331 }
332 }
333
334 pcre2_match_data_free(match);
335 if (strcmp(fb_cmd_str,"noalert") == 0) {
337 } else if (strcmp(fb_cmd_str,"isset") == 0) {
338 fb_cmd = DETECT_XBITS_CMD_ISSET;
339 } else if (strcmp(fb_cmd_str,"isnotset") == 0) {
341 } else if (strcmp(fb_cmd_str,"set") == 0) {
342 fb_cmd = DETECT_XBITS_CMD_SET;
343 } else if (strcmp(fb_cmd_str,"unset") == 0) {
344 fb_cmd = DETECT_XBITS_CMD_UNSET;
345 } else if (strcmp(fb_cmd_str,"toggle") == 0) {
347 } else {
348 SCLogError("xbits action \"%s\" is not supported.", fb_cmd_str);
349 return -1;
350 }
351
352 switch (fb_cmd) {
354 if (strlen(fb_name) != 0)
355 return -1;
356 /* return ok, cd is NULL. Flag sig. */
357 *cdout = NULL;
358 return 0;
359 }
365 if (strlen(fb_name) == 0)
366 return -1;
367 break;
368 }
369
370 if (hb_dir == DETECT_XBITS_TRACK_TX) {
371 if (fb_cmd != DETECT_XBITS_CMD_ISSET && fb_cmd != DETECT_XBITS_CMD_SET) {
372 SCLogError("tx xbits only support set and isset");
373 return -1;
374 }
375 }
376
377 cd = SCMalloc(sizeof(DetectXbitsData));
378 if (unlikely(cd == NULL))
379 return -1;
380
381 cd->idx = VarNameStoreRegister(fb_name, var_type);
382 cd->cmd = fb_cmd;
383 cd->tracker = hb_dir;
384 cd->type = var_type;
385 cd->expire = expire;
386
387 SCLogDebug("idx %" PRIu32 ", cmd %s, name %s", cd->idx, fb_cmd_str,
388 strlen(fb_name) ? fb_name : "(none)");
389
390 *cdout = cd;
391 return 0;
392}
393
394int DetectXbitSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
395{
396 DetectXbitsData *cd = NULL;
397
398 int result = DetectXbitParse(de_ctx, rawstr, &cd);
399 if (result < 0) {
400 return -1;
401 } else if (cd == NULL) {
402 /* noalert doesn't use a cd/sm struct. It flags the sig. We're done. */
403 s->action &= ~ACTION_ALERT;
404 return 0;
405 }
406
407 /* Okay so far so good, lets get this into a SigMatch
408 * and put it in the Signature. */
409 switch (cd->cmd) {
410 /* case DETECT_XBITS_CMD_NOALERT can't happen here */
413 int list = DETECT_SM_LIST_MATCH;
414 if (cd->tracker == DETECT_XBITS_TRACK_TX) {
415 SCLogDebug("tx xbit isset");
417 SCLogError("tx xbits require an explicit rule hook");
418 SCFree(cd);
419 return -1;
420 }
421 list = s->init_data->hook.sm_list;
422 SCLogDebug("setting list %d", list);
423
424 if (list == -1) {
425 SCLogError("tx xbits failed to set up"); // TODO how would we get here?
426 SCFree(cd);
427 return -1;
428 }
429 }
430
431 SCLogDebug("adding match/txmatch");
432 /* checks, so packet list */
434 NULL) {
435 SCFree(cd);
436 return -1;
437 }
438 break;
439 }
440 // all other cases
441 // DETECT_XBITS_CMD_SET, DETECT_XBITS_CMD_UNSET, DETECT_XBITS_CMD_TOGGLE:
442 default:
443 SCLogDebug("adding post-match");
444 /* modifiers, only run when entire sig has matched */
446 DETECT_SM_LIST_POSTMATCH) == NULL) {
447 SCFree(cd);
448 return -1;
449 }
450 break;
451 }
452
453 return 0;
454}
455
456static void DetectXbitFree (DetectEngineCtx *de_ctx, void *ptr)
457{
458 DetectXbitsData *fd = (DetectXbitsData *)ptr;
459
460 if (fd == NULL)
461 return;
463
464 SCFree(fd);
465}
466
467#ifdef UNITTESTS
468
469static void XBitsTestSetup(void)
470{
471 StorageInit();
475 HostInitConfig(true);
476 IPPairInitConfig(true);
477}
478
479static void XBitsTestShutdown(void)
480{
481 HostCleanup();
484}
485
486
487static int XBitsTestParse01(void)
488{
489 DetectEngineCtx *de_ctx = NULL;
493 DetectXbitsData *cd = NULL;
494
495#define BAD_INPUT(str) \
496 FAIL_IF_NOT(DetectXbitParse(de_ctx, (str), &cd) == -1);
497
498 BAD_INPUT("alert");
499 BAD_INPUT("n0alert");
500 BAD_INPUT("nOalert");
501 BAD_INPUT("set,abc,track nonsense, expire 3600");
502 BAD_INPUT("set,abc,track ip_source, expire 3600");
503 BAD_INPUT("set,abc,track ip_src, expire -1");
504 BAD_INPUT("set,abc,track ip_src, expire 0");
505
506#undef BAD_INPUT
507
508#define GOOD_INPUT(str, command, trk, typ, exp) \
509 FAIL_IF_NOT(DetectXbitParse(de_ctx, (str), &cd) == 0); \
510 FAIL_IF_NULL(cd); \
511 FAIL_IF_NOT(cd->cmd == (command)); \
512 FAIL_IF_NOT(cd->tracker == (trk)); \
513 FAIL_IF_NOT(cd->type == (typ)); \
514 FAIL_IF_NOT(cd->expire == (exp)); \
515 DetectXbitFree(NULL, cd); \
516 cd = NULL;
517
518 GOOD_INPUT("set,abc,track ip_pair",
522 GOOD_INPUT("set,abc,track ip_pair, expire 3600",
525 3600);
526 GOOD_INPUT("set,abc,track ip_src, expire 1234",
529 1234);
530
531#undef GOOD_INPUT
532
534 PASS;
535}
536
537/**
538 * \test
539 */
540
541static int XBitsTestSig01(void)
542{
543 uint8_t *buf = (uint8_t *)
544 "GET /one/ HTTP/1.1\r\n"
545 "Host: one.example.org\r\n"
546 "\r\n";
547 uint16_t buflen = strlen((char *)buf);
549 FAIL_IF_NULL(p);
550 Signature *s = NULL;
551 ThreadVars th_v;
552 DetectEngineThreadCtx *det_ctx = NULL;
553 DetectEngineCtx *de_ctx = NULL;
554
555 memset(&th_v, 0, sizeof(th_v));
556 p->src.family = AF_INET;
557 p->dst.family = AF_INET;
558 p->payload = buf;
559 p->payload_len = buflen;
560 p->proto = IPPROTO_TCP;
561
562 XBitsTestSetup();
563
567
569 "alert ip any any -> any any (xbits:set,abc,track ip_pair; content:\"GET \"; sid:1;)");
570 FAIL_IF_NULL(s);
571
573 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
574 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
575 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
577 XBitsTestShutdown();
578 SCFree(p);
579 StatsThreadCleanup(&th_v);
581 PASS;
582}
583
584/**
585 * \test various options
586 *
587 * \retval 1 on success
588 * \retval 0 on failure
589 */
590
591static int XBitsTestSig02(void)
592{
593 Signature *s = NULL;
594 DetectEngineCtx *de_ctx = NULL;
598
600 "alert ip any any -> any any (xbits:isset,abc,track ip_src; content:\"GET \"; sid:1;)");
601 FAIL_IF_NULL(s);
602
604 "alert ip any any -> any any (xbits:isnotset,abc,track ip_dst; content:\"GET \"; sid:2;)");
605 FAIL_IF_NULL(s);
606
608 "alert ip any any -> any any (xbits:set,abc,track ip_pair; content:\"GET \"; sid:3;)");
609 FAIL_IF_NULL(s);
610
612 "alert ip any any -> any any (xbits:unset,abc,track ip_src; content:\"GET \"; sid:4;)");
613 FAIL_IF_NULL(s);
614
616 "alert ip any any -> any any (xbits:toggle,abc,track ip_dst; content:\"GET \"; sid:5;)");
617 FAIL_IF_NULL(s);
618
620 "alert ip any any -> any any (xbits:!set,abc,track ip_dst; content:\"GET \"; sid:6;)");
622
624 PASS;
625}
626
627/**
628 * \brief this function registers unit tests for XBits
629 */
630static void XBitsRegisterTests(void)
631{
632 UtRegisterTest("XBitsTestParse01", XBitsTestParse01);
633 UtRegisterTest("XBitsTestSig01", XBitsTestSig01);
634 UtRegisterTest("XBitsTestSig02", XBitsTestSig02);
635}
636#endif /* UNITTESTS */
AppLayerTxData * AppLayerParserGetTxData(uint8_t ipproto, AppProto alproto, void *tx)
void * AppLayerParserGetTx(uint8_t ipproto, AppProto alproto, void *alstate, uint64_t tx_id)
struct AppLayerTxData AppLayerTxData
void StatsThreadCleanup(ThreadVars *tv)
Definition counters.c:1308
void StatsReleaseResources(void)
Releases the resources allotted by the Stats API.
Definition counters.c:1267
uint8_t flags
Definition decode-gre.h:0
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
DetectEngineCtx * DetectEngineCtxInit(void)
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Data structures and function prototypes for keeping state for the detection engine.
#define DETECT_ENGINE_INSPECT_SIG_MATCH
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
int DetectXbitMatchHost(Packet *p, const DetectXbitsData *xd)
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
SigMatch * SCSigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
SigTableElmt * sigmatch_table
void DetectXbitsRegister(void)
#define GOOD_INPUT(str, command, trk, typ, exp)
#define BAD_INPUT(str)
#define PARSE_REGEX
#define DETECT_XBITS_CMD_NOALERT
#define DETECT_XBITS_EXPIRE_DEFAULT
#define DETECT_XBITS_CMD_TOGGLE
#define DETECT_XBITS_TRACK_IPSRC
#define DETECT_XBITS_TRACK_IPDST
#define DETECT_XBITS_CMD_SET
#define DETECT_XBITS_CMD_ISNOTSET
#define DETECT_XBITS_CMD_UNSET
#define DETECT_XBITS_TRACK_IPPAIR
#define DETECT_XBITS_CMD_ISSET
#define DETECT_XBITS_TRACK_TX
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition detect.c:2420
#define SIGMATCH_IPONLY_COMPAT
Definition detect.h:1653
#define DE_QUIET
Definition detect.h:330
#define SIGMATCH_SUPPORT_FIREWALL
Definition detect.h:1682
@ DETECT_SM_LIST_MATCH
Definition detect.h:117
@ DETECT_SM_LIST_POSTMATCH
Definition detect.h:127
@ SIGNATURE_HOOK_TYPE_APP
Definition detect.h:549
DetectEngineCtx * de_ctx
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
#define PASS
Pass the test.
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition decode.c:258
struct Thresholds ctx
void HostBitInitCtx(void)
Definition host-bit.c:49
void HostCleanup(void)
Cleanup the host engine.
Definition host.c:332
void HostInitConfig(bool quiet)
initialize the configuration
Definition host.c:168
void IPPairBitUnset(IPPair *h, uint32_t idx)
Definition ippair-bit.c:139
void IPPairBitInitCtx(void)
Definition ippair-bit.c:49
int IPPairBitIsset(IPPair *h, uint32_t idx, SCTime_t ts)
Definition ippair-bit.c:157
void IPPairBitSet(IPPair *h, uint32_t idx, SCTime_t expire)
Definition ippair-bit.c:131
void IPPairBitToggle(IPPair *h, uint32_t idx, SCTime_t expire)
Definition ippair-bit.c:147
int IPPairBitIsnotset(IPPair *h, uint32_t idx, SCTime_t ts)
Definition ippair-bit.c:171
void IPPairCleanup(void)
Cleanup the ippair engine.
Definition ippair.c:327
void IPPairRelease(IPPair *h)
Definition ippair.c:502
void IPPairInitConfig(bool quiet)
initialize the configuration
Definition ippair.c:162
IPPair * IPPairGetIPPairFromHash(Address *a, Address *b)
Definition ippair.c:521
IPPair * IPPairLookupIPPairFromHash(Address *a, Address *b)
look up a ippair in the hash
Definition ippair.c:620
char family
Definition decode.h:113
main detection engine ctx
Definition detect.h:932
uint8_t flags
Definition detect.h:934
enum VarTypes type
Flow data structure.
Definition flow.h:356
uint8_t proto
Definition flow.h:378
AppProto alproto
application level protocol
Definition flow.h:450
void * alstate
Definition flow.h:479
SCTime_t ts
Definition decode.h:555
Address src
Definition decode.h:505
struct Flow_ * flow
Definition decode.h:546
uint8_t * payload
Definition decode.h:605
uint16_t payload_len
Definition decode.h:606
Address dst
Definition decode.h:506
uint8_t proto
Definition decode.h:523
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition detect.h:351
const char * url
Definition detect.h:1462
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition detect.h:1441
void(* Free)(DetectEngineCtx *, void *)
Definition detect.h:1446
uint16_t flags
Definition detect.h:1450
const char * desc
Definition detect.h:1461
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition detect.h:1424
void(* RegisterTests)(void)
Definition detect.h:1448
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition detect.h:1421
const char * name
Definition detect.h:1459
enum SignatureHookType type
Definition detect.h:572
SignatureHook hook
Definition detect.h:590
Signature container.
Definition detect.h:668
uint8_t action
Definition detect.h:683
SignatureInitData * init_data
Definition detect.h:747
uint32_t id
Definition detect.h:713
Per thread variable structure.
Definition threadvars.h:58
int TxBitIsset(AppLayerTxData *txd, uint32_t idx)
Definition tx-bit.c:69
int TxBitSet(AppLayerTxData *txd, uint32_t idx)
Definition tx-bit.c:80
int StringParseUint32(uint32_t *res, int base, size_t len, const char *str)
Definition util-byte.c:313
#define SCLogDebug(...)
Definition util-debug.h:275
#define SCLogError(...)
Macro used to log ERROR messages.
Definition util-debug.h:267
#define SCMalloc(sz)
Definition util-mem.h:47
#define SCFree(p)
Definition util-mem.h:61
#define unlikely(expr)
void StorageCleanup(void)
int StorageFinalize(void)
void StorageInit(void)
#define SCTIME_ADD_SECS(ts, s)
Definition util-time.h:64
#define DEBUG_VALIDATE_BUG_ON(exp)
void VarNameStoreUnregister(const uint32_t id, const enum VarTypes type)
uint32_t VarNameStoreRegister(const char *name, const enum VarTypes type)
VarTypes
Definition util-var.h:28
@ VAR_TYPE_IPPAIR_BIT
Definition util-var.h:45
@ VAR_TYPE_NOT_SET
Definition util-var.h:29
@ VAR_TYPE_TX_BIT
Definition util-var.h:49
@ VAR_TYPE_HOST_BIT
Definition util-var.h:41