Complete removal of the global de_ctx. UtRunTests now returns the number of failed tests, or 0 if none failed. The program exits with code 1 when tests fail and with code 0 otherwise. Removal of the broken HTTP URI test.

remotes/origin/master-1.0.x
Victor Julien 16 years ago
parent 1132ab635a
commit 85abc3ef62

@ -65,34 +65,6 @@ void PktHttpUriFree(Packet *p) {
p->http_uri.cnt = 0;
}
/* Normalize http buffer
*
* Returns 0: on ok
* 1: normalized with events occurred.
*
* What we normalize:
* - ../ becomes
* example: /one/../two/ becomes /two/
* - // becomes /
* example: /one//two/ becomes /one/two/
* - '%20' becomes ' '
* example: '/one/%20/two/' becomes '/one/ /two/'
*/
static inline int
HttpUriNormalize(uint8_t *raw, uint16_t rawlen, uint8_t *norm, uint16_t *normlen) {
uint16_t i,x;
for (i = 0, x = 0; i < rawlen; i++) {
/* check for ../ */
/* check for // */
norm[x] = raw[i];
x++;
}
*normlen = x;
return 0;
}
static inline int
TestOffsetDepth(MpmMatch *m, DetectUricontentData *co) {
if (co->offset == 0 ||
@ -382,28 +354,7 @@ error:
* TESTS
*/
int HttpUriTest01 (void) {
uint8_t *raw = (uint8_t *)"/one/../two/";
uint16_t rawlen = strlen((char *)raw);
uint8_t *norm = (uint8_t *)"/two/";
uint16_t normlen = strlen((char *)norm);
int result = 0, r = 0;
uint8_t buf[1024];
uint16_t buflen = 0;
r = HttpUriNormalize(raw, rawlen, buf, &buflen);
if (buflen == normlen && memcmp(norm, buf, normlen) == 0)
result = 1;
//printf("HttpUriTest01: buflen %" PRIu32 ", %s\n", buflen, buf);
//end:
return result;
}
void HttpUriRegisterTests(void) {
UtRegisterTest("HttpUriTest01", HttpUriTest01, 1);
/** none atm */
}

@ -140,137 +140,134 @@ void DetectExitPrintStats(ThreadVars *tv, void *data) {
(float)(det_ctx->pkts_uri_searched/(float)(det_ctx->pkts_uri_scanned)*100));
}
void SigLoadSignatures (char *sig_file)
void SigLoadSignatures (DetectEngineCtx *de_ctx, char *sig_file)
{
Signature *prevsig = NULL, *sig;
/* intialize the de_ctx */
g_de_ctx = DetectEngineCtxInit();
/* The next 3 rules handle HTTP header capture. */
/* http_uri -- for uricontent */
sig = SigInit(g_de_ctx, "alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP GET URI cap\"; flow:to_server; content:\"GET \"; depth:4; pcre:\"/^GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; noalert; sid:1;)");
sig = SigInit(de_ctx, "alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP GET URI cap\"; flow:to_server; content:\"GET \"; depth:4; pcre:\"/^GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; noalert; sid:1;)");
if (sig) {
prevsig = sig;
g_de_ctx->sig_list = sig;
de_ctx->sig_list = sig;
}
sig = SigInit(g_de_ctx, "alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP POST URI cap\"; flow:to_server; content:\"POST \"; depth:5; pcre:\"/^POST (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; noalert; sid:2;)");
sig = SigInit(de_ctx, "alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP POST URI cap\"; flow:to_server; content:\"POST \"; depth:5; pcre:\"/^POST (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; noalert; sid:2;)");
if (sig == NULL)
return;
prevsig->next = sig;
prevsig = sig;
/* http_host -- for the log-httplog module */
sig = SigInit(g_de_ctx, "alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP host cap\"; flow:to_server; content:\"|0d 0a|Host:\"; pcre:\"/^Host: (?P<pkt_http_host>.*)\\r\\n/m\"; noalert; sid:3;)");
sig = SigInit(de_ctx, "alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP host cap\"; flow:to_server; content:\"|0d 0a|Host:\"; pcre:\"/^Host: (?P<pkt_http_host>.*)\\r\\n/m\"; noalert; sid:3;)");
if (sig == NULL)
return;
prevsig->next = sig;
prevsig = sig;
/* http_ua -- for the log-httplog module */
sig = SigInit(g_de_ctx, "alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP UA cap\"; flow:to_server; content:\"|0d 0a|User-Agent:\"; pcre:\"/^User-Agent: (?P<pkt_http_ua>.*)\\r\\n/m\"; noalert; sid:4;)");
sig = SigInit(de_ctx, "alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP UA cap\"; flow:to_server; content:\"|0d 0a|User-Agent:\"; pcre:\"/^User-Agent: (?P<pkt_http_ua>.*)\\r\\n/m\"; noalert; sid:4;)");
if (sig == NULL)
return;
prevsig->next = sig;
prevsig = sig;
sig = SigInit(g_de_ctx, "alert tcp any any -> any any (msg:\"ipv4 pkt too small\"; decode-event:ipv4.pkt_too_small; sid:5;)");
sig = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"ipv4 pkt too small\"; decode-event:ipv4.pkt_too_small; sid:5;)");
if (sig == NULL)
return;
prevsig->next = sig;
prevsig = sig;
/*
sig = SigInit(g_de_ctx,"alert udp any any -> any any (msg:\"ViCtOr nocase test\"; sid:4; rev:13; content:\"ViCtOr!!\"; offset:100; depth:150; nocase; content:\"ViCtOr!!\"; nocase; offset:99; depth:150;)");
sig = SigInit(de_ctx,"alert udp any any -> any any (msg:\"ViCtOr nocase test\"; sid:4; rev:13; content:\"ViCtOr!!\"; offset:100; depth:150; nocase; content:\"ViCtOr!!\"; nocase; offset:99; depth:150;)");
if (sig == NULL)
return;
prevsig->next = sig;
prevsig = sig;
sig = SigInit(g_de_ctx,"alert ip any any -> 1.2.3.4 any (msg:\"ViCtOr case test\"; sid:2001; content:\"ViCtOr\"; depth:150;)");
sig = SigInit(de_ctx,"alert ip any any -> 1.2.3.4 any (msg:\"ViCtOr case test\"; sid:2001; content:\"ViCtOr\"; depth:150;)");
if (sig == NULL)
return;
prevsig->next = sig;
prevsig = sig;
sig = SigInit(g_de_ctx,"alert ip any any -> 1.2.3.4 any (msg:\"IP ONLY\"; sid:2002;)");
sig = SigInit(de_ctx,"alert ip any any -> 1.2.3.4 any (msg:\"IP ONLY\"; sid:2002;)");
if (sig == NULL)
return;
prevsig->next = sig;
prevsig = sig;
sig = SigInit(g_de_ctx,"alert ip ANY any -> 192.168.0.0/16 any (msg:\"offset, depth, within test\"; flow:to_client; sid:2002; content:HTTP; depth:4; content:Server:; offset:15; within:100; depth:200;)");
sig = SigInit(de_ctx,"alert ip ANY any -> 192.168.0.0/16 any (msg:\"offset, depth, within test\"; flow:to_client; sid:2002; content:HTTP; depth:4; content:Server:; offset:15; within:100; depth:200;)");
if (sig == NULL)
return;
prevsig->next = sig;
prevsig = sig;
sig = SigInit(g_de_ctx,"alert ip 1.2.3.4 any -> any any (msg:\"Inliniac blog within test\"; flow:to_client; sid:2003; content:inliniac; content:blog; within:9;)");
sig = SigInit(de_ctx,"alert ip 1.2.3.4 any -> any any (msg:\"Inliniac blog within test\"; flow:to_client; sid:2003; content:inliniac; content:blog; within:9;)");
if (sig == NULL)
return;
prevsig->next = sig;
prevsig = sig;
sig = SigInit(g_de_ctx,"alert ip 2001::1 any -> 2001::3 any (msg:\"abcdefg distance 1 test\"; flow:to_server; sid:2004; content:abcd; content:efgh; within:4; distance:0; content:ijkl; within:4; distance:0;)");
sig = SigInit(de_ctx,"alert ip 2001::1 any -> 2001::3 any (msg:\"abcdefg distance 1 test\"; flow:to_server; sid:2004; content:abcd; content:efgh; within:4; distance:0; content:ijkl; within:4; distance:0;)");
if (sig == NULL)
return;
prevsig->next = sig;
prevsig = sig;
sig = SigInit(g_de_ctx,"alert ip 2001::5 any -> 2001::7 any (msg:\"abcdef distance 0 test\"; flow:to_server; sid:2005; content:abcdef; content:ghijklmnop; distance:0;)");
sig = SigInit(de_ctx,"alert ip 2001::5 any -> 2001::7 any (msg:\"abcdef distance 0 test\"; flow:to_server; sid:2005; content:abcdef; content:ghijklmnop; distance:0;)");
if (sig == NULL)
return;
prevsig->next = sig;
prevsig = sig;
sig = SigInit(g_de_ctx,"alert ip 10.0.0.0/8 any -> 4.3.2.1 any (msg:\"abcdefg distance 1 test\"; flow:to_server; sid:2006; content:abcdef; content:ghijklmnop; distance:1;)");
sig = SigInit(de_ctx,"alert ip 10.0.0.0/8 any -> 4.3.2.1 any (msg:\"abcdefg distance 1 test\"; flow:to_server; sid:2006; content:abcdef; content:ghijklmnop; distance:1;)");
if (sig == NULL)
return;
prevsig->next = sig;
prevsig = sig;
sig = SigInit(g_de_ctx,"alert tcp 172.16.1.0/24 any -> 0.0.0.0/0 any (msg:\"HTTP response code cap\"; flow:to_client; content:HTTP; depth:4; pcre:\"/^HTTP\\/\\d\\.\\d (?<http_response>[0-9]+) [A-z\\s]+\\r\\n/\"; depth:50; sid:3;)");
sig = SigInit(de_ctx,"alert tcp 172.16.1.0/24 any -> 0.0.0.0/0 any (msg:\"HTTP response code cap\"; flow:to_client; content:HTTP; depth:4; pcre:\"/^HTTP\\/\\d\\.\\d (?<http_response>[0-9]+) [A-z\\s]+\\r\\n/\"; depth:50; sid:3;)");
if (sig == NULL)
return;
prevsig->next = sig;
prevsig = sig;
sig = SigInit(g_de_ctx,"alert tcp 172.16.2.0/24 any -> 10.10.10.10 any (msg:\"HTTP server code cap\"; flow:to_client; content:Server:; depth:500; pcre:\"/^Server: (?<http_server>.*)\\r\\n/m\"; sid:4;)");
sig = SigInit(de_ctx,"alert tcp 172.16.2.0/24 any -> 10.10.10.10 any (msg:\"HTTP server code cap\"; flow:to_client; content:Server:; depth:500; pcre:\"/^Server: (?<http_server>.*)\\r\\n/m\"; sid:4;)");
if (sig == NULL)
return;
prevsig->next = sig;
prevsig = sig;
sig = SigInit(g_de_ctx,"alert tcp 192.168.0.1 any -> 1.0.2.1 any (msg:\"\to_client nocase test\"; flow:to_client; content:Servere:; nocase; sid:400;)");
sig = SigInit(de_ctx,"alert tcp 192.168.0.1 any -> 1.0.2.1 any (msg:\"\to_client nocase test\"; flow:to_client; content:Servere:; nocase; sid:400;)");
if (sig == NULL)
return;
prevsig->next = sig;
prevsig = sig;
sig = SigInit(g_de_ctx,"alert tcp 192.168.0.4 any -> 1.2.0.1 any (msg:\"HTTP UA code cap\"; flow:to_server; content:User-Agent:; depth:300; pcre:\"/^User-Agent: (?<http_ua>.*)\\r\\n/m\"; sid:5;)");
sig = SigInit(de_ctx,"alert tcp 192.168.0.4 any -> 1.2.0.1 any (msg:\"HTTP UA code cap\"; flow:to_server; content:User-Agent:; depth:300; pcre:\"/^User-Agent: (?<http_ua>.*)\\r\\n/m\"; sid:5;)");
if (sig == NULL)
return;
prevsig->next = sig;
prevsig = sig;
sig = SigInit(g_de_ctx,"alert tcp 192.168.0.12 any -> 0.0.0.0/0 any (msg:\"HTTP http_host flowvar www.inliniac.net\"; flow:to_server; flowvar:http_host,\"www.inliniac.net\"; sid:7;)");
sig = SigInit(de_ctx,"alert tcp 192.168.0.12 any -> 0.0.0.0/0 any (msg:\"HTTP http_host flowvar www.inliniac.net\"; flow:to_server; flowvar:http_host,\"www.inliniac.net\"; sid:7;)");
if (sig) {
prevsig->next = sig;
prevsig = sig;
}
sig = SigInit(g_de_ctx,"alert tcp 192.168.0.0/16 any -> 0.0.0.0/0 any (msg:\"HTTP http_uri flowvar MattJonkman\"; flow:to_server; flowvar:http_uri,\"MattJonkman\"; sid:8;)");
sig = SigInit(de_ctx,"alert tcp 192.168.0.0/16 any -> 0.0.0.0/0 any (msg:\"HTTP http_uri flowvar MattJonkman\"; flow:to_server; flowvar:http_uri,\"MattJonkman\"; sid:8;)");
if (sig) {
prevsig->next = sig;
prevsig = sig;
}
sig = SigInit(g_de_ctx,"alert tcp 0.0.0.0/0 any -> 0.0.0.0/0 any (msg:\"HTTP uricontent VictorJulien\"; flow:to_server; uricontent:\"VictorJulien\"; nocase; sid:9;)");
sig = SigInit(de_ctx,"alert tcp 0.0.0.0/0 any -> 0.0.0.0/0 any (msg:\"HTTP uricontent VictorJulien\"; flow:to_server; uricontent:\"VictorJulien\"; nocase; sid:9;)");
if (sig) {
prevsig->next = sig;
prevsig = sig;
}
sig = SigInit(g_de_ctx,"alert tcp 0.0.0.0/0 any -> 10.0.0.0/8 any (msg:\"HTTP uricontent VictorJulien\"; flow:to_server; uricontent:\"VictorJulien\"; nocase; sid:5;)");
sig = SigInit(de_ctx,"alert tcp 0.0.0.0/0 any -> 10.0.0.0/8 any (msg:\"HTTP uricontent VictorJulien\"; flow:to_server; uricontent:\"VictorJulien\"; nocase; sid:5;)");
if (sig) {
prevsig->next = sig;
prevsig = sig;
@ -292,7 +289,7 @@ void SigLoadSignatures (char *sig_file)
//if (i > 1000) break;
sig = SigInit(g_de_ctx, line);
sig = SigInit(de_ctx, line);
if (sig) {
prevsig->next = sig;
prevsig = sig;
@ -311,7 +308,7 @@ void SigLoadSignatures (char *sig_file)
//DetectSigGroupPrintMemory();
//DetectPortPrintMemory();
SigGroupBuild(g_de_ctx);
SigGroupBuild(de_ctx);
//SigGroupCleanup(de_ctx);
//DetectAddressGroupPrintMemory();
//DetectSigGroupPrintMemory();
@ -2188,7 +2185,7 @@ int SigAddressCleanupStage1(DetectEngineCtx *de_ctx) {
return 0;
}
void DbgPrintSigs(SigGroupHead *sgh) {
void DbgPrintSigs(DetectEngineCtx *de_ctx, SigGroupHead *sgh) {
if (sgh == NULL) {
printf("\n");
return;
@ -2196,21 +2193,21 @@ void DbgPrintSigs(SigGroupHead *sgh) {
uint32_t sig;
for (sig = 0; sig < sgh->sig_cnt; sig++) {
printf("%" PRIu32 " ", g_de_ctx->sig_array[sgh->match_array[sig]]->id);
printf("%" PRIu32 " ", de_ctx->sig_array[sgh->match_array[sig]]->id);
}
printf("\n");
}
void DbgPrintSigs2(SigGroupHead *sgh) {
void DbgPrintSigs2(DetectEngineCtx *de_ctx, SigGroupHead *sgh) {
if (sgh == NULL) {
printf("\n");
return;
}
uint32_t sig;
for (sig = 0; sig < DetectEngineGetMaxSigId(g_de_ctx); sig++) {
for (sig = 0; sig < DetectEngineGetMaxSigId(de_ctx); sig++) {
if (sgh->sig_array[(sig/8)] & (1<<(sig%8))) {
printf("%" PRIu32 " ", g_de_ctx->sig_array[sig]->id);
printf("%" PRIu32 " ", de_ctx->sig_array[sig]->id);
}
}
printf("\n");
@ -2223,7 +2220,7 @@ void DbgSghContainsSig(DetectEngineCtx *de_ctx, SigGroupHead *sgh, uint32_t sid)
}
uint32_t sig;
for (sig = 0; sig < DetectEngineGetMaxSigId(g_de_ctx); sig++) {
for (sig = 0; sig < DetectEngineGetMaxSigId(de_ctx); sig++) {
if (!(sgh->sig_array[(sig/8)] & (1<<(sig%8))))
continue;
@ -2232,7 +2229,7 @@ void DbgSghContainsSig(DetectEngineCtx *de_ctx, SigGroupHead *sgh, uint32_t sid)
continue;
if (sid == s->id) {
printf("%" PRIu32 " ", g_de_ctx->sig_array[sig]->id);
printf("%" PRIu32 " ", de_ctx->sig_array[sig]->id);
}
}
printf("\n");
@ -2243,7 +2240,7 @@ void DbgSghContainsSig(DetectEngineCtx *de_ctx, SigGroupHead *sgh, uint32_t sid)
//#define PRINTSIGS
/* just printing */
int SigAddressPrepareStage5(void) {
int SigAddressPrepareStage5(DetectEngineCtx *de_ctx) {
DetectAddressGroupsHead *global_dst_gh = NULL;
DetectAddressGroup *global_src_gr = NULL, *global_dst_gr = NULL;
int i;
@ -2257,7 +2254,7 @@ int SigAddressPrepareStage5(void) {
if (proto != 6)
continue;
for (global_src_gr = g_de_ctx->dsize_gh[ds].flow_gh[f].src_gh[proto]->ipv4_head; global_src_gr != NULL;
for (global_src_gr = de_ctx->dsize_gh[ds].flow_gh[f].src_gh[proto]->ipv4_head; global_src_gr != NULL;
global_src_gr = global_src_gr->next)
{
printf("1 Src Addr: "); DetectAddressDataPrint(global_src_gr->ad);
@ -2293,13 +2290,13 @@ int SigAddressPrepareStage5(void) {
#ifdef PRINTSIGS
printf(" - ");
for (i = 0; i < dp->sh->sig_cnt; i++) {
Signature *s = g_de_ctx->sig_array[dp->sh->match_array[i]];
Signature *s = de_ctx->sig_array[dp->sh->match_array[i]];
printf("%" PRIu32 " ", s->id);
}
#endif
printf(" - ");
for (i = 0; i < dp->sh->sig_cnt; i++) {
Signature *s = g_de_ctx->sig_array[dp->sh->match_array[i]];
Signature *s = de_ctx->sig_array[dp->sh->match_array[i]];
if (s->id == 2008335 || s->id == 2001329 || s->id == 2001330 ||
s->id == 2001331 || s->id == 2003321 || s->id == 2003322)
printf("%" PRIu32 " ", s->id);
@ -2331,7 +2328,7 @@ int SigAddressPrepareStage5(void) {
#ifdef PRINTSIGS
printf(" - ");
for (i = 0; i < dp->sh->sig_cnt; i++) {
Signature *s = g_de_ctx->sig_array[dp->sh->match_array[i]];
Signature *s = de_ctx->sig_array[dp->sh->match_array[i]];
printf("%" PRIu32 " ", s->id);
}
#endif
@ -2341,7 +2338,7 @@ int SigAddressPrepareStage5(void) {
}
}
#if 0
for (global_src_gr = g_de_ctx->src_gh[proto]->ipv6_head; global_src_gr != NULL;
for (global_src_gr = de_ctx->src_gh[proto]->ipv6_head; global_src_gr != NULL;
global_src_gr = global_src_gr->next)
{
printf("- "); DetectAddressDataPrint(global_src_gr->ad);
@ -2374,7 +2371,7 @@ int SigAddressPrepareStage5(void) {
#ifdef PRINTSIGS
printf(" - ");
for (i = 0; i < dp->sh->sig_cnt; i++) {
Signature *s = g_de_ctx->sig_array[dp->sh->match_array[i]];
Signature *s = de_ctx->sig_array[dp->sh->match_array[i]];
printf("%" PRIu32 " ", s->id);
}
#endif
@ -2405,7 +2402,7 @@ int SigAddressPrepareStage5(void) {
#ifdef PRINTSIGS
printf(" - ");
for (i = 0; i < dp->sh->sig_cnt; i++) {
Signature *s = g_de_ctx->sig_array[dp->sh->match_array[i]];
Signature *s = de_ctx->sig_array[dp->sh->match_array[i]];
printf("%" PRIu32 " ", s->id);
}
#endif
@ -2415,7 +2412,7 @@ int SigAddressPrepareStage5(void) {
}
}
for (global_src_gr = g_de_ctx->src_gh[proto]->any_head; global_src_gr != NULL;
for (global_src_gr = de_ctx->src_gh[proto]->any_head; global_src_gr != NULL;
global_src_gr = global_src_gr->next)
{
printf("- "); DetectAddressDataPrint(global_src_gr->ad);
@ -2448,7 +2445,7 @@ int SigAddressPrepareStage5(void) {
#ifdef PRINTSIGS
printf(" - ");
for (i = 0; i < dp->sh->sig_cnt; i++) {
Signature *s = g_de_ctx->sig_array[dp->sh->match_array[i]];
Signature *s = de_ctx->sig_array[dp->sh->match_array[i]];
printf("%" PRIu32 " ", s->id);
}
#endif
@ -2479,7 +2476,7 @@ int SigAddressPrepareStage5(void) {
#ifdef PRINTSIGS
printf(" - ");
for (i = 0; i < dp->sh->sig_cnt; i++) {
Signature *s = g_de_ctx->sig_array[dp->sh->match_array[i]];
Signature *s = de_ctx->sig_array[dp->sh->match_array[i]];
printf("%" PRIu32 " ", s->id);
}
#endif
@ -2510,7 +2507,7 @@ int SigAddressPrepareStage5(void) {
#ifdef PRINTSIGS
printf(" - ");
for (i = 0; i < dp->sh->sig_cnt; i++) {
Signature *s = g_de_ctx->sig_array[dp->sh->match_array[i]];
Signature *s = de_ctx->sig_array[dp->sh->match_array[i]];
printf("%" PRIu32 " ", s->id);
}
#endif
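Review bot: SigLoadSignatures still returns void and leaves with a bare `return;` when one of the built-in rules fails to parse, so its caller cannot tell that de_ctx holds a truncated rule list; the later hunk headers place the `SigGroupBuild(de_ctx)` call in the same function, so an early return appears to skip it as well. For a detection engine that is a silent loss of coverage. Since the signature changes in this commit anyway, it could become `int SigLoadSignatures(DetectEngineCtx *de_ctx, char *sig_file)` with `return -1;` on those paths, so that main can stop instead of starting the run modes. Separately, the first rule (sid:1) is guarded with `if (sig) { ... }` while the second does `prevsig->next = sig;` unconditionally, so if sid:1 fails and sid:2 parses, `prevsig` is still NULL there; the sid:1 guard should be `if (sig == NULL) return -1;` like the others. The function body continues outside the visible hunks.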

@ -120,6 +120,7 @@ typedef struct DetectPort_ {
#define SIG_FLAG_NOALERT 0x0020 /**< no alert flag is set */
#define SIG_FLAG_IPONLY 0x0040 /**< ip only signature */
#define SIG_FLAG_MPM 0x0080 /**< sig has mpm portion (content, uricontent, etc) */
#define SIG_FLAG_DEONLY 0x0100 /**< decode event only signature */
/* Detection Engine flags */
#define DE_QUIET 0x01 /**< DE is quiet (esp for unittests) */
@ -368,10 +369,12 @@ typedef struct SigGroupHead_ {
uint16_t mpm_len4; /* 4+ */
} SigGroupHead;
#define SIGMATCH_NOOPT 0x01
void SigLoadSignatures (char *);
void SigTableSetup(void);
/** sigmatch has no options, so the parser shouldn't expect any */
#define SIGMATCH_NOOPT 0x01
/** sigmatch is compatible with a ip only rule */
#define SIGMATCH_IPONLY_COMPAT 0x02
/** sigmatch is compatible with a decode event only rule */
#define SIGMATCH_DEONLY_COMPAT 0x04
enum {
DETECT_SID,
@ -424,11 +427,9 @@ int SigGroupBuild(DetectEngineCtx *);
int SigGroupCleanup();
int PacketAlertAppend(Packet *, uint8_t, uint32_t, uint8_t, uint8_t, char *);
/*
* XXX globals, remove
*/
DetectEngineCtx *g_de_ctx;
void SigLoadSignatures (DetectEngineCtx *, char *);
void SigTableSetup(void);
#endif /* __DETECT_H__ */
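Review bot: The context line `int SigGroupCleanup();` keeps an empty parameter list, which in C leaves the arguments unchecked, while main now calls `SigGroupCleanup(de_ctx)`. With the global gone, every entry point is meant to take the context explicitly, so the prototype should say so: `int SigGroupCleanup(DetectEngineCtx *);`, matching `int SigGroupBuild(DetectEngineCtx *);` just above it. The definition is not visible in this commit, so confirm its parameter list before changing the declaration.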

@ -31,6 +31,7 @@
#include "util-pool.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-mpm.h"
#include "tm-queuehandlers.h"
@ -215,7 +216,7 @@ void EngineKill(void) {
sigflags |= EIDPS_KILL;
}
int RunModeIdsPcap(char *iface) {
int RunModeIdsPcap(DetectEngineCtx *de_ctx, char *iface) {
TimeModeSetLive();
/* create the threads */
@ -280,7 +281,7 @@ int RunModeIdsPcap(char *iface) {
printf("ERROR: TmModuleGetByName Detect failed\n");
exit(1);
}
Tm1SlotSetFunc(tv_detect1,tm_module,(void *)g_de_ctx);
Tm1SlotSetFunc(tv_detect1,tm_module,(void *)de_ctx);
if (TmThreadSpawn(tv_detect1, TVT_PPT, THV_USE | THV_PAUSE) != 0) {
printf("ERROR: TmThreadSpawn failed\n");
@ -297,7 +298,7 @@ int RunModeIdsPcap(char *iface) {
printf("ERROR: TmModuleGetByName Detect failed\n");
exit(1);
}
Tm1SlotSetFunc(tv_detect2,tm_module,(void *)g_de_ctx);
Tm1SlotSetFunc(tv_detect2,tm_module,(void *)de_ctx);
if (TmThreadSpawn(tv_detect2, TVT_PPT, THV_USE | THV_PAUSE) != 0) {
printf("ERROR: TmThreadSpawn failed\n");
@ -390,7 +391,7 @@ int RunModeIdsPcap(char *iface) {
return 0;
}
int RunModeIpsNFQ(void) {
int RunModeIpsNFQ(DetectEngineCtx *de_ctx) {
TimeModeSetLive();
/* create the threads */
@ -455,7 +456,7 @@ int RunModeIpsNFQ(void) {
printf("ERROR: TmModuleGetByName Detect failed\n");
exit(1);
}
Tm1SlotSetFunc(tv_detect1,tm_module,(void *)g_de_ctx);
Tm1SlotSetFunc(tv_detect1,tm_module,(void *)de_ctx);
if (TmThreadSpawn(tv_detect1, TVT_PPT, THV_USE | THV_PAUSE) != 0) {
printf("ERROR: TmThreadSpawn failed\n");
@ -472,7 +473,7 @@ int RunModeIpsNFQ(void) {
printf("ERROR: TmModuleGetByName Detect failed\n");
exit(1);
}
Tm1SlotSetFunc(tv_detect2,tm_module,(void *)g_de_ctx);
Tm1SlotSetFunc(tv_detect2,tm_module,(void *)de_ctx);
if (TmThreadSpawn(tv_detect2, TVT_PPT, THV_USE | THV_PAUSE) != 0) {
printf("ERROR: TmThreadSpawn failed\n");
@ -582,7 +583,7 @@ int RunModeIpsNFQ(void) {
return 0;
}
int RunModeFilePcap(char *file) {
int RunModeFilePcap(DetectEngineCtx *de_ctx, char *file) {
printf("RunModeFilePcap: file %s\n", file);
TimeModeSetOffline();
@ -650,7 +651,7 @@ int RunModeFilePcap(char *file) {
printf("ERROR: TmModuleGetByName Detect failed\n");
exit(1);
}
Tm1SlotSetFunc(tv_detect1,tm_module,(void *)g_de_ctx);
Tm1SlotSetFunc(tv_detect1,tm_module,(void *)de_ctx);
if (TmThreadSpawn(tv_detect1, TVT_PPT, THV_USE | THV_PAUSE) != 0) {
printf("ERROR: TmThreadSpawn failed\n");
@ -667,7 +668,7 @@ int RunModeFilePcap(char *file) {
printf("ERROR: TmModuleGetByName Detect failed\n");
exit(1);
}
Tm1SlotSetFunc(tv_detect2,tm_module,(void *)g_de_ctx);
Tm1SlotSetFunc(tv_detect2,tm_module,(void *)de_ctx);
if (TmThreadSpawn(tv_detect2, TVT_PPT, THV_USE | THV_PAUSE) != 0) {
printf("ERROR: TmThreadSpawn failed\n");
@ -745,7 +746,7 @@ int RunModeFilePcap(char *file) {
/**
* \brief Single thread version of the Pcap file processing.
*/
int RunModeFilePcap2(char *file) {
int RunModeFilePcap2(DetectEngineCtx *de_ctx, char *file) {
printf("RunModeFilePcap2: file %s\n", file);
TimeModeSetOffline();
@ -782,7 +783,7 @@ int RunModeFilePcap2(char *file) {
printf("ERROR: TmModuleGetByName Detect failed\n");
exit(1);
}
TmVarSlotSetFuncAppend(tv,tm_module,(void *)g_de_ctx);
TmVarSlotSetFuncAppend(tv,tm_module,(void *)de_ctx);
tm_module = TmModuleGetByName("AlertFastlog");
if (tm_module == NULL) {
@ -926,7 +927,7 @@ int main(int argc, char **argv)
PatternMatchPrepare(mpm_ctx, MPM_B2G);
PerfInitCounterApi();
/** \todo we need an api for this */
/** \todo we need an api for these */
AppLayerDetectProtoThreadInit();
RegisterAppLayerParsers();
RegisterHTTPParsers();
@ -977,15 +978,13 @@ int main(int argc, char **argv)
DecodeGRERegisterTests();
AlpDetectRegisterTests();
ConfRegisterTests();
UtRunTests();
uint32_t failed = UtRunTests();
UtCleanup();
exit(0);
if (failed) exit(EXIT_FAILURE);
else exit(EXIT_SUCCESS);
}
#endif /* UNITTESTS */
//LoadConfig();
//exit(1);
/* initialize packet queues */
memset(&packet_q,0,sizeof(packet_q));
memset(&trans_q, 0,sizeof(trans_q));
@ -1008,21 +1007,23 @@ int main(int argc, char **argv)
FlowInitConfig(FLOW_VERBOSE);
SigLoadSignatures(sig_file);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
SigLoadSignatures(de_ctx, sig_file);
struct timeval start_time;
memset(&start_time, 0, sizeof(start_time));
gettimeofday(&start_time, NULL);
if (mode == MODE_PCAP_DEV) {
RunModeIdsPcap(pcap_dev);
RunModeIdsPcap(de_ctx, pcap_dev);
}
else if (mode == MODE_PCAP_FILE) {
RunModeFilePcap(pcap_file);
//RunModeFilePcap2(pcap_file);
RunModeFilePcap(de_ctx, pcap_file);
//RunModeFilePcap2(de_ctx, pcap_file);
}
else if (mode == MODE_NFQ) {
RunModeIpsNFQ();
RunModeIpsNFQ(de_ctx);
}
else {
printf("ERROR: Unknown runtime mode.\n");
@ -1078,28 +1079,9 @@ int main(int argc, char **argv)
printf("time elapsed %" PRIuMAX "s\n", (uintmax_t)(end_time.tv_sec - start_time.tv_sec));
TmThreadKillThreads();
PerfReleaseResources();
#if 0
#ifdef DBG_PERF
printf("th_v[0].nfq_t->dbg_maxreadsize %" PRId32 "\n", th_v[0].nfq_t->dbg_maxreadsize);
//printf("th_v[1].nfq_t->dbg_maxreadsize %" PRId32 "\n", th_v[1].nfq_t->dbg_maxreadsize);
#endif /* DBG_PERF */
printf("NFQ Stats 0: pkts %" PRIu32 ", errs %" PRIu32 "\n", th_v[0].nfq_t->pkts, th_v[0].nfq_t->errs);
//printf("NFQ Stats 1: pkts %" PRIu32 ", errs %" PRIu32 "\n", th_v[1].nfq_t->pkts, th_v[1].nfq_t->errs);
PatternMatcherThreadInfo(&th_v[3]);
PatternMatcherThreadInfo(&th_v[4]);
#ifdef DBG_PERF
printf("trans_q[0].dbg_maxlen %" PRIu32 "\n", trans_q[0].dbg_maxlen);
printf("trans_q[1].dbg_maxlen %" PRIu32 "\n", trans_q[1].dbg_maxlen);
printf("trans_q[2].dbg_maxlen %" PRIu32 "\n", trans_q[2].dbg_maxlen);
printf("trans_q[3].dbg_maxlen %" PRIu32 "\n", trans_q[3].dbg_maxlen);
printf("trans_q[4].dbg_maxlen %" PRIu32 "\n", trans_q[4].dbg_maxlen);
printf("dbg_maxpending %" PRIu32 "\n", dbg_maxpending);
#endif /* DBG_PERF */
#endif
break;//pthread_exit(NULL);
break;
}
usleep(100);
@ -1108,8 +1090,10 @@ int main(int argc, char **argv)
FlowShutdown();
FlowPrintFlows();
SigGroupCleanup(g_de_ctx);
SigCleanSignatures(g_de_ctx);
/** \todo review whats needed here */
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineCtxFree(de_ctx);
pthread_exit(NULL);
}
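Review bot: The result of `DetectEngineCtxInit()` in main is passed straight to `SigLoadSignatures(de_ctx, sig_file)`, which writes `de_ctx->sig_list`, and then to the run modes, which hand it to the detect threads as `(void *)de_ctx`. If the init function can return NULL on allocation failure (its body is not shown here), the first dereference crashes during startup. A guard in the file's existing error style would make the failure explicit: `if (de_ctx == NULL) { printf("ERROR: DetectEngineCtxInit failed\n"); exit(EXIT_FAILURE); }`. main's body starts and ends outside these hunks.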

@ -48,9 +48,13 @@ void UtRegisterTest(char *name, int(*TestFn)(void), int evalue) {
UtAppendTest(&ut_list, ut);
}
int UtRunTests(void) {
/** \brief Run all registered unittests.
*
* \retval 0 all successful
* \retval result number of tests that failed
*/
uint32_t UtRunTests(void) {
UtTest *ut;
int result = 0;
uint32_t good = 0, bad = 0;
for (ut = ut_list; ut != NULL; ut = ut->next) {
@ -59,7 +63,6 @@ int UtRunTests(void) {
int ret = ut->TestFn();
printf("%s\n", (ret == ut->evalue) ? "pass" : "FAILED");
if (ret != ut->evalue) {
result = 1;
bad++;
} else {
good++;
@ -70,7 +73,7 @@ int UtRunTests(void) {
printf("PASSED: %" PRIu32 "\n", good);
printf("FAILED: %" PRIu32 "\n", bad);
printf("======================\n");
return result;
return bad;
}
void UtInitialize(void) {
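Review bot: The new doc comment on UtRunTests documents the failure count as `\retval result number of tests that failed`, but `result` is the local variable this commit removes, and `\retval` is meant to name a concrete return value. Something like `\return number of tests that failed, 0 if all passed` describes the new contract without referring to a name that no longer exists.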

@ -15,7 +15,7 @@ typedef struct UtTest_ {
void UtRegisterTest(char *name, int(*TestFn)(void), int evalue);
int UtRunTests(void);
uint32_t UtRunTests(void);
void UtInitialize(void);
void UtCleanup(void);
int UtRunSelftest (void);
