/* Copyright (C) 2007-2020 Open Information Security Foundation
- *
- * You can copy, redistribute or modify this Program under the terms of
- * the GNU General Public License version 2 as published by the Free
- * Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * version 2 along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301, USA.
- */
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
/**
* \file
#include "util-debug.h"
#include "detect-engine-build.h"
-#define TRACK_DST 1
-#define TRACK_SRC 2
+#define TRACK_DST 1
+#define TRACK_SRC 2
/**
*\brief Regex for parsing our detection_filter options
*/
-#define PARSE_REGEX "^\\s*(track|count|seconds)\\s+(by_src|by_dst|\\d+)\\s*,\\s*(track|count|seconds)\\s+(by_src|by_dst|\\d+)\\s*,\\s*(track|count|seconds)\\s+(by_src|by_dst|\\d+)\\s*$"
+#define PARSE_REGEX \
+ "^\\s*(track|count|seconds)\\s+(by_src|by_dst|\\d+)\\s*,\\s*(track|count|seconds)\\s+(by_src|" \
+ "by_dst|\\d+)\\s*,\\s*(track|count|seconds)\\s+(by_src|by_dst|\\d+)\\s*$"
static DetectParseRegex parse_regex;
-static int DetectDetectionFilterMatch(DetectEngineThreadCtx *,
- Packet *, const Signature *, const SigMatchCtx *);
+static int DetectDetectionFilterMatch(
+ DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *);
static int DetectDetectionFilterSetup(DetectEngineCtx *, Signature *, const char *);
#ifdef UNITTESTS
static void DetectDetectionFilterRegisterTests(void);
/**
* \brief Registration function for detection_filter: keyword
*/
-void DetectDetectionFilterRegister (void)
+void DetectDetectionFilterRegister(void)
{
sigmatch_table[DETECT_DETECTION_FILTER].name = "detection_filter";
- sigmatch_table[DETECT_DETECTION_FILTER].desc = "alert on every match after a threshold has been reached";
+ sigmatch_table[DETECT_DETECTION_FILTER].desc =
+ "alert on every match after a threshold has been reached";
sigmatch_table[DETECT_DETECTION_FILTER].url = "/rules/thresholding.html#detection-filter";
sigmatch_table[DETECT_DETECTION_FILTER].Match = DetectDetectionFilterMatch;
sigmatch_table[DETECT_DETECTION_FILTER].Setup = DetectDetectionFilterSetup;
DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
}
-static int DetectDetectionFilterMatch (DetectEngineThreadCtx *det_ctx,
- Packet *p, const Signature *s, const SigMatchCtx *ctx)
+static int DetectDetectionFilterMatch(
+ DetectEngineThreadCtx *det_ctx, Packet *p, const Signature *s, const SigMatchCtx *ctx)
{
return 1;
}
/**
* \internal
- * \brief This function is used to parse detection_filter options passed via detection_filter: keyword
+ * \brief This function is used to parse detection_filter options passed via detection_filter:
+ * keyword
*
* \param rawstr Pointer to the user provided detection_filter options
*
* \retval df pointer to DetectThresholdData on success
* \retval NULL on failure
*/
-static DetectThresholdData *DetectDetectionFilterParse (const char *rawstr)
+static DetectThresholdData *DetectDetectionFilterParse(const char *rawstr)
{
DetectThresholdData *df = NULL;
int ret = 0, res = 0;
size_t pcre2_len;
const char *str_ptr = NULL;
- char *args[6] = { NULL, NULL, NULL, NULL, NULL, NULL};
+ char *args[6] = { NULL, NULL, NULL, NULL, NULL, NULL };
char *copy_str = NULL, *df_opt = NULL;
int seconds_found = 0, count_found = 0, track_found = 0;
int seconds_pos = 0, count_pos = 0;
goto error;
}
- for (pos = 0, df_opt = strtok_r(copy_str,",", &saveptr);
- pos < strlen(copy_str) && df_opt != NULL;
- pos++, df_opt = strtok_r(NULL,",", &saveptr))
- {
- if(strstr(df_opt,"count"))
+ for (pos = 0, df_opt = strtok_r(copy_str, ",", &saveptr);
+ pos < strlen(copy_str) && df_opt != NULL;
+ pos++, df_opt = strtok_r(NULL, ",", &saveptr)) {
+ if (strstr(df_opt, "count"))
count_found++;
- if(strstr(df_opt,"second"))
+ if (strstr(df_opt, "second"))
seconds_found++;
- if(strstr(df_opt,"track"))
+ if (strstr(df_opt, "track"))
track_found++;
}
SCFree(copy_str);
ret = DetectParsePcreExec(&parse_regex, rawstr, 0, 0);
if (ret < 5) {
- SCLogError(SC_ERR_PCRE_MATCH, "pcre_exec parse error, ret %" PRId32 ", string %s", ret, rawstr);
+ SCLogError(SC_ERR_PCRE_MATCH, "pcre_exec parse error, ret %" PRId32 ", string %s", ret,
+ rawstr);
goto error;
}
if (unlikely(df == NULL))
goto error;
- memset(df,0,sizeof(DetectThresholdData));
+ memset(df, 0, sizeof(DetectThresholdData));
df->type = TYPE_DETECTION;
args[i] = (char *)str_ptr;
- if (strncasecmp(args[i],"by_dst",strlen("by_dst")) == 0)
+ if (strncasecmp(args[i], "by_dst", strlen("by_dst")) == 0)
df->track = TRACK_DST;
- if (strncasecmp(args[i],"by_src",strlen("by_src")) == 0)
+ if (strncasecmp(args[i], "by_src", strlen("by_src")) == 0)
df->track = TRACK_SRC;
- if (strncasecmp(args[i],"count",strlen("count")) == 0)
- count_pos = i+1;
- if (strncasecmp(args[i],"seconds",strlen("seconds")) == 0)
- seconds_pos = i+1;
+ if (strncasecmp(args[i], "count", strlen("count")) == 0)
+ count_pos = i + 1;
+ if (strncasecmp(args[i], "seconds", strlen("seconds")) == 0)
+ seconds_pos = i + 1;
}
if (args[count_pos] == NULL || args[seconds_pos] == NULL) {
goto error;
}
- if (StringParseUint32(&df->count, 10, strlen(args[count_pos]),
- args[count_pos]) <= 0) {
+ if (StringParseUint32(&df->count, 10, strlen(args[count_pos]), args[count_pos]) <= 0) {
goto error;
}
- if (StringParseUint32(&df->seconds, 10, strlen(args[seconds_pos]),
- args[seconds_pos]) <= 0) {
+ if (StringParseUint32(&df->seconds, 10, strlen(args[seconds_pos]), args[seconds_pos]) <= 0) {
goto error;
}
goto error;
}
- for (i = 0; i < 6; i++){
+ for (i = 0; i < 6; i++) {
if (args[i] != NULL)
pcre2_substring_free((PCRE2_UCHAR *)args[i]);
}
return df;
error:
- for (i = 0; i < 6; i++){
+ for (i = 0; i < 6; i++) {
if (args[i] != NULL)
pcre2_substring_free((PCRE2_UCHAR *)args[i]);
}
* \retval 0 on Success
* \retval -1 on Failure
*/
-static int DetectDetectionFilterSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
+static int DetectDetectionFilterSetup(DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
{
SCEnter();
DetectThresholdData *df = NULL;
/* checks if there's a previous instance of threshold */
tmpm = DetectGetLastSMFromLists(s, DETECT_THRESHOLD, -1);
if (tmpm != NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "\"detection_filter\" and \"threshold\" are not allowed in the same rule");
+ SCLogError(SC_ERR_INVALID_SIGNATURE,
+ "\"detection_filter\" and \"threshold\" are not allowed in the same rule");
SCReturnInt(-1);
}
/* checks there's no previous instance of detection_filter */
tmpm = DetectGetLastSMFromLists(s, DETECT_DETECTION_FILTER, -1);
if (tmpm != NULL) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "At most one \"detection_filter\" is allowed per rule");
+ SCLogError(
+ SC_ERR_INVALID_SIGNATURE, "At most one \"detection_filter\" is allowed per rule");
SCReturnInt(-1);
}
* \retval 1 on succces
* \retval 0 on failure
*/
-static int DetectDetectionFilterTestParse01 (void)
+static int DetectDetectionFilterTestParse01(void)
{
DetectThresholdData *df = NULL;
df = DetectDetectionFilterParse("track by_dst,count 10,seconds 60");
* \retval 1 on succces
* \retval 0 on failure
*/
-static int DetectDetectionFilterTestParse02 (void)
+static int DetectDetectionFilterTestParse02(void)
{
DetectThresholdData *df = NULL;
df = DetectDetectionFilterParse("track both,count 10,seconds 60");
}
/**
- * \test DetectDetectionfilterTestParse03 is a test for a valid detection_filter options in any order
+ * \test DetectDetectionfilterTestParse03 is a test for a valid detection_filter options in any
+ * order
*
* \retval 1 on succces
* \retval 0 on failure
*/
-static int DetectDetectionFilterTestParse03 (void)
+static int DetectDetectionFilterTestParse03(void)
{
DetectThresholdData *df = NULL;
df = DetectDetectionFilterParse("track by_dst, seconds 60, count 10");
return 0;
}
-
/**
- * \test DetectDetectionFilterTestParse04 is a test for an invalid detection_filter options in any order
+ * \test DetectDetectionFilterTestParse04 is a test for an invalid detection_filter options in any
+ * order
*
* \retval 1 on succces
* \retval 0 on failure
*/
-static int DetectDetectionFilterTestParse04 (void)
+static int DetectDetectionFilterTestParse04(void)
{
DetectThresholdData *df = NULL;
df = DetectDetectionFilterParse("count 10, track by_dst, seconds 60, count 10");
}
/**
- * \test DetectDetectionFilterTestParse05 is a test for a valid detection_filter options in any order
+ * \test DetectDetectionFilterTestParse05 is a test for a valid detection_filter options in any
+ * order
*
* \retval 1 on succces
* \retval 0 on failure
*/
-static int DetectDetectionFilterTestParse05 (void)
+static int DetectDetectionFilterTestParse05(void)
{
DetectThresholdData *df = NULL;
df = DetectDetectionFilterParse("count 10, track by_dst, seconds 60");
* \retval 1 on succces
* \retval 0 on failure
*/
-static int DetectDetectionFilterTestParse06 (void)
+static int DetectDetectionFilterTestParse06(void)
{
DetectThresholdData *df = NULL;
df = DetectDetectionFilterParse("count 10, track by_dst, seconds 0");
}
/**
- * \test DetectDetectionFilterTestSig1 is a test for checking the working of detection_filter keyword
- * by setting up the signature and later testing its working by matching
- * the received packet against the sig.
+ * \test DetectDetectionFilterTestSig1 is a test for checking the working of detection_filter
+ * keyword by setting up the signature and later testing its working by matching the received packet
+ * against the sig.
*
* \retval 1 on succces
* \retval 0 on failure
}
/**
- * \test DetectDetectionFilterTestSig2 is a test for checking the working of detection_filter keyword
- * by setting up the signature and later testing its working by matching
- * the received packet against the sig.
+ * \test DetectDetectionFilterTestSig2 is a test for checking the working of detection_filter
+ * keyword by setting up the signature and later testing its working by matching the received packet
+ * against the sig.
*
* \retval 1 on succces
* \retval 0 on failure
HostInitConfig(HOST_QUIET);
- memset (&ts, 0, sizeof(struct timeval));
+ memset(&ts, 0, sizeof(struct timeval));
TimeGet(&ts);
memset(&th_v, 0, sizeof(th_v));
HostInitConfig(HOST_QUIET);
- memset (&ts, 0, sizeof(struct timeval));
+ memset(&ts, 0, sizeof(struct timeval));
TimeGet(&ts);
memset(&th_v, 0, sizeof(th_v));
static void DetectDetectionFilterRegisterTests(void)
{
- UtRegisterTest("DetectDetectionFilterTestParse01",
- DetectDetectionFilterTestParse01);
- UtRegisterTest("DetectDetectionFilterTestParse02",
- DetectDetectionFilterTestParse02);
- UtRegisterTest("DetectDetectionFilterTestParse03",
- DetectDetectionFilterTestParse03);
- UtRegisterTest("DetectDetectionFilterTestParse04",
- DetectDetectionFilterTestParse04);
- UtRegisterTest("DetectDetectionFilterTestParse05",
- DetectDetectionFilterTestParse05);
- UtRegisterTest("DetectDetectionFilterTestParse06",
- DetectDetectionFilterTestParse06);
- UtRegisterTest("DetectDetectionFilterTestSig1",
- DetectDetectionFilterTestSig1);
- UtRegisterTest("DetectDetectionFilterTestSig2",
- DetectDetectionFilterTestSig2);
- UtRegisterTest("DetectDetectionFilterTestSig3",
- DetectDetectionFilterTestSig3);
+ UtRegisterTest("DetectDetectionFilterTestParse01", DetectDetectionFilterTestParse01);
+ UtRegisterTest("DetectDetectionFilterTestParse02", DetectDetectionFilterTestParse02);
+ UtRegisterTest("DetectDetectionFilterTestParse03", DetectDetectionFilterTestParse03);
+ UtRegisterTest("DetectDetectionFilterTestParse04", DetectDetectionFilterTestParse04);
+ UtRegisterTest("DetectDetectionFilterTestParse05", DetectDetectionFilterTestParse05);
+ UtRegisterTest("DetectDetectionFilterTestParse06", DetectDetectionFilterTestParse06);
+ UtRegisterTest("DetectDetectionFilterTestSig1", DetectDetectionFilterTestSig1);
+ UtRegisterTest("DetectDetectionFilterTestSig2", DetectDetectionFilterTestSig2);
+ UtRegisterTest("DetectDetectionFilterTestSig3", DetectDetectionFilterTestSig3);
}
#endif /* UNITTESTS */
projects / thirdparty / suricata.git / commitdiff
