#include "suricata-common.h"
#include "detect.h"
-#include "detect-hostbits.h"
+#include "detect-xbits.h"
#include "detect-flowbits.h"
#include "detect-flowint.h"
#include "detect-parse.h"
#define DETECT_FLOWINT_TYPE_SET_READ 3
#define DETECT_FLOWINT_TYPE_SET 4
-#define DETECT_HOSTBITS_NOT_USED 1
-#define DETECT_HOSTBITS_TYPE_READ 2
-#define DETECT_HOSTBITS_TYPE_SET_READ 3
-#define DETECT_HOSTBITS_TYPE_SET 4
+#define DETECT_XBITS_NOT_USED 1
+#define DETECT_XBITS_TYPE_READ 2
+#define DETECT_XBITS_TYPE_SET_READ 3
+#define DETECT_XBITS_TYPE_SET 4
/**
}
/**
- * \brief Returns the hostbit type set for this signature. If more than one
- * hostbit has been set for the same rule, we return the hostbit type of
+ * \brief Returns the xbit type set for this signature. If more than one
+ * xbit has been set for the same rule, we return the xbit type of
* the maximum priority/value, where priority/value is maximum for the
* ones that set the value and the lowest for ones that read the value.
- * If no hostbit has been set for the rule, we return 0, which indicates
- * the least value amongst hostbit types.
+ * If no xbit has been set for the rule, we return 0, which indicates
+ * the least value amongst xbit types.
*
- * \param sig Pointer to the Signature from which the hostbit value has to be
+ * \param sig Pointer to the Signature from which the xbit value has to be
* returned.
*
- * \retval hostbits The hostbits type for this signature if it is set; if it is
+ * \retval xbits The xbits type for this signature if it is set; if it is
* not set, return 0
*/
-static inline int SCSigGetHostbitsType(Signature *sig)
+static inline int SCSigGetXbitsType(Signature *sig, enum VarTypes type)
{
- DetectHostbitsData *fb = NULL;
- int hostbits_user_type = DETECT_HOSTBITS_NOT_USED;
+ DetectXbitsData *fb = NULL;
+ int xbits_user_type = DETECT_XBITS_NOT_USED;
int read = 0;
int write = 0;
SigMatch *sm = sig->sm_lists[DETECT_SM_LIST_MATCH];
while (sm != NULL) {
- if (sm->type == DETECT_HOSTBITS) {
- fb = (DetectHostbitsData *)sm->ctx;
- if (fb->cmd == DETECT_HOSTBITS_CMD_ISNOTSET ||
- fb->cmd == DETECT_HOSTBITS_CMD_ISSET) {
- read++;
- } else {
+ if (sm->type == DETECT_XBITS) {
+ fb = (DetectXbitsData *)sm->ctx;
+ if (fb->type == type) {
+ if (fb->cmd == DETECT_XBITS_CMD_ISNOTSET ||
+ fb->cmd == DETECT_XBITS_CMD_ISSET) {
+ read++;
+ } else {
#ifdef DEBUG
- BUG_ON(1);
+ BUG_ON(1);
#endif
+ }
}
}
sm = sig->sm_lists[DETECT_SM_LIST_POSTMATCH];
while (sm != NULL) {
if (sm->type == DETECT_HOSTBITS) {
- fb = (DetectHostbitsData *)sm->ctx;
- if (fb->cmd == DETECT_HOSTBITS_CMD_SET ||
- fb->cmd == DETECT_HOSTBITS_CMD_UNSET ||
- fb->cmd == DETECT_HOSTBITS_CMD_TOGGLE) {
- write++;
- } else {
+ fb = (DetectXbitsData *)sm->ctx;
+ if (fb->type == type) {
+ if (fb->cmd == DETECT_XBITS_CMD_SET ||
+ fb->cmd == DETECT_XBITS_CMD_UNSET ||
+ fb->cmd == DETECT_XBITS_CMD_TOGGLE) {
+ write++;
+ } else {
#ifdef DEBUG
- BUG_ON(1);
+ BUG_ON(1);
#endif
+ }
}
}
}
if (read > 0 && write == 0) {
- hostbits_user_type = DETECT_HOSTBITS_TYPE_READ;
+ xbits_user_type = DETECT_XBITS_TYPE_READ;
} else if (read == 0 && write > 0) {
- hostbits_user_type = DETECT_HOSTBITS_TYPE_SET;
+ xbits_user_type = DETECT_XBITS_TYPE_SET;
} else if (read > 0 && write > 0) {
- hostbits_user_type = DETECT_HOSTBITS_TYPE_SET_READ;
+ xbits_user_type = DETECT_XBITS_TYPE_SET_READ;
}
- SCLogDebug("Sig %s typeval %d", sig->msg, hostbits_user_type);
+ SCLogDebug("Sig %s typeval %d", sig->msg, xbits_user_type);
- return hostbits_user_type;
+ return xbits_user_type;
}
/**
}
/**
- * \brief Processes the flowbits data for this signature and caches it for
+ * \brief Processes the hostbits data for this signature and caches it for
* future use. This is needed to optimize the sig_ordering module.
*
- * \param sw The sigwrapper/signature for which the flowbits data has to be
+ * \param sw The sigwrapper/signature for which the hostbits data has to be
* cached
*/
static inline void SCSigProcessUserDataForHostbits(SCSigSignatureWrapper *sw)
{
- sw->user[SC_RADIX_USER_DATA_HOSTBITS] = SCSigGetHostbitsType(sw->sig);
+ sw->user[SC_RADIX_USER_DATA_HOSTBITS] = SCSigGetXbitsType(sw->sig, VAR_TYPE_HOST_BIT);
+}
+
+/**
+ * \brief Processes the hostbits data for this signature and caches it for
+ * future use. This is needed to optimize the sig_ordering module.
+ *
+ * \param sw The sigwrapper/signature for which the hostbits data has to be
+ * cached
+ */
+static inline void SCSigProcessUserDataForIPPairbits(SCSigSignatureWrapper *sw)
+{
+ sw->user[SC_RADIX_USER_DATA_IPPAIRBITS] = SCSigGetXbitsType(sw->sig, VAR_TYPE_IPPAIR_BIT);
}
/* Return 1 if sw1 comes before sw2 in the final list. */
sw2->user[SC_RADIX_USER_DATA_HOSTBITS];
}
+/**
+ * \brief Orders an incoming Signature based on its ippairbits (xbits) type
+ *
+ * \param de_ctx Pointer to the detection engine context from which the
+ * signatures have to be ordered.
+ * \param sw The new signature that has to be ordered based on its bits
+ */
+static int SCSigOrderByIPPairbitsCompare(SCSigSignatureWrapper *sw1,
+ SCSigSignatureWrapper *sw2)
+{
+ return sw1->user[SC_RADIX_USER_DATA_IPPAIRBITS] -
+ sw2->user[SC_RADIX_USER_DATA_IPPAIRBITS];
+}
+
/**
* \brief Orders an incoming Signature based on its priority type
*
SCSigProcessUserDataForFlowint(sw);
SCSigProcessUserDataForPktvar(sw);
SCSigProcessUserDataForHostbits(sw);
+ SCSigProcessUserDataForIPPairbits(sw);
return sw;
}
SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare);
SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByHostbitsCompare);
+ SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByIPPairbitsCompare);
SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare);
}
SC_RADIX_USER_DATA_PKTVAR,
SC_RADIX_USER_DATA_FLOWINT,
SC_RADIX_USER_DATA_HOSTBITS,
+ SC_RADIX_USER_DATA_IPPAIRBITS,
SC_RADIX_USER_DATA_MAX
} SCRadixUserDataType;
if (unlikely(cd == NULL))
goto error;
- cd->idx = VariableNameGetIdx(de_ctx, fb_name, DETECT_FLOWBITS);
+ cd->idx = VariableNameGetIdx(de_ctx, fb_name, VAR_TYPE_FLOW_BIT);
cd->cmd = fb_cmd;
SCLogDebug("idx %" PRIu32 ", cmd %s, name %s",
s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"isset option\"; flowbits:isset,fbt; content:\"GET \"; sid:1;)");
- idx = VariableNameGetIdx(de_ctx, "fbt", DETECT_FLOWBITS);
+ idx = VariableNameGetIdx(de_ctx, "fbt", VAR_TYPE_FLOW_BIT);
if (s == NULL || idx != 1) {
goto end;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
- idx = VariableNameGetIdx(de_ctx, "myflow", DETECT_FLOWBITS);
+ idx = VariableNameGetIdx(de_ctx, "myflow", VAR_TYPE_FLOW_BIT);
gv = p->flow->flowvar;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
- idx = VariableNameGetIdx(de_ctx, "myflow", DETECT_FLOWBITS);
+ idx = VariableNameGetIdx(de_ctx, "myflow", VAR_TYPE_FLOW_BIT);
gv = p->flow->flowvar;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
- idx = VariableNameGetIdx(de_ctx, "myflow", DETECT_FLOWBITS);
+ idx = VariableNameGetIdx(de_ctx, "myflow", VAR_TYPE_FLOW_BIT);
gv = p->flow->flowvar;
* return zero(not match).
*/
if (sfd->targettype == FLOWINT_TARGET_VAR) {
- uint16_t tvar_idx = VariableNameGetIdx(det_ctx->de_ctx, sfd->target.tvar.name, DETECT_FLOWINT);
+ uint16_t tvar_idx = VariableNameGetIdx(det_ctx->de_ctx, sfd->target.tvar.name, VAR_TYPE_FLOW_INT);
fvt = FlowVarGet(p->flow, tvar_idx);
/* We don't have that variable initialized yet */
goto error;
}
if (de_ctx != NULL)
- sfd->idx = VariableNameGetIdx(de_ctx, varname, DETECT_FLOWINT);
+ sfd->idx = VariableNameGetIdx(de_ctx, varname, VAR_TYPE_FLOW_INT);
sfd->modifier = modifier;
pcre_free_substring(varname);
fd->name = SCStrdup(varname);
if (unlikely(fd->name == NULL))
goto error;
- fd->idx = VariableNameGetIdx(de_ctx, varname, DETECT_FLOWVAR);
+ fd->idx = VariableNameGetIdx(de_ctx, varname, VAR_TYPE_FLOW_VAR);
/* Okay so far so good, lets get this into a SigMatch
* and put it in the Signature. */
return;
}
-static int DetectHostbitMatchToggle (Packet *p, const DetectHostbitsData *fd)
+static int DetectHostbitMatchToggle (Packet *p, const DetectXbitsData *fd)
{
- switch (fd->dir) {
- case DETECT_HOSTBITS_DIR_SRC:
+ switch (fd->tracker) {
+ case DETECT_XBITS_TRACK_IPSRC:
if (p->host_src == NULL) {
p->host_src = HostGetHostFromHash(&p->src);
if (p->host_src == NULL)
HostBitToggle(p->host_src,fd->idx);
HostUnlock(p->host_src);
break;
- case DETECT_HOSTBITS_DIR_DST:
+ case DETECT_XBITS_TRACK_IPDST:
if (p->host_dst == NULL) {
p->host_dst = HostGetHostFromHash(&p->dst);
if (p->host_dst == NULL)
}
/* return true even if bit not found */
-static int DetectHostbitMatchUnset (Packet *p, const DetectHostbitsData *fd)
+static int DetectHostbitMatchUnset (Packet *p, const DetectXbitsData *fd)
{
- switch (fd->dir) {
- case DETECT_HOSTBITS_DIR_SRC:
+ switch (fd->tracker) {
+ case DETECT_XBITS_TRACK_IPSRC:
if (p->host_src == NULL) {
p->host_src = HostLookupHostFromHash(&p->src);
if (p->host_src == NULL)
HostBitUnset(p->host_src,fd->idx);
HostUnlock(p->host_src);
break;
- case DETECT_HOSTBITS_DIR_DST:
+ case DETECT_XBITS_TRACK_IPDST:
if (p->host_dst == NULL) {
p->host_dst = HostLookupHostFromHash(&p->dst);
if (p->host_dst == NULL)
return 1;
}
-static int DetectHostbitMatchSet (Packet *p, const DetectHostbitsData *fd)
+static int DetectHostbitMatchSet (Packet *p, const DetectXbitsData *fd)
{
- switch (fd->dir) {
- case DETECT_HOSTBITS_DIR_SRC:
+ switch (fd->tracker) {
+ case DETECT_XBITS_TRACK_IPSRC:
if (p->host_src == NULL) {
p->host_src = HostGetHostFromHash(&p->src);
if (p->host_src == NULL)
HostBitSet(p->host_src,fd->idx);
HostUnlock(p->host_src);
break;
- case DETECT_HOSTBITS_DIR_DST:
+ case DETECT_XBITS_TRACK_IPDST:
if (p->host_dst == NULL) {
p->host_dst = HostGetHostFromHash(&p->dst);
if (p->host_dst == NULL)
return 1;
}
-static int DetectHostbitMatchIsset (Packet *p, const DetectHostbitsData *fd)
+static int DetectHostbitMatchIsset (Packet *p, const DetectXbitsData *fd)
{
int r = 0;
- switch (fd->dir) {
- case DETECT_HOSTBITS_DIR_SRC:
+ switch (fd->tracker) {
+ case DETECT_XBITS_TRACK_IPSRC:
if (p->host_src == NULL) {
p->host_src = HostLookupHostFromHash(&p->src);
if (p->host_src == NULL)
} else
HostLock(p->host_src);
- HostLock(p->host_src);
r = HostBitIsset(p->host_src,fd->idx);
HostUnlock(p->host_src);
return r;
- case DETECT_HOSTBITS_DIR_DST:
+ case DETECT_XBITS_TRACK_IPDST:
if (p->host_dst == NULL) {
p->host_dst = HostLookupHostFromHash(&p->dst);
if (p->host_dst == NULL)
} else
HostLock(p->host_dst);
- HostLock(p->host_dst);
r = HostBitIsset(p->host_dst,fd->idx);
HostUnlock(p->host_dst);
return r;
return 0;
}
-static int DetectHostbitMatchIsnotset (Packet *p, const DetectHostbitsData *fd)
+static int DetectHostbitMatchIsnotset (Packet *p, const DetectXbitsData *fd)
{
int r = 0;
- switch (fd->dir) {
- case DETECT_HOSTBITS_DIR_SRC:
+ switch (fd->tracker) {
+ case DETECT_XBITS_TRACK_IPSRC:
if (p->host_src == NULL) {
p->host_src = HostLookupHostFromHash(&p->src);
if (p->host_src == NULL)
} else
HostLock(p->host_src);
- HostLock(p->host_src);
r = HostBitIsnotset(p->host_src,fd->idx);
HostUnlock(p->host_src);
return r;
- case DETECT_HOSTBITS_DIR_DST:
+ case DETECT_XBITS_TRACK_IPDST:
if (p->host_dst == NULL) {
p->host_dst = HostLookupHostFromHash(&p->dst);
if (p->host_dst == NULL)
} else
HostLock(p->host_dst);
- HostLock(p->host_dst);
r = HostBitIsnotset(p->host_dst,fd->idx);
HostUnlock(p->host_dst);
return r;
int DetectHostbitMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p, Signature *s, const SigMatchCtx *ctx)
{
- const DetectHostbitsData *fd = (const DetectHostbitsData *)ctx;
+ const DetectXbitsData *fd = (const DetectXbitsData *)ctx;
if (fd == NULL)
return 0;
switch (fd->cmd) {
- case DETECT_HOSTBITS_CMD_ISSET:
+ case DETECT_XBITS_CMD_ISSET:
return DetectHostbitMatchIsset(p,fd);
- case DETECT_HOSTBITS_CMD_ISNOTSET:
+ case DETECT_XBITS_CMD_ISNOTSET:
return DetectHostbitMatchIsnotset(p,fd);
- case DETECT_HOSTBITS_CMD_SET:
+ case DETECT_XBITS_CMD_SET:
return DetectHostbitMatchSet(p,fd);
- case DETECT_HOSTBITS_CMD_UNSET:
+ case DETECT_XBITS_CMD_UNSET:
return DetectHostbitMatchUnset(p,fd);
- case DETECT_HOSTBITS_CMD_TOGGLE:
+ case DETECT_XBITS_CMD_TOGGLE:
return DetectHostbitMatchToggle(p,fd);
default:
SCLogError(SC_ERR_UNKNOWN_VALUE, "unknown cmd %" PRIu32 "", fd->cmd);
int DetectHostbitSetup (DetectEngineCtx *de_ctx, Signature *s, char *rawstr)
{
- DetectHostbitsData *cd = NULL;
+ DetectXbitsData *cd = NULL;
SigMatch *sm = NULL;
uint8_t fb_cmd = 0;
uint8_t hb_dir = 0;
SCLogInfo("hb_dir_str %s", hb_dir_str);
if (strlen(hb_dir_str) > 0) {
if (strcmp(hb_dir_str, "src") == 0)
- hb_dir = DETECT_HOSTBITS_DIR_SRC;
+ hb_dir = DETECT_XBITS_TRACK_IPSRC;
else if (strcmp(hb_dir_str, "dst") == 0)
- hb_dir = DETECT_HOSTBITS_DIR_DST;
+ hb_dir = DETECT_XBITS_TRACK_IPDST;
else if (strcmp(hb_dir_str, "both") == 0) {
- hb_dir = DETECT_HOSTBITS_DIR_BOTH;
+ //hb_dir = DETECT_XBITS_TRACK_IPBOTH;
SCLogError(SC_ERR_UNIMPLEMENTED, "'both' not implemented");
goto error;
} else {
}
if (strcmp(fb_cmd_str,"noalert") == 0) {
- fb_cmd = DETECT_HOSTBITS_CMD_NOALERT;
+ fb_cmd = DETECT_XBITS_CMD_NOALERT;
} else if (strcmp(fb_cmd_str,"isset") == 0) {
- fb_cmd = DETECT_HOSTBITS_CMD_ISSET;
+ fb_cmd = DETECT_XBITS_CMD_ISSET;
} else if (strcmp(fb_cmd_str,"isnotset") == 0) {
- fb_cmd = DETECT_HOSTBITS_CMD_ISNOTSET;
+ fb_cmd = DETECT_XBITS_CMD_ISNOTSET;
} else if (strcmp(fb_cmd_str,"set") == 0) {
- fb_cmd = DETECT_HOSTBITS_CMD_SET;
+ fb_cmd = DETECT_XBITS_CMD_SET;
} else if (strcmp(fb_cmd_str,"unset") == 0) {
- fb_cmd = DETECT_HOSTBITS_CMD_UNSET;
+ fb_cmd = DETECT_XBITS_CMD_UNSET;
} else if (strcmp(fb_cmd_str,"toggle") == 0) {
- fb_cmd = DETECT_HOSTBITS_CMD_TOGGLE;
+ fb_cmd = DETECT_XBITS_CMD_TOGGLE;
} else {
SCLogError(SC_ERR_UNKNOWN_VALUE, "ERROR: flowbits action \"%s\" is not supported.", fb_cmd_str);
goto error;
}
switch (fb_cmd) {
- case DETECT_HOSTBITS_CMD_NOALERT:
+ case DETECT_XBITS_CMD_NOALERT:
if (strlen(fb_name) != 0)
goto error;
s->flags |= SIG_FLAG_NOALERT;
return 0;
- case DETECT_HOSTBITS_CMD_ISNOTSET:
- case DETECT_HOSTBITS_CMD_ISSET:
- case DETECT_HOSTBITS_CMD_SET:
- case DETECT_HOSTBITS_CMD_UNSET:
- case DETECT_HOSTBITS_CMD_TOGGLE:
+ case DETECT_XBITS_CMD_ISNOTSET:
+ case DETECT_XBITS_CMD_ISSET:
+ case DETECT_XBITS_CMD_SET:
+ case DETECT_XBITS_CMD_UNSET:
+ case DETECT_XBITS_CMD_TOGGLE:
default:
if (strlen(fb_name) == 0)
goto error;
break;
}
- cd = SCMalloc(sizeof(DetectHostbitsData));
+ cd = SCMalloc(sizeof(DetectXbitsData));
if (unlikely(cd == NULL))
goto error;
- cd->idx = VariableNameGetIdx(de_ctx, fb_name, DETECT_HOSTBITS);
+ cd->idx = VariableNameGetIdx(de_ctx, fb_name, VAR_TYPE_HOST_BIT);
cd->cmd = fb_cmd;
- cd->dir = hb_dir;
+ cd->tracker = hb_dir;
+ cd->type = VAR_TYPE_HOST_BIT;
SCLogDebug("idx %" PRIu32 ", cmd %s, name %s",
cd->idx, fb_cmd_str, strlen(fb_name) ? fb_name : "(none)");
sm->ctx = (void *)cd;
switch (fb_cmd) {
- case DETECT_HOSTBITS_CMD_NOALERT:
+ case DETECT_XBITS_CMD_NOALERT:
/* nothing to do */
break;
- case DETECT_HOSTBITS_CMD_ISNOTSET:
- case DETECT_HOSTBITS_CMD_ISSET:
+ case DETECT_XBITS_CMD_ISNOTSET:
+ case DETECT_XBITS_CMD_ISSET:
/* checks, so packet list */
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_MATCH);
break;
- case DETECT_HOSTBITS_CMD_SET:
- case DETECT_HOSTBITS_CMD_UNSET:
- case DETECT_HOSTBITS_CMD_TOGGLE:
+ case DETECT_XBITS_CMD_SET:
+ case DETECT_XBITS_CMD_UNSET:
+ case DETECT_XBITS_CMD_TOGGLE:
/* modifiers, only run when entire sig has matched */
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_POSTMATCH);
break;
void DetectHostbitFree (void *ptr)
{
- DetectHostbitsData *fd = (DetectHostbitsData *)ptr;
+ DetectXbitsData *fd = (DetectXbitsData *)ptr;
if (fd == NULL)
return;
s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"isset option\"; hostbits:isset,fbt; content:\"GET \"; sid:1;)");
- idx = VariableNameGetIdx(de_ctx, "fbt", DETECT_HOSTBITS);
+ idx = VariableNameGetIdx(de_ctx, "fbt", VAR_TYPE_HOST_BIT);
if (s == NULL || idx != 1) {
goto end;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
- idx = VariableNameGetIdx(de_ctx, "myflow", DETECT_HOSTBITS);
+ idx = VariableNameGetIdx(de_ctx, "myflow", VAR_TYPE_HOST_BIT);
gv = p->flow->flowvar;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
- idx = VariableNameGetIdx(de_ctx, "myflow", DETECT_HOSTBITS);
+ idx = VariableNameGetIdx(de_ctx, "myflow", VAR_TYPE_HOST_BIT);
gv = p->flow->flowvar;
#ifndef __DETECT_HOSTBITS_H__
#define __DETECT_HOSTBITS_H__
-#define DETECT_HOSTBITS_CMD_SET 0
-#define DETECT_HOSTBITS_CMD_TOGGLE 1
-#define DETECT_HOSTBITS_CMD_UNSET 2
-#define DETECT_HOSTBITS_CMD_ISNOTSET 3
-#define DETECT_HOSTBITS_CMD_ISSET 4
-#define DETECT_HOSTBITS_CMD_NOALERT 5
-#define DETECT_HOSTBITS_CMD_MAX 6
-
-#define DETECT_HOSTBITS_DIR_SRC 0
-#define DETECT_HOSTBITS_DIR_DST 1
-#define DETECT_HOSTBITS_DIR_BOTH 2
-
-typedef struct DetectHostbitsData_ {
- uint16_t idx;
- uint8_t cmd;
- uint8_t dir;
-} DetectHostbitsData;
+#include "detect-xbits.h"
/* prototypes */
void DetectHostbitsRegister (void);
goto error;
}
- uint16_t idx = VariableNameGetIdx(de_ctx, (char *)value, DETECT_FLOWVAR);
+ uint16_t idx = VariableNameGetIdx(de_ctx, (char *)value, VAR_TYPE_FLOW_VAR);
ld->flowvar[ld->flowvars++] = idx;
SCLogDebug("script uses flowvar %u with script id %u", idx, ld->flowvars - 1);
}
goto error;
}
- uint16_t idx = VariableNameGetIdx(de_ctx, (char *)value, DETECT_FLOWINT);
+ uint16_t idx = VariableNameGetIdx(de_ctx, (char *)value, VAR_TYPE_FLOW_INT);
ld->flowint[ld->flowints++] = idx;
SCLogDebug("script uses flowint %u with script id %u", idx, ld->flowints - 1);
}
}
if (pd->capname != NULL) {
if (pd->flags & DETECT_PCRE_CAPTURE_PKT)
- pd->capidx = VariableNameGetIdx(de_ctx, (char *)pd->capname, DETECT_PKTVAR);
+ pd->capidx = VariableNameGetIdx(de_ctx, (char *)pd->capname, VAR_TYPE_PKT_VAR);
else if (pd->flags & DETECT_PCRE_CAPTURE_FLOW)
- pd->capidx = VariableNameGetIdx(de_ctx, (char *)pd->capname, DETECT_FLOWVAR);
+ pd->capidx = VariableNameGetIdx(de_ctx, (char *)pd->capname, VAR_TYPE_FLOW_VAR);
}
SCLogDebug("pd->capname %s", pd->capname);
int ov[MAX_SUBSTRINGS];
char fb_cmd_str[16] = "", fb_name[256] = "";
char hb_dir_str[16] = "";
+ enum VarTypes var_type = VAR_TYPE_NOT_SET;
ret = pcre_exec(parse_regex, parse_regex_study, rawstr, strlen(rawstr), 0, 0, ov, MAX_SUBSTRINGS);
if (ret != 2 && ret != 3 && ret != 4) {
}
SCLogDebug("hb_dir_str %s", hb_dir_str);
if (strlen(hb_dir_str) > 0) {
- if (strcmp(hb_dir_str, "ip_src") == 0)
+ if (strcmp(hb_dir_str, "ip_src") == 0) {
hb_dir = DETECT_XBITS_TRACK_IPSRC;
- else if (strcmp(hb_dir_str, "ip_dst") == 0)
+ var_type = VAR_TYPE_HOST_BIT;
+ } else if (strcmp(hb_dir_str, "ip_dst") == 0) {
hb_dir = DETECT_XBITS_TRACK_IPDST;
- else if (strcmp(hb_dir_str, "ip_pair") == 0) {
+ var_type = VAR_TYPE_HOST_BIT;
+ } else if (strcmp(hb_dir_str, "ip_pair") == 0) {
hb_dir = DETECT_XBITS_TRACK_IPPAIR;
+ var_type = VAR_TYPE_IPPAIR_BIT;
} else {
// TODO
goto error;
if (unlikely(cd == NULL))
goto error;
- cd->idx = VariableNameGetIdx(de_ctx, fb_name, DETECT_XBITS);
+ cd->idx = VariableNameGetIdx(de_ctx, fb_name, var_type);
cd->cmd = fb_cmd;
cd->tracker = hb_dir;
+ cd->type = var_type;
SCLogDebug("idx %" PRIu32 ", cmd %s, name %s",
cd->idx, fb_cmd_str, strlen(fb_name) ? fb_name : "(none)");
uint16_t idx;
uint8_t cmd;
uint8_t tracker;
+ /** data type: host/ippair/flow used for sig sorting in sigorder */
+ enum VarTypes type;
} DetectXbitsData;
/* prototypes */
}
FlowBit *fb = (FlowBit *) gv;
- char *name = VariableIdxGetName(de_ctx, fb->idx, fb->type);
+ char *name = VariableIdxGetName(de_ctx, fb->idx, VAR_TYPE_FLOW_BIT);
if (name != NULL) {
p->debuglog_flowbits_names[i] = SCStrdup(name);
if (p->debuglog_flowbits_names[i] == NULL) {
/** \brief Get a name idx for a name. If the name is already used reuse the idx.
* \param name nul terminated string with the name
- * \param type variable type (DETECT_FLOWBITS, DETECT_PKTVAR, etc)
+ * \param type variable type
* \retval 0 in case of error
- * \retval _ the idx.
+ * \retval idx the idx or 0
*/
-uint16_t VariableNameGetIdx(DetectEngineCtx *de_ctx, char *name, uint8_t type)
+uint16_t VariableNameGetIdx(DetectEngineCtx *de_ctx, char *name, enum VarTypes type)
{
uint16_t idx = 0;
/** \brief Get a name from the idx.
* \param idx index of the variable whose name is to be fetched
- * \param type variable type (DETECT_FLOWBITS, DETECT_PKTVAR, etc)
+ * \param type variable type
* \retval NULL in case of error
* \retval name of the variable if successful.
*/
-char *VariableIdxGetName(DetectEngineCtx *de_ctx, uint16_t idx, uint8_t type)
+char *VariableIdxGetName(DetectEngineCtx *de_ctx, uint16_t idx, enum VarTypes type)
{
VariableName *fn = SCMalloc(sizeof(VariableName));
if (unlikely(fn == NULL))
int VariableNameInitHash(DetectEngineCtx *);
void VariableNameFreeHash(DetectEngineCtx *);
-uint16_t VariableNameGetIdx(DetectEngineCtx *, char *, uint8_t);
-char * VariableIdxGetName(DetectEngineCtx *, uint16_t , uint8_t);
+uint16_t VariableNameGetIdx(DetectEngineCtx *, char *, enum VarTypes);
+char * VariableIdxGetName(DetectEngineCtx *, uint16_t , enum VarTypes);
#endif
#ifndef __UTIL_VAR_H__
#define __UTIL_VAR_H__
+enum VarTypes {
+ VAR_TYPE_NOT_SET,
+
+ VAR_TYPE_PKT_BIT,
+ VAR_TYPE_PKT_INT,
+ VAR_TYPE_PKT_VAR,
+
+ VAR_TYPE_FLOW_BIT,
+ VAR_TYPE_FLOW_INT,
+ VAR_TYPE_FLOW_VAR,
+
+ VAR_TYPE_HOST_BIT,
+ VAR_TYPE_HOST_INT,
+ VAR_TYPE_HOST_VAR,
+
+ VAR_TYPE_IPPAIR_BIT,
+ VAR_TYPE_IPPAIR_INT,
+ VAR_TYPE_IPPAIR_VAR,
+};
+
typedef struct GenericVar_ {
uint8_t type;
uint16_t idx;
projects / thirdparty / suricata.git / commitdiff
