/**
* \brief Search for a threshold data into threshold hash table
*
* \param de_ctx Dectection Context
* \param tsh_ptr Threshold element
* \param p Packet structure
*
* \retval lookup_tsh Return the threshold element
*/
DetectThresholdEntry *ThresholdHashSearch(DetectEngineCtx *de_ctx, DetectThresholdEntry *tsh_ptr, Packet *p)
{
SCEnter();
DetectThresholdEntry *lookup_tsh = NULL;
SCLogDebug("tsh_ptr->track %u", tsh_ptr->track);
if (tsh_ptr->track == TRACK_DST) {
if (PKT_IS_IPV4(p)) {
SCLogDebug("ipv4 dst");
lookup_tsh = HashListTableLookup(de_ctx->ths_ctx.threshold_hash_table_dst, tsh_ptr, sizeof(DetectThresholdEntry));
} else if (PKT_IS_IPV6(p)) {
lookup_tsh = HashListTableLookup(de_ctx->ths_ctx.threshold_hash_table_dst_ipv6, tsh_ptr, sizeof(DetectThresholdEntry));
}
} else if (tsh_ptr->track == TRACK_SRC) {
if (PKT_IS_IPV4(p)) {
SCLogDebug("ipv4 src");
lookup_tsh = HashListTableLookup(de_ctx->ths_ctx.threshold_hash_table_src, tsh_ptr, sizeof(DetectThresholdEntry));
} else if (PKT_IS_IPV6(p))
lookup_tsh = HashListTableLookup(de_ctx->ths_ctx.threshold_hash_table_src_ipv6, tsh_ptr, sizeof(DetectThresholdEntry));
} else {
SCLogDebug("no track, weird");
}
SCReturnPtr(lookup_tsh, "DetectThresholdEntry");
}
static int HashListTableTestFull02 (void)
{
int result = 0;
HashListTable *ht = HashListTableInit(32, HashListTableGenericHash, NULL, NULL);
if (ht == NULL)
goto end;
int r = HashListTableAdd(ht, "test", 4);
if (r != 0)
goto end;
char *rp = HashListTableLookup(ht, "test", 4);
if (rp == NULL)
goto end;
r = HashListTableRemove(ht, "test2", 5);
if (r == 0)
goto end;
/* all is good! */
result = 1;
end:
if (ht != NULL) HashListTableFree(ht);
return result;
}
/**
* \brief Used to lookup a SigGroupHead hash from the detection engine context
* SigGroupHead hash table.
*
* \param de_ctx Pointer to the detection engine context.
* \param sgh Pointer to the SigGroupHead.
*
* \retval rsgh On success a pointer to the SigGroupHead if the SigGroupHead is
* found in the hash table; NULL on failure.
*/
SigGroupHead *SigGroupHeadHashLookup(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
{
SCEnter();
SigGroupHead *rsgh = HashListTableLookup(de_ctx->sgh_hash_table,
(void *)sgh, 0);
SCReturnPtr(rsgh, "SigGroupHead");
}
static int HashListTableTestAdd04 (void)
{
int result = 0;
HashListTable *ht = HashListTableInit(32, HashListTableGenericHash, NULL, NULL);
if (ht == NULL)
goto end;
int r = HashListTableAdd(ht, "test", 4);
if (r != 0)
goto end;
char *rp = HashListTableLookup(ht, "test", 4);
if (rp == NULL)
goto end;
HashListTableBucket *htb = HashListTableGetListHead(ht);
if (htb == NULL) {
printf("htb == NULL: ");
goto end;
}
char *rp2 = HashListTableGetListData(htb);
if (rp2 == NULL) {
printf("rp2 == NULL: ");
goto end;
}
if (rp != rp2) {
printf("rp != rp2: ");
goto end;
}
/* all is good! */
result = 1;
end:
if (ht != NULL) HashListTableFree(ht);
return result;
}
static int DetectThresholdTestSig3(void) {
Packet *p = NULL;
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx;
int result = 0;
int alerts = 0;
struct timeval ts;
DetectThresholdData *td = NULL;
DetectThresholdEntry *lookup_tsh = NULL;
DetectThresholdEntry *ste = NULL;
memset (&ts, 0, sizeof(struct timeval));
TimeGet(&ts);
memset(&th_v, 0, sizeof(th_v));
p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:10;)");
if (s == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
td = SigGetThresholdType(s,p);
/* setup the Entry we use to search our hash with */
ste = SCMalloc(sizeof(DetectThresholdEntry));
if (ste == NULL)
goto end;
memset(ste, 0x00, sizeof(ste));
if (PKT_IS_IPV4(p))
ste->ipv = 4;
else if (PKT_IS_IPV6(p))
ste->ipv = 6;
ste->sid = s->id;
ste->gid = s->gid;
if (td->track == TRACK_DST) {
COPY_ADDRESS(&p->dst, &ste->addr);
} else if (td->track == TRACK_SRC) {
COPY_ADDRESS(&p->src, &ste->addr);
}
ste->track = td->track;
TimeGet(&p->ts);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
lookup_tsh = (DetectThresholdEntry *)HashListTableLookup(de_ctx->ths_ctx.threshold_hash_table_dst, ste, sizeof(DetectThresholdEntry));
if (lookup_tsh == NULL) {
printf("lookup_tsh is NULL: ");
goto cleanup;
}
TimeSetIncrementTime(200);
TimeGet(&p->ts);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (lookup_tsh)
alerts = lookup_tsh->current_count;
if (alerts == 3)
result = 1;
else {
printf("alerts %u != 3: ", alerts);
goto cleanup;
}
cleanup:
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
end:
UTHFreePackets(&p, 1);
return result;
}
static int PrefilterSetupPacketHeaderCommon(SigGroupHead *sgh, int sm_type,
void (*Set)(PrefilterPacketHeaderValue *v, void *),
_Bool (*Compare)(PrefilterPacketHeaderValue v, void *),
void (*Match)(DetectEngineThreadCtx *det_ctx,
Packet *p, const void *pectx),
_Bool u8hash)
{
Signature *s = NULL;
uint32_t sig = 0;
if (sgh == NULL)
return 0;
/* first count how many engines we will need */
HashListTable *hash_table = HashListTableInit(4096,
PrefilterPacketHeaderHashFunc,
PrefilterPacketHeaderCompareFunc,
PrefilterPacketHeaderFreeFunc);
if (hash_table == NULL)
return -1;
for (sig = 0; sig < sgh->sig_cnt; sig++) {
s = sgh->match_array[sig];
if (s == NULL)
continue;
if (s->prefilter_sm == NULL || s->prefilter_sm->type != sm_type)
continue;
PrefilterPacketHeaderHashCtx ctx;
memset(&ctx, 0, sizeof(ctx));
Set(&ctx.v1, s->prefilter_sm->ctx);
GetExtraMatch(s, &ctx.type, &ctx.value);
PrefilterPacketHeaderHashCtx *rctx = HashListTableLookup(hash_table, (void *)&ctx, 0);
if (rctx != 0) {
rctx->cnt++;
} else {
PrefilterPacketHeaderHashCtx *actx = SCCalloc(1, sizeof(*actx));
if (actx == NULL)
goto error;
Set(&actx->v1, s->prefilter_sm->ctx);
actx->cnt = 1;
actx->type = ctx.type;
actx->value = ctx.value;
int ret = HashListTableAdd(hash_table, actx, 0);
if (ret != 0) {
SCFree(actx);
goto error;
}
}
}
if (u8hash == FALSE) {
SetupSingle(hash_table, sgh, sm_type, Compare, Match);
} else {
SetupU8Hash(hash_table, sgh, sm_type, Set, Compare, Match);
}
HashListTableFree(hash_table);
return 0;
error:
HashListTableFree(hash_table);
return -1;
}
/**
* \brief Used to lookup a MpmStore from the MpmStore
*
* \param de_ctx Pointer to the detection engine context.
* \param sgh Pointer to the MpmStore.
*
* \retval rsgh On success a pointer to the MpmStore if the MpmStore is
* found in the hash table; NULL on failure.
*/
static MpmStore *MpmStoreLookup(DetectEngineCtx *de_ctx, MpmStore *s)
{
MpmStore *rs = HashListTableLookup(de_ctx->mpm_hash_table,
(void *)s, 0);
return rs;
}