/** * \brief Search for a threshold data into threshold hash table * * \param de_ctx Dectection Context * \param tsh_ptr Threshold element * \param p Packet structure * * \retval lookup_tsh Return the threshold element */ DetectThresholdEntry *ThresholdHashSearch(DetectEngineCtx *de_ctx, DetectThresholdEntry *tsh_ptr, Packet *p) { SCEnter(); DetectThresholdEntry *lookup_tsh = NULL; SCLogDebug("tsh_ptr->track %u", tsh_ptr->track); if (tsh_ptr->track == TRACK_DST) { if (PKT_IS_IPV4(p)) { SCLogDebug("ipv4 dst"); lookup_tsh = HashListTableLookup(de_ctx->ths_ctx.threshold_hash_table_dst, tsh_ptr, sizeof(DetectThresholdEntry)); } else if (PKT_IS_IPV6(p)) { lookup_tsh = HashListTableLookup(de_ctx->ths_ctx.threshold_hash_table_dst_ipv6, tsh_ptr, sizeof(DetectThresholdEntry)); } } else if (tsh_ptr->track == TRACK_SRC) { if (PKT_IS_IPV4(p)) { SCLogDebug("ipv4 src"); lookup_tsh = HashListTableLookup(de_ctx->ths_ctx.threshold_hash_table_src, tsh_ptr, sizeof(DetectThresholdEntry)); } else if (PKT_IS_IPV6(p)) lookup_tsh = HashListTableLookup(de_ctx->ths_ctx.threshold_hash_table_src_ipv6, tsh_ptr, sizeof(DetectThresholdEntry)); } else { SCLogDebug("no track, weird"); } SCReturnPtr(lookup_tsh, "DetectThresholdEntry"); }
static int HashListTableTestFull02 (void) { int result = 0; HashListTable *ht = HashListTableInit(32, HashListTableGenericHash, NULL, NULL); if (ht == NULL) goto end; int r = HashListTableAdd(ht, "test", 4); if (r != 0) goto end; char *rp = HashListTableLookup(ht, "test", 4); if (rp == NULL) goto end; r = HashListTableRemove(ht, "test2", 5); if (r == 0) goto end; /* all is good! */ result = 1; end: if (ht != NULL) HashListTableFree(ht); return result; }
/** * \brief Used to lookup a SigGroupHead hash from the detection engine context * SigGroupHead hash table. * * \param de_ctx Pointer to the detection engine context. * \param sgh Pointer to the SigGroupHead. * * \retval rsgh On success a pointer to the SigGroupHead if the SigGroupHead is * found in the hash table; NULL on failure. */ SigGroupHead *SigGroupHeadHashLookup(DetectEngineCtx *de_ctx, SigGroupHead *sgh) { SCEnter(); SigGroupHead *rsgh = HashListTableLookup(de_ctx->sgh_hash_table, (void *)sgh, 0); SCReturnPtr(rsgh, "SigGroupHead"); }
static int HashListTableTestAdd04 (void) { int result = 0; HashListTable *ht = HashListTableInit(32, HashListTableGenericHash, NULL, NULL); if (ht == NULL) goto end; int r = HashListTableAdd(ht, "test", 4); if (r != 0) goto end; char *rp = HashListTableLookup(ht, "test", 4); if (rp == NULL) goto end; HashListTableBucket *htb = HashListTableGetListHead(ht); if (htb == NULL) { printf("htb == NULL: "); goto end; } char *rp2 = HashListTableGetListData(htb); if (rp2 == NULL) { printf("rp2 == NULL: "); goto end; } if (rp != rp2) { printf("rp != rp2: "); goto end; } /* all is good! */ result = 1; end: if (ht != NULL) HashListTableFree(ht); return result; }
static int DetectThresholdTestSig3(void) { Packet *p = NULL; Signature *s = NULL; ThreadVars th_v; DetectEngineThreadCtx *det_ctx; int result = 0; int alerts = 0; struct timeval ts; DetectThresholdData *td = NULL; DetectThresholdEntry *lookup_tsh = NULL; DetectThresholdEntry *ste = NULL; memset (&ts, 0, sizeof(struct timeval)); TimeGet(&ts); memset(&th_v, 0, sizeof(th_v)); p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80); DetectEngineCtx *de_ctx = DetectEngineCtxInit(); if (de_ctx == NULL) { goto end; } de_ctx->flags |= DE_QUIET; s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:10;)"); if (s == NULL) { goto end; } SigGroupBuild(de_ctx); DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); td = SigGetThresholdType(s,p); /* setup the Entry we use to search our hash with */ ste = SCMalloc(sizeof(DetectThresholdEntry)); if (ste == NULL) goto end; memset(ste, 0x00, sizeof(ste)); if (PKT_IS_IPV4(p)) ste->ipv = 4; else if (PKT_IS_IPV6(p)) ste->ipv = 6; ste->sid = s->id; ste->gid = s->gid; if (td->track == TRACK_DST) { COPY_ADDRESS(&p->dst, &ste->addr); } else if (td->track == TRACK_SRC) { COPY_ADDRESS(&p->src, &ste->addr); } ste->track = td->track; TimeGet(&p->ts); SigMatchSignatures(&th_v, de_ctx, det_ctx, p); SigMatchSignatures(&th_v, de_ctx, det_ctx, p); SigMatchSignatures(&th_v, de_ctx, det_ctx, p); lookup_tsh = (DetectThresholdEntry *)HashListTableLookup(de_ctx->ths_ctx.threshold_hash_table_dst, ste, sizeof(DetectThresholdEntry)); if (lookup_tsh == NULL) { printf("lookup_tsh is NULL: "); goto cleanup; } TimeSetIncrementTime(200); TimeGet(&p->ts); SigMatchSignatures(&th_v, de_ctx, det_ctx, p); SigMatchSignatures(&th_v, de_ctx, det_ctx, p); SigMatchSignatures(&th_v, de_ctx, det_ctx, p); if (lookup_tsh) alerts = lookup_tsh->current_count; if (alerts == 3) result = 1; else { printf("alerts %u != 3: ", alerts); goto cleanup; } cleanup: SigGroupCleanup(de_ctx); SigCleanSignatures(de_ctx); DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); DetectEngineCtxFree(de_ctx); end: UTHFreePackets(&p, 1); return result; }
static int PrefilterSetupPacketHeaderCommon(SigGroupHead *sgh, int sm_type, void (*Set)(PrefilterPacketHeaderValue *v, void *), _Bool (*Compare)(PrefilterPacketHeaderValue v, void *), void (*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx), _Bool u8hash) { Signature *s = NULL; uint32_t sig = 0; if (sgh == NULL) return 0; /* first count how many engines we will need */ HashListTable *hash_table = HashListTableInit(4096, PrefilterPacketHeaderHashFunc, PrefilterPacketHeaderCompareFunc, PrefilterPacketHeaderFreeFunc); if (hash_table == NULL) return -1; for (sig = 0; sig < sgh->sig_cnt; sig++) { s = sgh->match_array[sig]; if (s == NULL) continue; if (s->prefilter_sm == NULL || s->prefilter_sm->type != sm_type) continue; PrefilterPacketHeaderHashCtx ctx; memset(&ctx, 0, sizeof(ctx)); Set(&ctx.v1, s->prefilter_sm->ctx); GetExtraMatch(s, &ctx.type, &ctx.value); PrefilterPacketHeaderHashCtx *rctx = HashListTableLookup(hash_table, (void *)&ctx, 0); if (rctx != 0) { rctx->cnt++; } else { PrefilterPacketHeaderHashCtx *actx = SCCalloc(1, sizeof(*actx)); if (actx == NULL) goto error; Set(&actx->v1, s->prefilter_sm->ctx); actx->cnt = 1; actx->type = ctx.type; actx->value = ctx.value; int ret = HashListTableAdd(hash_table, actx, 0); if (ret != 0) { SCFree(actx); goto error; } } } if (u8hash == FALSE) { SetupSingle(hash_table, sgh, sm_type, Compare, Match); } else { SetupU8Hash(hash_table, sgh, sm_type, Set, Compare, Match); } HashListTableFree(hash_table); return 0; error: HashListTableFree(hash_table); return -1; }
/** * \brief Used to lookup a MpmStore from the MpmStore * * \param de_ctx Pointer to the detection engine context. * \param sgh Pointer to the MpmStore. * * \retval rsgh On success a pointer to the MpmStore if the MpmStore is * found in the hash table; NULL on failure. */ static MpmStore *MpmStoreLookup(DetectEngineCtx *de_ctx, MpmStore *s) { MpmStore *rs = HashListTableLookup(de_ctx->mpm_hash_table, (void *)s, 0); return rs; }