detect: tcp.seq is now a generic integer

Ticket: 7889

doc/userguide/rules/header-keywords.rst

@@ -378,6 +378,8 @@ keeping track of to what place in a data-stream a byte belongs. If the
 SYN flag is set at 1, then the sequence number of the first byte of
 the data is this number plus 1 (so, 2).
 
+seq uses an :ref:`unsigned 32-bits integer <rules-integer-keywords>`.
+
 Example::
 
   seq:0;

src/detect-engine-analyzer.c

@@ -923,13 +923,11 @@ static void DumpMatches(RuleAnalyzer *ctx, SCJsonBuilder *js, const SigMatchData
                 SCDetectU32ToJson(js, cd);
                 SCJbClose(js);
                 break;
-
-                break;
             }
             case DETECT_SEQ: {
-                const DetectSeqData *cd = (const DetectSeqData *)smd->ctx;
+                const DetectU32Data *cd = (const DetectU32Data *)smd->ctx;
                 SCJbOpenObject(js, "seq");
-                SCJbSetUint(js, "number", cd->seq);
+                SCDetectU32ToJson(js, cd);
                 SCJbClose(js);
                 break;
             }

src/detect-fragoffset.c

@@ -40,7 +40,6 @@
 #include "util-unittest.h"
 #include "util-debug.h"
 
-
 static int DetectFragOffsetMatch(DetectEngineThreadCtx *,
         Packet *, const Signature *, const SigMatchCtx *);
 static int DetectFragOffsetSetup(DetectEngineCtx *, Signature *, const char *);
@@ -71,7 +70,6 @@ void DetectFragOffsetRegister (void)
     sigmatch_table[DETECT_FRAGOFFSET].SetupPrefilter = PrefilterSetupFragOffset;
 }
 
-
 /**
  * \brief This function is used to match fragoffset rule option set on a packet
  *

src/detect-icmp-id.c

@@ -40,7 +40,6 @@
 #include "util-unittest-helper.h"
 #include "util-debug.h"
 
-
 static int DetectIcmpIdMatch(DetectEngineThreadCtx *, Packet *,
         const Signature *, const SigMatchCtx *);
 static int DetectIcmpIdSetup(DetectEngineCtx *, Signature *, const char *);

src/detect-tcp-seq.c

@@ -32,6 +32,7 @@
 #include "detect-engine-prefilter.h"
 #include "detect-engine-prefilter-common.h"
 #include "detect-engine-build.h"
+#include "detect-engine-uint.h"
 
 #include "detect-tcp-seq.h"
 
@@ -59,6 +60,7 @@ void DetectSeqRegister(void)
     sigmatch_table[DETECT_SEQ].Match = DetectSeqMatch;
     sigmatch_table[DETECT_SEQ].Setup = DetectSeqSetup;
     sigmatch_table[DETECT_SEQ].Free = DetectSeqFree;
+    sigmatch_table[DETECT_SEQ].flags = SIGMATCH_INFO_UINT32;
 #ifdef UNITTESTS
     sigmatch_table[DETECT_SEQ].RegisterTests = DetectSeqRegisterTests;
 #endif
@@ -81,7 +83,7 @@ void DetectSeqRegister(void)
 static int DetectSeqMatch(DetectEngineThreadCtx *det_ctx,
                           Packet *p, const Signature *s, const SigMatchCtx *ctx)
 {
-    const DetectSeqData *data = (const DetectSeqData *)ctx;
+    const DetectU32Data *data = (const DetectU32Data *)ctx;
 
     DEBUG_VALIDATE_BUG_ON(PKT_IS_PSEUDOPKT(p));
     /* This is only needed on TCP packets */
@@ -89,7 +91,7 @@ static int DetectSeqMatch(DetectEngineThreadCtx *det_ctx,
         return 0;
     }
 
-    return (data->seq == TCP_GET_RAW_SEQ(PacketGetTCP(p))) ? 1 : 0;
+    return DetectU32Match(TCP_GET_RAW_SEQ(PacketGetTCP(p)), data);
 }
 
 /**
@@ -105,29 +107,17 @@ static int DetectSeqMatch(DetectEngineThreadCtx *det_ctx,
  */
 static int DetectSeqSetup (DetectEngineCtx *de_ctx, Signature *s, const char *optstr)
 {
-    DetectSeqData *data = NULL;
-
-    data = SCMalloc(sizeof(DetectSeqData));
-    if (unlikely(data == NULL))
-        goto error;
-
-    if (StringParseUint32(&data->seq, 10, 0, optstr) < 0) {
-        goto error;
-    }
+    DetectU32Data *data = SCDetectU32Parse(optstr);
+    if (data == NULL)
+        return -1;
 
     if (SCSigMatchAppendSMToList(
                 de_ctx, s, DETECT_SEQ, (SigMatchCtx *)data, DETECT_SM_LIST_MATCH) == NULL) {
-        goto error;
+        DetectSeqFree(de_ctx, data);
+        return -1;
     }
     s->flags |= SIG_FLAG_REQUIRE_PACKET;
-
     return 0;
-
-error:
-    if (data)
-        SCFree(data);
-    return -1;
-
 }
 
 /**
@@ -138,8 +128,7 @@ error:
  */
 static void DetectSeqFree(DetectEngineCtx *de_ctx, void *ptr)
 {
-    DetectSeqData *data = (DetectSeqData *)ptr;
-    SCFree(data);
+    SCDetectU32Free(ptr);
 }
 
 /* prefilter code */
@@ -153,33 +142,22 @@ PrefilterPacketSeqMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const void *p
     if (!PrefilterPacketHeaderExtraMatch(ctx, p))
         return;
 
-    if (p->proto == IPPROTO_TCP && PacketIsTCP(p) &&
-            (TCP_GET_RAW_SEQ(PacketGetTCP(p)) == ctx->v1.u32[0])) {
-        SCLogDebug("packet matches TCP seq %u", ctx->v1.u32[0]);
-        PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);
+    if (p->proto == IPPROTO_TCP && PacketIsTCP(p)) {
+        DetectU32Data du32;
+        du32.mode = ctx->v1.u8[0];
+        du32.arg1 = ctx->v1.u32[1];
+        du32.arg2 = ctx->v1.u32[2];
+        if (DetectU32Match(TCP_GET_RAW_SEQ(PacketGetTCP(p)), &du32)) {
+            SCLogDebug("packet matches TCP seq %u", ctx->v1.u32[0]);
+            PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);
+        }
     }
 }
 
-static void
-PrefilterPacketSeqSet(PrefilterPacketHeaderValue *v, void *smctx)
-{
-    const DetectSeqData *a = smctx;
-    v->u32[0] = a->seq;
-}
-
-static bool
-PrefilterPacketSeqCompare(PrefilterPacketHeaderValue v, void *smctx)
-{
-    const DetectSeqData *a = smctx;
-    if (v.u32[0] == a->seq)
-        return true;
-    return false;
-}
-
 static int PrefilterSetupTcpSeq(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
 {
     return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_SEQ, SIG_MASK_REQUIRE_REAL_PKT,
-            PrefilterPacketSeqSet, PrefilterPacketSeqCompare, PrefilterPacketSeqMatch);
+            PrefilterPacketU32Set, PrefilterPacketU32Compare, PrefilterPacketSeqMatch);
 }
 
 static bool PrefilterTcpSeqIsPrefilterable(const Signature *s)

src/detect-tcp-seq.h

@@ -24,13 +24,6 @@
 #ifndef SURICATA_DETECT_SEQ_H
 #define SURICATA_DETECT_SEQ_H
 
-/**
- * \brief seq data
- */
-typedef struct DetectSeqData_ {
-    uint32_t seq;                    /**< seq to match */
-} DetectSeqData;
-
 /**
  * \brief Registration function for ack: keyword
  */