suricata
detect-base64-decode.c
Go to the documentation of this file.
1 /* Copyright (C) 2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 #include "suricata-common.h"
19 #include "detect.h"
20 #include "detect-parse.h"
21 #include "detect-base64-decode.h"
22 #include "util-base64.h"
23 #include "util-byte.h"
24 #include "util-print.h"
25 
26 /* Arbitrary maximum buffer size for decoded base64 data. */
27 #define BASE64_DECODE_MAX 65535
28 
29 static const char decode_pattern[] = "\\s*(bytes\\s+(\\d+),?)?"
30  "\\s*(offset\\s+(\\d+),?)?"
31  "\\s*(\\w+)?";
32 
33 static DetectParseRegex decode_pcre;
34 
35 static int DetectBase64DecodeSetup(DetectEngineCtx *, Signature *, const char *);
36 static void DetectBase64DecodeFree(DetectEngineCtx *, void *);
37 #ifdef UNITTESTS
38 static void DetectBase64DecodeRegisterTests(void);
39 #endif
40 
42 {
43  sigmatch_table[DETECT_BASE64_DECODE].name = "base64_decode";
45  "Decodes base64 encoded data.";
47  "/rules/base64-keywords.html#base64-decode";
48  sigmatch_table[DETECT_BASE64_DECODE].Setup = DetectBase64DecodeSetup;
49  sigmatch_table[DETECT_BASE64_DECODE].Free = DetectBase64DecodeFree;
50 #ifdef UNITTESTS
52  DetectBase64DecodeRegisterTests;
53 #endif
55 
56  DetectSetupParseRegexes(decode_pattern, &decode_pcre);
57 }
58 
60  const SigMatchData *smd, const uint8_t *payload, uint32_t payload_len)
61 {
63  int decode_len;
64 
65 #if 0
66  printf("Input data:\n");
67  PrintRawDataFp(stdout, payload, payload_len);
68 #endif
69 
70  if (data->relative) {
71  payload += det_ctx->buffer_offset;
72  payload_len -= det_ctx->buffer_offset;
73  }
74 
75  if (data->offset) {
76  if (data->offset >= payload_len) {
77  return 0;
78  }
79  payload = payload + data->offset;
80  payload_len -= data->offset;
81  }
82 
83  decode_len = MIN(payload_len, data->bytes);
84 
85 #if 0
86  printf("Decoding:\n");
87  PrintRawDataFp(stdout, payload, decode_len);
88 #endif
89 
91  payload, decode_len, 0);
92  SCLogDebug("Decoded %d bytes from base64 data.",
93  det_ctx->base64_decoded_len);
94 #if 0
95  if (det_ctx->base64_decoded_len) {
96  printf("Decoded data:\n");
97  PrintRawDataFp(stdout, det_ctx->base64_decoded,
98  det_ctx->base64_decoded_len);
99  }
100 #endif
101 
102  return det_ctx->base64_decoded_len > 0;
103 }
104 
105 static int DetectBase64DecodeParse(const char *str, uint32_t *bytes,
106  uint32_t *offset, uint8_t *relative)
107 {
108  static const int max = 30;
109  int ov[max];
110  int pcre_rc;
111  const char *bytes_str = NULL;
112  const char *offset_str = NULL;
113  const char *relative_str = NULL;
114  int retval = 0;
115 
116  *bytes = 0;
117  *offset = 0;
118  *relative = 0;
119 
120  pcre_rc = DetectParsePcreExec(&decode_pcre, str, 0, 0, ov, max);
121  if (pcre_rc < 3) {
122  goto error;
123  }
124 
125  if (pcre_rc >= 3) {
126  if (pcre_get_substring((char *)str, ov, max, 2, &bytes_str) > 0) {
127  if (StringParseUint32(bytes, 10, 0, bytes_str) <= 0) {
129  "Bad value for bytes: \"%s\"", bytes_str);
130  goto error;
131  }
132  }
133  }
134 
135  if (pcre_rc >= 5) {
136  if (pcre_get_substring((char *)str, ov, max, 4, &offset_str)) {
137  if (StringParseUint32(offset, 10, 0, offset_str) <= 0) {
139  "Bad value for offset: \"%s\"", offset_str);
140  goto error;
141  }
142  }
143  }
144 
145  if (pcre_rc >= 6) {
146  if (pcre_get_substring((char *)str, ov, max, 5, &relative_str)) {
147  if (strcmp(relative_str, "relative") == 0) {
148  *relative = 1;
149  }
150  else {
152  "Invalid argument: \"%s\"", relative_str);
153  goto error;
154  }
155  }
156  }
157 
158  retval = 1;
159 error:
160  if (bytes_str != NULL) {
161  pcre_free_substring(bytes_str);
162  }
163  if (offset_str != NULL) {
164  pcre_free_substring(offset_str);
165  }
166  if (relative_str != NULL) {
167  pcre_free_substring(relative_str);
168  }
169  return retval;
170 }
171 
172 static int DetectBase64DecodeSetup(DetectEngineCtx *de_ctx, Signature *s,
173  const char *str)
174 {
175  uint32_t bytes = 0;
176  uint32_t offset = 0;
177  uint8_t relative = 0;
178  DetectBase64Decode *data = NULL;
179  int sm_list;
180  SigMatch *sm = NULL;
181  SigMatch *pm = NULL;
182 
183  if (str != NULL) {
184  if (!DetectBase64DecodeParse(str, &bytes, &offset, &relative)) {
185  goto error;
186  }
187  }
188  data = SCCalloc(1, sizeof(DetectBase64Decode));
189  if (unlikely(data == NULL)) {
190  goto error;
191  }
192  data->bytes = bytes;
193  data->offset = offset;
194  data->relative = relative;
195 
196  if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
197  sm_list = s->init_data->list;
198 #if 0
199  if (data->relative) {
200  pm = SigMatchGetLastSMFromLists(s, 4,
201  DETECT_CONTENT, s->sm_lists_tail[sm_list],
202  DETECT_PCRE, s->sm_lists_tail[sm_list]);
203  }
204 #endif
205  }
206  else {
210  DETECT_ISDATAAT, -1);
211  if (pm == NULL) {
212  sm_list = DETECT_SM_LIST_PMATCH;
213  }
214  else {
215  sm_list = SigMatchListSMBelongsTo(s, pm);
216  if (sm_list < 0) {
217  goto error;
218  }
219  }
220  }
221 
222  sm = SigMatchAlloc();
223  if (sm == NULL) {
224  goto error;
225  }
227  sm->ctx = (SigMatchCtx *)data;
228  SigMatchAppendSMToList(s, sm, sm_list);
229 
230  if (!data->bytes) {
231  data->bytes = BASE64_DECODE_MAX;
232  }
233  if (data->bytes > de_ctx->base64_decode_max_len) {
235  }
236 
237  return 0;
238 error:
239  if (data != NULL) {
240  SCFree(data);
241  }
242  return -1;
243 }
244 
245 static void DetectBase64DecodeFree(DetectEngineCtx *de_ctx, void *ptr)
246 {
247  DetectBase64Decode *data = ptr;
248  SCFree(data);
249 }
250 
251 
252 #ifdef UNITTESTS
253 #include "detect-engine.h"
254 #include "util-unittest.h"
255 #include "util-unittest-helper.h"
256 #include "app-layer-parser.h"
257 #include "flow-util.h"
258 #include "stream-tcp.h"
259 
260 static int g_http_header_buffer_id = 0;
261 
262 static int DetectBase64TestDecodeParse(void)
263 {
264  int retval = 0;
265  uint32_t bytes = 0;
266  uint32_t offset = 0;
267  uint8_t relative = 0;
268 
269  if (!DetectBase64DecodeParse("bytes 1", &bytes, &offset, &relative)) {
270  goto end;
271  }
272  if (bytes != 1 || offset != 0 || relative != 0) {
273  goto end;
274  }
275 
276  if (!DetectBase64DecodeParse("offset 9", &bytes, &offset, &relative)) {
277  goto end;
278  }
279  if (bytes != 0 || offset != 9 || relative != 0) {
280  goto end;
281  }
282 
283  if (!DetectBase64DecodeParse("relative", &bytes, &offset, &relative)) {
284  goto end;
285  }
286  if (bytes != 0 || offset != 0 || relative != 1) {
287  goto end;
288  }
289 
290  if (!DetectBase64DecodeParse("bytes 1, offset 2", &bytes, &offset,
291  &relative)) {
292  goto end;
293  }
294  if (bytes != 1 || offset != 2 || relative != 0) {
295  goto end;
296  }
297 
298  if (!DetectBase64DecodeParse("bytes 1, offset 2, relative", &bytes, &offset,
299  &relative)) {
300  goto end;
301  }
302  if (bytes != 1 || offset != 2 || relative != 1) {
303  goto end;
304  }
305 
306  if (!DetectBase64DecodeParse("offset 2, relative", &bytes, &offset,
307  &relative)) {
308  goto end;
309  }
310  if (bytes != 0 || offset != 2 || relative != 1) {
311  goto end;
312  }
313 
314  /* Misspelled relative. */
315  if (DetectBase64DecodeParse("bytes 1, offset 2, relatve", &bytes, &offset,
316  &relative)) {
317  goto end;
318  }
319 
320  /* Misspelled bytes. */
321  if (DetectBase64DecodeParse("byts 1, offset 2, relatve", &bytes, &offset,
322  &relative)) {
323  goto end;
324  }
325 
326  /* Misspelled offset. */
327  if (DetectBase64DecodeParse("bytes 1, offst 2, relatve", &bytes, &offset,
328  &relative)) {
329  goto end;
330  }
331 
332  /* Misspelled empty string. */
333  if (DetectBase64DecodeParse("", &bytes, &offset, &relative)) {
334  goto end;
335  }
336 
337  retval = 1;
338 end:
339  return retval;
340 }
341 
342 /**
343  * Test keyword setup on basic content.
344  */
345 static int DetectBase64DecodeTestSetup(void)
346 {
347  DetectEngineCtx *de_ctx = NULL;
348  Signature *s;
349  int retval = 0;
350 
352  if (de_ctx == NULL) {
353  goto end;
354  }
355 
357  "alert tcp any any -> any any ("
358  "msg:\"DetectBase64DecodeTestSetup\"; "
359  "base64_decode; content:\"content\"; "
360  "sid:1; rev:1;)");
361  if (de_ctx->sig_list == NULL) {
362  goto end;
363  }
364  s = de_ctx->sig_list;
365  if (s == NULL) {
366  goto end;
367  }
368  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
369  goto end;
370  }
371 
372  retval = 1;
373 end:
374  if (de_ctx != NULL) {
378  }
379  return retval;
380 }
381 
382 /**
383  * Test keyword setup when the prior rule has a content modifier on
384  * it.
385  */
386 static int DetectBase64DecodeHttpHeaderTestSetup(void)
387 {
388  DetectEngineCtx *de_ctx = NULL;
389  Signature *s;
390  int retval = 0;
391 
393  if (de_ctx == NULL) {
394  goto end;
395  }
396 
398  "alert tcp any any -> any any ("
399  "msg:\"DetectBase64DecodeTestSetup\"; "
400  "content:\"Authorization: basic \"; http_header; "
401  "base64_decode; content:\"content\"; "
402  "sid:1; rev:1;)");
403  if (de_ctx->sig_list == NULL) {
404  goto end;
405  }
406  s = de_ctx->sig_list;
407  if (s == NULL) {
408  goto end;
409  }
410 
411  /* I'm not complete sure if this list should not be NULL. */
412  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
413  goto end;
414  }
415 
416  /* Test that the http header list is not NULL. */
417  if (s->sm_lists_tail[g_http_header_buffer_id] == NULL) {
418  goto end;
419  }
420 
421  retval = 1;
422 end:
423  if (de_ctx != NULL) {
427  }
428  return retval;
429 }
430 
431 static int DetectBase64DecodeTestDecode(void)
432 {
433  ThreadVars tv;
434  DetectEngineCtx *de_ctx = NULL;
435  DetectEngineThreadCtx *det_ctx = NULL;
436  Packet *p = NULL;
437  int retval = 0;
438 
439  uint8_t payload[] = {
440  'S', 'G', 'V', 's', 'b', 'G', '8', 'g',
441  'V', '2', '9', 'y', 'b', 'G', 'Q', '=',
442  };
443 
444  memset(&tv, 0, sizeof(tv));
445 
446  if ((de_ctx = DetectEngineCtxInit()) == NULL) {
447  goto end;
448  }
449 
451  "alert tcp any any -> any any (msg:\"base64 test\"; "
452  "base64_decode; "
453  "sid:1; rev:1;)");
454  if (de_ctx->sig_list == NULL) {
455  goto end;
456  }
458  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
459 
460  p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
461  if (p == NULL) {
462  goto end;
463  }
464 
465  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
466  if (det_ctx->base64_decoded_len == 0) {
467  goto end;
468  }
469 
470  retval = 1;
471 end:
472  if (det_ctx != NULL) {
473  DetectEngineThreadCtxDeinit(&tv, det_ctx);
474  }
475  if (de_ctx != NULL) {
479  }
480  if (p != NULL) {
481  UTHFreePacket(p);
482  }
483  return retval;
484 }
485 
486 static int DetectBase64DecodeTestDecodeWithOffset(void)
487 {
488  ThreadVars tv;
489  DetectEngineCtx *de_ctx = NULL;
490  DetectEngineThreadCtx *det_ctx = NULL;
491  Packet *p = NULL;
492  int retval = 0;
493 
494  uint8_t payload[] = {
495  'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a',
496  'S', 'G', 'V', 's', 'b', 'G', '8', 'g',
497  'V', '2', '9', 'y', 'b', 'G', 'Q', '=',
498  };
499  char decoded[] = "Hello World";
500 
501  memset(&tv, 0, sizeof(tv));
502 
503  if ((de_ctx = DetectEngineCtxInit()) == NULL) {
504  goto end;
505  }
506 
508  "alert tcp any any -> any any (msg:\"base64 test\"; "
509  "base64_decode: offset 8; "
510  "sid:1; rev:1;)");
511  if (de_ctx->sig_list == NULL) {
512  goto end;
513  }
515  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
516 
517  p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
518  if (p == NULL) {
519  goto end;
520  }
521 
522  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
523  if (det_ctx->base64_decoded_len != (int)strlen(decoded)) {
524  goto end;
525  }
526  if (memcmp(det_ctx->base64_decoded, decoded, strlen(decoded))) {
527  goto end;
528  }
529 
530  retval = 1;
531 end:
532  if (det_ctx != NULL) {
533  DetectEngineThreadCtxDeinit(&tv, det_ctx);
534  }
535  if (de_ctx != NULL) {
539  }
540  if (p != NULL) {
541  UTHFreePacket(p);
542  }
543  return retval;
544 }
545 
546 static int DetectBase64DecodeTestDecodeLargeOffset(void)
547 {
548  ThreadVars tv;
549  DetectEngineCtx *de_ctx = NULL;
550  DetectEngineThreadCtx *det_ctx = NULL;
551  Packet *p = NULL;
552  int retval = 0;
553 
554  uint8_t payload[] = {
555  'S', 'G', 'V', 's', 'b', 'G', '8', 'g',
556  'V', '2', '9', 'y', 'b', 'G', 'Q', '=',
557  };
558 
559  memset(&tv, 0, sizeof(tv));
560 
561  if ((de_ctx = DetectEngineCtxInit()) == NULL) {
562  goto end;
563  }
564 
565  /* Offset is out of range. */
567  "alert tcp any any -> any any (msg:\"base64 test\"; "
568  "base64_decode: bytes 16, offset 32; "
569  "sid:1; rev:1;)");
570  if (de_ctx->sig_list == NULL) {
571  goto end;
572  }
574  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
575 
576  p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
577  if (p == NULL) {
578  goto end;
579  }
580 
581  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
582  if (det_ctx->base64_decoded_len != 0) {
583  goto end;
584  }
585 
586  retval = 1;
587 end:
588  if (det_ctx != NULL) {
589  DetectEngineThreadCtxDeinit(&tv, det_ctx);
590  }
591  if (de_ctx != NULL) {
595  }
596  if (p != NULL) {
597  UTHFreePacket(p);
598  }
599  return retval;
600 }
601 
602 static int DetectBase64DecodeTestDecodeRelative(void)
603 {
604  ThreadVars tv;
605  DetectEngineCtx *de_ctx = NULL;
606  DetectEngineThreadCtx *det_ctx = NULL;
607  Packet *p = NULL;
608  int retval = 0;
609 
610  uint8_t payload[] = {
611  'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a',
612  'S', 'G', 'V', 's', 'b', 'G', '8', 'g',
613  'V', '2', '9', 'y', 'b', 'G', 'Q', '=',
614  };
615  char decoded[] = "Hello World";
616 
617  memset(&tv, 0, sizeof(tv));
618 
619  if ((de_ctx = DetectEngineCtxInit()) == NULL) {
620  goto end;
621  }
622 
624  "alert tcp any any -> any any (msg:\"base64 test\"; "
625  "content:\"aaaaaaaa\"; "
626  "base64_decode: relative; "
627  "sid:1; rev:1;)");
628  if (de_ctx->sig_list == NULL) {
629  goto end;
630  }
632  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
633 
634  p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
635  if (p == NULL) {
636  goto end;
637  }
638 
639  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
640  if (det_ctx->base64_decoded_len != (int)strlen(decoded)) {
641  goto end;
642  }
643  if (memcmp(det_ctx->base64_decoded, decoded, strlen(decoded))) {
644  goto end;
645  }
646 
647  retval = 1;
648 end:
649  if (det_ctx != NULL) {
650  DetectEngineThreadCtxDeinit(&tv, det_ctx);
651  }
652  if (de_ctx != NULL) {
656  }
657  if (p != NULL) {
658  UTHFreePacket(p);
659  }
660  return retval;
661 }
662 
663 static void DetectBase64DecodeRegisterTests(void)
664 {
665  g_http_header_buffer_id = DetectBufferTypeGetByName("http_header");
666 
667  UtRegisterTest("DetectBase64TestDecodeParse", DetectBase64TestDecodeParse);
668  UtRegisterTest("DetectBase64DecodeTestSetup", DetectBase64DecodeTestSetup);
669  UtRegisterTest("DetectBase64DecodeHttpHeaderTestSetup",
670  DetectBase64DecodeHttpHeaderTestSetup);
671  UtRegisterTest("DetectBase64DecodeTestDecode",
672  DetectBase64DecodeTestDecode);
673  UtRegisterTest("DetectBase64DecodeTestDecodeWithOffset",
674  DetectBase64DecodeTestDecodeWithOffset);
675  UtRegisterTest("DetectBase64DecodeTestDecodeLargeOffset",
676  DetectBase64DecodeTestDecodeLargeOffset);
677  UtRegisterTest("DetectBase64DecodeTestDecodeRelative",
678  DetectBase64DecodeTestDecodeRelative);
679 }
680 #endif /* UNITTESTS */
util-byte.h
SigTableElmt_::url
const char * url
Definition: detect.h:1214
DetectEngineThreadCtx_::buffer_offset
uint32_t buffer_offset
Definition: detect.h:1041
detect-engine.h
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:90
SigTableElmt_::desc
const char * desc
Definition: detect.h:1213
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1201
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1211
DETECT_BYTEJUMP
@ DETECT_BYTEJUMP
Definition: detect-engine-register.h:73
stream-tcp.h
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
DetectBase64DecodeDoMatch
int DetectBase64DecodeDoMatch(DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, const uint8_t *payload, uint32_t payload_len)
Definition: detect-base64-decode.c:59
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:59
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
SC_ERR_INVALID_RULE_ARGUMENT
@ SC_ERR_INVALID_RULE_ARGUMENT
Definition: util-error.h:302
SigMatchData_::ctx
SigMatchCtx * ctx
Definition: detect.h:332
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2051
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1205
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:767
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2093
util-base64.h
MIN
#define MIN(x, y)
Definition: suricata-common.h:377
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:337
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:39
DecodeBase64
uint32_t DecodeBase64(uint8_t *dest, const uint8_t *src, uint32_t len, int strict)
Decodes a base64-encoded string buffer into an ascii-encoded byte buffer.
Definition: util-base64.c:91
SigMatchData_
Data needed for Match()
Definition: detect.h:329
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1196
util-unittest.h
util-unittest-helper.h
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:880
DetectBase64Decode_::offset
uint32_t offset
Definition: detect-base64-decode.h:25
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectBase64Decode_
Definition: detect-base64-decode.h:23
DetectEngineThreadCtx_
Definition: detect.h:1010
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2488
SignatureInitData_::list
int list
Definition: detect.h:505
util-print.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
PrintRawDataFp
void PrintRawDataFp(FILE *fp, const uint8_t *buf, uint32_t buflen)
Definition: util-print.c:141
app-layer-parser.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:323
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1688
DetectEngineThreadCtx_::base64_decoded_len
int base64_decoded_len
Definition: detect.h:1145
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1949
BASE64_DECODE_MAX
#define BASE64_DECODE_MAX
Definition: detect-base64-decode.c:27
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options, int *ovector, int ovector_size)
Definition: detect-parse.c:2418
Packet_
Definition: decode.h:414
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:597
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
DETECT_PCRE
@ DETECT_PCRE
Definition: detect-engine-register.h:61
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1884
SigMatch_::type
uint8_t type
Definition: detect.h:321
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:315
DETECT_SM_LIST_NOTSET
#define DETECT_SM_LIST_NOTSET
Definition: detect.h:115
DetectBase64Decode_::relative
uint8_t relative
Definition: detect-base64-decode.h:26
StringParseUint32
int StringParseUint32(uint32_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:313
DETECT_BYTETEST
@ DETECT_BYTETEST
Definition: detect-engine-register.h:72
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2797
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3005
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectParseRegex_
Definition: detect-parse.h:42
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:773
DetectBase64Decode_::bytes
uint32_t bytes
Definition: detect-base64-decode.h:24
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
SIGMATCH_OPTIONAL_OPT
#define SIGMATCH_OPTIONAL_OPT
Definition: detect.h:1389
detect-base64-decode.h
str
#define str(s)
Definition: suricata-common.h:273
SigMatchListSMBelongsTo
int SigMatchListSMBelongsTo(const Signature *s, const SigMatch *key_sm)
Definition: detect-parse.c:625
SCFree
#define SCFree(p)
Definition: util-mem.h:61
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:485
DETECT_BYTE_EXTRACT
@ DETECT_BYTE_EXTRACT
Definition: detect-engine-register.h:170
detect-parse.h
Signature_
Signature container.
Definition: detect.h:528
SigMatch_
a single match condition for a signature
Definition: detect.h:320
payload_len
uint16_t payload_len
Definition: stream-tcp-private.h:1
DETECT_ISDATAAT
@ DETECT_ISDATAAT
Definition: detect-engine-register.h:79
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2048
DetectEngineThreadCtx_::base64_decoded
uint8_t * base64_decoded
Definition: detect.h:1144
DETECT_BASE64_DECODE
@ DETECT_BASE64_DECODE
Definition: detect-engine-register.h:237
DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition: detect-parse.c:468
DetectBase64DecodeRegister
void DetectBase64DecodeRegister(void)
Definition: detect-base64-decode.c:41
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
DetectEngineCtx_::base64_decode_max_len
uint32_t base64_decode_max_len
Definition: detect.h:868
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1203