suricata
detect-base64-decode.c
Go to the documentation of this file.
1 /* Copyright (C) 2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 #include "suricata-common.h"
19 #include "detect.h"
20 #include "detect-parse.h"
21 #include "detect-base64-decode.h"
22 #include "util-base64.h"
23 #include "util-byte.h"
24 #include "util-print.h"
25 
26 /* Arbitrary maximum buffer size for decoded base64 data. */
27 #define BASE64_DECODE_MAX 65535
28 
29 static const char decode_pattern[] = "\\s*(bytes\\s+(\\d+),?)?"
30  "\\s*(offset\\s+(\\d+),?)?"
31  "\\s*(\\w+)?";
32 
33 static DetectParseRegex decode_pcre;
34 
35 static int DetectBase64DecodeSetup(DetectEngineCtx *, Signature *, const char *);
36 static void DetectBase64DecodeFree(DetectEngineCtx *, void *);
37 static void DetectBase64DecodeRegisterTests(void);
38 
40 {
41  sigmatch_table[DETECT_BASE64_DECODE].name = "base64_decode";
43  "Decodes base64 encoded data.";
45  "/rules/base64-keywords.html#base64-decode";
46  sigmatch_table[DETECT_BASE64_DECODE].Setup = DetectBase64DecodeSetup;
47  sigmatch_table[DETECT_BASE64_DECODE].Free = DetectBase64DecodeFree;
49  DetectBase64DecodeRegisterTests;
50 
52 
53  DetectSetupParseRegexes(decode_pattern, &decode_pcre);
54 }
55 
57  const SigMatchData *smd, const uint8_t *payload, uint32_t payload_len)
58 {
60  int decode_len;
61 
62 #if 0
63  printf("Input data:\n");
64  PrintRawDataFp(stdout, payload, payload_len);
65 #endif
66 
67  if (data->relative) {
68  payload += det_ctx->buffer_offset;
69  payload_len -= det_ctx->buffer_offset;
70  }
71 
72  if (data->offset) {
73  if (data->offset >= payload_len) {
74  return 0;
75  }
76  payload = payload + data->offset;
77  payload_len -= data->offset;
78  }
79 
80  decode_len = MIN(payload_len, data->bytes);
81 
82 #if 0
83  printf("Decoding:\n");
84  PrintRawDataFp(stdout, payload, decode_len);
85 #endif
86 
88  payload, decode_len, 0);
89  SCLogDebug("Decoded %d bytes from base64 data.",
90  det_ctx->base64_decoded_len);
91 #if 0
92  if (det_ctx->base64_decoded_len) {
93  printf("Decoded data:\n");
94  PrintRawDataFp(stdout, det_ctx->base64_decoded,
95  det_ctx->base64_decoded_len);
96  }
97 #endif
98 
99  return det_ctx->base64_decoded_len > 0;
100 }
101 
102 static int DetectBase64DecodeParse(const char *str, uint32_t *bytes,
103  uint32_t *offset, uint8_t *relative)
104 {
105  static const int max = 30;
106  int ov[max];
107  int pcre_rc;
108  const char *bytes_str = NULL;
109  const char *offset_str = NULL;
110  const char *relative_str = NULL;
111  int retval = 0;
112 
113  *bytes = 0;
114  *offset = 0;
115  *relative = 0;
116 
117  pcre_rc = DetectParsePcreExec(&decode_pcre, str, 0, 0, ov, max);
118  if (pcre_rc < 3) {
119  goto error;
120  }
121 
122  if (pcre_rc >= 3) {
123  if (pcre_get_substring((char *)str, ov, max, 2, &bytes_str) > 0) {
124  if (StringParseUint32(bytes, 10, 0, bytes_str) <= 0) {
126  "Bad value for bytes: \"%s\"", bytes_str);
127  goto error;
128  }
129  }
130  }
131 
132  if (pcre_rc >= 5) {
133  if (pcre_get_substring((char *)str, ov, max, 4, &offset_str)) {
134  if (StringParseUint32(offset, 10, 0, offset_str) <= 0) {
136  "Bad value for offset: \"%s\"", offset_str);
137  goto error;
138  }
139  }
140  }
141 
142  if (pcre_rc >= 6) {
143  if (pcre_get_substring((char *)str, ov, max, 5, &relative_str)) {
144  if (strcmp(relative_str, "relative") == 0) {
145  *relative = 1;
146  }
147  else {
149  "Invalid argument: \"%s\"", relative_str);
150  goto error;
151  }
152  }
153  }
154 
155  retval = 1;
156 error:
157  if (bytes_str != NULL) {
158  pcre_free_substring(bytes_str);
159  }
160  if (offset_str != NULL) {
161  pcre_free_substring(offset_str);
162  }
163  if (relative_str != NULL) {
164  pcre_free_substring(relative_str);
165  }
166  return retval;
167 }
168 
169 static int DetectBase64DecodeSetup(DetectEngineCtx *de_ctx, Signature *s,
170  const char *str)
171 {
172  uint32_t bytes = 0;
173  uint32_t offset = 0;
174  uint8_t relative = 0;
175  DetectBase64Decode *data = NULL;
176  int sm_list;
177  SigMatch *sm = NULL;
178  SigMatch *pm = NULL;
179 
180  if (str != NULL) {
181  if (!DetectBase64DecodeParse(str, &bytes, &offset, &relative)) {
182  goto error;
183  }
184  }
185  data = SCCalloc(1, sizeof(DetectBase64Decode));
186  if (unlikely(data == NULL)) {
187  goto error;
188  }
189  data->bytes = bytes;
190  data->offset = offset;
191  data->relative = relative;
192 
193  if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
194  sm_list = s->init_data->list;
195 #if 0
196  if (data->relative) {
197  pm = SigMatchGetLastSMFromLists(s, 4,
198  DETECT_CONTENT, s->sm_lists_tail[sm_list],
199  DETECT_PCRE, s->sm_lists_tail[sm_list]);
200  }
201 #endif
202  }
203  else {
207  DETECT_ISDATAAT, -1);
208  if (pm == NULL) {
209  sm_list = DETECT_SM_LIST_PMATCH;
210  }
211  else {
212  sm_list = SigMatchListSMBelongsTo(s, pm);
213  if (sm_list < 0) {
214  goto error;
215  }
216  }
217  }
218 
219  sm = SigMatchAlloc();
220  if (sm == NULL) {
221  goto error;
222  }
224  sm->ctx = (SigMatchCtx *)data;
225  SigMatchAppendSMToList(s, sm, sm_list);
226 
227  if (!data->bytes) {
228  data->bytes = BASE64_DECODE_MAX;
229  }
230  if (data->bytes > de_ctx->base64_decode_max_len) {
232  }
233 
234  return 0;
235 error:
236  if (data != NULL) {
237  SCFree(data);
238  }
239  return -1;
240 }
241 
242 static void DetectBase64DecodeFree(DetectEngineCtx *de_ctx, void *ptr)
243 {
244  DetectBase64Decode *data = ptr;
245  SCFree(data);
246 }
247 
248 
249 #ifdef UNITTESTS
250 #include "detect-engine.h"
251 #include "util-unittest.h"
252 #include "util-unittest-helper.h"
253 #include "app-layer-parser.h"
254 #include "flow-util.h"
255 #include "stream-tcp.h"
256 
257 static int g_http_header_buffer_id = 0;
258 
259 static int DetectBase64TestDecodeParse(void)
260 {
261  int retval = 0;
262  uint32_t bytes = 0;
263  uint32_t offset = 0;
264  uint8_t relative = 0;
265 
266  if (!DetectBase64DecodeParse("bytes 1", &bytes, &offset, &relative)) {
267  goto end;
268  }
269  if (bytes != 1 || offset != 0 || relative != 0) {
270  goto end;
271  }
272 
273  if (!DetectBase64DecodeParse("offset 9", &bytes, &offset, &relative)) {
274  goto end;
275  }
276  if (bytes != 0 || offset != 9 || relative != 0) {
277  goto end;
278  }
279 
280  if (!DetectBase64DecodeParse("relative", &bytes, &offset, &relative)) {
281  goto end;
282  }
283  if (bytes != 0 || offset != 0 || relative != 1) {
284  goto end;
285  }
286 
287  if (!DetectBase64DecodeParse("bytes 1, offset 2", &bytes, &offset,
288  &relative)) {
289  goto end;
290  }
291  if (bytes != 1 || offset != 2 || relative != 0) {
292  goto end;
293  }
294 
295  if (!DetectBase64DecodeParse("bytes 1, offset 2, relative", &bytes, &offset,
296  &relative)) {
297  goto end;
298  }
299  if (bytes != 1 || offset != 2 || relative != 1) {
300  goto end;
301  }
302 
303  if (!DetectBase64DecodeParse("offset 2, relative", &bytes, &offset,
304  &relative)) {
305  goto end;
306  }
307  if (bytes != 0 || offset != 2 || relative != 1) {
308  goto end;
309  }
310 
311  /* Misspelled relative. */
312  if (DetectBase64DecodeParse("bytes 1, offset 2, relatve", &bytes, &offset,
313  &relative)) {
314  goto end;
315  }
316 
317  /* Misspelled bytes. */
318  if (DetectBase64DecodeParse("byts 1, offset 2, relatve", &bytes, &offset,
319  &relative)) {
320  goto end;
321  }
322 
323  /* Misspelled offset. */
324  if (DetectBase64DecodeParse("bytes 1, offst 2, relatve", &bytes, &offset,
325  &relative)) {
326  goto end;
327  }
328 
329  /* Misspelled empty string. */
330  if (DetectBase64DecodeParse("", &bytes, &offset, &relative)) {
331  goto end;
332  }
333 
334  retval = 1;
335 end:
336  return retval;
337 }
338 
339 /**
340  * Test keyword setup on basic content.
341  */
342 static int DetectBase64DecodeTestSetup(void)
343 {
344  DetectEngineCtx *de_ctx = NULL;
345  Signature *s;
346  int retval = 0;
347 
349  if (de_ctx == NULL) {
350  goto end;
351  }
352 
354  "alert tcp any any -> any any ("
355  "msg:\"DetectBase64DecodeTestSetup\"; "
356  "base64_decode; content:\"content\"; "
357  "sid:1; rev:1;)");
358  if (de_ctx->sig_list == NULL) {
359  goto end;
360  }
361  s = de_ctx->sig_list;
362  if (s == NULL) {
363  goto end;
364  }
365  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
366  goto end;
367  }
368 
369  retval = 1;
370 end:
371  if (de_ctx != NULL) {
375  }
376  return retval;
377 }
378 
379 /**
380  * Test keyword setup when the prior rule has a content modifier on
381  * it.
382  */
383 static int DetectBase64DecodeHttpHeaderTestSetup(void)
384 {
385  DetectEngineCtx *de_ctx = NULL;
386  Signature *s;
387  int retval = 0;
388 
390  if (de_ctx == NULL) {
391  goto end;
392  }
393 
395  "alert tcp any any -> any any ("
396  "msg:\"DetectBase64DecodeTestSetup\"; "
397  "content:\"Authorization: basic \"; http_header; "
398  "base64_decode; content:\"content\"; "
399  "sid:1; rev:1;)");
400  if (de_ctx->sig_list == NULL) {
401  goto end;
402  }
403  s = de_ctx->sig_list;
404  if (s == NULL) {
405  goto end;
406  }
407 
408  /* I'm not complete sure if this list should not be NULL. */
409  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
410  goto end;
411  }
412 
413  /* Test that the http header list is not NULL. */
414  if (s->sm_lists_tail[g_http_header_buffer_id] == NULL) {
415  goto end;
416  }
417 
418  retval = 1;
419 end:
420  if (de_ctx != NULL) {
424  }
425  return retval;
426 }
427 
428 static int DetectBase64DecodeTestDecode(void)
429 {
430  ThreadVars tv;
431  DetectEngineCtx *de_ctx = NULL;
432  DetectEngineThreadCtx *det_ctx = NULL;
433  Packet *p = NULL;
434  int retval = 0;
435 
436  uint8_t payload[] = {
437  'S', 'G', 'V', 's', 'b', 'G', '8', 'g',
438  'V', '2', '9', 'y', 'b', 'G', 'Q', '=',
439  };
440 
441  memset(&tv, 0, sizeof(tv));
442 
443  if ((de_ctx = DetectEngineCtxInit()) == NULL) {
444  goto end;
445  }
446 
448  "alert tcp any any -> any any (msg:\"base64 test\"; "
449  "base64_decode; "
450  "sid:1; rev:1;)");
451  if (de_ctx->sig_list == NULL) {
452  goto end;
453  }
455  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
456 
457  p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
458  if (p == NULL) {
459  goto end;
460  }
461 
462  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
463  if (det_ctx->base64_decoded_len == 0) {
464  goto end;
465  }
466 
467  retval = 1;
468 end:
469  if (det_ctx != NULL) {
470  DetectEngineThreadCtxDeinit(&tv, det_ctx);
471  }
472  if (de_ctx != NULL) {
476  }
477  if (p != NULL) {
478  UTHFreePacket(p);
479  }
480  return retval;
481 }
482 
483 static int DetectBase64DecodeTestDecodeWithOffset(void)
484 {
485  ThreadVars tv;
486  DetectEngineCtx *de_ctx = NULL;
487  DetectEngineThreadCtx *det_ctx = NULL;
488  Packet *p = NULL;
489  int retval = 0;
490 
491  uint8_t payload[] = {
492  'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a',
493  'S', 'G', 'V', 's', 'b', 'G', '8', 'g',
494  'V', '2', '9', 'y', 'b', 'G', 'Q', '=',
495  };
496  char decoded[] = "Hello World";
497 
498  memset(&tv, 0, sizeof(tv));
499 
500  if ((de_ctx = DetectEngineCtxInit()) == NULL) {
501  goto end;
502  }
503 
505  "alert tcp any any -> any any (msg:\"base64 test\"; "
506  "base64_decode: offset 8; "
507  "sid:1; rev:1;)");
508  if (de_ctx->sig_list == NULL) {
509  goto end;
510  }
512  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
513 
514  p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
515  if (p == NULL) {
516  goto end;
517  }
518 
519  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
520  if (det_ctx->base64_decoded_len != (int)strlen(decoded)) {
521  goto end;
522  }
523  if (memcmp(det_ctx->base64_decoded, decoded, strlen(decoded))) {
524  goto end;
525  }
526 
527  retval = 1;
528 end:
529  if (det_ctx != NULL) {
530  DetectEngineThreadCtxDeinit(&tv, det_ctx);
531  }
532  if (de_ctx != NULL) {
536  }
537  if (p != NULL) {
538  UTHFreePacket(p);
539  }
540  return retval;
541 }
542 
543 static int DetectBase64DecodeTestDecodeLargeOffset(void)
544 {
545  ThreadVars tv;
546  DetectEngineCtx *de_ctx = NULL;
547  DetectEngineThreadCtx *det_ctx = NULL;
548  Packet *p = NULL;
549  int retval = 0;
550 
551  uint8_t payload[] = {
552  'S', 'G', 'V', 's', 'b', 'G', '8', 'g',
553  'V', '2', '9', 'y', 'b', 'G', 'Q', '=',
554  };
555 
556  memset(&tv, 0, sizeof(tv));
557 
558  if ((de_ctx = DetectEngineCtxInit()) == NULL) {
559  goto end;
560  }
561 
562  /* Offset is out of range. */
564  "alert tcp any any -> any any (msg:\"base64 test\"; "
565  "base64_decode: bytes 16, offset 32; "
566  "sid:1; rev:1;)");
567  if (de_ctx->sig_list == NULL) {
568  goto end;
569  }
571  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
572 
573  p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
574  if (p == NULL) {
575  goto end;
576  }
577 
578  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
579  if (det_ctx->base64_decoded_len != 0) {
580  goto end;
581  }
582 
583  retval = 1;
584 end:
585  if (det_ctx != NULL) {
586  DetectEngineThreadCtxDeinit(&tv, det_ctx);
587  }
588  if (de_ctx != NULL) {
592  }
593  if (p != NULL) {
594  UTHFreePacket(p);
595  }
596  return retval;
597 }
598 
599 static int DetectBase64DecodeTestDecodeRelative(void)
600 {
601  ThreadVars tv;
602  DetectEngineCtx *de_ctx = NULL;
603  DetectEngineThreadCtx *det_ctx = NULL;
604  Packet *p = NULL;
605  int retval = 0;
606 
607  uint8_t payload[] = {
608  'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a',
609  'S', 'G', 'V', 's', 'b', 'G', '8', 'g',
610  'V', '2', '9', 'y', 'b', 'G', 'Q', '=',
611  };
612  char decoded[] = "Hello World";
613 
614  memset(&tv, 0, sizeof(tv));
615 
616  if ((de_ctx = DetectEngineCtxInit()) == NULL) {
617  goto end;
618  }
619 
621  "alert tcp any any -> any any (msg:\"base64 test\"; "
622  "content:\"aaaaaaaa\"; "
623  "base64_decode: relative; "
624  "sid:1; rev:1;)");
625  if (de_ctx->sig_list == NULL) {
626  goto end;
627  }
629  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
630 
631  p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
632  if (p == NULL) {
633  goto end;
634  }
635 
636  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
637  if (det_ctx->base64_decoded_len != (int)strlen(decoded)) {
638  goto end;
639  }
640  if (memcmp(det_ctx->base64_decoded, decoded, strlen(decoded))) {
641  goto end;
642  }
643 
644  retval = 1;
645 end:
646  if (det_ctx != NULL) {
647  DetectEngineThreadCtxDeinit(&tv, det_ctx);
648  }
649  if (de_ctx != NULL) {
653  }
654  if (p != NULL) {
655  UTHFreePacket(p);
656  }
657  return retval;
658 }
659 
660 #endif
661 
662 static void DetectBase64DecodeRegisterTests(void)
663 {
664 #ifdef UNITTESTS
665  g_http_header_buffer_id = DetectBufferTypeGetByName("http_header");
666 
667  UtRegisterTest("DetectBase64TestDecodeParse", DetectBase64TestDecodeParse);
668  UtRegisterTest("DetectBase64DecodeTestSetup", DetectBase64DecodeTestSetup);
669  UtRegisterTest("DetectBase64DecodeHttpHeaderTestSetup",
670  DetectBase64DecodeHttpHeaderTestSetup);
671  UtRegisterTest("DetectBase64DecodeTestDecode",
672  DetectBase64DecodeTestDecode);
673  UtRegisterTest("DetectBase64DecodeTestDecodeWithOffset",
674  DetectBase64DecodeTestDecodeWithOffset);
675  UtRegisterTest("DetectBase64DecodeTestDecodeLargeOffset",
676  DetectBase64DecodeTestDecodeLargeOffset);
677  UtRegisterTest("DetectBase64DecodeTestDecodeRelative",
678  DetectBase64DecodeTestDecodeRelative);
679 #endif /* UNITTESTS */
680 }
util-byte.h
SigTableElmt_::url
const char * url
Definition: detect.h:1212
DetectEngineThreadCtx_::buffer_offset
uint32_t buffer_offset
Definition: detect.h:1040
detect-engine.h
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:90
SigTableElmt_::desc
const char * desc
Definition: detect.h:1211
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1200
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1209
DETECT_BYTEJUMP
@ DETECT_BYTEJUMP
Definition: detect-engine-register.h:73
stream-tcp.h
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
DetectBase64DecodeDoMatch
int DetectBase64DecodeDoMatch(DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, const uint8_t *payload, uint32_t payload_len)
Definition: detect-base64-decode.c:56
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:59
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
SC_ERR_INVALID_RULE_ARGUMENT
@ SC_ERR_INVALID_RULE_ARGUMENT
Definition: util-error.h:302
SigMatchData_::ctx
SigMatchCtx * ctx
Definition: detect.h:331
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2033
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1203
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:766
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2089
util-base64.h
MIN
#define MIN(x, y)
Definition: suricata-common.h:377
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:336
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:39
DecodeBase64
uint32_t DecodeBase64(uint8_t *dest, const uint8_t *src, uint32_t len, int strict)
Decodes a base64-encoded string buffer into an ascii-encoded byte buffer.
Definition: util-base64.c:91
SigMatchData_
Data needed for Match()
Definition: detect.h:328
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1195
util-unittest.h
util-unittest-helper.h
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:876
DetectBase64Decode_::offset
uint32_t offset
Definition: detect-base64-decode.h:25
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectBase64Decode_
Definition: detect-base64-decode.h:23
DetectEngineThreadCtx_
Definition: detect.h:1009
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2456
SignatureInitData_::list
int list
Definition: detect.h:504
util-print.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
PrintRawDataFp
void PrintRawDataFp(FILE *fp, const uint8_t *buf, uint32_t buflen)
Definition: util-print.c:141
app-layer-parser.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:322
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1668
DetectEngineThreadCtx_::base64_decoded_len
int base64_decoded_len
Definition: detect.h:1144
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1947
BASE64_DECODE_MAX
#define BASE64_DECODE_MAX
Definition: detect-base64-decode.c:27
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options, int *ovector, int ovector_size)
Definition: detect-parse.c:2388
Packet_
Definition: decode.h:411
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:596
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
DETECT_PCRE
@ DETECT_PCRE
Definition: detect-engine-register.h:61
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1876
SigMatch_::type
uint8_t type
Definition: detect.h:320
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:314
DETECT_SM_LIST_NOTSET
#define DETECT_SM_LIST_NOTSET
Definition: detect.h:115
DetectBase64Decode_::relative
uint8_t relative
Definition: detect-base64-decode.h:26
StringParseUint32
int StringParseUint32(uint32_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:313
DETECT_BYTETEST
@ DETECT_BYTETEST
Definition: detect-engine-register.h:72
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2793
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3001
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectParseRegex_
Definition: detect-parse.h:42
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:772
DetectBase64Decode_::bytes
uint32_t bytes
Definition: detect-base64-decode.h:24
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
SIGMATCH_OPTIONAL_OPT
#define SIGMATCH_OPTIONAL_OPT
Definition: detect.h:1387
detect-base64-decode.h
str
#define str(s)
Definition: suricata-common.h:273
SigMatchListSMBelongsTo
int SigMatchListSMBelongsTo(const Signature *s, const SigMatch *key_sm)
Definition: detect-parse.c:622
SCFree
#define SCFree(p)
Definition: util-mem.h:61
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:484
DETECT_BYTE_EXTRACT
@ DETECT_BYTE_EXTRACT
Definition: detect-engine-register.h:165
detect-parse.h
Signature_
Signature container.
Definition: detect.h:527
SigMatch_
a single match condition for a signature
Definition: detect.h:319
payload_len
uint16_t payload_len
Definition: stream-tcp-private.h:1
DETECT_ISDATAAT
@ DETECT_ISDATAAT
Definition: detect-engine-register.h:78
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2044
DetectEngineThreadCtx_::base64_decoded
uint8_t * base64_decoded
Definition: detect.h:1143
DETECT_BASE64_DECODE
@ DETECT_BASE64_DECODE
Definition: detect-engine-register.h:221
DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition: detect-parse.c:468
DetectBase64DecodeRegister
void DetectBase64DecodeRegister(void)
Definition: detect-base64-decode.c:39
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
DetectEngineCtx_::base64_decode_max_len
uint32_t base64_decode_max_len
Definition: detect.h:867
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1201