suricata
detect-base64-decode.c
1 /* Copyright (C) 2020-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 #include "suricata-common.h"
19 #include "detect.h"
20 #include "detect-parse.h"
21 #include "detect-base64-decode.h"
22 #include "util-base64.h"
23 #include "util-byte.h"
24 #include "util-print.h"
25 #include "detect-engine-build.h"
26 
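/* Number of input bytes decoded when a rule gives no "bytes" value.
 * It is only enforced as an upper bound in fuzzing builds; see
 * DetectBase64DecodeSetup(). */
#define BASE64_DECODE_MAX 65535

/** Options of one base64_decode keyword instance, stored as the SigMatch ctx. */
typedef struct DetectBase64Decode_ {
    uint32_t bytes;   /* max input bytes handed to the decoder; 0 from the
                       * parser means "not given", replaced during setup */
    uint32_t offset;  /* bytes to skip before decoding starts */
    uint8_t relative; /* non-zero: start at det_ctx->buffer_offset */
} DetectBase64Decode;

/* Option grammar: optional "bytes <n>", optional "offset <n>", optional bare
 * word. Capture groups 2, 4 and 5 hold the bytes value, the offset value and
 * the bare word. The pattern has no end anchor. */
static const char decode_pattern[] = "\\s*(bytes\\s+(\\d+),?)?"
                                     "\\s*(offset\\s+(\\d+),?)?"
                                     "\\s*(\\w+)?";

static DetectParseRegex decode_pcre;

static int DetectBase64DecodeSetup(DetectEngineCtx *, Signature *, const char *);
static void DetectBase64DecodeFree(DetectEngineCtx *, void *);
#ifdef UNITTESTS
static void DetectBase64DecodeRegisterTests(void);
#endif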
47 
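/**
 * \brief Register the base64_decode keyword in sigmatch_table and compile
 *        the option-parsing regex.
 */
void DetectBase64DecodeRegister(void)
{
    sigmatch_table[DETECT_BASE64_DECODE].name = "base64_decode";
    sigmatch_table[DETECT_BASE64_DECODE].desc =
        "Decodes base64 encoded data.";
    sigmatch_table[DETECT_BASE64_DECODE].url =
        "/rules/base64-keywords.html#base64-decode";
    sigmatch_table[DETECT_BASE64_DECODE].Setup = DetectBase64DecodeSetup;
    sigmatch_table[DETECT_BASE64_DECODE].Free = DetectBase64DecodeFree;
#ifdef UNITTESTS
    sigmatch_table[DETECT_BASE64_DECODE].RegisterTests =
        DetectBase64DecodeRegisterTests;
#endif
    /* The keyword may be written without any option string. */
    sigmatch_table[DETECT_BASE64_DECODE].flags |= SIGMATCH_OPTIONAL_OPT;

    DetectSetupParseRegexes(decode_pattern, &decode_pcre);
}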
65 
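/**
 * \brief Base64-decode part of the inspected buffer into the thread's
 *        decode buffer.
 *
 * The start position is moved by det_ctx->buffer_offset when the keyword is
 * "relative", then by the keyword's offset. At most data->bytes input bytes
 * are handed to the decoder. The decoder's return code is ignored on
 * purpose: whatever it managed to decode is kept.
 *
 * \param det_ctx     thread context; receives the decoded bytes and length
 * \param s           signature being evaluated (unused here)
 * \param smd         match data whose ctx is a DetectBase64Decode
 * \param payload     buffer to decode from
 * \param payload_len length of payload in bytes
 *
 * \retval 1 at least one byte was decoded
 * \retval 0 nothing was decoded, or the start position is outside the buffer
 *
 * \note The early "return 0" paths leave det_ctx->base64_decoded_len as it
 *       was before the call.
 */
int DetectBase64DecodeDoMatch(DetectEngineThreadCtx *det_ctx, const Signature *s,
        const SigMatchData *smd, const uint8_t *payload, uint32_t payload_len)
{
    DetectBase64Decode *data = (DetectBase64Decode *)smd->ctx;

#if 0
    printf("Input data:\n");
    PrintRawDataFp(stdout, payload, payload_len);
#endif

    if (data->relative) {
        /* payload_len is unsigned: a buffer_offset larger than the buffer
         * would wrap the length and the decoder would then read past the
         * end of payload. Treat that as "no data". */
        if (det_ctx->buffer_offset > payload_len) {
            return 0;
        }
        payload += det_ctx->buffer_offset;
        payload_len -= det_ctx->buffer_offset;
    }

    if (data->offset) {
        if (data->offset >= payload_len) {
            return 0;
        }
        payload = payload + data->offset;
        payload_len -= data->offset;
    }

    /* Both operands are uint32_t and DecodeBase64() takes a uint32_t length,
     * so keep the bound unsigned instead of narrowing it to int. */
    const uint32_t decode_len = MIN(payload_len, data->bytes);

#if 0
    printf("Decoding:\n");
    PrintRawDataFp(stdout, payload, decode_len);
#endif

    uint32_t consumed = 0, num_decoded = 0;
    (void)DecodeBase64(det_ctx->base64_decoded, det_ctx->base64_decoded_len_max, payload,
            decode_len, &consumed, &num_decoded, BASE64_MODE_RFC4648);
    det_ctx->base64_decoded_len = num_decoded;
    SCLogDebug("Decoded %d bytes from base64 data.",
               det_ctx->base64_decoded_len);
#if 0
    if (det_ctx->base64_decoded_len) {
        printf("Decoded data:\n");
        PrintRawDataFp(stdout, det_ctx->base64_decoded,
            det_ctx->base64_decoded_len);
    }
#endif

    return det_ctx->base64_decoded_len > 0;
}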
113 
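/**
 * \brief Parse the option string of a base64_decode keyword.
 *
 * Accepted tokens, all optional and in this order: "bytes <n>", "offset <n>"
 * and the bare word "relative". A string in which none of them is captured
 * (for example the empty string) is rejected.
 *
 * \param str      option string from the rule
 * \param bytes    receives the "bytes" value, 0 when absent
 * \param offset   receives the "offset" value, 0 when absent
 * \param relative receives 1 when "relative" is present, else 0
 *
 * \retval 1 on success
 * \retval 0 on a parse error
 *
 * NOTE(review): decode_pattern has no end anchor, so text following the last
 * recognised token appears to be ignored rather than rejected. Confirm
 * against DetectSetupParseRegexes() and tighten the pattern if rule typos
 * should fail loading.
 */
static int DetectBase64DecodeParse(const char *str, uint32_t *bytes,
    uint32_t *offset, uint8_t *relative)
{
    int pcre_rc;
    const char *bytes_str = NULL;
    const char *offset_str = NULL;
    const char *relative_str = NULL;
    int retval = 0;

    *bytes = 0;
    *offset = 0;
    *relative = 0;
    size_t pcre2_len;

    /* A return below 3 means capture group 2 (the bytes value) or any
     * later group was not reached, i.e. no option was recognised. */
    pcre_rc = DetectParsePcreExec(&decode_pcre, str, 0, 0);
    if (pcre_rc < 3) {
        goto error;
    }

    /* Group 2: bytes value. The substring call fails for an unset group,
     * in which case the default of 0 is kept. */
    if (pcre2_substring_get_bynumber(
                decode_pcre.match, 2, (PCRE2_UCHAR8 **)&bytes_str, &pcre2_len) == 0) {
        if (StringParseUint32(bytes, 10, 0, bytes_str) <= 0) {
            SCLogError(SC_ERR_INVALID_RULE_ARGUMENT,
                "Bad value for bytes: \"%s\"", bytes_str);
            goto error;
        }
    }

    /* Group 4: offset value. */
    if (pcre_rc >= 5) {
        if (pcre2_substring_get_bynumber(
                    decode_pcre.match, 4, (PCRE2_UCHAR8 **)&offset_str, &pcre2_len) == 0) {
            if (StringParseUint32(offset, 10, 0, offset_str) <= 0) {
                SCLogError(SC_ERR_INVALID_RULE_ARGUMENT,
                    "Bad value for offset: \"%s\"", offset_str);
                goto error;
            }
        }
    }

    /* Group 5: any bare word; only "relative" is valid. */
    if (pcre_rc >= 6) {
        if (pcre2_substring_get_bynumber(
                    decode_pcre.match, 5, (PCRE2_UCHAR8 **)&relative_str, &pcre2_len) == 0) {
            if (strcmp(relative_str, "relative") == 0) {
                *relative = 1;
            }
            else {
                SCLogError(SC_ERR_INVALID_RULE_ARGUMENT,
                    "Invalid argument: \"%s\"", relative_str);
                goto error;
            }
        }
    }

    retval = 1;
error:
    /* Shared cleanup for the success and failure paths. */
    if (bytes_str != NULL) {
        pcre2_substring_free((PCRE2_UCHAR8 *)bytes_str);
    }
    if (offset_str != NULL) {
        pcre2_substring_free((PCRE2_UCHAR8 *)offset_str);
    }
    if (relative_str != NULL) {
        pcre2_substring_free((PCRE2_UCHAR8 *)relative_str);
    }
    return retval;
}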
182 
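/**
 * \brief Set up a base64_decode keyword for a signature.
 *
 * Parses the optional option string, allocates the keyword context and
 * appends a SigMatch to the list the keyword belongs to: the signature's
 * current sticky-buffer list when one is set, otherwise the list of the most
 * recent content-like match, falling back to DETECT_SM_LIST_PMATCH.
 *
 * \param de_ctx detection engine context; its base64_decode_max_len is
 *               raised when this keyword asks for more bytes
 * \param s      signature being built
 * \param str    option string, NULL when the keyword has no options
 *
 * \retval 0 on success
 * \retval -1 on error
 *
 * NOTE(review): outside fuzzing builds nothing caps "bytes", so a single rule
 * can raise de_ctx->base64_decode_max_len to any uint32_t value. If that
 * field sizes a per-thread decode buffer (not visible in this file), an
 * oversized value in a ruleset costs memory on every detect thread; consider
 * rejecting values above a fixed ceiling when the rule is parsed.
 */
static int DetectBase64DecodeSetup(DetectEngineCtx *de_ctx, Signature *s,
    const char *str)
{
    uint32_t bytes = 0;
    uint32_t offset = 0;
    uint8_t relative = 0;
    DetectBase64Decode *data = NULL;
    int sm_list;
    SigMatch *sm = NULL;
    SigMatch *pm = NULL;

    if (str != NULL) {
        if (!DetectBase64DecodeParse(str, &bytes, &offset, &relative)) {
            goto error;
        }
    }
    data = SCCalloc(1, sizeof(DetectBase64Decode));
    if (unlikely(data == NULL)) {
        goto error;
    }
    data->bytes = bytes;
    data->offset = offset;
    data->relative = relative;

    if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
        /* A sticky buffer is active: the keyword applies to it. */
        sm_list = s->init_data->list;
#if 0
        if (data->relative) {
            pm = SigMatchGetLastSMFromLists(s, 4,
                DETECT_CONTENT, s->sm_lists_tail[sm_list],
                DETECT_PCRE, s->sm_lists_tail[sm_list]);
        }
#endif
    }
    else {
        /* No sticky buffer: follow the list of the latest match of one of
         * these types, or use the packet payload list if there is none. */
        pm = DetectGetLastSMFromLists(s,
            DETECT_CONTENT, DETECT_PCRE,
            DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
            DETECT_ISDATAAT, -1);
        if (pm == NULL) {
            sm_list = DETECT_SM_LIST_PMATCH;
        }
        else {
            sm_list = SigMatchListSMBelongsTo(s, pm);
            if (sm_list < 0) {
                goto error;
            }
        }
    }

    sm = SigMatchAlloc();
    if (sm == NULL) {
        goto error;
    }
    sm->type = DETECT_BASE64_DECODE;
    /* From here the context is reachable through sm; there is no error
     * path after this point that would free it a second time. */
    sm->ctx = (SigMatchCtx *)data;
    SigMatchAppendSMToList(s, sm, sm_list);

    /* "bytes" not given (or given as 0): use the default. */
    if (!data->bytes) {
        data->bytes = BASE64_DECODE_MAX;
    }
    if (data->bytes > de_ctx->base64_decode_max_len) {
#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
        /* Fuzzing builds clamp the request to keep buffers small. */
        data->bytes = BASE64_DECODE_MAX;
#endif
        de_ctx->base64_decode_max_len = data->bytes;
    }

    return 0;
error:
    if (data != NULL) {
        SCFree(data);
    }
    return -1;
}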
258 
/**
 * \brief Free a base64_decode keyword context.
 *
 * \param de_ctx detection engine context (unused)
 * \param ptr    the DetectBase64Decode to release
 */
static void DetectBase64DecodeFree(DetectEngineCtx *de_ctx, void *ptr)
{
    SCFree((DetectBase64Decode *)ptr);
}
264 
265 
266 #ifdef UNITTESTS
267 #include "detect-engine.h"
268 #include "util-unittest.h"
269 #include "util-unittest-helper.h"
270 #include "app-layer-parser.h"
271 #include "flow-util.h"
272 #include "stream-tcp.h"
273 
/* Buffer id of "http_header"; looked up by name in
 * DetectBase64DecodeRegisterTests() before the tests are registered. */
static int g_http_header_buffer_id = 0;
275 
/**
 * Test the option parser on valid and invalid option strings.
 *
 * \retval 1 when every case behaves as expected, 0 otherwise
 */
static int DetectBase64TestDecodeParse(void)
{
    /* For accepted inputs the three parsed values are compared; for
     * rejected inputs only the parser's return value is checked. */
    static const struct {
        const char *input;
        int accepted;
        uint32_t bytes;
        uint32_t offset;
        uint8_t relative;
    } cases[] = {
        { "bytes 1", 1, 1, 0, 0 },
        { "offset 9", 1, 0, 9, 0 },
        { "relative", 1, 0, 0, 1 },
        { "bytes 1, offset 2", 1, 1, 2, 0 },
        { "bytes 1, offset 2, relative", 1, 1, 2, 1 },
        { "offset 2, relative", 1, 0, 2, 1 },
        /* Misspelled relative. */
        { "bytes 1, offset 2, relatve", 0, 0, 0, 0 },
        /* Misspelled bytes. */
        { "byts 1, offset 2, relatve", 0, 0, 0, 0 },
        /* Misspelled offset. */
        { "bytes 1, offst 2, relatve", 0, 0, 0, 0 },
        /* Empty string. */
        { "", 0, 0, 0, 0 },
    };
    uint32_t got_bytes = 0;
    uint32_t got_offset = 0;
    uint8_t got_relative = 0;

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        const int parsed = DetectBase64DecodeParse(
                cases[i].input, &got_bytes, &got_offset, &got_relative);

        if (!cases[i].accepted) {
            if (parsed) {
                return 0;
            }
            continue;
        }
        if (!parsed) {
            return 0;
        }
        if (got_bytes != cases[i].bytes || got_offset != cases[i].offset ||
                got_relative != cases[i].relative) {
            return 0;
        }
    }

    return 1;
}
355 
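/**
 * Test keyword setup on basic content: with no sticky buffer and no earlier
 * match, the keyword must land in the packet payload list.
 */
static int DetectBase64DecodeTestSetup(void)
{
    DetectEngineCtx *de_ctx = NULL;
    Signature *s;
    int retval = 0;

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        goto end;
    }

    de_ctx->sig_list = SigInit(de_ctx,
        "alert tcp any any -> any any ("
        "msg:\"DetectBase64DecodeTestSetup\"; "
        "base64_decode; content:\"content\"; "
        "sid:1; rev:1;)");
    if (de_ctx->sig_list == NULL) {
        goto end;
    }
    /* sig_list was just checked, so s cannot be NULL here. */
    s = de_ctx->sig_list;
    if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
        goto end;
    }

    retval = 1;
end:
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    return retval;
}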
395 
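/**
 * Test keyword setup when the prior match in the rule has a content
 * modifier (http_header) on it.
 */
static int DetectBase64DecodeHttpHeaderTestSetup(void)
{
    DetectEngineCtx *de_ctx = NULL;
    Signature *s;
    int retval = 0;

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL) {
        goto end;
    }

    de_ctx->sig_list = SigInit(de_ctx,
        "alert tcp any any -> any any ("
        "msg:\"DetectBase64DecodeTestSetup\"; "
        "content:\"Authorization: basic \"; http_header; "
        "base64_decode; content:\"content\"; "
        "sid:1; rev:1;)");
    if (de_ctx->sig_list == NULL) {
        goto end;
    }
    /* sig_list was just checked, so s cannot be NULL here. */
    s = de_ctx->sig_list;

    /* I'm not completely sure whether this list should be non-NULL. */
    if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
        goto end;
    }

    /* Test that the http header list is not NULL. */
    if (s->sm_lists_tail[g_http_header_buffer_id] == NULL) {
        goto end;
    }

    retval = 1;
end:
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    return retval;
}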
444 
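/**
 * Test decoding a payload that consists only of base64 text: after matching,
 * the thread context must hold a non-empty decoded buffer.
 */
static int DetectBase64DecodeTestDecode(void)
{
    ThreadVars tv;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    Packet *p = NULL;
    int retval = 0;

    uint8_t payload[] = {
        'S', 'G', 'V', 's', 'b', 'G', '8', 'g',
        'V', '2', '9', 'y', 'b', 'G', 'Q', '=',
    };

    memset(&tv, 0, sizeof(tv));

    if ((de_ctx = DetectEngineCtxInit()) == NULL) {
        goto end;
    }

    de_ctx->sig_list = SigInit(de_ctx,
        "alert tcp any any -> any any (msg:\"base64 test\"; "
        "base64_decode; "
        "sid:1; rev:1;)");
    if (de_ctx->sig_list == NULL) {
        goto end;
    }
    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
    /* The init result is not checked; fail the test instead of
     * dereferencing a NULL thread context below. */
    if (det_ctx == NULL) {
        goto end;
    }

    p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
    if (p == NULL) {
        goto end;
    }

    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    if (det_ctx->base64_decoded_len == 0) {
        goto end;
    }

    retval = 1;
end:
    if (det_ctx != NULL) {
        DetectEngineThreadCtxDeinit(&tv, det_ctx);
    }
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    if (p != NULL) {
        UTHFreePacket(p);
    }
    return retval;
}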
499 
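/**
 * Test "offset": eight filler bytes precede the base64 text, and
 * "offset 8" must skip them so the decoded output equals "Hello World".
 */
static int DetectBase64DecodeTestDecodeWithOffset(void)
{
    ThreadVars tv;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    Packet *p = NULL;
    int retval = 0;

    uint8_t payload[] = {
        'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a',
        'S', 'G', 'V', 's', 'b', 'G', '8', 'g',
        'V', '2', '9', 'y', 'b', 'G', 'Q', '=',
    };
    char decoded[] = "Hello World";

    memset(&tv, 0, sizeof(tv));

    if ((de_ctx = DetectEngineCtxInit()) == NULL) {
        goto end;
    }

    de_ctx->sig_list = SigInit(de_ctx,
        "alert tcp any any -> any any (msg:\"base64 test\"; "
        "base64_decode: offset 8; "
        "sid:1; rev:1;)");
    if (de_ctx->sig_list == NULL) {
        goto end;
    }
    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
    /* The init result is not checked; fail the test instead of
     * dereferencing a NULL thread context below. */
    if (det_ctx == NULL) {
        goto end;
    }

    p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
    if (p == NULL) {
        goto end;
    }

    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    if (det_ctx->base64_decoded_len != (int)strlen(decoded)) {
        goto end;
    }
    if (memcmp(det_ctx->base64_decoded, decoded, strlen(decoded))) {
        goto end;
    }

    retval = 1;
end:
    if (det_ctx != NULL) {
        DetectEngineThreadCtxDeinit(&tv, det_ctx);
    }
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    if (p != NULL) {
        UTHFreePacket(p);
    }
    return retval;
}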
559 
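/**
 * Test an offset beyond the end of the payload: the keyword must not decode
 * anything, so the decoded length stays 0.
 */
static int DetectBase64DecodeTestDecodeLargeOffset(void)
{
    ThreadVars tv;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    Packet *p = NULL;
    int retval = 0;

    uint8_t payload[] = {
        'S', 'G', 'V', 's', 'b', 'G', '8', 'g',
        'V', '2', '9', 'y', 'b', 'G', 'Q', '=',
    };

    memset(&tv, 0, sizeof(tv));

    if ((de_ctx = DetectEngineCtxInit()) == NULL) {
        goto end;
    }

    /* Offset is out of range. */
    de_ctx->sig_list = SigInit(de_ctx,
        "alert tcp any any -> any any (msg:\"base64 test\"; "
        "base64_decode: bytes 16, offset 32; "
        "sid:1; rev:1;)");
    if (de_ctx->sig_list == NULL) {
        goto end;
    }
    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
    /* The init result is not checked; fail the test instead of
     * dereferencing a NULL thread context below. */
    if (det_ctx == NULL) {
        goto end;
    }

    p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
    if (p == NULL) {
        goto end;
    }

    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    if (det_ctx->base64_decoded_len != 0) {
        goto end;
    }

    retval = 1;
end:
    if (det_ctx != NULL) {
        DetectEngineThreadCtxDeinit(&tv, det_ctx);
    }
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    if (p != NULL) {
        UTHFreePacket(p);
    }
    return retval;
}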
615 
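/**
 * Test "relative": decoding must start right after the preceding content
 * match ("aaaaaaaa"), so the decoded output equals "Hello World".
 */
static int DetectBase64DecodeTestDecodeRelative(void)
{
    ThreadVars tv;
    DetectEngineCtx *de_ctx = NULL;
    DetectEngineThreadCtx *det_ctx = NULL;
    Packet *p = NULL;
    int retval = 0;

    uint8_t payload[] = {
        'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a',
        'S', 'G', 'V', 's', 'b', 'G', '8', 'g',
        'V', '2', '9', 'y', 'b', 'G', 'Q', '=',
    };
    char decoded[] = "Hello World";

    memset(&tv, 0, sizeof(tv));

    if ((de_ctx = DetectEngineCtxInit()) == NULL) {
        goto end;
    }

    de_ctx->sig_list = SigInit(de_ctx,
        "alert tcp any any -> any any (msg:\"base64 test\"; "
        "content:\"aaaaaaaa\"; "
        "base64_decode: relative; "
        "sid:1; rev:1;)");
    if (de_ctx->sig_list == NULL) {
        goto end;
    }
    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
    /* The init result is not checked; fail the test instead of
     * dereferencing a NULL thread context below. */
    if (det_ctx == NULL) {
        goto end;
    }

    p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
    if (p == NULL) {
        goto end;
    }

    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    if (det_ctx->base64_decoded_len != (int)strlen(decoded)) {
        goto end;
    }
    if (memcmp(det_ctx->base64_decoded, decoded, strlen(decoded))) {
        goto end;
    }

    retval = 1;
end:
    if (det_ctx != NULL) {
        DetectEngineThreadCtxDeinit(&tv, det_ctx);
    }
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    if (p != NULL) {
        UTHFreePacket(p);
    }
    return retval;
}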
676 
/**
 * Register the unit tests of this file, after resolving the http_header
 * buffer id that DetectBase64DecodeHttpHeaderTestSetup relies on.
 */
static void DetectBase64DecodeRegisterTests(void)
{
    /* Registration order is the order of this table. */
    static const struct {
        const char *name;
        int (*fn)(void);
    } tests[] = {
        { "DetectBase64TestDecodeParse", DetectBase64TestDecodeParse },
        { "DetectBase64DecodeTestSetup", DetectBase64DecodeTestSetup },
        { "DetectBase64DecodeHttpHeaderTestSetup",
                DetectBase64DecodeHttpHeaderTestSetup },
        { "DetectBase64DecodeTestDecode", DetectBase64DecodeTestDecode },
        { "DetectBase64DecodeTestDecodeWithOffset",
                DetectBase64DecodeTestDecodeWithOffset },
        { "DetectBase64DecodeTestDecodeLargeOffset",
                DetectBase64DecodeTestDecodeLargeOffset },
        { "DetectBase64DecodeTestDecodeRelative",
                DetectBase64DecodeTestDecodeRelative },
    };

    g_http_header_buffer_id = DetectBufferTypeGetByName("http_header");

    for (size_t i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
        UtRegisterTest(tests[i].name, tests[i].fn);
    }
}
694 #endif /* UNITTESTS */
util-byte.h
DetectParseRegex::match
pcre2_match_data * match
Definition: detect-parse.h:47
SigTableElmt_::url
const char * url
Definition: detect.h:1238
DetectEngineThreadCtx_::buffer_offset
uint32_t buffer_offset
Definition: detect.h:1052
detect-engine.h
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:79
SigTableElmt_::desc
const char * desc
Definition: detect.h:1237
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options)
Definition: detect-parse.c:2488
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1225
flow-util.h
DetectParseRegex
Definition: detect-parse.h:44
SigTableElmt_::name
const char * name
Definition: detect.h:1235
DETECT_BYTEJUMP
@ DETECT_BYTEJUMP
Definition: detect-engine-register.h:76
stream-tcp.h
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
DetectBase64DecodeDoMatch
int DetectBase64DecodeDoMatch(DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, const uint8_t *payload, uint32_t payload_len)
Definition: detect-base64-decode.c:66
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:62
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:296
SC_ERR_INVALID_RULE_ARGUMENT
@ SC_ERR_INVALID_RULE_ARGUMENT
Definition: util-error.h:302
SigMatchData_::ctx
SigMatchCtx * ctx
Definition: detect.h:325
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2129
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1229
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:784
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2444
util-base64.h
MIN
#define MIN(x, y)
Definition: suricata-common.h:380
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:339
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1788
DetectBase64Decode
struct DetectBase64Decode_ DetectBase64Decode
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:46
SigMatchData_
Data needed for Match()
Definition: detect.h:322
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1220
util-unittest.h
util-unittest-helper.h
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1085
DetectBase64Decode_::offset
uint32_t offset
Definition: detect-base64-decode.c:32
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectBase64Decode_
Definition: detect-base64-decode.c:30
DetectEngineThreadCtx_
Definition: detect.h:1024
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2611
SignatureInitData_::list
int list
Definition: detect.h:516
util-print.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
StringParseUint32
int StringParseUint32(uint32_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:313
BASE64_MODE_RFC4648
@ BASE64_MODE_RFC4648
Definition: util-base64.h:68
PrintRawDataFp
void PrintRawDataFp(FILE *fp, const uint8_t *buf, uint32_t buflen)
Definition: util-print.c:143
app-layer-parser.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:316
DetectEngineThreadCtx_::base64_decoded_len
int base64_decoded_len
Definition: detect.h:1165
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2022
BASE64_DECODE_MAX
#define BASE64_DECODE_MAX
Definition: detect-base64-decode.c:28
Packet_
Definition: decode.h:428
detect-engine-build.h
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:610
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:238
DETECT_PCRE
@ DETECT_PCRE
Definition: detect-engine-register.h:64
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1954
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:308
DETECT_SM_LIST_NOTSET
#define DETECT_SM_LIST_NOTSET
Definition: detect.h:104
DetectBase64Decode_::relative
uint8_t relative
Definition: detect-base64-decode.c:33
DETECT_BYTETEST
@ DETECT_BYTETEST
Definition: detect-engine-register.h:75
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3153
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3367
SigMatch_::type
uint16_t type
Definition: detect.h:314
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:76
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:255
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:790
DetectBase64Decode_::bytes
uint32_t bytes
Definition: detect-base64-decode.c:31
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
SIGMATCH_OPTIONAL_OPT
#define SIGMATCH_OPTIONAL_OPT
Definition: detect.h:1429
detect-base64-decode.h
str
#define str(s)
Definition: suricata-common.h:280
SigMatchListSMBelongsTo
int SigMatchListSMBelongsTo(const Signature *s, const SigMatch *key_sm)
Definition: detect-parse.c:628
SCFree
#define SCFree(p)
Definition: util-mem.h:61
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:487
DETECT_BYTE_EXTRACT
@ DETECT_BYTE_EXTRACT
Definition: detect-engine-register.h:178
DetectEngineThreadCtx_::base64_decoded_len_max
int base64_decoded_len_max
Definition: detect.h:1166
detect-parse.h
Signature_
Signature container.
Definition: detect.h:539
SigMatch_
a single match condition for a signature
Definition: detect.h:313
payload_len
uint16_t payload_len
Definition: stream-tcp-private.h:1
DETECT_ISDATAAT
@ DETECT_ISDATAAT
Definition: detect-engine-register.h:82
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2405
DetectEngineThreadCtx_::base64_decoded
uint8_t * base64_decoded
Definition: detect.h:1164
DETECT_BASE64_DECODE
@ DETECT_BASE64_DECODE
Definition: detect-engine-register.h:250
DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition: detect-parse.c:471
DetectBase64DecodeRegister
void DetectBase64DecodeRegister(void)
Definition: detect-base64-decode.c:48
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
DetectEngineCtx_::base64_decode_max_len
uint32_t base64_decode_max_len
Definition: detect.h:886
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:352
DecodeBase64
Base64Ecode DecodeBase64(uint8_t *dest, uint32_t dest_size, const uint8_t *src, uint32_t len, uint32_t *consumed_bytes, uint32_t *decoded_bytes, Base64Mode mode)
Decodes a base64-encoded string buffer into an ascii-encoded byte buffer.
Definition: util-base64.c:94
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1227