suricata
detect-base64-decode.c
Go to the documentation of this file.
1 /* Copyright (C) 2015 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 #include "suricata-common.h"
19 #include "detect.h"
20 #include "detect-parse.h"
21 #include "detect-base64-decode.h"
22 #include "util-base64.h"
23 #include "util-byte.h"
24 #include "util-print.h"
25 
26 /* Arbitrary maximum buffer size for decoded base64 data. */
27 #define BASE64_DECODE_MAX 65535
28 
29 static const char decode_pattern[] = "\\s*(bytes\\s+(\\d+),?)?"
30  "\\s*(offset\\s+(\\d+),?)?"
31  "\\s*(\\w+)?";
32 static pcre *decode_pcre = NULL;
33 static pcre_extra *decode_pcre_study = NULL;
34 
35 static int DetectBase64DecodeSetup(DetectEngineCtx *, Signature *, const char *);
36 static void DetectBase64DecodeFree(void *);
37 static void DetectBase64DecodeRegisterTests(void);
38 
40 {
41  sigmatch_table[DETECT_BASE64_DECODE].name = "base64_decode";
43  "Decodes base64 encoded data.";
45  DOC_URL DOC_VERSION "/rules/payload-keywords.html#base64-decode";
46  sigmatch_table[DETECT_BASE64_DECODE].Setup = DetectBase64DecodeSetup;
47  sigmatch_table[DETECT_BASE64_DECODE].Free = DetectBase64DecodeFree;
49  DetectBase64DecodeRegisterTests;
50 
52 
53  DetectSetupParseRegexes(decode_pattern, &decode_pcre, &decode_pcre_study);
54 }
55 
57  const SigMatchData *smd, const uint8_t *payload, uint32_t payload_len)
58 {
60  int decode_len;
61 
62 #if 0
63  printf("Input data:\n");
64  PrintRawDataFp(stdout, payload, payload_len);
65 #endif
66 
67  if (data->relative) {
68  payload += det_ctx->buffer_offset;
69  payload_len -= det_ctx->buffer_offset;
70  }
71 
72  if (data->offset) {
73  if (data->offset >= payload_len) {
74  return 0;
75  }
76  payload = payload + data->offset;
77  payload_len -= data->offset;
78  }
79 
80  decode_len = MIN(payload_len, data->bytes);
81 
82 #if 0
83  printf("Decoding:\n");
84  PrintRawDataFp(stdout, payload, decode_len);
85 #endif
86 
88  payload, decode_len, 0);
89  SCLogDebug("Decoded %d bytes from base64 data.",
90  det_ctx->base64_decoded_len);
91 #if 0
92  if (det_ctx->base64_decoded_len) {
93  printf("Decoded data:\n");
94  PrintRawDataFp(stdout, det_ctx->base64_decoded,
95  det_ctx->base64_decoded_len);
96  }
97 #endif
98 
99  return det_ctx->base64_decoded_len > 0;
100 }
101 
102 static int DetectBase64DecodeParse(const char *str, uint32_t *bytes,
103  uint32_t *offset, uint8_t *relative)
104 {
105  static const int max = 30;
106  int ov[max];
107  int pcre_rc;
108  const char *bytes_str = NULL;
109  const char *offset_str = NULL;
110  const char *relative_str = NULL;
111  int retval = 0;
112 
113  *bytes = 0;
114  *offset = 0;
115  *relative = 0;
116 
117  pcre_rc = pcre_exec(decode_pcre, decode_pcre_study, str, strlen(str), 0, 0,
118  ov, max);
119  if (pcre_rc < 3) {
120  goto error;
121  }
122 
123  if (pcre_rc >= 3) {
124  if (pcre_get_substring((char *)str, ov, max, 2, &bytes_str) > 0) {
125  if (ByteExtractStringUint32(bytes, 10, 0, bytes_str) <= 0) {
127  "Bad value for bytes: \"%s\"", bytes_str);
128  goto error;
129  }
130  }
131  }
132 
133  if (pcre_rc >= 5) {
134  if (pcre_get_substring((char *)str, ov, max, 4, &offset_str)) {
135  if (ByteExtractStringUint32(offset, 10, 0, offset_str) <= 0) {
137  "Bad value for offset: \"%s\"", offset_str);
138  goto error;
139  }
140  }
141  }
142 
143  if (pcre_rc >= 6) {
144  if (pcre_get_substring((char *)str, ov, max, 5, &relative_str)) {
145  if (strcmp(relative_str, "relative") == 0) {
146  *relative = 1;
147  }
148  else {
150  "Invalid argument: \"%s\"", relative_str);
151  goto error;
152  }
153  }
154  }
155 
156  retval = 1;
157 error:
158  if (bytes_str != NULL) {
159  pcre_free_substring(bytes_str);
160  }
161  if (offset_str != NULL) {
162  pcre_free_substring(offset_str);
163  }
164  if (relative_str != NULL) {
165  pcre_free_substring(relative_str);
166  }
167  return retval;
168 }
169 
170 static int DetectBase64DecodeSetup(DetectEngineCtx *de_ctx, Signature *s,
171  const char *str)
172 {
173  uint32_t bytes = 0;
174  uint32_t offset = 0;
175  uint8_t relative = 0;
176  DetectBase64Decode *data = NULL;
177  int sm_list;
178  SigMatch *sm = NULL;
179  SigMatch *pm = NULL;
180 
181  if (str != NULL) {
182  if (!DetectBase64DecodeParse(str, &bytes, &offset, &relative)) {
183  goto error;
184  }
185  }
186  data = SCCalloc(1, sizeof(DetectBase64Decode));
187  if (unlikely(data == NULL)) {
188  goto error;
189  }
190  data->bytes = bytes;
191  data->offset = offset;
192  data->relative = relative;
193 
194  if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
195  sm_list = s->init_data->list;
196 #if 0
197  if (data->relative) {
198  pm = SigMatchGetLastSMFromLists(s, 4,
199  DETECT_CONTENT, s->sm_lists_tail[sm_list],
200  DETECT_PCRE, s->sm_lists_tail[sm_list]);
201  }
202 #endif
203  }
204  else {
208  DETECT_ISDATAAT, -1);
209  if (pm == NULL) {
210  sm_list = DETECT_SM_LIST_PMATCH;
211  }
212  else {
213  sm_list = SigMatchListSMBelongsTo(s, pm);
214  if (sm_list < 0) {
215  goto error;
216  }
217  }
218  }
219 
220  sm = SigMatchAlloc();
221  if (sm == NULL) {
222  goto error;
223  }
225  sm->ctx = (SigMatchCtx *)data;
226  SigMatchAppendSMToList(s, sm, sm_list);
227 
228  if (!data->bytes) {
229  data->bytes = BASE64_DECODE_MAX;
230  }
231  if (data->bytes > de_ctx->base64_decode_max_len) {
232  de_ctx->base64_decode_max_len = data->bytes;
233  }
234 
235  return 0;
236 error:
237  if (data != NULL) {
238  SCFree(data);
239  }
240  return -1;
241 }
242 
243 static void DetectBase64DecodeFree(void *ptr)
244 {
245  DetectBase64Decode *data = ptr;
246  SCFree(data);
247 }
248 
249 
250 #ifdef UNITTESTS
251 #include "detect-engine.h"
252 #include "util-unittest.h"
253 #include "util-unittest-helper.h"
254 #include "app-layer-parser.h"
255 #include "flow-util.h"
256 #include "stream-tcp.h"
257 
258 static int g_http_header_buffer_id = 0;
259 
260 static int DetectBase64TestDecodeParse(void)
261 {
262  int retval = 0;
263  uint32_t bytes = 0;
264  uint32_t offset = 0;
265  uint8_t relative = 0;
266 
267  if (!DetectBase64DecodeParse("bytes 1", &bytes, &offset, &relative)) {
268  goto end;
269  }
270  if (bytes != 1 || offset != 0 || relative != 0) {
271  goto end;
272  }
273 
274  if (!DetectBase64DecodeParse("offset 9", &bytes, &offset, &relative)) {
275  goto end;
276  }
277  if (bytes != 0 || offset != 9 || relative != 0) {
278  goto end;
279  }
280 
281  if (!DetectBase64DecodeParse("relative", &bytes, &offset, &relative)) {
282  goto end;
283  }
284  if (bytes != 0 || offset != 0 || relative != 1) {
285  goto end;
286  }
287 
288  if (!DetectBase64DecodeParse("bytes 1, offset 2", &bytes, &offset,
289  &relative)) {
290  goto end;
291  }
292  if (bytes != 1 || offset != 2 || relative != 0) {
293  goto end;
294  }
295 
296  if (!DetectBase64DecodeParse("bytes 1, offset 2, relative", &bytes, &offset,
297  &relative)) {
298  goto end;
299  }
300  if (bytes != 1 || offset != 2 || relative != 1) {
301  goto end;
302  }
303 
304  if (!DetectBase64DecodeParse("offset 2, relative", &bytes, &offset,
305  &relative)) {
306  goto end;
307  }
308  if (bytes != 0 || offset != 2 || relative != 1) {
309  goto end;
310  }
311 
312  /* Misspelled relative. */
313  if (DetectBase64DecodeParse("bytes 1, offset 2, relatve", &bytes, &offset,
314  &relative)) {
315  goto end;
316  }
317 
318  /* Misspelled bytes. */
319  if (DetectBase64DecodeParse("byts 1, offset 2, relatve", &bytes, &offset,
320  &relative)) {
321  goto end;
322  }
323 
324  /* Misspelled offset. */
325  if (DetectBase64DecodeParse("bytes 1, offst 2, relatve", &bytes, &offset,
326  &relative)) {
327  goto end;
328  }
329 
330  /* Misspelled empty string. */
331  if (DetectBase64DecodeParse("", &bytes, &offset, &relative)) {
332  goto end;
333  }
334 
335  retval = 1;
336 end:
337  return retval;
338 }
339 
340 /**
341  * Test keyword setup on basic content.
342  */
343 static int DetectBase64DecodeTestSetup(void)
344 {
345  DetectEngineCtx *de_ctx = NULL;
346  Signature *s;
347  int retval = 0;
348 
349  de_ctx = DetectEngineCtxInit();
350  if (de_ctx == NULL) {
351  goto end;
352  }
353 
354  de_ctx->sig_list = SigInit(de_ctx,
355  "alert tcp any any -> any any ("
356  "msg:\"DetectBase64DecodeTestSetup\"; "
357  "base64_decode; content:\"content\"; "
358  "sid:1; rev:1;)");
359  if (de_ctx->sig_list == NULL) {
360  goto end;
361  }
362  s = de_ctx->sig_list;
363  if (s == NULL) {
364  goto end;
365  }
366  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
367  goto end;
368  }
369 
370  retval = 1;
371 end:
372  if (de_ctx != NULL) {
373  SigGroupCleanup(de_ctx);
374  SigCleanSignatures(de_ctx);
375  DetectEngineCtxFree(de_ctx);
376  }
377  return retval;
378 }
379 
380 /**
381  * Test keyword setup when the prior rule has a content modifier on
382  * it.
383  */
384 static int DetectBase64DecodeHttpHeaderTestSetup(void)
385 {
386  DetectEngineCtx *de_ctx = NULL;
387  Signature *s;
388  int retval = 0;
389 
390  de_ctx = DetectEngineCtxInit();
391  if (de_ctx == NULL) {
392  goto end;
393  }
394 
395  de_ctx->sig_list = SigInit(de_ctx,
396  "alert tcp any any -> any any ("
397  "msg:\"DetectBase64DecodeTestSetup\"; "
398  "content:\"Authorization: basic \"; http_header; "
399  "base64_decode; content:\"content\"; "
400  "sid:1; rev:1;)");
401  if (de_ctx->sig_list == NULL) {
402  goto end;
403  }
404  s = de_ctx->sig_list;
405  if (s == NULL) {
406  goto end;
407  }
408 
409  /* I'm not complete sure if this list should not be NULL. */
410  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
411  goto end;
412  }
413 
414  /* Test that the http header list is not NULL. */
415  if (s->sm_lists_tail[g_http_header_buffer_id] == NULL) {
416  goto end;
417  }
418 
419  retval = 1;
420 end:
421  if (de_ctx != NULL) {
422  SigGroupCleanup(de_ctx);
423  SigCleanSignatures(de_ctx);
424  DetectEngineCtxFree(de_ctx);
425  }
426  return retval;
427 }
428 
429 static int DetectBase64DecodeTestDecode(void)
430 {
431  ThreadVars tv;
432  DetectEngineCtx *de_ctx = NULL;
433  DetectEngineThreadCtx *det_ctx = NULL;
434  Packet *p = NULL;
435  int retval = 0;
436 
437  uint8_t payload[] = {
438  'S', 'G', 'V', 's', 'b', 'G', '8', 'g',
439  'V', '2', '9', 'y', 'b', 'G', 'Q', '=',
440  };
441 
442  memset(&tv, 0, sizeof(tv));
443 
444  if ((de_ctx = DetectEngineCtxInit()) == NULL) {
445  goto end;
446  }
447 
448  de_ctx->sig_list = SigInit(de_ctx,
449  "alert tcp any any -> any any (msg:\"base64 test\"; "
450  "base64_decode; "
451  "sid:1; rev:1;)");
452  if (de_ctx->sig_list == NULL) {
453  goto end;
454  }
455  SigGroupBuild(de_ctx);
456  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
457 
458  p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
459  if (p == NULL) {
460  goto end;
461  }
462 
463  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
464  if (det_ctx->base64_decoded_len == 0) {
465  goto end;
466  }
467 
468  retval = 1;
469 end:
470  if (det_ctx != NULL) {
471  DetectEngineThreadCtxDeinit(&tv, det_ctx);
472  }
473  if (de_ctx != NULL) {
474  SigCleanSignatures(de_ctx);
475  SigGroupCleanup(de_ctx);
476  DetectEngineCtxFree(de_ctx);
477  }
478  if (p != NULL) {
479  UTHFreePacket(p);
480  }
481  return retval;
482 }
483 
484 static int DetectBase64DecodeTestDecodeWithOffset(void)
485 {
486  ThreadVars tv;
487  DetectEngineCtx *de_ctx = NULL;
488  DetectEngineThreadCtx *det_ctx = NULL;
489  Packet *p = NULL;
490  int retval = 0;
491 
492  uint8_t payload[] = {
493  'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a',
494  'S', 'G', 'V', 's', 'b', 'G', '8', 'g',
495  'V', '2', '9', 'y', 'b', 'G', 'Q', '=',
496  };
497  char decoded[] = "Hello World";
498 
499  memset(&tv, 0, sizeof(tv));
500 
501  if ((de_ctx = DetectEngineCtxInit()) == NULL) {
502  goto end;
503  }
504 
505  de_ctx->sig_list = SigInit(de_ctx,
506  "alert tcp any any -> any any (msg:\"base64 test\"; "
507  "base64_decode: offset 8; "
508  "sid:1; rev:1;)");
509  if (de_ctx->sig_list == NULL) {
510  goto end;
511  }
512  SigGroupBuild(de_ctx);
513  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
514 
515  p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
516  if (p == NULL) {
517  goto end;
518  }
519 
520  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
521  if (det_ctx->base64_decoded_len != (int)strlen(decoded)) {
522  goto end;
523  }
524  if (memcmp(det_ctx->base64_decoded, decoded, strlen(decoded))) {
525  goto end;
526  }
527 
528  retval = 1;
529 end:
530  if (det_ctx != NULL) {
531  DetectEngineThreadCtxDeinit(&tv, det_ctx);
532  }
533  if (de_ctx != NULL) {
534  SigCleanSignatures(de_ctx);
535  SigGroupCleanup(de_ctx);
536  DetectEngineCtxFree(de_ctx);
537  }
538  if (p != NULL) {
539  UTHFreePacket(p);
540  }
541  return retval;
542 }
543 
544 static int DetectBase64DecodeTestDecodeLargeOffset(void)
545 {
546  ThreadVars tv;
547  DetectEngineCtx *de_ctx = NULL;
548  DetectEngineThreadCtx *det_ctx = NULL;
549  Packet *p = NULL;
550  int retval = 0;
551 
552  uint8_t payload[] = {
553  'S', 'G', 'V', 's', 'b', 'G', '8', 'g',
554  'V', '2', '9', 'y', 'b', 'G', 'Q', '=',
555  };
556 
557  memset(&tv, 0, sizeof(tv));
558 
559  if ((de_ctx = DetectEngineCtxInit()) == NULL) {
560  goto end;
561  }
562 
563  /* Offset is out of range. */
564  de_ctx->sig_list = SigInit(de_ctx,
565  "alert tcp any any -> any any (msg:\"base64 test\"; "
566  "base64_decode: bytes 16, offset 32; "
567  "sid:1; rev:1;)");
568  if (de_ctx->sig_list == NULL) {
569  goto end;
570  }
571  SigGroupBuild(de_ctx);
572  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
573 
574  p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
575  if (p == NULL) {
576  goto end;
577  }
578 
579  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
580  if (det_ctx->base64_decoded_len != 0) {
581  goto end;
582  }
583 
584  retval = 1;
585 end:
586  if (det_ctx != NULL) {
587  DetectEngineThreadCtxDeinit(&tv, det_ctx);
588  }
589  if (de_ctx != NULL) {
590  SigCleanSignatures(de_ctx);
591  SigGroupCleanup(de_ctx);
592  DetectEngineCtxFree(de_ctx);
593  }
594  if (p != NULL) {
595  UTHFreePacket(p);
596  }
597  return retval;
598 }
599 
600 static int DetectBase64DecodeTestDecodeRelative(void)
601 {
602  ThreadVars tv;
603  DetectEngineCtx *de_ctx = NULL;
604  DetectEngineThreadCtx *det_ctx = NULL;
605  Packet *p = NULL;
606  int retval = 0;
607 
608  uint8_t payload[] = {
609  'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a',
610  'S', 'G', 'V', 's', 'b', 'G', '8', 'g',
611  'V', '2', '9', 'y', 'b', 'G', 'Q', '=',
612  };
613  char decoded[] = "Hello World";
614 
615  memset(&tv, 0, sizeof(tv));
616 
617  if ((de_ctx = DetectEngineCtxInit()) == NULL) {
618  goto end;
619  }
620 
621  de_ctx->sig_list = SigInit(de_ctx,
622  "alert tcp any any -> any any (msg:\"base64 test\"; "
623  "content:\"aaaaaaaa\"; "
624  "base64_decode: relative; "
625  "sid:1; rev:1;)");
626  if (de_ctx->sig_list == NULL) {
627  goto end;
628  }
629  SigGroupBuild(de_ctx);
630  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
631 
632  p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
633  if (p == NULL) {
634  goto end;
635  }
636 
637  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
638  if (det_ctx->base64_decoded_len != (int)strlen(decoded)) {
639  goto end;
640  }
641  if (memcmp(det_ctx->base64_decoded, decoded, strlen(decoded))) {
642  goto end;
643  }
644 
645  retval = 1;
646 end:
647  if (det_ctx != NULL) {
648  DetectEngineThreadCtxDeinit(&tv, det_ctx);
649  }
650  if (de_ctx != NULL) {
651  SigCleanSignatures(de_ctx);
652  SigGroupCleanup(de_ctx);
653  DetectEngineCtxFree(de_ctx);
654  }
655  if (p != NULL) {
656  UTHFreePacket(p);
657  }
658  return retval;
659 }
660 
661 #endif
662 
663 static void DetectBase64DecodeRegisterTests(void)
664 {
665 #ifdef UNITTESTS
666  g_http_header_buffer_id = DetectBufferTypeGetByName("http_header");
667 
668  UtRegisterTest("DetectBase64TestDecodeParse", DetectBase64TestDecodeParse);
669  UtRegisterTest("DetectBase64DecodeTestSetup", DetectBase64DecodeTestSetup);
670  UtRegisterTest("DetectBase64DecodeHttpHeaderTestSetup",
671  DetectBase64DecodeHttpHeaderTestSetup);
672  UtRegisterTest("DetectBase64DecodeTestDecode",
673  DetectBase64DecodeTestDecode);
674  UtRegisterTest("DetectBase64DecodeTestDecodeWithOffset",
675  DetectBase64DecodeTestDecodeWithOffset);
676  UtRegisterTest("DetectBase64DecodeTestDecodeLargeOffset",
677  DetectBase64DecodeTestDecodeLargeOffset);
678  UtRegisterTest("DetectBase64DecodeTestDecodeRelative",
679  DetectBase64DecodeTestDecodeRelative);
680 #endif /* UNITTESTS */
681 }
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1448
SignatureInitData * init_data
Definition: detect.h:591
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1186
#define SCLogDebug(...)
Definition: util-debug.h:335
#define unlikely(expr)
Definition: util-optimize.h:35
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
int DetectBase64DecodeDoMatch(DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, const uint8_t *payload, uint32_t payload_len)
void DetectBase64DecodeRegister(void)
Signature * sig_list
Definition: detect.h:767
#define MIN(x, y)
uint64_t offset
Data needed for Match()
Definition: detect.h:327
void SigCleanSignatures(DetectEngineCtx *de_ctx)
int ByteExtractStringUint32(uint32_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:244
uint32_t buffer_offset
Definition: detect.h:1032
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
const char * name
Definition: detect.h:1200
Signature container.
Definition: detect.h:522
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:313
main detection engine ctx
Definition: detect.h:761
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
int DetectBufferTypeGetByName(const char *name)
#define str(s)
#define SCCalloc(nm, a)
Definition: util-mem.h:253
void(* Free)(void *)
Definition: detect.h:1191
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1669
void DetectSetupParseRegexes(const char *parse_str, pcre **parse_regex, pcre_extra **parse_regex_study)
#define DETECT_SM_LIST_NOTSET
Definition: detect.h:115
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
int SigGroupCleanup(DetectEngineCtx *de_ctx)
uint8_t type
Definition: detect.h:319
const char * desc
Definition: detect.h:1202
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:346
SigMatchCtx * ctx
Definition: detect.h:321
uint16_t payload_len
void PrintRawDataFp(FILE *fp, const uint8_t *buf, uint32_t buflen)
Definition: util-print.c:141
#define SCFree(a)
Definition: util-mem.h:322
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us. ...
Definition: detect-parse.c:465
const char * url
Definition: detect.h:1203
#define SIGMATCH_OPTIONAL_OPT
Definition: detect.h:1378
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself...
uint8_t * base64_decoded
Definition: detect.h:1135
#define BASE64_DECODE_MAX
#define DOC_URL
Definition: suricata.h:86
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:232
Per thread variable structure.
Definition: threadvars.h:57
int SigMatchListSMBelongsTo(const Signature *s, const SigMatch *key_sm)
Definition: detect-parse.c:619
#define DOC_VERSION
Definition: suricata.h:91
uint16_t flags
Definition: detect.h:1194
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
uint32_t DecodeBase64(uint8_t *dest, const uint8_t *src, uint32_t len, int strict)
Decodes a base64-encoded string buffer into an ascii-encoded byte buffer.
Definition: util-base64.c:91
uint32_t base64_decode_max_len
Definition: detect.h:862
void(* RegisterTests)(void)
Definition: detect.h:1192
a single match condition for a signature
Definition: detect.h:318
SigMatchCtx * ctx
Definition: detect.h:330
DetectEngineCtx * DetectEngineCtxInit(void)