suricata
detect-base64-decode.c
Go to the documentation of this file.
1 /* Copyright (C) 2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 #include "suricata-common.h"
19 #include "detect.h"
20 #include "detect-parse.h"
21 #include "detect-base64-decode.h"
22 #include "util-base64.h"
23 #include "util-byte.h"
24 #include "util-print.h"
25 
26 /* Arbitrary maximum buffer size for decoded base64 data. */
27 #define BASE64_DECODE_MAX 65535
28 
29 static const char decode_pattern[] = "\\s*(bytes\\s+(\\d+),?)?"
30  "\\s*(offset\\s+(\\d+),?)?"
31  "\\s*(\\w+)?";
32 
33 static DetectParseRegex decode_pcre;
34 
35 static int DetectBase64DecodeSetup(DetectEngineCtx *, Signature *, const char *);
36 static void DetectBase64DecodeFree(DetectEngineCtx *, void *);
37 #ifdef UNITTESTS
38 static void DetectBase64DecodeRegisterTests(void);
39 #endif
40 
42 {
43  sigmatch_table[DETECT_BASE64_DECODE].name = "base64_decode";
45  "Decodes base64 encoded data.";
47  "/rules/base64-keywords.html#base64-decode";
48  sigmatch_table[DETECT_BASE64_DECODE].Setup = DetectBase64DecodeSetup;
49  sigmatch_table[DETECT_BASE64_DECODE].Free = DetectBase64DecodeFree;
50 #ifdef UNITTESTS
52  DetectBase64DecodeRegisterTests;
53 #endif
55 
56  DetectSetupParseRegexes(decode_pattern, &decode_pcre);
57 }
58 
60  const SigMatchData *smd, const uint8_t *payload, uint32_t payload_len)
61 {
63  int decode_len;
64 
65 #if 0
66  printf("Input data:\n");
67  PrintRawDataFp(stdout, payload, payload_len);
68 #endif
69 
70  if (data->relative) {
71  payload += det_ctx->buffer_offset;
72  payload_len -= det_ctx->buffer_offset;
73  }
74 
75  if (data->offset) {
76  if (data->offset >= payload_len) {
77  return 0;
78  }
79  payload = payload + data->offset;
80  payload_len -= data->offset;
81  }
82 
83  decode_len = MIN(payload_len, data->bytes);
84 
85 #if 0
86  printf("Decoding:\n");
87  PrintRawDataFp(stdout, payload, decode_len);
88 #endif
89 
91  payload, decode_len, 0);
92  SCLogDebug("Decoded %d bytes from base64 data.",
93  det_ctx->base64_decoded_len);
94 #if 0
95  if (det_ctx->base64_decoded_len) {
96  printf("Decoded data:\n");
97  PrintRawDataFp(stdout, det_ctx->base64_decoded,
98  det_ctx->base64_decoded_len);
99  }
100 #endif
101 
102  return det_ctx->base64_decoded_len > 0;
103 }
104 
105 static int DetectBase64DecodeParse(const char *str, uint32_t *bytes,
106  uint32_t *offset, uint8_t *relative)
107 {
108  int pcre_rc;
109  const char *bytes_str = NULL;
110  const char *offset_str = NULL;
111  const char *relative_str = NULL;
112  int retval = 0;
113 
114  *bytes = 0;
115  *offset = 0;
116  *relative = 0;
117  size_t pcre2_len;
118 
119  pcre_rc = DetectParsePcreExec(&decode_pcre, str, 0, 0);
120  if (pcre_rc < 3) {
121  goto error;
122  }
123 
124  if (pcre_rc >= 3) {
125  if (pcre2_substring_get_bynumber(
126  decode_pcre.match, 2, (PCRE2_UCHAR8 **)&bytes_str, &pcre2_len) == 0) {
127  if (StringParseUint32(bytes, 10, 0, bytes_str) <= 0) {
129  "Bad value for bytes: \"%s\"", bytes_str);
130  goto error;
131  }
132  }
133  }
134 
135  if (pcre_rc >= 5) {
136  if (pcre2_substring_get_bynumber(
137  decode_pcre.match, 4, (PCRE2_UCHAR8 **)&offset_str, &pcre2_len) == 0) {
138  if (StringParseUint32(offset, 10, 0, offset_str) <= 0) {
140  "Bad value for offset: \"%s\"", offset_str);
141  goto error;
142  }
143  }
144  }
145 
146  if (pcre_rc >= 6) {
147  if (pcre2_substring_get_bynumber(
148  decode_pcre.match, 5, (PCRE2_UCHAR8 **)&relative_str, &pcre2_len) == 0) {
149  if (strcmp(relative_str, "relative") == 0) {
150  *relative = 1;
151  }
152  else {
154  "Invalid argument: \"%s\"", relative_str);
155  goto error;
156  }
157  }
158  }
159 
160  retval = 1;
161 error:
162  if (bytes_str != NULL) {
163  pcre2_substring_free((PCRE2_UCHAR8 *)bytes_str);
164  }
165  if (offset_str != NULL) {
166  pcre2_substring_free((PCRE2_UCHAR8 *)offset_str);
167  }
168  if (relative_str != NULL) {
169  pcre2_substring_free((PCRE2_UCHAR8 *)relative_str);
170  }
171  return retval;
172 }
173 
174 static int DetectBase64DecodeSetup(DetectEngineCtx *de_ctx, Signature *s,
175  const char *str)
176 {
177  uint32_t bytes = 0;
178  uint32_t offset = 0;
179  uint8_t relative = 0;
180  DetectBase64Decode *data = NULL;
181  int sm_list;
182  SigMatch *sm = NULL;
183  SigMatch *pm = NULL;
184 
185  if (str != NULL) {
186  if (!DetectBase64DecodeParse(str, &bytes, &offset, &relative)) {
187  goto error;
188  }
189  }
190  data = SCCalloc(1, sizeof(DetectBase64Decode));
191  if (unlikely(data == NULL)) {
192  goto error;
193  }
194  data->bytes = bytes;
195  data->offset = offset;
196  data->relative = relative;
197 
198  if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
199  sm_list = s->init_data->list;
200 #if 0
201  if (data->relative) {
202  pm = SigMatchGetLastSMFromLists(s, 4,
203  DETECT_CONTENT, s->sm_lists_tail[sm_list],
204  DETECT_PCRE, s->sm_lists_tail[sm_list]);
205  }
206 #endif
207  }
208  else {
212  DETECT_ISDATAAT, -1);
213  if (pm == NULL) {
214  sm_list = DETECT_SM_LIST_PMATCH;
215  }
216  else {
217  sm_list = SigMatchListSMBelongsTo(s, pm);
218  if (sm_list < 0) {
219  goto error;
220  }
221  }
222  }
223 
224  sm = SigMatchAlloc();
225  if (sm == NULL) {
226  goto error;
227  }
229  sm->ctx = (SigMatchCtx *)data;
230  SigMatchAppendSMToList(s, sm, sm_list);
231 
232  if (!data->bytes) {
233  data->bytes = BASE64_DECODE_MAX;
234  }
235  if (data->bytes > de_ctx->base64_decode_max_len) {
237  }
238 
239  return 0;
240 error:
241  if (data != NULL) {
242  SCFree(data);
243  }
244  return -1;
245 }
246 
247 static void DetectBase64DecodeFree(DetectEngineCtx *de_ctx, void *ptr)
248 {
249  DetectBase64Decode *data = ptr;
250  SCFree(data);
251 }
252 
253 
254 #ifdef UNITTESTS
255 #include "detect-engine.h"
256 #include "util-unittest.h"
257 #include "util-unittest-helper.h"
258 #include "app-layer-parser.h"
259 #include "flow-util.h"
260 #include "stream-tcp.h"
261 
262 static int g_http_header_buffer_id = 0;
263 
264 static int DetectBase64TestDecodeParse(void)
265 {
266  int retval = 0;
267  uint32_t bytes = 0;
268  uint32_t offset = 0;
269  uint8_t relative = 0;
270 
271  if (!DetectBase64DecodeParse("bytes 1", &bytes, &offset, &relative)) {
272  goto end;
273  }
274  if (bytes != 1 || offset != 0 || relative != 0) {
275  goto end;
276  }
277 
278  if (!DetectBase64DecodeParse("offset 9", &bytes, &offset, &relative)) {
279  goto end;
280  }
281  if (bytes != 0 || offset != 9 || relative != 0) {
282  goto end;
283  }
284 
285  if (!DetectBase64DecodeParse("relative", &bytes, &offset, &relative)) {
286  goto end;
287  }
288  if (bytes != 0 || offset != 0 || relative != 1) {
289  goto end;
290  }
291 
292  if (!DetectBase64DecodeParse("bytes 1, offset 2", &bytes, &offset,
293  &relative)) {
294  goto end;
295  }
296  if (bytes != 1 || offset != 2 || relative != 0) {
297  goto end;
298  }
299 
300  if (!DetectBase64DecodeParse("bytes 1, offset 2, relative", &bytes, &offset,
301  &relative)) {
302  goto end;
303  }
304  if (bytes != 1 || offset != 2 || relative != 1) {
305  goto end;
306  }
307 
308  if (!DetectBase64DecodeParse("offset 2, relative", &bytes, &offset,
309  &relative)) {
310  goto end;
311  }
312  if (bytes != 0 || offset != 2 || relative != 1) {
313  goto end;
314  }
315 
316  /* Misspelled relative. */
317  if (DetectBase64DecodeParse("bytes 1, offset 2, relatve", &bytes, &offset,
318  &relative)) {
319  goto end;
320  }
321 
322  /* Misspelled bytes. */
323  if (DetectBase64DecodeParse("byts 1, offset 2, relatve", &bytes, &offset,
324  &relative)) {
325  goto end;
326  }
327 
328  /* Misspelled offset. */
329  if (DetectBase64DecodeParse("bytes 1, offst 2, relatve", &bytes, &offset,
330  &relative)) {
331  goto end;
332  }
333 
334  /* Misspelled empty string. */
335  if (DetectBase64DecodeParse("", &bytes, &offset, &relative)) {
336  goto end;
337  }
338 
339  retval = 1;
340 end:
341  return retval;
342 }
343 
344 /**
345  * Test keyword setup on basic content.
346  */
347 static int DetectBase64DecodeTestSetup(void)
348 {
349  DetectEngineCtx *de_ctx = NULL;
350  Signature *s;
351  int retval = 0;
352 
354  if (de_ctx == NULL) {
355  goto end;
356  }
357 
359  "alert tcp any any -> any any ("
360  "msg:\"DetectBase64DecodeTestSetup\"; "
361  "base64_decode; content:\"content\"; "
362  "sid:1; rev:1;)");
363  if (de_ctx->sig_list == NULL) {
364  goto end;
365  }
366  s = de_ctx->sig_list;
367  if (s == NULL) {
368  goto end;
369  }
370  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
371  goto end;
372  }
373 
374  retval = 1;
375 end:
376  if (de_ctx != NULL) {
380  }
381  return retval;
382 }
383 
384 /**
385  * Test keyword setup when the prior rule has a content modifier on
386  * it.
387  */
388 static int DetectBase64DecodeHttpHeaderTestSetup(void)
389 {
390  DetectEngineCtx *de_ctx = NULL;
391  Signature *s;
392  int retval = 0;
393 
395  if (de_ctx == NULL) {
396  goto end;
397  }
398 
400  "alert tcp any any -> any any ("
401  "msg:\"DetectBase64DecodeTestSetup\"; "
402  "content:\"Authorization: basic \"; http_header; "
403  "base64_decode; content:\"content\"; "
404  "sid:1; rev:1;)");
405  if (de_ctx->sig_list == NULL) {
406  goto end;
407  }
408  s = de_ctx->sig_list;
409  if (s == NULL) {
410  goto end;
411  }
412 
413  /* I'm not complete sure if this list should not be NULL. */
414  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
415  goto end;
416  }
417 
418  /* Test that the http header list is not NULL. */
419  if (s->sm_lists_tail[g_http_header_buffer_id] == NULL) {
420  goto end;
421  }
422 
423  retval = 1;
424 end:
425  if (de_ctx != NULL) {
429  }
430  return retval;
431 }
432 
433 static int DetectBase64DecodeTestDecode(void)
434 {
435  ThreadVars tv;
436  DetectEngineCtx *de_ctx = NULL;
437  DetectEngineThreadCtx *det_ctx = NULL;
438  Packet *p = NULL;
439  int retval = 0;
440 
441  uint8_t payload[] = {
442  'S', 'G', 'V', 's', 'b', 'G', '8', 'g',
443  'V', '2', '9', 'y', 'b', 'G', 'Q', '=',
444  };
445 
446  memset(&tv, 0, sizeof(tv));
447 
448  if ((de_ctx = DetectEngineCtxInit()) == NULL) {
449  goto end;
450  }
451 
453  "alert tcp any any -> any any (msg:\"base64 test\"; "
454  "base64_decode; "
455  "sid:1; rev:1;)");
456  if (de_ctx->sig_list == NULL) {
457  goto end;
458  }
460  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
461 
462  p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
463  if (p == NULL) {
464  goto end;
465  }
466 
467  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
468  if (det_ctx->base64_decoded_len == 0) {
469  goto end;
470  }
471 
472  retval = 1;
473 end:
474  if (det_ctx != NULL) {
475  DetectEngineThreadCtxDeinit(&tv, det_ctx);
476  }
477  if (de_ctx != NULL) {
481  }
482  if (p != NULL) {
483  UTHFreePacket(p);
484  }
485  return retval;
486 }
487 
488 static int DetectBase64DecodeTestDecodeWithOffset(void)
489 {
490  ThreadVars tv;
491  DetectEngineCtx *de_ctx = NULL;
492  DetectEngineThreadCtx *det_ctx = NULL;
493  Packet *p = NULL;
494  int retval = 0;
495 
496  uint8_t payload[] = {
497  'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a',
498  'S', 'G', 'V', 's', 'b', 'G', '8', 'g',
499  'V', '2', '9', 'y', 'b', 'G', 'Q', '=',
500  };
501  char decoded[] = "Hello World";
502 
503  memset(&tv, 0, sizeof(tv));
504 
505  if ((de_ctx = DetectEngineCtxInit()) == NULL) {
506  goto end;
507  }
508 
510  "alert tcp any any -> any any (msg:\"base64 test\"; "
511  "base64_decode: offset 8; "
512  "sid:1; rev:1;)");
513  if (de_ctx->sig_list == NULL) {
514  goto end;
515  }
517  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
518 
519  p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
520  if (p == NULL) {
521  goto end;
522  }
523 
524  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
525  if (det_ctx->base64_decoded_len != (int)strlen(decoded)) {
526  goto end;
527  }
528  if (memcmp(det_ctx->base64_decoded, decoded, strlen(decoded))) {
529  goto end;
530  }
531 
532  retval = 1;
533 end:
534  if (det_ctx != NULL) {
535  DetectEngineThreadCtxDeinit(&tv, det_ctx);
536  }
537  if (de_ctx != NULL) {
541  }
542  if (p != NULL) {
543  UTHFreePacket(p);
544  }
545  return retval;
546 }
547 
548 static int DetectBase64DecodeTestDecodeLargeOffset(void)
549 {
550  ThreadVars tv;
551  DetectEngineCtx *de_ctx = NULL;
552  DetectEngineThreadCtx *det_ctx = NULL;
553  Packet *p = NULL;
554  int retval = 0;
555 
556  uint8_t payload[] = {
557  'S', 'G', 'V', 's', 'b', 'G', '8', 'g',
558  'V', '2', '9', 'y', 'b', 'G', 'Q', '=',
559  };
560 
561  memset(&tv, 0, sizeof(tv));
562 
563  if ((de_ctx = DetectEngineCtxInit()) == NULL) {
564  goto end;
565  }
566 
567  /* Offset is out of range. */
569  "alert tcp any any -> any any (msg:\"base64 test\"; "
570  "base64_decode: bytes 16, offset 32; "
571  "sid:1; rev:1;)");
572  if (de_ctx->sig_list == NULL) {
573  goto end;
574  }
576  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
577 
578  p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
579  if (p == NULL) {
580  goto end;
581  }
582 
583  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
584  if (det_ctx->base64_decoded_len != 0) {
585  goto end;
586  }
587 
588  retval = 1;
589 end:
590  if (det_ctx != NULL) {
591  DetectEngineThreadCtxDeinit(&tv, det_ctx);
592  }
593  if (de_ctx != NULL) {
597  }
598  if (p != NULL) {
599  UTHFreePacket(p);
600  }
601  return retval;
602 }
603 
604 static int DetectBase64DecodeTestDecodeRelative(void)
605 {
606  ThreadVars tv;
607  DetectEngineCtx *de_ctx = NULL;
608  DetectEngineThreadCtx *det_ctx = NULL;
609  Packet *p = NULL;
610  int retval = 0;
611 
612  uint8_t payload[] = {
613  'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a',
614  'S', 'G', 'V', 's', 'b', 'G', '8', 'g',
615  'V', '2', '9', 'y', 'b', 'G', 'Q', '=',
616  };
617  char decoded[] = "Hello World";
618 
619  memset(&tv, 0, sizeof(tv));
620 
621  if ((de_ctx = DetectEngineCtxInit()) == NULL) {
622  goto end;
623  }
624 
626  "alert tcp any any -> any any (msg:\"base64 test\"; "
627  "content:\"aaaaaaaa\"; "
628  "base64_decode: relative; "
629  "sid:1; rev:1;)");
630  if (de_ctx->sig_list == NULL) {
631  goto end;
632  }
634  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
635 
636  p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
637  if (p == NULL) {
638  goto end;
639  }
640 
641  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
642  if (det_ctx->base64_decoded_len != (int)strlen(decoded)) {
643  goto end;
644  }
645  if (memcmp(det_ctx->base64_decoded, decoded, strlen(decoded))) {
646  goto end;
647  }
648 
649  retval = 1;
650 end:
651  if (det_ctx != NULL) {
652  DetectEngineThreadCtxDeinit(&tv, det_ctx);
653  }
654  if (de_ctx != NULL) {
658  }
659  if (p != NULL) {
660  UTHFreePacket(p);
661  }
662  return retval;
663 }
664 
665 static void DetectBase64DecodeRegisterTests(void)
666 {
667  g_http_header_buffer_id = DetectBufferTypeGetByName("http_header");
668 
669  UtRegisterTest("DetectBase64TestDecodeParse", DetectBase64TestDecodeParse);
670  UtRegisterTest("DetectBase64DecodeTestSetup", DetectBase64DecodeTestSetup);
671  UtRegisterTest("DetectBase64DecodeHttpHeaderTestSetup",
672  DetectBase64DecodeHttpHeaderTestSetup);
673  UtRegisterTest("DetectBase64DecodeTestDecode",
674  DetectBase64DecodeTestDecode);
675  UtRegisterTest("DetectBase64DecodeTestDecodeWithOffset",
676  DetectBase64DecodeTestDecodeWithOffset);
677  UtRegisterTest("DetectBase64DecodeTestDecodeLargeOffset",
678  DetectBase64DecodeTestDecodeLargeOffset);
679  UtRegisterTest("DetectBase64DecodeTestDecodeRelative",
680  DetectBase64DecodeTestDecodeRelative);
681 }
682 #endif /* UNITTESTS */
util-byte.h
DetectParseRegex::match
pcre2_match_data * match
Definition: detect-parse.h:45
SigTableElmt_::url
const char * url
Definition: detect.h:1204
DetectEngineThreadCtx_::buffer_offset
uint32_t buffer_offset
Definition: detect.h:1031
detect-engine.h
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:90
SigTableElmt_::desc
const char * desc
Definition: detect.h:1203
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options)
Definition: detect-parse.c:2435
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1191
flow-util.h
DetectParseRegex
Definition: detect-parse.h:42
SigTableElmt_::name
const char * name
Definition: detect.h:1201
DETECT_BYTEJUMP
@ DETECT_BYTEJUMP
Definition: detect-engine-register.h:74
stream-tcp.h
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
DetectBase64DecodeDoMatch
int DetectBase64DecodeDoMatch(DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, const uint8_t *payload, uint32_t payload_len)
Definition: detect-base64-decode.c:59
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:60
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
SC_ERR_INVALID_RULE_ARGUMENT
@ SC_ERR_INVALID_RULE_ARGUMENT
Definition: util-error.h:302
SigMatchData_::ctx
SigMatchCtx * ctx
Definition: detect.h:332
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2076
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1195
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:758
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2069
util-base64.h
MIN
#define MIN(x, y)
Definition: suricata-common.h:372
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:337
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1653
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:41
DecodeBase64
uint32_t DecodeBase64(uint8_t *dest, const uint8_t *src, uint32_t len, int strict)
Decodes a base64-encoded string buffer into an ascii-encoded byte buffer.
Definition: util-base64.c:91
SigMatchData_
Data needed for Match()
Definition: detect.h:329
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1186
util-unittest.h
util-unittest-helper.h
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:829
DetectBase64Decode_::offset
uint32_t offset
Definition: detect-base64-decode.h:25
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectBase64Decode_
Definition: detect-base64-decode.h:23
DetectEngineThreadCtx_
Definition: detect.h:1003
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2558
SignatureInitData_::list
int list
Definition: detect.h:494
util-print.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
PrintRawDataFp
void PrintRawDataFp(FILE *fp, const uint8_t *buf, uint32_t buflen)
Definition: util-print.c:141
app-layer-parser.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:323
DetectEngineThreadCtx_::base64_decoded_len
int base64_decoded_len
Definition: detect.h:1135
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1999
BASE64_DECODE_MAX
#define BASE64_DECODE_MAX
Definition: detect-base64-decode.c:27
Packet_
Definition: decode.h:414
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:587
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
DETECT_PCRE
@ DETECT_PCRE
Definition: detect-engine-register.h:62
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1932
SigMatch_::type
uint8_t type
Definition: detect.h:321
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:315
DETECT_SM_LIST_NOTSET
#define DETECT_SM_LIST_NOTSET
Definition: detect.h:115
DetectBase64Decode_::relative
uint8_t relative
Definition: detect-base64-decode.h:26
StringParseUint32
int StringParseUint32(uint32_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:313
DETECT_BYTETEST
@ DETECT_BYTETEST
Definition: detect-engine-register.h:73
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2773
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:2981
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:764
DetectBase64Decode_::bytes
uint32_t bytes
Definition: detect-base64-decode.h:24
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
SIGMATCH_OPTIONAL_OPT
#define SIGMATCH_OPTIONAL_OPT
Definition: detect.h:1382
detect-base64-decode.h
str
#define str(s)
Definition: suricata-common.h:272
SigMatchListSMBelongsTo
int SigMatchListSMBelongsTo(const Signature *s, const SigMatch *key_sm)
Definition: detect-parse.c:625
SCFree
#define SCFree(p)
Definition: util-mem.h:61
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:485
DETECT_BYTE_EXTRACT
@ DETECT_BYTE_EXTRACT
Definition: detect-engine-register.h:171
detect-parse.h
Signature_
Signature container.
Definition: detect.h:517
SigMatch_
a single match condition for a signature
Definition: detect.h:320
payload_len
uint16_t payload_len
Definition: stream-tcp-private.h:1
DETECT_ISDATAAT
@ DETECT_ISDATAAT
Definition: detect-engine-register.h:80
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2024
DetectEngineThreadCtx_::base64_decoded
uint8_t * base64_decoded
Definition: detect.h:1134
DETECT_BASE64_DECODE
@ DETECT_BASE64_DECODE
Definition: detect-engine-register.h:238
DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition: detect-parse.c:468
DetectBase64DecodeRegister
void DetectBase64DecodeRegister(void)
Definition: detect-base64-decode.c:41
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
DetectEngineCtx_::base64_decode_max_len
uint32_t base64_decode_max_len
Definition: detect.h:860
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1193