suricata
detect-base64-decode.c
Go to the documentation of this file.
1 /* Copyright (C) 2020-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 #include "suricata-common.h"
19 #include "detect.h"
20 #include "detect-parse.h"
21 #include "detect-base64-decode.h"
22 #include "util-base64.h"
23 #include "util-byte.h"
24 #include "util-print.h"
25 #include "detect-engine-build.h"
26 
27 /* Arbitrary maximum buffer size for decoded base64 data. */
28 #define BASE64_DECODE_MAX 65535
29 
30 typedef struct DetectBase64Decode_ {
31  uint32_t bytes;
32  uint32_t offset;
33  uint8_t relative;
34 } DetectBase64Decode;
35 
36 static const char decode_pattern[] = "\\s*(bytes\\s+(\\d+),?)?"
37  "\\s*(offset\\s+(\\d+),?)?"
38  "\\s*(\\w+)?";
39 
40 static DetectParseRegex decode_pcre;
41 
42 static int DetectBase64DecodeSetup(DetectEngineCtx *, Signature *, const char *);
43 static void DetectBase64DecodeFree(DetectEngineCtx *, void *);
44 #ifdef UNITTESTS
45 static void DetectBase64DecodeRegisterTests(void);
46 #endif
47 
48 void DetectBase64DecodeRegister(void)
49 {
50  sigmatch_table[DETECT_BASE64_DECODE].name = "base64_decode";
51  sigmatch_table[DETECT_BASE64_DECODE].desc =
52  "Decodes base64 encoded data.";
53  sigmatch_table[DETECT_BASE64_DECODE].url =
54  "/rules/base64-keywords.html#base64-decode";
55  sigmatch_table[DETECT_BASE64_DECODE].Setup = DetectBase64DecodeSetup;
56  sigmatch_table[DETECT_BASE64_DECODE].Free = DetectBase64DecodeFree;
57 #ifdef UNITTESTS
58  sigmatch_table[DETECT_BASE64_DECODE].RegisterTests =
59  DetectBase64DecodeRegisterTests;
60 #endif
61  sigmatch_table[DETECT_BASE64_DECODE].flags |= SIGMATCH_OPTIONAL_OPT;
62 
63  DetectSetupParseRegexes(decode_pattern, &decode_pcre);
64 }
65 
66 int DetectBase64DecodeDoMatch(DetectEngineThreadCtx *det_ctx, const Signature *s,
67  const SigMatchData *smd, const uint8_t *payload, uint32_t payload_len)
68 {
69  DetectBase64Decode *data = (DetectBase64Decode *)smd->ctx;
70  int decode_len;
71 
72 #if 0
73  printf("Input data:\n");
74  PrintRawDataFp(stdout, payload, payload_len);
75 #endif
76 
77  if (data->relative) {
78  payload += det_ctx->buffer_offset;
79  payload_len -= det_ctx->buffer_offset;
80  }
81 
82  if (data->offset) {
83  if (data->offset >= payload_len) {
84  return 0;
85  }
86  payload = payload + data->offset;
87  payload_len -= data->offset;
88  }
89 
90  decode_len = MIN(payload_len, data->bytes);
91 
92 #if 0
93  printf("Decoding:\n");
94  PrintRawDataFp(stdout, payload, decode_len);
95 #endif
96 
97  uint32_t consumed = 0, num_decoded = 0;
98  (void)DecodeBase64(det_ctx->base64_decoded, det_ctx->base64_decoded_len_max, payload,
99  decode_len, &consumed, &num_decoded, BASE64_MODE_RFC4648);
100  det_ctx->base64_decoded_len = num_decoded;
101  SCLogDebug("Decoded %d bytes from base64 data.",
102  det_ctx->base64_decoded_len);
103 #if 0
104  if (det_ctx->base64_decoded_len) {
105  printf("Decoded data:\n");
106  PrintRawDataFp(stdout, det_ctx->base64_decoded,
107  det_ctx->base64_decoded_len);
108  }
109 #endif
110 
111  return det_ctx->base64_decoded_len > 0;
112 }
113 
114 static int DetectBase64DecodeParse(const char *str, uint32_t *bytes,
115  uint32_t *offset, uint8_t *relative)
116 {
117  int pcre_rc;
118  const char *bytes_str = NULL;
119  const char *offset_str = NULL;
120  const char *relative_str = NULL;
121  int retval = 0;
122 
123  *bytes = 0;
124  *offset = 0;
125  *relative = 0;
126  size_t pcre2_len;
127 
128  pcre_rc = DetectParsePcreExec(&decode_pcre, str, 0, 0);
129  if (pcre_rc < 3) {
130  goto error;
131  }
132 
133  if (pcre_rc >= 3) {
134  if (pcre2_substring_get_bynumber(
135  decode_pcre.match, 2, (PCRE2_UCHAR8 **)&bytes_str, &pcre2_len) == 0) {
136  if (StringParseUint32(bytes, 10, 0, bytes_str) <= 0) {
137  SCLogError("Bad value for bytes: \"%s\"", bytes_str);
138  goto error;
139  }
140  }
141  }
142 
143  if (pcre_rc >= 5) {
144  if (pcre2_substring_get_bynumber(
145  decode_pcre.match, 4, (PCRE2_UCHAR8 **)&offset_str, &pcre2_len) == 0) {
146  if (StringParseUint32(offset, 10, 0, offset_str) <= 0) {
147  SCLogError("Bad value for offset: \"%s\"", offset_str);
148  goto error;
149  }
150  }
151  }
152 
153  if (pcre_rc >= 6) {
154  if (pcre2_substring_get_bynumber(
155  decode_pcre.match, 5, (PCRE2_UCHAR8 **)&relative_str, &pcre2_len) == 0) {
156  if (strcmp(relative_str, "relative") == 0) {
157  *relative = 1;
158  }
159  else {
160  SCLogError("Invalid argument: \"%s\"", relative_str);
161  goto error;
162  }
163  }
164  }
165 
166  retval = 1;
167 error:
168  if (bytes_str != NULL) {
169  pcre2_substring_free((PCRE2_UCHAR8 *)bytes_str);
170  }
171  if (offset_str != NULL) {
172  pcre2_substring_free((PCRE2_UCHAR8 *)offset_str);
173  }
174  if (relative_str != NULL) {
175  pcre2_substring_free((PCRE2_UCHAR8 *)relative_str);
176  }
177  return retval;
178 }
179 
180 static int DetectBase64DecodeSetup(DetectEngineCtx *de_ctx, Signature *s,
181  const char *str)
182 {
183  uint32_t bytes = 0;
184  uint32_t offset = 0;
185  uint8_t relative = 0;
186  DetectBase64Decode *data = NULL;
187  int sm_list;
188  SigMatch *sm = NULL;
189  SigMatch *pm = NULL;
190 
191  if (str != NULL) {
192  if (!DetectBase64DecodeParse(str, &bytes, &offset, &relative)) {
193  goto error;
194  }
195  }
196  data = SCCalloc(1, sizeof(DetectBase64Decode));
197  if (unlikely(data == NULL)) {
198  goto error;
199  }
200  data->bytes = bytes;
201  data->offset = offset;
202  data->relative = relative;
203 
204  if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
205  sm_list = s->init_data->list;
206 #if 0
207  if (data->relative) {
208  pm = SigMatchGetLastSMFromLists(s, 4,
209  DETECT_CONTENT, s->sm_lists_tail[sm_list],
210  DETECT_PCRE, s->sm_lists_tail[sm_list]);
211  }
212 #endif
213  }
214  else {
215  pm = DetectGetLastSMFromLists(s,
216  DETECT_CONTENT, DETECT_PCRE,
217  DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
218  DETECT_ISDATAAT, -1);
219  if (pm == NULL) {
220  sm_list = DETECT_SM_LIST_PMATCH;
221  }
222  else {
223  sm_list = SigMatchListSMBelongsTo(s, pm);
224  if (sm_list < 0) {
225  goto error;
226  }
227  }
228  }
229 
230  sm = SigMatchAlloc();
231  if (sm == NULL) {
232  goto error;
233  }
234  sm->type = DETECT_BASE64_DECODE;
235  sm->ctx = (SigMatchCtx *)data;
236  SigMatchAppendSMToList(s, sm, sm_list);
237 
238  if (!data->bytes) {
239  data->bytes = BASE64_DECODE_MAX;
240  }
241  if (data->bytes > de_ctx->base64_decode_max_len) {
242 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
243  data->bytes = BASE64_DECODE_MAX;
244 #endif
245  de_ctx->base64_decode_max_len = data->bytes;
246  }
247 
248  return 0;
249 error:
250  if (data != NULL) {
251  SCFree(data);
252  }
253  return -1;
254 }
255 
256 static void DetectBase64DecodeFree(DetectEngineCtx *de_ctx, void *ptr)
257 {
258  DetectBase64Decode *data = ptr;
259  SCFree(data);
260 }
261 
262 
263 #ifdef UNITTESTS
264 #include "detect-engine.h"
265 #include "util-unittest.h"
266 #include "util-unittest-helper.h"
267 #include "app-layer-parser.h"
268 #include "flow-util.h"
269 #include "stream-tcp.h"
270 
271 static int g_http_header_buffer_id = 0;
272 
273 static int DetectBase64TestDecodeParse(void)
274 {
275  int retval = 0;
276  uint32_t bytes = 0;
277  uint32_t offset = 0;
278  uint8_t relative = 0;
279 
280  if (!DetectBase64DecodeParse("bytes 1", &bytes, &offset, &relative)) {
281  goto end;
282  }
283  if (bytes != 1 || offset != 0 || relative != 0) {
284  goto end;
285  }
286 
287  if (!DetectBase64DecodeParse("offset 9", &bytes, &offset, &relative)) {
288  goto end;
289  }
290  if (bytes != 0 || offset != 9 || relative != 0) {
291  goto end;
292  }
293 
294  if (!DetectBase64DecodeParse("relative", &bytes, &offset, &relative)) {
295  goto end;
296  }
297  if (bytes != 0 || offset != 0 || relative != 1) {
298  goto end;
299  }
300 
301  if (!DetectBase64DecodeParse("bytes 1, offset 2", &bytes, &offset,
302  &relative)) {
303  goto end;
304  }
305  if (bytes != 1 || offset != 2 || relative != 0) {
306  goto end;
307  }
308 
309  if (!DetectBase64DecodeParse("bytes 1, offset 2, relative", &bytes, &offset,
310  &relative)) {
311  goto end;
312  }
313  if (bytes != 1 || offset != 2 || relative != 1) {
314  goto end;
315  }
316 
317  if (!DetectBase64DecodeParse("offset 2, relative", &bytes, &offset,
318  &relative)) {
319  goto end;
320  }
321  if (bytes != 0 || offset != 2 || relative != 1) {
322  goto end;
323  }
324 
325  /* Misspelled relative. */
326  if (DetectBase64DecodeParse("bytes 1, offset 2, relatve", &bytes, &offset,
327  &relative)) {
328  goto end;
329  }
330 
331  /* Misspelled bytes. */
332  if (DetectBase64DecodeParse("byts 1, offset 2, relatve", &bytes, &offset,
333  &relative)) {
334  goto end;
335  }
336 
337  /* Misspelled offset. */
338  if (DetectBase64DecodeParse("bytes 1, offst 2, relatve", &bytes, &offset,
339  &relative)) {
340  goto end;
341  }
342 
343  /* Misspelled empty string. */
344  if (DetectBase64DecodeParse("", &bytes, &offset, &relative)) {
345  goto end;
346  }
347 
348  retval = 1;
349 end:
350  return retval;
351 }
352 
353 /**
354  * Test keyword setup on basic content.
355  */
356 static int DetectBase64DecodeTestSetup(void)
357 {
358  DetectEngineCtx *de_ctx = NULL;
359  Signature *s;
360  int retval = 0;
361 
362  de_ctx = DetectEngineCtxInit();
363  if (de_ctx == NULL) {
364  goto end;
365  }
366 
367  de_ctx->sig_list = SigInit(de_ctx,
368  "alert tcp any any -> any any ("
369  "msg:\"DetectBase64DecodeTestSetup\"; "
370  "base64_decode; content:\"content\"; "
371  "sid:1; rev:1;)");
372  if (de_ctx->sig_list == NULL) {
373  goto end;
374  }
375  s = de_ctx->sig_list;
376  if (s == NULL) {
377  goto end;
378  }
379  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
380  goto end;
381  }
382 
383  retval = 1;
384 end:
385  if (de_ctx != NULL) {
386  SigGroupCleanup(de_ctx);
387  SigCleanSignatures(de_ctx);
388  DetectEngineCtxFree(de_ctx);
389  }
390  return retval;
391 }
392 
393 /**
394  * Test keyword setup when the prior rule has a content modifier on
395  * it.
396  */
397 static int DetectBase64DecodeHttpHeaderTestSetup(void)
398 {
399  DetectEngineCtx *de_ctx = NULL;
400  Signature *s;
401  int retval = 0;
402 
403  de_ctx = DetectEngineCtxInit();
404  if (de_ctx == NULL) {
405  goto end;
406  }
407 
408  de_ctx->sig_list = SigInit(de_ctx,
409  "alert tcp any any -> any any ("
410  "msg:\"DetectBase64DecodeTestSetup\"; "
411  "content:\"Authorization: basic \"; http_header; "
412  "base64_decode; content:\"content\"; "
413  "sid:1; rev:1;)");
414  if (de_ctx->sig_list == NULL) {
415  goto end;
416  }
417  s = de_ctx->sig_list;
418  if (s == NULL) {
419  goto end;
420  }
421 
422  /* I'm not complete sure if this list should not be NULL. */
423  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
424  goto end;
425  }
426 
427  /* Test that the http header list is not NULL. */
428  if (s->sm_lists_tail[g_http_header_buffer_id] == NULL) {
429  goto end;
430  }
431 
432  retval = 1;
433 end:
434  if (de_ctx != NULL) {
435  SigGroupCleanup(de_ctx);
436  SigCleanSignatures(de_ctx);
437  DetectEngineCtxFree(de_ctx);
438  }
439  return retval;
440 }
441 
442 static int DetectBase64DecodeTestDecode(void)
443 {
444  ThreadVars tv;
445  DetectEngineCtx *de_ctx = NULL;
446  DetectEngineThreadCtx *det_ctx = NULL;
447  Packet *p = NULL;
448  int retval = 0;
449 
450  uint8_t payload[] = {
451  'S', 'G', 'V', 's', 'b', 'G', '8', 'g',
452  'V', '2', '9', 'y', 'b', 'G', 'Q', '=',
453  };
454 
455  memset(&tv, 0, sizeof(tv));
456 
457  if ((de_ctx = DetectEngineCtxInit()) == NULL) {
458  goto end;
459  }
460 
461  de_ctx->sig_list = SigInit(de_ctx,
462  "alert tcp any any -> any any (msg:\"base64 test\"; "
463  "base64_decode; "
464  "sid:1; rev:1;)");
465  if (de_ctx->sig_list == NULL) {
466  goto end;
467  }
468  SigGroupBuild(de_ctx);
469  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
470 
471  p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
472  if (p == NULL) {
473  goto end;
474  }
475 
476  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
477  if (det_ctx->base64_decoded_len == 0) {
478  goto end;
479  }
480 
481  retval = 1;
482 end:
483  if (det_ctx != NULL) {
484  DetectEngineThreadCtxDeinit(&tv, det_ctx);
485  }
486  if (de_ctx != NULL) {
487  SigCleanSignatures(de_ctx);
488  SigGroupCleanup(de_ctx);
489  DetectEngineCtxFree(de_ctx);
490  }
491  if (p != NULL) {
492  UTHFreePacket(p);
493  }
494  return retval;
495 }
496 
497 static int DetectBase64DecodeTestDecodeWithOffset(void)
498 {
499  ThreadVars tv;
500  DetectEngineCtx *de_ctx = NULL;
501  DetectEngineThreadCtx *det_ctx = NULL;
502  Packet *p = NULL;
503  int retval = 0;
504 
505  uint8_t payload[] = {
506  'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a',
507  'S', 'G', 'V', 's', 'b', 'G', '8', 'g',
508  'V', '2', '9', 'y', 'b', 'G', 'Q', '=',
509  };
510  char decoded[] = "Hello World";
511 
512  memset(&tv, 0, sizeof(tv));
513 
514  if ((de_ctx = DetectEngineCtxInit()) == NULL) {
515  goto end;
516  }
517 
518  de_ctx->sig_list = SigInit(de_ctx,
519  "alert tcp any any -> any any (msg:\"base64 test\"; "
520  "base64_decode: offset 8; "
521  "sid:1; rev:1;)");
522  if (de_ctx->sig_list == NULL) {
523  goto end;
524  }
525  SigGroupBuild(de_ctx);
526  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
527 
528  p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
529  if (p == NULL) {
530  goto end;
531  }
532 
533  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
534  if (det_ctx->base64_decoded_len != (int)strlen(decoded)) {
535  goto end;
536  }
537  if (memcmp(det_ctx->base64_decoded, decoded, strlen(decoded))) {
538  goto end;
539  }
540 
541  retval = 1;
542 end:
543  if (det_ctx != NULL) {
544  DetectEngineThreadCtxDeinit(&tv, det_ctx);
545  }
546  if (de_ctx != NULL) {
547  SigCleanSignatures(de_ctx);
548  SigGroupCleanup(de_ctx);
549  DetectEngineCtxFree(de_ctx);
550  }
551  if (p != NULL) {
552  UTHFreePacket(p);
553  }
554  return retval;
555 }
556 
557 static int DetectBase64DecodeTestDecodeLargeOffset(void)
558 {
559  ThreadVars tv;
560  DetectEngineCtx *de_ctx = NULL;
561  DetectEngineThreadCtx *det_ctx = NULL;
562  Packet *p = NULL;
563  int retval = 0;
564 
565  uint8_t payload[] = {
566  'S', 'G', 'V', 's', 'b', 'G', '8', 'g',
567  'V', '2', '9', 'y', 'b', 'G', 'Q', '=',
568  };
569 
570  memset(&tv, 0, sizeof(tv));
571 
572  if ((de_ctx = DetectEngineCtxInit()) == NULL) {
573  goto end;
574  }
575 
576  /* Offset is out of range. */
577  de_ctx->sig_list = SigInit(de_ctx,
578  "alert tcp any any -> any any (msg:\"base64 test\"; "
579  "base64_decode: bytes 16, offset 32; "
580  "sid:1; rev:1;)");
581  if (de_ctx->sig_list == NULL) {
582  goto end;
583  }
584  SigGroupBuild(de_ctx);
585  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
586 
587  p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
588  if (p == NULL) {
589  goto end;
590  }
591 
592  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
593  if (det_ctx->base64_decoded_len != 0) {
594  goto end;
595  }
596 
597  retval = 1;
598 end:
599  if (det_ctx != NULL) {
600  DetectEngineThreadCtxDeinit(&tv, det_ctx);
601  }
602  if (de_ctx != NULL) {
603  SigCleanSignatures(de_ctx);
604  SigGroupCleanup(de_ctx);
605  DetectEngineCtxFree(de_ctx);
606  }
607  if (p != NULL) {
608  UTHFreePacket(p);
609  }
610  return retval;
611 }
612 
613 static int DetectBase64DecodeTestDecodeRelative(void)
614 {
615  ThreadVars tv;
616  DetectEngineCtx *de_ctx = NULL;
617  DetectEngineThreadCtx *det_ctx = NULL;
618  Packet *p = NULL;
619  int retval = 0;
620 
621  uint8_t payload[] = {
622  'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a',
623  'S', 'G', 'V', 's', 'b', 'G', '8', 'g',
624  'V', '2', '9', 'y', 'b', 'G', 'Q', '=',
625  };
626  char decoded[] = "Hello World";
627 
628  memset(&tv, 0, sizeof(tv));
629 
630  if ((de_ctx = DetectEngineCtxInit()) == NULL) {
631  goto end;
632  }
633 
634  de_ctx->sig_list = SigInit(de_ctx,
635  "alert tcp any any -> any any (msg:\"base64 test\"; "
636  "content:\"aaaaaaaa\"; "
637  "base64_decode: relative; "
638  "sid:1; rev:1;)");
639  if (de_ctx->sig_list == NULL) {
640  goto end;
641  }
642  SigGroupBuild(de_ctx);
643  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
644 
645  p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
646  if (p == NULL) {
647  goto end;
648  }
649 
650  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
651  if (det_ctx->base64_decoded_len != (int)strlen(decoded)) {
652  goto end;
653  }
654  if (memcmp(det_ctx->base64_decoded, decoded, strlen(decoded))) {
655  goto end;
656  }
657 
658  retval = 1;
659 end:
660  if (det_ctx != NULL) {
661  DetectEngineThreadCtxDeinit(&tv, det_ctx);
662  }
663  if (de_ctx != NULL) {
664  SigCleanSignatures(de_ctx);
665  SigGroupCleanup(de_ctx);
666  DetectEngineCtxFree(de_ctx);
667  }
668  if (p != NULL) {
669  UTHFreePacket(p);
670  }
671  return retval;
672 }
673 
674 static void DetectBase64DecodeRegisterTests(void)
675 {
676  g_http_header_buffer_id = DetectBufferTypeGetByName("http_header");
677 
678  UtRegisterTest("DetectBase64TestDecodeParse", DetectBase64TestDecodeParse);
679  UtRegisterTest("DetectBase64DecodeTestSetup", DetectBase64DecodeTestSetup);
680  UtRegisterTest("DetectBase64DecodeHttpHeaderTestSetup",
681  DetectBase64DecodeHttpHeaderTestSetup);
682  UtRegisterTest("DetectBase64DecodeTestDecode",
683  DetectBase64DecodeTestDecode);
684  UtRegisterTest("DetectBase64DecodeTestDecodeWithOffset",
685  DetectBase64DecodeTestDecodeWithOffset);
686  UtRegisterTest("DetectBase64DecodeTestDecodeLargeOffset",
687  DetectBase64DecodeTestDecodeLargeOffset);
688  UtRegisterTest("DetectBase64DecodeTestDecodeRelative",
689  DetectBase64DecodeTestDecodeRelative);
690 }
691 #endif /* UNITTESTS */
util-byte.h
DetectParseRegex::match
pcre2_match_data * match
Definition: detect-parse.h:47
SigTableElmt_::url
const char * url
Definition: detect.h:1243
DetectEngineThreadCtx_::buffer_offset
uint32_t buffer_offset
Definition: detect.h:1055
detect-engine.h
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:81
SigTableElmt_::desc
const char * desc
Definition: detect.h:1242
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options)
Definition: detect-parse.c:2477
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1230
flow-util.h
DetectParseRegex
Definition: detect-parse.h:44
SigTableElmt_::name
const char * name
Definition: detect.h:1240
DETECT_BYTEJUMP
@ DETECT_BYTEJUMP
Definition: detect-engine-register.h:76
stream-tcp.h
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
DetectBase64DecodeDoMatch
int DetectBase64DecodeDoMatch(DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, const uint8_t *payload, uint32_t payload_len)
Definition: detect-base64-decode.c:66
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:62
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
SigMatchData_::ctx
SigMatchCtx * ctx
Definition: detect.h:327
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1234
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:787
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2455
util-base64.h
MIN
#define MIN(x, y)
Definition: suricata-common.h:380
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:337
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1809
DetectBase64Decode
struct DetectBase64Decode_ DetectBase64Decode
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:46
SigMatchData_
Data needed for Match()
Definition: detect.h:324
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1225
util-unittest.h
util-unittest-helper.h
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1079
DetectBase64Decode_::offset
uint32_t offset
Definition: detect-base64-decode.c:32
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectBase64Decode_
Definition: detect-base64-decode.c:30
DetectEngineThreadCtx_
Definition: detect.h:1027
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2598
SignatureInitData_::list
int list
Definition: detect.h:519
util-print.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
StringParseUint32
int StringParseUint32(uint32_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:313
BASE64_MODE_RFC4648
@ BASE64_MODE_RFC4648
Definition: util-base64.h:68
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2118
PrintRawDataFp
void PrintRawDataFp(FILE *fp, const uint8_t *buf, uint32_t buflen)
Definition: util-print.c:143
app-layer-parser.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:318
DetectEngineThreadCtx_::base64_decoded_len
int base64_decoded_len
Definition: detect.h:1170
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2019
BASE64_DECODE_MAX
#define BASE64_DECODE_MAX
Definition: detect-base64-decode.c:28
Packet_
Definition: decode.h:428
detect-engine-build.h
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:613
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:241
DETECT_PCRE
@ DETECT_PCRE
Definition: detect-engine-register.h:64
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1951
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:310
DETECT_SM_LIST_NOTSET
#define DETECT_SM_LIST_NOTSET
Definition: detect.h:106
DetectBase64Decode_::relative
uint8_t relative
Definition: detect-base64-decode.c:33
DETECT_BYTETEST
@ DETECT_BYTETEST
Definition: detect-engine-register.h:75
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3166
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3380
SigMatch_::type
uint16_t type
Definition: detect.h:316
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:76
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:793
DetectBase64Decode_::bytes
uint32_t bytes
Definition: detect-base64-decode.c:31
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
SIGMATCH_OPTIONAL_OPT
#define SIGMATCH_OPTIONAL_OPT
Definition: detect.h:1434
detect-base64-decode.h
str
#define str(s)
Definition: suricata-common.h:280
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SigMatchListSMBelongsTo
int SigMatchListSMBelongsTo(const Signature *s, const SigMatch *key_sm)
Definition: detect-parse.c:633
SCFree
#define SCFree(p)
Definition: util-mem.h:61
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:485
DETECT_BYTE_EXTRACT
@ DETECT_BYTE_EXTRACT
Definition: detect-engine-register.h:178
DetectEngineThreadCtx_::base64_decoded_len_max
int base64_decoded_len_max
Definition: detect.h:1171
detect-parse.h
Signature_
Signature container.
Definition: detect.h:542
SigMatch_
a single match condition for a signature
Definition: detect.h:315
payload_len
uint16_t payload_len
Definition: stream-tcp-private.h:1
DETECT_ISDATAAT
@ DETECT_ISDATAAT
Definition: detect-engine-register.h:82
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2416
DetectEngineThreadCtx_::base64_decoded
uint8_t * base64_decoded
Definition: detect.h:1169
DETECT_BASE64_DECODE
@ DETECT_BASE64_DECODE
Definition: detect-engine-register.h:250
DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition: detect-parse.c:476
DetectBase64DecodeRegister
void DetectBase64DecodeRegister(void)
Definition: detect-base64-decode.c:48
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
DetectEngineCtx_::base64_decode_max_len
uint32_t base64_decode_max_len
Definition: detect.h:889
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:356
DecodeBase64
Base64Ecode DecodeBase64(uint8_t *dest, uint32_t dest_size, const uint8_t *src, uint32_t len, uint32_t *consumed_bytes, uint32_t *decoded_bytes, Base64Mode mode)
Decodes a base64-encoded string buffer into an ascii-encoded byte buffer.
Definition: util-base64.c:94
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1232