suricata
detect-base64-decode.c
Go to the documentation of this file.
1 /* Copyright (C) 2020-2024 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 #include "suricata-common.h"
19 #include "detect.h"
20 #include "detect-parse.h"
21 #include "detect-base64-decode.h"
22 #include "util-byte.h"
23 #include "util-print.h"
24 #include "detect-engine-build.h"
25 #include "rust.h"
26 
27 /* Arbitrary maximum buffer size for decoded base64 data. */
28 #define BASE64_DECODE_MAX 65535
29 
30 typedef struct DetectBase64Decode_ {
31  uint16_t bytes;
32  uint32_t offset;
33  uint8_t relative;
34 } DetectBase64Decode;
35 
36 static const char decode_pattern[] = "\\s*(bytes\\s+(\\d+),?)?"
37  "\\s*(offset\\s+(\\d+),?)?"
38  "\\s*(\\w+)?";
39 
40 static DetectParseRegex decode_pcre;
41 
42 static int DetectBase64DecodeSetup(DetectEngineCtx *, Signature *, const char *);
43 static void DetectBase64DecodeFree(DetectEngineCtx *, void *);
44 #ifdef UNITTESTS
45 static void DetectBase64DecodeRegisterTests(void);
46 #endif
47 
48 void DetectBase64DecodeRegister(void)
49 {
50  sigmatch_table[DETECT_BASE64_DECODE].name = "base64_decode";
51  sigmatch_table[DETECT_BASE64_DECODE].desc =
52  "Decodes base64 encoded data.";
53  sigmatch_table[DETECT_BASE64_DECODE].url =
54  "/rules/base64-keywords.html#base64-decode";
55  sigmatch_table[DETECT_BASE64_DECODE].Setup = DetectBase64DecodeSetup;
56  sigmatch_table[DETECT_BASE64_DECODE].Free = DetectBase64DecodeFree;
57 #ifdef UNITTESTS
58  sigmatch_table[DETECT_BASE64_DECODE].RegisterTests =
59  DetectBase64DecodeRegisterTests;
60 #endif
61  sigmatch_table[DETECT_BASE64_DECODE].flags |= SIGMATCH_OPTIONAL_OPT;
62 
63  DetectSetupParseRegexes(decode_pattern, &decode_pcre);
64 }
65 
66 int DetectBase64DecodeDoMatch(DetectEngineThreadCtx *det_ctx, const Signature *s,
67  const SigMatchData *smd, const uint8_t *payload, uint32_t payload_len)
68 {
69  DetectBase64Decode *data = (DetectBase64Decode *)smd->ctx;
70 
71 #if 0
72  printf("Input data:\n");
73  PrintRawDataFp(stdout, payload, payload_len);
74 #endif
75 
76  if (data->relative) {
77  payload += det_ctx->buffer_offset;
78  DEBUG_VALIDATE_BUG_ON(det_ctx->buffer_offset > payload_len);
79  payload_len -= det_ctx->buffer_offset;
80  }
81 
82  if (data->offset) {
83  if (data->offset >= payload_len) {
84  return 0;
85  }
86  payload = payload + data->offset;
87  payload_len -= data->offset;
88  }
89 
90  uint32_t decode_len = MIN(payload_len, data->bytes);
91 #if 0
92  printf("Decoding:\n");
93  PrintRawDataFp(stdout, payload, decode_len);
94 #endif
95 
96  if (decode_len > 0) {
97  uint32_t num_decoded =
98  SCBase64Decode(payload, decode_len, SCBase64ModeRFC4648, det_ctx->base64_decoded);
99  det_ctx->base64_decoded_len = num_decoded;
100  SCLogDebug("Decoded %d bytes from base64 data.", det_ctx->base64_decoded_len);
101  }
102 #if 0
103  if (det_ctx->base64_decoded_len) {
104  printf("Decoded data:\n");
105  PrintRawDataFp(stdout, det_ctx->base64_decoded,
106  det_ctx->base64_decoded_len);
107  }
108 #endif
109 
110  return det_ctx->base64_decoded_len > 0;
111 }
112 
113 static int DetectBase64DecodeParse(
114  const char *str, uint16_t *bytes, uint32_t *offset, uint8_t *relative)
115 {
116  const char *bytes_str = NULL;
117  const char *offset_str = NULL;
118  const char *relative_str = NULL;
119  int retval = 0;
120 
121  *bytes = 0;
122  *offset = 0;
123  *relative = 0;
124  size_t pcre2_len;
125  pcre2_match_data *match = NULL;
126 
127  int pcre_rc = DetectParsePcreExec(&decode_pcre, &match, str, 0, 0);
128  if (pcre_rc < 3) {
129  goto error;
130  }
131 
132  if (pcre_rc >= 3) {
133  if (pcre2_substring_get_bynumber(match, 2, (PCRE2_UCHAR8 **)&bytes_str, &pcre2_len) == 0) {
134  if (StringParseUint16(bytes, 10, 0, bytes_str) <= 0) {
135  SCLogError("Bad value for bytes: \"%s\"", bytes_str);
136  goto error;
137  }
138  }
139  }
140 
141  if (pcre_rc >= 5) {
142  if (pcre2_substring_get_bynumber(match, 4, (PCRE2_UCHAR8 **)&offset_str, &pcre2_len) == 0) {
143  if (StringParseUint32(offset, 10, 0, offset_str) <= 0) {
144  SCLogError("Bad value for offset: \"%s\"", offset_str);
145  goto error;
146  }
147  }
148  }
149 
150  if (pcre_rc >= 6) {
151  if (pcre2_substring_get_bynumber(match, 5, (PCRE2_UCHAR8 **)&relative_str, &pcre2_len) ==
152  0) {
153  if (strcmp(relative_str, "relative") == 0) {
154  *relative = 1;
155  }
156  else {
157  SCLogError("Invalid argument: \"%s\"", relative_str);
158  goto error;
159  }
160  }
161  }
162 
163  retval = 1;
164 
165  pcre2_match_data_free(match);
166  match = NULL;
167 
168 error:
169 
170  if (bytes_str != NULL) {
171  pcre2_substring_free((PCRE2_UCHAR8 *)bytes_str);
172  }
173  if (offset_str != NULL) {
174  pcre2_substring_free((PCRE2_UCHAR8 *)offset_str);
175  }
176  if (relative_str != NULL) {
177  pcre2_substring_free((PCRE2_UCHAR8 *)relative_str);
178  }
179  if (match) {
180  pcre2_match_data_free(match);
181  }
182  return retval;
183 }
184 
185 static int DetectBase64DecodeSetup(DetectEngineCtx *de_ctx, Signature *s,
186  const char *str)
187 {
188  uint16_t bytes = 0;
189  uint32_t offset = 0;
190  uint8_t relative = 0;
191  DetectBase64Decode *data = NULL;
192  int sm_list;
193  SigMatch *pm = NULL;
194 
195  if (str != NULL) {
196  if (!DetectBase64DecodeParse(str, &bytes, &offset, &relative)) {
197  goto error;
198  }
199  }
200  data = SCCalloc(1, sizeof(DetectBase64Decode));
201  if (unlikely(data == NULL)) {
202  goto error;
203  }
204  data->bytes = bytes;
205  data->offset = offset;
206  data->relative = relative;
207 
208  if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
209  sm_list = s->init_data->list;
210  }
211  else {
212  pm = SCDetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, DETECT_BYTETEST,
213  DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT, DETECT_ISDATAAT, -1);
214  if (pm == NULL) {
215  sm_list = DETECT_SM_LIST_PMATCH;
216  }
217  else {
218  sm_list = SigMatchListSMBelongsTo(s, pm);
219  if (sm_list < 0) {
220  goto error;
221  }
222  }
223  }
224 
225  if (SCSigMatchAppendSMToList(de_ctx, s, DETECT_BASE64_DECODE, (SigMatchCtx *)data, sm_list) ==
226  NULL) {
227  goto error;
228  }
229 
230  if (!data->bytes) {
231  data->bytes = BASE64_DECODE_MAX;
232  }
233  if (data->bytes > de_ctx->base64_decode_max_len) {
234  de_ctx->base64_decode_max_len = data->bytes;
235  }
236 
237  return 0;
238 error:
239  if (data != NULL) {
240  SCFree(data);
241  }
242  return -1;
243 }
244 
245 static void DetectBase64DecodeFree(DetectEngineCtx *de_ctx, void *ptr)
246 {
247  DetectBase64Decode *data = ptr;
248  SCFree(data);
249 }
250 
251 
252 #ifdef UNITTESTS
253 #include "detect-engine.h"
254 #include "util-unittest.h"
255 #include "util-unittest-helper.h"
256 #include "app-layer-parser.h"
257 #include "flow-util.h"
258 #include "stream-tcp.h"
259 
260 static int g_http_header_buffer_id = 0;
261 
262 static int DetectBase64TestDecodeParse(void)
263 {
264  int retval = 0;
265  uint16_t bytes = 0;
266  uint32_t offset = 0;
267  uint8_t relative = 0;
268 
269  if (!DetectBase64DecodeParse("bytes 1", &bytes, &offset, &relative)) {
270  goto end;
271  }
272  if (bytes != 1 || offset != 0 || relative != 0) {
273  goto end;
274  }
275 
276  if (!DetectBase64DecodeParse("offset 9", &bytes, &offset, &relative)) {
277  goto end;
278  }
279  if (bytes != 0 || offset != 9 || relative != 0) {
280  goto end;
281  }
282 
283  if (!DetectBase64DecodeParse("relative", &bytes, &offset, &relative)) {
284  goto end;
285  }
286  if (bytes != 0 || offset != 0 || relative != 1) {
287  goto end;
288  }
289 
290  if (!DetectBase64DecodeParse("bytes 1, offset 2", &bytes, &offset,
291  &relative)) {
292  goto end;
293  }
294  if (bytes != 1 || offset != 2 || relative != 0) {
295  goto end;
296  }
297 
298  if (!DetectBase64DecodeParse("bytes 1, offset 2, relative", &bytes, &offset,
299  &relative)) {
300  goto end;
301  }
302  if (bytes != 1 || offset != 2 || relative != 1) {
303  goto end;
304  }
305 
306  if (!DetectBase64DecodeParse("offset 2, relative", &bytes, &offset,
307  &relative)) {
308  goto end;
309  }
310  if (bytes != 0 || offset != 2 || relative != 1) {
311  goto end;
312  }
313 
314  /* Misspelled relative. */
315  if (DetectBase64DecodeParse("bytes 1, offset 2, relatve", &bytes, &offset,
316  &relative)) {
317  goto end;
318  }
319 
320  /* Misspelled bytes. */
321  if (DetectBase64DecodeParse("byts 1, offset 2, relatve", &bytes, &offset,
322  &relative)) {
323  goto end;
324  }
325 
326  /* Misspelled offset. */
327  if (DetectBase64DecodeParse("bytes 1, offst 2, relatve", &bytes, &offset,
328  &relative)) {
329  goto end;
330  }
331 
332  /* Misspelled empty string. */
333  if (DetectBase64DecodeParse("", &bytes, &offset, &relative)) {
334  goto end;
335  }
336 
337  retval = 1;
338 end:
339  return retval;
340 }
341 
342 /**
343  * Test keyword setup on basic content.
344  */
345 static int DetectBase64DecodeTestSetup(void)
346 {
347  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
348  FAIL_IF_NULL(de_ctx);
349 
350  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any ("
351  "base64_decode; content:\"content\"; "
352  "sid:1; rev:1;)");
353  FAIL_IF_NULL(s);
354  FAIL_IF_NULL(s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH]);
355 
356  DetectEngineCtxFree(de_ctx);
357  PASS;
358 }
359 
360 static int DetectBase64DecodeTestDecode(void)
361 {
362  ThreadVars tv;
363  DetectEngineCtx *de_ctx = NULL;
364  DetectEngineThreadCtx *det_ctx = NULL;
365  Packet *p = NULL;
366  int retval = 0;
367 
368  uint8_t payload[] = {
369  'S', 'G', 'V', 's', 'b', 'G', '8', 'g',
370  'V', '2', '9', 'y', 'b', 'G', 'Q', '=',
371  };
372 
373  memset(&tv, 0, sizeof(tv));
374  StatsThreadInit(&tv.stats);
375 
376  if ((de_ctx = DetectEngineCtxInit()) == NULL) {
377  goto end;
378  }
379 
380  de_ctx->sig_list = SigInit(de_ctx,
381  "alert tcp any any -> any any (msg:\"base64 test\"; "
382  "base64_decode; "
383  "sid:1; rev:1;)");
384  if (de_ctx->sig_list == NULL) {
385  goto end;
386  }
387  SigGroupBuild(de_ctx);
388  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
389 
390  p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
391  if (p == NULL) {
392  goto end;
393  }
394 
395  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
396  if (det_ctx->base64_decoded_len == 0) {
397  goto end;
398  }
399 
400  retval = 1;
401 end:
402  if (det_ctx != NULL) {
403  DetectEngineThreadCtxDeinit(&tv, det_ctx);
404  }
405  if (de_ctx != NULL) {
406  DetectEngineCtxFree(de_ctx);
407  }
408  if (p != NULL) {
409  UTHFreePacket(p);
410  }
411  StatsThreadCleanup(&tv.stats);
412  return retval;
413 }
414 
415 static int DetectBase64DecodeTestDecodeWithOffset(void)
416 {
417  ThreadVars tv;
418  DetectEngineCtx *de_ctx = NULL;
419  DetectEngineThreadCtx *det_ctx = NULL;
420  Packet *p = NULL;
421  int retval = 0;
422 
423  uint8_t payload[] = {
424  'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a',
425  'S', 'G', 'V', 's', 'b', 'G', '8', 'g',
426  'V', '2', '9', 'y', 'b', 'G', 'Q', '=',
427  };
428  char decoded[] = "Hello World";
429 
430  memset(&tv, 0, sizeof(tv));
431  StatsThreadInit(&tv.stats);
432 
433  if ((de_ctx = DetectEngineCtxInit()) == NULL) {
434  goto end;
435  }
436 
437  de_ctx->sig_list = SigInit(de_ctx,
438  "alert tcp any any -> any any (msg:\"base64 test\"; "
439  "base64_decode: offset 8; "
440  "sid:1; rev:1;)");
441  if (de_ctx->sig_list == NULL) {
442  goto end;
443  }
444  SigGroupBuild(de_ctx);
445  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
446 
447  p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
448  if (p == NULL) {
449  goto end;
450  }
451 
452  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
453  if (det_ctx->base64_decoded_len != (int)strlen(decoded)) {
454  goto end;
455  }
456  if (memcmp(det_ctx->base64_decoded, decoded, strlen(decoded))) {
457  goto end;
458  }
459 
460  retval = 1;
461 end:
462  if (det_ctx != NULL) {
463  DetectEngineThreadCtxDeinit(&tv, det_ctx);
464  }
465  if (de_ctx != NULL) {
466  SigCleanSignatures(de_ctx);
467  SigGroupCleanup(de_ctx);
468  DetectEngineCtxFree(de_ctx);
469  }
470  if (p != NULL) {
471  UTHFreePacket(p);
472  }
473  StatsThreadCleanup(&tv.stats);
474  return retval;
475 }
476 
477 static int DetectBase64DecodeTestDecodeLargeOffset(void)
478 {
479  ThreadVars tv;
480  DetectEngineCtx *de_ctx = NULL;
481  DetectEngineThreadCtx *det_ctx = NULL;
482  Packet *p = NULL;
483  int retval = 0;
484 
485  uint8_t payload[] = {
486  'S', 'G', 'V', 's', 'b', 'G', '8', 'g',
487  'V', '2', '9', 'y', 'b', 'G', 'Q', '=',
488  };
489 
490  memset(&tv, 0, sizeof(tv));
491  StatsThreadInit(&tv.stats);
492 
493  if ((de_ctx = DetectEngineCtxInit()) == NULL) {
494  goto end;
495  }
496 
497  /* Offset is out of range. */
498  de_ctx->sig_list = SigInit(de_ctx,
499  "alert tcp any any -> any any (msg:\"base64 test\"; "
500  "base64_decode: bytes 16, offset 32; "
501  "sid:1; rev:1;)");
502  if (de_ctx->sig_list == NULL) {
503  goto end;
504  }
505  SigGroupBuild(de_ctx);
506  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
507 
508  p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
509  if (p == NULL) {
510  goto end;
511  }
512 
513  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
514  if (det_ctx->base64_decoded_len != 0) {
515  goto end;
516  }
517 
518  retval = 1;
519 end:
520  if (det_ctx != NULL) {
521  DetectEngineThreadCtxDeinit(&tv, det_ctx);
522  }
523  if (de_ctx != NULL) {
524  DetectEngineCtxFree(de_ctx);
525  }
526  if (p != NULL) {
527  UTHFreePacket(p);
528  }
529  StatsThreadCleanup(&tv.stats);
530  return retval;
531 }
532 
533 static int DetectBase64DecodeTestDecodeRelative(void)
534 {
535  ThreadVars tv;
536  DetectEngineCtx *de_ctx = NULL;
537  DetectEngineThreadCtx *det_ctx = NULL;
538  Packet *p = NULL;
539  int retval = 0;
540 
541  uint8_t payload[] = {
542  'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a',
543  'S', 'G', 'V', 's', 'b', 'G', '8', 'g',
544  'V', '2', '9', 'y', 'b', 'G', 'Q', '=',
545  };
546  char decoded[] = "Hello World";
547 
548  memset(&tv, 0, sizeof(tv));
549  StatsThreadInit(&tv.stats);
550 
551  if ((de_ctx = DetectEngineCtxInit()) == NULL) {
552  goto end;
553  }
554 
555  de_ctx->sig_list = SigInit(de_ctx,
556  "alert tcp any any -> any any (msg:\"base64 test\"; "
557  "content:\"aaaaaaaa\"; "
558  "base64_decode: relative; "
559  "sid:1; rev:1;)");
560  if (de_ctx->sig_list == NULL) {
561  goto end;
562  }
563  SigGroupBuild(de_ctx);
564  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
565 
566  p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
567  if (p == NULL) {
568  goto end;
569  }
570 
571  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
572  if (det_ctx->base64_decoded_len != (int)strlen(decoded)) {
573  goto end;
574  }
575  if (memcmp(det_ctx->base64_decoded, decoded, strlen(decoded))) {
576  goto end;
577  }
578 
579  retval = 1;
580 end:
581  if (det_ctx != NULL) {
582  DetectEngineThreadCtxDeinit(&tv, det_ctx);
583  }
584  if (de_ctx != NULL) {
585  DetectEngineCtxFree(de_ctx);
586  }
587  if (p != NULL) {
588  UTHFreePacket(p);
589  }
590  StatsThreadCleanup(&tv.stats);
591  return retval;
592 }
593 
594 static void DetectBase64DecodeRegisterTests(void)
595 {
596  g_http_header_buffer_id = DetectBufferTypeGetByName("http_header");
597 
598  UtRegisterTest("DetectBase64TestDecodeParse", DetectBase64TestDecodeParse);
599  UtRegisterTest("DetectBase64DecodeTestSetup", DetectBase64DecodeTestSetup);
600  UtRegisterTest("DetectBase64DecodeTestDecode",
601  DetectBase64DecodeTestDecode);
602  UtRegisterTest("DetectBase64DecodeTestDecodeWithOffset",
603  DetectBase64DecodeTestDecodeWithOffset);
604  UtRegisterTest("DetectBase64DecodeTestDecodeLargeOffset",
605  DetectBase64DecodeTestDecodeLargeOffset);
606  UtRegisterTest("DetectBase64DecodeTestDecodeRelative",
607  DetectBase64DecodeTestDecodeRelative);
608 }
609 #endif /* UNITTESTS */
util-byte.h
SigTableElmt_::url
const char * url
Definition: detect.h:1461
DetectEngineThreadCtx_::buffer_offset
uint32_t buffer_offset
Definition: detect.h:1269
detect-engine.h
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:119
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SigTableElmt_::desc
const char * desc
Definition: detect.h:1460
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:79
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1445
flow-util.h
DetectParseRegex
Definition: detect-parse.h:92
SigTableElmt_::name
const char * name
Definition: detect.h:1458
SignatureInitData_::smlists_tail
struct SigMatch_ * smlists_tail[DETECT_SM_LIST_MAX]
Definition: detect.h:644
DETECT_BYTEJUMP
@ DETECT_BYTEJUMP
Definition: detect-engine-register.h:83
stream-tcp.h
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
DetectBase64DecodeDoMatch
int DetectBase64DecodeDoMatch(DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, const uint8_t *payload, uint32_t payload_len)
Definition: detect-base64-decode.c:66
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:69
SigTableElmt_::flags
uint32_t flags
Definition: detect.h:1449
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:282
SigMatchData_::ctx
SigMatchCtx * ctx
Definition: detect.h:367
SCDetectGetLastSMFromLists
SigMatch * SCDetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition: detect-parse.c:563
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:933
StringParseUint16
int StringParseUint16(uint16_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:296
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2684
rust.h
MIN
#define MIN(x, y)
Definition: suricata-common.h:408
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:365
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:2420
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
Definition: detect-parse.c:3500
DetectBase64Decode
struct DetectBase64Decode_ DetectBase64Decode
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:56
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:3446
SigMatchData_
Data needed for Match()
Definition: detect.h:364
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1440
util-unittest.h
util-unittest-helper.h
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1278
DetectEngineCtx_::base64_decode_max_len
uint16_t base64_decode_max_len
Definition: detect.h:1021
DetectBase64Decode_::offset
uint32_t offset
Definition: detect-base64-decode.c:32
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:19
DetectBase64Decode_
Definition: detect-base64-decode.c:30
DetectEngineThreadCtx_
Definition: detect.h:1245
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:3626
SignatureInitData_::list
int list
Definition: detect.h:628
util-print.h
SCSigMatchAppendSMToList
SigMatch * SCSigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:387
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3414
StringParseUint32
int StringParseUint32(uint32_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:269
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:3104
PrintRawDataFp
void PrintRawDataFp(FILE *fp, const uint8_t *buf, uint32_t buflen)
Definition: util-print.c:112
app-layer-parser.h
DetectEngineThreadCtx_::base64_decoded_len
int base64_decoded_len
Definition: detect.h:1326
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2278
BASE64_DECODE_MAX
#define BASE64_DECODE_MAX
Definition: detect-base64-decode.c:28
Packet_
Definition: decode.h:501
detect-engine-build.h
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:747
DetectBase64Decode_::bytes
uint16_t bytes
Definition: detect-base64-decode.c:31
DETECT_PCRE
@ DETECT_PCRE
Definition: detect-engine-register.h:71
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2207
StatsThreadInit
void StatsThreadInit(StatsThreadContext *stats)
Definition: counters.c:1331
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:350
DETECT_SM_LIST_NOTSET
#define DETECT_SM_LIST_NOTSET
Definition: detect.h:144
DetectBase64Decode_::relative
uint8_t relative
Definition: detect-base64-decode.c:33
DETECT_BYTETEST
@ DETECT_BYTETEST
Definition: detect-engine-register.h:82
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3651
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:942
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:33
SIGMATCH_OPTIONAL_OPT
#define SIGMATCH_OPTIONAL_OPT
Definition: detect.h:1660
detect-base64-decode.h
str
#define str(s)
Definition: suricata-common.h:308
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:274
SigMatchListSMBelongsTo
int SigMatchListSMBelongsTo(const Signature *s, const SigMatch *key_sm)
Definition: detect-parse.c:762
SCFree
#define SCFree(p)
Definition: util-mem.h:61
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:473
DETECT_BYTE_EXTRACT
@ DETECT_BYTE_EXTRACT
Definition: detect-engine-register.h:85
detect-parse.h
Signature_
Signature container.
Definition: detect.h:668
SigMatch_
a single match condition for a signature
Definition: detect.h:355
payload_len
uint16_t payload_len
Definition: stream-tcp-private.h:1
DETECT_ISDATAAT
@ DETECT_ISDATAAT
Definition: detect-engine-register.h:93
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2645
DetectEngineThreadCtx_::base64_decoded
uint8_t * base64_decoded
Definition: detect.h:1325
DETECT_BASE64_DECODE
@ DETECT_BASE64_DECODE
Definition: detect-engine-register.h:88
DetectBase64DecodeRegister
void DetectBase64DecodeRegister(void)
Definition: detect-base64-decode.c:48
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
ThreadVars_::stats
StatsThreadContext stats
Definition: threadvars.h:121
StatsThreadCleanup
void StatsThreadCleanup(StatsThreadContext *stats)
Definition: counters.c:1427
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1447