suricata
detect-base64-decode.c
Go to the documentation of this file.
1 /* Copyright (C) 2020-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 #include "suricata-common.h"
19 #include "detect.h"
20 #include "detect-parse.h"
21 #include "detect-base64-decode.h"
22 #include "util-base64.h"
23 #include "util-byte.h"
24 #include "util-print.h"
25 #include "detect-engine-build.h"
26 
27 /* Arbitrary maximum buffer size for decoded base64 data. */
28 #define BASE64_DECODE_MAX 65535
29 
30 typedef struct DetectBase64Decode_ {
31  uint32_t bytes;
32  uint32_t offset;
33  uint8_t relative;
34 } DetectBase64Decode;
35 
36 static const char decode_pattern[] = "\\s*(bytes\\s+(\\d+),?)?"
37  "\\s*(offset\\s+(\\d+),?)?"
38  "\\s*(\\w+)?";
39 
40 static DetectParseRegex decode_pcre;
41 
42 static int DetectBase64DecodeSetup(DetectEngineCtx *, Signature *, const char *);
43 static void DetectBase64DecodeFree(DetectEngineCtx *, void *);
44 #ifdef UNITTESTS
45 static void DetectBase64DecodeRegisterTests(void);
46 #endif
47 
48 void DetectBase64DecodeRegister(void)
49 {
50  sigmatch_table[DETECT_BASE64_DECODE].name = "base64_decode";
51  sigmatch_table[DETECT_BASE64_DECODE].desc =
52  "Decodes base64 encoded data.";
53  sigmatch_table[DETECT_BASE64_DECODE].url =
54  "/rules/base64-keywords.html#base64-decode";
55  sigmatch_table[DETECT_BASE64_DECODE].Setup = DetectBase64DecodeSetup;
56  sigmatch_table[DETECT_BASE64_DECODE].Free = DetectBase64DecodeFree;
57 #ifdef UNITTESTS
58  sigmatch_table[DETECT_BASE64_DECODE].RegisterTests =
59  DetectBase64DecodeRegisterTests;
60 #endif
61  sigmatch_table[DETECT_BASE64_DECODE].flags |= SIGMATCH_OPTIONAL_OPT;
62 
63  DetectSetupParseRegexes(decode_pattern, &decode_pcre);
64 }
65 
66 int DetectBase64DecodeDoMatch(DetectEngineThreadCtx *det_ctx, const Signature *s,
67  const SigMatchData *smd, const uint8_t *payload, uint32_t payload_len)
68 {
69  DetectBase64Decode *data = (DetectBase64Decode *)smd->ctx;
70  int decode_len;
71 
72 #if 0
73  printf("Input data:\n");
74  PrintRawDataFp(stdout, payload, payload_len);
75 #endif
76 
77  if (data->relative) {
78  payload += det_ctx->buffer_offset;
79  payload_len -= det_ctx->buffer_offset;
80  }
81 
82  if (data->offset) {
83  if (data->offset >= payload_len) {
84  return 0;
85  }
86  payload = payload + data->offset;
87  payload_len -= data->offset;
88  }
89 
90  decode_len = MIN(payload_len, data->bytes);
91 
92 #if 0
93  printf("Decoding:\n");
94  PrintRawDataFp(stdout, payload, decode_len);
95 #endif
96 
97  uint32_t consumed = 0, num_decoded = 0;
98  (void)DecodeBase64(det_ctx->base64_decoded, det_ctx->base64_decoded_len_max, payload,
99  decode_len, &consumed, &num_decoded, BASE64_MODE_RFC4648);
100  det_ctx->base64_decoded_len = num_decoded;
101  SCLogDebug("Decoded %d bytes from base64 data.",
102  det_ctx->base64_decoded_len);
103 #if 0
104  if (det_ctx->base64_decoded_len) {
105  printf("Decoded data:\n");
106  PrintRawDataFp(stdout, det_ctx->base64_decoded,
107  det_ctx->base64_decoded_len);
108  }
109 #endif
110 
111  return det_ctx->base64_decoded_len > 0;
112 }
113 
114 static int DetectBase64DecodeParse(const char *str, uint32_t *bytes,
115  uint32_t *offset, uint8_t *relative)
116 {
117  const char *bytes_str = NULL;
118  const char *offset_str = NULL;
119  const char *relative_str = NULL;
120  int retval = 0;
121 
122  *bytes = 0;
123  *offset = 0;
124  *relative = 0;
125  size_t pcre2_len;
126  pcre2_match_data *match = NULL;
127 
128  int pcre_rc = DetectParsePcreExec(&decode_pcre, &match, str, 0, 0);
129  if (pcre_rc < 3) {
130  goto error;
131  }
132 
133  if (pcre_rc >= 3) {
134  if (pcre2_substring_get_bynumber(match, 2, (PCRE2_UCHAR8 **)&bytes_str, &pcre2_len) == 0) {
135  if (StringParseUint32(bytes, 10, 0, bytes_str) <= 0) {
136  SCLogError("Bad value for bytes: \"%s\"", bytes_str);
137  goto error;
138  }
139  }
140  }
141 
142  if (pcre_rc >= 5) {
143  if (pcre2_substring_get_bynumber(match, 4, (PCRE2_UCHAR8 **)&offset_str, &pcre2_len) == 0) {
144  if (StringParseUint32(offset, 10, 0, offset_str) <= 0) {
145  SCLogError("Bad value for offset: \"%s\"", offset_str);
146  goto error;
147  }
148  }
149  }
150 
151  if (pcre_rc >= 6) {
152  if (pcre2_substring_get_bynumber(match, 5, (PCRE2_UCHAR8 **)&relative_str, &pcre2_len) ==
153  0) {
154  if (strcmp(relative_str, "relative") == 0) {
155  *relative = 1;
156  }
157  else {
158  SCLogError("Invalid argument: \"%s\"", relative_str);
159  goto error;
160  }
161  }
162  }
163 
164  retval = 1;
165 
166  pcre2_match_data_free(match);
167  match = NULL;
168 
169 error:
170 
171  if (bytes_str != NULL) {
172  pcre2_substring_free((PCRE2_UCHAR8 *)bytes_str);
173  }
174  if (offset_str != NULL) {
175  pcre2_substring_free((PCRE2_UCHAR8 *)offset_str);
176  }
177  if (relative_str != NULL) {
178  pcre2_substring_free((PCRE2_UCHAR8 *)relative_str);
179  }
180  if (match) {
181  pcre2_match_data_free(match);
182  }
183  return retval;
184 }
185 
186 static int DetectBase64DecodeSetup(DetectEngineCtx *de_ctx, Signature *s,
187  const char *str)
188 {
189  uint32_t bytes = 0;
190  uint32_t offset = 0;
191  uint8_t relative = 0;
192  DetectBase64Decode *data = NULL;
193  int sm_list;
194  SigMatch *pm = NULL;
195 
196  if (str != NULL) {
197  if (!DetectBase64DecodeParse(str, &bytes, &offset, &relative)) {
198  goto error;
199  }
200  }
201  data = SCCalloc(1, sizeof(DetectBase64Decode));
202  if (unlikely(data == NULL)) {
203  goto error;
204  }
205  data->bytes = bytes;
206  data->offset = offset;
207  data->relative = relative;
208 
209  if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
210  sm_list = s->init_data->list;
211  }
212  else {
213  pm = DetectGetLastSMFromLists(s,
214  DETECT_CONTENT, DETECT_PCRE,
215  DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
216  DETECT_ISDATAAT, -1);
217  if (pm == NULL) {
218  sm_list = DETECT_SM_LIST_PMATCH;
219  }
220  else {
221  sm_list = SigMatchListSMBelongsTo(s, pm);
222  if (sm_list < 0) {
223  goto error;
224  }
225  }
226  }
227 
228  if (SigMatchAppendSMToList(de_ctx, s, DETECT_BASE64_DECODE, (SigMatchCtx *)data, sm_list) ==
229  NULL) {
230  goto error;
231  }
232 
233  if (!data->bytes) {
234  data->bytes = BASE64_DECODE_MAX;
235  }
236  if (data->bytes > de_ctx->base64_decode_max_len) {
237 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
238  data->bytes = BASE64_DECODE_MAX;
239 #endif
240  de_ctx->base64_decode_max_len = data->bytes;
241  }
242 
243  return 0;
244 error:
245  if (data != NULL) {
246  SCFree(data);
247  }
248  return -1;
249 }
250 
251 static void DetectBase64DecodeFree(DetectEngineCtx *de_ctx, void *ptr)
252 {
253  DetectBase64Decode *data = ptr;
254  SCFree(data);
255 }
256 
257 
258 #ifdef UNITTESTS
259 #include "detect-engine.h"
260 #include "util-unittest.h"
261 #include "util-unittest-helper.h"
262 #include "app-layer-parser.h"
263 #include "flow-util.h"
264 #include "stream-tcp.h"
265 
266 static int g_http_header_buffer_id = 0;
267 
268 static int DetectBase64TestDecodeParse(void)
269 {
270  int retval = 0;
271  uint32_t bytes = 0;
272  uint32_t offset = 0;
273  uint8_t relative = 0;
274 
275  if (!DetectBase64DecodeParse("bytes 1", &bytes, &offset, &relative)) {
276  goto end;
277  }
278  if (bytes != 1 || offset != 0 || relative != 0) {
279  goto end;
280  }
281 
282  if (!DetectBase64DecodeParse("offset 9", &bytes, &offset, &relative)) {
283  goto end;
284  }
285  if (bytes != 0 || offset != 9 || relative != 0) {
286  goto end;
287  }
288 
289  if (!DetectBase64DecodeParse("relative", &bytes, &offset, &relative)) {
290  goto end;
291  }
292  if (bytes != 0 || offset != 0 || relative != 1) {
293  goto end;
294  }
295 
296  if (!DetectBase64DecodeParse("bytes 1, offset 2", &bytes, &offset,
297  &relative)) {
298  goto end;
299  }
300  if (bytes != 1 || offset != 2 || relative != 0) {
301  goto end;
302  }
303 
304  if (!DetectBase64DecodeParse("bytes 1, offset 2, relative", &bytes, &offset,
305  &relative)) {
306  goto end;
307  }
308  if (bytes != 1 || offset != 2 || relative != 1) {
309  goto end;
310  }
311 
312  if (!DetectBase64DecodeParse("offset 2, relative", &bytes, &offset,
313  &relative)) {
314  goto end;
315  }
316  if (bytes != 0 || offset != 2 || relative != 1) {
317  goto end;
318  }
319 
320  /* Misspelled relative. */
321  if (DetectBase64DecodeParse("bytes 1, offset 2, relatve", &bytes, &offset,
322  &relative)) {
323  goto end;
324  }
325 
326  /* Misspelled bytes. */
327  if (DetectBase64DecodeParse("byts 1, offset 2, relatve", &bytes, &offset,
328  &relative)) {
329  goto end;
330  }
331 
332  /* Misspelled offset. */
333  if (DetectBase64DecodeParse("bytes 1, offst 2, relatve", &bytes, &offset,
334  &relative)) {
335  goto end;
336  }
337 
338  /* Misspelled empty string. */
339  if (DetectBase64DecodeParse("", &bytes, &offset, &relative)) {
340  goto end;
341  }
342 
343  retval = 1;
344 end:
345  return retval;
346 }
347 
348 /**
349  * Test keyword setup on basic content.
350  */
351 static int DetectBase64DecodeTestSetup(void)
352 {
353  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
354  FAIL_IF_NULL(de_ctx);
355 
356  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any ("
357  "base64_decode; content:\"content\"; "
358  "sid:1; rev:1;)");
359  FAIL_IF_NULL(s);
360  FAIL_IF_NULL(s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH]);
361 
362  DetectEngineCtxFree(de_ctx);
363  PASS;
364 }
365 
366 static int DetectBase64DecodeTestDecode(void)
367 {
368  ThreadVars tv;
369  DetectEngineCtx *de_ctx = NULL;
370  DetectEngineThreadCtx *det_ctx = NULL;
371  Packet *p = NULL;
372  int retval = 0;
373 
374  uint8_t payload[] = {
375  'S', 'G', 'V', 's', 'b', 'G', '8', 'g',
376  'V', '2', '9', 'y', 'b', 'G', 'Q', '=',
377  };
378 
379  memset(&tv, 0, sizeof(tv));
380 
381  if ((de_ctx = DetectEngineCtxInit()) == NULL) {
382  goto end;
383  }
384 
385  de_ctx->sig_list = SigInit(de_ctx,
386  "alert tcp any any -> any any (msg:\"base64 test\"; "
387  "base64_decode; "
388  "sid:1; rev:1;)");
389  if (de_ctx->sig_list == NULL) {
390  goto end;
391  }
392  SigGroupBuild(de_ctx);
393  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
394 
395  p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
396  if (p == NULL) {
397  goto end;
398  }
399 
400  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
401  if (det_ctx->base64_decoded_len == 0) {
402  goto end;
403  }
404 
405  retval = 1;
406 end:
407  if (det_ctx != NULL) {
408  DetectEngineThreadCtxDeinit(&tv, det_ctx);
409  }
410  if (de_ctx != NULL) {
411  SigCleanSignatures(de_ctx);
412  SigGroupCleanup(de_ctx);
413  DetectEngineCtxFree(de_ctx);
414  }
415  if (p != NULL) {
416  UTHFreePacket(p);
417  }
418  return retval;
419 }
420 
421 static int DetectBase64DecodeTestDecodeWithOffset(void)
422 {
423  ThreadVars tv;
424  DetectEngineCtx *de_ctx = NULL;
425  DetectEngineThreadCtx *det_ctx = NULL;
426  Packet *p = NULL;
427  int retval = 0;
428 
429  uint8_t payload[] = {
430  'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a',
431  'S', 'G', 'V', 's', 'b', 'G', '8', 'g',
432  'V', '2', '9', 'y', 'b', 'G', 'Q', '=',
433  };
434  char decoded[] = "Hello World";
435 
436  memset(&tv, 0, sizeof(tv));
437 
438  if ((de_ctx = DetectEngineCtxInit()) == NULL) {
439  goto end;
440  }
441 
442  de_ctx->sig_list = SigInit(de_ctx,
443  "alert tcp any any -> any any (msg:\"base64 test\"; "
444  "base64_decode: offset 8; "
445  "sid:1; rev:1;)");
446  if (de_ctx->sig_list == NULL) {
447  goto end;
448  }
449  SigGroupBuild(de_ctx);
450  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
451 
452  p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
453  if (p == NULL) {
454  goto end;
455  }
456 
457  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
458  if (det_ctx->base64_decoded_len != (int)strlen(decoded)) {
459  goto end;
460  }
461  if (memcmp(det_ctx->base64_decoded, decoded, strlen(decoded))) {
462  goto end;
463  }
464 
465  retval = 1;
466 end:
467  if (det_ctx != NULL) {
468  DetectEngineThreadCtxDeinit(&tv, det_ctx);
469  }
470  if (de_ctx != NULL) {
471  SigCleanSignatures(de_ctx);
472  SigGroupCleanup(de_ctx);
473  DetectEngineCtxFree(de_ctx);
474  }
475  if (p != NULL) {
476  UTHFreePacket(p);
477  }
478  return retval;
479 }
480 
481 static int DetectBase64DecodeTestDecodeLargeOffset(void)
482 {
483  ThreadVars tv;
484  DetectEngineCtx *de_ctx = NULL;
485  DetectEngineThreadCtx *det_ctx = NULL;
486  Packet *p = NULL;
487  int retval = 0;
488 
489  uint8_t payload[] = {
490  'S', 'G', 'V', 's', 'b', 'G', '8', 'g',
491  'V', '2', '9', 'y', 'b', 'G', 'Q', '=',
492  };
493 
494  memset(&tv, 0, sizeof(tv));
495 
496  if ((de_ctx = DetectEngineCtxInit()) == NULL) {
497  goto end;
498  }
499 
500  /* Offset is out of range. */
501  de_ctx->sig_list = SigInit(de_ctx,
502  "alert tcp any any -> any any (msg:\"base64 test\"; "
503  "base64_decode: bytes 16, offset 32; "
504  "sid:1; rev:1;)");
505  if (de_ctx->sig_list == NULL) {
506  goto end;
507  }
508  SigGroupBuild(de_ctx);
509  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
510 
511  p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
512  if (p == NULL) {
513  goto end;
514  }
515 
516  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
517  if (det_ctx->base64_decoded_len != 0) {
518  goto end;
519  }
520 
521  retval = 1;
522 end:
523  if (det_ctx != NULL) {
524  DetectEngineThreadCtxDeinit(&tv, det_ctx);
525  }
526  if (de_ctx != NULL) {
527  SigCleanSignatures(de_ctx);
528  SigGroupCleanup(de_ctx);
529  DetectEngineCtxFree(de_ctx);
530  }
531  if (p != NULL) {
532  UTHFreePacket(p);
533  }
534  return retval;
535 }
536 
537 static int DetectBase64DecodeTestDecodeRelative(void)
538 {
539  ThreadVars tv;
540  DetectEngineCtx *de_ctx = NULL;
541  DetectEngineThreadCtx *det_ctx = NULL;
542  Packet *p = NULL;
543  int retval = 0;
544 
545  uint8_t payload[] = {
546  'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a',
547  'S', 'G', 'V', 's', 'b', 'G', '8', 'g',
548  'V', '2', '9', 'y', 'b', 'G', 'Q', '=',
549  };
550  char decoded[] = "Hello World";
551 
552  memset(&tv, 0, sizeof(tv));
553 
554  if ((de_ctx = DetectEngineCtxInit()) == NULL) {
555  goto end;
556  }
557 
558  de_ctx->sig_list = SigInit(de_ctx,
559  "alert tcp any any -> any any (msg:\"base64 test\"; "
560  "content:\"aaaaaaaa\"; "
561  "base64_decode: relative; "
562  "sid:1; rev:1;)");
563  if (de_ctx->sig_list == NULL) {
564  goto end;
565  }
566  SigGroupBuild(de_ctx);
567  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
568 
569  p = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
570  if (p == NULL) {
571  goto end;
572  }
573 
574  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
575  if (det_ctx->base64_decoded_len != (int)strlen(decoded)) {
576  goto end;
577  }
578  if (memcmp(det_ctx->base64_decoded, decoded, strlen(decoded))) {
579  goto end;
580  }
581 
582  retval = 1;
583 end:
584  if (det_ctx != NULL) {
585  DetectEngineThreadCtxDeinit(&tv, det_ctx);
586  }
587  if (de_ctx != NULL) {
588  SigCleanSignatures(de_ctx);
589  SigGroupCleanup(de_ctx);
590  DetectEngineCtxFree(de_ctx);
591  }
592  if (p != NULL) {
593  UTHFreePacket(p);
594  }
595  return retval;
596 }
597 
598 static void DetectBase64DecodeRegisterTests(void)
599 {
600  g_http_header_buffer_id = DetectBufferTypeGetByName("http_header");
601 
602  UtRegisterTest("DetectBase64TestDecodeParse", DetectBase64TestDecodeParse);
603  UtRegisterTest("DetectBase64DecodeTestSetup", DetectBase64DecodeTestSetup);
604  UtRegisterTest("DetectBase64DecodeTestDecode",
605  DetectBase64DecodeTestDecode);
606  UtRegisterTest("DetectBase64DecodeTestDecodeWithOffset",
607  DetectBase64DecodeTestDecodeWithOffset);
608  UtRegisterTest("DetectBase64DecodeTestDecodeLargeOffset",
609  DetectBase64DecodeTestDecodeLargeOffset);
610  UtRegisterTest("DetectBase64DecodeTestDecodeRelative",
611  DetectBase64DecodeTestDecodeRelative);
612 }
613 #endif /* UNITTESTS */
util-byte.h
SigTableElmt_::url
const char * url
Definition: detect.h:1299
DetectEngineThreadCtx_::buffer_offset
uint32_t buffer_offset
Definition: detect.h:1124
detect-engine.h
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:116
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SigTableElmt_::desc
const char * desc
Definition: detect.h:1298
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1286
flow-util.h
DetectParseRegex
Definition: detect-parse.h:62
SigTableElmt_::name
const char * name
Definition: detect.h:1296
SignatureInitData_::smlists_tail
struct SigMatch_ * smlists_tail[DETECT_SM_LIST_MAX]
Definition: detect.h:583
DETECT_BYTEJUMP
@ DETECT_BYTEJUMP
Definition: detect-engine-register.h:76
stream-tcp.h
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
DetectBase64DecodeDoMatch
int DetectBase64DecodeDoMatch(DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, const uint8_t *payload, uint32_t payload_len)
Definition: detect-base64-decode.c:66
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:62
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
SigMatchData_::ctx
SigMatchCtx * ctx
Definition: detect.h:362
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1290
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:839
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2533
util-base64.h
MIN
#define MIN(x, y)
Definition: suricata-common.h:391
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:340
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1895
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
Definition: detect-parse.c:2674
DetectBase64Decode
struct DetectBase64Decode_ DetectBase64Decode
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:54
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2620
SigMatchData_
Data needed for Match()
Definition: detect.h:359
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1281
util-unittest.h
util-unittest-helper.h
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1072
DetectBase64Decode_::offset
uint32_t offset
Definition: detect-base64-decode.c:32
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectBase64Decode_
Definition: detect-base64-decode.c:30
DetectEngineThreadCtx_
Definition: detect.h:1095
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2791
SignatureInitData_::list
int list
Definition: detect.h:565
util-print.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
StringParseUint32
int StringParseUint32(uint32_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:313
BASE64_MODE_RFC4648
@ BASE64_MODE_RFC4648
Definition: util-base64.h:68
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2314
PrintRawDataFp
void PrintRawDataFp(FILE *fp, const uint8_t *buf, uint32_t buflen)
Definition: util-print.c:114
app-layer-parser.h
DetectEngineThreadCtx_::base64_decoded_len
int base64_decoded_len
Definition: detect.h:1138
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2218
BASE64_DECODE_MAX
#define BASE64_DECODE_MAX
Definition: detect-base64-decode.c:28
Packet_
Definition: decode.h:437
detect-engine-build.h
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:665
DETECT_PCRE
@ DETECT_PCRE
Definition: detect-engine-register.h:64
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2149
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:345
DETECT_SM_LIST_NOTSET
#define DETECT_SM_LIST_NOTSET
Definition: detect.h:141
DetectBase64Decode_::relative
uint8_t relative
Definition: detect-base64-decode.c:33
DETECT_BYTETEST
@ DETECT_BYTETEST
Definition: detect-engine-register.h:75
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3244
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3454
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:127
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:847
DetectBase64Decode_::bytes
uint32_t bytes
Definition: detect-base64-decode.c:31
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
SIGMATCH_OPTIONAL_OPT
#define SIGMATCH_OPTIONAL_OPT
Definition: detect.h:1485
detect-base64-decode.h
str
#define str(s)
Definition: suricata-common.h:291
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SigMatchListSMBelongsTo
int SigMatchListSMBelongsTo(const Signature *s, const SigMatch *key_sm)
Definition: detect-parse.c:820
SCFree
#define SCFree(p)
Definition: util-mem.h:61
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:448
DETECT_BYTE_EXTRACT
@ DETECT_BYTE_EXTRACT
Definition: detect-engine-register.h:184
DetectEngineThreadCtx_::base64_decoded_len_max
int base64_decoded_len_max
Definition: detect.h:1139
detect-parse.h
Signature_
Signature container.
Definition: detect.h:596
SigMatch_
a single match condition for a signature
Definition: detect.h:350
payload_len
uint16_t payload_len
Definition: stream-tcp-private.h:1
DETECT_ISDATAAT
@ DETECT_ISDATAAT
Definition: detect-engine-register.h:82
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2494
DetectEngineThreadCtx_::base64_decoded
uint8_t * base64_decoded
Definition: detect.h:1137
DETECT_BASE64_DECODE
@ DETECT_BASE64_DECODE
Definition: detect-engine-register.h:262
DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition: detect-parse.c:619
SigMatchAppendSMToList
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:447
DetectBase64DecodeRegister
void DetectBase64DecodeRegister(void)
Definition: detect-base64-decode.c:48
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
DetectEngineCtx_::base64_decode_max_len
uint32_t base64_decode_max_len
Definition: detect.h:925
DecodeBase64
Base64Ecode DecodeBase64(uint8_t *dest, uint32_t dest_size, const uint8_t *src, uint32_t len, uint32_t *consumed_bytes, uint32_t *decoded_bytes, Base64Mode mode)
Decodes a base64-encoded string buffer into an ascii-encoded byte buffer.
Definition: util-base64.c:109
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1288