detect-byte-extract.c File Reference
#include "suricata-common.h"
#include "threads.h"
#include "decode.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-mpm.h"
#include "detect-engine-state.h"
#include "detect-content.h"
#include "detect-pcre.h"
#include "detect-bytejump.h"
#include "detect-bytetest.h"
#include "detect-byte-extract.h"
#include "detect-isdataat.h"
#include "app-layer-protos.h"
#include "flow.h"
#include "flow-var.h"
#include "flow-util.h"
#include "util-byte.h"
#include "util-debug.h"
#include "util-unittest.h"
#include "util-unittest-helper.h"
#include "util-spm.h"


Macros

#define DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT   DETECT_BYTE_EXTRACT_ENDIAN_BIG
 
#define DETECT_BYTE_EXTRACT_BASE_NONE   0
 
#define DETECT_BYTE_EXTRACT_BASE_HEX   16
 
#define DETECT_BYTE_EXTRACT_BASE_DEC   10
 
#define DETECT_BYTE_EXTRACT_BASE_OCT   8
 
#define DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT   1
 
#define DETECT_BYTE_EXTRACT_MULTIPLIER_MIN_LIMIT   1
 
#define DETECT_BYTE_EXTRACT_MULTIPLIER_MAX_LIMIT   65535
 
#define STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT   23
 
#define STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC   20
 
#define STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX   14
 
#define NO_STRING_MAX_BYTES_TO_EXTRACT   8
 
#define PARSE_REGEX
 
#define MAX_SUBSTRINGS   100
 

Functions

void DetectByteExtractRegister (void)
 Registers the keyword handlers for the "byte_extract" keyword.
 
int DetectByteExtractDoMatch (DetectEngineThreadCtx *det_ctx, const SigMatchData *smd, const Signature *s, const uint8_t *payload, uint16_t payload_len, uint64_t *value, uint8_t endian)
 
SigMatch * DetectByteExtractRetrieveSMVar (const char *arg, const Signature *s)
 Look up the SigMatch for a named byte_extract variable.
 

Detailed Description

Macro Definition Documentation

◆ DETECT_BYTE_EXTRACT_BASE_DEC

#define DETECT_BYTE_EXTRACT_BASE_DEC   10

Definition at line 60 of file detect-byte-extract.c.

◆ DETECT_BYTE_EXTRACT_BASE_HEX

#define DETECT_BYTE_EXTRACT_BASE_HEX   16

Definition at line 59 of file detect-byte-extract.c.

◆ DETECT_BYTE_EXTRACT_BASE_NONE

#define DETECT_BYTE_EXTRACT_BASE_NONE   0

Definition at line 58 of file detect-byte-extract.c.

◆ DETECT_BYTE_EXTRACT_BASE_OCT

#define DETECT_BYTE_EXTRACT_BASE_OCT   8

Definition at line 61 of file detect-byte-extract.c.

◆ DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT

#define DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT   DETECT_BYTE_EXTRACT_ENDIAN_BIG

Definition at line 54 of file detect-byte-extract.c.

◆ DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT

#define DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT   1

Definition at line 66 of file detect-byte-extract.c.

◆ DETECT_BYTE_EXTRACT_MULTIPLIER_MAX_LIMIT

#define DETECT_BYTE_EXTRACT_MULTIPLIER_MAX_LIMIT   65535

Definition at line 69 of file detect-byte-extract.c.

◆ DETECT_BYTE_EXTRACT_MULTIPLIER_MIN_LIMIT

#define DETECT_BYTE_EXTRACT_MULTIPLIER_MIN_LIMIT   1

Definition at line 68 of file detect-byte-extract.c.

◆ MAX_SUBSTRINGS

#define MAX_SUBSTRINGS   100

◆ NO_STRING_MAX_BYTES_TO_EXTRACT

#define NO_STRING_MAX_BYTES_TO_EXTRACT   8

Definition at line 77 of file detect-byte-extract.c.

◆ PARSE_REGEX

#define PARSE_REGEX
Value:
"^" \
"\\s*([0-9]+)\\s*" \
",\\s*(-?[0-9]+)\\s*" \
",\\s*([^\\s,]+)\\s*" \
"(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
"(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
"(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
"(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
"(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
"$"

Definition at line 79 of file detect-byte-extract.c.

◆ STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC

#define STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC   20

Definition at line 74 of file detect-byte-extract.c.

◆ STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX

#define STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX   14

Definition at line 75 of file detect-byte-extract.c.

◆ STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT

#define STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT   23

Definition at line 73 of file detect-byte-extract.c.

Function Documentation

◆ DetectByteExtractDoMatch()

◆ DetectByteExtractRegister()

void DetectByteExtractRegister ( void  )

Registers the keyword handlers for the "byte_extract" keyword.

Definition at line 98 of file detect-byte-extract.c.

References SigTableElmt_::desc, DETECT_BYTE_EXTRACT, SigTableElmt_::Match, SigTableElmt_::name, SigTableElmt_::Setup, sigmatch_table, and SigTableElmt_::url.

Referenced by SigTableSetup().


◆ DetectByteExtractRetrieveSMVar()

SigMatch* DetectByteExtractRetrieveSMVar ( const char *  arg,
const Signature *  s 
)

Look up the SigMatch for a named byte_extract variable.

Parameters
arg: The name of the byte_extract variable to look up.
s: Pointer to the signature to look in.
Return values
A pointer to the SigMatch if found, otherwise NULL.

Definition at line 645 of file detect-byte-extract.c.

References Signature_::init_data, and SignatureInitData_::smlists_array_size.