detect-byte-extract.c File Reference
#include "suricata-common.h"
#include "threads.h"
#include "decode.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-mpm.h"
#include "detect-engine-state.h"
#include "detect-content.h"
#include "detect-pcre.h"
#include "detect-bytejump.h"
#include "detect-bytetest.h"
#include "detect-byte-extract.h"
#include "detect-isdataat.h"
#include "app-layer-protos.h"
#include "flow.h"
#include "flow-var.h"
#include "flow-util.h"
#include "util-byte.h"
#include "util-debug.h"
#include "util-unittest.h"
#include "util-unittest-helper.h"
#include "util-spm.h"


Macros

#define DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT   DETECT_BYTE_EXTRACT_ENDIAN_BIG
 
#define DETECT_BYTE_EXTRACT_BASE_NONE   0
 
#define DETECT_BYTE_EXTRACT_BASE_HEX   16
 
#define DETECT_BYTE_EXTRACT_BASE_DEC   10
 
#define DETECT_BYTE_EXTRACT_BASE_OCT   8
 
#define DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT   1
 
#define DETECT_BYTE_EXTRACT_MULTIPLIER_MIN_LIMIT   1
 
#define DETECT_BYTE_EXTRACT_MULTIPLIER_MAX_LIMIT   65535
 
#define STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT   23
 
#define STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC   20
 
#define STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX   14
 
#define NO_STRING_MAX_BYTES_TO_EXTRACT   8
 
#define PARSE_REGEX
 
#define MAX_SUBSTRINGS   100
 

Functions

void DetectByteExtractRegister (void)
 Registers the keyword handlers for the "byte_extract" keyword.
 
int DetectByteExtractDoMatch (DetectEngineThreadCtx *det_ctx, const SigMatchData *smd, const Signature *s, uint8_t *payload, uint16_t payload_len, uint64_t *value, uint8_t endian)
 
SigMatch * DetectByteExtractRetrieveSMVar (const char *arg, const Signature *s)
 Look up the SigMatch for a named byte_extract variable.
 

Detailed Description

Macro Definition Documentation

#define DETECT_BYTE_EXTRACT_BASE_DEC   10
#define DETECT_BYTE_EXTRACT_BASE_HEX   16
#define DETECT_BYTE_EXTRACT_BASE_NONE   0
#define DETECT_BYTE_EXTRACT_BASE_OCT   8
#define DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT   DETECT_BYTE_EXTRACT_ENDIAN_BIG
#define DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT   1
#define DETECT_BYTE_EXTRACT_MULTIPLIER_MAX_LIMIT   65535

Definition at line 68 of file detect-byte-extract.c.

Referenced by DetectByteExtractDoMatch().

#define DETECT_BYTE_EXTRACT_MULTIPLIER_MIN_LIMIT   1

Definition at line 67 of file detect-byte-extract.c.

Referenced by DetectByteExtractDoMatch().

#define MAX_SUBSTRINGS   100
#define NO_STRING_MAX_BYTES_TO_EXTRACT   8

Definition at line 76 of file detect-byte-extract.c.

Referenced by DetectByteExtractDoMatch().

#define PARSE_REGEX
Value:
"^" \
"\\s*([0-9]+)\\s*" \
",\\s*(-?[0-9]+)\\s*" \
",\\s*([^\\s,]+)\\s*" \
"(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
"(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
"(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
"(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
"(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
"$"

Definition at line 78 of file detect-byte-extract.c.

Referenced by DetectByteExtractRegister().

#define STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC   20

Definition at line 73 of file detect-byte-extract.c.

Referenced by DetectByteExtractDoMatch().

#define STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX   14

Definition at line 74 of file detect-byte-extract.c.

Referenced by DetectByteExtractDoMatch().

#define STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT   23

Definition at line 72 of file detect-byte-extract.c.

Referenced by DetectByteExtractDoMatch().

Function Documentation

int DetectByteExtractDoMatch ( DetectEngineThreadCtx *  det_ctx,
const SigMatchData *  smd,
const Signature *  s,
uint8_t *  payload,
uint16_t  payload_len,
uint64_t *  value,
uint8_t  endian 
)

Definition at line 110 of file detect-byte-extract.c.

References DetectByteExtractData_::align_value, Signature_::alproto, ALPROTO_DCERPC, DetectByteExtractData_::base, DetectEngineThreadCtx_::buffer_offset, BYTE_BIG_ENDIAN, DetectEngineCtx_::byte_extract_max_local_id, BYTE_LITTLE_ENDIAN, ByteExtractStringUint64(), ByteExtractUint64(), SigMatch_::ctx, SigMatchData_::ctx, DETECT_BYTE_EXTRACT, DETECT_BYTE_EXTRACT_BASE_DEC, DETECT_BYTE_EXTRACT_BASE_HEX, DETECT_BYTE_EXTRACT_BASE_NONE, DETECT_BYTE_EXTRACT_BASE_OCT, DETECT_BYTE_EXTRACT_ENDIAN_BIG, DETECT_BYTE_EXTRACT_ENDIAN_DCE, DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT, DETECT_BYTE_EXTRACT_ENDIAN_LITTLE, DETECT_BYTE_EXTRACT_ENDIAN_NONE, DETECT_BYTE_EXTRACT_FLAG_ALIGN, DETECT_BYTE_EXTRACT_FLAG_ENDIAN, DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER, DETECT_BYTE_EXTRACT_FLAG_RELATIVE, DETECT_BYTE_EXTRACT_FLAG_STRING, DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT, DETECT_BYTE_EXTRACT_MULTIPLIER_MAX_LIMIT, DETECT_BYTE_EXTRACT_MULTIPLIER_MIN_LIMIT, DETECT_BYTEJUMP, DETECT_BYTETEST, DETECT_CONTENT, DETECT_CONTENT_RELATIVE_NEXT, DETECT_ISDATAAT, DETECT_PCRE, DETECT_PCRE_RELATIVE_NEXT, DETECT_SM_LIST_NOTSET, DETECT_SM_LIST_PMATCH, DetectGetLastSMByListId(), DetectGetLastSMFromLists(), DetectSignatureSetAppProto(), DetectByteExtractData_::endian, DetectPcreData_::flags, DetectByteExtractData_::flags, DetectContentData_::flags, Signature_::flags, Signature_::init_data, len, SignatureInitData_::list, DetectByteExtractData_::local_id, MAX_SUBSTRINGS, DetectByteExtractData_::multiplier_value, DetectByteExtractData_::name, DetectByteExtractData_::nbytes, NO_STRING_MAX_BYTES_TO_EXTRACT, DetectByteExtractData_::offset, offset, res, SC_ERR_CONFLICTING_RULE_KEYWORDS, SC_ERR_INVALID_SIGNATURE, SC_ERR_PCRE_GET_SUBSTRING, SC_ERR_PCRE_PARSE, SCFree, SCLogDebug, SCLogError, SCMalloc, SCStrdup, SIG_FLAG_APPLAYER, SigMatchAlloc(), SigMatchAppendSMToList(), SigMatchListSMBelongsTo(), STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC, STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX, STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT, SigMatch_::type, and unlikely.

Referenced by DetectEngineContentInspection().



void DetectByteExtractRegister ( void  )

Registers the keyword handlers for the "byte_extract" keyword.

Definition at line 99 of file detect-byte-extract.c.

References DETECT_BYTE_EXTRACT, DetectSetupParseRegexes(), SigTableElmt_::Free, SigTableElmt_::Match, SigTableElmt_::name, PARSE_REGEX, SigTableElmt_::RegisterTests, SigTableElmt_::Setup, and sigmatch_table.

Referenced by SigTableSetup().



SigMatch* DetectByteExtractRetrieveSMVar ( const char *  arg,
const Signature *  s 
)

Look up the SigMatch for a named byte_extract variable.

Parameters
arg: The name of the byte_extract variable to look up.
s: Pointer to the signature to look in.
Return values
A pointer to the SigMatch if found, otherwise NULL.

Definition at line 642 of file detect-byte-extract.c.

References DetectByteExtractData_::align_value, DetectByteExtractData_::base, DetectContentData_::content, DetectContentData_::content_len, SigMatch_::ctx, DetectIsdataatData_::dataat, DE_QUIET, DetectContentData_::depth, DETECT_BYTE_EXTRACT, DETECT_BYTE_EXTRACT_BASE_DEC, DETECT_BYTE_EXTRACT_BASE_HEX, DETECT_BYTE_EXTRACT_BASE_NONE, DETECT_BYTE_EXTRACT_BASE_OCT, DETECT_BYTE_EXTRACT_ENDIAN_BIG, DETECT_BYTE_EXTRACT_ENDIAN_DCE, DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT, DETECT_BYTE_EXTRACT_ENDIAN_LITTLE, DETECT_BYTE_EXTRACT_ENDIAN_NONE, DETECT_BYTE_EXTRACT_FLAG_ALIGN, DETECT_BYTE_EXTRACT_FLAG_ENDIAN, DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER, DETECT_BYTE_EXTRACT_FLAG_RELATIVE, DETECT_BYTE_EXTRACT_FLAG_STRING, DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT, DETECT_BYTEJUMP, DETECT_BYTEJUMP_OFFSET_BE, DETECT_BYTETEST, DETECT_BYTETEST_OFFSET_BE, DETECT_BYTETEST_VALUE_BE, DETECT_CONTENT, DETECT_CONTENT_DEPTH, DETECT_CONTENT_DEPTH_BE, DETECT_CONTENT_DISTANCE, DETECT_CONTENT_DISTANCE_BE, DETECT_CONTENT_DISTANCE_NEXT, DETECT_CONTENT_FAST_PATTERN, DETECT_CONTENT_NEGATED, DETECT_CONTENT_NOCASE, DETECT_CONTENT_OFFSET, DETECT_CONTENT_OFFSET_BE, DETECT_CONTENT_RAWBYTES, DETECT_CONTENT_RELATIVE_NEXT, DETECT_CONTENT_WITHIN, DETECT_CONTENT_WITHIN_BE, DETECT_CONTENT_WITHIN_NEXT, DETECT_ISDATAAT, DETECT_PCRE, DETECT_PCRE_RELATIVE_NEXT, DETECT_SM_LIST_PMATCH, DetectBufferTypeGetByName(), DetectEngineCtxFree(), DetectEngineCtxInit(), DetectContentData_::distance, DetectByteExtractData_::endian, DetectIsdataatData_::flags, DetectPcreData_::flags, DetectBytejumpData_::flags, DetectByteExtractData_::flags, DetectBytetestData_::flags, DetectContentData_::flags, DetectEngineCtx_::flags, Signature_::init_data, ISDATAAT_OFFSET_BE, ISDATAAT_RELATIVE, DetectByteExtractData_::local_id, DetectByteExtractData_::multiplier_value, DetectByteExtractData_::name, DetectByteExtractData_::nbytes, SigMatch_::next, DetectBytejumpData_::offset, DetectByteExtractData_::offset, DetectBytetestData_::offset, 
DetectContentData_::offset, DetectEngineCtx_::sig_list, SigCleanSignatures(), SigGroupCleanup(), SigInit(), SignatureInitData_::smlists, SignatureInitData_::smlists_array_size, SigMatch_::type, UtRegisterTest(), DetectBytetestData_::value, and DetectContentData_::within.

Referenced by DetectBytejumpDoMatch(), DetectBytetestDoMatch(), DetectDepthRegister(), DetectDistanceRegister(), DetectIsdataatSetup(), DetectOffsetRegister(), and DetectWithinRegister().

