suricata
detect-byte-extract.h File Reference
This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Data Structures

struct  DetectByteExtractData_
 Holds data related to byte_extract keyword. More...
 

Macros

#define DETECT_BYTE_EXTRACT_FLAG_RELATIVE   0x01
 
#define DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER   0x02
 
#define DETECT_BYTE_EXTRACT_FLAG_STRING   0x04
 
#define DETECT_BYTE_EXTRACT_FLAG_ALIGN   0x08
 
#define DETECT_BYTE_EXTRACT_FLAG_ENDIAN   0x10
 
#define DETECT_BYTE_EXTRACT_ENDIAN_NONE   0
 
#define DETECT_BYTE_EXTRACT_ENDIAN_BIG   1
 
#define DETECT_BYTE_EXTRACT_ENDIAN_LITTLE   2
 
#define DETECT_BYTE_EXTRACT_ENDIAN_DCE   3
 

Typedefs

typedef struct DetectByteExtractData_ DetectByteExtractData
 Holds data related to byte_extract keyword. More...
 

Functions

void DetectByteExtractRegister (void)
 Registers the keyword handlers for the "byte_extract" keyword. More...
 
SigMatchDetectByteExtractRetrieveSMVar (const char *, const Signature *)
 Lookup the SigMatch for a named byte_extract variable. More...
 
int DetectByteExtractDoMatch (DetectEngineThreadCtx *, const SigMatchData *, const Signature *, const uint8_t *, uint16_t, uint64_t *, uint8_t)
 

Detailed Description

Macro Definition Documentation

#define DETECT_BYTE_EXTRACT_ENDIAN_BIG   1
#define DETECT_BYTE_EXTRACT_ENDIAN_DCE   3
#define DETECT_BYTE_EXTRACT_ENDIAN_LITTLE   2
#define DETECT_BYTE_EXTRACT_ENDIAN_NONE   0
#define DETECT_BYTE_EXTRACT_FLAG_ALIGN   0x08
#define DETECT_BYTE_EXTRACT_FLAG_ENDIAN   0x10
#define DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER   0x02
#define DETECT_BYTE_EXTRACT_FLAG_RELATIVE   0x01
#define DETECT_BYTE_EXTRACT_FLAG_STRING   0x04

Typedef Documentation

Holds data related to byte_extract keyword.

Function Documentation

int DetectByteExtractDoMatch ( DetectEngineThreadCtx ,
const SigMatchData ,
const Signature ,
const uint8_t *  ,
uint16_t  ,
uint64_t *  ,
uint8_t   
)

Definition at line 112 of file detect-byte-extract.c.

References DetectByteExtractData_::align_value, ALPROTO_DCERPC, DetectByteExtractData_::base, DetectEngineThreadCtx_::buffer_offset, BYTE_BIG_ENDIAN, DetectEngineCtx_::byte_extract_max_local_id, BYTE_LITTLE_ENDIAN, ByteExtractStringUint64(), ByteExtractUint64(), SigMatch_::ctx, SigMatchData_::ctx, DETECT_BYTE_EXTRACT, DETECT_BYTE_EXTRACT_BASE_DEC, DETECT_BYTE_EXTRACT_BASE_HEX, DETECT_BYTE_EXTRACT_BASE_NONE, DETECT_BYTE_EXTRACT_BASE_OCT, DETECT_BYTE_EXTRACT_ENDIAN_BIG, DETECT_BYTE_EXTRACT_ENDIAN_DCE, DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT, DETECT_BYTE_EXTRACT_ENDIAN_LITTLE, DETECT_BYTE_EXTRACT_ENDIAN_NONE, DETECT_BYTE_EXTRACT_FLAG_ALIGN, DETECT_BYTE_EXTRACT_FLAG_ENDIAN, DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER, DETECT_BYTE_EXTRACT_FLAG_RELATIVE, DETECT_BYTE_EXTRACT_FLAG_STRING, DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT, DETECT_BYTE_EXTRACT_MULTIPLIER_MAX_LIMIT, DETECT_BYTE_EXTRACT_MULTIPLIER_MIN_LIMIT, DETECT_BYTEJUMP, DETECT_BYTETEST, DETECT_CONTENT, DETECT_CONTENT_RELATIVE_NEXT, DETECT_ISDATAAT, DETECT_PCRE, DETECT_PCRE_RELATIVE_NEXT, DETECT_SM_LIST_NOTSET, DETECT_SM_LIST_PMATCH, DetectGetLastSMByListId(), DetectGetLastSMFromLists(), DetectSignatureSetAppProto(), DetectByteExtractData_::endian, DetectPcreData_::flags, DetectByteExtractData_::flags, DetectContentData_::flags, Signature_::flags, Signature_::init_data, len, SignatureInitData_::list, DetectByteExtractData_::local_id, MAX_SUBSTRINGS, DetectByteExtractData_::multiplier_value, DetectByteExtractData_::name, DetectByteExtractData_::nbytes, NO_STRING_MAX_BYTES_TO_EXTRACT, DetectByteExtractData_::offset, offset, res, SC_ERR_CONFLICTING_RULE_KEYWORDS, SC_ERR_INVALID_SIGNATURE, SC_ERR_PCRE_GET_SUBSTRING, SC_ERR_PCRE_PARSE, SCFree, SCLogDebug, SCLogError, SCMalloc, SCStrdup, SIG_FLAG_APPLAYER, SigMatchAlloc(), SigMatchAppendSMToList(), SigMatchListSMBelongsTo(), STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC, STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX, STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT, SigMatch_::type, and unlikely.

Referenced by DetectEngineContentInspection().

Here is the call graph for this function:

Here is the caller graph for this function:

void DetectByteExtractRegister ( void  )

Registers the keyword handlers for the "byte_extract" keyword.

Definition at line 99 of file detect-byte-extract.c.

References SigTableElmt_::desc, DETECT_BYTE_EXTRACT, DetectSetupParseRegexes(), DOC_URL, DOC_VERSION, SigTableElmt_::Free, SigTableElmt_::Match, SigTableElmt_::name, PARSE_REGEX, SigTableElmt_::RegisterTests, SigTableElmt_::Setup, sigmatch_table, and SigTableElmt_::url.

Referenced by SigTableSetup().

Here is the call graph for this function:

Here is the caller graph for this function:

SigMatch* DetectByteExtractRetrieveSMVar ( const char *  arg,
const Signature s 
)

Lookup the SigMatch for a named byte_extract variable.

Parameters
argThe name of the byte_extract variable to lookup.
sPointer the signature to look in.
Return values
Apointer to the SigMatch if found, otherwise NULL.

Definition at line 645 of file detect-byte-extract.c.

References DetectByteExtractData_::align_value, DetectByteExtractData_::base, DetectContentData_::content, DetectContentData_::content_len, SigMatch_::ctx, DetectIsdataatData_::dataat, DE_QUIET, DetectContentData_::depth, DETECT_BYTE_EXTRACT, DETECT_BYTE_EXTRACT_BASE_DEC, DETECT_BYTE_EXTRACT_BASE_HEX, DETECT_BYTE_EXTRACT_BASE_NONE, DETECT_BYTE_EXTRACT_BASE_OCT, DETECT_BYTE_EXTRACT_ENDIAN_BIG, DETECT_BYTE_EXTRACT_ENDIAN_DCE, DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT, DETECT_BYTE_EXTRACT_ENDIAN_LITTLE, DETECT_BYTE_EXTRACT_ENDIAN_NONE, DETECT_BYTE_EXTRACT_FLAG_ALIGN, DETECT_BYTE_EXTRACT_FLAG_ENDIAN, DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER, DETECT_BYTE_EXTRACT_FLAG_RELATIVE, DETECT_BYTE_EXTRACT_FLAG_STRING, DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT, DETECT_BYTEJUMP, DETECT_BYTEJUMP_OFFSET_BE, DETECT_BYTETEST, DETECT_BYTETEST_OFFSET_BE, DETECT_BYTETEST_VALUE_BE, DETECT_CONTENT, DETECT_CONTENT_DEPTH, DETECT_CONTENT_DEPTH_BE, DETECT_CONTENT_DISTANCE, DETECT_CONTENT_DISTANCE_BE, DETECT_CONTENT_DISTANCE_NEXT, DETECT_CONTENT_FAST_PATTERN, DETECT_CONTENT_NEGATED, DETECT_CONTENT_NOCASE, DETECT_CONTENT_OFFSET, DETECT_CONTENT_OFFSET_BE, DETECT_CONTENT_RAWBYTES, DETECT_CONTENT_RELATIVE_NEXT, DETECT_CONTENT_WITHIN, DETECT_CONTENT_WITHIN_BE, DETECT_CONTENT_WITHIN_NEXT, DETECT_ISDATAAT, DETECT_PCRE, DETECT_PCRE_RELATIVE_NEXT, DETECT_SM_LIST_PMATCH, DetectBufferTypeGetByName(), DetectEngineCtxFree(), DetectEngineCtxInit(), DetectContentData_::distance, DetectByteExtractData_::endian, DetectIsdataatData_::flags, DetectPcreData_::flags, DetectBytejumpData_::flags, DetectByteExtractData_::flags, DetectBytetestData_::flags, DetectContentData_::flags, DetectEngineCtx_::flags, Signature_::init_data, ISDATAAT_OFFSET_BE, ISDATAAT_RELATIVE, DetectByteExtractData_::local_id, DetectByteExtractData_::multiplier_value, DetectByteExtractData_::name, DetectByteExtractData_::nbytes, SigMatch_::next, DetectBytejumpData_::offset, DetectByteExtractData_::offset, DetectBytetestData_::offset, DetectContentData_::offset, DetectEngineCtx_::sig_list, SigCleanSignatures(), SigGroupCleanup(), SigInit(), SignatureInitData_::smlists, SignatureInitData_::smlists_array_size, SigMatch_::type, UtRegisterTest(), DetectBytetestData_::value, and DetectContentData_::within.

Referenced by DetectBytejumpDoMatch(), DetectBytetestDoMatch(), DetectDepthRegister(), DetectDistanceRegister(), DetectIsdataatSetup(), DetectOffsetRegister(), and DetectWithinRegister().

Here is the call graph for this function:

Here is the caller graph for this function: