suricata
detect-byte-extract.h
Go to the documentation of this file.
1 /* Copyright (C) 2007-2010 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  */
23 
24 #ifndef __DETECT_BYTEEXTRACT_H__
25 #define __DETECT_BYTEEXTRACT_H__
26 
27 /* flags */
28 #define DETECT_BYTE_EXTRACT_FLAG_RELATIVE 0x01
29 #define DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER 0x02
30 #define DETECT_BYTE_EXTRACT_FLAG_STRING 0x04
31 #define DETECT_BYTE_EXTRACT_FLAG_ALIGN 0x08
32 #define DETECT_BYTE_EXTRACT_FLAG_ENDIAN 0x10
33 
34 /* endian value to be used. Would be stored in DetectByteParseData->endian */
35 #define DETECT_BYTE_EXTRACT_ENDIAN_NONE 0
36 #define DETECT_BYTE_EXTRACT_ENDIAN_BIG 1
37 #define DETECT_BYTE_EXTRACT_ENDIAN_LITTLE 2
38 #define DETECT_BYTE_EXTRACT_ENDIAN_DCE 3
39 
40 /**
41  * \brief Holds data related to byte_extract keyword.
42  */
43 typedef struct DetectByteExtractData_ {
44  /* local id used by other keywords in the sig to reference this */
45  uint8_t local_id;
46 
47  uint8_t nbytes;
48  int16_t pad;
49  int32_t offset;
50  const char *name;
51  uint8_t flags;
52  uint8_t endian;
53  uint8_t base;
54  uint8_t align_value;
55 
56  uint16_t multiplier_value;
57  /* unique id used to reference this byte_extract keyword */
58  uint16_t id;
59 
61 
62 void DetectByteExtractRegister(void);
63 
64 SigMatch *DetectByteExtractRetrieveSMVar(const char *, const Signature *);
66  const uint8_t *, uint16_t, uint64_t *, uint8_t);
67 
68 #endif /* __DETECT_BYTEEXTRACT_H__ */
Data needed for Match()
Definition: detect.h:327
struct DetectByteExtractData_ DetectByteExtractData
Holds data related to byte_extract keyword.
Signature container.
Definition: detect.h:522
int DetectByteExtractDoMatch(DetectEngineThreadCtx *, const SigMatchData *, const Signature *, const uint8_t *, uint16_t, uint64_t *, uint8_t)
Holds data related to byte_extract keyword.
SigMatch * DetectByteExtractRetrieveSMVar(const char *, const Signature *)
Lookup the SigMatch for a named byte_extract variable.
void DetectByteExtractRegister(void)
Registers the keyword handlers for the "byte_extract" keyword.
a single match condition for a signature
Definition: detect.h:318