#include "suricata-common.h"
#include "decode.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-buffer.h"
#include "app-layer.h"
#include "detect-byte.h"
#include "detect-byte-extract.h"
#include "detect-bytejump.h"
#include "detect-content.h"
#include "detect-uricontent.h"
#include "util-byte.h"
#include "util-unittest.h"
#include "util-debug.h"
#include "util-validate.h"
#include "detect-pcre.h"
#include "detect-engine-build.h"
#include "util-unittest-helper.h"

Include dependency graph for detect-bytejump.c:

Macros
#define	PARSE_REGEX
	Regex for parsing our options. More...

Functions
void	DetectBytejumpRegister (void)

bool	DetectBytejumpDoMatch (DetectEngineThreadCtx det_ctx, const Signature s, const SigMatchCtx ctx, const uint8_t payload, uint32_t payload_len, uint16_t flags, int32_t nbytes, int32_t offset)
	Byte jump match function. More...

Detailed Description

Author: Brian Rectanus brect.nosp@m.anu@.nosp@m.gmail.nosp@m..com

Implements byte_jump keyword.

Definition in file detect-bytejump.c.

Macro Definition Documentation

◆ PARSE_REGEX

#define PARSE_REGEX

Value:

                     "^\\s*" \
                     "([^\\s,]+\\s*,\\s*[^\\s,]+)" \
                     "(?:\\s*,\\s*((?:multiplier|post_offset)\\s+[^\\s,]+|[^\\s,]+))?" \
                     "(?:\\s*,\\s*((?:multiplier|post_offset)\\s+[^\\s,]+|[^\\s,]+))?" \
                     "(?:\\s*,\\s*((?:multiplier|post_offset)\\s+[^\\s,]+|[^\\s,]+))?" \
                     "(?:\\s*,\\s*((?:multiplier|post_offset)\\s+[^\\s,]+|[^\\s,]+))?" \
                     "(?:\\s*,\\s*((?:multiplier|post_offset)\\s+[^\\s,]+|[^\\s,]+))?" \
                     "(?:\\s*,\\s*((?:multiplier|post_offset)\\s+[^\\s,]+|[^\\s,]+))?" \
                     "(?:\\s*,\\s*((?:multiplier|post_offset)\\s+[^\\s,]+|[^\\s,]+))?" \
                     "(?:\\s*,\\s*((?:multiplier|post_offset)\\s+[^\\s,]+|[^\\s,]+))?" \
                     "(?:\\s*,\\s*((?:multiplier|post_offset)\\s+[^\\s,]+|[^\\s,]+))?" \
                     "\\s*$"

Regex for parsing our options.

Definition at line 51 of file detect-bytejump.c.

Function Documentation

◆ DetectBytejumpDoMatch()

bool DetectBytejumpDoMatch	(	DetectEngineThreadCtx *	det_ctx,
		const Signature *	s,
		const SigMatchCtx *	ctx,
		const uint8_t *	payload,
		uint32_t	payload_len,
		uint16_t	flags,
		int32_t	nbytes,
		int32_t	offset
	)

Byte jump match function.

Parameters

det_ctx	thread detect engine ctx
s	signature
m	byte jump sigmatch
payload	ptr to the payload
payload_len	length of the payload

Return values

true	match
false	no match

Definition at line 137 of file detect-bytejump.c.

References ctx, DETECT_BYTEJUMP_NBYTES_VAR, DetectBytejumpData_::flags, len, payload_len, SCEnter, and SCReturnBool.

◆ DetectBytejumpRegister()

void DetectBytejumpRegister ( void )

Registration function for byte_jump.

Todo:: add support for no_stream and stream_only

Definition at line 73 of file detect-bytejump.c.

References SigTableElmt_::desc, DETECT_BYTEJUMP, SigTableElmt_::Match, SigTableElmt_::name, SigTableElmt_::Setup, sigmatch_table, and SigTableElmt_::url.

Referenced by SigTableSetup().

Here is the caller graph for this function: