suricata
Data Structures | Macros | Typedefs | Functions
detect-bytejump.h File Reference
This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Data Structures

struct  DetectBytejumpData_
 

Macros

#define DETECT_BYTEJUMP_BASE_UNSET   0
 
#define DETECT_BYTEJUMP_BASE_OCT   8
 
#define DETECT_BYTEJUMP_BASE_DEC   10
 
#define DETECT_BYTEJUMP_BASE_HEX   16
 
#define DETECT_BYTEJUMP_BEGIN   BIT_U16(0)
 
#define DETECT_BYTEJUMP_LITTLE   BIT_U16(1)
 
#define DETECT_BYTEJUMP_BIG   BIT_U16(2)
 
#define DETECT_BYTEJUMP_STRING   BIT_U16(3)
 
#define DETECT_BYTEJUMP_RELATIVE   BIT_U16(4)
 
#define DETECT_BYTEJUMP_ALIGN   BIT_U16(5)
 
#define DETECT_BYTEJUMP_DCE   BIT_U16(6)
 
#define DETECT_BYTEJUMP_OFFSET_BE   BIT_U16(7)
 
#define DETECT_BYTEJUMP_END   BIT_U16(8)
 

Typedefs

typedef struct DetectBytejumpData_ DetectBytejumpData
 

Functions

void DetectBytejumpRegister (void)
 
int DetectBytejumpDoMatch (DetectEngineThreadCtx *, const Signature *, const SigMatchCtx *, const uint8_t *, uint32_t, uint16_t, int32_t)
 Byte jump match function. More...
 

Detailed Description

Author
Brian Rectanus brect.nosp@m.anu@.nosp@m.gmail.nosp@m..com

Definition in file detect-bytejump.h.

Macro Definition Documentation

◆ DETECT_BYTEJUMP_ALIGN

#define DETECT_BYTEJUMP_ALIGN   BIT_U16(5)

"align" offset

Definition at line 40 of file detect-bytejump.h.

◆ DETECT_BYTEJUMP_BASE_DEC

#define DETECT_BYTEJUMP_BASE_DEC   10

"dec" type value string

Definition at line 31 of file detect-bytejump.h.

◆ DETECT_BYTEJUMP_BASE_HEX

#define DETECT_BYTEJUMP_BASE_HEX   16

"hex" type value string

Definition at line 32 of file detect-bytejump.h.

◆ DETECT_BYTEJUMP_BASE_OCT

#define DETECT_BYTEJUMP_BASE_OCT   8

"oct" type value string

Definition at line 30 of file detect-bytejump.h.

◆ DETECT_BYTEJUMP_BASE_UNSET

#define DETECT_BYTEJUMP_BASE_UNSET   0

Bytejump Base Unset type value string (automatic)

Definition at line 29 of file detect-bytejump.h.

◆ DETECT_BYTEJUMP_BEGIN

#define DETECT_BYTEJUMP_BEGIN   BIT_U16(0)

Bytejump Flags "from_beginning" jump

Definition at line 35 of file detect-bytejump.h.

◆ DETECT_BYTEJUMP_BIG

#define DETECT_BYTEJUMP_BIG   BIT_U16(2)

"big" endian value

Definition at line 37 of file detect-bytejump.h.

◆ DETECT_BYTEJUMP_DCE

#define DETECT_BYTEJUMP_DCE   BIT_U16(6)

"dce" enabled

Definition at line 41 of file detect-bytejump.h.

◆ DETECT_BYTEJUMP_END

#define DETECT_BYTEJUMP_END   BIT_U16(8)

"from_end" jump

Definition at line 43 of file detect-bytejump.h.

◆ DETECT_BYTEJUMP_LITTLE

#define DETECT_BYTEJUMP_LITTLE   BIT_U16(1)

"little" endian value

Definition at line 36 of file detect-bytejump.h.

◆ DETECT_BYTEJUMP_OFFSET_BE

#define DETECT_BYTEJUMP_OFFSET_BE   BIT_U16(7)

"byte extract" enabled

Definition at line 42 of file detect-bytejump.h.

◆ DETECT_BYTEJUMP_RELATIVE

#define DETECT_BYTEJUMP_RELATIVE   BIT_U16(4)

"relative" offset

Definition at line 39 of file detect-bytejump.h.

◆ DETECT_BYTEJUMP_STRING

#define DETECT_BYTEJUMP_STRING   BIT_U16(3)

"string" value

Definition at line 38 of file detect-bytejump.h.

Typedef Documentation

◆ DetectBytejumpData

typedef struct DetectBytejumpData_ DetectBytejumpData

Function Documentation

◆ DetectBytejumpDoMatch()

int DetectBytejumpDoMatch ( DetectEngineThreadCtx det_ctx,
const Signature s,
const SigMatchCtx ctx,
const uint8_t *  payload,
uint32_t  payload_len,
uint16_t  flags,
int32_t  offset 
)

Byte jump match function.

This function is used to match byte_jump

Parameters
tpointer to thread vars
det_ctxpointer to the pattern matcher thread
ppointer to the current packet
mpointer to the sigmatch that we will cast into DetectBytejumpData
Return values
-1error
0no match
1match
Todo:
The return seems backwards. We should return a non-zero error code. One of the error codes is "no match". As-is if someone accidentally does: if (DetectBytejumpMatch(...)) { match }, then they catch an error as a match.
Parameters
det_ctxthread detect engine ctx
ssignature
mbyte jump sigmatch
payloadptr to the payload
payload_lenlength of the payload
Return values
1match
0no match

Definition at line 96 of file detect-bytejump.c.

References DetectBytejumpData_::base, DetectEngineThreadCtx_::buffer_offset, BYTE_BIG_ENDIAN, BYTE_LITTLE_ENDIAN, ByteExtractStringUint64(), ByteExtractUint64(), DETECT_BYTEJUMP_ALIGN, DETECT_BYTEJUMP_BEGIN, DETECT_BYTEJUMP_END, DETECT_BYTEJUMP_LITTLE, DETECT_BYTEJUMP_RELATIVE, DETECT_BYTEJUMP_STRING, flags, len, DetectBytejumpData_::multiplier, DetectBytejumpData_::nbytes, offset, payload_len, DetectBytejumpData_::post_offset, SCEnter, SCLogDebug, SCLogDebugEnabled(), and SCReturnInt.

Here is the call graph for this function:

◆ DetectBytejumpRegister()

void DetectBytejumpRegister ( void  )

Registration function for byte_jump.

Todo:
add support for no_stream and stream_only

Definition at line 73 of file detect-bytejump.c.

References SigTableElmt_::desc, DETECT_BYTEJUMP, SigTableElmt_::Match, SigTableElmt_::name, sigmatch_table, and SigTableElmt_::url.

Referenced by SigTableSetup().

Here is the caller graph for this function: