suricata
Macros | Functions
detect-bytetest.c File Reference
#include "suricata-common.h"
#include "decode.h"
#include "detect.h"
#include "detect-engine.h"
#include "detect-parse.h"
#include "detect-engine-build.h"
#include "detect-content.h"
#include "detect-uricontent.h"
#include "detect-byte.h"
#include "detect-bytetest.h"
#include "detect-bytejump.h"
#include "detect-byte-extract.h"
#include "app-layer.h"
#include "util-byte.h"
#include "util-unittest.h"
#include "util-debug.h"
#include "detect-pcre.h"
#include "util-unittest-helper.h"
#include "app-layer-parser.h"
#include "flow-util.h"
Include dependency graph for detect-bytetest.c:

Go to the source code of this file.

Macros

#define VALID_KW   "relative|big|little|string|oct|dec|hex|dce|bitmask"
 Regex for parsing our options. More...
 
#define PARSE_REGEX
 

Functions

void DetectBytetestRegister (void)
 
int DetectBytetestDoMatch (DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchCtx *ctx, const uint8_t *payload, uint32_t payload_len, uint8_t flags, int32_t offset, uint64_t value)
 Bytetest detection code. More...
 

Detailed Description

Author
Brian Rectanus brect.nosp@m.anu@.nosp@m.gmail.nosp@m..com
Jeff Lucovsky jeff@.nosp@m.luco.nosp@m.vsky..nosp@m.org

Implements byte_test keyword.

Definition in file detect-bytetest.c.

Macro Definition Documentation

◆ PARSE_REGEX

#define PARSE_REGEX
Value:
"^\\s*" \
"([^\\s,]+)\\s*,\\s*" \
"(\\!?\\s*[^\\s,]*)" \
"\\s*,\\s*([^\\s,]+\\s*,\\s*[^\\s,]+)" \
"(?:\\s*,\\s*((?:"VALID_KW")\\s+[^\\s,]+|["VALID_KW"]+))?" \
"(?:\\s*,\\s*((?:"VALID_KW")\\s+[^\\s,]+|["VALID_KW"]+))?" \
"(?:\\s*,\\s*((?:"VALID_KW")\\s+[^\\s,]+|["VALID_KW"]+))?" \
"(?:\\s*,\\s*((?:"VALID_KW")\\s+[^\\s,]+|["VALID_KW"]+))?" \
"(?:\\s*,\\s*((?:"VALID_KW")\\s+[^\\s,]+|["VALID_KW"]+))?" \
"(?:\\s*,\\s*((?:"VALID_KW")\\s+[^\\s,]+|["VALID_KW"]+))?" \
"\\s*$"

Definition at line 58 of file detect-bytetest.c.

◆ VALID_KW

#define VALID_KW   "relative|big|little|string|oct|dec|hex|dce|bitmask"

Regex for parsing our options.

Todo:
We probably just need a simple tokenizer here

Definition at line 57 of file detect-bytetest.c.

Function Documentation

◆ DetectBytetestDoMatch()

int DetectBytetestDoMatch ( DetectEngineThreadCtx det_ctx,
const Signature s,
const SigMatchCtx ctx,
const uint8_t *  payload,
uint32_t  payload_len,
uint8_t  flags,
int32_t  offset,
uint64_t  value 
)

Bytetest detection code.

Byte test works on the packet payload.

Parameters
det_ctxthread de ctx
ssignature
msigmatch for this bytettest
payloadptr to the start of the buffer to inspect
payload_lenlength of the payload
Return values
1match
0no match

Definition at line 105 of file detect-bytetest.c.

References DetectBytetestData_::base, DetectBytetestData_::bitmask, DetectBytetestData_::bitmask_shift_count, DetectEngineThreadCtx_::buffer_offset, BYTE_BIG_ENDIAN, BYTE_LITTLE_ENDIAN, ByteExtractStringUint64(), ByteExtractUint64(), DETECT_BYTETEST_BITMASK, DETECT_BYTETEST_LITTLE, DETECT_BYTETEST_OP_AND, DETECT_BYTETEST_OP_EQ, DETECT_BYTETEST_OP_GE, DETECT_BYTETEST_OP_GT, DETECT_BYTETEST_OP_LE, DETECT_BYTETEST_OP_LT, DETECT_BYTETEST_OP_OR, DETECT_BYTETEST_RELATIVE, DETECT_BYTETEST_STRING, flags, len, DetectBytetestData_::nbytes, DetectBytetestData_::neg_op, offset, DetectBytetestData_::offset, DetectBytetestData_::op, payload_len, SCEnter, SCLogDebug, SCReturnInt, and DetectBytetestData_::value.

Here is the call graph for this function:

◆ DetectBytetestRegister()

void DetectBytetestRegister ( void  )

Registration function for byte_test.

Todo:
add support for no_stream and stream_only

Definition at line 79 of file detect-bytetest.c.

References SigTableElmt_::desc, DETECT_BYTETEST, SigTableElmt_::Match, SigTableElmt_::name, sigmatch_table, and SigTableElmt_::url.

Referenced by SigTableSetup().

Here is the caller graph for this function:
VALID_KW
#define VALID_KW
Regex for parsing our options.
Definition: detect-bytetest.c:56