suricata
detect-bytetest.h File Reference

Data Structures

struct  DetectBytetestData_
 

Macros

#define DETECT_BYTETEST_OP_LT   1
 
#define DETECT_BYTETEST_OP_GT   2
 
#define DETECT_BYTETEST_OP_EQ   3
 
#define DETECT_BYTETEST_OP_AND   4
 
#define DETECT_BYTETEST_OP_OR   5
 
#define DETECT_BYTETEST_OP_GE   6
 
#define DETECT_BYTETEST_OP_LE   7
 
#define DETECT_BYTETEST_BASE_UNSET   0
 
#define DETECT_BYTETEST_BASE_OCT   8
 
#define DETECT_BYTETEST_BASE_DEC   10
 
#define DETECT_BYTETEST_BASE_HEX   16
 
#define DETECT_BYTETEST_NEGOP   0x01
 
#define DETECT_BYTETEST_LITTLE   0x02
 
#define DETECT_BYTETEST_BIG   0x04
 
#define DETECT_BYTETEST_STRING   0x08
 
#define DETECT_BYTETEST_RELATIVE   0x10
 
#define DETECT_BYTETEST_DCE   0x20
 
#define DETECT_BYTETEST_VALUE_BE   0x40
 
#define DETECT_BYTETEST_OFFSET_BE   0x80
 

Typedefs

typedef struct DetectBytetestData_ DetectBytetestData
 

Functions

void DetectBytetestRegister (void)
 
int DetectBytetestDoMatch (DetectEngineThreadCtx *, const Signature *, const SigMatchCtx *ctx, uint8_t *, uint32_t, uint8_t, int32_t, uint64_t)
 Bytetest detection code.
 

Detailed Description

Author
Brian Rectanus (brectanus@gmail.com)

Definition in file detect-bytetest.h.

Macro Definition Documentation

#define DETECT_BYTETEST_BASE_DEC   10

"dec" type value string

Definition at line 39 of file detect-bytetest.h.

Referenced by DetectBytetestDoMatch().

#define DETECT_BYTETEST_BASE_HEX   16

"hex" type value string

Definition at line 40 of file detect-bytetest.h.

Referenced by DetectBytetestDoMatch().

#define DETECT_BYTETEST_BASE_OCT   8

"oct" type value string

Definition at line 38 of file detect-bytetest.h.

Referenced by DetectBytetestDoMatch().

#define DETECT_BYTETEST_BASE_UNSET   0

base unset (determined automatically)

Definition at line 37 of file detect-bytetest.h.

Referenced by DetectBytetestDoMatch().

#define DETECT_BYTETEST_BIG   0x04

"big" endian value

Definition at line 45 of file detect-bytetest.h.

Referenced by DetectBytetestDoMatch().

#define DETECT_BYTETEST_DCE   0x20

dce enabled

Definition at line 48 of file detect-bytetest.h.

Referenced by DetectBytetestDoMatch(), and DetectEngineContentInspection().

#define DETECT_BYTETEST_LITTLE   0x02

"little" endian value

Definition at line 44 of file detect-bytetest.h.

Referenced by DetectBytetestDoMatch(), and DetectEngineContentInspection().

#define DETECT_BYTETEST_NEGOP   0x01

"!" negated operator

Definition at line 43 of file detect-bytetest.h.

Referenced by DetectBytetestDoMatch().

#define DETECT_BYTETEST_OFFSET_BE   0x80

byte extract offset enabled

Definition at line 50 of file detect-bytetest.h.

Referenced by DetectByteExtractRetrieveSMVar(), DetectBytetestDoMatch(), and DetectEngineContentInspection().

#define DETECT_BYTETEST_OP_AND   4

"bitwise and" operator

Definition at line 31 of file detect-bytetest.h.

Referenced by DetectBytetestDoMatch().

#define DETECT_BYTETEST_OP_EQ   3

"equals" operator

Definition at line 30 of file detect-bytetest.h.

Referenced by DetectBytetestDoMatch().

#define DETECT_BYTETEST_OP_GE   6

"greater than or equal" operator

Definition at line 33 of file detect-bytetest.h.

Referenced by DetectBytetestDoMatch().

#define DETECT_BYTETEST_OP_GT   2

"greater than" operator

Definition at line 29 of file detect-bytetest.h.

Referenced by DetectBytetestDoMatch().

#define DETECT_BYTETEST_OP_LE   7

"less than or equal" operator

Definition at line 34 of file detect-bytetest.h.

Referenced by DetectBytetestDoMatch().

#define DETECT_BYTETEST_OP_LT   1

"less than" operator

Definition at line 28 of file detect-bytetest.h.

Referenced by DetectBytetestDoMatch().

#define DETECT_BYTETEST_OP_OR   5

"bitwise or" operator

Definition at line 32 of file detect-bytetest.h.

Referenced by DetectBytetestDoMatch().

#define DETECT_BYTETEST_RELATIVE   0x10

"relative" offset

Definition at line 47 of file detect-bytetest.h.

Referenced by DetectBytetestDoMatch().

#define DETECT_BYTETEST_STRING   0x08

"string" value

Definition at line 46 of file detect-bytetest.h.

Referenced by DetectBytetestDoMatch().

#define DETECT_BYTETEST_VALUE_BE   0x40

byte extract value enabled

Definition at line 49 of file detect-bytetest.h.

Referenced by DetectByteExtractRetrieveSMVar(), DetectBytetestDoMatch(), and DetectEngineContentInspection().

Typedef Documentation

Function Documentation

int DetectBytetestDoMatch (DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchCtx *ctx, uint8_t *payload, uint32_t payload_len, uint8_t flags, int32_t offset, uint64_t value)

Bytetest detection code.

Byte test works on the packet payload.

Parameters
det_ctx      detection engine thread ctx
s            signature
m            sigmatch for this bytetest
payload      ptr to the start of the buffer to inspect
payload_len  length of the payload
Return values
1            match
0            no match

Definition at line 94 of file detect-bytetest.c.

References Signature_::alproto, ALPROTO_DCERPC, DetectBytetestData_::base, DetectEngineThreadCtx_::buffer_offset, BYTE_BIG_ENDIAN, BYTE_LITTLE_ENDIAN, ByteExtractStringInt32(), ByteExtractStringUint32(), ByteExtractStringUint64(), ByteExtractUint64(), SigMatch_::ctx, DE_QUIET, DETECT_BYTE_EXTRACT, DETECT_BYTEJUMP, DETECT_BYTETEST, DETECT_BYTETEST_BASE_DEC, DETECT_BYTETEST_BASE_HEX, DETECT_BYTETEST_BASE_OCT, DETECT_BYTETEST_BASE_UNSET, DETECT_BYTETEST_BIG, DETECT_BYTETEST_DCE, DETECT_BYTETEST_LITTLE, DETECT_BYTETEST_NEGOP, DETECT_BYTETEST_OFFSET_BE, DETECT_BYTETEST_OP_AND, DETECT_BYTETEST_OP_EQ, DETECT_BYTETEST_OP_GE, DETECT_BYTETEST_OP_GT, DETECT_BYTETEST_OP_LE, DETECT_BYTETEST_OP_LT, DETECT_BYTETEST_OP_OR, DETECT_BYTETEST_RELATIVE, DETECT_BYTETEST_STRING, DETECT_BYTETEST_VALUE_BE, DETECT_CONTENT, DETECT_CONTENT_RELATIVE_NEXT, DETECT_ISDATAAT, DETECT_PCRE, DETECT_PCRE_RELATIVE_NEXT, DETECT_SM_LIST_NOTSET, DETECT_SM_LIST_PMATCH, DetectBufferGetActiveList(), DetectBufferTypeGetByName(), DetectByteExtractRetrieveSMVar(), DetectBytetestDoMatch(), DetectEngineCtxFree(), DetectEngineCtxInit(), DetectGetLastSMFromLists(), DetectSignatureSetAppProto(), DetectPcreData_::flags, DetectBytetestData_::flags, DetectContentData_::flags, DetectEngineCtx_::flags, Signature_::init_data, len, SignatureInitData_::list, MAX_SUBSTRINGS, DetectBytetestData_::nbytes, Signature_::next, DetectBytetestData_::offset, offset, DetectBytetestData_::op, Packet_::payload, Packet_::payload_len, res, SC_ERR_CONFLICTING_RULE_KEYWORDS, SC_ERR_INVALID_ARGUMENT, SC_ERR_INVALID_OPERATOR, SC_ERR_INVALID_SIGNATURE, SC_ERR_INVALID_VALUE, SC_ERR_PCRE_GET_SUBSTRING, SC_ERR_PCRE_PARSE, SC_ERR_UNKNOWN_VALUE, SCEnter, SCFree, SCLogDebug, SCLogError, SCMalloc, SCReturnInt, SCStrdup, DetectEngineCtx_::sig_list, SigAlloc(), SigCleanSignatures(), SigFree(), SigGroupCleanup(), SigInit(), SigMatchAlloc(), SigMatchAppendSMToList(), SigMatchListSMBelongsTo(), SigMatch_::type, unlikely, UTHBuildPacket(), UTHFreePacket(), UTHPacketMatchSig(), UtRegisterTest(), and DetectBytetestData_::value.

Referenced by DetectBytetestDoMatch(), and DetectEngineContentInspection().
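
The operator and flag macros of this header are what DetectBytetestDoMatch() combines: read nbytes at an offset in the chosen endianness, compare against value with the operator, then apply the "!" negation. The following stand-alone C is an added example, not Suricata's code; bytetest_match() is a hypothetical helper that uses the macro values from this header, with the literal "bitwise or" semantics and the bounds handling being this example's own assumptions.

```c
#include <stdint.h>

/* Operator and flag values as defined in detect-bytetest.h. */
#define DETECT_BYTETEST_OP_LT  1
#define DETECT_BYTETEST_OP_GT  2
#define DETECT_BYTETEST_OP_EQ  3
#define DETECT_BYTETEST_OP_AND 4
#define DETECT_BYTETEST_OP_OR  5
#define DETECT_BYTETEST_OP_GE  6
#define DETECT_BYTETEST_OP_LE  7
#define DETECT_BYTETEST_NEGOP  0x01
#define DETECT_BYTETEST_LITTLE 0x02

/* Hypothetical helper (not Suricata's DetectBytetestDoMatch): read nbytes of
 * the payload at offset, compare the integer to value with op, and honour the
 * NEGOP flag. Returns 1 on match, 0 on no match; any read that would leave the
 * payload is reported as no match rather than performed out of bounds. */
int bytetest_match(const uint8_t *payload, uint32_t payload_len,
                   uint8_t nbytes, int32_t offset, uint8_t op,
                   uint8_t flags, uint64_t value)
{
    if (nbytes == 0 || nbytes > 8)
        return 0;
    /* Bounds check before touching the buffer: negative offset or end past payload. */
    if (offset < 0 || (uint64_t)offset + nbytes > payload_len)
        return 0;
    const uint8_t *p = payload + offset;
    uint64_t extracted = 0;
    for (uint8_t i = 0; i < nbytes; i++) {
        if (flags & DETECT_BYTETEST_LITTLE)
            extracted |= (uint64_t)p[i] << (8 * i); /* little endian: LSB first */
        else
            extracted = (extracted << 8) | p[i];     /* big endian (default) */
    }
    int match = 0;
    switch (op) {
        case DETECT_BYTETEST_OP_LT:  match = extracted < value;  break;
        case DETECT_BYTETEST_OP_GT:  match = extracted > value;  break;
        case DETECT_BYTETEST_OP_EQ:  match = extracted == value; break;
        case DETECT_BYTETEST_OP_GE:  match = extracted >= value; break;
        case DETECT_BYTETEST_OP_LE:  match = extracted <= value; break;
        case DETECT_BYTETEST_OP_AND: match = (extracted & value) != 0; break;
        /* Assumption: "bitwise or" taken literally, as this page describes it. */
        case DETECT_BYTETEST_OP_OR:  match = (extracted | value) != 0; break;
        default: return 0; /* unknown operator: treat as no match */
    }
    return (flags & DETECT_BYTETEST_NEGOP) ? !match : match;
}
```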

void DetectBytetestRegister (void)

Registration function for byte_test.

Todo:
add support for no_stream and stream_only

Definition at line 71 of file detect-bytetest.c.

References DETECT_BYTETEST, DetectSetupParseRegexes(), SigTableElmt_::Free, SigTableElmt_::Match, SigTableElmt_::name, PARSE_REGEX, SigTableElmt_::RegisterTests, SigTableElmt_::Setup, and sigmatch_table.

Referenced by SigTableSetup().
