suricata
detect-bytetest.h
Go to the documentation of this file.
1 /* Copyright (C) 2007-2010 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Brian Rectanus <brectanu@gmail.com>
22  */
23 
24 #ifndef __DETECT_BYTETEST_H__
25 #define __DETECT_BYTETEST_H__
26 
27 /** Bytetest Operators */
28 #define DETECT_BYTETEST_OP_LT 1 /**< "less than" operator */
29 #define DETECT_BYTETEST_OP_GT 2 /**< "greater than" operator */
30 #define DETECT_BYTETEST_OP_EQ 3 /**< "equals" operator */
31 #define DETECT_BYTETEST_OP_AND 4 /**< "bitwise and" operator */
32 #define DETECT_BYTETEST_OP_OR 5 /**< "bitwise or" operator */
33 #define DETECT_BYTETEST_OP_GE 6 /**< greater than equal operator */
34 #define DETECT_BYTETEST_OP_LE 7 /**< less than equal operator */
35 
36 /** Bytetest Base */
37 #define DETECT_BYTETEST_BASE_UNSET 0 /**< Unset type value string (automatic)*/
38 #define DETECT_BYTETEST_BASE_OCT 8 /**< "oct" type value string */
39 #define DETECT_BYTETEST_BASE_DEC 10 /**< "dec" type value string */
40 #define DETECT_BYTETEST_BASE_HEX 16 /**< "hex" type value string */
41 
42 /** Bytetest Flags */
43 #define DETECT_BYTETEST_NEGOP 0x01 /**< "!" negated operator */
44 #define DETECT_BYTETEST_LITTLE 0x02 /**< "little" endian value */
45 #define DETECT_BYTETEST_BIG 0x04 /**< "bi" endian value */
46 #define DETECT_BYTETEST_STRING 0x08 /**< "string" value */
47 #define DETECT_BYTETEST_RELATIVE 0x10 /**< "relative" offset */
48 #define DETECT_BYTETEST_DCE 0x20 /**< dce enabled */
49 #define DETECT_BYTETEST_VALUE_BE 0x40 /**< byte extract value enabled */
50 #define DETECT_BYTETEST_OFFSET_BE 0x80 /**< byte extract value enabled */
51 
52 typedef struct DetectBytetestData_ {
53  uint8_t nbytes; /**< Number of bytes to compare */
54  uint8_t op; /**< Operator used to compare */
55  uint8_t base; /**< String value base (oct|dec|hex) */
56  uint8_t flags; /**< Flags (big|little|relative|string) */
57  int32_t offset; /**< Offset in payload */
58  uint64_t value; /**< Value to compare against */
60 
61 /* prototypes */
62 
63 /**
64  * Registration function for byte_test.
65  *
66  * \todo add support for no_stream and stream_only
67  */
68 void DetectBytetestRegister (void);
69 
71  const SigMatchCtx *ctx, const uint8_t *, uint32_t,
72  uint8_t, int32_t, uint64_t);
73 
74 #endif /* __DETECT_BYTETEST_H__ */
int DetectBytetestDoMatch(DetectEngineThreadCtx *, const Signature *, const SigMatchCtx *ctx, const uint8_t *, uint32_t, uint8_t, int32_t, uint64_t)
Bytetest detection code.
Signature container.
Definition: detect.h:522
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:313
struct DetectBytetestData_ DetectBytetestData
void DetectBytetestRegister(void)