detect-content.c File Reference
#include "suricata-common.h"
#include "decode.h"
#include "detect.h"
#include "detect-content.h"
#include "detect-uricontent.h"
#include "detect-engine-mpm.h"
#include "detect-engine.h"
#include "detect-engine-build.h"
#include "detect-engine-state.h"
#include "detect-parse.h"
#include "detect-pcre.h"
#include "util-mpm.h"
#include "flow.h"
#include "flow-util.h"
#include "flow-var.h"
#include "detect-flow.h"
#include "app-layer.h"
#include "util-unittest.h"
#include "util-print.h"
#include "util-debug.h"
#include "util-spm.h"
#include "threads.h"
#include "util-unittest-helper.h"
#include "pkt-var.h"
#include "host.h"
#include "util-profiling.h"
#include "detect-dsize.h"
#include "detect-engine-alert.h"
#include "packet.h"
Include dependency graph for detect-content.c:

Go to the source code of this file.


#define VALIDATE(e)
#define TEST_RUN(sig, o, d)
#define TEST_DONE   PASS


void DetectContentRegister (void)
int DetectContentDataParse (const char *keyword, const char *contentstr, uint8_t **pstr, uint16_t *plen)
 Parse a content string, ie "abc|DE|fgh". More...
DetectContentDataDetectContentParse (SpmGlobalThreadCtx *spm_global_thread_ctx, const char *contentstr)
 DetectContentParse \initonly. More...
DetectContentDataDetectContentParseEncloseQuotes (SpmGlobalThreadCtx *spm_global_thread_ctx, const char *contentstr)
void DetectContentPrint (DetectContentData *cd)
 Helper function to print a DetectContentData. More...
int DetectContentSetup (DetectEngineCtx *de_ctx, Signature *s, const char *contentstr)
 Function to setup a content pattern. More...
void DetectContentFree (DetectEngineCtx *de_ctx, void *ptr)
 this function will SCFree memory associated with DetectContentData More...
void SigParseRequiredContentSize (const Signature *s, const int max_size, const SigMatch *sm, int *len, int *offset)
 Determine the size needed to accommodate the content elements of a signature. More...
bool DetectContentPMATCHValidateCallback (const Signature *s)
void DetectContentPropagateLimits (Signature *s)
void DetectContentPatternPrettyPrint (const DetectContentData *cd, char *str, size_t str_len)
int DetectContentConvertToNocase (DetectEngineCtx *de_ctx, DetectContentData *cd)

Detailed Description

Victor Julien

Simple content match part of the detection engine.

Definition in file detect-content.c.

Macro Definition Documentation


#define TEST_DONE   PASS

Definition at line 832 of file detect-content.c.


#define TEST_RUN (   sig,
{ \
SCLogDebug("TEST_RUN start: '%s'", (sig)); \
DetectEngineCtx *de_ctx = DetectEngineCtxInit(); \
FAIL_IF_NULL(de_ctx); \
de_ctx->flags |= DE_QUIET; \
char rule[2048]; \
snprintf(rule, sizeof(rule), "alert tcp any any -> any any (%s sid:1; rev:1;)", (sig)); \
Signature *s = DetectEngineAppendSig(de_ctx, rule); \
SigPrepareStage1(de_ctx); \
bool res = TestLastContent(s, (o), (d)); \
FAIL_IF(res == false); \
DetectEngineCtxFree(de_ctx); \

Definition at line 816 of file detect-content.c.


#define VALIDATE (   e)
if (!(e)) { \
return; \

Function Documentation

◆ DetectContentConvertToNocase()

◆ DetectContentDataParse()

int DetectContentDataParse ( const char *  keyword,
const char *  contentstr,
uint8_t **  pstr,
uint16_t *  plen 

Parse a content string, ie "abc|DE|fgh".

content_strnull terminated string containing the content
resultresult pointer to pass the fully parsed byte array
result_lensize of the resulted data
flagsflags to be set by this parsing function
Return values

Definition at line 83 of file detect-content.c.

References SCCalloc, SCLogDebug, SCLogError, str, and strlcpy().

Referenced by DetectContentParse().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ DetectContentFree()

void DetectContentFree ( DetectEngineCtx de_ctx,
void *  ptr 

this function will SCFree memory associated with DetectContentData

cdpointer to DetectContentData

Definition at line 372 of file detect-content.c.

References SCEnter, SCFree, SCReturn, DetectContentData_::spm_ctx, and SpmDestroyCtx().

Referenced by DetectContentRegister(), and DetectContentSetup().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ DetectContentParse()

DetectContentData* DetectContentParse ( SpmGlobalThreadCtx spm_global_thread_ctx,
const char *  contentstr 

◆ DetectContentParseEncloseQuotes()

DetectContentData* DetectContentParseEncloseQuotes ( SpmGlobalThreadCtx spm_global_thread_ctx,
const char *  contentstr 

Definition at line 253 of file detect-content.c.

References DetectContentParse().

Here is the call graph for this function:

◆ DetectContentPatternPrettyPrint()

void DetectContentPatternPrettyPrint ( const DetectContentData cd,
char *  str,
size_t  str_len 

Definition at line 744 of file detect-content.c.

References DetectContentData_::content_len.

Referenced by DumpPatterns().

Here is the caller graph for this function:

◆ DetectContentPMATCHValidateCallback()

bool DetectContentPMATCHValidateCallback ( const Signature s)
Return values

Definition at line 454 of file detect-content.c.

References Signature_::flags, SCLogDebug, SCLogError, SIG_FLAG_DSIZE, SigParseGetMaxDsize(), and SigParseMaxRequiredDsize().

Here is the call graph for this function:

◆ DetectContentPrint()

◆ DetectContentPropagateLimits()

void DetectContentPropagateLimits ( Signature s)

Definition at line 716 of file detect-content.c.

◆ DetectContentRegister()

void DetectContentRegister ( void  )

Definition at line 58 of file detect-content.c.

References SigTableElmt_::desc, DETECT_CONTENT, DetectContentFree(), DetectContentSetup(), SigTableElmt_::Free, SigTableElmt_::Match, SigTableElmt_::name, SigTableElmt_::RegisterTests, SigTableElmt_::Setup, sigmatch_table, and SigTableElmt_::url.

Referenced by SigTableSetup().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ DetectContentSetup()

int DetectContentSetup ( DetectEngineCtx de_ctx,
Signature s,
const char *  contentstr 

Function to setup a content pattern.

de_ctxpointer to the current detection_engine
spointer to the current Signature
mpointer to the last parsed SigMatch
contentstrpointer to the current keyword content string
Return values
-1if error
0if all was ok

Definition at line 328 of file detect-content.c.

References DetectContentData_::content, DetectContentData_::content_len, de_ctx, DETECT_CONTENT, DETECT_CONTENT_NEGATED, DETECT_SM_LIST_MAX, DETECT_SM_LIST_NOTSET, DETECT_SM_LIST_PMATCH, DetectBufferGetActiveList(), DetectContentFree(), DetectContentParse(), DetectContentPrint(), DetectEngineBufferTypeValidateTransform(), DetectContentData_::flags, Signature_::init_data, SignatureInitData_::list, SignatureInitData_::negated, SCLogError, SigMatchAppendSMToList(), and DetectEngineCtx_::spm_global_thread_ctx.

Referenced by DetectContentRegister().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ SigParseRequiredContentSize()

void SigParseRequiredContentSize ( const Signature s,
const int  max_size,
const SigMatch sm,
int *  len,
int *  offset 

Determine the size needed to accommodate the content elements of a signature.

ssignature to get dsize value from
max_sizeMaximum buffer/data size allowed.
listsignature match list.
lenMaximum length required
offsetMaximum offset encountered

Note that negated content does not contribute to the maximum required size value. However, each negated content's values must not exceed the size value.

Values from negated content blocks are used to determine if the negated content block requires a value that exceeds "max_size". The distance and within values from negated content blocks are added to the running total of required content size to see if the max_size would be exceeded.

  • Non-negated content contributes to the required size (content length, distance)
  • Negated content values are checked but not accumulated for the required size.

Definition at line 408 of file detect-content.c.

References DetectContentData_::content_len, SigMatch_::ctx, DetectContentData_::depth, DETECT_CONTENT, DETECT_CONTENT_DISTANCE, DETECT_CONTENT_NEGATED, DETECT_CONTENT_WITHIN, DetectContentData_::distance, DetectContentData_::flags, len, MAX, SigMatch_::next, offset, DetectContentData_::offset, SCLogDebug, SigMatch_::type, and DetectContentData_::within.

Referenced by SigParseMaxRequiredDsize().

Here is the caller graph for this function:
#define DE_QUIET
Definition: detect.h:320
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2620
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2541