detect-content.c File Reference

#include "suricata-common.h"
#include "decode.h"
#include "detect.h"
#include "detect-content.h"
#include "detect-uricontent.h"
#include "detect-engine-mpm.h"
#include "detect-engine.h"
#include "detect-engine-build.h"
#include "detect-engine-state.h"
#include "detect-parse.h"
#include "detect-pcre.h"
#include "util-mpm.h"
#include "flow.h"
#include "flow-util.h"
#include "flow-var.h"
#include "detect-flow.h"
#include "app-layer.h"
#include "util-unittest.h"
#include "util-print.h"
#include "util-debug.h"
#include "util-spm.h"
#include "threads.h"
#include "util-unittest-helper.h"
#include "pkt-var.h"
#include "host.h"
#include "util-profiling.h"
#include "detect-dsize.h"
#include "detect-engine-alert.h"
#include "packet.h"

Include dependency graph for detect-content.c:

Go to the source code of this file.

Macros
#define	VALIDATE(e)
#define	TEST_RUN(sig, o, d)
#define	TEST_DONE   PASS

Functions
void	DetectContentRegister (void)
int	DetectContentDataParse (const char *keyword, const char *contentstr, uint8_t **pstr, uint16_t *plen)
	Parse a content string, ie "abc|DE|fgh". More...
DetectContentData *	DetectContentParse (SpmGlobalThreadCtx *spm_global_thread_ctx, const char *contentstr)
	DetectContentParse \initonly. More...
DetectContentData *	DetectContentParseEncloseQuotes (SpmGlobalThreadCtx *spm_global_thread_ctx, const char *contentstr)
void	DetectContentPrint (DetectContentData *cd)
	Helper function to print a DetectContentData. More...
int	DetectContentSetup (DetectEngineCtx *de_ctx, Signature *s, const char *contentstr)
	Function to setup a content pattern. More...
void	DetectContentFree (DetectEngineCtx *de_ctx, void *ptr)
	this function will SCFree memory associated with DetectContentData More...
void	SigParseRequiredContentSize (const Signature *s, const int max_size, int list, int *len, int *offset)
bool	DetectContentPMATCHValidateCallback (const Signature *s)
void	DetectContentPropagateLimits (Signature *s)
void	DetectContentPatternPrettyPrint (const DetectContentData *cd, char *str, size_t str_len)

Detailed Description

Author

Victor Julien victo.nosp@m.r@in.nosp@m.linia.nosp@m.c.ne.nosp@m.t

Simple content match part of the detection engine.

Definition in file detect-content.c.

Macro Definition Documentation

TEST_DONE

#define TEST_DONE   PASS

Definition at line 809 of file detect-content.c.

TEST_RUN

#define TEST_RUN	(		sig,
			o,
			d
	)

Value:

    {                                                                                              \
        SCLogDebug("TEST_RUN start: '%s'", (sig));                                                 \
        DetectEngineCtx *de_ctx = DetectEngineCtxInit();                                           \
        FAIL_IF_NULL(de_ctx);                                                                      \
        de_ctx->flags |= DE_QUIET;                                                                 \
        char rule[2048];                                                                           \
        snprintf(rule, sizeof(rule), "alert tcp any any -> any any (%s sid:1; rev:1;)", (sig));    \
        Signature *s = DetectEngineAppendSig(de_ctx, rule);                                        \
        FAIL_IF_NULL(s);                                                                           \
        SigAddressPrepareStage1(de_ctx);                                                           \
        bool res = TestLastContent(s, (o), (d));                                                   \
        FAIL_IF(res == false);                                                                     \
        DetectEngineCtxFree(de_ctx);                                                               \
    }

Definition at line 793 of file detect-content.c.

VALIDATE

#define VALIDATE

(

e

)

Value:

    if (!(e)) {                                                                                    \
        return;                                                                                    \
    }

Function Documentation

DetectContentDataParse()

int DetectContentDataParse	(	const char *	keyword,
		const char *	contentstr,
		uint8_t **	pstr,
		uint16_t *	plen
	)

Parse a content string, ie "abc|DE|fgh".

Parameters

content_str	null terminated string containing the content
result	result pointer to pass the fully parsed byte array
result_len	size of the resulted data
flags	flags to be set by this parsing function

Return values

-1	error
0	ok

Definition at line 83 of file detect-content.c.

References SCCalloc, SCLogDebug, SCLogError, str, and strlcpy().

Referenced by DetectContentParse().

Here is the call graph for this function:

Here is the caller graph for this function:

DetectContentFree()

void DetectContentFree	(	DetectEngineCtx *	de_ctx,
		void *	ptr
	)

this function will SCFree memory associated with DetectContentData

Parameters

cd	pointer to DetectContentData

Definition at line 378 of file detect-content.c.

References SCEnter, SCFree, SCReturn, DetectContentData_::spm_ctx, and SpmDestroyCtx().

Referenced by DetectContentRegister(), and DetectContentSetup().

Here is the call graph for this function:

Here is the caller graph for this function:

DetectContentParse()

DetectContentData* DetectContentParse	(	SpmGlobalThreadCtx *	spm_global_thread_ctx,
		const char *	contentstr
	)

DetectContentParse \initonly.

Definition at line 211 of file detect-content.c.

References DetectContentData_::content, DetectContentData_::content_len, DetectContentData_::depth, DetectContentDataParse(), DetectContentData_::distance, len, DetectContentData_::offset, SCCalloc, SCFree, DetectContentData_::spm_ctx, SpmInitCtx(), unlikely, and DetectContentData_::within.

Referenced by DetectContentParseEncloseQuotes(), and DetectContentSetup().

Here is the call graph for this function:

Here is the caller graph for this function:

DetectContentParseEncloseQuotes()

DetectContentData* DetectContentParseEncloseQuotes	(	SpmGlobalThreadCtx *	spm_global_thread_ctx,
		const char *	contentstr
	)

Definition at line 253 of file detect-content.c.

References DetectContentParse().

Here is the call graph for this function:

DetectContentPatternPrettyPrint()

void DetectContentPatternPrettyPrint	(	const DetectContentData *	cd,
		char *	str,
		size_t	str_len
	)

Definition at line 744 of file detect-content.c.

References DetectContentData_::content_len.

Referenced by DumpPatterns().

Here is the caller graph for this function:

DetectContentPMATCHValidateCallback()

bool DetectContentPMATCHValidateCallback

(

const Signature *

s

)

Return values

true	valid
false	invalid

Definition at line 465 of file detect-content.c.

References Signature_::flags, SCLogDebug, SCLogError, SIG_FLAG_DSIZE, SigParseGetMaxDsize(), and SigParseMaxRequiredDsize().

Here is the call graph for this function:

DetectContentPrint()

void DetectContentPrint

(

DetectContentData *

cd

)

Helper function to print a DetectContentData.

Definition at line 262 of file detect-content.c.

References DetectContentData_::content, DetectContentData_::content_len, DetectContentData_::depth, DETECT_CONTENT_NEGATED, DETECT_CONTENT_RELATIVE_NEXT, DetectContentData_::distance, DetectContentData_::flags, DetectContentData_::id, DetectContentData_::offset, DetectContentData_::replace, DetectContentData_::replace_len, SCFree, SCLogDebug, SCMalloc, and DetectContentData_::within.

Referenced by DetectContentSetup().

Here is the caller graph for this function:

DetectContentPropagateLimits()

void DetectContentPropagateLimits

(

Signature *

s

)

Definition at line 716 of file detect-content.c.

DetectContentRegister()

void DetectContentRegister

(

void

)

Definition at line 58 of file detect-content.c.

References SigTableElmt_::desc, DETECT_CONTENT, DetectContentFree(), DetectContentSetup(), SigTableElmt_::Free, SigTableElmt_::Match, SigTableElmt_::name, SigTableElmt_::RegisterTests, SigTableElmt_::Setup, sigmatch_table, and SigTableElmt_::url.

Referenced by SigTableSetup().

Here is the call graph for this function:

Here is the caller graph for this function:

DetectContentSetup()

int DetectContentSetup	(	DetectEngineCtx *	de_ctx,
		Signature *	s,
		const char *	contentstr
	)

Function to setup a content pattern.

Parameters

de_ctx	pointer to the current detection_engine
s	pointer to the current Signature
m	pointer to the last parsed SigMatch
contentstr	pointer to the current keyword content string

Return values

-1	if error
0	if all was ok

Definition at line 328 of file detect-content.c.

References DetectContentData_::content, DetectContentData_::content_len, SigMatch_::ctx, de_ctx, DETECT_CONTENT, DETECT_CONTENT_NEGATED, DETECT_SM_LIST_MAX, DETECT_SM_LIST_NOTSET, DETECT_SM_LIST_PMATCH, DetectBufferGetActiveList(), DetectContentFree(), DetectContentParse(), DetectContentPrint(), DetectEngineBufferTypeValidateTransform(), DetectContentData_::flags, Signature_::init_data, SignatureInitData_::list, SignatureInitData_::negated, SCLogError, SigMatchAlloc(), SigMatchAppendSMToList(), DetectEngineCtx_::spm_global_thread_ctx, and SigMatch_::type.

Referenced by DetectContentRegister().

Here is the call graph for this function:

Here is the caller graph for this function:

SigParseRequiredContentSize()

void SigParseRequiredContentSize	(	const Signature *	s,
		const int	max_size,
		int	list,
		int *	len,
		int *	offset
	)

Definition at line 414 of file detect-content.c.

Referenced by SigParseMaxRequiredDsize().

Here is the caller graph for this function: