suricata
detect-content.c File Reference
#include "suricata-common.h"
#include "decode.h"
#include "detect.h"
#include "detect-content.h"
#include "detect-uricontent.h"
#include "detect-engine-mpm.h"
#include "detect-engine.h"
#include "detect-engine-build.h"
#include "detect-engine-state.h"
#include "detect-parse.h"
#include "detect-pcre.h"
#include "util-mpm.h"
#include "flow.h"
#include "flow-util.h"
#include "flow-var.h"
#include "detect-flow.h"
#include "app-layer.h"
#include "util-unittest.h"
#include "util-print.h"
#include "util-debug.h"
#include "util-spm.h"
#include "threads.h"
#include "util-unittest-helper.h"
#include "pkt-var.h"
#include "host.h"
#include "util-profiling.h"
#include "detect-dsize.h"
#include "detect-engine-alert.h"
#include "packet.h"
Include dependency graph for detect-content.c:

Go to the source code of this file.

Macros

#define VALIDATE(e)
 
#define TEST_RUN(sig, o, d)
 
#define TEST_DONE   PASS
 

Functions

void DetectContentRegister (void)
 
int DetectContentDataParse (const char *keyword, const char *contentstr, uint8_t **pstr, uint16_t *plen)
 Parse a content string, ie "abc|DE|fgh". More...
 
DetectContentDataDetectContentParse (SpmGlobalThreadCtx *spm_global_thread_ctx, const char *contentstr)
 DetectContentParse \initonly. More...
 
DetectContentDataDetectContentParseEncloseQuotes (SpmGlobalThreadCtx *spm_global_thread_ctx, const char *contentstr)
 
void DetectContentPrint (DetectContentData *cd)
 Helper function to print a DetectContentData. More...
 
int DetectContentSetup (DetectEngineCtx *de_ctx, Signature *s, const char *contentstr)
 Function to setup a content pattern. More...
 
void DetectContentFree (DetectEngineCtx *de_ctx, void *ptr)
 this function will SCFree memory associated with DetectContentData More...
 
void SigParseRequiredContentSize (const Signature *s, const int max_size, const SigMatch *sm, int *len, int *offset)
 Determine the size needed to accommodate the content elements of a signature. More...
 
bool DetectContentPMATCHValidateCallback (const Signature *s)
 
void DetectContentPropagateLimits (Signature *s)
 
void DetectContentPatternPrettyPrint (const DetectContentData *cd, char *str, size_t str_len)
 
int DetectContentConvertToNocase (DetectEngineCtx *de_ctx, DetectContentData *cd)
 

Detailed Description

Author
Victor Julien victo.nosp@m.r@in.nosp@m.linia.nosp@m.c.ne.nosp@m.t

Simple content match part of the detection engine.

Definition in file detect-content.c.

Macro Definition Documentation

◆ TEST_DONE

#define TEST_DONE   PASS

Definition at line 832 of file detect-content.c.

◆ TEST_RUN

#define TEST_RUN (   sig,
  o,
 
)
Value:
{ \
SCLogDebug("TEST_RUN start: '%s'", (sig)); \
DetectEngineCtx *de_ctx = DetectEngineCtxInit(); \
FAIL_IF_NULL(de_ctx); \
de_ctx->flags |= DE_QUIET; \
char rule[2048]; \
snprintf(rule, sizeof(rule), "alert tcp any any -> any any (%s sid:1; rev:1;)", (sig)); \
Signature *s = DetectEngineAppendSig(de_ctx, rule); \
FAIL_IF_NULL(s); \
SigPrepareStage1(de_ctx); \
bool res = TestLastContent(s, (o), (d)); \
FAIL_IF(res == false); \
DetectEngineCtxFree(de_ctx); \
}

Definition at line 816 of file detect-content.c.

◆ VALIDATE

#define VALIDATE (   e)
Value:
if (!(e)) { \
return; \
}

Function Documentation

◆ DetectContentConvertToNocase()

◆ DetectContentDataParse()

int DetectContentDataParse ( const char *  keyword,
const char *  contentstr,
uint8_t **  pstr,
uint16_t *  plen 
)

Parse a content string, ie "abc|DE|fgh".

Parameters
content_strnull terminated string containing the content
resultresult pointer to pass the fully parsed byte array
result_lensize of the resulted data
flagsflags to be set by this parsing function
Return values
-1error
0ok

Definition at line 83 of file detect-content.c.

References SCCalloc, SCLogDebug, SCLogError, str, and strlcpy().

Referenced by DetectContentParse().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ DetectContentFree()

void DetectContentFree ( DetectEngineCtx de_ctx,
void *  ptr 
)

this function will SCFree memory associated with DetectContentData

Parameters
cdpointer to DetectContentData

Definition at line 372 of file detect-content.c.

References SCEnter, SCFree, SCReturn, DetectContentData_::spm_ctx, and SpmDestroyCtx().

Referenced by DetectContentRegister(), and DetectContentSetup().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ DetectContentParse()

DetectContentData* DetectContentParse ( SpmGlobalThreadCtx spm_global_thread_ctx,
const char *  contentstr 
)

◆ DetectContentParseEncloseQuotes()

DetectContentData* DetectContentParseEncloseQuotes ( SpmGlobalThreadCtx spm_global_thread_ctx,
const char *  contentstr 
)

Definition at line 253 of file detect-content.c.

References DetectContentParse().

Here is the call graph for this function:

◆ DetectContentPatternPrettyPrint()

void DetectContentPatternPrettyPrint ( const DetectContentData cd,
char *  str,
size_t  str_len 
)

Definition at line 744 of file detect-content.c.

References DetectContentData_::content_len.

Referenced by DumpPatterns().

Here is the caller graph for this function:

◆ DetectContentPMATCHValidateCallback()

bool DetectContentPMATCHValidateCallback ( const Signature s)
Return values
truevalid
falseinvalid

Definition at line 454 of file detect-content.c.

References Signature_::flags, SCLogDebug, SCLogError, SIG_FLAG_DSIZE, SigParseGetMaxDsize(), and SigParseMaxRequiredDsize().

Here is the call graph for this function:

◆ DetectContentPrint()

◆ DetectContentPropagateLimits()

void DetectContentPropagateLimits ( Signature s)

Definition at line 716 of file detect-content.c.

◆ DetectContentRegister()

void DetectContentRegister ( void  )

Definition at line 58 of file detect-content.c.

References SigTableElmt_::desc, DETECT_CONTENT, DetectContentFree(), DetectContentSetup(), SigTableElmt_::Free, SigTableElmt_::Match, SigTableElmt_::name, SigTableElmt_::RegisterTests, SigTableElmt_::Setup, sigmatch_table, and SigTableElmt_::url.

Referenced by SigTableSetup().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ DetectContentSetup()

int DetectContentSetup ( DetectEngineCtx de_ctx,
Signature s,
const char *  contentstr 
)

Function to setup a content pattern.

Parameters
de_ctxpointer to the current detection_engine
spointer to the current Signature
mpointer to the last parsed SigMatch
contentstrpointer to the current keyword content string
Return values
-1if error
0if all was ok

Definition at line 328 of file detect-content.c.

References DetectContentData_::content, DetectContentData_::content_len, de_ctx, DETECT_CONTENT, DETECT_CONTENT_NEGATED, DETECT_SM_LIST_MAX, DETECT_SM_LIST_NOTSET, DETECT_SM_LIST_PMATCH, DetectBufferGetActiveList(), DetectContentFree(), DetectContentParse(), DetectContentPrint(), DetectEngineBufferTypeValidateTransform(), DetectContentData_::flags, Signature_::init_data, SignatureInitData_::list, SignatureInitData_::negated, SCLogError, SigMatchAppendSMToList(), and DetectEngineCtx_::spm_global_thread_ctx.

Referenced by DetectContentRegister().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ SigParseRequiredContentSize()

void SigParseRequiredContentSize ( const Signature s,
const int  max_size,
const SigMatch sm,
int *  len,
int *  offset 
)

Determine the size needed to accommodate the content elements of a signature.

Parameters
ssignature to get dsize value from
max_sizeMaximum buffer/data size allowed.
listsignature match list.
lenMaximum length required
offsetMaximum offset encountered

Note that negated content does not contribute to the maximum required size value. However, each negated content's values must not exceed the size value.

Values from negated content blocks are used to determine if the negated content block requires a value that exceeds "max_size". The distance and within values from negated content blocks are added to the running total of required content size to see if the max_size would be exceeded.

  • Non-negated content contributes to the required size (content length, distance)
  • Negated content values are checked but not accumulated for the required size.

Definition at line 408 of file detect-content.c.

References DetectContentData_::content_len, SigMatch_::ctx, DetectContentData_::depth, DETECT_CONTENT, DETECT_CONTENT_DISTANCE, DETECT_CONTENT_NEGATED, DETECT_CONTENT_WITHIN, DetectContentData_::distance, DetectContentData_::flags, len, MAX, SigMatch_::next, offset, DetectContentData_::offset, SCLogDebug, SigMatch_::type, and DetectContentData_::within.

Referenced by SigParseMaxRequiredDsize().

Here is the caller graph for this function:
DE_QUIET
#define DE_QUIET
Definition: detect.h:323
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2587
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2558