suricata
|
#include "suricata-common.h"
#include "decode.h"
#include "detect.h"
#include "detect-content.h"
#include "detect-uricontent.h"
#include "detect-engine-mpm.h"
#include "detect-engine.h"
#include "detect-engine-state.h"
#include "detect-parse.h"
#include "detect-pcre.h"
#include "util-mpm.h"
#include "flow.h"
#include "flow-util.h"
#include "flow-var.h"
#include "detect-flow.h"
#include "app-layer.h"
#include "util-unittest.h"
#include "util-print.h"
#include "util-debug.h"
#include "util-spm.h"
#include "threads.h"
#include "util-unittest-helper.h"
#include "pkt-var.h"
#include "host.h"
#include "util-profiling.h"
#include "detect-dsize.h"
Macros | |
#define | TEST_RUN(sig, o, d) |
#define | TEST_DONE PASS |
Functions | |
void | DetectContentRegister (void) |
int | DetectContentDataParse (const char *keyword, const char *contentstr, uint8_t **pstr, uint16_t *plen) |
Parse a content string, ie "abc|DE|fgh". More... | |
DetectContentData * | DetectContentParse (SpmGlobalThreadCtx *spm_global_thread_ctx, const char *contentstr) |
DetectContentParse \initonly. More... | |
DetectContentData * | DetectContentParseEncloseQuotes (SpmGlobalThreadCtx *spm_global_thread_ctx, const char *contentstr) |
void | DetectContentPrint (DetectContentData *cd) |
Helper function to print a DetectContentData. More... | |
int | DetectContentSetup (DetectEngineCtx *de_ctx, Signature *s, const char *contentstr) |
Function to setup a content pattern. More... | |
void | DetectContentFree (DetectEngineCtx *de_ctx, void *ptr) |
this function will SCFree memory associated with DetectContentData More... | |
bool | DetectContentPMATCHValidateCallback (const Signature *s) |
void | DetectContentPropagateLimits (Signature *s) |
apply depth/offset and distance/within to content matches More... | |
void | DetectContentPatternPrettyPrint (const DetectContentData *cd, char *str, size_t str_len) |
Simple content match part of the detection engine.
Definition in file detect-content.c.
#define TEST_DONE PASS |
Definition at line 719 of file detect-content.c.
#define TEST_RUN | ( | sig, | |
o, | |||
d | |||
) |
Definition at line 703 of file detect-content.c.
int DetectContentDataParse | ( | const char * | keyword, |
const char * | contentstr, | ||
uint8_t ** | pstr, | ||
uint16_t * | plen | ||
) |
Parse a content string, e.g. "abc|DE|fgh", where the part between the pipe characters is written as hex bytes.
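Parameters (names as written in the source comment; the signature above declares keyword, contentstr, pstr and plen, so keyword is undocumented and there is no flags argument):
content_str | null-terminated string containing the content |
result | result pointer to pass the fully parsed byte array |
result_len | size of the resulting data |
flags | flags to be set by this parsing function |
Return values:
-1 | error |
0 | ok |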
Definition at line 82 of file detect-content.c.
References SC_ERR_INVALID_SIGNATURE, SCCalloc, SCLogDebug, SCLogError, str, and strlcpy().
Referenced by DetectContentParse().
void DetectContentFree | ( | DetectEngineCtx * | de_ctx, |
void * | ptr | ||
) |
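Frees (via SCFree) the memory associated with a DetectContentData.
Parameters (the source comment names the argument cd; the signature above calls it ptr and also takes de_ctx):
cd | pointer to DetectContentData |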
Definition at line 380 of file detect-content.c.
References SCEnter, SCFree, SCReturn, DetectContentData_::spm_ctx, and SpmDestroyCtx().
Referenced by DetectContentRegister(), and DetectContentSetup().
DetectContentData* DetectContentParse | ( | SpmGlobalThreadCtx * | spm_global_thread_ctx, |
const char * | contentstr | ||
) |
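DetectContentParse. Tagged \initonly in the source comment (the tag is not rendered on this page); presumably meant to be called only at initialization time.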
Definition at line 209 of file detect-content.c.
References DetectContentData_::content, DetectContentData_::content_len, DetectContentData_::depth, DetectContentDataParse(), DetectContentData_::distance, len, DetectContentData_::offset, SCFree, SCMalloc, DetectContentData_::spm_ctx, SpmInitCtx(), unlikely, and DetectContentData_::within.
Referenced by DetectContentParseEncloseQuotes(), and DetectContentSetup().
DetectContentData* DetectContentParseEncloseQuotes | ( | SpmGlobalThreadCtx * | spm_global_thread_ctx, |
const char * | contentstr | ||
) |
Definition at line 253 of file detect-content.c.
References DetectContentParse().
void DetectContentPatternPrettyPrint | ( | const DetectContentData * | cd, |
char * | str, | ||
size_t | str_len | ||
) |
Definition at line 656 of file detect-content.c.
References DetectContentData_::content_len.
Referenced by DumpPatterns().
bool DetectContentPMATCHValidateCallback | ( | const Signature * | s | ) |
Return values:
1 | valid |
0 | invalid |
Definition at line 398 of file detect-content.c.
References DetectContentData_::content_len, SigMatch_::ctx, DETECT_CONTENT, DETECT_SM_LIST_PMATCH, Signature_::flags, Signature_::init_data, SigMatch_::next, DetectContentData_::offset, SC_ERR_INVALID_SIGNATURE, SCLogError, SIG_FLAG_DSIZE, SigParseGetMaxDsize(), SignatureInitData_::smlists, and SigMatch_::type.
void DetectContentPrint | ( | DetectContentData * | cd | ) |
Helper function to print a DetectContentData.
Definition at line 262 of file detect-content.c.
References DetectContentData_::content, DetectContentData_::content_len, DetectContentData_::depth, DETECT_CONTENT_NEGATED, DETECT_CONTENT_RELATIVE_NEXT, DetectContentData_::distance, DetectContentData_::flags, DetectContentData_::id, DetectContentData_::offset, DetectContentData_::replace, DetectContentData_::replace_len, SCFree, SCLogDebug, SCMalloc, and DetectContentData_::within.
Referenced by DetectContentSetup().
void DetectContentPropagateLimits | ( | Signature * | s | ) |
apply depth/offset and distance/within to content matches
The idea is that any limitation we can set is a win, as the mpm can use this to reduce match candidates.
E.g. for 'content:"1"; depth:1; content:"2"; distance:0; within:1;' we know that we can add 'offset:1; depth:2;' to the 2nd condition. The mpm will then use these limits if the 2nd condition is selected for mpm.
Another example: 'content:"1"; depth:1; content:"2"; distance:0;'. Here we cannot set a depth, but we can set an offset of 'offset:1;'. This will make the mpm a bit more precise.
Definition at line 446 of file detect-content.c.
References BUG_ON, and Signature_::init_data.
void DetectContentRegister | ( | void | ) |
Definition at line 57 of file detect-content.c.
References SigTableElmt_::desc, DETECT_CONTENT, DetectContentFree(), DetectContentSetup(), SigTableElmt_::Free, SigTableElmt_::Match, SigTableElmt_::name, SigTableElmt_::RegisterTests, SigTableElmt_::Setup, sigmatch_table, and SigTableElmt_::url.
Referenced by SigTableSetup().
int DetectContentSetup | ( | DetectEngineCtx * | de_ctx, |
Signature * | s, | ||
const char * | contentstr | ||
) |
Function to setup a content pattern.
Parameters (the source comment also lists m, which is not in the signature above):
de_ctx | pointer to the current detection_engine |
s | pointer to the current Signature |
m | pointer to the last parsed SigMatch |
contentstr | pointer to the current keyword content string |
Return values:
-1 | if error |
0 | if all was ok |
Definition at line 328 of file detect-content.c.
References DetectContentData_::content, DetectContentData_::content_len, SigMatch_::ctx, de_ctx, DETECT_CONTENT, DETECT_CONTENT_NEGATED, DETECT_SM_LIST_MAX, DETECT_SM_LIST_NOTSET, DETECT_SM_LIST_PMATCH, DetectBufferGetActiveList(), DetectContentFree(), DetectContentParse(), DetectContentPrint(), DetectEngineBufferTypeValidateTransform(), DetectContentData_::flags, Signature_::init_data, SignatureInitData_::list, SignatureInitData_::negated, SC_ERR_INVALID_SIGNATURE, SCLogError, SigMatchAlloc(), SigMatchAppendSMToList(), DetectEngineCtx_::spm_global_thread_ctx, and SigMatch_::type.
Referenced by DetectContentRegister().