detect-content.c File Reference

#include "suricata-common.h"
#include "decode.h"
#include "detect.h"
#include "detect-content.h"
#include "detect-uricontent.h"
#include "detect-engine-mpm.h"
#include "detect-engine.h"
#include "detect-engine-buffer.h"
#include "detect-engine-build.h"
#include "detect-engine-state.h"
#include "detect-parse.h"
#include "detect-pcre.h"
#include "util-mpm.h"
#include "flow.h"
#include "flow-util.h"
#include "flow-var.h"
#include "detect-flow.h"
#include "app-layer.h"
#include "util-unittest.h"
#include "util-print.h"
#include "util-debug.h"
#include "util-spm.h"
#include "threads.h"
#include "util-unittest-helper.h"
#include "pkt-var.h"
#include "host.h"
#include "util-profiling.h"
#include "detect-dsize.h"
#include "detect-engine-alert.h"
#include "packet.h"

Include dependency graph for detect-content.c:

Go to the source code of this file.

Macros
#define	VALIDATE(e)
#define	TEST_RUN(sig, o, d)
#define	TEST_DONE   PASS

Functions
void	DetectContentRegister (void)
int	DetectContentDataParse (const char *keyword, const char *contentstr, uint8_t **pstr, uint16_t *plen)
	Parse a content string, ie "abc|DE|fgh". More...
DetectContentData *	DetectContentParse (SpmGlobalThreadCtx *spm_global_thread_ctx, const char *contentstr)
	DetectContentParse \initonly. More...
DetectContentData *	DetectContentParseEncloseQuotes (SpmGlobalThreadCtx *spm_global_thread_ctx, const char *contentstr)
void	DetectContentPrint (DetectContentData *cd)
	Helper function to print a DetectContentData. More...
int	DetectContentSetup (DetectEngineCtx *de_ctx, Signature *s, const char *contentstr)
	Function to setup a content pattern. More...
void	DetectContentFree (DetectEngineCtx *de_ctx, void *ptr)
	this function will SCFree memory associated with DetectContentData More...
void	SigParseRequiredContentSize (const Signature *s, const uint64_t max_size, const SigMatch *sm, int *len, int *offset)
	Determine the size needed to accommodate the content elements of a signature. More...
bool	DetectContentPMATCHValidateCallback (const Signature *s)
void	DetectContentPropagateLimits (Signature *s)
void	DetectContentPatternPrettyPrint (const DetectContentData *cd, char *str, size_t str_len)
int	DetectContentConvertToNocase (DetectEngineCtx *de_ctx, DetectContentData *cd)

Detailed Description

Author

Victor Julien victo.nosp@m.r@in.nosp@m.linia.nosp@m.c.ne.nosp@m.t

Simple content match part of the detection engine.

Definition in file detect-content.c.

Macro Definition Documentation

TEST_DONE

#define TEST_DONE   PASS

Definition at line 833 of file detect-content.c.

TEST_RUN

#define TEST_RUN	(		sig,
			o,
			d
	)

Value:

    {                                                                                              \
        SCLogDebug("TEST_RUN start: '%s'", (sig));                                                 \
        DetectEngineCtx *de_ctx = DetectEngineCtxInit();                                           \
        FAIL_IF_NULL(de_ctx);                                                                      \
        de_ctx->flags |= DE_QUIET;                                                                 \
        char rule[2048];                                                                           \
        snprintf(rule, sizeof(rule), "alert tcp any any -> any any (%s sid:1; rev:1;)", (sig));    \
        Signature *s = DetectEngineAppendSig(de_ctx, rule);                                        \
        FAIL_IF_NULL(s);                                                                           \
        SigPrepareStage1(de_ctx);                                                                  \
        bool res = TestLastContent(s, (o), (d));                                                   \
        FAIL_IF_NOT(res);                                                                          \
        DetectEngineCtxFree(de_ctx);                                                               \
    }

Definition at line 817 of file detect-content.c.

VALIDATE

#define VALIDATE

(

e

)

Value:

    if (!(e)) {                                                                                    \
        return;                                                                                    \
    }

Function Documentation

DetectContentConvertToNocase()

int DetectContentConvertToNocase	(	DetectEngineCtx *	de_ctx,
		DetectContentData *	cd
	)

Definition at line 766 of file detect-content.c.

References DetectContentData_::content, DetectContentData_::content_len, de_ctx, DETECT_CONTENT_NOCASE, DetectContentData_::flags, SCLogError, DetectContentData_::spm_ctx, DetectEngineCtx_::spm_global_thread_ctx, SpmDestroyCtx(), SpmInitCtx(), and u8_tolower.

Here is the call graph for this function:

DetectContentDataParse()

int DetectContentDataParse	(	const char *	keyword,
		const char *	contentstr,
		uint8_t **	pstr,
		uint16_t *	plen
	)

Parse a content string, ie "abc|DE|fgh".

Parameters

content_str	null terminated string containing the content
result	result pointer to pass the fully parsed byte array
result_len	size of the resulted data
flags	flags to be set by this parsing function

Return values

-1	error
0	ok

Definition at line 85 of file detect-content.c.

References SCCalloc, SCLogDebug, SCLogError, str, and strlcpy().

Referenced by DetectContentParse().

Here is the call graph for this function:

Here is the caller graph for this function:

DetectContentFree()

void DetectContentFree	(	DetectEngineCtx *	de_ctx,
		void *	ptr
	)

this function will SCFree memory associated with DetectContentData

Parameters

cd	pointer to DetectContentData

Definition at line 374 of file detect-content.c.

References SCEnter, SCFree, SCReturn, DetectContentData_::spm_ctx, and SpmDestroyCtx().

Referenced by DetectContentRegister(), and DetectContentSetup().

Here is the call graph for this function:

Here is the caller graph for this function:

DetectContentParse()

DetectContentData* DetectContentParse	(	SpmGlobalThreadCtx *	spm_global_thread_ctx,
		const char *	contentstr
	)

DetectContentParse \initonly.

Definition at line 213 of file detect-content.c.

References DetectContentData_::content, DetectContentData_::content_len, DetectContentData_::depth, DetectContentDataParse(), DetectContentData_::distance, len, DetectContentData_::offset, SCCalloc, SCFree, DetectContentData_::spm_ctx, SpmInitCtx(), unlikely, and DetectContentData_::within.

Referenced by DetectContentParseEncloseQuotes(), and DetectContentSetup().

Here is the call graph for this function:

Here is the caller graph for this function:

DetectContentParseEncloseQuotes()

DetectContentData* DetectContentParseEncloseQuotes	(	SpmGlobalThreadCtx *	spm_global_thread_ctx,
		const char *	contentstr
	)

Definition at line 255 of file detect-content.c.

References DetectContentParse().

Here is the call graph for this function:

DetectContentPatternPrettyPrint()

void DetectContentPatternPrettyPrint	(	const DetectContentData *	cd,
		char *	str,
		size_t	str_len
	)

Definition at line 745 of file detect-content.c.

References DetectContentData_::content_len.

Referenced by DumpPatterns().

Here is the caller graph for this function:

DetectContentPMATCHValidateCallback()

bool DetectContentPMATCHValidateCallback

(

const Signature *

s

)

Return values

true	valid
false	invalid

Definition at line 456 of file detect-content.c.

References Signature_::flags, SCLogDebug, SCLogError, SIG_FLAG_DSIZE, SigParseGetMaxDsize(), and SigParseMaxRequiredDsize().

Here is the call graph for this function:

DetectContentPrint()

void DetectContentPrint

(

DetectContentData *

cd

)

Helper function to print a DetectContentData.

Definition at line 264 of file detect-content.c.

References DetectContentData_::content, DetectContentData_::content_len, DetectContentData_::depth, DETECT_CONTENT_NEGATED, DETECT_CONTENT_RELATIVE_NEXT, DetectContentData_::distance, DetectContentData_::flags, DetectContentData_::id, DetectContentData_::offset, DetectContentData_::replace, DetectContentData_::replace_len, SCFree, SCLogDebug, SCMalloc, and DetectContentData_::within.

Referenced by DetectContentSetup().

Here is the caller graph for this function:

DetectContentPropagateLimits()

void DetectContentPropagateLimits

(

Signature *

s

)

Definition at line 717 of file detect-content.c.

DetectContentRegister()

void DetectContentRegister

(

void

)

Definition at line 59 of file detect-content.c.

References SigTableElmt_::desc, DETECT_CONTENT, DetectContentFree(), DetectContentSetup(), SigTableElmt_::Free, SigTableElmt_::Match, SigTableElmt_::name, SigTableElmt_::RegisterTests, SigTableElmt_::Setup, sigmatch_table, and SigTableElmt_::url.

Referenced by SigTableSetup().

Here is the call graph for this function:

Here is the caller graph for this function:

DetectContentSetup()

int DetectContentSetup	(	DetectEngineCtx *	de_ctx,
		Signature *	s,
		const char *	contentstr
	)

Function to setup a content pattern.

Parameters

de_ctx	pointer to the current detection_engine
s	pointer to the current Signature
m	pointer to the last parsed SigMatch
contentstr	pointer to the current keyword content string

Return values

-1	if error
0	if all was ok

Definition at line 330 of file detect-content.c.

References DetectContentData_::content, DetectContentData_::content_len, de_ctx, DETECT_CONTENT, DETECT_CONTENT_NEGATED, DETECT_SM_LIST_MAX, DETECT_SM_LIST_NOTSET, DETECT_SM_LIST_PMATCH, DetectBufferGetActiveList(), DetectContentFree(), DetectContentParse(), DetectContentPrint(), DetectEngineBufferTypeValidateTransform(), DetectContentData_::flags, Signature_::init_data, SignatureInitData_::list, SignatureInitData_::negated, SCLogError, SigMatchAppendSMToList(), and DetectEngineCtx_::spm_global_thread_ctx.

Referenced by DetectContentRegister().

Here is the call graph for this function:

Here is the caller graph for this function:

SigParseRequiredContentSize()

void SigParseRequiredContentSize	(	const Signature *	s,
		const uint64_t	max_size,
		const SigMatch *	sm,
		int *	len,
		int *	offset
	)

Determine the size needed to accommodate the content elements of a signature.

Parameters

s	signature to get dsize value from
max_size	Maximum buffer/data size allowed.
list	signature match list.
len	Maximum length required
offset	Maximum offset encountered

Note that negated content does not contribute to the maximum required size value. However, each negated content's values must not exceed the size value.

Values from negated content blocks are used to determine if the negated content block requires a value that exceeds "max_size". The distance and within values from negated content blocks are added to the running total of required content size to see if the max_size would be exceeded.

• Non-negated content contributes to the required size (content length, distance)
• Negated content values are checked but not accumulated for the required size.

Definition at line 410 of file detect-content.c.

References DetectContentData_::content_len, SigMatch_::ctx, DetectContentData_::depth, DETECT_CONTENT, DETECT_CONTENT_DISTANCE, DETECT_CONTENT_NEGATED, DETECT_CONTENT_WITHIN, DetectContentData_::distance, DetectContentData_::flags, len, MAX, SigMatch_::next, offset, DetectContentData_::offset, SCLogDebug, SigMatch_::type, and DetectContentData_::within.

Referenced by SigParseMaxRequiredDsize().

Here is the caller graph for this function: