suricata
|
#include "suricata-common.h"
#include "decode.h"
#include "detect.h"
#include "detect-content.h"
#include "detect-uricontent.h"
#include "detect-engine-mpm.h"
#include "detect-engine.h"
#include "detect-engine-build.h"
#include "detect-engine-state.h"
#include "detect-parse.h"
#include "detect-pcre.h"
#include "util-mpm.h"
#include "flow.h"
#include "flow-util.h"
#include "flow-var.h"
#include "detect-flow.h"
#include "app-layer.h"
#include "util-unittest.h"
#include "util-print.h"
#include "util-debug.h"
#include "util-spm.h"
#include "threads.h"
#include "util-unittest-helper.h"
#include "pkt-var.h"
#include "host.h"
#include "util-profiling.h"
#include "detect-dsize.h"
#include "detect-engine-alert.h"
#include "packet.h"
Go to the source code of this file.
Macros | |
#define | VALIDATE(e) |
#define | TEST_RUN(sig, o, d) |
#define | TEST_DONE PASS |
Functions | |
void | DetectContentRegister (void) |
int | DetectContentDataParse (const char *keyword, const char *contentstr, uint8_t **pstr, uint16_t *plen) |
Parse a content string, ie "abc|DE|fgh". More... | |
DetectContentData * | DetectContentParse (SpmGlobalThreadCtx *spm_global_thread_ctx, const char *contentstr) |
DetectContentParse \initonly. More... | |
DetectContentData * | DetectContentParseEncloseQuotes (SpmGlobalThreadCtx *spm_global_thread_ctx, const char *contentstr) |
void | DetectContentPrint (DetectContentData *cd) |
Helper function to print a DetectContentData. More... | |
int | DetectContentSetup (DetectEngineCtx *de_ctx, Signature *s, const char *contentstr) |
Function to setup a content pattern. More... | |
void | DetectContentFree (DetectEngineCtx *de_ctx, void *ptr) |
this function will SCFree memory associated with DetectContentData More... | |
void | SigParseRequiredContentSize (const Signature *s, const int max_size, const SigMatch *sm, int *len, int *offset) |
Determine the size needed to accommodate the content elements of a signature. More... | |
bool | DetectContentPMATCHValidateCallback (const Signature *s) |
void | DetectContentPropagateLimits (Signature *s) |
void | DetectContentPatternPrettyPrint (const DetectContentData *cd, char *str, size_t str_len) |
int | DetectContentConvertToNocase (DetectEngineCtx *de_ctx, DetectContentData *cd) |
Simple content match part of the detection engine.
Definition in file detect-content.c.
#define TEST_DONE PASS |
Definition at line 832 of file detect-content.c.
#define TEST_RUN | ( | sig, | |
o, | |||
d | |||
) |
Definition at line 816 of file detect-content.c.
#define VALIDATE | ( | e | ) |
int DetectContentConvertToNocase | ( | DetectEngineCtx * | de_ctx, |
DetectContentData * | cd | ||
) |
Definition at line 765 of file detect-content.c.
References DetectContentData_::content, DetectContentData_::content_len, de_ctx, DETECT_CONTENT_NOCASE, DetectContentData_::flags, SCLogError, DetectContentData_::spm_ctx, DetectEngineCtx_::spm_global_thread_ctx, SpmDestroyCtx(), SpmInitCtx(), and u8_tolower.
int DetectContentDataParse | ( | const char * | keyword, |
const char * | contentstr, | ||
uint8_t ** | pstr, | ||
uint16_t * | plen | ||
) |
Parse a content string, ie "abc|DE|fgh".
content_str | null terminated string containing the content |
result | result pointer to pass the fully parsed byte array |
result_len | size of the resulted data |
flags | flags to be set by this parsing function |
-1 | error |
0 | ok |
Definition at line 83 of file detect-content.c.
References SCCalloc, SCLogDebug, SCLogError, str, and strlcpy().
Referenced by DetectContentParse().
void DetectContentFree | ( | DetectEngineCtx * | de_ctx, |
void * | ptr | ||
) |
this function will SCFree memory associated with DetectContentData
cd | pointer to DetectContentData |
Definition at line 372 of file detect-content.c.
References SCEnter, SCFree, SCReturn, DetectContentData_::spm_ctx, and SpmDestroyCtx().
Referenced by DetectContentRegister(), and DetectContentSetup().
DetectContentData* DetectContentParse | ( | SpmGlobalThreadCtx * | spm_global_thread_ctx, |
const char * | contentstr | ||
) |
DetectContentParse \initonly.
Definition at line 211 of file detect-content.c.
References DetectContentData_::content, DetectContentData_::content_len, DetectContentData_::depth, DetectContentDataParse(), DetectContentData_::distance, len, DetectContentData_::offset, SCCalloc, SCFree, DetectContentData_::spm_ctx, SpmInitCtx(), unlikely, and DetectContentData_::within.
Referenced by DetectContentParseEncloseQuotes(), and DetectContentSetup().
DetectContentData* DetectContentParseEncloseQuotes | ( | SpmGlobalThreadCtx * | spm_global_thread_ctx, |
const char * | contentstr | ||
) |
Definition at line 253 of file detect-content.c.
References DetectContentParse().
void DetectContentPatternPrettyPrint | ( | const DetectContentData * | cd, |
char * | str, | ||
size_t | str_len | ||
) |
Definition at line 744 of file detect-content.c.
References DetectContentData_::content_len.
Referenced by DumpPatterns().
bool DetectContentPMATCHValidateCallback | ( | const Signature * | s | ) |
true | valid |
false | invalid |
Definition at line 454 of file detect-content.c.
References Signature_::flags, SCLogDebug, SCLogError, SIG_FLAG_DSIZE, SigParseGetMaxDsize(), and SigParseMaxRequiredDsize().
void DetectContentPrint | ( | DetectContentData * | cd | ) |
Helper function to print a DetectContentData.
Definition at line 262 of file detect-content.c.
References DetectContentData_::content, DetectContentData_::content_len, DetectContentData_::depth, DETECT_CONTENT_NEGATED, DETECT_CONTENT_RELATIVE_NEXT, DetectContentData_::distance, DetectContentData_::flags, DetectContentData_::id, DetectContentData_::offset, DetectContentData_::replace, DetectContentData_::replace_len, SCFree, SCLogDebug, SCMalloc, and DetectContentData_::within.
Referenced by DetectContentSetup().
void DetectContentPropagateLimits | ( | Signature * | s | ) |
Definition at line 716 of file detect-content.c.
void DetectContentRegister | ( | void | ) |
Definition at line 58 of file detect-content.c.
References SigTableElmt_::desc, DETECT_CONTENT, DetectContentFree(), DetectContentSetup(), SigTableElmt_::Free, SigTableElmt_::Match, SigTableElmt_::name, SigTableElmt_::RegisterTests, SigTableElmt_::Setup, sigmatch_table, and SigTableElmt_::url.
Referenced by SigTableSetup().
int DetectContentSetup | ( | DetectEngineCtx * | de_ctx, |
Signature * | s, | ||
const char * | contentstr | ||
) |
Function to setup a content pattern.
de_ctx | pointer to the current detection_engine |
s | pointer to the current Signature |
m | pointer to the last parsed SigMatch |
contentstr | pointer to the current keyword content string |
-1 | if error |
0 | if all was ok |
Definition at line 328 of file detect-content.c.
References DetectContentData_::content, DetectContentData_::content_len, de_ctx, DETECT_CONTENT, DETECT_CONTENT_NEGATED, DETECT_SM_LIST_MAX, DETECT_SM_LIST_NOTSET, DETECT_SM_LIST_PMATCH, DetectBufferGetActiveList(), DetectContentFree(), DetectContentParse(), DetectContentPrint(), DetectEngineBufferTypeValidateTransform(), DetectContentData_::flags, Signature_::init_data, SignatureInitData_::list, SignatureInitData_::negated, SCLogError, SigMatchAppendSMToList(), and DetectEngineCtx_::spm_global_thread_ctx.
Referenced by DetectContentRegister().
void SigParseRequiredContentSize | ( | const Signature * | s, |
const int | max_size, | ||
const SigMatch * | sm, | ||
int * | len, | ||
int * | offset | ||
) |
Determine the size needed to accommodate the content elements of a signature.
s | signature to get dsize value from |
max_size | Maximum buffer/data size allowed. |
list | signature match list. |
len | Maximum length required |
offset | Maximum offset encountered |
Note that negated content does not contribute to the maximum required size value. However, each negated content's values must not exceed the size value.
Values from negated content blocks are used to determine if the negated content block requires a value that exceeds "max_size". The distance and within values from negated content blocks are added to the running total of required content size to see if the max_size would be exceeded.
Definition at line 408 of file detect-content.c.
References DetectContentData_::content_len, SigMatch_::ctx, DetectContentData_::depth, DETECT_CONTENT, DETECT_CONTENT_DISTANCE, DETECT_CONTENT_NEGATED, DETECT_CONTENT_WITHIN, DetectContentData_::distance, DetectContentData_::flags, len, MAX, SigMatch_::next, offset, DetectContentData_::offset, SCLogDebug, SigMatch_::type, and DetectContentData_::within.
Referenced by SigParseMaxRequiredDsize().