suricata
Macros | Functions
detect-content.c File Reference
#include "suricata-common.h"
#include "decode.h"
#include "detect.h"
#include "detect-content.h"
#include "detect-uricontent.h"
#include "detect-engine-mpm.h"
#include "detect-engine.h"
#include "detect-engine-state.h"
#include "detect-parse.h"
#include "detect-pcre.h"
#include "util-mpm.h"
#include "flow.h"
#include "flow-util.h"
#include "flow-var.h"
#include "detect-flow.h"
#include "app-layer.h"
#include "util-unittest.h"
#include "util-print.h"
#include "util-debug.h"
#include "util-spm.h"
#include "threads.h"
#include "util-unittest-helper.h"
#include "pkt-var.h"
#include "host.h"
#include "util-profiling.h"
#include "detect-dsize.h"
Include dependency graph for detect-content.c:

Go to the source code of this file.

Macros

#define TEST_RUN(sig, o, d)
 
#define TEST_DONE   PASS
 

Functions

void DetectContentRegister (void)
 
int DetectContentDataParse (const char *keyword, const char *contentstr, uint8_t **pstr, uint16_t *plen)
 Parse a content string, ie "abc|DE|fgh". More...
 
DetectContentDataDetectContentParse (SpmGlobalThreadCtx *spm_global_thread_ctx, const char *contentstr)
 DetectContentParse . More...
 
DetectContentDataDetectContentParseEncloseQuotes (SpmGlobalThreadCtx *spm_global_thread_ctx, const char *contentstr)
 
void DetectContentPrint (DetectContentData *cd)
 Helper function to print a DetectContentData. More...
 
int DetectContentSetup (DetectEngineCtx *de_ctx, Signature *s, const char *contentstr)
 Function to setup a content pattern. More...
 
void DetectContentFree (void *ptr)
 this function will SCFree memory associated with DetectContentData More...
 
_Bool DetectContentPMATCHValidateCallback (const Signature *s)
 
void DetectContentPropagateLimits (Signature *s)
 apply depth/offset and distance/within to content matches More...
 

Detailed Description

Author
Victor Julien victo.nosp@m.r@in.nosp@m.linia.nosp@m.c.ne.nosp@m.t

Simple content match part of the detection engine.

Definition in file detect-content.c.

Macro Definition Documentation

#define TEST_DONE   PASS

Definition at line 647 of file detect-content.c.

#define TEST_RUN (   sig,
  o,
 
)
Value:
{ \
SCLogDebug("TEST_RUN start: '%s'", (sig)); \
DetectEngineCtx *de_ctx = DetectEngineCtxInit(); \
FAIL_IF_NULL(de_ctx); \
char rule[2048]; \
snprintf(rule, sizeof(rule), "alert tcp any any -> any any (%s sid:1; rev:1;)", (sig)); \
Signature *s = DetectEngineAppendSig(de_ctx, rule); \
FAIL_IF_NULL(s); \
SigAddressPrepareStage1(de_ctx); \
bool res = TestLastContent(s, (o), (d)); \
FAIL_IF(res == false); \
DetectEngineCtxFree(de_ctx); \
}
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2190
SigAddressPrepareStage1
int SigAddressPrepareStage1(DetectEngineCtx *de_ctx)
Preprocess signature, classify ip-only, etc, build sig array.
Definition: detect-engine-build.c:1281
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:335
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
Signature
struct Signature_ Signature
Signature container.
DetectEngineCtx
struct DetectEngineCtx_ DetectEngineCtx
main detection engine ctx
res
PoolThreadReserved res
Definition: stream-tcp-private.h:60
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:1685
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:1640

Definition at line 632 of file detect-content.c.

Function Documentation

int DetectContentDataParse ( const char *  keyword,
const char *  contentstr,
uint8_t **  pstr,
uint16_t *  plen 
)

Parse a content string, ie "abc|DE|fgh".

Parameters
content_strnull terminated string containing the content
resultresult pointer to pass the fully parsed byte array
result_lensize of the resulted data
flagsflags to be set by this parsing function
Return values
-1error
0ok

Definition at line 78 of file detect-content.c.

References SC_ERR_INVALID_SIGNATURE, SCCalloc, SCLogDebug, SCLogError, str, and strlcpy().

Referenced by DetectContentParse(), DetectFileextRegister(), DetectFilemagicRegister(), DetectFilenameRegister(), DetectFlowvarMatch(), DetectPktvarRegister(), and DetectReplaceRegister().

Here is the call graph for this function:

Here is the caller graph for this function:

void DetectContentFree ( void *  ptr)

this function will SCFree memory associated with DetectContentData

Parameters
cdpointer to DetectContentData

Definition at line 359 of file detect-content.c.

References SCEnter, SCFree, SCReturn, DetectContentData_::spm_ctx, and SpmDestroyCtx().

Referenced by DetectContentRegister(), and DetectContentSetup().

Here is the call graph for this function:

Here is the caller graph for this function:

DetectContentData* DetectContentParse ( SpmGlobalThreadCtx spm_global_thread_ctx,
const char *  contentstr 
)

DetectContentParse .

Definition at line 199 of file detect-content.c.

References DetectContentData_::content, DetectContentData_::content_len, DetectContentData_::depth, DetectContentDataParse(), DetectContentData_::distance, len, DetectContentData_::offset, SCFree, SCMalloc, DetectContentData_::spm_ctx, SpmInitCtx(), unlikely, and DetectContentData_::within.

Referenced by DetectContentParseEncloseQuotes(), and DetectContentSetup().

Here is the call graph for this function:

Here is the caller graph for this function:

DetectContentData* DetectContentParseEncloseQuotes ( SpmGlobalThreadCtx spm_global_thread_ctx,
const char *  contentstr 
)

Definition at line 243 of file detect-content.c.

References DetectContentParse().

Here is the call graph for this function:

_Bool DetectContentPMATCHValidateCallback ( const Signature s)
Return values
1valid
0invalid

Definition at line 377 of file detect-content.c.

References DetectContentData_::content_len, SigMatch_::ctx, DETECT_CONTENT, DETECT_SM_LIST_PMATCH, FALSE, Signature_::flags, Signature_::init_data, SigMatch_::next, DetectContentData_::offset, SC_ERR_INVALID_SIGNATURE, SCLogError, SIG_FLAG_DSIZE, SigParseGetMaxDsize(), SignatureInitData_::smlists, TRUE, and SigMatch_::type.

Referenced by SigMatchList2DataArray().

Here is the call graph for this function:

Here is the caller graph for this function:

void DetectContentPrint ( DetectContentData cd)

Helper function to print a DetectContentData.

Definition at line 252 of file detect-content.c.

References DetectContentData_::content, DetectContentData_::content_len, DetectContentData_::depth, DETECT_CONTENT_NEGATED, DETECT_CONTENT_RELATIVE_NEXT, DetectContentData_::distance, DetectContentData_::flags, DetectContentData_::id, DetectContentData_::offset, DetectContentData_::replace, DetectContentData_::replace_len, SCFree, SCLogDebug, SCMalloc, and DetectContentData_::within.

Referenced by DetectContentSetup(), and DetectUricontentRegister().

Here is the caller graph for this function:

void DetectContentPropagateLimits ( Signature s)

apply depth/offset and distance/within to content matches

The idea is that any limitation we can set is a win, as the mpm can use this to reduce match candidates.

E.g. if we have 'content:"1"; depth:1; content:"2"; distance:0; within:1;' we know that we can add 'offset:1; depth:2;' to the 2nd condition. This will then be used in mpm if the 2nd condition would be selected for mpm.

Another example: 'content:"1"; depth:1; content:"2"; distance:0;'. Here we cannot set a depth, but we can set an offset of 'offset:1;'. This will make the mpm a bit more precise.

Definition at line 425 of file detect-content.c.

References BUG_ON, DetectContentData_::content_len, SigMatch_::ctx, DetectContentData_::depth, DETECT_CONTENT, DETECT_CONTENT_DEPTH, DETECT_CONTENT_DISTANCE, DETECT_CONTENT_ENDS_WITH, DETECT_CONTENT_NEGATED, DETECT_CONTENT_OFFSET, DETECT_CONTENT_WITHIN, DETECT_PCRE, DETECT_PCRE_RELATIVE, DETECT_SM_LIST_PMATCH, DetectContentData_::distance, DetectPcreData_::flags, DetectContentData_::flags, Signature_::init_data, MIN, SigMatch_::next, DetectContentData_::offset, offset, SCLogDebug, SignatureInitData_::smlists, SignatureInitData_::smlists_array_size, SignatureInitData_::smlists_tail, SigMatch_::type, and DetectContentData_::within.

Referenced by SigAddressPrepareStage1().

Here is the caller graph for this function:

void DetectContentRegister ( void  )

Definition at line 55 of file detect-content.c.

References SigTableElmt_::desc, DETECT_CONTENT, DetectContentFree(), DetectContentSetup(), DOC_URL, DOC_VERSION, SigTableElmt_::flags, SigTableElmt_::Free, SigTableElmt_::Match, SigTableElmt_::name, SigTableElmt_::RegisterTests, SigTableElmt_::Setup, SIGMATCH_HANDLE_NEGATION, SIGMATCH_QUOTES_MANDATORY, sigmatch_table, and SigTableElmt_::url.

Referenced by SigTableSetup().

Here is the call graph for this function:

Here is the caller graph for this function:

int DetectContentSetup ( DetectEngineCtx de_ctx,
Signature s,
const char *  contentstr 
)

Function to setup a content pattern.

Parameters
de_ctxpointer to the current detection_engine
spointer to the current Signature
mpointer to the last parsed SigMatch
contentstrpointer to the current keyword content string
Return values
-1if error
0if all was ok

Definition at line 318 of file detect-content.c.

References SigMatch_::ctx, DETECT_CONTENT, DETECT_CONTENT_NEGATED, DETECT_SM_LIST_NOTSET, DETECT_SM_LIST_PMATCH, DetectBufferGetActiveList(), DetectContentFree(), DetectContentParse(), DetectContentPrint(), DetectContentData_::flags, Signature_::init_data, SignatureInitData_::list, SignatureInitData_::negated, SigMatchAlloc(), SigMatchAppendSMToList(), DetectEngineCtx_::spm_global_thread_ctx, and SigMatch_::type.

Referenced by DetectContentRegister(), and DetectUricontentRegister().

Here is the call graph for this function:

Here is the caller graph for this function: