detect-content.c File Reference
#include "suricata-common.h"
#include "decode.h"
#include "detect.h"
#include "detect-content.h"
#include "detect-uricontent.h"
#include "detect-engine-mpm.h"
#include "detect-engine.h"
#include "detect-engine-build.h"
#include "detect-engine-state.h"
#include "detect-parse.h"
#include "detect-pcre.h"
#include "util-mpm.h"
#include "flow.h"
#include "flow-util.h"
#include "flow-var.h"
#include "detect-flow.h"
#include "app-layer.h"
#include "util-unittest.h"
#include "util-print.h"
#include "util-debug.h"
#include "util-spm.h"
#include "threads.h"
#include "util-unittest-helper.h"
#include "pkt-var.h"
#include "host.h"
#include "util-profiling.h"
#include "detect-dsize.h"
#include "detect-engine-alert.h"
#include "packet.h"
Include dependency graph for detect-content.c:

Go to the source code of this file.


#define VALIDATE(e)
#define TEST_RUN(sig, o, d)
#define TEST_DONE   PASS


void DetectContentRegister (void)
int DetectContentDataParse (const char *keyword, const char *contentstr, uint8_t **pstr, uint16_t *plen)
 Parse a content string, ie "abc|DE|fgh". More...
DetectContentDataDetectContentParse (SpmGlobalThreadCtx *spm_global_thread_ctx, const char *contentstr)
 DetectContentParse \initonly. More...
DetectContentDataDetectContentParseEncloseQuotes (SpmGlobalThreadCtx *spm_global_thread_ctx, const char *contentstr)
void DetectContentPrint (DetectContentData *cd)
 Helper function to print a DetectContentData. More...
int DetectContentSetup (DetectEngineCtx *de_ctx, Signature *s, const char *contentstr)
 Function to setup a content pattern. More...
void DetectContentFree (DetectEngineCtx *de_ctx, void *ptr)
 this function will SCFree memory associated with DetectContentData More...
void SigParseRequiredContentSize (const Signature *s, const int max_size, int list, int *len, int *offset)
bool DetectContentPMATCHValidateCallback (const Signature *s)
void DetectContentPropagateLimits (Signature *s)
void DetectContentPatternPrettyPrint (const DetectContentData *cd, char *str, size_t str_len)

Detailed Description

Victor Julien

Simple content match part of the detection engine.

Definition in file detect-content.c.

Macro Definition Documentation


#define TEST_DONE   PASS

Definition at line 809 of file detect-content.c.


#define TEST_RUN (   sig,
{ \
SCLogDebug("TEST_RUN start: '%s'", (sig)); \
DetectEngineCtx *de_ctx = DetectEngineCtxInit(); \
FAIL_IF_NULL(de_ctx); \
de_ctx->flags |= DE_QUIET; \
char rule[2048]; \
snprintf(rule, sizeof(rule), "alert tcp any any -> any any (%s sid:1; rev:1;)", (sig)); \
Signature *s = DetectEngineAppendSig(de_ctx, rule); \
SigAddressPrepareStage1(de_ctx); \
bool res = TestLastContent(s, (o), (d)); \
FAIL_IF(res == false); \
DetectEngineCtxFree(de_ctx); \

Definition at line 793 of file detect-content.c.


#define VALIDATE (   e)
if (!(e)) { \
return; \

Function Documentation

◆ DetectContentDataParse()

int DetectContentDataParse ( const char *  keyword,
const char *  contentstr,
uint8_t **  pstr,
uint16_t *  plen 

Parse a content string, ie "abc|DE|fgh".

content_strnull terminated string containing the content
resultresult pointer to pass the fully parsed byte array
result_lensize of the resulted data
flagsflags to be set by this parsing function
Return values

Definition at line 83 of file detect-content.c.

References SCCalloc, SCLogDebug, SCLogError, str, and strlcpy().

Referenced by DetectContentParse().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ DetectContentFree()

void DetectContentFree ( DetectEngineCtx de_ctx,
void *  ptr 

this function will SCFree memory associated with DetectContentData

cdpointer to DetectContentData

Definition at line 378 of file detect-content.c.

References SCEnter, SCFree, SCReturn, DetectContentData_::spm_ctx, and SpmDestroyCtx().

Referenced by DetectContentRegister(), and DetectContentSetup().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ DetectContentParse()

DetectContentData* DetectContentParse ( SpmGlobalThreadCtx spm_global_thread_ctx,
const char *  contentstr 

◆ DetectContentParseEncloseQuotes()

DetectContentData* DetectContentParseEncloseQuotes ( SpmGlobalThreadCtx spm_global_thread_ctx,
const char *  contentstr 

Definition at line 253 of file detect-content.c.

References DetectContentParse().

Here is the call graph for this function:

◆ DetectContentPatternPrettyPrint()

void DetectContentPatternPrettyPrint ( const DetectContentData cd,
char *  str,
size_t  str_len 

Definition at line 744 of file detect-content.c.

References DetectContentData_::content_len.

Referenced by DumpPatterns().

Here is the caller graph for this function:

◆ DetectContentPMATCHValidateCallback()

bool DetectContentPMATCHValidateCallback ( const Signature s)
Return values

Definition at line 465 of file detect-content.c.

References Signature_::flags, SCLogDebug, SCLogError, SIG_FLAG_DSIZE, SigParseGetMaxDsize(), and SigParseMaxRequiredDsize().

Here is the call graph for this function:

◆ DetectContentPrint()

◆ DetectContentPropagateLimits()

void DetectContentPropagateLimits ( Signature s)

Definition at line 716 of file detect-content.c.

◆ DetectContentRegister()

void DetectContentRegister ( void  )

Definition at line 58 of file detect-content.c.

References SigTableElmt_::desc, DETECT_CONTENT, DetectContentFree(), DetectContentSetup(), SigTableElmt_::Free, SigTableElmt_::Match, SigTableElmt_::name, SigTableElmt_::RegisterTests, SigTableElmt_::Setup, sigmatch_table, and SigTableElmt_::url.

Referenced by SigTableSetup().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ DetectContentSetup()

int DetectContentSetup ( DetectEngineCtx de_ctx,
Signature s,
const char *  contentstr 

Function to setup a content pattern.

de_ctxpointer to the current detection_engine
spointer to the current Signature
mpointer to the last parsed SigMatch
contentstrpointer to the current keyword content string
Return values
-1if error
0if all was ok

Definition at line 328 of file detect-content.c.

References DetectContentData_::content, DetectContentData_::content_len, SigMatch_::ctx, de_ctx, DETECT_CONTENT, DETECT_CONTENT_NEGATED, DETECT_SM_LIST_MAX, DETECT_SM_LIST_NOTSET, DETECT_SM_LIST_PMATCH, DetectBufferGetActiveList(), DetectContentFree(), DetectContentParse(), DetectContentPrint(), DetectEngineBufferTypeValidateTransform(), DetectContentData_::flags, Signature_::init_data, SignatureInitData_::list, SignatureInitData_::negated, SCLogError, SigMatchAlloc(), SigMatchAppendSMToList(), DetectEngineCtx_::spm_global_thread_ctx, and SigMatch_::type.

Referenced by DetectContentRegister().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ SigParseRequiredContentSize()

void SigParseRequiredContentSize ( const Signature s,
const int  max_size,
int  list,
int *  len,
int *  offset 

Definition at line 414 of file detect-content.c.

Referenced by SigParseMaxRequiredDsize().

Here is the caller graph for this function:
#define DE_QUIET
Definition: detect.h:289
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2423
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2416