#include "util-spm.h"
Go to the source code of this file.
Data Structures | |
| struct | DetectContentData_ |
Typedefs | |
| typedef struct DetectContentData_ | DetectContentData |
Functions | |
| void | DetectContentRegister (void) |
| uint32_t | DetectContentMaxId (DetectEngineCtx *) |
| DetectContentData * | DetectContentParse (SpmGlobalThreadCtx *spm_global_thread_ctx, const char *contentstr) |
| DetectContentParse \initonly. More... | |
| int | DetectContentDataParse (const char *keyword, const char *contentstr, uint8_t **pstr, uint16_t *plen) |
| Parse a content string, ie "abc|DE|fgh". More... | |
| DetectContentData * | DetectContentParseEncloseQuotes (SpmGlobalThreadCtx *spm_global_thread_ctx, const char *contentstr) |
| int | DetectContentSetup (DetectEngineCtx *de_ctx, Signature *s, const char *contentstr) |
| Function to setup a content pattern. More... | |
| void | DetectContentPrint (DetectContentData *) |
| Helper function to print a DetectContentData. More... | |
| void | DetectContentFree (DetectEngineCtx *, void *) |
| this function will SCFree memory associated with DetectContentData More... | |
| bool | DetectContentPMATCHValidateCallback (const Signature *s) |
| void | DetectContentPropagateLimits (Signature *s) |
| apply depth/offset and distance/within to content matches More... | |
Detailed Description
Definition in file detect-content.h.
Macro Definition Documentation
◆ DETECT_CONTENT_DEPTH
| #define DETECT_CONTENT_DEPTH BIT_U32(4) |
Definition at line 34 of file detect-content.h.
◆ DETECT_CONTENT_DEPTH_BE
| #define DETECT_CONTENT_DEPTH_BE BIT_U32(12) |
Definition at line 47 of file detect-content.h.
◆ DETECT_CONTENT_DISTANCE
| #define DETECT_CONTENT_DISTANCE BIT_U32(1) |
Definition at line 31 of file detect-content.h.
◆ DETECT_CONTENT_DISTANCE_BE
| #define DETECT_CONTENT_DISTANCE_BE BIT_U32(13) |
Definition at line 48 of file detect-content.h.
◆ DETECT_CONTENT_DISTANCE_NEXT
| #define DETECT_CONTENT_DISTANCE_NEXT BIT_U32(18) |
Definition at line 59 of file detect-content.h.
◆ DETECT_CONTENT_ENDS_WITH
| #define DETECT_CONTENT_ENDS_WITH BIT_U32(10) |
Definition at line 43 of file detect-content.h.
◆ DETECT_CONTENT_FAST_PATTERN
| #define DETECT_CONTENT_FAST_PATTERN BIT_U32(5) |
Definition at line 35 of file detect-content.h.
◆ DETECT_CONTENT_FAST_PATTERN_CHOP
| #define DETECT_CONTENT_FAST_PATTERN_CHOP BIT_U32(7) |
Definition at line 37 of file detect-content.h.
◆ DETECT_CONTENT_FAST_PATTERN_ONLY
| #define DETECT_CONTENT_FAST_PATTERN_ONLY BIT_U32(6) |
Definition at line 36 of file detect-content.h.
◆ DETECT_CONTENT_IS_SINGLE
| #define DETECT_CONTENT_IS_SINGLE | ( | c | ) |
Definition at line 67 of file detect-content.h.
◆ DETECT_CONTENT_MPM
| #define DETECT_CONTENT_MPM BIT_U32(20) |
MPM pattern selected by the engine or forced by fast_pattern keyword
Definition at line 62 of file detect-content.h.
◆ DETECT_CONTENT_MPM_IS_CONCLUSIVE
| #define DETECT_CONTENT_MPM_IS_CONCLUSIVE | ( | c | ) |
Definition at line 77 of file detect-content.h.
◆ DETECT_CONTENT_NEGATED
| #define DETECT_CONTENT_NEGATED BIT_U32(9) |
content is negated
Definition at line 41 of file detect-content.h.
◆ DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED
| #define DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED BIT_U32(16) |
Definition at line 56 of file detect-content.h.
◆ DETECT_CONTENT_NOCASE
| #define DETECT_CONTENT_NOCASE BIT_U32(0) |
Definition at line 30 of file detect-content.h.
◆ DETECT_CONTENT_OFFSET
| #define DETECT_CONTENT_OFFSET BIT_U32(3) |
Definition at line 33 of file detect-content.h.
◆ DETECT_CONTENT_OFFSET_BE
| #define DETECT_CONTENT_OFFSET_BE BIT_U32(11) |
Definition at line 46 of file detect-content.h.
◆ DETECT_CONTENT_RAWBYTES
| #define DETECT_CONTENT_RAWBYTES BIT_U32(8) |
content applies to a "raw"/undecoded field if applicable
Definition at line 39 of file detect-content.h.
◆ DETECT_CONTENT_RELATIVE_NEXT
| #define DETECT_CONTENT_RELATIVE_NEXT (DETECT_CONTENT_WITHIN_NEXT|DETECT_CONTENT_DISTANCE_NEXT) |
a relative match to this content is next, used in matching phase
Definition at line 65 of file detect-content.h.
◆ DETECT_CONTENT_REPLACE
| #define DETECT_CONTENT_REPLACE BIT_U32(15) |
Definition at line 52 of file detect-content.h.
◆ DETECT_CONTENT_STARTS_WITH
| #define DETECT_CONTENT_STARTS_WITH BIT_U32(19) |
Definition at line 60 of file detect-content.h.
◆ DETECT_CONTENT_WITHIN
| #define DETECT_CONTENT_WITHIN BIT_U32(2) |
Definition at line 32 of file detect-content.h.
◆ DETECT_CONTENT_WITHIN_BE
| #define DETECT_CONTENT_WITHIN_BE BIT_U32(14) |
Definition at line 49 of file detect-content.h.
◆ DETECT_CONTENT_WITHIN_NEXT
| #define DETECT_CONTENT_WITHIN_NEXT BIT_U32(17) |
Definition at line 58 of file detect-content.h.
Typedef Documentation
◆ DetectContentData
| typedef struct DetectContentData_ DetectContentData |
Function Documentation
◆ DetectContentDataParse()
| int DetectContentDataParse | ( | const char * | keyword, |
| const char * | contentstr, | ||
| uint8_t ** | pstr, | ||
| uint16_t * | plen | ||
| ) |
Parse a content string, ie "abc|DE|fgh".
- Parameters
-
content_str null terminated string containing the content result result pointer to pass the fully parsed byte array result_len size of the resulted data flags flags to be set by this parsing function
- Return values
-
-1 error 0 ok
Definition at line 78 of file detect-content.c.
References SC_ERR_INVALID_SIGNATURE, SCCalloc, SCLogDebug, SCLogError, str, and strlcpy().
Referenced by DetectContentParse().
◆ DetectContentFree()
| void DetectContentFree | ( | DetectEngineCtx * | de_ctx, |
| void * | ptr | ||
| ) |
this function will SCFree memory associated with DetectContentData
- Parameters
-
cd pointer to DetectContentData
Definition at line 370 of file detect-content.c.
References SCEnter, SCFree, SCReturn, DetectContentData_::spm_ctx, and SpmDestroyCtx().
Referenced by DetectContentRegister(), and DetectContentSetup().
◆ DetectContentMaxId()
| uint32_t DetectContentMaxId | ( | DetectEngineCtx * | ) |
◆ DetectContentParse()
| DetectContentData* DetectContentParse | ( | SpmGlobalThreadCtx * | spm_global_thread_ctx, |
| const char * | contentstr | ||
| ) |
DetectContentParse \initonly.
Definition at line 199 of file detect-content.c.
References DetectContentData_::content, DetectContentData_::content_len, DetectContentData_::depth, DetectContentDataParse(), DetectContentData_::distance, len, DetectContentData_::offset, SCFree, SCMalloc, DetectContentData_::spm_ctx, SpmInitCtx(), unlikely, and DetectContentData_::within.
Referenced by DetectContentParseEncloseQuotes(), and DetectContentSetup().
◆ DetectContentParseEncloseQuotes()
| DetectContentData* DetectContentParseEncloseQuotes | ( | SpmGlobalThreadCtx * | spm_global_thread_ctx, |
| const char * | contentstr | ||
| ) |
Definition at line 243 of file detect-content.c.
References DetectContentParse().
◆ DetectContentPMATCHValidateCallback()
| bool DetectContentPMATCHValidateCallback | ( | const Signature * | s | ) |
- Return values
-
1 valid 0 invalid
Definition at line 388 of file detect-content.c.
References DetectContentData_::content_len, SigMatch_::ctx, DETECT_CONTENT, DETECT_SM_LIST_PMATCH, FALSE, Signature_::flags, Signature_::init_data, SigMatch_::next, DetectContentData_::offset, SC_ERR_INVALID_SIGNATURE, SCLogError, SIG_FLAG_DSIZE, SigParseGetMaxDsize(), SignatureInitData_::smlists, TRUE, and SigMatch_::type.
◆ DetectContentPrint()
| void DetectContentPrint | ( | DetectContentData * | ) |
Helper function to print a DetectContentData.
Definition at line 252 of file detect-content.c.
References DetectContentData_::content, DetectContentData_::content_len, DetectContentData_::depth, DETECT_CONTENT_NEGATED, DETECT_CONTENT_RELATIVE_NEXT, DetectContentData_::distance, DetectContentData_::flags, DetectContentData_::id, DetectContentData_::offset, DetectContentData_::replace, DetectContentData_::replace_len, SCFree, SCLogDebug, SCMalloc, and DetectContentData_::within.
Referenced by DetectContentSetup().
◆ DetectContentPropagateLimits()
| void DetectContentPropagateLimits | ( | Signature * | s | ) |
apply depth/offset and distance/within to content matches
The idea is that any limitation we can set is a win, as the mpm can use this to reduce match candidates.
E.g. if we have 'content:"1"; depth:1; content:"2"; distance:0; within:1;' we know that we can add 'offset:1; depth:2;' to the 2nd condition. This will then be used in mpm if the 2nd condition would be selected for mpm.
Another example: 'content:"1"; depth:1; content:"2"; distance:0;'. Here we cannot set a depth, but we can set an offset of 'offset:1;'. This will make the mpm a bit more precise.
Definition at line 436 of file detect-content.c.
References BUG_ON, and Signature_::init_data.
◆ DetectContentRegister()
| void DetectContentRegister | ( | void | ) |
Definition at line 55 of file detect-content.c.
References SigTableElmt_::desc, DETECT_CONTENT, DetectContentFree(), DetectContentSetup(), SigTableElmt_::Free, SigTableElmt_::Match, SigTableElmt_::name, SigTableElmt_::RegisterTests, SigTableElmt_::Setup, sigmatch_table, and SigTableElmt_::url.
Referenced by SigTableSetup().
◆ DetectContentSetup()
| int DetectContentSetup | ( | DetectEngineCtx * | de_ctx, |
| Signature * | s, | ||
| const char * | contentstr | ||
| ) |
Function to setup a content pattern.
- Parameters
-
de_ctx pointer to the current detection_engine s pointer to the current Signature m pointer to the last parsed SigMatch contentstr pointer to the current keyword content string
- Return values
-
-1 if error 0 if all was ok
Definition at line 318 of file detect-content.c.
References DetectContentData_::content, DetectContentData_::content_len, SigMatch_::ctx, de_ctx, DETECT_CONTENT, DETECT_CONTENT_NEGATED, DETECT_SM_LIST_MAX, DETECT_SM_LIST_NOTSET, DETECT_SM_LIST_PMATCH, DetectBufferGetActiveList(), DetectBufferTypeValidateTransform(), DetectContentFree(), DetectContentParse(), DetectContentPrint(), DetectContentData_::flags, Signature_::init_data, SignatureInitData_::list, SignatureInitData_::negated, SC_ERR_INVALID_SIGNATURE, SCLogError, SigMatchAlloc(), SigMatchAppendSMToList(), DetectEngineCtx_::spm_global_thread_ctx, and SigMatch_::type.
Referenced by DetectContentRegister().
