#include "util-spm.h"
Go to the source code of this file.
Data Structures | |
| struct | DetectContentData_ |
Typedefs | |
| typedef struct DetectContentData_ | DetectContentData |
Functions | |
| void | DetectContentRegister (void) |
| DetectContentData * | DetectContentParse (SpmGlobalThreadCtx *spm_global_thread_ctx, const char *contentstr) |
| DetectContentParse \initonly. More... | |
| int | DetectContentDataParse (const char *keyword, const char *contentstr, uint8_t **pstr, uint16_t *plen) |
| Parse a content string, ie "abc|DE|fgh". More... | |
| DetectContentData * | DetectContentParseEncloseQuotes (SpmGlobalThreadCtx *spm_global_thread_ctx, const char *contentstr) |
| int | DetectContentSetup (DetectEngineCtx *de_ctx, Signature *s, const char *contentstr) |
| Function to setup a content pattern. More... | |
| void | DetectContentPrint (DetectContentData *) |
| Helper function to print a DetectContentData. More... | |
| void | DetectContentFree (DetectEngineCtx *, void *) |
| this function will SCFree memory associated with DetectContentData More... | |
| bool | DetectContentPMATCHValidateCallback (const Signature *s) |
| void | DetectContentPropagateLimits (Signature *s) |
| void | DetectContentPatternPrettyPrint (const DetectContentData *cd, char *str, size_t str_len) |
| void | SigParseRequiredContentSize (const Signature *s, const uint64_t max, const SigMatch *sm, int *len, int *offset) |
| Determine the size needed to accommodate the content elements of a signature. More... | |
| int | DetectContentConvertToNocase (DetectEngineCtx *de_ctx, DetectContentData *cd) |
Detailed Description
Definition in file detect-content.h.
Macro Definition Documentation
◆ DETECT_CONTENT_DEPTH
| #define DETECT_CONTENT_DEPTH BIT_U32(4) |
Definition at line 34 of file detect-content.h.
◆ DETECT_CONTENT_DEPTH_VAR
| #define DETECT_CONTENT_DEPTH_VAR BIT_U32(12) |
Definition at line 47 of file detect-content.h.
◆ DETECT_CONTENT_DISTANCE
| #define DETECT_CONTENT_DISTANCE BIT_U32(1) |
Definition at line 31 of file detect-content.h.
◆ DETECT_CONTENT_DISTANCE2OFFSET
| #define DETECT_CONTENT_DISTANCE2OFFSET BIT_U32(22) |
Definition at line 64 of file detect-content.h.
◆ DETECT_CONTENT_DISTANCE_NEXT
| #define DETECT_CONTENT_DISTANCE_NEXT BIT_U32(18) |
Definition at line 59 of file detect-content.h.
◆ DETECT_CONTENT_DISTANCE_VAR
| #define DETECT_CONTENT_DISTANCE_VAR BIT_U32(13) |
Definition at line 48 of file detect-content.h.
◆ DETECT_CONTENT_ENDS_WITH
| #define DETECT_CONTENT_ENDS_WITH BIT_U32(10) |
Definition at line 43 of file detect-content.h.
◆ DETECT_CONTENT_FAST_PATTERN
| #define DETECT_CONTENT_FAST_PATTERN BIT_U32(5) |
Definition at line 35 of file detect-content.h.
◆ DETECT_CONTENT_FAST_PATTERN_CHOP
| #define DETECT_CONTENT_FAST_PATTERN_CHOP BIT_U32(7) |
Definition at line 37 of file detect-content.h.
◆ DETECT_CONTENT_FAST_PATTERN_ONLY
| #define DETECT_CONTENT_FAST_PATTERN_ONLY BIT_U32(6) |
Definition at line 36 of file detect-content.h.
◆ DETECT_CONTENT_IS_SINGLE
| #define DETECT_CONTENT_IS_SINGLE | ( | c | ) |
Definition at line 69 of file detect-content.h.
◆ DETECT_CONTENT_MPM
| #define DETECT_CONTENT_MPM BIT_U32(20) |
MPM pattern selected by the engine or forced by fast_pattern keyword
Definition at line 62 of file detect-content.h.
◆ DETECT_CONTENT_MPM_IS_CONCLUSIVE
| #define DETECT_CONTENT_MPM_IS_CONCLUSIVE | ( | c | ) |
Definition at line 79 of file detect-content.h.
◆ DETECT_CONTENT_NEGATED
| #define DETECT_CONTENT_NEGATED BIT_U32(9) |
content is negated
Definition at line 41 of file detect-content.h.
◆ DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED
| #define DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED BIT_U32(16) |
Definition at line 56 of file detect-content.h.
◆ DETECT_CONTENT_NOCASE
| #define DETECT_CONTENT_NOCASE BIT_U32(0) |
Definition at line 30 of file detect-content.h.
◆ DETECT_CONTENT_OFFSET
| #define DETECT_CONTENT_OFFSET BIT_U32(3) |
Definition at line 33 of file detect-content.h.
◆ DETECT_CONTENT_OFFSET_VAR
| #define DETECT_CONTENT_OFFSET_VAR BIT_U32(11) |
Definition at line 46 of file detect-content.h.
◆ DETECT_CONTENT_RAWBYTES
| #define DETECT_CONTENT_RAWBYTES BIT_U32(8) |
content applies to a "raw"/undecoded field if applicable
Definition at line 39 of file detect-content.h.
◆ DETECT_CONTENT_RELATIVE_NEXT
| #define DETECT_CONTENT_RELATIVE_NEXT (DETECT_CONTENT_WITHIN_NEXT|DETECT_CONTENT_DISTANCE_NEXT) |
a relative match to this content is next, used in matching phase
Definition at line 67 of file detect-content.h.
◆ DETECT_CONTENT_REPLACE
| #define DETECT_CONTENT_REPLACE BIT_U32(15) |
Definition at line 52 of file detect-content.h.
◆ DETECT_CONTENT_STARTS_WITH
| #define DETECT_CONTENT_STARTS_WITH BIT_U32(19) |
Definition at line 60 of file detect-content.h.
◆ DETECT_CONTENT_VALUE_MAX
| #define DETECT_CONTENT_VALUE_MAX 1024 * 1024 |
Definition at line 90 of file detect-content.h.
◆ DETECT_CONTENT_WITHIN
| #define DETECT_CONTENT_WITHIN BIT_U32(2) |
Definition at line 32 of file detect-content.h.
◆ DETECT_CONTENT_WITHIN2DEPTH
| #define DETECT_CONTENT_WITHIN2DEPTH BIT_U32(21) |
Definition at line 63 of file detect-content.h.
◆ DETECT_CONTENT_WITHIN_NEXT
| #define DETECT_CONTENT_WITHIN_NEXT BIT_U32(17) |
Definition at line 58 of file detect-content.h.
◆ DETECT_CONTENT_WITHIN_VAR
| #define DETECT_CONTENT_WITHIN_VAR BIT_U32(14) |
Definition at line 49 of file detect-content.h.
Typedef Documentation
◆ DetectContentData
| typedef struct DetectContentData_ DetectContentData |
Function Documentation
◆ DetectContentConvertToNocase()
| int DetectContentConvertToNocase | ( | DetectEngineCtx * | de_ctx, |
| DetectContentData * | cd | ||
| ) |
Definition at line 767 of file detect-content.c.
References DetectContentData_::content, DetectContentData_::content_len, de_ctx, DETECT_CONTENT_NOCASE, DetectContentData_::flags, SCLogError, DetectContentData_::spm_ctx, DetectEngineCtx_::spm_global_thread_ctx, SpmDestroyCtx(), SpmInitCtx(), and u8_tolower.
◆ DetectContentDataParse()
| int DetectContentDataParse | ( | const char * | keyword, |
| const char * | contentstr, | ||
| uint8_t ** | pstr, | ||
| uint16_t * | plen | ||
| ) |
Parse a content string, ie "abc|DE|fgh".
- Parameters
-
content_str null terminated string containing the content result result pointer to pass the fully parsed byte array result_len size of the resulted data flags flags to be set by this parsing function
- Return values
-
-1 error 0 ok
Definition at line 85 of file detect-content.c.
References SCCalloc, SCLogDebug, SCLogError, str, and strlcpy().
Referenced by DetectContentParse().
◆ DetectContentFree()
| void DetectContentFree | ( | DetectEngineCtx * | de_ctx, |
| void * | ptr | ||
| ) |
this function will SCFree memory associated with DetectContentData
- Parameters
-
cd pointer to DetectContentData
Definition at line 374 of file detect-content.c.
References SCEnter, SCFree, SCReturn, DetectContentData_::spm_ctx, and SpmDestroyCtx().
Referenced by DetectContentRegister(), and DetectContentSetup().
◆ DetectContentParse()
| DetectContentData* DetectContentParse | ( | SpmGlobalThreadCtx * | spm_global_thread_ctx, |
| const char * | contentstr | ||
| ) |
DetectContentParse \initonly.
Definition at line 213 of file detect-content.c.
References DetectContentData_::content, DetectContentData_::content_len, DetectContentData_::depth, DetectContentDataParse(), DetectContentData_::distance, len, DetectContentData_::offset, SCCalloc, SCFree, DetectContentData_::spm_ctx, SpmInitCtx(), unlikely, and DetectContentData_::within.
Referenced by DetectContentParseEncloseQuotes(), and DetectContentSetup().
◆ DetectContentParseEncloseQuotes()
| DetectContentData* DetectContentParseEncloseQuotes | ( | SpmGlobalThreadCtx * | spm_global_thread_ctx, |
| const char * | contentstr | ||
| ) |
Definition at line 255 of file detect-content.c.
References DetectContentParse().
◆ DetectContentPatternPrettyPrint()
| void DetectContentPatternPrettyPrint | ( | const DetectContentData * | cd, |
| char * | str, | ||
| size_t | str_len | ||
| ) |
Definition at line 746 of file detect-content.c.
References DetectContentData_::content_len.
Referenced by DumpPatterns().
◆ DetectContentPMATCHValidateCallback()
| bool DetectContentPMATCHValidateCallback | ( | const Signature * | s | ) |
- Return values
-
true valid false invalid
Definition at line 456 of file detect-content.c.
References Signature_::flags, SCLogDebug, SCLogError, SIG_FLAG_DSIZE, SigParseGetMaxDsize(), and SigParseMaxRequiredDsize().
◆ DetectContentPrint()
| void DetectContentPrint | ( | DetectContentData * | ) |
Helper function to print a DetectContentData.
Definition at line 264 of file detect-content.c.
References DetectContentData_::content, DetectContentData_::content_len, DetectContentData_::depth, DETECT_CONTENT_NEGATED, DETECT_CONTENT_RELATIVE_NEXT, DetectContentData_::distance, DetectContentData_::flags, DetectContentData_::id, DetectContentData_::offset, DetectContentData_::replace, DetectContentData_::replace_len, SCFree, SCLogDebug, SCMalloc, and DetectContentData_::within.
Referenced by DetectContentSetup().
◆ DetectContentPropagateLimits()
| void DetectContentPropagateLimits | ( | Signature * | s | ) |
Definition at line 718 of file detect-content.c.
◆ DetectContentRegister()
| void DetectContentRegister | ( | void | ) |
Definition at line 59 of file detect-content.c.
References SigTableElmt_::desc, DETECT_CONTENT, DetectContentFree(), DetectContentSetup(), SigTableElmt_::Free, SigTableElmt_::Match, SigTableElmt_::name, SigTableElmt_::RegisterTests, SigTableElmt_::Setup, sigmatch_table, and SigTableElmt_::url.
Referenced by SigTableSetup().
◆ DetectContentSetup()
| int DetectContentSetup | ( | DetectEngineCtx * | de_ctx, |
| Signature * | s, | ||
| const char * | contentstr | ||
| ) |
Function to setup a content pattern.
- Parameters
-
de_ctx pointer to the current detection_engine s pointer to the current Signature m pointer to the last parsed SigMatch contentstr pointer to the current keyword content string
- Return values
-
-1 if error 0 if all was ok
Definition at line 330 of file detect-content.c.
References DetectContentData_::content, DetectContentData_::content_len, de_ctx, DETECT_CONTENT, DETECT_CONTENT_NEGATED, DETECT_SM_LIST_MAX, DETECT_SM_LIST_NOTSET, DETECT_SM_LIST_PMATCH, DetectBufferGetActiveList(), DetectContentFree(), DetectContentParse(), DetectContentPrint(), DetectEngineBufferTypeValidateTransform(), DetectContentData_::flags, Signature_::init_data, SignatureInitData_::list, SignatureInitData_::negated, SCLogError, SCSigMatchAppendSMToList(), and DetectEngineCtx_::spm_global_thread_ctx.
Referenced by DetectContentRegister().
◆ SigParseRequiredContentSize()
| void SigParseRequiredContentSize | ( | const Signature * | s, |
| const uint64_t | max_size, | ||
| const SigMatch * | sm, | ||
| int * | len, | ||
| int * | offset | ||
| ) |
Determine the size needed to accommodate the content elements of a signature.
- Parameters
-
s signature to get dsize value from max_size Maximum buffer/data size allowed. list signature match list. len Maximum length required offset Maximum offset encountered
Note that negated content does not contribute to the maximum required size value. However, each negated content's values must not exceed the size value.
Values from negated content blocks are used to determine if the negated content block requires a value that exceeds "max_size". The distance and within values from negated content blocks are added to the running total of required content size to see if the max_size would be exceeded.
- Non-negated content contributes to the required size (content length, distance)
- Negated content values are checked but not accumulated for the required size.
Definition at line 410 of file detect-content.c.
References DetectContentData_::content_len, SigMatch_::ctx, DetectContentData_::depth, DETECT_CONTENT, DETECT_CONTENT_DISTANCE, DETECT_CONTENT_NEGATED, DETECT_CONTENT_WITHIN, DetectContentData_::distance, DetectContentData_::flags, len, MAX, SigMatch_::next, offset, DetectContentData_::offset, SCLogDebug, SigMatch_::type, and DetectContentData_::within.
Referenced by SigParseMaxRequiredDsize().
