suricata
Data Structures | Macros | Typedefs | Functions
detect-content.h File Reference
#include "util-spm.h"
Include dependency graph for detect-content.h:

Go to the source code of this file.

Data Structures

struct  DetectContentData_
 

Macros

#define DETECT_CONTENT_NOCASE   BIT_U32(0)
 
#define DETECT_CONTENT_DISTANCE   BIT_U32(1)
 
#define DETECT_CONTENT_WITHIN   BIT_U32(2)
 
#define DETECT_CONTENT_OFFSET   BIT_U32(3)
 
#define DETECT_CONTENT_DEPTH   BIT_U32(4)
 
#define DETECT_CONTENT_FAST_PATTERN   BIT_U32(5)
 
#define DETECT_CONTENT_FAST_PATTERN_ONLY   BIT_U32(6)
 
#define DETECT_CONTENT_FAST_PATTERN_CHOP   BIT_U32(7)
 
#define DETECT_CONTENT_RAWBYTES   BIT_U32(8)
 
#define DETECT_CONTENT_NEGATED   BIT_U32(9)
 
#define DETECT_CONTENT_ENDS_WITH   BIT_U32(10)
 
#define DETECT_CONTENT_OFFSET_VAR   BIT_U32(11)
 
#define DETECT_CONTENT_DEPTH_VAR   BIT_U32(12)
 
#define DETECT_CONTENT_DISTANCE_VAR   BIT_U32(13)
 
#define DETECT_CONTENT_WITHIN_VAR   BIT_U32(14)
 
#define DETECT_CONTENT_REPLACE   BIT_U32(15)
 
#define DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED   BIT_U32(16)
 
#define DETECT_CONTENT_WITHIN_NEXT   BIT_U32(17)
 
#define DETECT_CONTENT_DISTANCE_NEXT   BIT_U32(18)
 
#define DETECT_CONTENT_STARTS_WITH   BIT_U32(19)
 
#define DETECT_CONTENT_MPM   BIT_U32(20)
 
#define DETECT_CONTENT_RELATIVE_NEXT   (DETECT_CONTENT_WITHIN_NEXT|DETECT_CONTENT_DISTANCE_NEXT)
 
#define DETECT_CONTENT_IS_SINGLE(c)
 
#define DETECT_CONTENT_MPM_IS_CONCLUSIVE(c)
 

Typedefs

typedef struct DetectContentData_ DetectContentData
 

Functions

void DetectContentRegister (void)
 
uint32_t DetectContentMaxId (DetectEngineCtx *)
 
DetectContentDataDetectContentParse (SpmGlobalThreadCtx *spm_global_thread_ctx, const char *contentstr)
 DetectContentParse \initonly. More...
 
int DetectContentDataParse (const char *keyword, const char *contentstr, uint8_t **pstr, uint16_t *plen)
 Parse a content string, ie "abc|DE|fgh". More...
 
DetectContentDataDetectContentParseEncloseQuotes (SpmGlobalThreadCtx *spm_global_thread_ctx, const char *contentstr)
 
int DetectContentSetup (DetectEngineCtx *de_ctx, Signature *s, const char *contentstr)
 Function to setup a content pattern. More...
 
void DetectContentPrint (DetectContentData *)
 Helper function to print a DetectContentData. More...
 
void DetectContentFree (DetectEngineCtx *, void *)
 this function will SCFree memory associated with DetectContentData More...
 
bool DetectContentPMATCHValidateCallback (const Signature *s)
 
void DetectContentPropagateLimits (Signature *s)
 apply depth/offset and distance/within to content matches More...
 
void DetectContentPatternPrettyPrint (const DetectContentData *cd, char *str, size_t str_len)
 
void SigParseRequiredContentSize (const Signature *s, const int max, int list, int *len, int *offset)
 

Detailed Description

Author
Victor Julien victo.nosp@m.r@in.nosp@m.linia.nosp@m.c.ne.nosp@m.t

Definition in file detect-content.h.

Macro Definition Documentation

◆ DETECT_CONTENT_DEPTH

#define DETECT_CONTENT_DEPTH   BIT_U32(4)

Definition at line 34 of file detect-content.h.

◆ DETECT_CONTENT_DEPTH_VAR

#define DETECT_CONTENT_DEPTH_VAR   BIT_U32(12)

Definition at line 47 of file detect-content.h.

◆ DETECT_CONTENT_DISTANCE

#define DETECT_CONTENT_DISTANCE   BIT_U32(1)

Definition at line 31 of file detect-content.h.

◆ DETECT_CONTENT_DISTANCE_NEXT

#define DETECT_CONTENT_DISTANCE_NEXT   BIT_U32(18)

Definition at line 59 of file detect-content.h.

◆ DETECT_CONTENT_DISTANCE_VAR

#define DETECT_CONTENT_DISTANCE_VAR   BIT_U32(13)

Definition at line 48 of file detect-content.h.

◆ DETECT_CONTENT_ENDS_WITH

#define DETECT_CONTENT_ENDS_WITH   BIT_U32(10)

Definition at line 43 of file detect-content.h.

◆ DETECT_CONTENT_FAST_PATTERN

#define DETECT_CONTENT_FAST_PATTERN   BIT_U32(5)

Definition at line 35 of file detect-content.h.

◆ DETECT_CONTENT_FAST_PATTERN_CHOP

#define DETECT_CONTENT_FAST_PATTERN_CHOP   BIT_U32(7)

Definition at line 37 of file detect-content.h.

◆ DETECT_CONTENT_FAST_PATTERN_ONLY

#define DETECT_CONTENT_FAST_PATTERN_ONLY   BIT_U32(6)

Definition at line 36 of file detect-content.h.

◆ DETECT_CONTENT_IS_SINGLE

#define DETECT_CONTENT_IS_SINGLE (   c)
Value:
(!( ((c)->flags & DETECT_CONTENT_DISTANCE) || \
((c)->flags & DETECT_CONTENT_WITHIN) || \
((c)->flags & DETECT_CONTENT_RELATIVE_NEXT) || \
((c)->flags & DETECT_CONTENT_DEPTH) || \
((c)->flags & DETECT_CONTENT_OFFSET) ))

Definition at line 67 of file detect-content.h.

◆ DETECT_CONTENT_MPM

#define DETECT_CONTENT_MPM   BIT_U32(20)

MPM pattern selected by the engine or forced by fast_pattern keyword

Definition at line 62 of file detect-content.h.

◆ DETECT_CONTENT_MPM_IS_CONCLUSIVE

#define DETECT_CONTENT_MPM_IS_CONCLUSIVE (   c)
Value:
!( ((c)->flags & DETECT_CONTENT_DISTANCE) || \
((c)->flags & DETECT_CONTENT_WITHIN) || \
((c)->flags & DETECT_CONTENT_DEPTH) || \
((c)->flags & DETECT_CONTENT_OFFSET) || \
((c)->flags & DETECT_CONTENT_FAST_PATTERN_CHOP))

Definition at line 77 of file detect-content.h.

◆ DETECT_CONTENT_NEGATED

#define DETECT_CONTENT_NEGATED   BIT_U32(9)

content is negated

Definition at line 41 of file detect-content.h.

◆ DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED

#define DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED   BIT_U32(16)

Definition at line 56 of file detect-content.h.

◆ DETECT_CONTENT_NOCASE

#define DETECT_CONTENT_NOCASE   BIT_U32(0)

Definition at line 30 of file detect-content.h.

◆ DETECT_CONTENT_OFFSET

#define DETECT_CONTENT_OFFSET   BIT_U32(3)

Definition at line 33 of file detect-content.h.

◆ DETECT_CONTENT_OFFSET_VAR

#define DETECT_CONTENT_OFFSET_VAR   BIT_U32(11)

Definition at line 46 of file detect-content.h.

◆ DETECT_CONTENT_RAWBYTES

#define DETECT_CONTENT_RAWBYTES   BIT_U32(8)

content applies to a "raw"/undecoded field if applicable

Definition at line 39 of file detect-content.h.

◆ DETECT_CONTENT_RELATIVE_NEXT

#define DETECT_CONTENT_RELATIVE_NEXT   (DETECT_CONTENT_WITHIN_NEXT|DETECT_CONTENT_DISTANCE_NEXT)

a relative match to this content is next, used in matching phase

Definition at line 65 of file detect-content.h.

◆ DETECT_CONTENT_REPLACE

#define DETECT_CONTENT_REPLACE   BIT_U32(15)

Definition at line 52 of file detect-content.h.

◆ DETECT_CONTENT_STARTS_WITH

#define DETECT_CONTENT_STARTS_WITH   BIT_U32(19)

Definition at line 60 of file detect-content.h.

◆ DETECT_CONTENT_WITHIN

#define DETECT_CONTENT_WITHIN   BIT_U32(2)

Definition at line 32 of file detect-content.h.

◆ DETECT_CONTENT_WITHIN_NEXT

#define DETECT_CONTENT_WITHIN_NEXT   BIT_U32(17)

Definition at line 58 of file detect-content.h.

◆ DETECT_CONTENT_WITHIN_VAR

#define DETECT_CONTENT_WITHIN_VAR   BIT_U32(14)

Definition at line 49 of file detect-content.h.

Typedef Documentation

◆ DetectContentData

typedef struct DetectContentData_ DetectContentData

Function Documentation

◆ DetectContentDataParse()

int DetectContentDataParse ( const char *  keyword,
const char *  contentstr,
uint8_t **  pstr,
uint16_t *  plen 
)

Parse a content string, ie "abc|DE|fgh".

Parameters
content_strnull terminated string containing the content
resultresult pointer to pass the fully parsed byte array
result_lensize of the resulted data
flagsflags to be set by this parsing function
Return values
-1error
0ok

Definition at line 83 of file detect-content.c.

References SC_ERR_INVALID_SIGNATURE, SCCalloc, SCLogDebug, SCLogError, str, and strlcpy().

Referenced by DetectContentParse().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ DetectContentFree()

void DetectContentFree ( DetectEngineCtx de_ctx,
void *  ptr 
)

this function will SCFree memory associated with DetectContentData

Parameters
cdpointer to DetectContentData

Definition at line 379 of file detect-content.c.

References SCEnter, SCFree, SCReturn, DetectContentData_::spm_ctx, and SpmDestroyCtx().

Referenced by DetectContentRegister(), and DetectContentSetup().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ DetectContentMaxId()

uint32_t DetectContentMaxId ( DetectEngineCtx )

◆ DetectContentParse()

DetectContentData* DetectContentParse ( SpmGlobalThreadCtx spm_global_thread_ctx,
const char *  contentstr 
)

DetectContentParse \initonly.

Definition at line 210 of file detect-content.c.

References DetectContentData_::content, DetectContentData_::content_len, DetectContentData_::depth, DetectContentDataParse(), DetectContentData_::distance, len, DetectContentData_::offset, SCCalloc, SCFree, DetectContentData_::spm_ctx, SpmInitCtx(), unlikely, and DetectContentData_::within.

Referenced by DetectContentParseEncloseQuotes(), and DetectContentSetup().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ DetectContentParseEncloseQuotes()

DetectContentData* DetectContentParseEncloseQuotes ( SpmGlobalThreadCtx spm_global_thread_ctx,
const char *  contentstr 
)

Definition at line 252 of file detect-content.c.

References DetectContentParse().

Here is the call graph for this function:

◆ DetectContentPatternPrettyPrint()

void DetectContentPatternPrettyPrint ( const DetectContentData cd,
char *  str,
size_t  str_len 
)

Definition at line 721 of file detect-content.c.

References DetectContentData_::content_len.

Referenced by DumpPatterns().

Here is the caller graph for this function:

◆ DetectContentPMATCHValidateCallback()

bool DetectContentPMATCHValidateCallback ( const Signature s)
Return values
truevalid
falseinvalid

Definition at line 466 of file detect-content.c.

References Signature_::flags, SC_ERR_INVALID_SIGNATURE, SCLogDebug, SCLogError, SIG_FLAG_DSIZE, SigParseGetMaxDsize(), and SigParseMaxRequiredDsize().

Here is the call graph for this function:

◆ DetectContentPrint()

void DetectContentPrint ( DetectContentData )

Helper function to print a DetectContentData.

Definition at line 261 of file detect-content.c.

References DetectContentData_::content, DetectContentData_::content_len, DetectContentData_::depth, DETECT_CONTENT_NEGATED, DETECT_CONTENT_RELATIVE_NEXT, DetectContentData_::distance, DetectContentData_::flags, DetectContentData_::id, DetectContentData_::offset, DetectContentData_::replace, DetectContentData_::replace_len, SCFree, SCLogDebug, SCMalloc, and DetectContentData_::within.

Referenced by DetectContentSetup().

Here is the caller graph for this function:

◆ DetectContentPropagateLimits()

void DetectContentPropagateLimits ( Signature s)

apply depth/offset and distance/within to content matches

The idea is that any limitation we can set is a win, as the mpm can use this to reduce match candidates.

E.g. if we have 'content:"1"; depth:1; content:"2"; distance:0; within:1;' we know that we can add 'offset:1; depth:2;' to the 2nd condition. This will then be used in mpm if the 2nd condition would be selected for mpm.

Another example: 'content:"1"; depth:1; content:"2"; distance:0;'. Here we cannot set a depth, but we can set an offset of 'offset:1;'. This will make the mpm a bit more precise.

Definition at line 506 of file detect-content.c.

References BUG_ON, and Signature_::init_data.

◆ DetectContentRegister()

void DetectContentRegister ( void  )

Definition at line 58 of file detect-content.c.

References SigTableElmt_::desc, DETECT_CONTENT, DetectContentFree(), DetectContentSetup(), SigTableElmt_::Free, SigTableElmt_::Match, SigTableElmt_::name, SigTableElmt_::RegisterTests, SigTableElmt_::Setup, sigmatch_table, and SigTableElmt_::url.

Referenced by SigTableSetup().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ DetectContentSetup()

int DetectContentSetup ( DetectEngineCtx de_ctx,
Signature s,
const char *  contentstr 
)

Function to setup a content pattern.

Parameters
de_ctxpointer to the current detection_engine
spointer to the current Signature
mpointer to the last parsed SigMatch
contentstrpointer to the current keyword content string
Return values
-1if error
0if all was ok

Definition at line 327 of file detect-content.c.

References DetectContentData_::content, DetectContentData_::content_len, SigMatch_::ctx, de_ctx, DETECT_CONTENT, DETECT_CONTENT_NEGATED, DETECT_SM_LIST_MAX, DETECT_SM_LIST_NOTSET, DETECT_SM_LIST_PMATCH, DetectBufferGetActiveList(), DetectContentFree(), DetectContentParse(), DetectContentPrint(), DetectEngineBufferTypeValidateTransform(), DetectContentData_::flags, Signature_::init_data, SignatureInitData_::list, SignatureInitData_::negated, SC_ERR_INVALID_SIGNATURE, SCLogError, SigMatchAlloc(), SigMatchAppendSMToList(), DetectEngineCtx_::spm_global_thread_ctx, and SigMatch_::type.

Referenced by DetectContentRegister().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ SigParseRequiredContentSize()

void SigParseRequiredContentSize ( const Signature s,
const int  max,
int  list,
int *  len,
int *  offset 
)

Definition at line 415 of file detect-content.c.

Referenced by SigParseMaxRequiredDsize().

Here is the caller graph for this function:
DETECT_CONTENT_RELATIVE_NEXT
#define DETECT_CONTENT_RELATIVE_NEXT
Definition: detect-content.h:64
DETECT_CONTENT_FAST_PATTERN_CHOP
#define DETECT_CONTENT_FAST_PATTERN_CHOP
Definition: detect-content.h:36
DETECT_CONTENT_DISTANCE
#define DETECT_CONTENT_DISTANCE
Definition: detect-content.h:30
DETECT_CONTENT_DEPTH
#define DETECT_CONTENT_DEPTH
Definition: detect-content.h:33
flags
uint8_t flags
Definition: decode-gre.h:0
DETECT_CONTENT_OFFSET
#define DETECT_CONTENT_OFFSET
Definition: detect-content.h:32
DETECT_CONTENT_WITHIN
#define DETECT_CONTENT_WITHIN
Definition: detect-content.h:31