#include "util-spm.h"
Data Structures | |
struct | DetectContentData_ |
Typedefs | |
typedef struct DetectContentData_ | DetectContentData |
Functions | |
void | DetectContentRegister (void) |
uint32_t | DetectContentMaxId (DetectEngineCtx *) |
DetectContentData * | DetectContentParse (SpmGlobalThreadCtx *spm_global_thread_ctx, const char *contentstr) |
DetectContentParse (init only). More... | |
int | DetectContentDataParse (const char *keyword, const char *contentstr, uint8_t **pstr, uint16_t *plen) |
Parse a content string, i.e. "abc|DE|fgh". More... | |
DetectContentData * | DetectContentParseEncloseQuotes (SpmGlobalThreadCtx *spm_global_thread_ctx, const char *contentstr) |
int | DetectContentSetup (DetectEngineCtx *de_ctx, Signature *s, const char *contentstr) |
Function to setup a content pattern. More... | |
void | DetectContentPrint (DetectContentData *) |
Helper function to print a DetectContentData. More... | |
void | DetectContentFree (DetectEngineCtx *, void *) |
Frees (via SCFree) the memory associated with a DetectContentData More... | |
bool | DetectContentPMATCHValidateCallback (const Signature *s) |
void | DetectContentPropagateLimits (Signature *s) |
apply depth/offset and distance/within to content matches More... | |
Definition in file detect-content.h.
#define DETECT_CONTENT_DEPTH BIT_U32(4) |
Definition at line 34 of file detect-content.h.
#define DETECT_CONTENT_DEPTH_VAR BIT_U32(12) |
Definition at line 47 of file detect-content.h.
#define DETECT_CONTENT_DISTANCE BIT_U32(1) |
Definition at line 31 of file detect-content.h.
#define DETECT_CONTENT_DISTANCE_NEXT BIT_U32(18) |
Definition at line 59 of file detect-content.h.
#define DETECT_CONTENT_DISTANCE_VAR BIT_U32(13) |
Definition at line 48 of file detect-content.h.
#define DETECT_CONTENT_ENDS_WITH BIT_U32(10) |
Definition at line 43 of file detect-content.h.
#define DETECT_CONTENT_FAST_PATTERN BIT_U32(5) |
Definition at line 35 of file detect-content.h.
#define DETECT_CONTENT_FAST_PATTERN_CHOP BIT_U32(7) |
Definition at line 37 of file detect-content.h.
#define DETECT_CONTENT_FAST_PATTERN_ONLY BIT_U32(6) |
Definition at line 36 of file detect-content.h.
#define DETECT_CONTENT_IS_SINGLE | ( | c | ) |
Definition at line 67 of file detect-content.h.
#define DETECT_CONTENT_MPM BIT_U32(20) |
MPM pattern selected by the engine or forced by fast_pattern keyword
Definition at line 62 of file detect-content.h.
#define DETECT_CONTENT_MPM_IS_CONCLUSIVE | ( | c | ) |
Definition at line 77 of file detect-content.h.
#define DETECT_CONTENT_NEGATED BIT_U32(9) |
content is negated
Definition at line 41 of file detect-content.h.
#define DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED BIT_U32(16) |
Definition at line 56 of file detect-content.h.
#define DETECT_CONTENT_NOCASE BIT_U32(0) |
Definition at line 30 of file detect-content.h.
#define DETECT_CONTENT_OFFSET BIT_U32(3) |
Definition at line 33 of file detect-content.h.
#define DETECT_CONTENT_OFFSET_VAR BIT_U32(11) |
Definition at line 46 of file detect-content.h.
#define DETECT_CONTENT_RAWBYTES BIT_U32(8) |
content applies to a "raw"/undecoded field if applicable
Definition at line 39 of file detect-content.h.
#define DETECT_CONTENT_RELATIVE_NEXT (DETECT_CONTENT_WITHIN_NEXT|DETECT_CONTENT_DISTANCE_NEXT) |
a relative match to this content is next, used in matching phase
Definition at line 65 of file detect-content.h.
#define DETECT_CONTENT_REPLACE BIT_U32(15) |
Definition at line 52 of file detect-content.h.
#define DETECT_CONTENT_STARTS_WITH BIT_U32(19) |
Definition at line 60 of file detect-content.h.
#define DETECT_CONTENT_WITHIN BIT_U32(2) |
Definition at line 32 of file detect-content.h.
#define DETECT_CONTENT_WITHIN_NEXT BIT_U32(17) |
Definition at line 58 of file detect-content.h.
#define DETECT_CONTENT_WITHIN_VAR BIT_U32(14) |
Definition at line 49 of file detect-content.h.
typedef struct DetectContentData_ DetectContentData |
int DetectContentDataParse | ( | const char * | keyword, |
const char * | contentstr, | ||
uint8_t ** | pstr, | ||
uint16_t * | plen | ||
) |
Parse a content string, i.e. "abc|DE|fgh".
contentstr | NUL-terminated string containing the content |
pstr | result pointer through which the fully parsed byte array is returned |
plen | size of the resulting data |
flags | flags to be set by this parsing function |
-1 | error |
0 | ok |
Definition at line 82 of file detect-content.c.
References SC_ERR_INVALID_SIGNATURE, SCCalloc, SCLogDebug, SCLogError, str, and strlcpy().
Referenced by DetectContentParse().
void DetectContentFree | ( | DetectEngineCtx * | de_ctx, |
void * | ptr | ||
) |
Frees (via SCFree) the memory associated with a DetectContentData.
ptr | pointer to the DetectContentData to free |
Definition at line 374 of file detect-content.c.
References SCEnter, SCFree, SCReturn, DetectContentData_::spm_ctx, and SpmDestroyCtx().
Referenced by DetectContentRegister(), and DetectContentSetup().
uint32_t DetectContentMaxId | ( | DetectEngineCtx * | ) |
DetectContentData* DetectContentParse | ( | SpmGlobalThreadCtx * | spm_global_thread_ctx, |
const char * | contentstr | ||
) |
DetectContentParse (init only).
Definition at line 203 of file detect-content.c.
References DetectContentData_::content, DetectContentData_::content_len, DetectContentData_::depth, DetectContentDataParse(), DetectContentData_::distance, len, DetectContentData_::offset, SCFree, SCMalloc, DetectContentData_::spm_ctx, SpmInitCtx(), unlikely, and DetectContentData_::within.
Referenced by DetectContentParseEncloseQuotes(), and DetectContentSetup().
DetectContentData* DetectContentParseEncloseQuotes | ( | SpmGlobalThreadCtx * | spm_global_thread_ctx, |
const char * | contentstr | ||
) |
Definition at line 247 of file detect-content.c.
References DetectContentParse().
bool DetectContentPMATCHValidateCallback | ( | const Signature * | s | ) |
1 | valid |
0 | invalid |
Definition at line 392 of file detect-content.c.
References DetectContentData_::content_len, SigMatch_::ctx, DETECT_CONTENT, DETECT_SM_LIST_PMATCH, FALSE, Signature_::flags, Signature_::init_data, SigMatch_::next, DetectContentData_::offset, SC_ERR_INVALID_SIGNATURE, SCLogError, SIG_FLAG_DSIZE, SigParseGetMaxDsize(), SignatureInitData_::smlists, TRUE, and SigMatch_::type.
void DetectContentPrint | ( | DetectContentData * | ) |
Helper function to print a DetectContentData.
Definition at line 256 of file detect-content.c.
References DetectContentData_::content, DetectContentData_::content_len, DetectContentData_::depth, DETECT_CONTENT_NEGATED, DETECT_CONTENT_RELATIVE_NEXT, DetectContentData_::distance, DetectContentData_::flags, DetectContentData_::id, DetectContentData_::offset, DetectContentData_::replace, DetectContentData_::replace_len, SCFree, SCLogDebug, SCMalloc, and DetectContentData_::within.
Referenced by DetectContentSetup().
void DetectContentPropagateLimits | ( | Signature * | s | ) |
apply depth/offset and distance/within to content matches
The idea is that any limitation we can set is a win, as the mpm can use this to reduce match candidates.
E.g. if we have 'content:"1"; depth:1; content:"2"; distance:0; within:1;' we know that we can add 'offset:1; depth:2;' to the 2nd content. This will then be used by the mpm if the 2nd content is selected as the mpm pattern.
Another example: 'content:"1"; depth:1; content:"2"; distance:0;'. Here we cannot set a depth, but we can set an offset of 'offset:1;'. This will make the mpm a bit more precise.
Definition at line 440 of file detect-content.c.
References BUG_ON, and Signature_::init_data.
void DetectContentRegister | ( | void | ) |
Definition at line 57 of file detect-content.c.
References SigTableElmt_::desc, DETECT_CONTENT, DetectContentFree(), DetectContentSetup(), SigTableElmt_::Free, SigTableElmt_::Match, SigTableElmt_::name, SigTableElmt_::RegisterTests, SigTableElmt_::Setup, sigmatch_table, and SigTableElmt_::url.
Referenced by SigTableSetup().
int DetectContentSetup | ( | DetectEngineCtx * | de_ctx, |
Signature * | s, | ||
const char * | contentstr | ||
) |
Function to set up a content pattern.
de_ctx | pointer to the current detection_engine |
s | pointer to the current Signature |
m | pointer to the last parsed SigMatch |
contentstr | pointer to the current keyword content string |
-1 | if error |
0 | if all was ok |
Definition at line 322 of file detect-content.c.
References DetectContentData_::content, DetectContentData_::content_len, SigMatch_::ctx, de_ctx, DETECT_CONTENT, DETECT_CONTENT_NEGATED, DETECT_SM_LIST_MAX, DETECT_SM_LIST_NOTSET, DETECT_SM_LIST_PMATCH, DetectBufferGetActiveList(), DetectBufferTypeValidateTransform(), DetectContentFree(), DetectContentParse(), DetectContentPrint(), DetectContentData_::flags, Signature_::init_data, SignatureInitData_::list, SignatureInitData_::negated, SC_ERR_INVALID_SIGNATURE, SCLogError, SigMatchAlloc(), SigMatchAppendSMToList(), DetectEngineCtx_::spm_global_thread_ctx, and SigMatch_::type.
Referenced by DetectContentRegister().