#include "util-spm.h"

Include dependency graph for detect-content.h:

Data Structures
struct	DetectContentData_

Macros
#define	DETECT_CONTENT_NOCASE BIT_U32(0)

#define	DETECT_CONTENT_DISTANCE BIT_U32(1)

#define	DETECT_CONTENT_WITHIN BIT_U32(2)

#define	DETECT_CONTENT_OFFSET BIT_U32(3)

#define	DETECT_CONTENT_DEPTH BIT_U32(4)

#define	DETECT_CONTENT_FAST_PATTERN BIT_U32(5)

#define	DETECT_CONTENT_FAST_PATTERN_ONLY BIT_U32(6)

#define	DETECT_CONTENT_FAST_PATTERN_CHOP BIT_U32(7)

#define	DETECT_CONTENT_RAWBYTES BIT_U32(8)

#define	DETECT_CONTENT_NEGATED BIT_U32(9)

#define	DETECT_CONTENT_ENDS_WITH BIT_U32(10)

#define	DETECT_CONTENT_OFFSET_BE BIT_U32(11)

#define	DETECT_CONTENT_DEPTH_BE BIT_U32(12)

#define	DETECT_CONTENT_DISTANCE_BE BIT_U32(13)

#define	DETECT_CONTENT_WITHIN_BE BIT_U32(14)

#define	DETECT_CONTENT_REPLACE BIT_U32(15)

#define	DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED BIT_U32(16)

#define	DETECT_CONTENT_WITHIN_NEXT BIT_U32(17)

#define	DETECT_CONTENT_DISTANCE_NEXT BIT_U32(18)

#define	DETECT_CONTENT_STARTS_WITH BIT_U32(19)

#define	DETECT_CONTENT_MPM BIT_U32(20)

#define	DETECT_CONTENT_RELATIVE_NEXT (DETECT_CONTENT_WITHIN_NEXT\|DETECT_CONTENT_DISTANCE_NEXT)

#define	DETECT_CONTENT_IS_SINGLE(c)

#define	DETECT_CONTENT_MPM_IS_CONCLUSIVE(c)

Typedefs
typedef struct DetectContentData_	DetectContentData

Functions
void	DetectContentRegister (void)

uint32_t	DetectContentMaxId (DetectEngineCtx *)

DetectContentData *	DetectContentParse (SpmGlobalThreadCtx spm_global_thread_ctx, const char contentstr)
	DetectContentParse . More...

int	DetectContentDataParse (const char keyword, const char contentstr, uint8_t *pstr, uint16_t plen)
	Parse a content string, ie "abc\|DE\|fgh". More...

DetectContentData *	DetectContentParseEncloseQuotes (SpmGlobalThreadCtx spm_global_thread_ctx, const char contentstr)

int	DetectContentSetup (DetectEngineCtx de_ctx, Signature s, const char *contentstr)
	Function to setup a content pattern. More...

void	DetectContentPrint (DetectContentData *)
	Helper function to print a DetectContentData. More...

void	DetectContentFree (void *)
	this function will SCFree memory associated with DetectContentData More...

_Bool	DetectContentPMATCHValidateCallback (const Signature *s)

void	DetectContentPropagateLimits (Signature *s)
	apply depth/offset and distance/within to content matches More...

Detailed Description

Author: Victor Julien victo.nosp@m.r@in.nosp@m.linia.nosp@m.c.ne.nosp@m.t

Definition in file detect-content.h.

Macro Definition Documentation

#define DETECT_CONTENT_DEPTH BIT_U32(4)

Definition at line 33 of file detect-content.h.

Referenced by DetectByteExtractRetrieveSMVar(), DetectContentPropagateLimits(), DetectDepthRegister(), DetectDistanceRegister(), DetectEngineContentInspection(), DetectFastPatternRegister(), DetectPrefilterRegister(), DetectWithinRegister(), EngineAnalysisFP(), EngineAnalysisRules(), and SigMatchList2DataArray().

#define DETECT_CONTENT_DEPTH_BE BIT_U32(12)

Definition at line 46 of file detect-content.h.

Referenced by DetectByteExtractRetrieveSMVar(), DetectDepthRegister(), DetectEngineContentInspection(), and PatternStrength().

#define DETECT_CONTENT_DISTANCE BIT_U32(1)

Definition at line 30 of file detect-content.h.

Referenced by DetectByteExtractRetrieveSMVar(), DetectContentPropagateLimits(), DetectDepthRegister(), DetectDistanceRegister(), DetectEngineContentInspection(), DetectEngineContentModifierBufferSetup(), DetectFastPatternRegister(), DetectOffsetRegister(), DetectPrefilterRegister(), and EngineAnalysisFP().

#define DETECT_CONTENT_DISTANCE_BE BIT_U32(13)

Definition at line 47 of file detect-content.h.

Referenced by DetectByteExtractRetrieveSMVar(), DetectDistanceRegister(), and DetectEngineContentInspection().

#define DETECT_CONTENT_DISTANCE_NEXT BIT_U32(18)

Definition at line 58 of file detect-content.h.

Referenced by DetectByteExtractRetrieveSMVar(), and DetectDistanceRegister().

#define DETECT_CONTENT_ENDS_WITH BIT_U32(10)

Definition at line 42 of file detect-content.h.

Referenced by DetectContentPropagateLimits(), DetectEngineContentInspection(), DetectIsdataatFree(), and DetectIsdataatSetup().

#define DETECT_CONTENT_FAST_PATTERN BIT_U32(5)

Definition at line 34 of file detect-content.h.

Referenced by DetectByteExtractRetrieveSMVar(), DetectDepthRegister(), DetectDistanceRegister(), DetectFastPatternRegister(), DetectOffsetRegister(), DetectPrefilterRegister(), DetectWithinRegister(), EngineAnalysisFP(), and RetrieveFPForSig().

#define DETECT_CONTENT_FAST_PATTERN_CHOP BIT_U32(7)

Definition at line 36 of file detect-content.h.

Referenced by DetectFastPatternRegister(), DetectSetFastPatternAndItsId(), EngineAnalysisFP(), MpmStoreFree(), and PerCentEncodingMatch().

#define DETECT_CONTENT_FAST_PATTERN_ONLY BIT_U32(6)

Definition at line 35 of file detect-content.h.

Referenced by DetectDepthRegister(), DetectDistanceRegister(), DetectFastPatternRegister(), DetectOffsetRegister(), DetectWithinRegister(), and EngineAnalysisFP().

#define DETECT_CONTENT_IS_SINGLE ( c )

Value:

(!( ((c)->flags & DETECT_CONTENT_DISTANCE) || \
                                        ((c)->flags & DETECT_CONTENT_WITHIN) || \
                                        ((c)->flags & DETECT_CONTENT_RELATIVE_NEXT) || \
                                        ((c)->flags & DETECT_CONTENT_DEPTH) || \
                                        ((c)->flags & DETECT_CONTENT_OFFSET) ))

Definition at line 66 of file detect-content.h.

Referenced by DetectEngineContentInspection().

#define DETECT_CONTENT_MPM BIT_U32(20)

MPM pattern selected by the engine or forced by fast_pattern keyword

Definition at line 61 of file detect-content.h.

#define DETECT_CONTENT_MPM_IS_CONCLUSIVE ( c )

Value:

!( ((c)->flags & DETECT_CONTENT_DISTANCE) || \
                                       ((c)->flags & DETECT_CONTENT_WITHIN)   || \
                                       ((c)->flags & DETECT_CONTENT_DEPTH)    || \
                                       ((c)->flags & DETECT_CONTENT_OFFSET)   || \
                                       ((c)->flags & DETECT_CONTENT_FAST_PATTERN_CHOP))

Definition at line 76 of file detect-content.h.

Referenced by MpmStoreFree().

#define DETECT_CONTENT_NEGATED BIT_U32(9)

#define DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED BIT_U32(16)

Definition at line 55 of file detect-content.h.

#define DETECT_CONTENT_NOCASE BIT_U32(0)

Definition at line 29 of file detect-content.h.

Referenced by DetectByteExtractRetrieveSMVar(), DetectFastPatternRegister(), DetectHttpHHRegister(), DetectNocaseRegister(), DetectSetFastPatternAndItsId(), DetectTlsFingerprintRegister(), DetectTlsJa3HashRegister(), DetectTlsJa3SHashRegister(), DetectTlsSerialRegister(), EngineAnalysisFP(), and PatternStrength().

#define DETECT_CONTENT_OFFSET BIT_U32(3)

Definition at line 32 of file detect-content.h.

Referenced by DetectByteExtractRetrieveSMVar(), DetectContentPropagateLimits(), DetectDepthRegister(), DetectDistanceRegister(), DetectFastPatternRegister(), DetectOffsetRegister(), DetectPrefilterRegister(), DetectWithinRegister(), EngineAnalysisFP(), EngineAnalysisRules(), and SigMatchList2DataArray().

#define DETECT_CONTENT_OFFSET_BE BIT_U32(11)

Definition at line 45 of file detect-content.h.

Referenced by DetectByteExtractRetrieveSMVar(), DetectEngineContentInspection(), DetectOffsetRegister(), and PatternStrength().

#define DETECT_CONTENT_RAWBYTES BIT_U32(8)

content applies to a "raw"/undecoded field if applicable

Definition at line 38 of file detect-content.h.

Referenced by DetectByteExtractRetrieveSMVar(), DetectEngineContentModifierBufferSetup(), and DetectRawbytesRegister().

#define DETECT_CONTENT_RELATIVE_NEXT (DETECT_CONTENT_WITHIN_NEXT|DETECT_CONTENT_DISTANCE_NEXT)

a relative match to this content is next, used in matching phase

Definition at line 64 of file detect-content.h.

Referenced by DetectByteExtractDoMatch(), DetectByteExtractRetrieveSMVar(), DetectBytejumpDoMatch(), DetectBytetestDoMatch(), DetectContentPrint(), DetectDistanceRegister(), DetectEngineContentModifierBufferSetup(), DetectIsdataatSetup(), DetectPcrePayloadMatch(), DetectReplaceFreeInternal(), and DetectUricontentRegister().

#define DETECT_CONTENT_REPLACE BIT_U32(15)

Definition at line 51 of file detect-content.h.

Referenced by DetectEngineContentInspection(), DetectEngineContentModifierBufferSetup(), and DetectReplaceRegister().

#define DETECT_CONTENT_STARTS_WITH BIT_U32(19)

Definition at line 59 of file detect-content.h.

Referenced by DetectDepthRegister(), and DetectOffsetRegister().

#define DETECT_CONTENT_WITHIN BIT_U32(2)

Definition at line 31 of file detect-content.h.

Referenced by DetectByteExtractRetrieveSMVar(), DetectContentPropagateLimits(), DetectDepthRegister(), DetectEngineContentInspection(), DetectEngineContentModifierBufferSetup(), DetectFastPatternRegister(), DetectOffsetRegister(), DetectPrefilterRegister(), DetectWithinRegister(), and EngineAnalysisFP().

#define DETECT_CONTENT_WITHIN_BE BIT_U32(14)

Definition at line 48 of file detect-content.h.

Referenced by DetectByteExtractRetrieveSMVar(), DetectEngineContentInspection(), and DetectWithinRegister().

#define DETECT_CONTENT_WITHIN_NEXT BIT_U32(17)

Definition at line 57 of file detect-content.h.

Referenced by DetectByteExtractRetrieveSMVar(), DetectEngineContentInspection(), and DetectWithinRegister().

Typedef Documentation

typedef struct DetectContentData_ DetectContentData

Function Documentation

int DetectContentDataParse	(	const char *	keyword,
		const char *	contentstr,
		uint8_t **	pstr,
		uint16_t *	plen
	)

Parse a content string, ie "abc|DE|fgh".

Parameters

content_str	null terminated string containing the content
result	result pointer to pass the fully parsed byte array
result_len	size of the resulted data
flags	flags to be set by this parsing function

Return values

-1	error
0	ok

Definition at line 78 of file detect-content.c.

References SC_ERR_INVALID_SIGNATURE, SCCalloc, SCLogDebug, SCLogError, str, and strlcpy().

Referenced by DetectContentParse(), DetectFileextRegister(), DetectFilemagicRegister(), DetectFilenameRegister(), DetectFlowvarMatch(), DetectPktvarRegister(), and DetectReplaceRegister().

Here is the call graph for this function:

Here is the caller graph for this function:

void DetectContentFree ( void * ptr )

this function will SCFree memory associated with DetectContentData

Parameters

cd	pointer to DetectContentData

Definition at line 359 of file detect-content.c.

References SCEnter, SCFree, SCReturn, DetectContentData_::spm_ctx, and SpmDestroyCtx().

Referenced by DetectContentRegister(), and DetectContentSetup().

Here is the call graph for this function:

Here is the caller graph for this function:

uint32_t DetectContentMaxId ( DetectEngineCtx * )

DetectContentData* DetectContentParse	(	SpmGlobalThreadCtx *	spm_global_thread_ctx,
		const char *	contentstr
	)

DetectContentParse .

Definition at line 199 of file detect-content.c.

References DetectContentData_::content, DetectContentData_::content_len, DetectContentData_::depth, DetectContentDataParse(), DetectContentData_::distance, len, DetectContentData_::offset, SCFree, SCMalloc, DetectContentData_::spm_ctx, SpmInitCtx(), unlikely, and DetectContentData_::within.

Referenced by DetectContentParseEncloseQuotes(), and DetectContentSetup().

Here is the call graph for this function:

Here is the caller graph for this function:

DetectContentData* DetectContentParseEncloseQuotes	(	SpmGlobalThreadCtx *	spm_global_thread_ctx,
		const char *	contentstr
	)

Definition at line 243 of file detect-content.c.

References DetectContentParse().

Here is the call graph for this function:

_Bool DetectContentPMATCHValidateCallback ( const Signature * s )

Return values

1	valid
0	invalid

Definition at line 377 of file detect-content.c.

References DetectContentData_::content_len, SigMatch_::ctx, DETECT_CONTENT, DETECT_SM_LIST_PMATCH, FALSE, Signature_::flags, Signature_::init_data, SigMatch_::next, DetectContentData_::offset, SC_ERR_INVALID_SIGNATURE, SCLogError, SIG_FLAG_DSIZE, SigParseGetMaxDsize(), SignatureInitData_::smlists, TRUE, and SigMatch_::type.

Referenced by SigMatchList2DataArray().

Here is the call graph for this function:

Here is the caller graph for this function:

void DetectContentPrint ( DetectContentData * )

Helper function to print a DetectContentData.

Definition at line 252 of file detect-content.c.

References DetectContentData_::content, DetectContentData_::content_len, DetectContentData_::depth, DETECT_CONTENT_NEGATED, DETECT_CONTENT_RELATIVE_NEXT, DetectContentData_::distance, DetectContentData_::flags, DetectContentData_::id, DetectContentData_::offset, DetectContentData_::replace, DetectContentData_::replace_len, SCFree, SCLogDebug, SCMalloc, and DetectContentData_::within.

Referenced by DetectContentSetup(), and DetectUricontentRegister().

Here is the caller graph for this function:

void DetectContentPropagateLimits ( Signature * s )

apply depth/offset and distance/within to content matches

The idea is that any limitation we can set is a win, as the mpm can use this to reduce match candidates.

E.g. if we have 'content:"1"; depth:1; content:"2"; distance:0; within:1;' we know that we can add 'offset:1; depth:2;' to the 2nd condition. This will then be used in mpm if the 2nd condition would be selected for mpm.

Another example: 'content:"1"; depth:1; content:"2"; distance:0;'. Here we cannot set a depth, but we can set an offset of 'offset:1;'. This will make the mpm a bit more precise.

Definition at line 425 of file detect-content.c.

References BUG_ON, DetectContentData_::content_len, SigMatch_::ctx, DetectContentData_::depth, DETECT_CONTENT, DETECT_CONTENT_DEPTH, DETECT_CONTENT_DISTANCE, DETECT_CONTENT_ENDS_WITH, DETECT_CONTENT_NEGATED, DETECT_CONTENT_OFFSET, DETECT_CONTENT_WITHIN, DETECT_PCRE, DETECT_PCRE_RELATIVE, DETECT_SM_LIST_PMATCH, DetectContentData_::distance, DetectPcreData_::flags, DetectContentData_::flags, Signature_::init_data, MIN, SigMatch_::next, DetectContentData_::offset, offset, SCLogDebug, SignatureInitData_::smlists, SignatureInitData_::smlists_array_size, SignatureInitData_::smlists_tail, SigMatch_::type, and DetectContentData_::within.

Referenced by SigAddressPrepareStage1().

Here is the caller graph for this function:

void DetectContentRegister ( void )

Definition at line 55 of file detect-content.c.

References SigTableElmt_::desc, DETECT_CONTENT, DetectContentFree(), DetectContentSetup(), DOC_URL, DOC_VERSION, SigTableElmt_::flags, SigTableElmt_::Free, SigTableElmt_::Match, SigTableElmt_::name, SigTableElmt_::RegisterTests, SigTableElmt_::Setup, SIGMATCH_HANDLE_NEGATION, SIGMATCH_QUOTES_MANDATORY, sigmatch_table, and SigTableElmt_::url.

Referenced by SigTableSetup().

Here is the call graph for this function:

Here is the caller graph for this function:

int DetectContentSetup	(	DetectEngineCtx *	de_ctx,
		Signature *	s,
		const char *	contentstr
	)

Function to setup a content pattern.

Parameters

de_ctx	pointer to the current detection_engine
s	pointer to the current Signature
m	pointer to the last parsed SigMatch
contentstr	pointer to the current keyword content string

Return values

-1	if error
0	if all was ok

Definition at line 318 of file detect-content.c.

References SigMatch_::ctx, DETECT_CONTENT, DETECT_CONTENT_NEGATED, DETECT_SM_LIST_NOTSET, DETECT_SM_LIST_PMATCH, DetectBufferGetActiveList(), DetectContentFree(), DetectContentParse(), DetectContentPrint(), DetectContentData_::flags, Signature_::init_data, SignatureInitData_::list, SignatureInitData_::negated, SigMatchAlloc(), SigMatchAppendSMToList(), DetectEngineCtx_::spm_global_thread_ctx, and SigMatch_::type.

Referenced by DetectContentRegister(), and DetectUricontentRegister().

Here is the call graph for this function:

Here is the caller graph for this function:

Data Structures

Macros

Typedefs

Functions

Detailed Description

Macro Definition Documentation

Typedef Documentation

Function Documentation