suricata
detect-content.h
Go to the documentation of this file.
1 /* Copyright (C) 2007-2010 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  */
23 
24 #ifndef __DETECT_CONTENT_H__
25 #define __DETECT_CONTENT_H__
26 
27 /* Flags affecting this content */
28 
29 #define DETECT_CONTENT_NOCASE BIT_U32(0)
30 #define DETECT_CONTENT_DISTANCE BIT_U32(1)
31 #define DETECT_CONTENT_WITHIN BIT_U32(2)
32 #define DETECT_CONTENT_OFFSET BIT_U32(3)
33 #define DETECT_CONTENT_DEPTH BIT_U32(4)
34 #define DETECT_CONTENT_FAST_PATTERN BIT_U32(5)
35 #define DETECT_CONTENT_FAST_PATTERN_ONLY BIT_U32(6)
36 #define DETECT_CONTENT_FAST_PATTERN_CHOP BIT_U32(7)
37 /** content applies to a "raw"/undecoded field if applicable */
38 #define DETECT_CONTENT_RAWBYTES BIT_U32(8)
39 /** content is negated */
40 #define DETECT_CONTENT_NEGATED BIT_U32(9)
41 
42 #define DETECT_CONTENT_ENDS_WITH BIT_U32(10)
43 
44 /* BE - byte extract */
45 #define DETECT_CONTENT_OFFSET_BE BIT_U32(11)
46 #define DETECT_CONTENT_DEPTH_BE BIT_U32(12)
47 #define DETECT_CONTENT_DISTANCE_BE BIT_U32(13)
48 #define DETECT_CONTENT_WITHIN_BE BIT_U32(14)
49 
50 /* replace data */
51 #define DETECT_CONTENT_REPLACE BIT_U32(15)
52 /* this flag is set during the staging phase. It indicates that a content
53  * has been added to the mpm phase and requires no further inspection inside
54  * the inspection phase */
55 #define DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED BIT_U32(16)
56 
57 #define DETECT_CONTENT_WITHIN_NEXT BIT_U32(17)
58 #define DETECT_CONTENT_DISTANCE_NEXT BIT_U32(18)
59 #define DETECT_CONTENT_STARTS_WITH BIT_U32(19)
60 /** MPM pattern selected by the engine or forced by fast_pattern keyword */
61 #define DETECT_CONTENT_MPM BIT_U32(20)
62 
63 /** a relative match to this content is next, used in matching phase */
64 #define DETECT_CONTENT_RELATIVE_NEXT (DETECT_CONTENT_WITHIN_NEXT|DETECT_CONTENT_DISTANCE_NEXT)
65 
66 #define DETECT_CONTENT_IS_SINGLE(c) (!( ((c)->flags & DETECT_CONTENT_DISTANCE) || \
67  ((c)->flags & DETECT_CONTENT_WITHIN) || \
68  ((c)->flags & DETECT_CONTENT_RELATIVE_NEXT) || \
69  ((c)->flags & DETECT_CONTENT_DEPTH) || \
70  ((c)->flags & DETECT_CONTENT_OFFSET) ))
71 
72 /* if a pattern has no depth/offset limits, no relative specifiers and isn't
73  * chopped for the mpm, we can take the mpm and consider this pattern a match
74  * w/o futher inspection. Warning: this may still mean other patterns depend
75  * on this pattern that force match validation anyway. */
76 #define DETECT_CONTENT_MPM_IS_CONCLUSIVE(c) \
77  !( ((c)->flags & DETECT_CONTENT_DISTANCE) || \
78  ((c)->flags & DETECT_CONTENT_WITHIN) || \
79  ((c)->flags & DETECT_CONTENT_DEPTH) || \
80  ((c)->flags & DETECT_CONTENT_OFFSET) || \
81  ((c)->flags & DETECT_CONTENT_FAST_PATTERN_CHOP))
82 
83 
84 #include "util-spm.h"
85 
86 typedef struct DetectContentData_ {
87  uint8_t *content;
88  uint16_t content_len;
89  uint16_t replace_len;
90  /* for chopped fast pattern, the length */
91  uint16_t fp_chop_len;
92  /* for chopped fast pattern, the offset */
93  uint16_t fp_chop_offset;
94  /* would want to move PatIntId here and flags down to remove the padding
95  * gap, but I think the first four members was used as a template for
96  * casting. \todo check this and fix it if posssible */
97  uint32_t flags;
99  uint16_t depth;
100  uint16_t offset;
101  int32_t distance;
102  int32_t within;
103  /* SPM search context. */
105  /* pointer to replacement data */
106  uint8_t *replace;
108 
109 /* prototypes */
110 void DetectContentRegister (void);
113  const char *contentstr);
114 int DetectContentDataParse(const char *keyword, const char *contentstr,
115  uint8_t **pstr, uint16_t *plen);
117  const char *contentstr);
118 
119 int DetectContentSetup(DetectEngineCtx *de_ctx, Signature *s, const char *contentstr);
121 
122 void DetectContentFree(void *);
125 
126 #endif /* __DETECT_CONTENT_H__ */
#define PatIntId
int DetectContentDataParse(const char *keyword, const char *contentstr, uint8_t **pstr, uint16_t *plen)
Parse a content string, ie "abc|DE|fgh".
uint32_t DetectContentMaxId(DetectEngineCtx *)
DetectContentData * DetectContentParseEncloseQuotes(SpmGlobalThreadCtx *spm_global_thread_ctx, const char *contentstr)
Signature container.
Definition: detect.h:522
main detection engine ctx
Definition: detect.h:761
void DetectContentPrint(DetectContentData *)
Helper function to print a DetectContentData.
struct DetectContentData_ DetectContentData
_Bool DetectContentPMATCHValidateCallback(const Signature *s)
DetectContentData * DetectContentParse(SpmGlobalThreadCtx *spm_global_thread_ctx, const char *contentstr)
DetectContentParse .
void DetectContentFree(void *)
this function will SCFree memory associated with DetectContentData
void DetectContentRegister(void)
void DetectContentPropagateLimits(Signature *s)
apply depth/offset and distance/within to content matches
int DetectContentSetup(DetectEngineCtx *de_ctx, Signature *s, const char *contentstr)
Function to setup a content pattern.