/* Pattern literal: one lowercase word, then one to four comma-separated
 * values built from '-', '_', letters, digits, whitespace and '.'.
 * NOTE(review): in ASCII the range `A-z` covers more than letters; it also
 * admits '[', backslash, ']', '^', '_' and the backtick. If only letters were
 * meant, `A-Za-z` is the tighter class. Confirm nothing relies on the wider
 * set before changing it. */
45 #define PARSE_REGEX "([a-z]+)(?:,\\s*([\\-_A-z0-9\\s\\.]+)){1,4}"
/* Tail of the DetectDatarepBufferMatch() parameter list. The opening line of
 * the signature and parts of the body are missing from this listing, so only
 * the visible statements are described. */
71 const uint8_t *data,
const uint32_t data_len)
/* An absent or zero-length buffer is handled before anything else; the value
 * returned for that case is on a line not shown here. */
73 if (data == NULL || data_len == 0)
/* The three tests below compare r.rep.value with the value stored in the
 * keyword context (sd->rep.value): greater-than, less-than, then equal.
 * NOTE(review): `r` is presumably the DatasetLookupwRep() result and each test
 * presumably sits under the matching operator case -- confirm in the full
 * file, including that a "not found" result is checked before r.rep.value is
 * read. */
82 if (r.
rep.value > sd->
rep.value)
86 if (r.
rep.value < sd->
rep.value)
90 if (r.
rep.value == sd->
rep.value)
/* Parse the keyword's option string `str` into caller-supplied outputs.
 * `cmd` and `name` are output buffers with capacities `cmd_len` and
 * `name_len`; `memcap` and `hashsize` are output values. One line of the
 * parameter list and many body lines are missing from this listing, so the
 * notes below only describe what is visible. The caller tests the return
 * value with `!`. */
97 static int DetectDatarepParse(
const char *
str,
char *cmd,
int cmd_len,
char *
name,
int name_len,
99 uint64_t *memcap, uint32_t *
hashsize)
/* Flags recording which of the three required fields have been seen; all
 * three are checked together near the end of the function. */
101 bool cmd_set =
false;
102 bool name_set =
false;
103 bool value_set =
false;
/* Working copy of the option string, because strtok_r() writes into the
 * buffer it tokenises.
 * NOTE(review): this is a variable-length array sized by strlen(str), so the
 * stack usage follows the length of the rule text. Nothing visible here
 * bounds that length -- confirm an upper limit is enforced by the caller, or
 * prefer a bounded or heap copy. */
105 char copy[strlen(
str)+1];
/* Split the copy on ',' using the reentrant tokenizer. */
107 char *xsaveptr = NULL;
108 char *key = strtok_r(copy,
",", &xsaveptr);
109 while (key != NULL) {
/* Leading blanks of the token are examined here; the loop body is not shown
 * (presumably it advances `key`).
 * NOTE(review): isblank() takes an int that must be representable as
 * unsigned char or be EOF; `*key` is a plain char, so a byte >= 0x80 can be
 * passed as a negative value. A cast to unsigned char avoids that. */
110 while (*key !=
'\0' && isblank(*key)) {
/* Look for the first space in the token, separating a key from its value.
 * NOTE(review): strchr() returns NULL when the token contains no space and
 * `*val` is dereferenced two visible lines further down. The NULL check is
 * presumably on the lines missing in between -- confirm. */
113 char *val = strchr(key,
' ');
116 while (*val !=
'\0' && isblank(*val)) {
/* An empty token gets its own branch; after that, the tests on cmd_set and
 * value_set suggest the leading fields are positional (hedged: the bodies of
 * these branches are not shown). */
124 if (strlen(key) == 0) {
134 }
else if (!cmd_set) {
140 }
else if (!value_set) {
/* Named option `type`: the accepted values visible here are md5, sha256,
 * string, ipv4, ip and ipv6, compared with exact strcmp() matches. What
 * happens for any other value is not shown. */
154 if (strcmp(key,
"type") == 0) {
157 if (strcmp(val,
"md5") == 0) {
159 }
else if (strcmp(val,
"sha256") == 0) {
161 }
else if (strcmp(val,
"string") == 0) {
163 }
else if (strcmp(val,
"ipv4") == 0) {
165 }
else if (strcmp(val,
"ip") == 0) {
167 }
else if (strcmp(val,
"ipv6") == 0) {
174 }
else if (strcmp(key,
"load") == 0) {
/* Named options `memcap` and `hashsize`. The message fragment
 * " resetting to default" indicates that a value which fails to parse is
 * replaced by a default rather than rejected (hedged: the parsing calls
 * themselves are not shown). */
178 if (strcmp(key,
"memcap") == 0) {
181 " resetting to default",
186 if (strcmp(key,
"hashsize") == 0) {
189 " resetting to default",
/* Advance to the next comma-separated token. */
199 key = strtok_r(NULL,
",", &xsaveptr);
/* `load` without `type` is reported as an error; the condition that guards
 * this message is on a line not shown. */
203 SCLogError(
"if load is used type must be set as well");
/* All three of name, command and value must have been supplied. */
207 if (!name_set || !cmd_set || !value_set) {
/* Trailing blanks at the end of `name` are examined here (loop body not
 * shown; presumably it truncates the string by one character per pass). */
213 while (strlen(
name) > 0 && isblank(
name[strlen(
name) - 1])) {
/* A blank anywhere else in the name is rejected, which keeps dataset names
 * free of embedded spaces. strlen(name) is re-evaluated on every iteration;
 * names are short, so this is a readability point rather than a cost. */
218 for (
size_t i = 0; i < strlen(
name); i++) {
219 if (isblank(
name[i])) {
220 SCLogError(
"spaces not allowed in dataset names");
/* Helper taking an input path `in` and an output buffer `out` of capacity
 * `outs`. Presumably it stores the directory component of `in` in `out`; the
 * lines that write to `out` are missing from this listing. */
229 static void GetDirName(
const char *in,
char *out,
size_t outs)
/* Empty input gets a dedicated branch (its body is not shown). */
231 if (strlen(in) == 0) {
/* Length of `in` including the terminating NUL. */
235 size_t size = strlen(in) + 1;
/* dirname() may modify the buffer it is given, so it is called on `tmp`
 * rather than on the const input.
 * NOTE(review): the declaration of `tmp` is not shown; presumably it is a
 * copy of `in` holding `size` bytes. Confirm that it is bounded and that the
 * result is copied into `out` with `outs` as the limit. */
239 char *dir = dirname(tmp);
/* Tail of the SetupLoadPath() parameter list: `load` is both input and
 * output, with `load_size` as its capacity. The first signature line and
 * several body lines are missing from this listing. */
245 char *load,
size_t load_size)
257 char dir[PATH_MAX] =
"";
/* Join `dir` and the rule-supplied `load` value as "dir/load" and treat a
 * result that does not fit in `path` as an error, so truncation cannot
 * silently produce a different file name.
 * NOTE(review): a negative snprintf() return is not caught by this
 * comparison. Also, nothing visible here normalises `load` or confines the
 * joined path to `dir`; if rule files can come from a less trusted source
 * than the sensor configuration, confirm that ".." segments and absolute
 * paths are handled on the lines not shown (PathIsAbsolute() is referenced
 * by this file). */
262 if (snprintf(path,
sizeof(path),
"%s/%s", dir, load) >= (
int)
sizeof(path))
/* The resolved path is written back into the caller's buffer with a bounded
 * copy. The paired "does not exist" message suggests the copy only happens
 * after an existence check (hedged: the test itself is not shown). */
267 strlcpy(load, path, load_size);
268 SCLogDebug(
"using path '%s' (HAVE_LIBGEN_H)", load);
270 SCLogDebug(
"path '%s' does not exist (HAVE_LIBGEN_H)", path);
/* Same write-back for the build without HAVE_LIBGEN_H, using `loadp`, whose
 * origin is on a line not shown. */
281 strlcpy(load, loadp, load_size);
282 SCLogDebug(
"using path '%s' (non-HAVE_LIBGEN_H)", load);
284 SCLogDebug(
"path '%s' does not exist (non-HAVE_LIBGEN_H)", loadp);
/* Body fragment of the keyword's setup routine; its signature and many lines
 * are missing from this listing. The parser outputs land in fixed-size stack
 * buffers: 16 bytes for the operator, 64 for the dataset name and PATH_MAX
 * for the load path. */
295 char cmd_str[16] =
"",
name[64] =
"";
297 char load[PATH_MAX] =
"";
/* The keyword is rejected unless it applies to a sticky buffer; the two
 * conditions that lead to these identical messages are not shown. */
303 SCLogError(
"datarep is only supported for sticky buffers");
309 SCLogError(
"datarep is only supported for sticky buffers");
/* Each output buffer is passed together with its sizeof, so the parser has
 * the real capacity available.
 * NOTE(review): the lengths are received as int (cmd_len, name_len); confirm
 * that the parser's copies into cmd/name/load use these limits and reject
 * over-long input rather than truncating it into a different name. */
313 if (!DetectDatarepParse(rawstr, cmd_str,
sizeof(cmd_str),
name,
sizeof(
name), &
type, load,
314 sizeof(load), &value, &memcap, &
hashsize)) {
/* The load path is only resolved when the rule actually supplied one. */
318 if (strlen(load) != 0) {
319 if (SetupLoadPath(
de_ctx, load,
sizeof(load)) != 0)
/* Map the operator string to an operation. Only ">", "<" and "==" are
 * recognised; the error message below is for any other operator. */
324 if (strcmp(cmd_str,
">") == 0) {
326 }
else if (strcmp(cmd_str,
"<") == 0) {
328 }
else if (strcmp(cmd_str,
"==") == 0) {
331 SCLogError(
"datarep operation \"%s\" is not supported.", cmd_str);
/* Store the parsed threshold in the keyword context; this is the value the
 * match routine later compares against.
 * NOTE(review): the declaration and range check of `value` are not shown;
 * presumably the parser validates it (StringParseUint16() is referenced by
 * this file) -- confirm. */
347 cd->
rep.value = value;
350 cmd_str, strlen(
name) ?
name :
"(none)");
SigTableElmt * sigmatch_table
void(* Free)(DetectEngineCtx *, void *)
int ParseSizeStringU64(const char *size, uint64_t *res)
struct HtpBodyChunk_ * next
int DetectDatarepMatch(ThreadVars *, DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
main detection engine ctx
int StringParseUint16(uint16_t *res, int base, size_t len, const char *str)
void DetectDatarepRegister(void)
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
size_t strlcpy(char *dst, const char *src, size_t siz)
Dataset * DatasetGet(const char *name, enum DatasetTypes type, const char *save, const char *load, uint64_t memcap, uint32_t hashsize)
#define DATASET_TYPE_NOTSET
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Per thread variable structure.
#define SCLogWarning(...)
Macro used to log WARNING messages.
SignatureInitData * init_data
Data structures and function prototypes for keeping state for the detection engine.
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
#define DETECT_SM_LIST_NOTSET
bool SCPathExists(const char *path)
Check if a path exists.
int DetectDatarepBufferMatch(DetectEngineThreadCtx *det_ctx, const DetectDatarepData *sd, const uint8_t *data, const uint32_t data_len)
int PathIsAbsolute(const char *path)
Check if a path is absolute.
int ParseSizeStringU32(const char *size, uint32_t *res)
#define SCLogError(...)
Macro used to log ERROR messages.
void DetectDatarepFree(DetectEngineCtx *, void *)
char * DetectLoadCompleteSigPath(const DetectEngineCtx *de_ctx, const char *sig_file)
Create the path if default-rule-path was specified.
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
int DetectBufferGetActiveList(DetectEngineCtx *de_ctx, Signature *s)
DataRepResultType DatasetLookupwRep(Dataset *set, const uint8_t *data, const uint32_t data_len, const DataRepType *rep)