Go to the documentation of this file.
47 #define DETECT_DATASET_CMD_SET 0
48 #define DETECT_DATASET_CMD_UNSET 1
49 #define DETECT_DATASET_CMD_ISNOTSET 2
50 #define DETECT_DATASET_CMD_ISSET 3
69 const uint8_t *data,
const uint32_t data_len)
71 if (data == NULL || data_len == 0)
122 const uint8_t *data,
const uint32_t data_len)
124 if (data == NULL || data_len == 0)
128 return DetectDatajsonBufferMatch(det_ctx, sd, data, data_len);
167 static int DetectDatasetParse(
const char *
str,
char *cmd,
int cmd_len,
char *
name,
int name_len,
168 enum DatasetTypes *
type,
char *load,
size_t load_size,
char *save,
size_t save_size,
170 size_t value_key_size,
char *array_key,
size_t array_key_size,
char *enrichment_key,
171 size_t enrichment_key_size,
bool *remove_key)
173 bool cmd_set =
false;
174 bool name_set =
false;
175 bool load_set =
false;
176 bool save_set =
false;
177 bool state_set =
false;
178 bool format_set =
false;
180 char copy[strlen(
str)+1];
182 char *xsaveptr = NULL;
183 char *key = strtok_r(copy,
",", &xsaveptr);
185 while (key != NULL) {
186 while (*key !=
'\0' && isblank(*key)) {
189 char *val = strchr(key,
' ');
192 while (*val !=
'\0' && isblank(*val)) {
200 if (strlen(key) == 0) {
205 if (val && strlen(val) != 0) {
210 }
else if (!name_set) {
211 if (val && strlen(val) != 0) {
219 if (strcmp(key,
"remove_key") == 0) {
223 }
else if (strcmp(key,
"type") == 0) {
226 if (strcmp(val,
"md5") == 0) {
228 }
else if (strcmp(val,
"sha256") == 0) {
230 }
else if (strcmp(val,
"string") == 0) {
232 }
else if (strcmp(val,
"ipv4") == 0) {
234 }
else if (strcmp(val,
"ipv6") == 0) {
236 }
else if (strcmp(val,
"ip") == 0) {
243 }
else if (strcmp(key,
"save") == 0) {
251 }
else if (strcmp(key,
"load") == 0) {
259 }
else if (strcmp(key,
"state") == 0) {
268 }
else if (strcmp(key,
"format") == 0) {
274 if (strcmp(val,
"csv") == 0) {
276 }
else if (strcmp(val,
"ndjson") == 0) {
278 }
else if (strcmp(val,
"json") == 0) {
285 }
else if (strcmp(key,
"value_key") == 0) {
286 if (strlen(val) > value_key_size) {
287 SCLogError(
"'key' value too long (limit is %zu)", value_key_size);
290 strlcpy(value_key, val, value_key_size);
291 }
else if (strcmp(key,
"array_key") == 0) {
292 if (strlen(val) > array_key_size) {
293 SCLogError(
"'key' value too long (limit is %zu)", array_key_size);
296 strlcpy(array_key, val, array_key_size);
297 }
else if (strcmp(key,
"context_key") == 0) {
298 for (
size_t i = 0; i < strlen(val); i++) {
299 if (!isalnum(val[i]) && val[i] !=
'_') {
300 SCLogError(
"context_key can only contain alphanumeric characters and "
305 if (strlen(val) > enrichment_key_size) {
306 SCLogError(
"'key' value too long (limit is %zu)", enrichment_key_size);
309 strlcpy(enrichment_key, val, enrichment_key_size);
312 if (strcmp(key,
"memcap") == 0) {
315 " resetting to default",
320 if (strcmp(key,
"hashsize") == 0) {
323 " resetting to default",
333 key = strtok_r(NULL,
",", &xsaveptr);
336 if ((load_set || save_set) && state_set) {
337 SCLogError(
"'state' can not be mixed with 'load' and 'save'");
342 while (strlen(
name) > 0 && isblank(
name[strlen(
name) - 1])) {
347 for (
size_t i = 0; i < strlen(
name); i++) {
348 if (isblank(
name[i])) {
349 SCLogError(
"spaces not allowed in dataset names");
358 static void GetDirName(
const char *in,
char *out,
size_t outs)
360 if (strlen(in) == 0) {
364 size_t size = strlen(in) + 1;
368 char *dir = dirname(tmp);
374 char *load,
size_t load_size)
386 char dir[PATH_MAX] =
"";
391 if (snprintf(path,
sizeof(path),
"%s/%s", dir, load) >= (
int)
sizeof(path))
396 strlcpy(load, path, load_size);
397 SCLogDebug(
"using path '%s' (HAVE_LIBGEN_H)", load);
408 strlcpy(load, loadp, load_size);
409 SCLogDebug(
"using path '%s' (non-HAVE_LIBGEN_H)", load);
417 char *save,
size_t save_size)
422 if (
SCConfGetBool(
"datasets.rules.allow-write", &allow_save)) {
424 SCLogError(
"Rules containing save/state datasets have been disabled");
429 int allow_absolute = 0;
430 (void)
SCConfGetBool(
"datasets.rules.allow-absolute-filenames", &allow_absolute);
431 if (allow_absolute) {
432 SCLogNotice(
"Allowing absolute filename for dataset rule: %s", save);
435 SCLogError(
"Absolute paths not allowed: %s", save);
440 SCLogError(
"Directory traversals not allowed: %s", save);
450 if (snprintf(path,
sizeof(path),
"%s/%s", dir, save) >=
456 strlcpy(save, path, save_size);
470 char load[PATH_MAX] =
"";
471 char save[PATH_MAX] =
"";
476 bool remove_key =
false;
479 SCLogError(
"datasets are only supported for sticky buffers");
485 SCLogError(
"datasets are only supported for sticky buffers");
489 if (!DetectDatasetParse(rawstr, cmd_str,
sizeof(cmd_str),
name,
sizeof(
name), &
type, load,
490 sizeof(load), save,
sizeof(save), &memcap, &
hashsize, &format, value_key,
491 sizeof(value_key), array_key,
sizeof(array_key), enrichment_key,
492 sizeof(enrichment_key), &remove_key)) {
496 if (strcmp(cmd_str,
"isset") == 0) {
498 }
else if (strcmp(cmd_str,
"isnotset") == 0) {
500 }
else if (strcmp(cmd_str,
"set") == 0) {
502 SCLogError(
"json format is not supported for 'set' command");
506 }
else if (strcmp(cmd_str,
"unset") == 0) {
508 SCLogError(
"json format is not supported for 'unset' command");
513 SCLogError(
"dataset action \"%s\" is not supported.", cmd_str);
518 if (strlen(save) != 0) {
519 SCLogError(
"json format is not supported with 'save' or 'state' option");
522 if (strlen(enrichment_key) == 0) {
523 SCLogError(
"json format needs a 'context_key' parameter");
526 if (strlen(value_key) == 0) {
527 SCLogError(
"json format needs a 'value_key' parameter");
534 if (strlen(save) == 0 && strlen(load) != 0) {
535 if (SetupLoadPath(
de_ctx, load,
sizeof(load)) != 0)
539 }
else if (strlen(save) != 0 && strlen(load) == 0) {
540 if (SetupSavePath(
de_ctx, save,
sizeof(save)) != 0)
544 }
else if (strlen(save) != 0 && strlen(load) != 0 &&
545 strcmp(save, load) == 0) {
546 if (SetupSavePath(
de_ctx, save,
sizeof(save)) != 0)
548 strlcpy(load, save,
sizeof(load));
581 cmd_str, strlen(
name) ?
name :
"(none)");
DataJsonResultType DatajsonLookup(Dataset *set, const uint8_t *data, const uint32_t data_len)
SigTableElmt * sigmatch_table
void(* Free)(DetectEngineCtx *, void *)
#define DETECT_DATASET_CMD_SET
int ParseSizeStringU64(const char *size, uint64_t *res)
struct HtpBodyChunk_ * next
main detection engine ctx
int SCConfGetBool(const char *name, int *val)
Retrieve a configuration value as a boolean.
const char * ConfigGetDataDirectory(void)
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
#define SIG_JSON_CONTENT_ITEM_LEN
void DatajsonUnlockElt(DataJsonResultType *r)
#define DETECT_DATASET_CMD_ISSET
size_t strlcpy(char *dst, const char *src, size_t siz)
Dataset * DatasetGet(const char *name, enum DatasetTypes type, const char *save, const char *load, uint64_t memcap, uint32_t hashsize)
bool SCPathContainsTraversal(const char *path)
Check for directory traversal.
int DatasetRemove(Dataset *set, const uint8_t *data, const uint32_t data_len)
int DatasetAdd(Dataset *set, const uint8_t *data, const uint32_t data_len)
#define SIG_JSON_CONTENT_KEY_LEN
void DetectDatasetFree(DetectEngineCtx *, void *)
#define DATASET_TYPE_NOTSET
SigMatch * SCSigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
#define SCLogWarning(...)
Macro used to log WARNING messages.
uint8_t json_content_capacity
void DetectDatasetRegister(void)
SignatureInitData * init_data
int DatasetLookup(Dataset *set, const uint8_t *data, const uint32_t data_len)
see if data is part of the set
Data structures and function prototypes for keeping state for the detection engine.
int DetectEngineThreadCtxGetJsonContext(DetectEngineThreadCtx *det_ctx)
char json_key[SIG_JSON_CONTENT_KEY_LEN]
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
#define DETECT_SM_LIST_NOTSET
bool SCPathExists(const char *path)
Check if a path exists.
int DetectDatasetBufferMatch(DetectEngineThreadCtx *det_ctx, const DetectDatasetData *sd, const uint8_t *data, const uint32_t data_len)
#define DATASET_NAME_MAX_LEN
#define DETECT_DATASET_CMD_UNSET
int PathIsAbsolute(const char *path)
Check if a path is absolute.
int ParseSizeStringU32(const char *size, uint32_t *res)
SigJsonContent * json_content
#define SCLogError(...)
Macro used to log ERROR messages.
Dataset * DatajsonGet(const char *name, enum DatasetTypes type, const char *load, uint64_t memcap, uint32_t hashsize, char *json_key_value, char *json_array_key, DatasetFormats format, bool remove_key)
#define DETECT_DATASET_CMD_ISNOTSET
char * DetectLoadCompleteSigPath(const DetectEngineCtx *de_ctx, const char *sig_file)
Create the path if default-rule-path was specified.
#define SCLogNotice(...)
Macro used to log NOTICE messages.
int DetectBufferGetActiveList(DetectEngineCtx *de_ctx, Signature *s)
#define DEBUG_VALIDATE_BUG_ON(exp)
char json_content[SIG_JSON_CONTENT_ITEM_LEN]