Go to the documentation of this file.
46 #define DETECT_DATASET_CMD_SET 0
47 #define DETECT_DATASET_CMD_UNSET 1
48 #define DETECT_DATASET_CMD_ISNOTSET 2
49 #define DETECT_DATASET_CMD_ISSET 3
70 const uint8_t *data,
const uint32_t data_len)
72 if (data == NULL || data_len == 0)
111 static int DetectDatasetParse(
const char *
str,
char *cmd,
int cmd_len,
char *
name,
int name_len,
112 enum DatasetTypes *
type,
char *load,
size_t load_size,
char *save,
size_t save_size,
113 uint64_t *memcap, uint32_t *
hashsize)
115 bool cmd_set =
false;
116 bool name_set =
false;
117 bool load_set =
false;
118 bool save_set =
false;
119 bool state_set =
false;
121 char copy[strlen(
str)+1];
123 char *xsaveptr = NULL;
124 char *key = strtok_r(copy,
",", &xsaveptr);
125 while (key != NULL) {
126 while (*key !=
'\0' && isblank(*key)) {
129 char *val = strchr(key,
' ');
132 while (*val !=
'\0' && isblank(*val)) {
140 if (strlen(key) == 0) {
145 if (val && strlen(val) != 0) {
150 }
else if (!name_set) {
151 if (val && strlen(val) != 0) {
161 if (strcmp(key,
"type") == 0) {
164 if (strcmp(val,
"md5") == 0) {
166 }
else if (strcmp(val,
"sha256") == 0) {
168 }
else if (strcmp(val,
"string") == 0) {
170 }
else if (strcmp(val,
"ipv4") == 0) {
172 }
else if (strcmp(val,
"ipv6") == 0) {
174 }
else if (strcmp(val,
"ip") == 0) {
181 }
else if (strcmp(key,
"save") == 0) {
189 }
else if (strcmp(key,
"load") == 0) {
197 }
else if (strcmp(key,
"state") == 0) {
207 if (strcmp(key,
"memcap") == 0) {
210 " resetting to default",
215 if (strcmp(key,
"hashsize") == 0) {
218 " resetting to default",
228 key = strtok_r(NULL,
",", &xsaveptr);
231 if ((load_set || save_set) && state_set) {
232 SCLogWarning(
"'state' can not be mixed with 'load' and 'save'");
237 while (strlen(
name) > 0 && isblank(
name[strlen(
name) - 1])) {
242 for (
size_t i = 0; i < strlen(
name); i++) {
243 if (isblank(
name[i])) {
244 SCLogError(
"spaces not allowed in dataset names");
253 static void GetDirName(
const char *in,
char *out,
size_t outs)
255 if (strlen(in) == 0) {
259 size_t size = strlen(in) + 1;
263 char *dir = dirname(tmp);
269 char *load,
size_t load_size)
281 char dir[PATH_MAX] =
"";
286 if (snprintf(path,
sizeof(path),
"%s/%s", dir, load) >= (
int)
sizeof(path))
291 strlcpy(load, path, load_size);
292 SCLogDebug(
"using path '%s' (HAVE_LIBGEN_H)", load);
303 strlcpy(load, loadp, load_size);
304 SCLogDebug(
"using path '%s' (non-HAVE_LIBGEN_H)", load);
312 char *save,
size_t save_size)
317 if (
SCConfGetBool(
"datasets.rules.allow-write", &allow_save)) {
319 SCLogError(
"Rules containing save/state datasets have been disabled");
324 int allow_absolute = 0;
325 (void)
SCConfGetBool(
"datasets.rules.allow-absolute-filenames", &allow_absolute);
326 if (allow_absolute) {
327 SCLogNotice(
"Allowing absolute filename for dataset rule: %s", save);
330 SCLogError(
"Absolute paths not allowed: %s", save);
335 SCLogError(
"Directory traversals not allowed: %s", save);
344 if (snprintf(path,
sizeof(path),
"%s/%s", dir, save) >= (
int)
sizeof(path))
349 strlcpy(save, path, save_size);
362 char load[PATH_MAX] =
"";
363 char save[PATH_MAX] =
"";
366 SCLogError(
"datasets are only supported for sticky buffers");
372 SCLogError(
"datasets are only supported for sticky buffers");
376 if (!DetectDatasetParse(rawstr, cmd_str,
sizeof(cmd_str),
name,
sizeof(
name), &
type, load,
377 sizeof(load), save,
sizeof(save), &memcap, &
hashsize)) {
381 if (strcmp(cmd_str,
"isset") == 0) {
383 }
else if (strcmp(cmd_str,
"isnotset") == 0) {
385 }
else if (strcmp(cmd_str,
"set") == 0) {
387 }
else if (strcmp(cmd_str,
"unset") == 0) {
390 SCLogError(
"dataset action \"%s\" is not supported.", cmd_str);
396 if (strlen(save) == 0 && strlen(load) != 0) {
397 if (SetupLoadPath(
de_ctx, load,
sizeof(load)) != 0)
401 }
else if (strlen(save) != 0 && strlen(load) == 0) {
402 if (SetupSavePath(
de_ctx, save,
sizeof(save)) != 0)
406 }
else if (strlen(save) != 0 && strlen(load) != 0 &&
407 strcmp(save, load) == 0) {
408 if (SetupSavePath(
de_ctx, save,
sizeof(save)) != 0)
410 strlcpy(load, save,
sizeof(load));
428 cmd_str, strlen(
name) ?
name :
"(none)");
SigTableElmt * sigmatch_table
void(* Free)(DetectEngineCtx *, void *)
#define DETECT_DATASET_CMD_SET
int ParseSizeStringU64(const char *size, uint64_t *res)
struct HtpBodyChunk_ * next
main detection engine ctx
int SCConfGetBool(const char *name, int *val)
Retrieve a configuration value as a boolean.
const char * ConfigGetDataDirectory(void)
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
#define DETECT_DATASET_CMD_ISSET
size_t strlcpy(char *dst, const char *src, size_t siz)
Dataset * DatasetGet(const char *name, enum DatasetTypes type, const char *save, const char *load, uint64_t memcap, uint32_t hashsize)
bool SCPathContainsTraversal(const char *path)
Check for directory traversal.
int DatasetRemove(Dataset *set, const uint8_t *data, const uint32_t data_len)
int DatasetAdd(Dataset *set, const uint8_t *data, const uint32_t data_len)
void DetectDatasetFree(DetectEngineCtx *, void *)
#define DATASET_TYPE_NOTSET
#define SCLogWarning(...)
Macro used to log WARNING messages.
void DetectDatasetRegister(void)
SignatureInitData * init_data
int DatasetLookup(Dataset *set, const uint8_t *data, const uint32_t data_len)
see if data is part of the set
Data structures and function prototypes for keeping state for the detection engine.
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
#define DETECT_SM_LIST_NOTSET
bool SCPathExists(const char *path)
Check if a path exists.
int DetectDatasetBufferMatch(DetectEngineThreadCtx *det_ctx, const DetectDatasetData *sd, const uint8_t *data, const uint32_t data_len)
#define DATASET_NAME_MAX_LEN
#define DETECT_DATASET_CMD_UNSET
int PathIsAbsolute(const char *path)
Check if a path is absolute.
int ParseSizeStringU32(const char *size, uint32_t *res)
#define SCLogError(...)
Macro used to log ERROR messages.
#define DETECT_DATASET_CMD_ISNOTSET
char * DetectLoadCompleteSigPath(const DetectEngineCtx *de_ctx, const char *sig_file)
Create the path if default-rule-path was specified.
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
#define SCLogNotice(...)
Macro used to log NOTICE messages.
int DetectBufferGetActiveList(DetectEngineCtx *de_ctx, Signature *s)
#define DEBUG_VALIDATE_BUG_ON(exp)