Go to the documentation of this file.
65 const uint8_t *data,
const uint32_t data_len)
67 if (data == NULL || data_len == 0)
100 static int DetectDatasetParse(
const char *
str,
char *cmd,
int cmd_len,
char *name,
int name_len,
101 enum DatasetTypes *
type,
char *load,
size_t load_size,
char *save,
size_t save_size,
102 uint64_t *memcap, uint32_t *
hashsize)
104 bool cmd_set =
false;
105 bool name_set =
false;
106 bool load_set =
false;
107 bool save_set =
false;
108 bool state_set =
false;
110 char copy[strlen(
str)+1];
112 char *xsaveptr = NULL;
113 char *key = strtok_r(copy,
",", &xsaveptr);
114 while (key != NULL) {
115 while (*key !=
'\0' && isblank(*key)) {
118 char *val = strchr(key,
' ');
121 while (*val !=
'\0' && isblank(*val)) {
129 if (strlen(key) == 0) {
134 if (val && strlen(val) != 0) {
139 }
else if (!name_set) {
140 if (val && strlen(val) != 0) {
150 if (strcmp(key,
"type") == 0) {
153 if (strcmp(val,
"md5") == 0) {
155 }
else if (strcmp(val,
"sha256") == 0) {
157 }
else if (strcmp(val,
"string") == 0) {
159 }
else if (strcmp(val,
"ipv4") == 0) {
161 }
else if (strcmp(val,
"ipv6") == 0) {
163 }
else if (strcmp(val,
"ip") == 0) {
170 }
else if (strcmp(key,
"save") == 0) {
178 }
else if (strcmp(key,
"load") == 0) {
186 }
else if (strcmp(key,
"state") == 0) {
196 if (strcmp(key,
"memcap") == 0) {
199 " resetting to default",
204 if (strcmp(key,
"hashsize") == 0) {
207 " resetting to default",
217 key = strtok_r(NULL,
",", &xsaveptr);
220 if ((load_set || save_set) && state_set) {
221 SCLogWarning(
"'state' can not be mixed with 'load' and 'save'");
226 while (strlen(name) > 0 && isblank(name[strlen(name) - 1])) {
227 name[strlen(name) - 1] =
'\0';
231 for (
size_t i = 0; i < strlen(name); i++) {
232 if (isblank(name[i])) {
233 SCLogError(
"spaces not allowed in dataset names");
242 static void GetDirName(
const char *in,
char *out,
size_t outs)
244 if (strlen(in) == 0) {
248 size_t size = strlen(in) + 1;
252 char *dir = dirname(tmp);
259 char *load,
size_t load_size)
271 char dir[PATH_MAX] =
"";
276 if (snprintf(path,
sizeof(path),
"%s/%s", dir, load) >= (
int)
sizeof(path))
281 strlcpy(load, path, load_size);
282 SCLogDebug(
"using path '%s' (HAVE_LIBGEN_H)", load);
293 strlcpy(load, loadp, load_size);
294 SCLogDebug(
"using path '%s' (non-HAVE_LIBGEN_H)", load);
302 char *save,
size_t save_size)
307 if (
ConfGetBool(
"datasets.rules.allow-write", &allow_save)) {
309 SCLogError(
"Rules containing save/state datasets have been disabled");
314 int allow_absolute = 0;
315 (void)
ConfGetBool(
"datasets.rules.allow-absolute-filenames", &allow_absolute);
316 if (allow_absolute) {
317 SCLogNotice(
"Allowing absolute filename for dataset rule: %s", save);
320 SCLogError(
"Absolute paths not allowed: %s", save);
325 SCLogError(
"Directory traversals not allowed: %s", save);
334 if (snprintf(path,
sizeof(path),
"%s/%s", dir, save) >= (
int)
sizeof(path))
339 strlcpy(save, path, save_size);
353 char load[PATH_MAX] =
"";
354 char save[PATH_MAX] =
"";
357 SCLogError(
"datasets are only supported for sticky buffers");
363 SCLogError(
"datasets are only supported for sticky buffers");
367 if (!DetectDatasetParse(rawstr, cmd_str,
sizeof(cmd_str), name,
sizeof(name), &
type, load,
368 sizeof(load), save,
sizeof(save), &memcap, &
hashsize)) {
372 if (strcmp(cmd_str,
"isset") == 0) {
374 }
else if (strcmp(cmd_str,
"isnotset") == 0) {
376 }
else if (strcmp(cmd_str,
"set") == 0) {
378 }
else if (strcmp(cmd_str,
"unset") == 0) {
381 SCLogError(
"dataset action \"%s\" is not supported.", cmd_str);
387 if (strlen(save) == 0 && strlen(load) != 0) {
388 if (SetupLoadPath(
de_ctx, load,
sizeof(load)) != 0)
392 }
else if (strlen(save) != 0 && strlen(load) == 0) {
393 if (SetupSavePath(
de_ctx, save,
sizeof(save)) != 0)
397 }
else if (strlen(save) != 0 && strlen(load) != 0 &&
398 strcmp(save, load) == 0) {
399 if (SetupSavePath(
de_ctx, save,
sizeof(save)) != 0)
401 strlcpy(load, save,
sizeof(load));
404 SCLogDebug(
"name '%s' load '%s' save '%s'", name, load, save);
407 SCLogError(
"failed to set up dataset '%s'.", name);
411 SCLogError(
"dataset too large for set memcap");
423 cmd_str, strlen(name) ? name :
"(none)");
void SigMatchAppendSMToList(Signature *s, SigMatch *new, const int list)
Append a SigMatch to the list type.
void(* Free)(DetectEngineCtx *, void *)
int ConfGetBool(const char *name, int *val)
Retrieve a configuration value as a boolean.
int ParseSizeStringU64(const char *size, uint64_t *res)
struct HtpBodyChunk_ * next
#define DETECT_DATASET_CMD_SET
main detection engine ctx
const char * ConfigGetDataDirectory(void)
int DetectBufferGetActiveList(DetectEngineCtx *de_ctx, Signature *s)
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
size_t strlcpy(char *dst, const char *src, size_t siz)
Dataset * DatasetGet(const char *name, enum DatasetTypes type, const char *save, const char *load, uint64_t memcap, uint32_t hashsize)
bool SCPathContainsTraversal(const char *path)
Check for directory traversal.
int DatasetAdd(Dataset *set, const uint8_t *data, const uint32_t data_len)
void DetectDatasetFree(DetectEngineCtx *, void *)
#define DATASET_TYPE_NOTSET
Per thread variable structure.
#define SCLogWarning(...)
Macro used to log WARNING messages.
void DetectDatasetRegister(void)
#define DETECT_DATASET_CMD_ISSET
SignatureInitData * init_data
int DatasetLookup(Dataset *set, const uint8_t *data, const uint32_t data_len)
see if data is part of the set
Data structures and function prototypes for keeping state for the detection engine.
SigMatch * SigMatchAlloc(void)
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
#define DETECT_SM_LIST_NOTSET
bool SCPathExists(const char *path)
Check if a path exists.
int DetectDatasetBufferMatch(DetectEngineThreadCtx *det_ctx, const DetectDatasetData *sd, const uint8_t *data, const uint32_t data_len)
#define DETECT_DATASET_CMD_UNSET
#define DATASET_NAME_MAX_LEN
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
int PathIsAbsolute(const char *path)
Check if a path is absolute.
int ParseSizeStringU32(const char *size, uint32_t *res)
#define DETECT_DATASET_CMD_ISNOTSET
#define SCLogError(...)
Macro used to log ERROR messages.
a single match condition for a signature
char * DetectLoadCompleteSigPath(const DetectEngineCtx *de_ctx, const char *sig_file)
Create the path if default-rule-path was specified.
int DetectDatasetMatch(ThreadVars *, DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
#define SC_ATOMIC_GET(name)
Get the value from the atomic variable.
#define SCLogNotice(...)
Macro used to log NOTICE messages.