#include "suricata-common.h"
#include "decode.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-engine-prefilter-common.h"
#include "detect-engine-build.h"
#include "flow-var.h"
#include "detect-content.h"
#include "detect-dsize.h"
#include "util-unittest.h"
#include "util-debug.h"
#include "util-byte.h"
#include "pkt-var.h"
#include "host.h"
#include "util-profiling.h"
#include "util-unittest-helper.h"
#include "detect-engine.h"
#include "detect-engine-alert.h"
#include "packet.h"
Functions
void | DetectDsizeRegister (void)
Registration function for dsize: keyword.
int | SigParseGetMaxDsize (const Signature *s)
Get the maximum dsize "depth".
void | SigParseSetDsizePair (Signature *s)
Set the prefilter dsize pair.
int | SigParseMaxRequiredDsize (const Signature *s)
Determine the required dsize for the signature.
void | SigParseApplyDsizeToContent (Signature *s)
Apply dsize as depth to content matches in the rule.
Implements the dsize rule keyword, which matches on the size of the packet payload.
Definition in file detect-dsize.c.
void DetectDsizeRegister(void)
Registration function for dsize: keyword.
Definition at line 61 of file detect-dsize.c.
References SigTableElmt_::desc, DETECT_DSIZE, SigTableElmt_::Match, SigTableElmt_::name, sigmatch_table, and SigTableElmt_::url.
Referenced by SigTableSetup().
void SigParseApplyDsizeToContent(Signature *s)
Apply dsize as depth to content matches in the rule.
Parameters: s | signature to get dsize value from
Definition at line 324 of file detect-dsize.c.
References SigMatch_::ctx, DetectContentData_::depth, DETECT_CONTENT, DETECT_CONTENT_DEPTH, DETECT_SM_LIST_PMATCH, DetectContentData_::flags, Signature_::flags, DetectContentData_::id, Signature_::id, Signature_::init_data, SigMatch_::next, SCEnter, SCLogDebug, SIG_FLAG_DSIZE, SigParseGetMaxDsize(), SigParseSetDsizePair(), SignatureInitData_::smlists, and SigMatch_::type.
int SigParseGetMaxDsize(const Signature *s)
Get the maximum dsize "depth".
Parameters: s | signature to get dsize value from
Returns: the depth, or a negative value
Definition at line 211 of file detect-dsize.c.
References SigMatch_::ctx, DETECT_UINT_EQ, DETECT_UINT_GT, DETECT_UINT_LT, DETECT_UINT_NE, DETECT_UINT_RA, SignatureInitData_::dsize_sm, Signature_::flags, Signature_::init_data, SCReturnInt, and SIG_FLAG_DSIZE.
Referenced by DetectContentPMATCHValidateCallback(), SigParseApplyDsizeToContent(), and SigParseMaxRequiredDsize().
int SigParseMaxRequiredDsize(const Signature *s)
Determine the required dsize for the signature.
Parameters: s | signature to get dsize value from
Note that negated content does not contribute to the maximum required dsize value. However, each negated content's values must not exceed the dsize value. See SigParseRequiredContentSize.
Return values:
-1 | Signature doesn't have a dsize keyword
>= 0 | Dsize value required to not exclude content matches
Definition at line 288 of file detect-dsize.c.
References DETECT_SM_LIST_PMATCH, Signature_::flags, Signature_::init_data, offset, SCEnter, SCLogDebug, SCReturnInt, SIG_FLAG_DSIZE, Signature_::sig_str, SigParseGetMaxDsize(), SigParseRequiredContentSize(), and SignatureInitData_::smlists.
Referenced by DetectContentPMATCHValidateCallback().
void SigParseSetDsizePair(Signature *s)
Set the prefilter dsize pair.
Parameters: s | signature to get dsize value from
Definition at line 234 of file detect-dsize.c.
References SigMatch_::ctx, DETECT_UINT_EQ, DETECT_UINT_GT, DETECT_UINT_GTE, DETECT_UINT_LT, DETECT_UINT_LTE, DETECT_UINT_NE, DETECT_UINT_RA, Signature_::dsize_high, Signature_::dsize_low, Signature_::dsize_mode, SignatureInitData_::dsize_sm, Signature_::flags, Signature_::init_data, SCLogDebug, and SIG_FLAG_DSIZE.
Referenced by SigParseApplyDsizeToContent().