suricata
detect-dsize.h
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  */
23 
24 #ifndef SURICATA_DETECT_DSIZE_H
25 #define SURICATA_DETECT_DSIZE_H
26 
27 #include "detect-engine-uint.h"
28 
29 /* prototypes */
30 void DetectDsizeRegister (void);
31 
33 int SigParseGetMaxDsize(const Signature *s);
36 
/**
 * \brief Prefilter test on payload size: decide whether packet p can be
 *        kicked out for signature s because of the signature's dsize setting.
 *
 * Only acts when sflags carries SIG_FLAG_DSIZE. The packet is rejected when
 * p->payload_len lies outside the inclusive range
 * [s->dsize_low, s->dsize_high], unless s->dsize_mode is DETECT_UINT_NE, in
 * which case this function never rejects.
 *
 * A true result means the packet is kicked out for this signature at the
 * prefilter stage, so a wrong rejection here would be a missed detection.
 * All other cases return false (presumably leaving the decision to the later
 * full match; the caller is not visible in this header).
 *
 * \param p      packet whose payload_len is tested
 * \param s      signature providing dsize_low, dsize_high and dsize_mode
 * \param sflags flags word tested for SIG_FLAG_DSIZE (passed in by the
 *               caller rather than read from s)
 *
 * \retval true  payload length is outside the dsize range; kick out
 * \retval false no rejection at this stage
 */
static inline bool SigDsizePrefilter(const Packet *p, const Signature *s, uint32_t sflags)
{
    /* No dsize flag set: nothing to check here. */
    if (likely(!(sflags & SIG_FLAG_DSIZE))) {
        return false;
    }

    /* Payload length within [dsize_low, dsize_high]: cannot reject. */
    const bool out_of_range =
            (p->payload_len < s->dsize_low) || (p->payload_len > s->dsize_high);
    if (unlikely(!out_of_range)) {
        return false;
    }

    /* NOTE(review): for "not equal" the low/high pair presumably cannot
     * express the match set, so the range test must not reject; confirm
     * against the code that fills dsize_low/dsize_high. */
    if (s->dsize_mode == DETECT_UINT_NE) {
        return false;
    }

    SCLogDebug("kicked out as p->payload_len %u, dsize low %u, hi %u", p->payload_len,
            s->dsize_low, s->dsize_high);
    return true;
}
52 
53 #endif /* SURICATA_DETECT_DSIZE_H */
detect-engine-uint.h
DetectDsizeRegister
void DetectDsizeRegister(void)
Registration function for dsize: keyword.
Definition: detect-dsize.c:61
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SigParseApplyDsizeToContent
void SigParseApplyDsizeToContent(Signature *s)
Apply dsize as depth to content matches in the rule.
Definition: detect-dsize.c:324
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
DETECT_UINT_NE
#define DETECT_UINT_NE
Definition: detect-engine-uint.h:36
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:572
Signature_::dsize_low
uint16_t dsize_low
Definition: detect.h:608
SigParseMaxRequiredDsize
int SigParseMaxRequiredDsize(const Signature *s)
Determine the required dsize for the signature.
Definition: detect-dsize.c:288
Packet_
Definition: decode.h:473
SigParseGetMaxDsize
int SigParseGetMaxDsize(const Signature *s)
get max dsize "depth"
Definition: detect-dsize.c:211
SigParseSetDsizePair
void SigParseSetDsizePair(Signature *s)
set prefilter dsize pair
Definition: detect-dsize.c:234
Signature_::dsize_high
uint16_t dsize_high
Definition: detect.h:609
Signature_
Signature container.
Definition: detect.h:601
Signature_::dsize_mode
uint8_t dsize_mode
Definition: detect.h:610
likely
#define likely(expr)
Definition: util-optimize.h:32
SIG_FLAG_DSIZE
#define SIG_FLAG_DSIZE
Definition: detect.h:245