suricata
detect-dsize.h
1 /* Copyright (C) 2007-2010 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  */
23 
24 #ifndef __DETECT_DSIZE_H__
25 #define __DETECT_DSIZE_H__
26 
27 #include "detect-engine-uint.h"
28 
/* Public interface of the dsize keyword; definitions are in detect-dsize.c. */

/** Registration function for the dsize: keyword. */
void DetectDsizeRegister(void);

/** Get the max dsize "depth" for signature s.
 *  NOTE(review): the meaning of the int return value (including any
 *  "no limit" or error value) is not visible in this header; confirm
 *  against detect-dsize.c before relying on it. */
int SigParseGetMaxDsize(const Signature *s);
35 
/**
 * \brief Cheap dsize range test used during prefilter.
 *
 * Decides whether signature s can be kicked out for packet p because the
 * packet's payload length falls outside the signature's inclusive
 * [dsize_low, dsize_high] pair. The test only ever rejects: any case it
 * cannot decide from the pair alone is left as a candidate.
 *
 * \param p      packet whose payload_len is compared
 * \param s      signature providing dsize_low, dsize_high and dsize_mode
 * \param sflags flag word tested for SIG_FLAG_DSIZE
 *
 * \retval true  payload length is outside the pair and the mode is not
 *               DETECT_UINT_NE; the signature is kicked out
 * \retval false the signature remains a candidate for this packet
 */
static inline bool SigDsizePrefilter(const Packet *p, const Signature *s, uint32_t sflags)
{
    /* Signature carries no dsize flag: there is nothing to reject on. */
    if (likely(!(sflags & SIG_FLAG_DSIZE))) {
        return false;
    }

    /* Both bounds are inclusive, so a length equal to either bound is in range. */
    const bool within_range =
            p->payload_len >= s->dsize_low && p->payload_len <= s->dsize_high;
    if (unlikely(within_range)) {
        return false;
    }

    /* DETECT_UINT_NE is never rejected here, even when the length is outside
     * the pair. NOTE(review): presumably a "not equal" match cannot be
     * expressed as one inclusive range and is left to the full dsize match;
     * confirm against SigParseSetDsizePair(). */
    if (s->dsize_mode == DETECT_UINT_NE) {
        return false;
    }

    SCLogDebug("kicked out as p->payload_len %u, dsize low %u, hi %u", p->payload_len,
            s->dsize_low, s->dsize_high);
    return true;
}
51 
52 #endif /* __DETECT_DSIZE_H__ */
53 
detect-engine-uint.h
DetectDsizeRegister
void DetectDsizeRegister(void)
Registration function for dsize: keyword.
Definition: detect-dsize.c:61
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SigParseApplyDsizeToContent
void SigParseApplyDsizeToContent(Signature *s)
Apply dsize as depth to content matches in the rule.
Definition: detect-dsize.c:296
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:296
DETECT_UINT_NE
#define DETECT_UINT_NE
Definition: detect-engine-uint.h:36
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:574
Signature_::dsize_low
uint16_t dsize_low
Definition: detect.h:546
Packet_
Definition: decode.h:433
SigParseGetMaxDsize
int SigParseGetMaxDsize(const Signature *s)
get max dsize "depth"
Definition: detect-dsize.c:226
SigParseSetDsizePair
void SigParseSetDsizePair(Signature *s)
set prefilter dsize pair
Definition: detect-dsize.c:249
Signature_::dsize_high
uint16_t dsize_high
Definition: detect.h:547
Signature_
Signature container.
Definition: detect.h:540
Signature_::dsize_mode
uint8_t dsize_mode
Definition: detect.h:548
likely
#define likely(expr)
Definition: util-optimize.h:32
SIG_FLAG_DSIZE
#define SIG_FLAG_DSIZE
Definition: detect.h:208