#include "suricata-common.h"#include "suricata.h"#include "decode.h"#include "detect.h"#include "detect-engine.h"#include "detect-parse.h"#include "detect-content.h"#include "detect-pcre.h"#include "detect-isdataat.h"#include "detect-bytetest.h"#include "detect-bytemath.h"#include "detect-bytejump.h"#include "detect-byte-extract.h"#include "detect-replace.h"#include "detect-engine-content-inspection.h"#include "detect-uricontent.h"#include "detect-urilen.h"#include "detect-engine-uint.h"#include "detect-bsize.h"#include "detect-lua.h"#include "detect-base64-decode.h"#include "detect-base64-data.h"#include "detect-dataset.h"#include "detect-datarep.h"#include "util-spm.h"#include "util-debug.h"#include "util-print.h"#include "util-validate.h"#include "util-unittest.h"#include "util-unittest-helper.h"#include "util-profiling.h"#include "rust.h"#include "tests/detect-engine-content-inspection.c"
Go to the source code of this file.
Functions | |
| uint8_t | DetectEngineContentInspection (DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer, uint32_t buffer_len, uint32_t stream_start_offset, uint8_t flags, uint8_t inspection_mode) |
| Run the actual payload match functions. More... | |
Detailed Description
Performs content inspection on any buffer supplied.
Definition in file detect-engine-content-inspection.c.
Function Documentation
◆ DetectEngineContentInspection()
| uint8_t DetectEngineContentInspection | ( | DetectEngineCtx * | de_ctx, |
| DetectEngineThreadCtx * | det_ctx, | ||
| const Signature * | s, | ||
| const SigMatchData * | smd, | ||
| Packet * | p, | ||
| Flow * | f, | ||
| const uint8_t * | buffer, | ||
| uint32_t | buffer_len, | ||
| uint32_t | stream_start_offset, | ||
| uint8_t | flags, | ||
| uint8_t | inspection_mode | ||
| ) |
Run the actual payload match functions.
The following keywords are inspected:
- content, including all the http and dce modified contents
- isdataat
- pcre
- bytejump
- bytetest
- byte_extract
- urilen
- All keywords are evaluated against the buffer with buffer_len.
For accounting the last match in relative matching the det_ctx->buffer_offset int is used.
- Parameters
-
de_ctx Detection engine context det_ctx Detection engine thread context s Signature to inspect sm SigMatch to inspect p Packet. Can be NULL. f Flow (for pcre flowvar storage) buffer Ptr to the buffer to inspect buffer_len Length of the payload stream_start_offset Indicates the start of the current buffer in the whole buffer stream inspected. This applies if the current buffer is inspected in chunks. inspection_mode Refers to the engine inspection mode we are currently inspecting. Can be payload, stream, one of the http buffer inspection modes or dce inspection mode. flags DETECT_CI_FLAG_*
- Return values
-
0 no match 1 match
< used in recursive searching
Definition at line 106 of file detect-engine-content-inspection.c.
References DetectEngineThreadCtx_::buffer_offset, BUG_ON, DetectEngineThreadCtx_::byte_values, DetectContentData_::content, DetectContentData_::content_len, SigMatchData_::ctx, DetectIsdataatData_::dataat, de_ctx, DetectContentData_::depth, DETECT_CONTENT, DETECT_CONTENT_DEPTH, DETECT_CONTENT_DEPTH_VAR, DETECT_CONTENT_DISTANCE, DETECT_CONTENT_DISTANCE_VAR, DETECT_CONTENT_ENDS_WITH, DETECT_CONTENT_IS_SINGLE, DETECT_CONTENT_NEGATED, DETECT_CONTENT_OFFSET_VAR, DETECT_CONTENT_REPLACE, DETECT_CONTENT_WITHIN, DETECT_CONTENT_WITHIN_NEXT, DETECT_CONTENT_WITHIN_VAR, DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD, DETECT_ISDATAAT, DETECT_PCRE, DETECT_PCRE_RELATIVE_NEXT, DetectEngineContentInspection(), DetectPcrePayloadMatch(), DetectReplaceAddToList(), DetectEngineThreadCtx_::discontinue_matching, DetectContentData_::distance, flags, DetectIsdataatData_::flags, DetectPcreData_::flags, DetectContentData_::flags, DetectContentData_::id, DetectEngineThreadCtx_::inspection_recursion_counter, DetectEngineCtx_::inspection_recursion_limit, SigMatchData_::is_last, ISDATAAT_NEGATED, ISDATAAT_OFFSET_VAR, ISDATAAT_RELATIVE, KEYWORD_PROFILING_END, KEYWORD_PROFILING_START, offset, DetectContentData_::offset, DetectEngineThreadCtx_::pcre_match_start_offset, DetectEngineThreadCtx_::replist, SCEnter, SCLogDebug, SCLogWarning, SCReturnInt, DetectContentData_::spm_ctx, DetectEngineThreadCtx_::spm_thread_ctx, SpmScan(), SigMatchData_::type, and DetectContentData_::within.
Referenced by DetectBase64DataDoMatch(), DetectEngineContentInspection(), DetectEngineInspectBufferGeneric(), DetectEngineInspectPacketPayload(), and DetectEngineInspectPktBufferGeneric().
