detect-engine-content-inspection.c File Reference
#include "suricata-common.h"
#include "suricata.h"
#include "decode.h"
#include "detect.h"
#include "detect-engine.h"
#include "detect-parse.h"
#include "detect-content.h"
#include "detect-pcre.h"
#include "detect-isdataat.h"
#include "detect-bytetest.h"
#include "detect-bytejump.h"
#include "detect-byte-extract.h"
#include "detect-replace.h"
#include "detect-engine-content-inspection.h"
#include "detect-uricontent.h"
#include "detect-urilen.h"
#include "detect-bsize.h"
#include "detect-lua.h"
#include "detect-base64-decode.h"
#include "detect-base64-data.h"
#include "app-layer-dcerpc.h"
#include "util-spm.h"
#include "util-debug.h"
#include "util-print.h"
#include "util-unittest.h"
#include "util-unittest-helper.h"
#include "util-profiling.h"
#include "tests/detect-engine-content-inspection.c"


Functions

int DetectEngineContentInspection (DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, uint8_t *buffer, uint32_t buffer_len, uint32_t stream_start_offset, uint8_t flags, uint8_t inspection_mode, void *data)
 Run the actual payload match functions.
 

Detailed Description

Author
Anoop Saldanha anoop.nosp@m.sald.nosp@m.anha@.nosp@m.gmai.nosp@m.l.com

Performs content inspection on any buffer supplied.

Definition in file detect-engine-content-inspection.c.

Function Documentation

int DetectEngineContentInspection ( DetectEngineCtx de_ctx,
DetectEngineThreadCtx det_ctx,
const Signature s,
const SigMatchData smd,
Flow f,
uint8_t *  buffer,
uint32_t  buffer_len,
uint32_t  stream_start_offset,
uint8_t  flags,
uint8_t  inspection_mode,
void *  data 
)

Run the actual payload match functions.

The following keywords are inspected:

  • content, including all the http and dce modified contents
  • isdataat
  • pcre
  • bytejump
  • bytetest
  • byte_extract
  • urilen
  • All keywords are evaluated against the buffer with buffer_len.

To account for the last match in relative matching, the det_ctx->buffer_offset integer is used.

Parameters
de_ctx  Detection engine context
det_ctx  Detection engine thread context
s  Signature to inspect
smd  SigMatch data to inspect
f  Flow (for pcre flowvar storage)
buffer  Pointer to the buffer to inspect
buffer_len  Length of the payload
stream_start_offset  Start of the current buffer within the whole buffer stream being inspected. This applies when the current buffer is inspected in chunks.
inspection_mode  The engine inspection mode currently in use: payload, stream, one of the HTTP buffer inspection modes, or the DCE inspection mode.
data  Custom data for the caller. For example, in payload inspection mode data holds the packet pointer, and in DCE inspection mode it holds the DCE state.
Return values
0  no match
1  match

(used in recursive searching; the function calls itself, and the references below list DetectEngineThreadCtx_::inspection_recursion_counter and DetectEngineCtx_::inspection_recursion_limit, which appear to bound the recursion depth — confirm against the source)

Definition at line 102 of file detect-engine-content-inspection.c.

References DetectEngineThreadCtx_::bj_values, DetectEngineThreadCtx_::buffer_offset, BUG_ON, DetectContentData_::content_len, SigMatchData_::ctx, DetectIsdataatData_::dataat, DCERPCState_::dcerpc, DCERPC_::dcerpchdr, DetectContentData_::depth, DETECT_AL_URILEN, DETECT_BASE64_DECODE, DETECT_BSIZE, DETECT_BYTE_EXTRACT, DETECT_BYTE_EXTRACT_ENDIAN_BIG, DETECT_BYTE_EXTRACT_ENDIAN_DCE, DETECT_BYTE_EXTRACT_ENDIAN_LITTLE, DETECT_BYTE_EXTRACT_FLAG_ENDIAN, DETECT_BYTEJUMP, DETECT_BYTEJUMP_DCE, DETECT_BYTEJUMP_LITTLE, DETECT_BYTEJUMP_OFFSET_BE, DETECT_BYTETEST, DETECT_BYTETEST_DCE, DETECT_BYTETEST_LITTLE, DETECT_BYTETEST_OFFSET_BE, DETECT_BYTETEST_VALUE_BE, DETECT_CI_FLAGS_END, DETECT_CONTENT, DETECT_CONTENT_DEPTH, DETECT_CONTENT_DEPTH_BE, DETECT_CONTENT_DISTANCE, DETECT_CONTENT_DISTANCE_BE, DETECT_CONTENT_ENDS_WITH, DETECT_CONTENT_IS_SINGLE, DETECT_CONTENT_NEGATED, DETECT_CONTENT_OFFSET_BE, DETECT_CONTENT_REPLACE, DETECT_CONTENT_WITHIN, DETECT_CONTENT_WITHIN_BE, DETECT_CONTENT_WITHIN_NEXT, DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD, DETECT_ISDATAAT, DETECT_LUA, DETECT_PCRE, DETECT_PCRE_RELATIVE_NEXT, DETECT_SM_LIST_BASE64_DATA, DETECT_URILEN_EQ, DETECT_URILEN_GT, DETECT_URILEN_LT, DETECT_URILEN_RA, DetectBase64DataDoMatch(), DetectBase64DecodeDoMatch(), DetectBsizeMatch(), DetectByteExtractDoMatch(), DetectBytejumpDoMatch(), DetectBytetestDoMatch(), DetectEngineContentInspection(), DetectLuaMatchBuffer(), DetectPcrePayloadMatch(), DetectReplaceAddToList(), DetectEngineThreadCtx_::discontinue_matching, DetectContentData_::distance, DetectByteExtractData_::endian, DetectIsdataatData_::flags, flags, DetectPcreData_::flags, DetectBytejumpData_::flags, DetectByteExtractData_::flags, DetectBytetestData_::flags, DetectContentData_::flags, DetectContentData_::id, DetectEngineThreadCtx_::inspection_recursion_counter, DetectEngineCtx_::inspection_recursion_limit, SigMatchData_::is_last, ISDATAAT_NEGATED, ISDATAAT_OFFSET_BE, ISDATAAT_RELATIVE, KEYWORD_PROFILING_END, 
KEYWORD_PROFILING_START, DetectByteExtractData_::local_id, DetectUrilenData_::mode, DetectBytejumpData_::offset, DetectBytetestData_::offset, DetectContentData_::offset, offset, DCERPCHdr_::packed_drep, DetectEngineThreadCtx_::pcre_match_start_offset, DetectEngineThreadCtx_::replist, SC_ERR_INVALID_VALUE, SCEnter, SCLogDebug, SCLogWarning, SCReturnInt, DetectContentData_::spm_ctx, DetectEngineThreadCtx_::spm_thread_ctx, SpmScan(), SigMatchData_::type, DetectUrilenData_::urilen1, DetectBytetestData_::value, and DetectContentData_::within.

Referenced by DetectBase64DataDoMatch(), DetectEngineContentInspection(), DetectEngineInspectBufferGeneric(), DetectEngineInspectPacketPayload(), DetectFilenameRegister(), DetectHttpResponseLineRegister(), and DetectTemplateRustBufferRegister().

