108 uint32_t buffer_len, uint32_t stream_start_offset, uint8_t
flags, uint8_t inspection_mode)
121 if (smd == NULL || buffer_len == 0) {
130 SCLogDebug(
"inspecting content %"PRIu32
" buffer_len %"PRIu32, cd->
id, buffer_len);
146 const uint8_t *found = NULL;
148 uint32_t depth = buffer_len;
149 uint32_t prev_offset = 0;
157 offset = prev_buffer_offset;
165 if (distance < 0 && (uint32_t)(abs(distance)) >
offset)
170 SCLogDebug(
"cd->distance %"PRIi32
", offset %"PRIu32
", depth %"PRIu32,
176 if ((int32_t)depth > (int32_t)(prev_buffer_offset + det_ctx->
byte_values[cd->
within] + distance)) {
180 if ((int32_t)depth > (int32_t)(prev_buffer_offset + cd->
within + distance)) {
181 depth = prev_buffer_offset + cd->
within + distance;
184 SCLogDebug(
"cd->within %"PRIi32
", det_ctx->buffer_offset %"PRIu32
", depth %"PRIu32,
185 cd->
within, prev_buffer_offset, depth);
188 if (stream_start_offset != 0 && prev_buffer_offset == 0) {
189 if (depth <= stream_start_offset) {
191 }
else if (depth >= (stream_start_offset + buffer_len)) {
194 depth = depth - stream_start_offset;
204 if (cd->
depth != 0) {
205 if ((cd->
depth + prev_buffer_offset) < depth) {
206 depth = prev_buffer_offset + cd->
depth;
227 if (cd->
depth != 0) {
233 if (depth <= stream_start_offset) {
235 }
else if (depth >= (stream_start_offset + buffer_len)) {
238 depth = depth - stream_start_offset;
247 prev_buffer_offset = 0;
260 if (prev_offset != 0)
265 if (depth > buffer_len)
270 if (
offset > depth || depth == 0) {
278 const uint8_t *sbuffer = buffer +
offset;
279 uint32_t sbuffer_len = depth -
offset;
280 uint32_t match_offset = 0;
281 SCLogDebug(
"sbuffer_len %"PRIu32, sbuffer_len);
283 BUG_ON(sbuffer_len > buffer_len);
286 SCLogDebug(
"depth < buffer_len while DETECT_CONTENT_ENDS_WITH is set. Can't possibly match.");
312 SCLogDebug(
"content %"PRIu32
" matched at offset %"PRIu32
", but negated so no match", cd->
id, match_offset);
319 match_offset = (uint32_t)((found - buffer) + cd->
content_len);
320 SCLogDebug(
"content %"PRIu32
" matched at offset %"PRIu32
"", cd->
id, match_offset);
347 buffer, buffer_len, stream_start_offset,
flags, inspection_mode);
354 SCLogDebug(
"'next sm' said to discontinue this right now");
360 SCLogDebug(
"'next sm' does not depend on me, so we can give up");
365 SCLogDebug(
"'next sm' depends on me %p, lets see what we can do (flags %u)", cd, cd->
flags);
368 prev_offset = (match_offset - (cd->
content_len - 1));
369 SCLogDebug(
"trying to see if there is another match after prev_offset %"PRIu32, prev_offset);
378 uint32_t dataat = id->
dataat;
381 if (be_value >= 100000000) {
383 SCLogDebug(
"extracted value %"PRIu64
" very big: no match", be_value);
386 SCLogDebug(
"extracted value way %"PRIu64
" very big: match", be_value);
389 dataat = (uint32_t)be_value;
390 SCLogDebug(
"isdataat: using value %u from byte_extract local_id %u", dataat, id->
dataat);
395 SCLogDebug(
"det_ctx->buffer_offset + dataat %"PRIu32
" > %"PRIu32, det_ctx->
buffer_offset + dataat, buffer_len);
406 if (dataat < buffer_len) {
412 SCLogDebug(
"absolute isdataat mismatch, id->isdataat %"PRIu32
", buffer_len %"PRIu32
"", dataat, buffer_len);
423 uint32_t prev_offset = 0;
435 SCLogDebug(
"no relative match coming up, so this is a match");
447 p, f, buffer, buffer_len, stream_start_offset,
flags,
462 uint8_t btflags = btd->
flags;
464 uint64_t value = btd->
value;
469 value = det_ctx->byte_values[value];
490 uint16_t bjflags = bjd->
flags;
516 uint8_t endian = bed->
endian;
531 &det_ctx->byte_values[bed->
local_id], endian) != 1) {
535 SCLogDebug(
"[BE] Fetched value for index %d: %"PRIu64,
541 DetectByteMathData *bmd = (DetectByteMathData *)smd->ctx;
542 uint8_t endian = bmd->endian;
546 if ((bmd->flags & DETECT_BYTEMATH_FLAG_ENDIAN) && endian == (int)EndianDCE &&
554 if (bmd->flags & DETECT_BYTEMATH_FLAG_RVALUE_VAR) {
555 rvalue = det_ctx->byte_values[bmd->local_id];
557 rvalue = bmd->rvalue;
562 &det_ctx->byte_values[bmd->local_id], endian) != 1) {
566 SCLogDebug(
"[BM] Fetched value for index %d: %"PRIu64,
567 bmd->local_id, det_ctx->byte_values[bmd->local_id]);
573 const uint64_t data_size = buffer_len + stream_start_offset;
576 det_ctx->discontinue_matching = 1;
592 det_ctx->discontinue_matching = 1;
603 det_ctx->discontinue_matching = 1;
610 DetectUrilenData *urilend = (DetectUrilenData *) smd->ctx;
611 if (buffer_len > UINT16_MAX) {
621 det_ctx->discontinue_matching = 0;
630 det_ctx->buffer_offset, f) != 1)
665 buffer_len, stream_start_offset,
flags, inspection_mode);