suricata
detect-engine-content-inspection.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2017 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  *
23  * Performs content inspection on any buffer supplied.
24  */
25 
26 #include "suricata-common.h"
27 #include "suricata.h"
28 
29 #include "decode.h"
30 
31 #include "detect.h"
32 #include "detect-engine.h"
33 #include "detect-parse.h"
34 #include "detect-content.h"
35 #include "detect-pcre.h"
36 #include "detect-isdataat.h"
37 #include "detect-bytetest.h"
38 #include "detect-bytemath.h"
39 #include "detect-bytejump.h"
40 #include "detect-byte-extract.h"
41 #include "detect-replace.h"
43 #include "detect-uricontent.h"
44 #include "detect-urilen.h"
45 #include "detect-bsize.h"
46 #include "detect-lua.h"
47 #include "detect-base64-decode.h"
48 #include "detect-base64-data.h"
49 #include "detect-dataset.h"
50 #include "detect-datarep.h"
51 
52 #include "app-layer-dcerpc.h"
53 
54 #include "util-spm.h"
55 #include "util-debug.h"
56 #include "util-print.h"
57 
58 #include "util-unittest.h"
59 #include "util-unittest-helper.h"
60 #include "util-profiling.h"
61 
62 #ifdef HAVE_LUA
63 #include "util-lua.h"
64 #endif
65 
66 /**
67  * \brief Run the actual payload match functions
68  *
69  * The following keywords are inspected:
70  * - content, including all the http and dce modified contents
71  * - isdaatat
72  * - pcre
73  * - bytejump
74  * - bytetest
75  * - byte_extract
76  * - urilen
77  * -
78  *
79  * All keywords are evaluated against the buffer with buffer_len.
80  *
81  * For accounting the last match in relative matching the
82  * det_ctx->buffer_offset int is used.
83  *
84  * \param de_ctx Detection engine context
85  * \param det_ctx Detection engine thread context
86  * \param s Signature to inspect
87  * \param sm SigMatch to inspect
88  * \param p Packet. Can be NULL.
89  * \param f Flow (for pcre flowvar storage)
90  * \param buffer Ptr to the buffer to inspect
91  * \param buffer_len Length of the payload
92  * \param stream_start_offset Indicates the start of the current buffer in
93  * the whole buffer stream inspected. This
94  * applies if the current buffer is inspected
95  * in chunks.
96  * \param inspection_mode Refers to the engine inspection mode we are currently
97  * inspecting. Can be payload, stream, one of the http
98  * buffer inspection modes or dce inspection mode.
99  * \param flags DETECT_CI_FLAG_*
100  *
101  * \retval 0 no match
102  * \retval 1 match
103  */
105  const Signature *s, const SigMatchData *smd,
106  Packet *p, Flow *f,
107  const uint8_t *buffer, uint32_t buffer_len,
108  uint32_t stream_start_offset, uint8_t flags,
109  uint8_t inspection_mode)
110 {
111  SCEnter();
113 
114  det_ctx->inspection_recursion_counter++;
115 
117  det_ctx->discontinue_matching = 1;
118  KEYWORD_PROFILING_END(det_ctx, smd->type, 0);
119  SCReturnInt(0);
120  }
121 
122  if (smd == NULL || buffer_len == 0) {
123  KEYWORD_PROFILING_END(det_ctx, smd->type, 0);
124  SCReturnInt(0);
125  }
126 
127  /* \todo unify this which is phase 2 of payload inspection unification */
128  if (smd->type == DETECT_CONTENT) {
129 
131  SCLogDebug("inspecting content %"PRIu32" buffer_len %"PRIu32, cd->id, buffer_len);
132 
133  /* we might have already have this content matched by the mpm.
134  * (if there is any other reason why we'd want to avoid checking
135  * it here, please fill it in) */
136  //if (cd->flags & DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED) {
137  // goto match;
138  //}
139 
140  /* rule parsers should take care of this */
141 #ifdef DEBUG
142  BUG_ON(cd->depth != 0 && cd->depth <= cd->offset);
143 #endif
144 
145  /* search for our pattern, checking the matches recursively.
146  * if we match we look for the next SigMatch as well */
147  const uint8_t *found = NULL;
148  uint32_t offset = 0;
149  uint32_t depth = buffer_len;
150  uint32_t prev_offset = 0; /**< used in recursive searching */
151  uint32_t prev_buffer_offset = det_ctx->buffer_offset;
152 
153  do {
154  if ((cd->flags & DETECT_CONTENT_DISTANCE) ||
155  (cd->flags & DETECT_CONTENT_WITHIN)) {
156  SCLogDebug("det_ctx->buffer_offset %"PRIu32, det_ctx->buffer_offset);
157 
158  offset = prev_buffer_offset;
159  depth = buffer_len;
160 
161  int distance = cd->distance;
162  if (cd->flags & DETECT_CONTENT_DISTANCE) {
164  distance = det_ctx->byte_values[cd->distance];
165  }
166  if (distance < 0 && (uint32_t)(abs(distance)) > offset)
167  offset = 0;
168  else
169  offset += distance;
170 
171  SCLogDebug("cd->distance %"PRIi32", offset %"PRIu32", depth %"PRIu32,
172  distance, offset, depth);
173  }
174 
175  if (cd->flags & DETECT_CONTENT_WITHIN) {
176  if (cd->flags & DETECT_CONTENT_WITHIN_VAR) {
177  if ((int32_t)depth > (int32_t)(prev_buffer_offset + det_ctx->byte_values[cd->within] + distance)) {
178  depth = prev_buffer_offset + det_ctx->byte_values[cd->within] + distance;
179  }
180  } else {
181  if ((int32_t)depth > (int32_t)(prev_buffer_offset + cd->within + distance)) {
182  depth = prev_buffer_offset + cd->within + distance;
183  }
184 
185  SCLogDebug("cd->within %"PRIi32", det_ctx->buffer_offset %"PRIu32", depth %"PRIu32,
186  cd->within, prev_buffer_offset, depth);
187  }
188 
189  if (stream_start_offset != 0 && prev_buffer_offset == 0) {
190  if (depth <= stream_start_offset) {
191  goto no_match;
192  } else if (depth >= (stream_start_offset + buffer_len)) {
193  ;
194  } else {
195  depth = depth - stream_start_offset;
196  }
197  }
198  }
199 
200  if (cd->flags & DETECT_CONTENT_DEPTH_VAR) {
201  if ((det_ctx->byte_values[cd->depth] + prev_buffer_offset) < depth) {
202  depth = prev_buffer_offset + det_ctx->byte_values[cd->depth];
203  }
204  } else {
205  if (cd->depth != 0) {
206  if ((cd->depth + prev_buffer_offset) < depth) {
207  depth = prev_buffer_offset + cd->depth;
208  }
209 
210  SCLogDebug("cd->depth %"PRIu32", depth %"PRIu32, cd->depth, depth);
211  }
212  }
213 
214  if (cd->flags & DETECT_CONTENT_OFFSET_VAR) {
215  if (det_ctx->byte_values[cd->offset] > offset)
216  offset = det_ctx->byte_values[cd->offset];
217  } else {
218  if (cd->offset > offset) {
219  offset = cd->offset;
220  SCLogDebug("setting offset %"PRIu32, offset);
221  }
222  }
223  } else { /* implied no relative matches */
224  /* set depth */
225  if (cd->flags & DETECT_CONTENT_DEPTH_VAR) {
226  depth = det_ctx->byte_values[cd->depth];
227  } else {
228  if (cd->depth != 0) {
229  depth = cd->depth;
230  }
231  }
232 
233  if (stream_start_offset != 0 && cd->flags & DETECT_CONTENT_DEPTH) {
234  if (depth <= stream_start_offset) {
235  goto no_match;
236  } else if (depth >= (stream_start_offset + buffer_len)) {
237  ;
238  } else {
239  depth = depth - stream_start_offset;
240  }
241  }
242 
243  /* set offset */
245  offset = det_ctx->byte_values[cd->offset];
246  else
247  offset = cd->offset;
248  prev_buffer_offset = 0;
249  }
250 
251  /* If the value came from a variable, make sure to adjust the depth so it's relative
252  * to the offset value.
253  */
255  depth += offset;
256  }
257 
258  /* update offset with prev_offset if we're searching for
259  * matches after the first occurrence. */
260  SCLogDebug("offset %"PRIu32", prev_offset %"PRIu32, offset, prev_offset);
261  if (prev_offset != 0)
262  offset = prev_offset;
263 
264  SCLogDebug("offset %"PRIu32", depth %"PRIu32, offset, depth);
265 
266  if (depth > buffer_len)
267  depth = buffer_len;
268 
269  /* if offset is bigger than depth we can never match on a pattern.
270  * We can however, "match" on a negated pattern. */
271  if (offset > depth || depth == 0) {
272  if (cd->flags & DETECT_CONTENT_NEGATED) {
273  goto match;
274  } else {
275  goto no_match;
276  }
277  }
278 
279  const uint8_t *sbuffer = buffer + offset;
280  uint32_t sbuffer_len = depth - offset;
281  uint32_t match_offset = 0;
282  SCLogDebug("sbuffer_len %"PRIu32, sbuffer_len);
283 #ifdef DEBUG
284  BUG_ON(sbuffer_len > buffer_len);
285 #endif
286  if (cd->flags & DETECT_CONTENT_ENDS_WITH && depth < buffer_len) {
287  SCLogDebug("depth < buffer_len while DETECT_CONTENT_ENDS_WITH is set. Can't possibly match.");
288  found = NULL;
289  } else if (cd->content_len > sbuffer_len) {
290  found = NULL;
291  } else {
292  /* do the actual search */
293  found = SpmScan(cd->spm_ctx, det_ctx->spm_thread_ctx, sbuffer,
294  sbuffer_len);
295  }
296 
297  /* next we evaluate the result in combination with the
298  * negation flag. */
299  SCLogDebug("found %p cd negated %s", found, cd->flags & DETECT_CONTENT_NEGATED ? "true" : "false");
300 
301  if (found == NULL && !(cd->flags & DETECT_CONTENT_NEGATED)) {
303  /* independent match from previous matches, so failure is fatal */
304  det_ctx->discontinue_matching = 1;
305  }
306 
307  goto no_match;
308  } else if (found == NULL && (cd->flags & DETECT_CONTENT_NEGATED)) {
309  goto match;
310  } else if (found != NULL && (cd->flags & DETECT_CONTENT_NEGATED)) {
311  SCLogDebug("content %"PRIu32" matched at offset %"PRIu32", but negated so no match", cd->id, match_offset);
312  /* don't bother carrying recursive matches now, for preceding
313  * relative keywords */
314  if (DETECT_CONTENT_IS_SINGLE(cd))
315  det_ctx->discontinue_matching = 1;
316  goto no_match;
317  } else {
318  match_offset = (uint32_t)((found - buffer) + cd->content_len);
319  SCLogDebug("content %"PRIu32" matched at offset %"PRIu32"", cd->id, match_offset);
320  det_ctx->buffer_offset = match_offset;
321 
322  if ((cd->flags & DETECT_CONTENT_ENDS_WITH) == 0 || match_offset == buffer_len) {
323  /* Match branch, add replace to the list if needed */
324  if (cd->flags & DETECT_CONTENT_REPLACE) {
325  if (inspection_mode == DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD) {
326  /* we will need to replace content if match is confirmed
327  * cast to non-const as replace writes to it. */
328  det_ctx->replist = DetectReplaceAddToList(det_ctx->replist, (uint8_t *)found, cd);
329  } else {
330  SCLogWarning(SC_ERR_INVALID_VALUE, "Can't modify payload without packet");
331  }
332  }
333 
334  /* if this is the last match we're done */
335  if (smd->is_last) {
336  goto match;
337  }
338 
339  SCLogDebug("content %"PRIu32, cd->id);
340  KEYWORD_PROFILING_END(det_ctx, smd->type, 1);
341 
342  /* see if the next buffer keywords match. If not, we will
343  * search for another occurrence of this content and see
344  * if the others match then until we run out of matches */
345  int r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd+1,
346  p, f, buffer, buffer_len, stream_start_offset, flags,
347  inspection_mode);
348  if (r == 1) {
349  SCReturnInt(1);
350  }
351  SCLogDebug("no match for 'next sm'");
352 
353  if (det_ctx->discontinue_matching) {
354  SCLogDebug("'next sm' said to discontinue this right now");
355  goto no_match;
356  }
357 
358  /* no match and no reason to look for another instance */
359  if ((cd->flags & DETECT_CONTENT_WITHIN_NEXT) == 0) {
360  SCLogDebug("'next sm' does not depend on me, so we can give up");
361  det_ctx->discontinue_matching = 1;
362  goto no_match;
363  }
364 
365  SCLogDebug("'next sm' depends on me %p, lets see what we can do (flags %u)", cd, cd->flags);
366  }
367  /* set the previous match offset to the start of this match + 1 */
368  prev_offset = (match_offset - (cd->content_len - 1));
369  SCLogDebug("trying to see if there is another match after prev_offset %"PRIu32, prev_offset);
370  }
371 
372  } while(1);
373 
374  } else if (smd->type == DETECT_ISDATAAT) {
375  SCLogDebug("inspecting isdataat");
376 
377  const DetectIsdataatData *id = (DetectIsdataatData *)smd->ctx;
378  uint32_t dataat = id->dataat;
379  if (id->flags & ISDATAAT_OFFSET_VAR) {
380  uint64_t be_value = det_ctx->byte_values[dataat];
381  if (be_value >= 100000000) {
382  if ((id->flags & ISDATAAT_NEGATED) == 0) {
383  SCLogDebug("extracted value %"PRIu64" very big: no match", be_value);
384  goto no_match;
385  }
386  SCLogDebug("extracted value way %"PRIu64" very big: match", be_value);
387  goto match;
388  }
389  dataat = (uint32_t)be_value;
390  SCLogDebug("isdataat: using value %u from byte_extract local_id %u", dataat, id->dataat);
391  }
392 
393  if (id->flags & ISDATAAT_RELATIVE) {
394  if (det_ctx->buffer_offset + dataat > buffer_len) {
395  SCLogDebug("det_ctx->buffer_offset + dataat %"PRIu32" > %"PRIu32, det_ctx->buffer_offset + dataat, buffer_len);
396  if (id->flags & ISDATAAT_NEGATED)
397  goto match;
398  goto no_match;
399  } else {
400  SCLogDebug("relative isdataat match");
401  if (id->flags & ISDATAAT_NEGATED)
402  goto no_match;
403  goto match;
404  }
405  } else {
406  if (dataat < buffer_len) {
407  SCLogDebug("absolute isdataat match");
408  if (id->flags & ISDATAAT_NEGATED)
409  goto no_match;
410  goto match;
411  } else {
412  SCLogDebug("absolute isdataat mismatch, id->isdataat %"PRIu32", buffer_len %"PRIu32"", dataat, buffer_len);
413  if (id->flags & ISDATAAT_NEGATED)
414  goto match;
415  goto no_match;
416  }
417  }
418 
419  } else if (smd->type == DETECT_PCRE) {
420  SCLogDebug("inspecting pcre");
421  DetectPcreData *pe = (DetectPcreData *)smd->ctx;
422  uint32_t prev_buffer_offset = det_ctx->buffer_offset;
423  uint32_t prev_offset = 0;
424  int r = 0;
425 
426  det_ctx->pcre_match_start_offset = 0;
427  do {
428  r = DetectPcrePayloadMatch(det_ctx, s, smd, p, f,
429  buffer, buffer_len);
430  if (r == 0) {
431  goto no_match;
432  }
433 
434  if (!(pe->flags & DETECT_PCRE_RELATIVE_NEXT)) {
435  SCLogDebug("no relative match coming up, so this is a match");
436  goto match;
437  }
438  KEYWORD_PROFILING_END(det_ctx, smd->type, 1);
439 
440  /* save it, in case we need to do a pcre match once again */
441  prev_offset = det_ctx->pcre_match_start_offset;
442 
443  /* see if the next payload keywords match. If not, we will
444  * search for another occurrence of this pcre and see
445  * if the others match, until we run out of matches */
446  r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd+1,
447  p, f, buffer, buffer_len, stream_start_offset, flags,
448  inspection_mode);
449  if (r == 1) {
450  SCReturnInt(1);
451  }
452 
453  if (det_ctx->discontinue_matching)
454  goto no_match;
455 
456  det_ctx->buffer_offset = prev_buffer_offset;
457  det_ctx->pcre_match_start_offset = prev_offset;
458  } while (1);
459 
460  } else if (smd->type == DETECT_BYTETEST) {
461  DetectBytetestData *btd = (DetectBytetestData *)smd->ctx;
462  uint8_t btflags = btd->flags;
463  int32_t offset = btd->offset;
464  uint64_t value = btd->value;
465  if (btflags & DETECT_BYTETEST_OFFSET_VAR) {
466  offset = det_ctx->byte_values[offset];
467  }
468  if (btflags & DETECT_BYTETEST_VALUE_VAR) {
469  value = det_ctx->byte_values[value];
470  }
471 
472  /* if we have dce enabled we will have to use the endianness
473  * specified by the dce header */
474  if (btflags & DETECT_BYTETEST_DCE) {
475  /* enable the endianness flag temporarily. once we are done
476  * processing we reset the flags to the original value*/
477  btflags |= ((flags & DETECT_CI_FLAGS_DCE_LE) ?
479  }
480 
481  if (DetectBytetestDoMatch(det_ctx, s, smd->ctx, buffer, buffer_len, btflags,
482  offset, value) != 1) {
483  goto no_match;
484  }
485 
486  goto match;
487 
488  } else if (smd->type == DETECT_BYTEJUMP) {
489  DetectBytejumpData *bjd = (DetectBytejumpData *)smd->ctx;
490  uint16_t bjflags = bjd->flags;
491  int32_t offset = bjd->offset;
492 
493  if (bjflags & DETECT_CONTENT_OFFSET_VAR) {
494  offset = det_ctx->byte_values[offset];
495  }
496 
497  /* if we have dce enabled we will have to use the endianness
498  * specified by the dce header */
499  if (bjflags & DETECT_BYTEJUMP_DCE) {
500  /* enable the endianness flag temporarily. once we are done
501  * processing we reset the flags to the original value*/
502  bjflags |= ((flags & DETECT_CI_FLAGS_DCE_LE) ?
504  }
505 
506  if (DetectBytejumpDoMatch(det_ctx, s, smd->ctx, buffer, buffer_len,
507  bjflags, offset) != 1) {
508  goto no_match;
509  }
510 
511  goto match;
512 
513  } else if (smd->type == DETECT_BYTE_EXTRACT) {
514 
515  DetectByteExtractData *bed = (DetectByteExtractData *)smd->ctx;
516  uint8_t endian = bed->endian;
517 
518  /* if we have dce enabled we will have to use the endianness
519  * specified by the dce header */
520  if ((bed->flags & DETECT_BYTE_EXTRACT_FLAG_ENDIAN) &&
521  endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE &&
523 
524  /* enable the endianness flag temporarily. once we are done
525  * processing we reset the flags to the original value*/
526  endian |= ((flags & DETECT_CI_FLAGS_DCE_LE) ?
528  }
529 
530  if (DetectByteExtractDoMatch(det_ctx, smd, s, buffer,
531  buffer_len,
532  &det_ctx->byte_values[bed->local_id],
533  endian) != 1) {
534  goto no_match;
535  }
536 
537  SCLogDebug("[BE] Fetched value for index %d: %"PRIu64,
538  bed->local_id, det_ctx->byte_values[bed->local_id]);
539  goto match;
540 
541  } else if (smd->type == DETECT_BYTEMATH) {
542 
543  DetectByteMathData *bmd = (DetectByteMathData *)smd->ctx;
544  uint8_t endian = bmd->endian;
545 
546  /* if we have dce enabled we will have to use the endianness
547  * specified by the dce header */
548  if ((bmd->flags & DETECT_BYTEMATH_FLAG_ENDIAN) &&
549  endian == DETECT_BYTEMATH_ENDIAN_DCE &&
551 
552  /* enable the endianness flag temporarily. once we are done
553  * processing we reset the flags to the original value*/
554  endian |= ((flags & DETECT_CI_FLAGS_DCE_LE) ?
556  }
557  uint64_t rvalue;
558  if (bmd->flags & DETECT_BYTEMATH_RVALUE_VAR) {
559  rvalue = det_ctx->byte_values[bmd->local_id];
560  } else {
561  rvalue = bmd->rvalue;
562  }
563 
564 
565  if (DetectByteMathDoMatch(det_ctx, smd, s, buffer,
566  buffer_len,
567  rvalue,
568  &det_ctx->byte_values[bmd->local_id],
569  endian) != 1) {
570  goto no_match;
571  }
572 
573  SCLogDebug("[BM] Fetched value for index %d: %"PRIu64,
574  bmd->local_id, det_ctx->byte_values[bmd->local_id]);
575  goto match;
576 
577  } else if (smd->type == DETECT_BSIZE) {
578 
579  bool eof = (flags & DETECT_CI_FLAGS_END);
580  const uint64_t data_size = buffer_len + stream_start_offset;
581  int r = DetectBsizeMatch(smd->ctx, data_size, eof);
582  if (r < 0) {
583  det_ctx->discontinue_matching = 1;
584  goto no_match;
585 
586  } else if (r == 0) {
587  goto no_match;
588  }
589  goto match;
590 
591  } else if (smd->type == DETECT_DATASET) {
592 
593  //PrintRawDataFp(stdout, buffer, buffer_len);
594  const DetectDatasetData *sd = (const DetectDatasetData *) smd->ctx;
595  int r = DetectDatasetBufferMatch(det_ctx, sd, buffer, buffer_len); //TODO buffer offset?
596  if (r == 1) {
597  goto match;
598  }
599  det_ctx->discontinue_matching = 1;
600  goto no_match;
601 
602  } else if (smd->type == DETECT_DATAREP) {
603 
604  //PrintRawDataFp(stdout, buffer, buffer_len);
605  const DetectDatarepData *sd = (const DetectDatarepData *) smd->ctx;
606  int r = DetectDatarepBufferMatch(det_ctx, sd, buffer, buffer_len); //TODO buffer offset?
607  if (r == 1) {
608  goto match;
609  }
610  det_ctx->discontinue_matching = 1;
611  goto no_match;
612 
613  } else if (smd->type == DETECT_AL_URILEN) {
614  SCLogDebug("inspecting uri len");
615 
616  int r = 0;
617  DetectUrilenData *urilend = (DetectUrilenData *) smd->ctx;
618 
619  switch (urilend->mode) {
620  case DETECT_URILEN_EQ:
621  if (buffer_len == urilend->urilen1)
622  r = 1;
623  break;
624  case DETECT_URILEN_LT:
625  if (buffer_len < urilend->urilen1)
626  r = 1;
627  break;
628  case DETECT_URILEN_GT:
629  if (buffer_len > urilend->urilen1)
630  r = 1;
631  break;
632  case DETECT_URILEN_RA:
633  if (buffer_len > urilend->urilen1 &&
634  buffer_len < urilend->urilen2) {
635  r = 1;
636  }
637  break;
638  }
639 
640  if (r == 1) {
641  goto match;
642  }
643 
644  det_ctx->discontinue_matching = 0;
645 
646  goto no_match;
647 #ifdef HAVE_LUA
648  }
649  else if (smd->type == DETECT_LUA) {
650  SCLogDebug("lua starting");
651 
652  if (DetectLuaMatchBuffer(det_ctx, s, smd, buffer, buffer_len,
653  det_ctx->buffer_offset, f) != 1)
654  {
655  SCLogDebug("lua no_match");
656  goto no_match;
657  }
658  SCLogDebug("lua match");
659  goto match;
660 #endif /* HAVE_LUA */
661  } else if (smd->type == DETECT_BASE64_DECODE) {
662  if (DetectBase64DecodeDoMatch(det_ctx, s, smd, buffer, buffer_len)) {
663  if (s->sm_arrays[DETECT_SM_LIST_BASE64_DATA] != NULL) {
664  KEYWORD_PROFILING_END(det_ctx, smd->type, 1);
665  if (DetectBase64DataDoMatch(de_ctx, det_ctx, s, f)) {
666  /* Base64 is a terminal list. */
667  goto final_match;
668  }
669  }
670  }
671  } else {
672  SCLogDebug("sm->type %u", smd->type);
673 #ifdef DEBUG
674  BUG_ON(1);
675 #endif
676  }
677 
678 no_match:
679  KEYWORD_PROFILING_END(det_ctx, smd->type, 0);
680  SCReturnInt(0);
681 
682 match:
683  /* this sigmatch matched, inspect the next one. If it was the last,
684  * the buffer portion of the signature matched. */
685  if (!smd->is_last) {
686  KEYWORD_PROFILING_END(det_ctx, smd->type, 1);
687  int r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd+1,
688  p, f, buffer, buffer_len, stream_start_offset, flags,
689  inspection_mode);
690  SCReturnInt(r);
691  }
692 final_match:
693  KEYWORD_PROFILING_END(det_ctx, smd->type, 1);
694  SCReturnInt(1);
695 }
696 
697 #ifdef UNITTESTS
699 #endif
DetectEngineThreadCtx_::byte_values
uint64_t * byte_values
Definition: detect.h:1121
DETECT_BYTEMATH_ENDIAN_DCE
#define DETECT_BYTEMATH_ENDIAN_DCE
Definition: detect-bytemath.h:38
DetectContentData_::offset
uint16_t offset
Definition: detect-content.h:100
DetectDatasetData_
Definition: detect-dataset.h:36
DETECT_BYTETEST_VALUE_VAR
#define DETECT_BYTETEST_VALUE_VAR
Definition: detect-bytetest.h:49
app-layer-dcerpc.h
detect-content.h
DETECT_BYTE_EXTRACT_ENDIAN_DCE
#define DETECT_BYTE_EXTRACT_ENDIAN_DCE
Definition: detect-byte-extract.h:38
DetectEngineThreadCtx_::buffer_offset
uint32_t buffer_offset
Definition: detect.h:1041
detect-engine.h
DetectByteMathData_
Holds data related to byte_math keyword.
Definition: detect-bytemath.h:51
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
SC_ERR_INVALID_VALUE
@ SC_ERR_INVALID_VALUE
Definition: util-error.h:160
DETECT_CONTENT_DISTANCE_VAR
#define DETECT_CONTENT_DISTANCE_VAR
Definition: detect-content.h:47
DetectPcrePayloadMatch
int DetectPcrePayloadMatch(DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *payload, uint32_t payload_len)
Match a regex on a single payload.
Definition: detect-pcre.c:190
DETECT_BYTEJUMP
@ DETECT_BYTEJUMP
Definition: detect-engine-register.h:73
ISDATAAT_OFFSET_VAR
#define ISDATAAT_OFFSET_VAR
Definition: detect-isdataat.h:30
DetectContentData_::within
int32_t within
Definition: detect-content.h:102
DetectBase64DecodeDoMatch
int DetectBase64DecodeDoMatch(DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, const uint8_t *payload, uint32_t payload_len)
Definition: detect-base64-decode.c:59
DetectIsdataatData_::flags
uint8_t flags
Definition: detect-isdataat.h:37
DETECT_BYTEJUMP_LITTLE
#define DETECT_BYTEJUMP_LITTLE
Definition: detect-bytejump.h:35
DetectByteExtractData_::local_id
uint8_t local_id
Definition: detect-byte-extract.h:45
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:59
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
detect-isdataat.h
DetectBytetestData_::flags
uint8_t flags
Definition: detect-bytetest.h:57
util-lua.h
DetectByteExtractData_
Holds data related to byte_extract keyword.
Definition: detect-byte-extract.h:43
DetectDatarepData_
Definition: detect-datarep.h:36
SigMatchData_::ctx
SigMatchCtx * ctx
Definition: detect.h:332
detect-bsize.h
Flow_
Flow data structure.
Definition: flow.h:347
DetectEngineCtx_::inspection_recursion_limit
int inspection_recursion_limit
Definition: detect.h:839
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:767
DETECT_DATAREP
@ DETECT_DATAREP
Definition: detect-engine-register.h:99
DETECT_BYTEMATH_RVALUE_VAR
#define DETECT_BYTEMATH_RVALUE_VAR
Definition: detect-bytemath.h:32
DETECT_BYTETEST_DCE
#define DETECT_BYTETEST_DCE
Definition: detect-bytetest.h:47
DETECT_CONTENT_DEPTH_VAR
#define DETECT_CONTENT_DEPTH_VAR
Definition: detect-content.h:46
detect-lua.h
DetectUrilenData_::urilen1
uint16_t urilen1
Definition: detect-urilen.h:33
DETECT_BYTEJUMP_DCE
#define DETECT_BYTEJUMP_DCE
Definition: detect-bytejump.h:40
DetectEngineThreadCtx_::spm_thread_ctx
SpmThreadCtx * spm_thread_ctx
Definition: detect.h:1115
DetectIsdataatData_
Definition: detect-isdataat.h:35
DetectContentData_
Definition: detect-content.h:86
DetectPcreData_::flags
uint16_t flags
Definition: detect-pcre.h:48
DetectEngineContentInspection
int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer, uint32_t buffer_len, uint32_t stream_start_offset, uint8_t flags, uint8_t inspection_mode)
Run the actual payload match functions.
Definition: detect-engine-content-inspection.c:104
DetectBytetestData_
Definition: detect-bytetest.h:52
DetectByteMathData_::endian
uint8_t endian
Definition: detect-bytemath.h:63
SigMatchData_
Data needed for Match()
Definition: detect.h:329
detect-pcre.h
KEYWORD_PROFILING_START
#define KEYWORD_PROFILING_START
Definition: util-profiling.h:69
DETECT_CI_FLAGS_DCE_BE
#define DETECT_CI_FLAGS_DCE_BE
Definition: detect-engine-content-inspection.h:42
DetectBytejumpData_
Definition: detect-bytejump.h:44
util-unittest.h
DetectBytejumpData_::offset
int32_t offset
Definition: detect-bytejump.h:49
util-unittest-helper.h
KEYWORD_PROFILING_END
#define KEYWORD_PROFILING_END(ctx, type, m)
Definition: util-profiling.h:83
detect-base64-data.h
DETECT_URILEN_GT
#define DETECT_URILEN_GT
Definition: detect-urilen.h:28
DetectLuaMatchBuffer
int DetectLuaMatchBuffer(DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, const uint8_t *buffer, uint32_t buffer_len, uint32_t offset, Flow *f)
decode.h
util-debug.h
DETECT_CONTENT_ENDS_WITH
#define DETECT_CONTENT_ENDS_WITH
Definition: detect-content.h:42
DETECT_CONTENT_DISTANCE
#define DETECT_CONTENT_DISTANCE
Definition: detect-content.h:30
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectBsizeMatch
int DetectBsizeMatch(const SigMatchCtx *ctx, const uint64_t buffer_size, bool eof)
bsize match function
Definition: detect-bsize.c:84
DetectEngineThreadCtx_
Definition: detect.h:1010
DETECT_BSIZE
@ DETECT_BSIZE
Definition: detect-engine-register.h:105
DETECT_SM_LIST_BASE64_DATA
@ DETECT_SM_LIST_BASE64_DATA
Definition: detect.h:95
DetectByteMathData_::local_id
uint8_t local_id
Definition: detect-bytemath.h:53
DETECT_URILEN_EQ
#define DETECT_URILEN_EQ
Definition: detect-urilen.h:30
DETECT_LUA
@ DETECT_LUA
Definition: detect-engine-register.h:210
DETECT_CONTENT_DEPTH
#define DETECT_CONTENT_DEPTH
Definition: detect-content.h:33
util-print.h
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
DETECT_BYTE_EXTRACT_ENDIAN_BIG
#define DETECT_BYTE_EXTRACT_ENDIAN_BIG
Definition: detect-byte-extract.h:36
detect.h
DetectBytejumpDoMatch
int DetectBytejumpDoMatch(DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchCtx *ctx, const uint8_t *payload, uint32_t payload_len, uint16_t flags, int32_t offset)
Byte jump match function.
Definition: detect-bytejump.c:95
SigMatchData_::type
uint8_t type
Definition: detect.h:330
DETECT_CONTENT_IS_SINGLE
#define DETECT_CONTENT_IS_SINGLE(c)
Definition: detect-content.h:66
DETECT_CONTENT_NEGATED
#define DETECT_CONTENT_NEGATED
Definition: detect-content.h:40
DetectBase64DataDoMatch
int DetectBase64DataDoMatch(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f)
Definition: detect-base64-data.c:64
DetectContentData_::id
PatIntId id
Definition: detect-content.h:98
DetectByteExtractData_::endian
uint8_t endian
Definition: detect-byte-extract.h:52
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:282
util-profiling.h
DETECT_BYTETEST_OFFSET_VAR
#define DETECT_BYTETEST_OFFSET_VAR
Definition: detect-bytetest.h:50
DetectContentData_::depth
uint16_t depth
Definition: detect-content.h:99
SpmScan
uint8_t * SpmScan(const SpmCtx *ctx, SpmThreadCtx *thread_ctx, const uint8_t *haystack, uint32_t haystack_len)
Definition: util-spm.c:194
Packet_
Definition: decode.h:414
ISDATAAT_RELATIVE
#define ISDATAAT_RELATIVE
Definition: detect-isdataat.h:27
detect-bytejump.h
DETECT_CI_FLAGS_END
#define DETECT_CI_FLAGS_END
Definition: detect-engine-content-inspection.h:39
DetectContentData_::flags
uint32_t flags
Definition: detect-content.h:97
DetectByteMathData_::rvalue
uint32_t rvalue
Definition: detect-bytemath.h:57
detect-replace.h
DetectReplaceAddToList
DetectReplaceList * DetectReplaceAddToList(DetectReplaceList *replist, uint8_t *found, DetectContentData *cd)
Definition: detect-replace.c:187
DetectByteMathData_::flags
uint8_t flags
Definition: detect-bytemath.h:62
DETECT_PCRE
@ DETECT_PCRE
Definition: detect-engine-register.h:61
DETECT_URILEN_RA
#define DETECT_URILEN_RA
Definition: detect-urilen.h:29
DETECT_BYTEMATH_FLAG_ENDIAN
#define DETECT_BYTEMATH_FLAG_ENDIAN
Definition: detect-bytemath.h:31
detect-engine-content-inspection.h
DetectEngineThreadCtx_::discontinue_matching
uint16_t discontinue_matching
Definition: detect.h:1076
DETECT_CONTENT_WITHIN_VAR
#define DETECT_CONTENT_WITHIN_VAR
Definition: detect-content.h:48
DetectDatasetBufferMatch
int DetectDatasetBufferMatch(DetectEngineThreadCtx *det_ctx, const DetectDatasetData *sd, const uint8_t *data, const uint32_t data_len)
Definition: detect-dataset.c:66
DETECT_URILEN_LT
#define DETECT_URILEN_LT
Definition: detect-urilen.h:27
DetectDatarepBufferMatch
int DetectDatarepBufferMatch(DetectEngineThreadCtx *det_ctx, const DetectDatarepData *sd, const uint8_t *data, const uint32_t data_len)
Definition: detect-datarep.c:67
DETECT_BYTETEST
@ DETECT_BYTETEST
Definition: detect-engine-register.h:72
DETECT_BYTEMATH_ENDIAN_LITTLE
#define DETECT_BYTEMATH_ENDIAN_LITTLE
Definition: detect-bytemath.h:37
flags
uint8_t flags
Definition: decode-gre.h:0
DETECT_BYTE_EXTRACT_ENDIAN_LITTLE
#define DETECT_BYTE_EXTRACT_ENDIAN_LITTLE
Definition: detect-byte-extract.h:37
SigMatchData_::is_last
uint8_t is_last
Definition: detect.h:331
suricata-common.h
detect-byte-extract.h
DetectContentData_::distance
int32_t distance
Definition: detect-content.h:101
DETECT_CONTENT_WITHIN_NEXT
#define DETECT_CONTENT_WITHIN_NEXT
Definition: detect-content.h:57
DetectEngineThreadCtx_::inspection_recursion_counter
int inspection_recursion_counter
Definition: detect.h:1088
DetectBytetestDoMatch
int DetectBytetestDoMatch(DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchCtx *ctx, const uint8_t *payload, uint32_t payload_len, uint8_t flags, int32_t offset, uint64_t value)
Bytetest detection code.
Definition: detect-bytetest.c:105
util-spm.h
detect-dataset.h
detect-base64-decode.h
ISDATAAT_NEGATED
#define ISDATAAT_NEGATED
Definition: detect-isdataat.h:29
DetectContentData_::spm_ctx
SpmCtx * spm_ctx
Definition: detect-content.h:104
DetectEngineThreadCtx_::pcre_match_start_offset
uint32_t pcre_match_start_offset
Definition: detect.h:1043
SCLogWarning
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
Definition: util-debug.h:244
detect-datarep.h
DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD
Definition: detect-engine-content-inspection.h:32
DETECT_BYTE_EXTRACT
@ DETECT_BYTE_EXTRACT
Definition: detect-engine-register.h:170
DetectByteExtractDoMatch
int DetectByteExtractDoMatch(DetectEngineThreadCtx *det_ctx, const SigMatchData *smd, const Signature *s, const uint8_t *payload, uint16_t payload_len, uint64_t *value, uint8_t endian)
Definition: detect-byte-extract.c:114
detect-parse.h
Signature_
Signature container.
Definition: detect.h:528
DETECT_ISDATAAT
@ DETECT_ISDATAAT
Definition: detect-engine-register.h:79
DetectByteExtractData_::flags
uint8_t flags
Definition: detect-byte-extract.h:51
DETECT_BYTE_EXTRACT_FLAG_ENDIAN
#define DETECT_BYTE_EXTRACT_FLAG_ENDIAN
Definition: detect-byte-extract.h:32
DetectBytetestData_::offset
int32_t offset
Definition: detect-bytetest.h:59
DetectIsdataatData_::dataat
uint16_t dataat
Definition: detect-isdataat.h:36
DetectByteMathDoMatch
int DetectByteMathDoMatch(DetectEngineThreadCtx *det_ctx, const SigMatchData *smd, const Signature *s, const uint8_t *payload, uint16_t payload_len, uint64_t rvalue, uint64_t *value, uint8_t endian)
Definition: detect-bytemath.c:136
DETECT_PCRE_RELATIVE_NEXT
#define DETECT_PCRE_RELATIVE_NEXT
Definition: detect-pcre.h:34
DetectUrilenData_::mode
uint8_t mode
Definition: detect-urilen.h:35
detect-urilen.h
suricata.h
DetectPcreData_
Definition: detect-pcre.h:39
DetectContentData_::content_len
uint16_t content_len
Definition: detect-content.h:88
DETECT_BYTEMATH
@ DETECT_BYTEMATH
Definition: detect-engine-register.h:74
DetectUrilenData_
Definition: detect-urilen.h:32
DETECT_BASE64_DECODE
@ DETECT_BASE64_DECODE
Definition: detect-engine-register.h:237
detect-uricontent.h
DETECT_BYTEMATH_ENDIAN_BIG
#define DETECT_BYTEMATH_ENDIAN_BIG
Definition: detect-bytemath.h:36
DetectEngineThreadCtx_::replist
DetectReplaceList * replist
Definition: detect.h:1124
DETECT_CONTENT_REPLACE
#define DETECT_CONTENT_REPLACE
Definition: detect-content.h:51
detect-engine-content-inspection.c
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
DETECT_BYTETEST_LITTLE
#define DETECT_BYTETEST_LITTLE
Definition: detect-bytetest.h:43
DETECT_AL_URILEN
@ DETECT_AL_URILEN
Definition: detect-engine-register.h:123
DETECT_DATASET
@ DETECT_DATASET
Definition: detect-engine-register.h:98
DetectBytetestData_::value
uint64_t value
Definition: detect-bytetest.h:61
DETECT_CONTENT_WITHIN
#define DETECT_CONTENT_WITHIN
Definition: detect-content.h:31
DETECT_CI_FLAGS_DCE_LE
#define DETECT_CI_FLAGS_DCE_LE
Definition: detect-engine-content-inspection.h:41
DetectBytejumpData_::flags
uint16_t flags
Definition: detect-bytejump.h:47
detect-bytemath.h
DETECT_CONTENT_OFFSET_VAR
#define DETECT_CONTENT_OFFSET_VAR
Definition: detect-content.h:45
detect-bytetest.h