suricata
detect-engine-content-inspection.h File Reference

Macros

#define DETECT_CI_FLAGS_START   BIT_U8(0)
 
#define DETECT_CI_FLAGS_END   BIT_U8(1)
 
#define DETECT_CI_FLAGS_DCE_LE   BIT_U8(2)
 
#define DETECT_CI_FLAGS_DCE_BE   BIT_U8(3)
 
#define DETECT_CI_FLAGS_SINGLE   (DETECT_CI_FLAGS_START|DETECT_CI_FLAGS_END)
 

Enumerations

enum {
    DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD = 0,
    DETECT_ENGINE_CONTENT_INSPECTION_MODE_HEADER,
    DETECT_ENGINE_CONTENT_INSPECTION_MODE_STREAM,
    DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
}
 

Functions

int DetectEngineContentInspection (DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer, uint32_t buffer_len, uint32_t stream_start_offset, uint8_t flags, uint8_t inspection_mode)
 Run the actual payload match functions.
 
void DetectEngineContentInspectionRegisterTests (void)
 

Detailed Description

Macro Definition Documentation

#define DETECT_CI_FLAGS_DCE_BE   BIT_U8(3)

DCERPC record in big endian

Definition at line 43 of file detect-engine-content-inspection.h.

Referenced by DetectEngineContentInspection().

#define DETECT_CI_FLAGS_DCE_LE   BIT_U8(2)

DCERPC record in little endian

Definition at line 42 of file detect-engine-content-inspection.h.

Referenced by DetectEngineContentInspection().

#define DETECT_CI_FLAGS_END   BIT_U8(1)

indication that current buffer is the end of the data

Definition at line 39 of file detect-engine-content-inspection.h.

Referenced by DetectEngineContentInspection(), DetectEngineInspectBufferGeneric(), and DetectEngineInspectPktBufferGeneric().

#define DETECT_CI_FLAGS_SINGLE   (DETECT_CI_FLAGS_START|DETECT_CI_FLAGS_END)

buffer is a single, non-streaming, buffer. Data sent to the content inspection function contains both start and end of the data.

Definition at line 47 of file detect-engine-content-inspection.h.

Referenced by DetectBase64DataDoMatch(), DetectEngineInspectPacketPayload(), DetectFilemagicRegister(), DetectFilenameRegister(), DetectTemplateRustBufferRegister(), and DetectTlsCertsRegister().

#define DETECT_CI_FLAGS_START   BIT_U8(0)

unused, reserved for future use

Definition at line 38 of file detect-engine-content-inspection.h.

Referenced by DetectEngineInspectBufferGeneric(), and DetectEngineInspectPktBufferGeneric().

Enumeration Type Documentation

anonymous enum

indication to content engine what type of data we're inspecting

Enumerator
DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD 
DETECT_ENGINE_CONTENT_INSPECTION_MODE_HEADER 
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STREAM 
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE 

Definition at line 31 of file detect-engine-content-inspection.h.

Function Documentation

int DetectEngineContentInspection ( DetectEngineCtx *        de_ctx,
                                    DetectEngineThreadCtx *  det_ctx,
                                    const Signature *        s,
                                    const SigMatchData *     smd,
                                    Packet *                 p,
                                    Flow *                   f,
                                    const uint8_t *          buffer,
                                    uint32_t                 buffer_len,
                                    uint32_t                 stream_start_offset,
                                    uint8_t                  flags,
                                    uint8_t                  inspection_mode
                                  )

Run the actual payload match functions.

The following keywords are inspected:

  • content, including all the http and dce modified contents
  • isdataat
  • pcre
  • bytejump
  • bytetest
  • byte_extract
  • urilen

All keywords are evaluated against the buffer of length buffer_len.

For relative matching, the offset of the last match is tracked in the det_ctx->buffer_offset integer.

Parameters
  de_ctx               Detection engine context
  det_ctx              Detection engine thread context
  s                    Signature to inspect
  smd                  SigMatch to inspect
  p                    Packet. Can be NULL.
  f                    Flow (for pcre flowvar storage)
  buffer               Ptr to the buffer to inspect
  buffer_len           Length of the payload
  stream_start_offset  Indicates the start of the current buffer in the whole buffer stream inspected. This applies if the current buffer is inspected in chunks.
  inspection_mode      Refers to the engine inspection mode we are currently inspecting. Can be payload, stream, one of the http buffer inspection modes or dce inspection mode.
  flags                DETECT_CI_FLAGS_*

Return values
  0  no match
  1  match


Definition at line 103 of file detect-engine-content-inspection.c.

References DetectEngineThreadCtx_::bj_values, DetectEngineThreadCtx_::buffer_offset, BUG_ON, DetectContentData_::content_len, SigMatchData_::ctx, DetectIsdataatData_::dataat, DetectContentData_::depth, DETECT_AL_URILEN, DETECT_BASE64_DECODE, DETECT_BSIZE, DETECT_BYTE_EXTRACT, DETECT_BYTE_EXTRACT_ENDIAN_BIG, DETECT_BYTE_EXTRACT_ENDIAN_DCE, DETECT_BYTE_EXTRACT_ENDIAN_LITTLE, DETECT_BYTE_EXTRACT_FLAG_ENDIAN, DETECT_BYTEJUMP, DETECT_BYTEJUMP_DCE, DETECT_BYTEJUMP_LITTLE, DETECT_BYTEJUMP_OFFSET_BE, DETECT_BYTETEST, DETECT_BYTETEST_DCE, DETECT_BYTETEST_LITTLE, DETECT_BYTETEST_OFFSET_BE, DETECT_BYTETEST_VALUE_BE, DETECT_CI_FLAGS_DCE_BE, DETECT_CI_FLAGS_DCE_LE, DETECT_CI_FLAGS_END, DETECT_CONTENT, DETECT_CONTENT_DEPTH, DETECT_CONTENT_DEPTH_BE, DETECT_CONTENT_DISTANCE, DETECT_CONTENT_DISTANCE_BE, DETECT_CONTENT_ENDS_WITH, DETECT_CONTENT_IS_SINGLE, DETECT_CONTENT_NEGATED, DETECT_CONTENT_OFFSET_BE, DETECT_CONTENT_REPLACE, DETECT_CONTENT_WITHIN, DETECT_CONTENT_WITHIN_BE, DETECT_CONTENT_WITHIN_NEXT, DETECT_DATAREP, DETECT_DATASET, DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD, DETECT_ISDATAAT, DETECT_LUA, DETECT_PCRE, DETECT_PCRE_RELATIVE_NEXT, DETECT_SM_LIST_BASE64_DATA, DETECT_URILEN_EQ, DETECT_URILEN_GT, DETECT_URILEN_LT, DETECT_URILEN_RA, DetectBase64DataDoMatch(), DetectBase64DecodeDoMatch(), DetectBsizeMatch(), DetectByteExtractDoMatch(), DetectBytejumpDoMatch(), DetectBytetestDoMatch(), DetectDatarepBufferMatch(), DetectDatasetBufferMatch(), DetectEngineContentInspection(), DetectLuaMatchBuffer(), DetectPcrePayloadMatch(), DetectReplaceAddToList(), DetectEngineThreadCtx_::discontinue_matching, DetectContentData_::distance, DetectByteExtractData_::endian, DetectIsdataatData_::flags, DetectPcreData_::flags, DetectBytejumpData_::flags, DetectByteExtractData_::flags, DetectBytetestData_::flags, DetectContentData_::flags, flags, DetectContentData_::id, DetectEngineThreadCtx_::inspection_recursion_counter, DetectEngineCtx_::inspection_recursion_limit, SigMatchData_::is_last, 
ISDATAAT_NEGATED, ISDATAAT_OFFSET_BE, ISDATAAT_RELATIVE, KEYWORD_PROFILING_END, KEYWORD_PROFILING_START, DetectByteExtractData_::local_id, DetectUrilenData_::mode, DetectBytejumpData_::offset, DetectBytetestData_::offset, DetectContentData_::offset, offset, DetectEngineThreadCtx_::pcre_match_start_offset, DetectEngineThreadCtx_::replist, SC_ERR_INVALID_VALUE, SCEnter, SCLogDebug, SCLogWarning, SCReturnInt, DetectContentData_::spm_ctx, DetectEngineThreadCtx_::spm_thread_ctx, SpmScan(), SigMatchData_::type, DetectUrilenData_::urilen1, DetectBytetestData_::value, and DetectContentData_::within.

Referenced by DetectBase64DataDoMatch(), DetectEngineContentInspection(), DetectEngineInspectBufferGeneric(), DetectEngineInspectPacketPayload(), DetectEngineInspectPktBufferGeneric(), DetectFilemagicRegister(), DetectFilenameRegister(), DetectTemplateRustBufferRegister(), and DetectTlsCertsRegister().


void DetectEngineContentInspectionRegisterTests ( void  )

Definition at line 266 of file detect-engine-content-inspection.c.

References UtRegisterTest().

Referenced by SigRegisterTests().
