suricata
detect-engine-content-inspection.h File Reference

Go to the source code of this file.

Macros

#define DETECT_CI_FLAGS_START   BIT_U8(0)
 
#define DETECT_CI_FLAGS_END   BIT_U8(1)
 
#define DETECT_CI_FLAGS_DCE_LE   BIT_U8(2)
 
#define DETECT_CI_FLAGS_DCE_BE   BIT_U8(3)
 
#define DETECT_CI_FLAGS_SINGLE   (DETECT_CI_FLAGS_START|DETECT_CI_FLAGS_END)
 

Enumerations

enum  DetectContentInspectionType {
  DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD = 0, DETECT_ENGINE_CONTENT_INSPECTION_MODE_HEADER, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STREAM, DETECT_ENGINE_CONTENT_INSPECTION_MODE_FRAME,
  DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
}
 

Functions

bool DetectEngineContentInspection (DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer, const uint32_t buffer_len, const uint32_t stream_start_offset, const uint8_t flags, const enum DetectContentInspectionType inspection_mode)
 wrapper around DetectEngineContentInspectionInternal to return true/false only More...
 
bool DetectEngineContentInspectionBuffer (DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const InspectionBuffer *b, const enum DetectContentInspectionType inspection_mode)
 content inspect entry for inspection buffers More...
 
bool DetectContentInspectionMatchOnAbsentBuffer (const SigMatchData *smd)
 tells if we should match on absent buffer, because there is an absent keyword being used More...
 
void DetectEngineContentInspectionRegisterTests (void)
 

Detailed Description

Macro Definition Documentation

◆ DETECT_CI_FLAGS_DCE_BE

#define DETECT_CI_FLAGS_DCE_BE   BIT_U8(3)

DCERPC record in big endian

Definition at line 46 of file detect-engine-content-inspection.h.

◆ DETECT_CI_FLAGS_DCE_LE

#define DETECT_CI_FLAGS_DCE_LE   BIT_U8(2)

DCERPC record in little endian

Definition at line 45 of file detect-engine-content-inspection.h.

◆ DETECT_CI_FLAGS_END

#define DETECT_CI_FLAGS_END   BIT_U8(1)

indication that current buffer is the end of the data

Definition at line 44 of file detect-engine-content-inspection.h.

◆ DETECT_CI_FLAGS_SINGLE

#define DETECT_CI_FLAGS_SINGLE   (DETECT_CI_FLAGS_START|DETECT_CI_FLAGS_END)

buffer is a single, non-streaming, buffer. Data sent to the content inspection function contains both start and end of the data.

Definition at line 50 of file detect-engine-content-inspection.h.

◆ DETECT_CI_FLAGS_START

#define DETECT_CI_FLAGS_START   BIT_U8(0)

indication that current buffer is the start of the data

Definition at line 42 of file detect-engine-content-inspection.h.

Enumeration Type Documentation

◆ DetectContentInspectionType

indication to content engine what type of data we're inspecting

Enumerator
DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD 
DETECT_ENGINE_CONTENT_INSPECTION_MODE_HEADER 
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STREAM 
DETECT_ENGINE_CONTENT_INSPECTION_MODE_FRAME 
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE 

Definition at line 31 of file detect-engine-content-inspection.h.

Function Documentation

◆ DetectContentInspectionMatchOnAbsentBuffer()

bool DetectContentInspectionMatchOnAbsentBuffer ( const SigMatchData smd)

tells if we should match on absent buffer, because there is an absent keyword being used

Parameters
smdarray of content inspection matches
Return values
booltrue to match on absent buffer, false otherwise

Definition at line 767 of file detect-engine-content-inspection.c.

References DETECT_ABSENT, SigMatchData_::is_last, and SigMatchData_::type.

◆ DetectEngineContentInspection()

bool DetectEngineContentInspection ( DetectEngineCtx de_ctx,
DetectEngineThreadCtx det_ctx,
const Signature s,
const SigMatchData smd,
Packet p,
Flow f,
const uint8_t *  buffer,
const uint32_t  buffer_len,
const uint32_t  stream_start_offset,
const uint8_t  flags,
const enum DetectContentInspectionType  inspection_mode 
)

wrapper around DetectEngineContentInspectionInternal to return true/false only

Parameters
smdsigmatches to evaluate

Definition at line 723 of file detect-engine-content-inspection.c.

References DetectEngineThreadCtx_::buffer_offset, ctx, de_ctx, and DetectEngineCtx_::inspection_recursion_limit.

Referenced by DetectEngineInspectBufferGeneric(), DetectEngineInspectPacketPayload(), and DetectEngineInspectPktBufferGeneric().

Here is the caller graph for this function:

◆ DetectEngineContentInspectionBuffer()

bool DetectEngineContentInspectionBuffer ( DetectEngineCtx de_ctx,
DetectEngineThreadCtx det_ctx,
const Signature s,
const SigMatchData smd,
Packet p,
Flow f,
const InspectionBuffer b,
const enum DetectContentInspectionType  inspection_mode 
)

content inspect entry for inspection buffers

Parameters
de_ctxdetection engine
det_ctxdetect engine thread ctx
ssignature being inspected
smdarray of content inspection matches
ppacket
fflow
binspection buffer to inspect
inspection_modeinspection mode to use
Return values
booltrue if smd matched the buffer b, false otherwise

content inspect entry for inspection buffers

Parameters
smdsigmatches to evaluate

Definition at line 747 of file detect-engine-content-inspection.c.

References DetectEngineThreadCtx_::buffer_offset, ctx, de_ctx, and DetectEngineCtx_::inspection_recursion_limit.

Referenced by DetectEngineInspectMultiBufferGeneric().

Here is the caller graph for this function:

◆ DetectEngineContentInspectionRegisterTests()

void DetectEngineContentInspectionRegisterTests ( void  )

Definition at line 317 of file detect-engine-content-inspection.c.

References UtRegisterTest().

Here is the call graph for this function: