suricata
detect-engine-content-inspection.h File Reference
Macros

#define DETECT_CI_FLAGS_START   BIT_U8(0)
 
#define DETECT_CI_FLAGS_END   BIT_U8(1)
 
#define DETECT_CI_FLAGS_SINGLE   (DETECT_CI_FLAGS_START|DETECT_CI_FLAGS_END)
 

Enumerations

enum  { DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD = 0, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STREAM, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE }
 

Functions

int DetectEngineContentInspection (DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, uint8_t *buffer, uint32_t buffer_len, uint32_t stream_start_offset, uint8_t flags, uint8_t inspection_mode, void *data)
 Run the actual payload match functions. More...
 
void DetectEngineContentInspectionRegisterTests (void)
 

Detailed Description

Macro Definition Documentation

#define DETECT_CI_FLAGS_END   BIT_U8(1)

indication that current buffer is the end of the data

Definition at line 38 of file detect-engine-content-inspection.h.

Referenced by DetectEngineContentInspection(), and DetectEngineInspectBufferGeneric().

#define DETECT_CI_FLAGS_SINGLE   (DETECT_CI_FLAGS_START|DETECT_CI_FLAGS_END)

buffer is a single, non-streaming, buffer. Data sent to the content inspection function contains both start and end of the data.

Definition at line 44 of file detect-engine-content-inspection.h.

Referenced by DetectBase64DataDoMatch(), DetectEngineInspectPacketPayload(), DetectFilenameRegister(), DetectHttpResponseLineRegister(), and DetectTemplateRustBufferRegister().

#define DETECT_CI_FLAGS_START   BIT_U8(0)

unused, reserved for future use

Definition at line 37 of file detect-engine-content-inspection.h.

Referenced by DetectEngineInspectBufferGeneric().

Enumeration Type Documentation

anonymous enum

indication to content engine what type of data we're inspecting

Enumerator
DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD 
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STREAM 
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE 

Definition at line 31 of file detect-engine-content-inspection.h.

Function Documentation

int DetectEngineContentInspection ( DetectEngineCtx de_ctx,
DetectEngineThreadCtx det_ctx,
const Signature s,
const SigMatchData smd,
Flow f,
uint8_t *  buffer,
uint32_t  buffer_len,
uint32_t  stream_start_offset,
uint8_t  flags,
uint8_t  inspection_mode,
void *  data 
)

Run the actual payload match functions.

The following keywords are inspected:

  • content, including all the http and dce modified contents
  • isdataat
  • pcre
  • bytejump
  • bytetest
  • byte_extract
  • urilen

All keywords are evaluated against the buffer of buffer_len bytes.

For relative matching, the end of the last match is tracked in det_ctx->buffer_offset; each successful content match advances it, and later relative keywords (distance, within, isdataat ... relative) are anchored there.

Parameters
  de_ctx               Detection engine context
  det_ctx              Detection engine thread context
  s                    Signature to inspect
  smd                  SigMatchData to inspect
  f                    Flow (for pcre flowvar storage)
  buffer               Ptr to the buffer to inspect
  buffer_len           Length of the payload
  stream_start_offset  Indicates the start of the current buffer in the whole buffer stream inspected. This applies if the current buffer is inspected in chunks.
  flags                DETECT_CI_FLAGS_* bits (see the macros above) telling the engine whether this buffer is the start and/or end of the data.
  inspection_mode      The engine inspection mode we are currently inspecting: one of the DETECT_ENGINE_CONTENT_INSPECTION_MODE_* values above (payload, stream or state).
  data                 Used to send some custom data. For example in payload inspection mode, data contains the packet ptr, and under dce inspection mode, contains the dce state.
Return values
  0  no match
  1  match
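The contract described above (relative matching anchored on det_ctx->buffer_offset, and DETECT_CI_FLAGS_START/END/SINGLE telling the engine whether the buffer is the start and/or end of the data) can be seen in a small model. The block below is example code added for this page, not Suricata's implementation: the ci_* names, the ci_match struct, the search routine and the SAMPLE request line are assumptions standing in for SigMatchData, the real matchers and real traffic. It shows why the END flag matters: a negated isdataat over bytes that may not have arrived yet is only decidable on the last buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Flag bits mirroring DETECT_CI_FLAGS_START / _END / _SINGLE from the header. */
#define CI_FLAGS_START  (1u << 0)
#define CI_FLAGS_END    (1u << 1)
#define CI_FLAGS_SINGLE (CI_FLAGS_START | CI_FLAGS_END)

/* Hypothetical match ops; a model, not Suricata's SigMatchData. */
enum ci_op { CI_CONTENT, CI_ISDATAAT_NEG_REL };

struct ci_match {
    enum ci_op op;
    const char *pat;   /* CI_CONTENT: bytes to find */
    uint32_t pat_len;
    int relative;      /* CI_CONTENT: 1 = distance/within, 0 = offset/depth */
    uint32_t offset;   /* offset (absolute) or distance (relative) */
    uint32_t depth;    /* depth (absolute) or within (relative); 0 = unbounded */
    uint32_t dataat;   /* CI_ISDATAAT_NEG_REL: the N in isdataat:!N,relative */
};

/* Per-thread state: end of the last content match, the role
 * det_ctx->buffer_offset plays in the real engine. */
struct ci_thread_ctx { uint32_t buffer_offset; };

static const uint8_t *find_bytes(const uint8_t *hay, uint32_t hay_len,
                                 const uint8_t *needle, uint32_t needle_len)
{
    if (needle_len == 0 || needle_len > hay_len)
        return NULL;
    for (uint32_t i = 0; i + needle_len <= hay_len; i++)
        if (memcmp(hay + i, needle, needle_len) == 0)
            return hay + i;
    return NULL;
}

/* Walk the match list in order. Returns 1 on match, 0 on no match. */
int ci_inspect(struct ci_thread_ctx *det, const struct ci_match *m, size_t n,
               const uint8_t *buf, uint32_t len, uint8_t flags)
{
    det->buffer_offset = 0;
    for (size_t i = 0; i < n; i++) {
        const struct ci_match *cur = &m[i];

        if (cur->op == CI_ISDATAAT_NEG_REL) {
            /* "No byte exists at buffer_offset + N" can only be asserted once
             * the caller says this buffer is the end of the data (END/SINGLE).
             * On a middle chunk the byte may still arrive: report no match
             * instead of a false positive. */
            if (!(flags & CI_FLAGS_END))
                return 0;
            if ((uint64_t)det->buffer_offset + cur->dataat < len)
                return 0;
            continue;
        }

        /* Search window: absolute [offset, depth) from the buffer start, or
         * relative [buffer_offset + distance, buffer_offset + within). */
        uint64_t start = cur->relative ? (uint64_t)det->buffer_offset + cur->offset
                                       : cur->offset;
        uint64_t end = len;
        if (cur->depth) {
            uint64_t lim = cur->relative ? (uint64_t)det->buffer_offset + cur->depth
                                         : cur->depth;
            if (lim < end)
                end = lim;
        }
        if (start >= end)
            return 0;
        const uint8_t *hit = find_bytes(buf + start, (uint32_t)(end - start),
                                        (const uint8_t *)cur->pat, cur->pat_len);
        if (hit == NULL)
            return 0;
        det->buffer_offset = (uint32_t)(hit - buf) + cur->pat_len;  /* anchor for relative ops */
    }
    return 1;
}

/* Constructed sample (not captured traffic): a 26-byte HTTP request line. */
static const char SAMPLE[] = "GET /index.html HTTP/1.1\r\n";
#define SAMPLE_LEN ((uint32_t)(sizeof(SAMPLE) - 1))

/* content:"GET "; depth:4; content:"HTTP/1.1"; distance:0; within:<within>; */
int example_relative_within(uint32_t within)
{
    struct ci_thread_ctx det;
    struct ci_match rule[2] = {
        { CI_CONTENT, "GET ", 4, 0, 0, 4, 0 },
        { CI_CONTENT, "HTTP/1.1", 8, 1, 0, within, 0 },
    };
    return ci_inspect(&det, rule, 2, (const uint8_t *)SAMPLE, SAMPLE_LEN, CI_FLAGS_SINGLE);
}

/* content:"GET "; depth:4; isdataat:!100,relative; evaluated with the given flags */
int example_isdataat(uint8_t flags)
{
    struct ci_thread_ctx det;
    const struct ci_match rule[2] = {
        { CI_CONTENT, "GET ", 4, 0, 0, 4, 0 },
        { CI_ISDATAAT_NEG_REL, NULL, 0, 0, 0, 0, 100 },
    };
    return ci_inspect(&det, rule, 2, (const uint8_t *)SAMPLE, SAMPLE_LEN, flags);
}

int main(void)
{
    printf("within:20 -> %d, within:10 -> %d\n",
           example_relative_within(20), example_relative_within(10));
    printf("isdataat:!100 on SINGLE -> %d, on START-only chunk -> %d\n",
           example_isdataat(CI_FLAGS_SINGLE), example_isdataat(CI_FLAGS_START));
    return 0;
}
```

The within:20 case matches because "HTTP/1.1" ends exactly 20 bytes after the end of "GET "; within:10 does not. The same negated isdataat rule matches when the caller passes DETECT_CI_FLAGS_SINGLE (the 26-byte buffer is all the data) but not when only the START bit is set, because the model cannot rule out that byte 104 arrives in a later chunk.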

Definition at line 102 of file detect-engine-content-inspection.c.

References DetectEngineThreadCtx_::bj_values, DetectEngineThreadCtx_::buffer_offset, BUG_ON, DetectContentData_::content_len, SigMatchData_::ctx, DetectIsdataatData_::dataat, DCERPCState_::dcerpc, DCERPC_::dcerpchdr, DetectContentData_::depth, DETECT_AL_URILEN, DETECT_BASE64_DECODE, DETECT_BSIZE, DETECT_BYTE_EXTRACT, DETECT_BYTE_EXTRACT_ENDIAN_BIG, DETECT_BYTE_EXTRACT_ENDIAN_DCE, DETECT_BYTE_EXTRACT_ENDIAN_LITTLE, DETECT_BYTE_EXTRACT_FLAG_ENDIAN, DETECT_BYTEJUMP, DETECT_BYTEJUMP_DCE, DETECT_BYTEJUMP_LITTLE, DETECT_BYTEJUMP_OFFSET_BE, DETECT_BYTETEST, DETECT_BYTETEST_DCE, DETECT_BYTETEST_LITTLE, DETECT_BYTETEST_OFFSET_BE, DETECT_BYTETEST_VALUE_BE, DETECT_CI_FLAGS_END, DETECT_CONTENT, DETECT_CONTENT_DEPTH, DETECT_CONTENT_DEPTH_BE, DETECT_CONTENT_DISTANCE, DETECT_CONTENT_DISTANCE_BE, DETECT_CONTENT_ENDS_WITH, DETECT_CONTENT_IS_SINGLE, DETECT_CONTENT_NEGATED, DETECT_CONTENT_OFFSET_BE, DETECT_CONTENT_REPLACE, DETECT_CONTENT_WITHIN, DETECT_CONTENT_WITHIN_BE, DETECT_CONTENT_WITHIN_NEXT, DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD, DETECT_ISDATAAT, DETECT_LUA, DETECT_PCRE, DETECT_PCRE_RELATIVE_NEXT, DETECT_SM_LIST_BASE64_DATA, DETECT_URILEN_EQ, DETECT_URILEN_GT, DETECT_URILEN_LT, DETECT_URILEN_RA, DetectBase64DataDoMatch(), DetectBase64DecodeDoMatch(), DetectBsizeMatch(), DetectByteExtractDoMatch(), DetectBytejumpDoMatch(), DetectBytetestDoMatch(), DetectEngineContentInspection(), DetectLuaMatchBuffer(), DetectPcrePayloadMatch(), DetectReplaceAddToList(), DetectEngineThreadCtx_::discontinue_matching, DetectContentData_::distance, DetectByteExtractData_::endian, DetectIsdataatData_::flags, flags, DetectPcreData_::flags, DetectBytejumpData_::flags, DetectByteExtractData_::flags, DetectBytetestData_::flags, DetectContentData_::flags, DetectContentData_::id, DetectEngineThreadCtx_::inspection_recursion_counter, DetectEngineCtx_::inspection_recursion_limit, SigMatchData_::is_last, ISDATAAT_NEGATED, ISDATAAT_OFFSET_BE, ISDATAAT_RELATIVE, KEYWORD_PROFILING_END, KEYWORD_PROFILING_START, DetectByteExtractData_::local_id, DetectUrilenData_::mode, DetectBytejumpData_::offset, DetectBytetestData_::offset, DetectContentData_::offset, offset, DCERPCHdr_::packed_drep, DetectEngineThreadCtx_::pcre_match_start_offset, DetectEngineThreadCtx_::replist, SC_ERR_INVALID_VALUE, SCEnter, SCLogDebug, SCLogWarning, SCReturnInt, DetectContentData_::spm_ctx, DetectEngineThreadCtx_::spm_thread_ctx, SpmScan(), SigMatchData_::type, DetectUrilenData_::urilen1, DetectBytetestData_::value, and DetectContentData_::within.

Referenced by DetectBase64DataDoMatch(), DetectEngineContentInspection(), DetectEngineInspectBufferGeneric(), DetectEngineInspectPacketPayload(), DetectFilenameRegister(), DetectHttpResponseLineRegister(), and DetectTemplateRustBufferRegister().

void DetectEngineContentInspectionRegisterTests ( void  )

Definition at line 266 of file detect-engine-content-inspection.c.

References UtRegisterTest().

Referenced by SigRegisterTests().
