1 /* Copyright (C) 2007-2023 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  * \author Victor Julien <victor@inliniac.net>
23  */
24 
25 #ifndef SURICATA_DETECT_ENGINE_CONTENT_INSPECTION_H
26 #define SURICATA_DETECT_ENGINE_CONTENT_INSPECTION_H
27 
/** Tells the content inspection engine what kind of data it has been
 *  handed. Some modes switch extra logic on, see the per-value notes.
 *  Explicit values match the original positional numbering (0..4). */
enum DetectContentInspectionType {
    /** packet payload; enables 'replace' logic */
    DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD = 0,
    /** a header is being inspected */
    DETECT_ENGINE_CONTENT_INSPECTION_MODE_HEADER = 1,
    /** enables "stream" inspection logic */
    DETECT_ENGINE_CONTENT_INSPECTION_MODE_STREAM = 2,
    /** enables "frame" inspection logic */
    DETECT_ENGINE_CONTENT_INSPECTION_MODE_FRAME = 3,
    /** enables "state" logic: buffers that come from the app-layer state */
    DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE = 4,
};
39 
/** Flags describing the buffer handed to the content inspection engine.
 *  NOTE(review): the BIT_U8() helper and the uint8_t `flags` parameter of
 *  DetectEngineContentInspection() suggest these are its bits and may be
 *  OR-ed together; confirm against detect-engine-content-inspection.c. */
#define DETECT_CI_FLAGS_START  BIT_U8(0) /**< current buffer is the start of the data */
#define DETECT_CI_FLAGS_END    BIT_U8(1) /**< current buffer is the end of the data */
#define DETECT_CI_FLAGS_DCE_LE BIT_U8(2) /**< DCERPC record in little endian */
#define DETECT_CI_FLAGS_DCE_BE BIT_U8(3) /**< DCERPC record in big endian */

/** A single, non-streaming buffer: the data passed to the content
 *  inspection function carries both the start and the end of the data. */
#define DETECT_CI_FLAGS_SINGLE (DETECT_CI_FLAGS_START | DETECT_CI_FLAGS_END)
50 
/** \brief Inspect a raw data buffer against the content matches in \a smd.
 *
 *  Implicit "public" entry point: it wraps the internal inspection routine
 *  and reduces its result to a plain match / no-match answer.
 *
 *  \param de_ctx detection engine
 *  \param det_ctx detect engine thread ctx
 *  \param s signature being inspected
 *  \param smd array of content inspection matches
 *  \param p packet
 *  \param f flow
 *  \param buffer data to inspect
 *  \param buffer_len length of \a buffer in bytes
 *  \param stream_start_offset NOTE(review): presumably the offset of \a buffer
 *         within the stream it was taken from; confirm against the definition
 *  \param flags NOTE(review): presumably a combination of DETECT_CI_FLAGS_* bits
 *  \param inspection_mode which DETECT_ENGINE_CONTENT_INSPECTION_MODE_* logic to apply
 *  \retval true \a smd matched \a buffer
 *  \retval false no match */
bool DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
        const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer,
        const uint32_t buffer_len, const uint32_t stream_start_offset, const uint8_t flags,
        const enum DetectContentInspectionType inspection_mode);
56 
/** \brief Content inspection entry point for InspectionBuffer objects.
 *
 *  \param de_ctx detection engine
 *  \param det_ctx detect engine thread ctx
 *  \param s signature being inspected
 *  \param smd array of content inspection matches
 *  \param p packet
 *  \param f flow
 *  \param b inspection buffer to inspect
 *  \param inspection_mode which DETECT_ENGINE_CONTENT_INSPECTION_MODE_* logic to apply
 *  \retval true \a smd matched the buffer \a b
 *  \retval false no match */
bool DetectEngineContentInspectionBuffer(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
        const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const InspectionBuffer *b,
        const enum DetectContentInspectionType inspection_mode);
70 
/** \brief Tell whether a missing (absent) buffer should count as a match,
 *  which is the case when an "absent" keyword is part of the match list.
 *
 *  \param smd array of content inspection matches
 *  \retval true match on an absent buffer
 *  \retval false do not match on an absent buffer */
bool DetectContentInspectionMatchOnAbsentBuffer(const SigMatchData *smd);

/** Registers the unit tests of this module. */
void DetectEngineContentInspectionRegisterTests(void);

79 #endif /* SURICATA_DETECT_ENGINE_CONTENT_INSPECTION_H */