suricata
detect-engine-content-inspection.h
Go to the documentation of this file.
1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  * \author Victor Julien <victor@inliniac.net>
23  */
24 
25 #ifndef __DETECT_ENGINE_CONTENT_INSPECTION_H__
26 #define __DETECT_ENGINE_CONTENT_INSPECTION_H__
27 
28 /** indication to content engine what type of data
29  * we're inspecting
30  */
31 enum {
32  DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD = 0, /* enables 'replace' logic */
37 };
38 
39 #define DETECT_CI_FLAGS_START BIT_U8(0) /**< unused, reserved for future use */
40 #define DETECT_CI_FLAGS_END BIT_U8(1) /**< indication that current buffer
41  * is the end of the data */
42 #define DETECT_CI_FLAGS_DCE_LE BIT_U8(2) /**< DCERPC record in little endian */
43 #define DETECT_CI_FLAGS_DCE_BE BIT_U8(3) /**< DCERPC record in big endian */
44 
45 /** buffer is a single, non-streaming, buffer. Data sent to the content
46  * inspection function contains both start and end of the data. */
47 #define DETECT_CI_FLAGS_SINGLE (DETECT_CI_FLAGS_START|DETECT_CI_FLAGS_END)
48 
50  const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer,
51  uint32_t buffer_len, uint32_t stream_start_offset, uint8_t flags, uint8_t inspection_mode);
52 
54 
55 #endif /* __DETECT_ENGINE_CONTENT_INSPECTION_H__ */
DetectEngineContentInspectionRegisterTests
void DetectEngineContentInspectionRegisterTests(void)
Definition: detect-engine-content-inspection.c:276
Flow_
Flow data structure.
Definition: flow.h:347
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:826
DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD
Definition: detect-engine-content-inspection.h:32
SigMatchData_
Data needed for Match()
Definition: detect.h:349
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1074
Packet_
Definition: decode.h:430
DETECT_ENGINE_CONTENT_INSPECTION_MODE_HEADER
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_HEADER
Definition: detect-engine-content-inspection.h:33
DETECT_ENGINE_CONTENT_INSPECTION_MODE_FRAME
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_FRAME
Definition: detect-engine-content-inspection.h:35
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STREAM
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_STREAM
Definition: detect-engine-content-inspection.h:34
flags
uint8_t flags
Definition: decode-gre.h:0
DetectEngineContentInspection
uint8_t DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer, uint32_t buffer_len, uint32_t stream_start_offset, uint8_t flags, uint8_t inspection_mode)
Run the actual payload match functions.
Definition: detect-engine-content-inspection.c:106
Signature_
Signature container.
Definition: detect.h:581
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
Definition: detect-engine-content-inspection.h:36