51 SCLogDebug(
"frame %p engine %p", frame, engine);
79 const Frames *frames,
const Frame *frame,
const uint32_t idx)
95 const uint8_t *data = buffer->
inspect;
101 if (data != NULL && data_len >= mpm_ctx->
minlen) {
103 mpm_ctx, &det_ctx->
mtcu, &det_ctx->
pmq, data, data_len);
108 static void PrefilterMpmFrameFree(
void *ptr)
126 mpm_reg->
frame_v1.type, pectx, PrefilterMpmFrameFree, mpm_reg->
pname);
138 SCLogDebug(
"inspecting rule %u against frame %p/%" PRIi64
"/%s", s->
id, frame, frame->
id,
142 if (frame->
type == e->type) {
147 if (e->v1.Callback(det_ctx, e, s, p, frames, frame, idx) ==
true) {
148 SCLogDebug(
"sid %u: e %p Callback returned true", s->
id, e);
151 SCLogDebug(
"sid %u: e %p Callback returned false", s->
id, e);
154 "sid %u: e %p not for frame type %u (want %u)", s->
id, e, frame->
type, e->type);
165 const Frames *frames,
const Frame *frame,
const int list_id,
const uint32_t idx,
181 const uint32_t data_len = frame_len;
183 SCLogDebug(
"packet %" PRIu64
" -> frame %p/%" PRIi64
"/%s rel_offset %" PRIi64
184 " type %u len %" PRIi64,
192 buffer->
flags = ci_flags;
206 static int FrameStreamDataFunc(
207 void *cb_data,
const uint8_t *input,
const uint32_t input_len,
const uint64_t
offset)
210 SCLogDebug(
"fsd %p { det_ct:%p, transforms:%p, frame:%p, list_id:%d, idx:%u, "
211 "frame_data_offset_abs:%" PRIu64
", frame_start_offset_abs:%" PRIu64
212 " }, input: %p, input_len:%u, offset:%" PRIu64,
223 const uint8_t *data = input;
224 uint8_t ci_flags = 0;
233 data_len = input_len;
244 uint64_t request_delta =
247 BUG_ON(request_delta > frame_delta);
250 if (frame_delta >= (uint64_t)
frame->
len) {
254 uint32_t adjusted_frame_len = (uint32_t)((uint64_t)
frame->
len - frame_delta);
255 SCLogDebug(
"frame len after applying offset %" PRIu64
": %u", frame_delta,
258 data_len =
MIN(adjusted_frame_len, input_len);
259 SCLogDebug(
"usable data len for frame: %u", data_len);
261 if ((uint64_t)data_len + frame_delta == (uint64_t)
frame->
len) {
266 data_len = input_len;
272 buffer->
flags = ci_flags;
284 if (!first && buffer->
inspect != NULL)
289 if (p->
proto == IPPROTO_UDP) {
290 return DetectFrame2InspectBufferUdp(
336 BUG_ON(frame_start_abs_offset < 0);
345 (uint64_t)frame_start_abs_offset };
388 const uint8_t *data = buffer->
inspect;
395 const uint8_t ci_flags = buffer->
flags;
396 SCLogDebug(
"frame %p rel_offset %" PRIi64
" type %u len %" PRIi64
397 " ci_flags %02x (start:%s, end:%s)",
401 SCLogDebug(
"buffer %p offset %" PRIu64
" len %u ci_flags %02x (start:%s, end:%s)", buffer,
struct PrefilterMpmFrameCtx PrefilterMpmFrameCtx
int DetectEngineInspectFrameBufferGeneric(DetectEngineThreadCtx *det_ctx, const DetectEngineFrameInspectionEngine *engine, const Signature *s, Packet *p, const Frames *frames, const Frame *frame, const uint32_t idx)
Do the content inspection & validation for a signature.
#define DETECT_CI_FLAGS_START
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_FRAME
#define PKT_IS_PSEUDOPKT(p)
Returns 1 if the packet is a pseudo packet.
#define PREFILTER_PROFILING_END(ctx, profile_id)
uint32_t rule_id_array_cnt
Container for matching data for a signature group.
int PrefilterGenericMpmFrameRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id)
#define PREFILTER_PROFILING_START
DetectEngineTransforms transforms
void DetectRunPrefilterFrame(DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh, Packet *p, const Frames *frames, const Frame *frame, const AppProto alproto, const uint32_t idx)
const DetectEngineTransforms * transforms
main detection engine ctx
DetectEngineThreadCtx * det_ctx
one time registration of keywords at start up
int PrefilterAppendFrameEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, PrefilterFrameFn PrefilterFrameFunc, AppProto alproto, uint8_t frame_type, void *pectx, void(*FreeFunc)(void *pectx), const char *name)
DetectEngineFrameInspectionEngine * frame_inspect
struct DetectBufferMpmRegistery_::@87::@91 frame_v1
uint64_t StreamTcpGetUsable(const TcpStream *stream, const bool eof)
const DetectEngineTransforms * transforms
InspectionBuffer * DetectFrame2InspectBuffer(DetectEngineThreadCtx *det_ctx, const DetectEngineTransforms *transforms, Packet *p, const Frames *frames, const Frame *frame, const int list_id, const uint32_t idx, const bool first)
#define PKT_IS_TOSERVER(p)
const char * AppLayerParserGetFrameNameById(uint8_t ipproto, AppProto alproto, const uint8_t id)
#define STREAM_BASE_OFFSET(stream)
Per thread variable structure.
#define DETECT_ENGINE_INSPECT_SIG_MATCH
const DetectEngineTransforms * transforms
struct DetectEngineFrameInspectionEngine::@86 v1
int DetectRunFrameInspectRule(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p, const Frames *frames, const Frame *frame, const uint32_t idx)
#define DETECT_CI_FLAGS_END
uint64_t frame_start_offset_abs
union PrefilterEngine_::@101 cb
PrefilterFrameFn PrefilterFrame
uint32_t(* Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t)
PrefilterEngine * frame_engines
uint16_t discontinue_matching
uint8_t DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer, uint32_t buffer_len, uint32_t stream_start_offset, uint8_t flags, uint8_t inspection_mode)
Run the actual payload match functions.
struct DetectEngineFrameInspectionEngine * next
int inspection_recursion_counter
void InspectionBufferSetupMulti(InspectionBuffer *buffer, const DetectEngineTransforms *transforms, const uint8_t *data, const uint32_t data_len)
Set up the buffer with our initial data.
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
union PrefilterEngine_::@100 ctx
InspectionBuffer * InspectionBufferMultipleForListGet(DetectEngineThreadCtx *det_ctx, const int list_id, const uint32_t local_id)
For an InspectionBufferMultipleForList, get an InspectionBuffer.
AppProto alproto
application level protocol
int StreamReassembleForFrame(TcpSession *ssn, TcpStream *stream, StreamReassembleRawFunc Callback, void *cb_data, const uint64_t offset, const bool eof)
uint64_t frame_data_offset_abs
#define DEBUG_VALIDATE_BUG_ON(exp)