suricata
detect-file-data.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  */
24 
25 #include "suricata-common.h"
26 #include "threads.h"
27 #include "decode.h"
28 
29 #include "detect.h"
30 #include "detect-parse.h"
31 
32 #include "detect-engine.h"
33 #include "detect-engine-mpm.h"
34 #include "detect-engine-state.h"
37 #include "detect-engine-file.h"
38 #include "detect-file-data.h"
39 
40 #include "app-layer.h"
41 #include "app-layer-parser.h"
42 #include "app-layer-htp.h"
43 #include "app-layer-smtp.h"
44 
45 #include "flow.h"
46 #include "flow-var.h"
47 #include "flow-util.h"
48 
49 #include "util-debug.h"
50 #include "util-spm-bm.h"
51 #include "util-unittest.h"
52 #include "util-unittest-helper.h"
54 #include "util-profiling.h"
55 
56 static int DetectFiledataSetup (DetectEngineCtx *, Signature *, const char *);
57 #ifdef UNITTESTS
58 static void DetectFiledataRegisterTests(void);
59 #endif
60 static void DetectFiledataSetupCallback(const DetectEngineCtx *de_ctx,
61  Signature *s);
62 static int g_file_data_buffer_id = 0;
63 
64 /* file API */
66  const DetectBufferMpmRegistry *mpm_reg, int list_id);
67 
68 /**
69  * \brief Registration function for keyword: file_data
70  */
72 {
73  sigmatch_table[DETECT_FILE_DATA].name = "file.data";
74  sigmatch_table[DETECT_FILE_DATA].alias = "file_data";
75  sigmatch_table[DETECT_FILE_DATA].desc = "make content keywords match on file data";
76  sigmatch_table[DETECT_FILE_DATA].url = "/rules/file-keywords.html#file-data";
77  sigmatch_table[DETECT_FILE_DATA].Setup = DetectFiledataSetup;
78 #ifdef UNITTESTS
80 #endif
82 
87 
88  DetectBufferTypeRegisterSetupCallback("file_data", DetectFiledataSetupCallback);
89 
90  DetectBufferTypeSetDescriptionByName("file_data", "data from tracked files");
92 
93  g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
94 }
95 
96 static void SetupDetectEngineConfig(DetectEngineCtx *de_ctx) {
98  return;
99 
100  /* initialize default */
101  for (int i = 0; i < (int)ALPROTO_MAX; i++) {
105  }
106 
107  /* add protocol specific settings here */
108 
109  /* SMTP */
113 
115 }
116 
117 /**
118  * \brief this function is used to parse filedata options
119  * \brief into the current signature
120  *
121  * \param de_ctx pointer to the Detection Engine Context
122  * \param s pointer to the Current Signature
123  * \param str pointer to the user provided "filestore" option
124  *
125  * \retval 0 on Success
126  * \retval -1 on Failure
127  */
128 static int DetectFiledataSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
129 {
130  SCEnter();
131 
132  if (!DetectProtoContainsProto(&s->proto, IPPROTO_TCP)) {
133  SCLogError("The 'file_data' keyword cannot be used with non-TCP protocols");
134  return -1;
135  }
136 
137  if (s->alproto != ALPROTO_UNKNOWN && !AppLayerParserSupportsFiles(IPPROTO_TCP, s->alproto)) {
138  SCLogError("The 'file_data' keyword cannot be used with TCP protocol %s",
140  return -1;
141  }
142 
144  !(s->flags & SIG_FLAG_TOSERVER) && (s->flags & SIG_FLAG_TOCLIENT)) {
145  SCLogError("The 'file-data' keyword cannot be used with SMTP flow:to_client or "
146  "flow:from_server.");
147  return -1;
148  }
149 
151  return -1;
152 
154  SetupDetectEngineConfig(de_ctx);
155  return 0;
156 }
157 
158 static void DetectFiledataSetupCallback(const DetectEngineCtx *de_ctx,
159  Signature *s)
160 {
161  if (s->alproto == ALPROTO_HTTP1 || s->alproto == ALPROTO_UNKNOWN ||
162  s->alproto == ALPROTO_HTTP) {
164  }
165 
166  /* server body needs to be inspected in sync with stream if possible */
168 
169  SCLogDebug("callback invoked by %u", s->id);
170 }
171 
172 /* common */
173 
174 static void PrefilterMpmFiledataFree(void *ptr)
175 {
176  SCFree(ptr);
177 }
178 
179 /* file API based inspection */
180 
181 static inline InspectionBuffer *FiledataWithXformsGetDataCallback(DetectEngineThreadCtx *det_ctx,
182  const DetectEngineTransforms *transforms, const int list_id, int local_file_id,
183  InspectionBuffer *base_buffer)
184 {
185  InspectionBuffer *buffer = InspectionBufferMultipleForListGet(det_ctx, list_id, local_file_id);
186  if (buffer == NULL) {
187  SCLogDebug("list_id: %d: no buffer", list_id);
188  return NULL;
189  }
190  if (buffer->initialized) {
191  SCLogDebug("list_id: %d: returning %p", list_id, buffer);
192  return buffer;
193  }
194 
195  InspectionBufferSetupMulti(buffer, transforms, base_buffer->inspect, base_buffer->inspect_len);
196  buffer->inspect_offset = base_buffer->inspect_offset;
197  SCLogDebug("xformed buffer %p size %u", buffer, buffer->inspect_len);
198  SCReturnPtr(buffer, "InspectionBuffer");
199 }
200 
201 static InspectionBuffer *FiledataGetDataCallback(DetectEngineThreadCtx *det_ctx,
202  const DetectEngineTransforms *transforms, Flow *f, uint8_t flow_flags, File *cur_file,
203  const int list_id, const int base_id, int local_file_id, void *txv)
204 {
205  SCEnter();
206  SCLogDebug("starting: list_id %d base_id %d", list_id, base_id);
207 
208  InspectionBuffer *buffer = InspectionBufferMultipleForListGet(det_ctx, base_id, local_file_id);
209  SCLogDebug("base: buffer %p", buffer);
210  if (buffer == NULL)
211  return NULL;
212  if (base_id != list_id && buffer->inspect != NULL) {
213  SCLogDebug("handle xform %s", (list_id != base_id) ? "true" : "false");
214  return FiledataWithXformsGetDataCallback(
215  det_ctx, transforms, list_id, local_file_id, buffer);
216  }
217  if (buffer->initialized) {
218  SCLogDebug("base_id: %d, not first: use %p", base_id, buffer);
219  return buffer;
220  }
221 
222  const uint64_t file_size = FileDataSize(cur_file);
223  const DetectEngineCtx *de_ctx = det_ctx->de_ctx;
224  const uint32_t content_limit = de_ctx->filedata_config[f->alproto].content_limit;
225  const uint32_t content_inspect_min_size =
227 
228  SCLogDebug("[list %d] content_limit %u, content_inspect_min_size %u", list_id, content_limit,
229  content_inspect_min_size);
230 
231  SCLogDebug("[list %d] file %p size %" PRIu64 ", state %d", list_id, cur_file, file_size,
232  cur_file->state);
233 
234  /* no new data */
235  if (cur_file->content_inspected == file_size) {
236  SCLogDebug("no new data");
237  goto empty_return;
238  }
239 
240  if (file_size == 0) {
241  SCLogDebug("no data to inspect for this transaction");
242  goto empty_return;
243  }
244 
245  SCLogDebug("offset %" PRIu64, StreamingBufferGetOffset(cur_file->sb));
246  SCLogDebug("size %" PRIu64, cur_file->size);
247  SCLogDebug("content_inspected %" PRIu64, cur_file->content_inspected);
248  SCLogDebug("inspect_window %" PRIu32, cur_file->inspect_window);
249  SCLogDebug("inspect_min_size %" PRIu32, cur_file->inspect_min_size);
250 
251  bool ips = false;
252  uint64_t offset = 0;
253  if (f->alproto == ALPROTO_HTTP1) {
254 
255  htp_tx_t *tx = txv;
256  HtpState *htp_state = f->alstate;
257  ips = htp_state->cfg->http_body_inline;
258 
259  const bool body_done = AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP1, tx,
260  flow_flags) > HTP_RESPONSE_BODY;
261 
262  SCLogDebug("response.body_limit %u file_size %" PRIu64
263  ", cur_file->inspect_min_size %" PRIu32 ", EOF %s, progress > body? %s",
264  htp_state->cfg->response.body_limit, file_size, cur_file->inspect_min_size,
265  flow_flags & STREAM_EOF ? "true" : "false", BOOL2STR(body_done));
266 
267  if (!htp_state->cfg->http_body_inline) {
268  /* inspect the body if the transfer is complete or we have hit
269  * our body size limit */
270  if ((htp_state->cfg->response.body_limit == 0 ||
271  file_size < htp_state->cfg->response.body_limit) &&
272  file_size < cur_file->inspect_min_size && !body_done &&
273  !(flow_flags & STREAM_EOF)) {
274  SCLogDebug("we still haven't seen the entire response body. "
275  "Let's defer body inspection till we see the "
276  "entire body.");
277  goto empty_return;
278  }
279  SCLogDebug("inline and we're continuing");
280  }
281 
282  bool force = (flow_flags & STREAM_EOF) || (cur_file->state > FILE_STATE_OPENED) ||
283  body_done || htp_state->cfg->http_body_inline;
284  /* get the inspect buffer
285  *
286  * make sure that we have at least the configured inspect_win size.
287  * If we have more, take at least 1/4 of the inspect win size before
288  * the new data.
289  */
290  if (cur_file->content_inspected == 0) {
291  if (!force && file_size < cur_file->inspect_min_size) {
292  SCLogDebug("skip as file_size %" PRIu64 " < inspect_min_size %u", file_size,
293  cur_file->inspect_min_size);
294  goto empty_return;
295  }
296  } else {
297  uint64_t new_data = file_size - cur_file->content_inspected;
298  BUG_ON(new_data == 0);
299  if (new_data < cur_file->inspect_window) {
300  uint64_t inspect_short = cur_file->inspect_window - new_data;
301  if (cur_file->content_inspected < inspect_short) {
302  offset = 0;
303  SCLogDebug("offset %" PRIu64, offset);
304  } else {
305  offset = cur_file->content_inspected - inspect_short;
306  SCLogDebug("offset %" PRIu64, offset);
307  }
308  } else {
309  BUG_ON(cur_file->content_inspected == 0);
310  uint32_t margin = cur_file->inspect_window / 4;
311  if ((uint64_t)margin <= cur_file->content_inspected) {
312  offset = cur_file->content_inspected - (cur_file->inspect_window / 4);
313  } else {
314  offset = 0;
315  }
316  SCLogDebug("offset %" PRIu64 " (data from offset %" PRIu64 ")", offset,
317  file_size - offset);
318  }
319  }
320 
321  } else {
322  if ((content_limit == 0 || file_size < content_limit) &&
323  file_size < content_inspect_min_size && !(flow_flags & STREAM_EOF) &&
324  !(cur_file->state > FILE_STATE_OPENED)) {
325  SCLogDebug("we still haven't seen the entire content. "
326  "Let's defer content inspection till we see the "
327  "entire content. We've seen %ld and need at least %d",
328  file_size, content_inspect_min_size);
329  goto empty_return;
330  }
331  offset = cur_file->content_inspected;
332  }
333 
334  const uint8_t *data;
335  uint32_t data_len;
336 
337  SCLogDebug("Fetching data at offset: %ld", offset);
338  StreamingBufferGetDataAtOffset(cur_file->sb, &data, &data_len, offset);
339  SCLogDebug("data_len %u", data_len);
340  /* update inspected tracker */
341  buffer->inspect_offset = offset;
342 
343  if (ips && file_size < cur_file->inspect_min_size) {
344  // don't update content_inspected yet
345  } else {
346  SCLogDebug("content inspected: %" PRIu64, cur_file->content_inspected);
347  cur_file->content_inspected = MAX(cur_file->content_inspected, offset + data_len);
348  SCLogDebug("content inspected: %" PRIu64, cur_file->content_inspected);
349  }
350 
351  InspectionBufferSetupMulti(buffer, NULL, data, data_len);
352  SCLogDebug("[list %d] [before] buffer offset %" PRIu64 "; buffer len %" PRIu32
353  "; data_len %" PRIu32 "; file_size %" PRIu64,
354  list_id, buffer->inspect_offset, buffer->inspect_len, data_len, file_size);
355 
356  if (f->alproto == ALPROTO_HTTP1 && flow_flags & STREAM_TOCLIENT) {
357  HtpState *htp_state = f->alstate;
358  /* built-in 'transformation' */
359  if (htp_state->cfg->swf_decompression_enabled) {
360  int swf_file_type = FileIsSwfFile(data, data_len);
361  if (swf_file_type == FILE_SWF_ZLIB_COMPRESSION ||
362  swf_file_type == FILE_SWF_LZMA_COMPRESSION) {
363  SCLogDebug("decompressing ...");
364  (void)FileSwfDecompression(data, data_len, det_ctx, buffer,
365  htp_state->cfg->swf_compression_type, htp_state->cfg->swf_decompress_depth,
366  htp_state->cfg->swf_compress_depth);
367  SCLogDebug("uncompressed buffer %p size %u; buf: \"%s\"", buffer,
368  buffer->inspect_len, (char *)buffer->inspect);
369  }
370  }
371  }
372 
373  SCLogDebug("content inspected: %" PRIu64, cur_file->content_inspected);
374 
375  /* get buffer for the list id if it is different from the base id */
376  if (list_id != base_id) {
377  SCLogDebug("regular %d has been set up: now handle xforms id %d", base_id, list_id);
378  InspectionBuffer *tbuffer = FiledataWithXformsGetDataCallback(
379  det_ctx, transforms, list_id, local_file_id, buffer);
380  SCReturnPtr(tbuffer, "InspectionBuffer");
381  }
382  SCReturnPtr(buffer, "InspectionBuffer");
383 
384 empty_return:
386  return NULL;
387 }
388 
390  const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags,
391  void *alstate, void *txv, uint64_t tx_id)
392 {
393  const DetectEngineTransforms *transforms = NULL;
394  if (!engine->mpm) {
395  transforms = engine->v2.transforms;
396  }
397 
398  AppLayerGetFileState files = AppLayerParserGetTxFiles(f, alstate, txv, flags);
399  FileContainer *ffc = files.fc;
400  if (ffc == NULL) {
402  }
403 
404  int local_file_id = 0;
405  File *file = ffc->head;
406  for (; file != NULL; file = file->next) {
407  InspectionBuffer *buffer = FiledataGetDataCallback(det_ctx, transforms, f, flags, file,
408  engine->sm_list, engine->sm_list_base, local_file_id, txv);
409  if (buffer == NULL)
410  continue;
411 
412  bool eof = (file->state == FILE_STATE_CLOSED);
413  uint8_t ciflags = eof ? DETECT_CI_FLAGS_END : 0;
414  if (buffer->inspect_offset == 0)
415  ciflags |= DETECT_CI_FLAGS_START;
416 
417  const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f,
418  buffer->inspect, buffer->inspect_len, buffer->inspect_offset, ciflags,
420  if (match) {
422  }
423  local_file_id++;
424  }
425 
427 }
428 
429 /** \brief Filedata Filedata Mpm prefilter callback
430  *
431  * \param det_ctx detection engine thread ctx
432  * \param pectx inspection context
433  * \param p packet to inspect
434  * \param f flow to inspect
435  * \param txv tx to inspect
436  * \param idx transaction id
437  * \param flags STREAM_* flags including direction
438  */
439 static void PrefilterTxFiledata(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p,
440  Flow *f, void *txv, const uint64_t idx, const AppLayerTxData *txd, const uint8_t flags)
441 {
442  SCEnter();
443 
444  if (!AppLayerParserHasFilesInDir(txd, flags))
445  return;
446 
447  const PrefilterMpmFiledata *ctx = (const PrefilterMpmFiledata *)pectx;
448  const MpmCtx *mpm_ctx = ctx->mpm_ctx;
449  const int list_id = ctx->list_id;
450 
451  AppLayerGetFileState files = AppLayerParserGetTxFiles(f, f->alstate, txv, flags);
452  FileContainer *ffc = files.fc;
453  if (ffc != NULL) {
454  int local_file_id = 0;
455  for (File *file = ffc->head; file != NULL; file = file->next) {
456  InspectionBuffer *buffer = FiledataGetDataCallback(det_ctx, ctx->transforms, f, flags,
457  file, list_id, ctx->base_list_id, local_file_id, txv);
458  if (buffer == NULL)
459  continue;
460  SCLogDebug("[%" PRIu64 "] buffer size %u", p->pcap_cnt, buffer->inspect_len);
461 
462  if (buffer->inspect_len >= mpm_ctx->minlen) {
463  uint32_t prev_rule_id_array_cnt = det_ctx->pmq.rule_id_array_cnt;
464  (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx, &det_ctx->mtc, &det_ctx->pmq,
465  buffer->inspect, buffer->inspect_len);
466  PREFILTER_PROFILING_ADD_BYTES(det_ctx, buffer->inspect_len);
467 
468  if (det_ctx->pmq.rule_id_array_cnt > prev_rule_id_array_cnt) {
469  SCLogDebug(
470  "%u matches", det_ctx->pmq.rule_id_array_cnt - prev_rule_id_array_cnt);
471  }
472  }
473  local_file_id++;
474  }
475  }
476 }
477 
479  const DetectBufferMpmRegistry *mpm_reg, int list_id)
480 {
481  PrefilterMpmFiledata *pectx = SCCalloc(1, sizeof(*pectx));
482  if (pectx == NULL)
483  return -1;
484  pectx->list_id = list_id;
485  pectx->base_list_id = mpm_reg->sm_list_base;
486  pectx->mpm_ctx = mpm_ctx;
487  pectx->transforms = &mpm_reg->transforms;
488 
489  return PrefilterAppendTxEngine(de_ctx, sgh, PrefilterTxFiledata,
490  mpm_reg->app_v2.alproto, mpm_reg->app_v2.tx_min_progress,
491  pectx, PrefilterMpmFiledataFree, mpm_reg->pname);
492 }
493 
494 #ifdef UNITTESTS
495 #include "tests/detect-file-data.c"
496 #endif
HtpState_::cfg
const struct HTPCfgRec_ * cfg
Definition: app-layer-htp.h:258
SMTPConfig::content_limit
uint32_t content_limit
Definition: app-layer-smtp.h:106
DetectEngineAppInspectionEngine_
Definition: detect.h:424
SigTableElmt_::url
const char * url
Definition: detect.h:1296
DetectEngineAppInspectionEngine_::mpm
bool mpm
Definition: detect.h:428
FileContainer_
Definition: util-file.h:113
MpmCtx_::mpm_type
uint8_t mpm_type
Definition: util-mpm.h:90
detect-engine.h
SigTableElmt_::desc
const char * desc
Definition: detect.h:1295
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
DETECT_CI_FLAGS_START
#define DETECT_CI_FLAGS_START
Definition: detect-engine-content-inspection.h:40
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1293
InspectionBuffer::initialized
bool initialized
Definition: detect.h:375
PrefilterRuleStore_::rule_id_array_cnt
uint32_t rule_id_array_cnt
Definition: util-prefilter.h:40
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1445
SIG_FLAG_INIT_FLOW
#define SIG_FLAG_INIT_FLOW
Definition: detect.h:284
DetectEngineTransforms
Definition: detect.h:406
DetectBufferMpmRegistry_::sm_list_base
int16_t sm_list_base
Definition: detect.h:682
HTPCfgRec_::response
HTPCfgDir response
Definition: app-layer-htp.h:172
File_::inspect_min_size
uint32_t inspect_min_size
Definition: util-file.h:104
SIG_FLAG_INIT_NEED_FLUSH
#define SIG_FLAG_INIT_NEED_FLUSH
Definition: detect.h:289
File_::size
uint64_t size
Definition: util-file.h:102
Signature_::alproto
AppProto alproto
Definition: detect.h:598
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
SIG_FLAG_INIT_FILEDATA
#define SIG_FLAG_INIT_FILEDATA
Definition: detect.h:292
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:607
HTPCfgDir_::body_limit
uint32_t body_limit
Definition: app-layer-htp.h:151
DetectBufferSetActiveList
int DetectBufferSetActiveList(DetectEngineCtx *de_ctx, Signature *s, const int list)
Definition: detect-engine.c:1335
AppLayerParserGetStateProgress
int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto, void *alstate, uint8_t flags)
get the progress value for a tx/protocol
Definition: app-layer-parser.c:1092
FileSwfDecompression
int FileSwfDecompression(const uint8_t *buffer, uint32_t buffer_len, DetectEngineThreadCtx *det_ctx, InspectionBuffer *out_buffer, int swf_type, uint32_t decompress_depth, uint32_t compress_depth)
This function decompresses a buffer with zlib/lzma algorithm.
Definition: util-file-decompression.c:71
InspectionBuffer
Definition: detect.h:371
threads.h
FILE_STATE_OPENED
@ FILE_STATE_OPENED
Definition: util-file.h:70
Flow_
Flow data structure.
Definition: flow.h:351
File_::state
FileState state
Definition: util-file.h:82
DetectBufferTypeRegisterSetupCallback
void DetectBufferTypeRegisterSetupCallback(const char *name, void(*SetupCallback)(const DetectEngineCtx *, Signature *))
Definition: detect-engine.c:1266
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1201
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1287
AppLayerParserSupportsFiles
bool AppLayerParserSupportsFiles(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:1174
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:836
PrefilterMpmFiledataRegister
int PrefilterMpmFiledataRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
Definition: detect-file-data.c:478
DetectBufferTypeSupportsMultiInstance
void DetectBufferTypeSupportsMultiInstance(const char *name)
Definition: detect-engine.c:1022
DetectBufferMpmRegistry_
one time registration of keywords at start up
Definition: detect.h:677
detect-file-data.h
DetectEngineAppInspectionEngine_::sm_list_base
uint16_t sm_list_base
Definition: detect.h:431
FILEDATA_CONTENT_LIMIT
#define FILEDATA_CONTENT_LIMIT
Definition: app-layer-smtp.c:63
SignatureInitData_::init_flags
uint32_t init_flags
Definition: detect.h:545
DetectBufferMpmRegistry_::app_v2
struct DetectBufferMpmRegistry_::@88::@90 app_v2
HTPCfgRec_::swf_compress_depth
uint32_t swf_compress_depth
Definition: app-layer-htp.h:169
StreamingBufferGetDataAtOffset
int StreamingBufferGetDataAtOffset(const StreamingBuffer *sb, const uint8_t **data, uint32_t *data_len, uint64_t offset)
Definition: util-streaming-buffer.c:1771
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:264
MAX
#define MAX(x, y)
Definition: suricata-common.h:395
ALPROTO_MAX
@ ALPROTO_MAX
Definition: app-layer-protos.h:76
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1278
DetectBufferMpmRegistry_::transforms
DetectEngineTransforms transforms
Definition: detect.h:690
DetectEngineCtx_::content_inspect_window
uint32_t content_inspect_window
Definition: detect.h:946
detect-engine-prefilter.h
util-unittest.h
HtpState_
Definition: app-layer-htp.h:244
SMTPConfig::content_inspect_min_size
uint32_t content_inspect_min_size
Definition: app-layer-smtp.h:107
util-unittest-helper.h
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1072
File_::sb
StreamingBuffer * sb
Definition: util-file.h:83
DetectEngineAppInspectionEngine_::sm_list
uint16_t sm_list
Definition: detect.h:430
DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES
Definition: detect-engine-state.h:43
PrefilterMpmFiledata::transforms
const DetectEngineTransforms * transforms
Definition: detect-file-data.h:34
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:263
app-layer-htp.h
InspectionBufferSetupMultiEmpty
void InspectionBufferSetupMultiEmpty(InspectionBuffer *buffer)
setup the buffer empty
Definition: detect-engine.c:1546
decode.h
util-debug.h
HTPCfgRec_::http_body_inline
int http_body_inline
Definition: app-layer-htp.h:164
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1092
ALPROTO_SMTP
@ ALPROTO_SMTP
Definition: app-layer-protos.h:32
detect-engine-file.h
BOOL2STR
#define BOOL2STR(b)
Definition: util-debug.h:527
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
detect-engine-mpm.h
FileContainer_::head
File * head
Definition: util-file.h:114
detect.h
HTPCfgRec_::swf_decompress_depth
uint32_t swf_decompress_depth
Definition: app-layer-htp.h:168
DETECT_ENGINE_INSPECT_SIG_MATCH
#define DETECT_ENGINE_INSPECT_SIG_MATCH
Definition: detect-engine-state.h:38
PrefilterMpmFiledata::mpm_ctx
const MpmCtx * mpm_ctx
Definition: detect-file-data.h:33
DetectFiledataRegister
void DetectFiledataRegister(void)
Registration function for keyword: file_data.
Definition: detect-file-data.c:71
HTPCfgRec_::swf_decompression_enabled
int swf_decompression_enabled
Definition: app-layer-htp.h:166
FILEDATA_CONTENT_INSPECT_MIN_SIZE
#define FILEDATA_CONTENT_INSPECT_MIN_SIZE
Definition: app-layer-smtp.c:65
InspectionBuffer::inspect_offset
uint64_t inspect_offset
Definition: detect.h:373
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
Definition: detect-engine-content-inspection.h:36
app-layer-parser.h
MpmCtx_::minlen
uint16_t minlen
Definition: util-mpm.h:99
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:300
smtp_config
SMTPConfig smtp_config
Definition: app-layer-smtp.c:246
util-profiling.h
PrefilterMpmFiledata::base_list_id
int base_list_id
Definition: detect-file-data.h:32
Signature_::flags
uint32_t flags
Definition: detect.h:594
Packet_
Definition: decode.h:437
DETECT_CI_FLAGS_END
#define DETECT_CI_FLAGS_END
Definition: detect-engine-content-inspection.h:42
FILE_SWF_ZLIB_COMPRESSION
@ FILE_SWF_ZLIB_COMPRESSION
Definition: util-file-decompression.h:33
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:662
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:287
FileIsSwfFile
int FileIsSwfFile(const uint8_t *buffer, uint32_t buffer_len)
Definition: util-file-decompression.c:41
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
AppLayerHtpEnableResponseBodyCallback
void AppLayerHtpEnableResponseBodyCallback(void)
Sets a flag that informs the HTP app layer that some module in the engine needs the http request body...
Definition: app-layer-htp.c:487
DetectFileHandlerTableElmt_::priority
int priority
Definition: detect-parse.h:34
HTPCfgRec_::swf_compression_type
HtpSwfCompressType swf_compression_type
Definition: app-layer-htp.h:167
MpmTableElmt_::Search
uint32_t(* Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t)
Definition: util-mpm.h:168
DETECT_FILE_DATA
@ DETECT_FILE_DATA
Definition: detect-engine-register.h:185
DetectEngineAppInspectionEngine_::v2
struct DetectEngineAppInspectionEngine_::@85 v2
DetectEngineThreadCtx_::mtc
MpmThreadCtx mtc
Definition: detect.h:1200
FileDataSize
uint64_t FileDataSize(const File *file)
get the size of the file data
Definition: util-file.c:326
detect-engine-content-inspection.h
DetectEngineCtx_::filedata_config
struct DetectEngineCtx_::@93 filedata_config[ALPROTO_MAX]
DetectEngineAppInspectionEngine_::smd
SigMatchData * smd
Definition: detect.h:441
File_::content_inspected
uint64_t content_inspected
Definition: util-file.h:99
FILE_STATE_CLOSED
@ FILE_STATE_CLOSED
Definition: util-file.h:71
File_
Definition: util-file.h:79
AppLayerTxData
struct AppLayerTxData AppLayerTxData
Definition: detect.h:1355
FILE_SWF_LZMA_COMPRESSION
@ FILE_SWF_LZMA_COMPRESSION
Definition: util-file-decompression.h:34
PREFILTER_PROFILING_ADD_BYTES
#define PREFILTER_PROFILING_ADD_BYTES(det_ctx, bytes)
Definition: util-profiling.h:287
flags
uint8_t flags
Definition: decode-gre.h:0
Signature_::proto
DetectProto proto
Definition: detect.h:612
SigTableElmt_::alias
const char * alias
Definition: detect.h:1294
suricata-common.h
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:30
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:127
File_::next
struct File_ * next
Definition: util-file.h:92
DetectFileHandlerTableElmt_::PrefilterFn
PrefilterRegisterFunc PrefilterFn
Definition: detect-parse.h:35
util-spm-bm.h
InspectionBufferSetupMulti
void InspectionBufferSetupMulti(InspectionBuffer *buffer, const DetectEngineTransforms *transforms, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine.c:1559
PrefilterAppendTxEngine
int PrefilterAppendTxEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, PrefilterTxFn PrefilterTxFunc, AppProto alproto, int tx_min_progress, void *pectx, void(*FreeFunc)(void *pectx), const char *name)
Definition: detect-engine-prefilter.c:270
DETECT_ENGINE_INSPECT_SIG_NO_MATCH
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
Definition: detect-engine-state.h:37
InspectionBuffer::inspect_len
uint32_t inspect_len
Definition: detect.h:374
DetectFiledataRegisterTests
void DetectFiledataRegisterTests(void)
Definition: detect-file-data.c:64
InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect.h:372
str
#define str(s)
Definition: suricata-common.h:291
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Flow_::alstate
void * alstate
Definition: flow.h:476
Signature_::id
uint32_t id
Definition: detect.h:628
DetectEngineCtx_::content_limit
uint32_t content_limit
Definition: detect.h:944
detect-parse.h
FILEDATA_CONTENT_INSPECT_WINDOW
#define FILEDATA_CONTENT_INSPECT_WINDOW
Definition: app-layer-smtp.c:67
Signature_
Signature container.
Definition: detect.h:593
AppLayerGetProtoName
const char * AppLayerGetProtoName(AppProto alproto)
Given the internal protocol id, returns a string representation of the protocol.
Definition: app-layer.c:1005
DetectEngineAppInspectionEngine_::transforms
const DetectEngineTransforms * transforms
Definition: detect.h:438
util-file-decompression.h
ALPROTO_HTTP
@ ALPROTO_HTTP
Definition: app-layer-protos.h:67
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
File_::inspect_window
uint32_t inspect_window
Definition: util-file.h:103
mpm_table
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
Definition: util-mpm.c:47
DetectEngineCtx_::filedata_config_initialized
bool filedata_config_initialized
Definition: detect.h:934
DetectEngineCtx_::content_inspect_min_size
uint32_t content_inspect_min_size
Definition: detect.h:945
DetectFileHandlerTableElmt_::Callback
InspectEngineFuncPtr Callback
Definition: detect-parse.h:36
DetectEngineThreadCtx_::de_ctx
DetectEngineCtx * de_ctx
Definition: detect.h:1216
InspectionBufferMultipleForListGet
InspectionBuffer * InspectionBufferMultipleForListGet(DetectEngineThreadCtx *det_ctx, const int list_id, const uint32_t local_id)
for a InspectionBufferMultipleForList get a InspectionBuffer
Definition: detect-engine.c:1499
filehandler_table
DetectFileHandlerTableElmt filehandler_table[DETECT_TBLSIZE]
Definition: detect-parse.c:77
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1473
AppLayerParserGetTxFiles
AppLayerGetFileState AppLayerParserGetTxFiles(const Flow *f, void *state, void *tx, const uint8_t direction)
Definition: app-layer-parser.c:877
DetectFileHandlerTableElmt_::name
const char * name
Definition: detect-parse.h:33
app-layer-smtp.h
DetectBufferTypeSetDescriptionByName
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
Definition: detect-engine.c:1169
PrefilterMpmFiledata
Definition: detect-file-data.h:30
MpmCtx_
Definition: util-mpm.h:88
flow.h
DetectEngineContentInspection
bool DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer, const uint32_t buffer_len, const uint32_t stream_start_offset, const uint8_t flags, const enum DetectContentInspectionType inspection_mode)
wrapper around DetectEngineContentInspectionInternal to return true/false only
Definition: detect-engine-content-inspection.c:723
detect-file-data.c
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:450
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
PrefilterMpmFiledata::list_id
int list_id
Definition: detect-file-data.h:31
flow-var.h
SMTPConfig::content_inspect_window
uint32_t content_inspect_window
Definition: app-layer-smtp.h:108
DetectEngineInspectFiledata
uint8_t DetectEngineInspectFiledata(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Definition: detect-file-data.c:389
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1285
app-layer.h
DetectProtoContainsProto
int DetectProtoContainsProto(const DetectProto *dp, int proto)
see if a DetectProto contains a certain proto
Definition: detect-engine-proto.c:135
DetectBufferMpmRegistry_::pname
char pname[32]
Definition: detect.h:679