suricata
detect-file-data.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2018 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  */
24 
25 #include "suricata-common.h"
26 #include "threads.h"
27 #include "debug.h"
28 #include "decode.h"
29 
30 #include "detect.h"
31 #include "detect-parse.h"
32 
33 #include "detect-engine.h"
34 #include "detect-engine-mpm.h"
35 #include "detect-engine-state.h"
38 #include "detect-file-data.h"
39 
40 #include "app-layer-parser.h"
41 #include "app-layer-htp.h"
42 #include "app-layer-smtp.h"
43 
44 #include "flow.h"
45 #include "flow-var.h"
46 #include "flow-util.h"
47 
48 #include "util-debug.h"
49 #include "util-spm-bm.h"
50 #include "util-unittest.h"
51 #include "util-unittest-helper.h"
53 
54 static int DetectFiledataSetup (DetectEngineCtx *, Signature *, const char *);
55 #ifdef UNITTESTS
56 static void DetectFiledataRegisterTests(void);
57 #endif
58 static void DetectFiledataSetupCallback(const DetectEngineCtx *de_ctx,
59  Signature *s);
60 static int g_file_data_buffer_id = 0;
61 
62 /* HTTP */
63 static InspectionBuffer *HttpServerBodyGetDataCallback(DetectEngineThreadCtx *det_ctx,
64  const DetectEngineTransforms *transforms,
65  Flow *f, const uint8_t flow_flags,
66  void *txv, const int list_id);
67 
68 /* file API */
69 static int DetectEngineInspectFiledata(
70  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
71  const DetectEngineAppInspectionEngine *engine,
72  const Signature *s,
73  Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id);
75  SigGroupHead *sgh, MpmCtx *mpm_ctx,
76  const DetectMpmAppLayerRegistery *mpm_reg, int list_id);
77 
78 /**
79  * \brief Registration function for keyword: file_data
80  */
82 {
83  sigmatch_table[DETECT_FILE_DATA].name = "file_data";
84  sigmatch_table[DETECT_FILE_DATA].desc = "make content keywords match on file data";
85  sigmatch_table[DETECT_FILE_DATA].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#file-data";
86  sigmatch_table[DETECT_FILE_DATA].Setup = DetectFiledataSetup;
87 #ifdef UNITTESTS
89 #endif
91 
94  ALPROTO_SMTP, 0);
97  HttpServerBodyGetDataCallback,
98  ALPROTO_HTTP, HTP_RESPONSE_BODY);
99 #ifdef HAVE_RUST
102  ALPROTO_SMB, 0);
105  ALPROTO_SMB, 0);
106 #endif
107 
109  ALPROTO_HTTP, SIG_FLAG_TOCLIENT, HTP_RESPONSE_BODY,
110  DetectEngineInspectBufferGeneric, HttpServerBodyGetDataCallback);
113  DetectEngineInspectFiledata, NULL);
115  DetectFiledataSetupCallback);
116 #ifdef HAVE_RUST
119  DetectEngineInspectFiledata, NULL);
122  DetectEngineInspectFiledata, NULL);
123 #endif
124 
126  "http response body, smb files or smtp attachments data");
127 
128  g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
129 }
130 
131 #define FILEDATA_CONTENT_LIMIT 100000
132 #define FILEDATA_CONTENT_INSPECT_MIN_SIZE 32768
133 #define FILEDATA_CONTENT_INSPECT_WINDOW 4096
134 
135 static void SetupDetectEngineConfig(DetectEngineCtx *de_ctx) {
136  if (de_ctx->filedata_config_initialized)
137  return;
138 
139  /* initialize default */
140  for (int i = 0; i < (int)ALPROTO_MAX; i++) {
144  }
145 
146  /* add protocol specific settings here */
147 
148  /* SMTP */
152 
153  de_ctx->filedata_config_initialized = true;
154 }
155 
156 /**
157  * \brief this function is used to parse filedata options
158  * \brief into the current signature
159  *
160  * \param de_ctx pointer to the Detection Engine Context
161  * \param s pointer to the Current Signature
162  * \param str pointer to the user provided "filestore" option
163  *
164  * \retval 0 on Success
165  * \retval -1 on Failure
166  */
167 static int DetectFiledataSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
168 {
169  SCEnter();
170 
171  if (!DetectProtoContainsProto(&s->proto, IPPROTO_TCP) ||
172  (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP &&
173  s->alproto != ALPROTO_SMTP && s->alproto != ALPROTO_SMB)) {
174  SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
175  return -1;
176  }
177 
179  (s->flags & SIG_FLAG_TOSERVER) && !(s->flags & SIG_FLAG_TOCLIENT)) {
180  SCLogError(SC_ERR_INVALID_SIGNATURE, "Can't use file_data with "
181  "flow:to_server or flow:from_client with http.");
182  return -1;
183  }
184 
186  !(s->flags & SIG_FLAG_TOSERVER) && (s->flags & SIG_FLAG_TOCLIENT)) {
187  SCLogError(SC_ERR_INVALID_SIGNATURE, "Can't use file_data with "
188  "flow:to_client or flow:from_server with smtp.");
189  return -1;
190  }
191 
193 
194  SetupDetectEngineConfig(de_ctx);
195  return 0;
196 }
197 
198 static void DetectFiledataSetupCallback(const DetectEngineCtx *de_ctx,
199  Signature *s)
200 {
201  if (s->alproto == ALPROTO_HTTP || s->alproto == ALPROTO_UNKNOWN) {
203  }
204 
205 
206  /* server body needs to be inspected in sync with stream if possible */
208 
209  SCLogDebug("callback invoked by %u", s->id);
210 }
211 
212 /* HTTP based detection */
213 
214 static inline HtpBody *GetResponseBody(htp_tx_t *tx)
215 {
216  HtpTxUserData *htud = (HtpTxUserData *)htp_tx_get_user_data(tx);
217  if (htud == NULL) {
218  SCLogDebug("no htud");
219  return NULL;
220  }
221 
222  return &htud->response_body;
223 }
224 
225 static InspectionBuffer *HttpServerBodyGetDataCallback(DetectEngineThreadCtx *det_ctx,
226  const DetectEngineTransforms *transforms,
227  Flow *f, const uint8_t flow_flags,
228  void *txv, const int list_id)
229 {
230  SCEnter();
231 
232  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
233  if (buffer->inspect != NULL)
234  return buffer;
235 
236  htp_tx_t *tx = txv;
237  HtpState *htp_state = f->alstate;
238  const uint8_t flags = flow_flags;
239 
240  HtpBody *body = GetResponseBody(tx);
241  if (body == NULL) {
242  return NULL;
243  }
244 
245  /* no new data */
246  if (body->body_inspected == body->content_len_so_far) {
247  SCLogDebug("no new data");
248  return NULL;
249  }
250 
251  HtpBodyChunk *cur = body->first;
252  if (cur == NULL) {
253  SCLogDebug("No http chunks to inspect for this transacation");
254  return NULL;
255  }
256 
257  SCLogDebug("response.body_limit %u response_body.content_len_so_far %"PRIu64
258  ", response.inspect_min_size %"PRIu32", EOF %s, progress > body? %s",
259  htp_state->cfg->response.body_limit,
260  body->content_len_so_far,
261  htp_state->cfg->response.inspect_min_size,
262  flags & STREAM_EOF ? "true" : "false",
263  (AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP, tx, flags) > HTP_RESPONSE_BODY) ? "true" : "false");
264 
265  if (!htp_state->cfg->http_body_inline) {
266  /* inspect the body if the transfer is complete or we have hit
267  * our body size limit */
268  if ((htp_state->cfg->response.body_limit == 0 ||
269  body->content_len_so_far < htp_state->cfg->response.body_limit) &&
270  body->content_len_so_far < htp_state->cfg->response.inspect_min_size &&
271  !(AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP, tx, flags) > HTP_RESPONSE_BODY) &&
272  !(flags & STREAM_EOF)) {
273  SCLogDebug("we still haven't seen the entire response body. "
274  "Let's defer body inspection till we see the "
275  "entire body.");
276  return NULL;
277  }
278  }
279 
280  /* get the inspect buffer
281  *
282  * make sure that we have at least the configured inspect_win size.
283  * If we have more, take at least 1/4 of the inspect win size before
284  * the new data.
285  */
286  uint64_t offset = 0;
287  if (body->body_inspected > htp_state->cfg->response.inspect_min_size) {
289  uint64_t inspect_win = body->content_len_so_far - body->body_inspected;
290  SCLogDebug("inspect_win %"PRIu64, inspect_win);
291  if (inspect_win < htp_state->cfg->response.inspect_window) {
292  uint64_t inspect_short = htp_state->cfg->response.inspect_window - inspect_win;
293  if (body->body_inspected < inspect_short)
294  offset = 0;
295  else
296  offset = body->body_inspected - inspect_short;
297  } else {
298  offset = body->body_inspected - (htp_state->cfg->response.inspect_window / 4);
299  }
300  }
301 
302  const uint8_t *data;
303  uint32_t data_len;
304 
306  &data, &data_len, offset);
307  InspectionBufferSetup(buffer, data, data_len);
308  buffer->inspect_offset = offset;
309 
310  /* built-in 'transformation' */
311  if (htp_state->cfg->swf_decompression_enabled) {
312  int swf_file_type = FileIsSwfFile(data, data_len);
313  if (swf_file_type == FILE_SWF_ZLIB_COMPRESSION ||
314  swf_file_type == FILE_SWF_LZMA_COMPRESSION)
315  {
316  (void)FileSwfDecompression(data, data_len,
317  det_ctx,
318  buffer,
319  htp_state->cfg->swf_compression_type,
320  htp_state->cfg->swf_decompress_depth,
321  htp_state->cfg->swf_compress_depth);
322  }
323  }
324 
325  /* move inspected tracker to end of the data. HtpBodyPrune will consider
326  * the window sizes when freeing data */
327  body->body_inspected = body->content_len_so_far;
328  SCLogDebug("body->body_inspected now: %"PRIu64, body->body_inspected);
329 
330  SCReturnPtr(buffer, "InspectionBuffer");
331 }
332 
333 /* file API based inspection */
334 
335 static InspectionBuffer *FiledataGetDataCallback(DetectEngineThreadCtx *det_ctx,
336  const DetectEngineTransforms *transforms,
337  Flow *f, uint8_t flow_flags, File *cur_file,
338  int list_id, int local_file_id, bool first)
339 {
340  SCEnter();
341 
343  InspectionBuffer *buffer = InspectionBufferMultipleForListGet(fb, local_file_id);
344  if (buffer == NULL)
345  return NULL;
346  if (!first && buffer->inspect != NULL)
347  return buffer;
348 
349  const uint64_t file_size = FileDataSize(cur_file);
350  const DetectEngineCtx *de_ctx = det_ctx->de_ctx;
351  const uint32_t content_limit = de_ctx->filedata_config[f->alproto].content_limit;
352  const uint32_t content_inspect_min_size = de_ctx->filedata_config[f->alproto].content_inspect_min_size;
353  // TODO this is unused, is that right?
354  //const uint32_t content_inspect_window = de_ctx->filedata_config[f->alproto].content_inspect_window;
355 
356  SCLogDebug("content_limit %u, content_inspect_min_size %u",
357  content_limit, content_inspect_min_size);
358 
359  SCLogDebug("file %p size %"PRIu64", state %d", cur_file, file_size, cur_file->state);
360 
361  /* no new data */
362  if (cur_file->content_inspected == file_size) {
363  SCLogDebug("no new data");
364  return NULL;
365  }
366 
367  if (file_size == 0) {
368  SCLogDebug("no data to inspect for this transaction");
369  return NULL;
370  }
371 
372  if ((content_limit == 0 || file_size < content_limit) &&
373  file_size < content_inspect_min_size &&
374  !(flow_flags & STREAM_EOF) && !(cur_file->state > FILE_STATE_OPENED)) {
375  SCLogDebug("we still haven't seen the entire content. "
376  "Let's defer content inspection till we see the "
377  "entire content.");
378  return NULL;
379  }
380 
381  const uint8_t *data;
382  uint32_t data_len;
383 
385  &data, &data_len,
386  cur_file->content_inspected);
387  InspectionBufferSetup(buffer, data, data_len);
388  buffer->inspect_offset = cur_file->content_inspected;
389  InspectionBufferApplyTransforms(buffer, transforms);
390 
391  /* update inspected tracker */
392  cur_file->content_inspected = file_size;
393  SCLogDebug("content_inspected %"PRIu64, cur_file->content_inspected);
394 
395  SCLogDebug("file_data buffer %p, data %p len %u offset %"PRIu64,
396  buffer, buffer->inspect, buffer->inspect_len, buffer->inspect_offset);
397 
398  SCReturnPtr(buffer, "InspectionBuffer");
399 }
400 
401 static int DetectEngineInspectFiledata(
402  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
403  const DetectEngineAppInspectionEngine *engine,
404  const Signature *s,
405  Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
406 {
407  int r = 0;
408  int match = 0;
409 
410  // TODO remove
411  if (f->alproto == ALPROTO_HTTP) {
412  abort();
413  }
414 
415  const DetectEngineTransforms *transforms = NULL;
416  if (!engine->mpm) {
417  transforms = engine->v2.transforms;
418  }
419 
421  f->alstate, flags);
422  if (ffc == NULL) {
424  }
425 
426  int local_file_id = 0;
427  File *file = ffc->head;
428  for (; file != NULL; file = file->next) {
429  if (file->txid != tx_id)
430  continue;
431 
432  InspectionBuffer *buffer = FiledataGetDataCallback(det_ctx,
433  transforms, f, flags, file, engine->sm_list, local_file_id, false);
434  if (buffer == NULL)
435  continue;
436 
437  bool eof = (file->state == FILE_STATE_CLOSED);
438  uint8_t ciflags = eof ? DETECT_CI_FLAGS_END : 0;
439  if (buffer->inspect_offset == 0)
440  ciflags |= DETECT_CI_FLAGS_START;
441 
442  det_ctx->buffer_offset = 0;
443  det_ctx->discontinue_matching = 0;
444  det_ctx->inspection_recursion_counter = 0;
445  match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd,
446  f,
447  (uint8_t *)buffer->inspect,
448  buffer->inspect_len,
449  buffer->inspect_offset, ciflags,
451  if (match == 1) {
452  r = 1;
453  break;
454  }
455  local_file_id++;
456  }
457 
458  if (r == 1)
460  else
462 }
463 
464 typedef struct PrefilterMpmFiledata {
465  int list_id;
466  const MpmCtx *mpm_ctx;
469 
470 /** \brief Filedata Filedata Mpm prefilter callback
471  *
472  * \param det_ctx detection engine thread ctx
473  * \param p packet to inspect
474  * \param f flow to inspect
475  * \param txv tx to inspect
476  * \param pectx inspection context
477  */
478 static void PrefilterTxFiledata(DetectEngineThreadCtx *det_ctx,
479  const void *pectx,
480  Packet *p, Flow *f, void *txv,
481  const uint64_t idx, const uint8_t flags)
482 {
483  SCEnter();
484 
485  const PrefilterMpmFiledata *ctx = (const PrefilterMpmFiledata *)pectx;
486  const MpmCtx *mpm_ctx = ctx->mpm_ctx;
487  const int list_id = ctx->list_id;
488 
490  f->alstate, flags);
491  int local_file_id = 0;
492  if (ffc != NULL) {
493  File *file = ffc->head;
494  for (; file != NULL; file = file->next) {
495  if (file->txid != idx)
496  continue;
497 
498  InspectionBuffer *buffer = FiledataGetDataCallback(det_ctx,
499  ctx->transforms, f, flags, file, list_id, local_file_id, true);
500  if (buffer == NULL)
501  continue;
502 
503  if (buffer->inspect_len >= mpm_ctx->minlen) {
504  (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
505  &det_ctx->mtcu, &det_ctx->pmq,
506  buffer->inspect, buffer->inspect_len);
507  }
508  }
509  }
510 }
511 
512 static void PrefilterMpmFiledataFree(void *ptr)
513 {
514  SCFree(ptr);
515 }
516 
518  SigGroupHead *sgh, MpmCtx *mpm_ctx,
519  const DetectMpmAppLayerRegistery *mpm_reg, int list_id)
520 {
521  PrefilterMpmFiledata *pectx = SCCalloc(1, sizeof(*pectx));
522  if (pectx == NULL)
523  return -1;
524  pectx->list_id = list_id;
525  pectx->mpm_ctx = mpm_ctx;
526  pectx->transforms = &mpm_reg->v2.transforms;
527 
528  return PrefilterAppendTxEngine(de_ctx, sgh, PrefilterTxFiledata,
529  mpm_reg->v2.alproto, mpm_reg->v2.tx_min_progress,
530  pectx, PrefilterMpmFiledataFree, mpm_reg->pname);
531 }
532 
533 #ifdef UNITTESTS
534 #include "tests/detect-file-data.c"
535 #endif
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1406
DetectProto proto
Definition: detect.h:512
SignatureInitData * init_data
Definition: detect.h:563
uint16_t flags
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1149
#define FILEDATA_CONTENT_INSPECT_MIN_SIZE
#define SCLogDebug(...)
Definition: util-debug.h:335
uint16_t minlen
Definition: util-mpm.h:99
uint32_t content_limit
uint32_t inspect_window
#define SIG_FLAG_INIT_NEED_FLUSH
Definition: detect.h:268
#define BUG_ON(x)
uint16_t discontinue_matching
Definition: detect.h:1029
uint32_t flags
Definition: detect.h:496
uint8_t proto
Definition: flow.h:343
HTPCfgDir response
uint32_t id
Definition: detect.h:528
int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto, void *alstate, uint8_t flags)
get the progress value for a tx/protocol
int StreamingBufferGetDataAtOffset(const StreamingBuffer *sb, const uint8_t **data, uint32_t *data_len, uint64_t offset)
const struct HTPCfgRec_ * cfg
uint32_t inspect_min_size
uint64_t FileDataSize(const File *file)
get the size of the file data
Definition: util-file.c:277
one time registration of keywords at start up
Definition: detect.h:570
int PrefilterGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectMpmAppLayerRegistery *mpm_reg, int list_id)
uint64_t offset
uint32_t content_inspect_window
Definition: detect.h:838
void DetectBufferTypeRegisterSetupCallback(const char *name, void(*SetupCallback)(const DetectEngineCtx *, Signature *))
Container for matching data for a signature group.
Definition: detect.h:1298
int http_body_inline
uint64_t content_inspected
Definition: util-file.h:88
uint32_t buffer_offset
Definition: detect.h:994
InspectionBuffer * InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
const char * name
Definition: detect.h:1163
Signature container.
Definition: detect.h:495
struct File_ * next
Definition: util-file.h:79
SMTPConfig smtp_config
uint32_t swf_decompress_depth
struct DetectEngineCtx_::@94 filedata_config[ALPROTO_MAX]
StreamingBuffer * sb
Definition: util-file.h:68
uint32_t content_inspect_min_size
Definition: detect.h:837
struct DetectEngineAppInspectionEngine_::@92 v2
main detection engine ctx
Definition: detect.h:723
#define DETECT_CI_FLAGS_END
void * alstate
Definition: flow.h:433
bool filedata_config_initialized
Definition: detect.h:840
int DetectBufferTypeGetByName(const char *name)
#define str(s)
#define SCCalloc(nm, a)
Definition: util-mem.h:197
uint32_t content_inspect_min_size
int FileIsSwfFile(const uint8_t *buffer, uint32_t buffer_len)
#define SIG_FLAG_TOCLIENT
Definition: detect.h:242
#define DETECT_ENGINE_INSPECT_SIG_MATCH
uint64_t inspect_offset
Definition: detect.h:349
uint64_t body_inspected
HtpBody response_body
Data structures and function prototypes for keeping state for the detection engine.
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
StreamingBuffer * sb
uint8_t mpm_type
Definition: util-mpm.h:90
#define SIG_FLAG_INIT_FLOW
Definition: detect.h:263
#define STREAM_EOF
Definition: stream.h:30
uint64_t txid
Definition: util-file.h:69
#define SIG_FLAG_TOSERVER
Definition: detect.h:241
#define SCEnter(...)
Definition: util-debug.h:337
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
uint32_t content_limit
Definition: detect.h:836
PrefilterRuleStore pmq
Definition: detect.h:1064
void DetectFiledataRegister(void)
Registration function for keyword: file_data.
void AppLayerHtpEnableResponseBodyCallback(void)
Sets a flag that informs the HTP app layer that some module in the engine needs the http request body...
struct DetectMpmAppLayerRegistery_::@93 v2
int PrefilterMpmFiledataRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectMpmAppLayerRegistery *mpm_reg, int list_id)
AppProto alproto
Definition: detect.h:499
int DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
const MpmCtx * mpm_ctx
const char * desc
Definition: detect.h:1165
struct PrefilterMpmFiledata PrefilterMpmFiledata
#define FILEDATA_CONTENT_LIMIT
void DetectFiledataRegisterTests(void)
DetectEngineCtx * de_ctx
Definition: detect.h:1089
uint32_t body_limit
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
Definition: util-mpm.h:169
#define SCFree(a)
Definition: util-mem.h:228
uint64_t content_len_so_far
uint16_t tx_id
DetectEngineTransforms transforms
Definition: detect.h:588
uint32_t init_flags
Definition: detect.h:459
#define FILEDATA_CONTENT_INSPECT_WINDOW
void InspectionBufferSetup(InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
MpmThreadCtx mtcu
Definition: detect.h:1062
void InspectionBufferApplyTransforms(InspectionBuffer *buffer, const DetectEngineTransforms *transforms)
#define SIGMATCH_NOOPT
Definition: detect.h:1331
int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, uint8_t *buffer, uint32_t buffer_len, uint32_t stream_start_offset, uint8_t flags, uint8_t inspection_mode, void *data)
Run the actual payload match functions.
const char * url
Definition: detect.h:1166
FileState state
Definition: util-file.h:67
#define SCReturnPtr(x, type)
Definition: util-debug.h:353
HtpSwfCompressType swf_compression_type
InspectionBufferMultipleForList * InspectionBufferGetMulti(DetectEngineThreadCtx *det_ctx, const int list_id)
int inspection_recursion_counter
Definition: detect.h:1041
uint32_t inspect_len
Definition: detect.h:348
int DetectBufferSetActiveList(Signature *s, const int list)
const uint8_t * inspect
Definition: detect.h:347
#define DOC_URL
Definition: suricata.h:86
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
HtpBodyChunk * first
uint32_t(* Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t)
Definition: util-mpm.h:162
int FileSwfDecompression(const uint8_t *buffer, uint32_t buffer_len, DetectEngineThreadCtx *det_ctx, InspectionBuffer *out_buffer, int swf_type, uint32_t decompress_depth, uint32_t compress_depth)
This function decompresses a buffer with zlib/lzma algorithm.
int PrefilterAppendTxEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, void(*PrefilterTxFunc)(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, Flow *f, void *tx, const uint64_t idx, const uint8_t flags), AppProto alproto, int tx_min_progress, void *pectx, void(*FreeFunc)(void *pectx), const char *name)
const DetectEngineTransforms * transforms
AppProto alproto
application level protocol
Definition: flow.h:404
int swf_decompression_enabled
FileContainer * AppLayerParserGetFiles(uint8_t ipproto, AppProto alproto, void *alstate, uint8_t direction)
uint32_t content_inspect_window
#define DOC_VERSION
Definition: suricata.h:91
#define DETECT_CI_FLAGS_START
uint32_t swf_compress_depth
InspectionBuffer * InspectionBufferMultipleForListGet(InspectionBufferMultipleForList *fb, uint32_t local_id)
for a InspectionBufferMultipleForList get a InspectionBuffer
uint16_t flags
Definition: detect.h:1157
Flow data structure.
Definition: flow.h:324
int DetectProtoContainsProto(const DetectProto *dp, int proto)
see if a DetectProto contains a certain proto
void(* RegisterTests)(void)
Definition: detect.h:1155
const DetectEngineTransforms * transforms
Definition: detect.h:419
void DetectAppLayerMpmRegister2(const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectMpmAppLayerRegistery *mpm_reg, int list_id), InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register a MPM engine