60 static int g_file_data_buffer_id = 0;
62 static inline HtpBody *GetResponseBody(htp_tx_t *tx);
71 void *alstate,
void *txv, uint64_t tx_id);
128 HTP_RESPONSE_BODY, DetectEngineInspectBufferHttpBody, NULL);
130 HTP_REQUEST_BODY, DetectEngineInspectFiledata, NULL);
133 DetectEngineInspectFiledata, NULL);
135 DetectFiledataSetupCallback);
138 DetectEngineInspectFiledata, NULL);
141 DetectEngineInspectFiledata, NULL);
144 DetectEngineInspectFiledata, NULL);
147 DetectEngineInspectFiledata, NULL);
208 SCLogError(
"rule contains conflicting keywords.");
215 "flow:to_client or flow:from_server with smtp.");
223 SetupDetectEngineConfig(
de_ctx);
250 static void PrefilterMpmFiledataFree(
void *ptr)
257 static inline HtpBody *GetResponseBody(htp_tx_t *tx)
284 const int list_id,
const int base_id)
289 if (base_id != list_id && buffer->
inspect != NULL)
290 return HttpServerBodyXformsGetDataCallback(det_ctx, transforms, list_id, buffer);
291 else if (buffer->
inspect != NULL)
296 const uint8_t
flags = flow_flags;
298 HtpBody *body = GetResponseBody(tx);
311 SCLogDebug(
"No http chunks to inspect for this transaction");
315 SCLogDebug(
"response.body_limit %u response_body.content_len_so_far %" PRIu64
316 ", response.inspect_min_size %" PRIu32
", EOF %s, progress > body? %s",
331 HTP_RESPONSE_BODY) &&
332 !(
flags & STREAM_EOF)) {
333 SCLogDebug(
"we still haven't seen the entire response body. "
334 "Let's defer body inspection till we see the "
350 SCLogDebug(
"inspect_win %"PRIu64, inspect_win);
351 if (inspect_win < htp_state->cfg->response.inspect_window) {
366 &data, &data_len,
offset);
387 if (base_id != list_id) {
388 buffer = HttpServerBodyXformsGetDataCallback(det_ctx, transforms, list_id, buffer);
401 if (buffer == NULL || buffer->
inspect == NULL) {
406 const uint8_t *data = buffer->
inspect;
411 ci_flags |= buffer->
flags;
425 if (
flags & STREAM_TOSERVER) {
454 const int list_id = ctx->
list_id;
481 mpm_reg->
app_v2.tx_min_progress, pectx, PrefilterMpmFiledataFree, mpm_reg->
pname);
491 if (buffer == NULL) {
492 SCLogDebug(
"list_id: %d: no buffer", list_id);
496 SCLogDebug(
"list_id: %d: returning %p", list_id, buffer);
508 const int list_id,
const int base_id,
int local_file_id)
511 SCLogDebug(
"starting: list_id %d base_id %d", list_id, base_id);
517 if (base_id != list_id && buffer->
inspect != NULL) {
518 SCLogDebug(
"handle xform %s", (list_id != base_id) ?
"true" :
"false");
519 return FiledataWithXformsGetDataCallback(
520 det_ctx, transforms, list_id, local_file_id, buffer);
523 SCLogDebug(
"base_id: %d, not first: use %p", base_id, buffer);
534 SCLogDebug(
"[list %d] content_limit %u, content_inspect_min_size %u", list_id, content_limit,
535 content_inspect_min_size);
537 SCLogDebug(
"[list %d] file %p size %" PRIu64
", state %d", list_id, cur_file, file_size,
546 if (file_size == 0) {
547 SCLogDebug(
"no data to inspect for this transaction");
551 if ((content_limit == 0 || file_size < content_limit) &&
552 file_size < content_inspect_min_size &&
554 SCLogDebug(
"we still haven't seen the entire content. "
555 "Let's defer content inspection till we see the "
567 SCLogDebug(
"[list %d] [before] buffer offset %" PRIu64
"; buffer len %" PRIu32
568 "; data_len %" PRIu32
"; file_size %" PRIu64,
577 if (list_id != base_id) {
578 SCLogDebug(
"regular %d has been set up: now handle xforms id %d", base_id, list_id);
580 det_ctx, transforms, list_id, local_file_id, buffer);
590 void *alstate,
void *txv, uint64_t tx_id)
606 int local_file_id = 0;
608 for (; file != NULL; file = file->
next) {
656 if (!AppLayerParserHasFilesInDir(txd,
flags))
661 const int list_id = ctx->
list_id;
666 int local_file_id = 0;
667 for (
File *file = ffc->
head; file != NULL; file = file->
next) {
697 mpm_reg->
app_v2.alproto, mpm_reg->
app_v2.tx_min_progress,
698 pectx, PrefilterMpmFiledataFree, mpm_reg->
pname);
const struct HTPCfgRec_ * cfg
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
#define DETECT_CI_FLAGS_START
Container for matching data for a signature group.
#define SIG_FLAG_INIT_FLOW
#define SIG_FLAG_INIT_NEED_FLUSH
#define SIG_FLAG_INIT_FILEDATA
DetectEngineTransforms transforms
int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto, void *alstate, uint8_t flags)
get the progress value for a tx/protocol
@ FILE_SWF_LZMA_COMPRESSION
int FileSwfDecompression(const uint8_t *buffer, uint32_t buffer_len, DetectEngineThreadCtx *det_ctx, InspectionBuffer *out_buffer, int swf_type, uint32_t decompress_depth, uint32_t compress_depth)
This function decompresses a buffer with the zlib/lzma algorithm.
void DetectBufferTypeRegisterSetupCallback(const char *name, void(*SetupCallback)(const DetectEngineCtx *, Signature *))
struct DetectBufferMpmRegistery_::@87::@89 app_v2
main detection engine ctx
one-time registration of keywords at start-up
#define FILEDATA_CONTENT_LIMIT
struct DetectEngineCtx_::@92 filedata_config[ALPROTO_MAX]
uint32_t swf_compress_depth
int StreamingBufferGetDataAtOffset(const StreamingBuffer *sb, const uint8_t **data, uint32_t *data_len, uint64_t offset)
#define SIG_FLAG_TOCLIENT
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
struct PrefilterMpmFiledata PrefilterMpmFiledata
uint32_t content_inspect_window
struct DetectEngineAppInspectionEngine_::@84 v2
InspectionBuffer * InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
uint32_t content_inspect_min_size
int DetectBufferTypeGetByName(const char *name)
uint64_t content_len_so_far
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES
const DetectEngineTransforms * transforms
#define SIG_FLAG_TOSERVER
uint32_t inspect_min_size
int PrefilterMpmFiledataRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id)
uint32_t swf_decompress_depth
#define DETECT_ENGINE_INSPECT_SIG_MATCH
void DetectFiledataRegister(void)
Registration function for keyword: file_data.
int swf_decompression_enabled
#define FILEDATA_CONTENT_INSPECT_MIN_SIZE
#define DETECT_CI_FLAGS_END
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register an inspect engine at start-up time
SignatureInitData * init_data
#define SCReturnPtr(x, type)
int FileIsSwfFile(const uint8_t *buffer, uint32_t buffer_len)
Data structures and function prototypes for keeping state for the detection engine.
void AppLayerHtpEnableResponseBodyCallback(void)
Sets a flag that informs the HTP app layer that some module in the engine needs the http request body...
HtpSwfCompressType swf_compression_type
uint32_t(* Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t)
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
uint64_t FileDataSize(const File *file)
get the size of the file data
uint16_t discontinue_matching
uint8_t DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer, uint32_t buffer_len, uint32_t stream_start_offset, uint8_t flags, uint8_t inspection_mode)
Run the actual payload match functions.
uint64_t content_inspected
void DetectAppLayerMpmRegister2(const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id), InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register an MPM engine
struct AppLayerTxData AppLayerTxData
#define PREFILTER_PROFILING_ADD_BYTES(det_ctx, bytes)
@ FILE_SWF_ZLIB_COMPRESSION
void InspectionBufferApplyTransforms(InspectionBuffer *buffer, const DetectEngineTransforms *transforms)
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
int inspection_recursion_counter
void InspectionBufferSetupMulti(InspectionBuffer *buffer, const DetectEngineTransforms *transforms, const uint8_t *data, const uint32_t data_len)
set up the buffer with our initial data
int PrefilterAppendTxEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, PrefilterTxFn PrefilterTxFunc, AppProto alproto, int tx_min_progress, void *pectx, void(*FreeFunc)(void *pectx), const char *name)
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
void DetectFiledataRegisterTests(void)
#define SCLogError(...)
Macro used to log ERROR messages.
void InspectionBufferSetup(DetectEngineThreadCtx *det_ctx, const int list_id, InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
set up the buffer with our initial data
#define FILEDATA_CONTENT_INSPECT_WINDOW
const DetectEngineTransforms * transforms
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
bool filedata_config_initialized
uint32_t content_inspect_min_size
InspectionBuffer * InspectionBufferMultipleForListGet(DetectEngineThreadCtx *det_ctx, const int list_id, const uint32_t local_id)
for an InspectionBufferMultipleForList, get an InspectionBuffer
AppLayerGetFileState AppLayerParserGetTxFiles(const Flow *f, void *state, void *tx, const uint8_t direction)
int DetectBufferSetActiveList(Signature *s, const int list)
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
AppProto alproto
application level protocol
uint32_t content_inspect_window
void(* RegisterTests)(void)
int DetectProtoContainsProto(const DetectProto *dp, int proto)
see if a DetectProto contains a certain proto