suricata
detect-file-data.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2018 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  */
24 
25 #include "suricata-common.h"
26 #include "threads.h"
27 #include "debug.h"
28 #include "decode.h"
29 
30 #include "detect.h"
31 #include "detect-parse.h"
32 
33 #include "detect-engine.h"
34 #include "detect-engine-mpm.h"
35 #include "detect-engine-state.h"
38 #include "detect-file-data.h"
39 
40 #include "app-layer-parser.h"
41 #include "app-layer-htp.h"
42 #include "app-layer-smtp.h"
43 
44 #include "flow.h"
45 #include "flow-var.h"
46 #include "flow-util.h"
47 
48 #include "util-debug.h"
49 #include "util-spm-bm.h"
50 #include "util-unittest.h"
51 #include "util-unittest-helper.h"
53 
54 static int DetectFiledataSetup (DetectEngineCtx *, Signature *, const char *);
55 #ifdef UNITTESTS
56 static void DetectFiledataRegisterTests(void);
57 #endif
58 static void DetectFiledataSetupCallback(const DetectEngineCtx *de_ctx,
59  Signature *s);
60 static int g_file_data_buffer_id = 0;
61 
62 /* HTTP */
63 static InspectionBuffer *HttpServerBodyGetDataCallback(DetectEngineThreadCtx *det_ctx,
64  const DetectEngineTransforms *transforms,
65  Flow *f, const uint8_t flow_flags,
66  void *txv, const int list_id);
67 
68 /* file API */
69 static int DetectEngineInspectFiledata(
70  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
71  const DetectEngineAppInspectionEngine *engine,
72  const Signature *s,
73  Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id);
75  SigGroupHead *sgh, MpmCtx *mpm_ctx,
76  const DetectBufferMpmRegistery *mpm_reg, int list_id);
77 
78 /**
79  * \brief Registration function for keyword: file_data
80  */
82 {
83  sigmatch_table[DETECT_FILE_DATA].name = "file.data";
84  sigmatch_table[DETECT_FILE_DATA].alias = "file_data";
85  sigmatch_table[DETECT_FILE_DATA].desc = "make content keywords match on file data";
86  sigmatch_table[DETECT_FILE_DATA].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#file-data";
87  sigmatch_table[DETECT_FILE_DATA].Setup = DetectFiledataSetup;
88 #ifdef UNITTESTS
90 #endif
92 
95  ALPROTO_SMTP, 0);
98  HttpServerBodyGetDataCallback,
99  ALPROTO_HTTP, HTP_RESPONSE_BODY);
100 #ifdef HAVE_RUST
103  ALPROTO_SMB, 0);
106  ALPROTO_SMB, 0);
107 #endif
108 
110  ALPROTO_HTTP, SIG_FLAG_TOCLIENT, HTP_RESPONSE_BODY,
111  DetectEngineInspectBufferGeneric, HttpServerBodyGetDataCallback);
114  DetectEngineInspectFiledata, NULL);
116  DetectFiledataSetupCallback);
117 #ifdef HAVE_RUST
120  DetectEngineInspectFiledata, NULL);
123  DetectEngineInspectFiledata, NULL);
124 #endif
125 
127  "http response body, smb files or smtp attachments data");
128 
129  g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
130 }
131 
132 #define FILEDATA_CONTENT_LIMIT 100000
133 #define FILEDATA_CONTENT_INSPECT_MIN_SIZE 32768
134 #define FILEDATA_CONTENT_INSPECT_WINDOW 4096
135 
136 static void SetupDetectEngineConfig(DetectEngineCtx *de_ctx) {
137  if (de_ctx->filedata_config_initialized)
138  return;
139 
140  /* initialize default */
141  for (int i = 0; i < (int)ALPROTO_MAX; i++) {
145  }
146 
147  /* add protocol specific settings here */
148 
149  /* SMTP */
153 
154  de_ctx->filedata_config_initialized = true;
155 }
156 
157 /**
158  * \brief this function is used to parse filedata options
159  * \brief into the current signature
160  *
161  * \param de_ctx pointer to the Detection Engine Context
162  * \param s pointer to the Current Signature
163  * \param str pointer to the user provided "filestore" option
164  *
165  * \retval 0 on Success
166  * \retval -1 on Failure
167  */
168 static int DetectFiledataSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
169 {
170  SCEnter();
171 
172  if (!DetectProtoContainsProto(&s->proto, IPPROTO_TCP) ||
173  (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP &&
174  s->alproto != ALPROTO_SMTP && s->alproto != ALPROTO_SMB)) {
175  SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
176  return -1;
177  }
178 
180  (s->flags & SIG_FLAG_TOSERVER) && !(s->flags & SIG_FLAG_TOCLIENT)) {
181  SCLogError(SC_ERR_INVALID_SIGNATURE, "Can't use file_data with "
182  "flow:to_server or flow:from_client with http.");
183  return -1;
184  }
185 
187  !(s->flags & SIG_FLAG_TOSERVER) && (s->flags & SIG_FLAG_TOCLIENT)) {
188  SCLogError(SC_ERR_INVALID_SIGNATURE, "Can't use file_data with "
189  "flow:to_client or flow:from_server with smtp.");
190  return -1;
191  }
192 
194 
195  SetupDetectEngineConfig(de_ctx);
196  return 0;
197 }
198 
199 static void DetectFiledataSetupCallback(const DetectEngineCtx *de_ctx,
200  Signature *s)
201 {
202  if (s->alproto == ALPROTO_HTTP || s->alproto == ALPROTO_UNKNOWN) {
204  }
205 
206 
207  /* server body needs to be inspected in sync with stream if possible */
209 
210  SCLogDebug("callback invoked by %u", s->id);
211 }
212 
213 /* HTTP based detection */
214 
215 static inline HtpBody *GetResponseBody(htp_tx_t *tx)
216 {
217  HtpTxUserData *htud = (HtpTxUserData *)htp_tx_get_user_data(tx);
218  if (htud == NULL) {
219  SCLogDebug("no htud");
220  return NULL;
221  }
222 
223  return &htud->response_body;
224 }
225 
226 static InspectionBuffer *HttpServerBodyGetDataCallback(DetectEngineThreadCtx *det_ctx,
227  const DetectEngineTransforms *transforms,
228  Flow *f, const uint8_t flow_flags,
229  void *txv, const int list_id)
230 {
231  SCEnter();
232 
233  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
234  if (buffer->inspect != NULL)
235  return buffer;
236 
237  htp_tx_t *tx = txv;
238  HtpState *htp_state = f->alstate;
239  const uint8_t flags = flow_flags;
240 
241  HtpBody *body = GetResponseBody(tx);
242  if (body == NULL) {
243  return NULL;
244  }
245 
246  /* no new data */
247  if (body->body_inspected == body->content_len_so_far) {
248  SCLogDebug("no new data");
249  return NULL;
250  }
251 
252  HtpBodyChunk *cur = body->first;
253  if (cur == NULL) {
254  SCLogDebug("No http chunks to inspect for this transacation");
255  return NULL;
256  }
257 
258  SCLogDebug("response.body_limit %u response_body.content_len_so_far %"PRIu64
259  ", response.inspect_min_size %"PRIu32", EOF %s, progress > body? %s",
260  htp_state->cfg->response.body_limit,
261  body->content_len_so_far,
262  htp_state->cfg->response.inspect_min_size,
263  flags & STREAM_EOF ? "true" : "false",
264  (AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP, tx, flags) > HTP_RESPONSE_BODY) ? "true" : "false");
265 
266  if (!htp_state->cfg->http_body_inline) {
267  /* inspect the body if the transfer is complete or we have hit
268  * our body size limit */
269  if ((htp_state->cfg->response.body_limit == 0 ||
270  body->content_len_so_far < htp_state->cfg->response.body_limit) &&
271  body->content_len_so_far < htp_state->cfg->response.inspect_min_size &&
272  !(AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP, tx, flags) > HTP_RESPONSE_BODY) &&
273  !(flags & STREAM_EOF)) {
274  SCLogDebug("we still haven't seen the entire response body. "
275  "Let's defer body inspection till we see the "
276  "entire body.");
277  return NULL;
278  }
279  }
280 
281  /* get the inspect buffer
282  *
283  * make sure that we have at least the configured inspect_win size.
284  * If we have more, take at least 1/4 of the inspect win size before
285  * the new data.
286  */
287  uint64_t offset = 0;
288  if (body->body_inspected > htp_state->cfg->response.inspect_min_size) {
290  uint64_t inspect_win = body->content_len_so_far - body->body_inspected;
291  SCLogDebug("inspect_win %"PRIu64, inspect_win);
292  if (inspect_win < htp_state->cfg->response.inspect_window) {
293  uint64_t inspect_short = htp_state->cfg->response.inspect_window - inspect_win;
294  if (body->body_inspected < inspect_short)
295  offset = 0;
296  else
297  offset = body->body_inspected - inspect_short;
298  } else {
299  offset = body->body_inspected - (htp_state->cfg->response.inspect_window / 4);
300  }
301  }
302 
303  const uint8_t *data;
304  uint32_t data_len;
305 
307  &data, &data_len, offset);
308  InspectionBufferSetup(buffer, data, data_len);
309  buffer->inspect_offset = offset;
310 
311  /* built-in 'transformation' */
312  if (htp_state->cfg->swf_decompression_enabled) {
313  int swf_file_type = FileIsSwfFile(data, data_len);
314  if (swf_file_type == FILE_SWF_ZLIB_COMPRESSION ||
315  swf_file_type == FILE_SWF_LZMA_COMPRESSION)
316  {
317  (void)FileSwfDecompression(data, data_len,
318  det_ctx,
319  buffer,
320  htp_state->cfg->swf_compression_type,
321  htp_state->cfg->swf_decompress_depth,
322  htp_state->cfg->swf_compress_depth);
323  }
324  }
325 
326  /* move inspected tracker to end of the data. HtpBodyPrune will consider
327  * the window sizes when freeing data */
328  body->body_inspected = body->content_len_so_far;
329  SCLogDebug("body->body_inspected now: %"PRIu64, body->body_inspected);
330 
331  SCReturnPtr(buffer, "InspectionBuffer");
332 }
333 
334 /* file API based inspection */
335 
336 static InspectionBuffer *FiledataGetDataCallback(DetectEngineThreadCtx *det_ctx,
337  const DetectEngineTransforms *transforms,
338  Flow *f, uint8_t flow_flags, File *cur_file,
339  int list_id, int local_file_id, bool first)
340 {
341  SCEnter();
342 
344  InspectionBuffer *buffer = InspectionBufferMultipleForListGet(fb, local_file_id);
345  if (buffer == NULL)
346  return NULL;
347  if (!first && buffer->inspect != NULL)
348  return buffer;
349 
350  const uint64_t file_size = FileDataSize(cur_file);
351  const DetectEngineCtx *de_ctx = det_ctx->de_ctx;
352  const uint32_t content_limit = de_ctx->filedata_config[f->alproto].content_limit;
353  const uint32_t content_inspect_min_size = de_ctx->filedata_config[f->alproto].content_inspect_min_size;
354  // TODO this is unused, is that right?
355  //const uint32_t content_inspect_window = de_ctx->filedata_config[f->alproto].content_inspect_window;
356 
357  SCLogDebug("content_limit %u, content_inspect_min_size %u",
358  content_limit, content_inspect_min_size);
359 
360  SCLogDebug("file %p size %"PRIu64", state %d", cur_file, file_size, cur_file->state);
361 
362  /* no new data */
363  if (cur_file->content_inspected == file_size) {
364  SCLogDebug("no new data");
365  return NULL;
366  }
367 
368  if (file_size == 0) {
369  SCLogDebug("no data to inspect for this transaction");
370  return NULL;
371  }
372 
373  if ((content_limit == 0 || file_size < content_limit) &&
374  file_size < content_inspect_min_size &&
375  !(flow_flags & STREAM_EOF) && !(cur_file->state > FILE_STATE_OPENED)) {
376  SCLogDebug("we still haven't seen the entire content. "
377  "Let's defer content inspection till we see the "
378  "entire content.");
379  return NULL;
380  }
381 
382  const uint8_t *data;
383  uint32_t data_len;
384 
386  &data, &data_len,
387  cur_file->content_inspected);
388  InspectionBufferSetup(buffer, data, data_len);
389  buffer->inspect_offset = cur_file->content_inspected;
390  InspectionBufferApplyTransforms(buffer, transforms);
391 
392  /* update inspected tracker */
393  cur_file->content_inspected = file_size;
394  SCLogDebug("content_inspected %"PRIu64, cur_file->content_inspected);
395 
396  SCLogDebug("file_data buffer %p, data %p len %u offset %"PRIu64,
397  buffer, buffer->inspect, buffer->inspect_len, buffer->inspect_offset);
398 
399  SCReturnPtr(buffer, "InspectionBuffer");
400 }
401 
402 static int DetectEngineInspectFiledata(
403  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
404  const DetectEngineAppInspectionEngine *engine,
405  const Signature *s,
406  Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
407 {
408  int r = 0;
409  int match = 0;
410 
411  // TODO remove
412  if (f->alproto == ALPROTO_HTTP) {
413  abort();
414  }
415 
416  const DetectEngineTransforms *transforms = NULL;
417  if (!engine->mpm) {
418  transforms = engine->v2.transforms;
419  }
420 
422  f->alstate, flags);
423  if (ffc == NULL) {
425  }
426 
427  int local_file_id = 0;
428  File *file = ffc->head;
429  for (; file != NULL; file = file->next) {
430  if (file->txid != tx_id)
431  continue;
432 
433  InspectionBuffer *buffer = FiledataGetDataCallback(det_ctx,
434  transforms, f, flags, file, engine->sm_list, local_file_id, false);
435  if (buffer == NULL)
436  continue;
437 
438  bool eof = (file->state == FILE_STATE_CLOSED);
439  uint8_t ciflags = eof ? DETECT_CI_FLAGS_END : 0;
440  if (buffer->inspect_offset == 0)
441  ciflags |= DETECT_CI_FLAGS_START;
442 
443  det_ctx->buffer_offset = 0;
444  det_ctx->discontinue_matching = 0;
445  det_ctx->inspection_recursion_counter = 0;
446  match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd,
447  NULL, f,
448  (uint8_t *)buffer->inspect,
449  buffer->inspect_len,
450  buffer->inspect_offset, ciflags,
452  if (match == 1) {
453  r = 1;
454  break;
455  }
456  local_file_id++;
457  }
458 
459  if (r == 1)
461  else
463 }
464 
465 typedef struct PrefilterMpmFiledata {
466  int list_id;
467  const MpmCtx *mpm_ctx;
470 
471 /** \brief Filedata Filedata Mpm prefilter callback
472  *
473  * \param det_ctx detection engine thread ctx
474  * \param p packet to inspect
475  * \param f flow to inspect
476  * \param txv tx to inspect
477  * \param pectx inspection context
478  */
479 static void PrefilterTxFiledata(DetectEngineThreadCtx *det_ctx,
480  const void *pectx,
481  Packet *p, Flow *f, void *txv,
482  const uint64_t idx, const uint8_t flags)
483 {
484  SCEnter();
485 
486  const PrefilterMpmFiledata *ctx = (const PrefilterMpmFiledata *)pectx;
487  const MpmCtx *mpm_ctx = ctx->mpm_ctx;
488  const int list_id = ctx->list_id;
489 
491  f->alstate, flags);
492  int local_file_id = 0;
493  if (ffc != NULL) {
494  File *file = ffc->head;
495  for (; file != NULL; file = file->next) {
496  if (file->txid != idx)
497  continue;
498 
499  InspectionBuffer *buffer = FiledataGetDataCallback(det_ctx,
500  ctx->transforms, f, flags, file, list_id, local_file_id, true);
501  if (buffer == NULL)
502  continue;
503 
504  if (buffer->inspect_len >= mpm_ctx->minlen) {
505  (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
506  &det_ctx->mtcu, &det_ctx->pmq,
507  buffer->inspect, buffer->inspect_len);
508  }
509  }
510  }
511 }
512 
513 static void PrefilterMpmFiledataFree(void *ptr)
514 {
515  SCFree(ptr);
516 }
517 
519  SigGroupHead *sgh, MpmCtx *mpm_ctx,
520  const DetectBufferMpmRegistery *mpm_reg, int list_id)
521 {
522  PrefilterMpmFiledata *pectx = SCCalloc(1, sizeof(*pectx));
523  if (pectx == NULL)
524  return -1;
525  pectx->list_id = list_id;
526  pectx->mpm_ctx = mpm_ctx;
527  pectx->transforms = &mpm_reg->transforms;
528 
529  return PrefilterAppendTxEngine(de_ctx, sgh, PrefilterTxFiledata,
530  mpm_reg->app_v2.alproto, mpm_reg->app_v2.tx_min_progress,
531  pectx, PrefilterMpmFiledataFree, mpm_reg->pname);
532 }
533 
534 #ifdef UNITTESTS
535 #include "tests/detect-file-data.c"
536 #endif
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1439
DetectProto proto
Definition: detect.h:534
SignatureInitData * init_data
Definition: detect.h:586
uint16_t flags
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1179
#define FILEDATA_CONTENT_INSPECT_MIN_SIZE
#define SCLogDebug(...)
Definition: util-debug.h:335
uint16_t minlen
Definition: util-mpm.h:99
uint32_t content_limit
uint32_t inspect_window
#define SIG_FLAG_INIT_NEED_FLUSH
Definition: detect.h:259
#define BUG_ON(x)
uint16_t discontinue_matching
Definition: detect.h:1060
uint32_t flags
Definition: detect.h:518
uint8_t proto
Definition: flow.h:344
HTPCfgDir response
uint32_t id
Definition: detect.h:550
int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto, void *alstate, uint8_t flags)
get the progress value for a tx/protocol
int StreamingBufferGetDataAtOffset(const StreamingBuffer *sb, const uint8_t **data, uint32_t *data_len, uint64_t offset)
DetectEngineTransforms transforms
Definition: detect.h:613
int PrefilterMpmFiledataRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id)
const struct HTPCfgRec_ * cfg
uint32_t inspect_min_size
int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, uint8_t *buffer, uint32_t buffer_len, uint32_t stream_start_offset, uint8_t flags, uint8_t inspection_mode)
Run the actual payload match functions.
uint64_t FileDataSize(const File *file)
get the size of the file data
Definition: util-file.c:277
uint64_t offset
uint32_t content_inspect_window
Definition: detect.h:871
void DetectBufferTypeRegisterSetupCallback(const char *name, void(*SetupCallback)(const DetectEngineCtx *, Signature *))
Container for matching data for a signature group.
Definition: detect.h:1329
int http_body_inline
uint64_t content_inspected
Definition: util-file.h:88
uint32_t buffer_offset
Definition: detect.h:1025
InspectionBuffer * InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
const char * name
Definition: detect.h:1193
Signature container.
Definition: detect.h:517
struct File_ * next
Definition: util-file.h:79
void DetectAppLayerMpmRegister2(const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id), InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register a MPM engine
SMTPConfig smtp_config
uint32_t swf_decompress_depth
StreamingBuffer * sb
Definition: util-file.h:68
uint32_t content_inspect_min_size
Definition: detect.h:870
struct DetectEngineAppInspectionEngine_::@92 v2
main detection engine ctx
Definition: detect.h:756
#define DETECT_CI_FLAGS_END
void * alstate
Definition: flow.h:438
bool filedata_config_initialized
Definition: detect.h:873
int DetectBufferTypeGetByName(const char *name)
#define str(s)
#define SCCalloc(nm, a)
Definition: util-mem.h:253
uint32_t content_inspect_min_size
int FileIsSwfFile(const uint8_t *buffer, uint32_t buffer_len)
#define SIG_FLAG_TOCLIENT
Definition: detect.h:233
#define DETECT_ENGINE_INSPECT_SIG_MATCH
uint64_t inspect_offset
Definition: detect.h:339
uint64_t body_inspected
HtpBody response_body
Data structures and function prototypes for keeping state for the detection engine.
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
StreamingBuffer * sb
uint8_t mpm_type
Definition: util-mpm.h:90
#define SIG_FLAG_INIT_FLOW
Definition: detect.h:254
#define STREAM_EOF
Definition: stream.h:30
one time registration of keywords at start up
Definition: detect.h:600
uint64_t txid
Definition: util-file.h:69
struct DetectEngineCtx_::@98 filedata_config[ALPROTO_MAX]
#define SIG_FLAG_TOSERVER
Definition: detect.h:232
#define SCEnter(...)
Definition: util-debug.h:337
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
uint32_t content_limit
Definition: detect.h:869
PrefilterRuleStore pmq
Definition: detect.h:1095
void DetectFiledataRegister(void)
Registration function for keyword: file_data.
void AppLayerHtpEnableResponseBodyCallback(void)
Sets a flag that informs the HTP app layer that some module in the engine needs the http request body...
AppProto alproto
Definition: detect.h:521
int DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
const MpmCtx * mpm_ctx
const char * desc
Definition: detect.h:1195
int PrefilterGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id)
struct PrefilterMpmFiledata PrefilterMpmFiledata
#define FILEDATA_CONTENT_LIMIT
void DetectFiledataRegisterTests(void)
const char * alias
Definition: detect.h:1194
DetectEngineCtx * de_ctx
Definition: detect.h:1120
uint32_t body_limit
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
Definition: util-mpm.h:169
#define SCFree(a)
Definition: util-mem.h:322
uint64_t content_len_so_far
uint16_t tx_id
struct DetectBufferMpmRegistery_::@94::@96 app_v2
uint32_t init_flags
Definition: detect.h:481
#define FILEDATA_CONTENT_INSPECT_WINDOW
void InspectionBufferSetup(InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
MpmThreadCtx mtcu
Definition: detect.h:1093
void InspectionBufferApplyTransforms(InspectionBuffer *buffer, const DetectEngineTransforms *transforms)
#define SIGMATCH_NOOPT
Definition: detect.h:1362
const char * url
Definition: detect.h:1196
FileState state
Definition: util-file.h:67
#define SCReturnPtr(x, type)
Definition: util-debug.h:353
HtpSwfCompressType swf_compression_type
InspectionBufferMultipleForList * InspectionBufferGetMulti(DetectEngineThreadCtx *det_ctx, const int list_id)
int inspection_recursion_counter
Definition: detect.h:1072
uint32_t inspect_len
Definition: detect.h:340
int DetectBufferSetActiveList(Signature *s, const int list)
const uint8_t * inspect
Definition: detect.h:338
#define DOC_URL
Definition: suricata.h:86
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
HtpBodyChunk * first
uint32_t(* Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t)
Definition: util-mpm.h:162
int FileSwfDecompression(const uint8_t *buffer, uint32_t buffer_len, DetectEngineThreadCtx *det_ctx, InspectionBuffer *out_buffer, int swf_type, uint32_t decompress_depth, uint32_t compress_depth)
This function decompresses a buffer with zlib/lzma algorithm.
int PrefilterAppendTxEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, void(*PrefilterTxFunc)(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, Flow *f, void *tx, const uint64_t idx, const uint8_t flags), AppProto alproto, int tx_min_progress, void *pectx, void(*FreeFunc)(void *pectx), const char *name)
const DetectEngineTransforms * transforms
AppProto alproto
application level protocol
Definition: flow.h:409
int swf_decompression_enabled
FileContainer * AppLayerParserGetFiles(uint8_t ipproto, AppProto alproto, void *alstate, uint8_t direction)
uint32_t content_inspect_window
#define DOC_VERSION
Definition: suricata.h:91
#define DETECT_CI_FLAGS_START
uint32_t swf_compress_depth
InspectionBuffer * InspectionBufferMultipleForListGet(InspectionBufferMultipleForList *fb, uint32_t local_id)
for a InspectionBufferMultipleForList get a InspectionBuffer
uint16_t flags
Definition: detect.h:1187
Flow data structure.
Definition: flow.h:325
int DetectProtoContainsProto(const DetectProto *dp, int proto)
see if a DetectProto contains a certain proto
void(* RegisterTests)(void)
Definition: detect.h:1185
const DetectEngineTransforms * transforms
Definition: detect.h:411