suricata
detect-file-data.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2018 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  */
24 
25 #include "suricata-common.h"
26 #include "threads.h"
27 #include "debug.h"
28 #include "decode.h"
29 
30 #include "detect.h"
31 #include "detect-parse.h"
32 
33 #include "detect-engine.h"
34 #include "detect-engine-mpm.h"
35 #include "detect-engine-state.h"
38 #include "detect-file-data.h"
39 
40 #include "app-layer-parser.h"
41 #include "app-layer-htp.h"
42 #include "app-layer-smtp.h"
43 
44 #include "flow.h"
45 #include "flow-var.h"
46 #include "flow-util.h"
47 
48 #include "util-debug.h"
49 #include "util-spm-bm.h"
50 #include "util-unittest.h"
51 #include "util-unittest-helper.h"
53 
54 static int DetectFiledataSetup (DetectEngineCtx *, Signature *, const char *);
55 #ifdef UNITTESTS
56 static void DetectFiledataRegisterTests(void);
57 #endif
58 static void DetectFiledataSetupCallback(const DetectEngineCtx *de_ctx,
59  Signature *s);
60 static int g_file_data_buffer_id = 0;
61 
62 /* HTTP */
63 static InspectionBuffer *HttpServerBodyGetDataCallback(DetectEngineThreadCtx *det_ctx,
64  const DetectEngineTransforms *transforms,
65  Flow *f, const uint8_t flow_flags,
66  void *txv, const int list_id);
67 
68 /* file API */
69 static int DetectEngineInspectFiledata(
70  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
71  const DetectEngineAppInspectionEngine *engine,
72  const Signature *s,
73  Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id);
75  SigGroupHead *sgh, MpmCtx *mpm_ctx,
76  const DetectBufferMpmRegistery *mpm_reg, int list_id);
77 
78 /**
79  * \brief Registration function for keyword: file_data
80  */
82 {
83  sigmatch_table[DETECT_FILE_DATA].name = "file.data";
84  sigmatch_table[DETECT_FILE_DATA].alias = "file_data";
85  sigmatch_table[DETECT_FILE_DATA].desc = "make content keywords match on file data";
86  sigmatch_table[DETECT_FILE_DATA].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#file-data";
87  sigmatch_table[DETECT_FILE_DATA].Setup = DetectFiledataSetup;
88 #ifdef UNITTESTS
90 #endif
92 
95  ALPROTO_SMTP, 0);
98  HttpServerBodyGetDataCallback,
99  ALPROTO_HTTP, HTP_RESPONSE_BODY);
102  ALPROTO_SMB, 0);
105  ALPROTO_SMB, 0);
106 
108  ALPROTO_HTTP, SIG_FLAG_TOCLIENT, HTP_RESPONSE_BODY,
109  DetectEngineInspectBufferGeneric, HttpServerBodyGetDataCallback);
112  DetectEngineInspectFiledata, NULL);
114  DetectFiledataSetupCallback);
117  DetectEngineInspectFiledata, NULL);
120  DetectEngineInspectFiledata, NULL);
121 
123  "http response body, smb files or smtp attachments data");
124 
125  g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
126 }
127 
128 #define FILEDATA_CONTENT_LIMIT 100000
129 #define FILEDATA_CONTENT_INSPECT_MIN_SIZE 32768
130 #define FILEDATA_CONTENT_INSPECT_WINDOW 4096
131 
132 static void SetupDetectEngineConfig(DetectEngineCtx *de_ctx) {
133  if (de_ctx->filedata_config_initialized)
134  return;
135 
136  /* initialize default */
137  for (int i = 0; i < (int)ALPROTO_MAX; i++) {
141  }
142 
143  /* add protocol specific settings here */
144 
145  /* SMTP */
149 
150  de_ctx->filedata_config_initialized = true;
151 }
152 
153 /**
154  * \brief this function is used to parse filedata options
155  * \brief into the current signature
156  *
157  * \param de_ctx pointer to the Detection Engine Context
158  * \param s pointer to the Current Signature
159  * \param str pointer to the user provided "filestore" option
160  *
161  * \retval 0 on Success
162  * \retval -1 on Failure
163  */
164 static int DetectFiledataSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
165 {
166  SCEnter();
167 
168  if (!DetectProtoContainsProto(&s->proto, IPPROTO_TCP) ||
169  (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_HTTP &&
170  s->alproto != ALPROTO_SMTP && s->alproto != ALPROTO_SMB)) {
171  SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
172  return -1;
173  }
174 
176  (s->flags & SIG_FLAG_TOSERVER) && !(s->flags & SIG_FLAG_TOCLIENT)) {
177  SCLogError(SC_ERR_INVALID_SIGNATURE, "Can't use file_data with "
178  "flow:to_server or flow:from_client with http.");
179  return -1;
180  }
181 
183  !(s->flags & SIG_FLAG_TOSERVER) && (s->flags & SIG_FLAG_TOCLIENT)) {
184  SCLogError(SC_ERR_INVALID_SIGNATURE, "Can't use file_data with "
185  "flow:to_client or flow:from_server with smtp.");
186  return -1;
187  }
188 
189  if (DetectBufferSetActiveList(s, DetectBufferTypeGetByName("file_data")) < 0)
190  return -1;
191 
192  SetupDetectEngineConfig(de_ctx);
193  return 0;
194 }
195 
196 static void DetectFiledataSetupCallback(const DetectEngineCtx *de_ctx,
197  Signature *s)
198 {
199  if (s->alproto == ALPROTO_HTTP || s->alproto == ALPROTO_UNKNOWN) {
201  }
202 
203 
204  /* server body needs to be inspected in sync with stream if possible */
206 
207  SCLogDebug("callback invoked by %u", s->id);
208 }
209 
210 /* HTTP based detection */
211 
212 static inline HtpBody *GetResponseBody(htp_tx_t *tx)
213 {
214  HtpTxUserData *htud = (HtpTxUserData *)htp_tx_get_user_data(tx);
215  if (htud == NULL) {
216  SCLogDebug("no htud");
217  return NULL;
218  }
219 
220  return &htud->response_body;
221 }
222 
223 static InspectionBuffer *HttpServerBodyGetDataCallback(DetectEngineThreadCtx *det_ctx,
224  const DetectEngineTransforms *transforms,
225  Flow *f, const uint8_t flow_flags,
226  void *txv, const int list_id)
227 {
228  SCEnter();
229 
230  InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
231  if (buffer->inspect != NULL)
232  return buffer;
233 
234  htp_tx_t *tx = txv;
235  HtpState *htp_state = f->alstate;
236  const uint8_t flags = flow_flags;
237 
238  HtpBody *body = GetResponseBody(tx);
239  if (body == NULL) {
240  return NULL;
241  }
242 
243  /* no new data */
244  if (body->body_inspected == body->content_len_so_far) {
245  SCLogDebug("no new data");
246  return NULL;
247  }
248 
249  HtpBodyChunk *cur = body->first;
250  if (cur == NULL) {
251  SCLogDebug("No http chunks to inspect for this transacation");
252  return NULL;
253  }
254 
255  SCLogDebug("response.body_limit %u response_body.content_len_so_far %"PRIu64
256  ", response.inspect_min_size %"PRIu32", EOF %s, progress > body? %s",
257  htp_state->cfg->response.body_limit,
258  body->content_len_so_far,
259  htp_state->cfg->response.inspect_min_size,
260  flags & STREAM_EOF ? "true" : "false",
261  (AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP, tx, flags) > HTP_RESPONSE_BODY) ? "true" : "false");
262 
263  if (!htp_state->cfg->http_body_inline) {
264  /* inspect the body if the transfer is complete or we have hit
265  * our body size limit */
266  if ((htp_state->cfg->response.body_limit == 0 ||
267  body->content_len_so_far < htp_state->cfg->response.body_limit) &&
268  body->content_len_so_far < htp_state->cfg->response.inspect_min_size &&
269  !(AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP, tx, flags) > HTP_RESPONSE_BODY) &&
270  !(flags & STREAM_EOF)) {
271  SCLogDebug("we still haven't seen the entire response body. "
272  "Let's defer body inspection till we see the "
273  "entire body.");
274  return NULL;
275  }
276  }
277 
278  /* get the inspect buffer
279  *
280  * make sure that we have at least the configured inspect_win size.
281  * If we have more, take at least 1/4 of the inspect win size before
282  * the new data.
283  */
284  uint64_t offset = 0;
285  if (body->body_inspected > htp_state->cfg->response.inspect_min_size) {
287  uint64_t inspect_win = body->content_len_so_far - body->body_inspected;
288  SCLogDebug("inspect_win %"PRIu64, inspect_win);
289  if (inspect_win < htp_state->cfg->response.inspect_window) {
290  uint64_t inspect_short = htp_state->cfg->response.inspect_window - inspect_win;
291  if (body->body_inspected < inspect_short)
292  offset = 0;
293  else
294  offset = body->body_inspected - inspect_short;
295  } else {
296  offset = body->body_inspected - (htp_state->cfg->response.inspect_window / 4);
297  }
298  }
299 
300  const uint8_t *data;
301  uint32_t data_len;
302 
304  &data, &data_len, offset);
305  InspectionBufferSetup(buffer, data, data_len);
306  buffer->inspect_offset = offset;
307 
308  /* built-in 'transformation' */
309  if (htp_state->cfg->swf_decompression_enabled) {
310  int swf_file_type = FileIsSwfFile(data, data_len);
311  if (swf_file_type == FILE_SWF_ZLIB_COMPRESSION ||
312  swf_file_type == FILE_SWF_LZMA_COMPRESSION)
313  {
314  (void)FileSwfDecompression(data, data_len,
315  det_ctx,
316  buffer,
317  htp_state->cfg->swf_compression_type,
318  htp_state->cfg->swf_decompress_depth,
319  htp_state->cfg->swf_compress_depth);
320  }
321  }
322 
323  /* move inspected tracker to end of the data. HtpBodyPrune will consider
324  * the window sizes when freeing data */
325  body->body_inspected = body->content_len_so_far;
326  SCLogDebug("body->body_inspected now: %"PRIu64, body->body_inspected);
327 
328  SCReturnPtr(buffer, "InspectionBuffer");
329 }
330 
331 /* file API based inspection */
332 
333 static InspectionBuffer *FiledataGetDataCallback(DetectEngineThreadCtx *det_ctx,
334  const DetectEngineTransforms *transforms,
335  Flow *f, uint8_t flow_flags, File *cur_file,
336  int list_id, int local_file_id, bool first)
337 {
338  SCEnter();
339 
341  InspectionBuffer *buffer = InspectionBufferMultipleForListGet(fb, local_file_id);
342  if (buffer == NULL)
343  return NULL;
344  if (!first && buffer->inspect != NULL)
345  return buffer;
346 
347  const uint64_t file_size = FileDataSize(cur_file);
348  const DetectEngineCtx *de_ctx = det_ctx->de_ctx;
349  const uint32_t content_limit = de_ctx->filedata_config[f->alproto].content_limit;
350  const uint32_t content_inspect_min_size = de_ctx->filedata_config[f->alproto].content_inspect_min_size;
351  // TODO this is unused, is that right?
352  //const uint32_t content_inspect_window = de_ctx->filedata_config[f->alproto].content_inspect_window;
353 
354  SCLogDebug("content_limit %u, content_inspect_min_size %u",
355  content_limit, content_inspect_min_size);
356 
357  SCLogDebug("file %p size %"PRIu64", state %d", cur_file, file_size, cur_file->state);
358 
359  /* no new data */
360  if (cur_file->content_inspected == file_size) {
361  SCLogDebug("no new data");
362  return NULL;
363  }
364 
365  if (file_size == 0) {
366  SCLogDebug("no data to inspect for this transaction");
367  return NULL;
368  }
369 
370  if ((content_limit == 0 || file_size < content_limit) &&
371  file_size < content_inspect_min_size &&
372  !(flow_flags & STREAM_EOF) && !(cur_file->state > FILE_STATE_OPENED)) {
373  SCLogDebug("we still haven't seen the entire content. "
374  "Let's defer content inspection till we see the "
375  "entire content.");
376  return NULL;
377  }
378 
379  const uint8_t *data;
380  uint32_t data_len;
381 
383  &data, &data_len,
384  cur_file->content_inspected);
385  InspectionBufferSetup(buffer, data, data_len);
386  buffer->inspect_offset = cur_file->content_inspected;
387  InspectionBufferApplyTransforms(buffer, transforms);
388 
389  /* update inspected tracker */
390  cur_file->content_inspected = file_size;
391  SCLogDebug("content_inspected %"PRIu64, cur_file->content_inspected);
392 
393  SCLogDebug("file_data buffer %p, data %p len %u offset %"PRIu64,
394  buffer, buffer->inspect, buffer->inspect_len, buffer->inspect_offset);
395 
396  SCReturnPtr(buffer, "InspectionBuffer");
397 }
398 
399 static int DetectEngineInspectFiledata(
400  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
401  const DetectEngineAppInspectionEngine *engine,
402  const Signature *s,
403  Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
404 {
405  int r = 0;
406  int match = 0;
407 
408  // TODO remove
409  if (f->alproto == ALPROTO_HTTP) {
410  abort();
411  }
412 
413  const DetectEngineTransforms *transforms = NULL;
414  if (!engine->mpm) {
415  transforms = engine->v2.transforms;
416  }
417 
419  f->alstate, flags);
420  if (ffc == NULL) {
422  }
423 
424  int local_file_id = 0;
425  File *file = ffc->head;
426  for (; file != NULL; file = file->next) {
427  if (file->txid != tx_id)
428  continue;
429 
430  InspectionBuffer *buffer = FiledataGetDataCallback(det_ctx,
431  transforms, f, flags, file, engine->sm_list, local_file_id, false);
432  if (buffer == NULL)
433  continue;
434 
435  bool eof = (file->state == FILE_STATE_CLOSED);
436  uint8_t ciflags = eof ? DETECT_CI_FLAGS_END : 0;
437  if (buffer->inspect_offset == 0)
438  ciflags |= DETECT_CI_FLAGS_START;
439 
440  det_ctx->buffer_offset = 0;
441  det_ctx->discontinue_matching = 0;
442  det_ctx->inspection_recursion_counter = 0;
443  match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd,
444  NULL, f,
445  (uint8_t *)buffer->inspect,
446  buffer->inspect_len,
447  buffer->inspect_offset, ciflags,
449  if (match == 1) {
450  r = 1;
451  break;
452  }
453  local_file_id++;
454  }
455 
456  if (r == 1)
458  else
460 }
461 
462 typedef struct PrefilterMpmFiledata {
463  int list_id;
464  const MpmCtx *mpm_ctx;
467 
468 /** \brief Filedata Filedata Mpm prefilter callback
469  *
470  * \param det_ctx detection engine thread ctx
471  * \param p packet to inspect
472  * \param f flow to inspect
473  * \param txv tx to inspect
474  * \param pectx inspection context
475  */
476 static void PrefilterTxFiledata(DetectEngineThreadCtx *det_ctx,
477  const void *pectx,
478  Packet *p, Flow *f, void *txv,
479  const uint64_t idx, const uint8_t flags)
480 {
481  SCEnter();
482 
483  const PrefilterMpmFiledata *ctx = (const PrefilterMpmFiledata *)pectx;
484  const MpmCtx *mpm_ctx = ctx->mpm_ctx;
485  const int list_id = ctx->list_id;
486 
488  f->alstate, flags);
489  int local_file_id = 0;
490  if (ffc != NULL) {
491  File *file = ffc->head;
492  for (; file != NULL; file = file->next) {
493  if (file->txid != idx)
494  continue;
495 
496  InspectionBuffer *buffer = FiledataGetDataCallback(det_ctx,
497  ctx->transforms, f, flags, file, list_id, local_file_id, true);
498  if (buffer == NULL)
499  continue;
500 
501  if (buffer->inspect_len >= mpm_ctx->minlen) {
502  (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
503  &det_ctx->mtcu, &det_ctx->pmq,
504  buffer->inspect, buffer->inspect_len);
505  }
506  }
507  }
508 }
509 
510 static void PrefilterMpmFiledataFree(void *ptr)
511 {
512  SCFree(ptr);
513 }
514 
516  SigGroupHead *sgh, MpmCtx *mpm_ctx,
517  const DetectBufferMpmRegistery *mpm_reg, int list_id)
518 {
519  PrefilterMpmFiledata *pectx = SCCalloc(1, sizeof(*pectx));
520  if (pectx == NULL)
521  return -1;
522  pectx->list_id = list_id;
523  pectx->mpm_ctx = mpm_ctx;
524  pectx->transforms = &mpm_reg->transforms;
525 
526  return PrefilterAppendTxEngine(de_ctx, sgh, PrefilterTxFiledata,
527  mpm_reg->app_v2.alproto, mpm_reg->app_v2.tx_min_progress,
528  pectx, PrefilterMpmFiledataFree, mpm_reg->pname);
529 }
530 
531 #ifdef UNITTESTS
532 #include "tests/detect-file-data.c"
533 #endif
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1448
DetectProto proto
Definition: detect.h:539
SignatureInitData * init_data
Definition: detect.h:591
uint16_t flags
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1186
#define FILEDATA_CONTENT_INSPECT_MIN_SIZE
#define SCLogDebug(...)
Definition: util-debug.h:335
uint16_t minlen
Definition: util-mpm.h:99
uint32_t content_limit
uint32_t inspect_window
struct DetectEngineAppInspectionEngine_::@93 v2
#define SIG_FLAG_INIT_NEED_FLUSH
Definition: detect.h:263
#define BUG_ON(x)
uint16_t discontinue_matching
Definition: detect.h:1067
uint32_t flags
Definition: detect.h:523
uint8_t proto
Definition: flow.h:344
HTPCfgDir response
uint32_t id
Definition: detect.h:555
int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto, void *alstate, uint8_t flags)
get the progress value for a tx/protocol
int StreamingBufferGetDataAtOffset(const StreamingBuffer *sb, const uint8_t **data, uint32_t *data_len, uint64_t offset)
DetectEngineTransforms transforms
Definition: detect.h:618
int PrefilterMpmFiledataRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id)
const struct HTPCfgRec_ * cfg
uint32_t inspect_min_size
struct DetectBufferMpmRegistery_::@95::@97 app_v2
uint64_t FileDataSize(const File *file)
get the size of the file data
Definition: util-file.c:277
uint64_t offset
uint32_t content_inspect_window
Definition: detect.h:877
void DetectBufferTypeRegisterSetupCallback(const char *name, void(*SetupCallback)(const DetectEngineCtx *, Signature *))
Container for matching data for a signature group.
Definition: detect.h:1336
int http_body_inline
uint64_t content_inspected
Definition: util-file.h:88
uint32_t buffer_offset
Definition: detect.h:1032
InspectionBuffer * InspectionBufferGet(DetectEngineThreadCtx *det_ctx, const int list_id)
const char * name
Definition: detect.h:1200
Signature container.
Definition: detect.h:522
struct File_ * next
Definition: util-file.h:79
void DetectAppLayerMpmRegister2(const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id), InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register a MPM engine
SMTPConfig smtp_config
uint32_t swf_decompress_depth
StreamingBuffer * sb
Definition: util-file.h:68
uint32_t content_inspect_min_size
Definition: detect.h:876
main detection engine ctx
Definition: detect.h:761
#define DETECT_CI_FLAGS_END
void * alstate
Definition: flow.h:438
bool filedata_config_initialized
Definition: detect.h:879
int DetectBufferTypeGetByName(const char *name)
#define str(s)
#define SCCalloc(nm, a)
Definition: util-mem.h:253
uint32_t content_inspect_min_size
int FileIsSwfFile(const uint8_t *buffer, uint32_t buffer_len)
#define SIG_FLAG_TOCLIENT
Definition: detect.h:237
#define DETECT_ENGINE_INSPECT_SIG_MATCH
uint64_t inspect_offset
Definition: detect.h:344
uint64_t body_inspected
HtpBody response_body
Data structures and function prototypes for keeping state for the detection engine.
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
StreamingBuffer * sb
uint8_t mpm_type
Definition: util-mpm.h:90
#define SIG_FLAG_INIT_FLOW
Definition: detect.h:258
#define STREAM_EOF
Definition: stream.h:30
one time registration of keywords at start up
Definition: detect.h:605
uint64_t txid
Definition: util-file.h:69
#define SIG_FLAG_TOSERVER
Definition: detect.h:236
#define SCEnter(...)
Definition: util-debug.h:337
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
uint32_t content_limit
Definition: detect.h:875
PrefilterRuleStore pmq
Definition: detect.h:1102
struct DetectEngineCtx_::@99 filedata_config[ALPROTO_MAX]
void DetectFiledataRegister(void)
Registration function for keyword: file_data.
void AppLayerHtpEnableResponseBodyCallback(void)
Sets a flag that informs the HTP app layer that some module in the engine needs the http request body...
AppProto alproto
Definition: detect.h:526
int DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
const MpmCtx * mpm_ctx
const char * desc
Definition: detect.h:1202
int PrefilterGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id)
struct PrefilterMpmFiledata PrefilterMpmFiledata
#define FILEDATA_CONTENT_LIMIT
void DetectFiledataRegisterTests(void)
const char * alias
Definition: detect.h:1201
DetectEngineCtx * de_ctx
Definition: detect.h:1127
uint32_t body_limit
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
Definition: util-mpm.h:169
#define SCFree(a)
Definition: util-mem.h:322
uint64_t content_len_so_far
uint16_t tx_id
uint32_t init_flags
Definition: detect.h:486
#define FILEDATA_CONTENT_INSPECT_WINDOW
void InspectionBufferSetup(InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
MpmThreadCtx mtcu
Definition: detect.h:1100
void InspectionBufferApplyTransforms(InspectionBuffer *buffer, const DetectEngineTransforms *transforms)
#define SIGMATCH_NOOPT
Definition: detect.h:1369
const char * url
Definition: detect.h:1203
int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer, uint32_t buffer_len, uint32_t stream_start_offset, uint8_t flags, uint8_t inspection_mode)
Run the actual payload match functions.
FileState state
Definition: util-file.h:67
#define SCReturnPtr(x, type)
Definition: util-debug.h:353
HtpSwfCompressType swf_compression_type
InspectionBufferMultipleForList * InspectionBufferGetMulti(DetectEngineThreadCtx *det_ctx, const int list_id)
int inspection_recursion_counter
Definition: detect.h:1079
uint32_t inspect_len
Definition: detect.h:345
int DetectBufferSetActiveList(Signature *s, const int list)
const uint8_t * inspect
Definition: detect.h:343
#define DOC_URL
Definition: suricata.h:86
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
HtpBodyChunk * first
uint32_t(* Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t)
Definition: util-mpm.h:162
int FileSwfDecompression(const uint8_t *buffer, uint32_t buffer_len, DetectEngineThreadCtx *det_ctx, InspectionBuffer *out_buffer, int swf_type, uint32_t decompress_depth, uint32_t compress_depth)
This function decompresses a buffer with zlib/lzma algorithm.
int PrefilterAppendTxEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, void(*PrefilterTxFunc)(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, Flow *f, void *tx, const uint64_t idx, const uint8_t flags), AppProto alproto, int tx_min_progress, void *pectx, void(*FreeFunc)(void *pectx), const char *name)
const DetectEngineTransforms * transforms
AppProto alproto
application level protocol
Definition: flow.h:409
int swf_decompression_enabled
FileContainer * AppLayerParserGetFiles(uint8_t ipproto, AppProto alproto, void *alstate, uint8_t direction)
uint32_t content_inspect_window
#define DOC_VERSION
Definition: suricata.h:91
#define DETECT_CI_FLAGS_START
uint32_t swf_compress_depth
InspectionBuffer * InspectionBufferMultipleForListGet(InspectionBufferMultipleForList *fb, uint32_t local_id)
for a InspectionBufferMultipleForList get a InspectionBuffer
uint16_t flags
Definition: detect.h:1194
Flow data structure.
Definition: flow.h:325
int DetectProtoContainsProto(const DetectProto *dp, int proto)
see if a DetectProto contains a certain proto
void(* RegisterTests)(void)
Definition: detect.h:1192
const DetectEngineTransforms * transforms
Definition: detect.h:416