suricata
detect-filemagic.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2023 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  */
24 
25 #include "suricata-common.h"
26 #include "threads.h"
27 #include "decode.h"
28 
29 #include "detect.h"
30 #include "detect-parse.h"
31 #include "detect-content.h"
32 
33 #include "detect-engine.h"
34 #include "detect-engine-mpm.h"
37 #include "detect-engine-file.h"
38 
39 #include "flow.h"
40 #include "flow-var.h"
41 #include "flow-util.h"
42 
43 #include "util-debug.h"
44 #include "util-spm-bm.h"
45 #include "util-magic.h"
46 #include "util-print.h"
47 
48 #include "util-unittest.h"
49 #include "util-unittest-helper.h"
50 #include "util-profiling.h"
51 
52 #include "app-layer.h"
53 #include "app-layer-parser.h"
54 
55 #include "stream-tcp.h"
56 
57 #include "detect-file-data.h"
58 #include "detect-filemagic.h"
59 
60 #include "conf.h"
61 
62 #ifndef HAVE_MAGIC
63 
64 static int DetectFilemagicSetupNoSupport (DetectEngineCtx *de_ctx, Signature *s, const char *str)
65 {
66  SCLogError("no libmagic support built in, needed for filemagic keyword");
67  return -1;
68 }
69 
70 /**
71  * \brief Registration function for keyword: filemagic
72  */
74 {
75  sigmatch_table[DETECT_FILEMAGIC].name = "filemagic";
76  sigmatch_table[DETECT_FILEMAGIC].desc = "match on the information libmagic returns about a file";
77  sigmatch_table[DETECT_FILEMAGIC].url = "/rules/file-keywords.html#filemagic";
78  sigmatch_table[DETECT_FILEMAGIC].Setup = DetectFilemagicSetupNoSupport;
80 }
81 
82 #else /* HAVE_MAGIC */
83 
84 typedef struct DetectFilemagicThreadData {
85  magic_t ctx;
86 } DetectFilemagicThreadData;
87 
88 static int DetectFilemagicSetup(DetectEngineCtx *, Signature *, const char *);
89 static int g_file_match_list_id = 0;
90 
91 static int DetectFilemagicSetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str);
92 static int g_file_magic_buffer_id = 0;
93 
94 static int PrefilterMpmFilemagicRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh,
95  MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id);
96 static uint8_t DetectEngineInspectFilemagic(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
97  const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags,
98  void *alstate, void *txv, uint64_t tx_id);
99 
100 /**
101  * \brief Registration function for keyword: filemagic
102  */
103 void DetectFilemagicRegister(void)
104 {
105  sigmatch_table[DETECT_FILEMAGIC].name = "filemagic";
106  sigmatch_table[DETECT_FILEMAGIC].desc = "match on the information libmagic returns about a file";
107  sigmatch_table[DETECT_FILEMAGIC].url = "/rules/file-keywords.html#filemagic";
108  sigmatch_table[DETECT_FILEMAGIC].Setup = DetectFilemagicSetup;
111 
112  sigmatch_table[DETECT_FILE_MAGIC].name = "file.magic";
113  sigmatch_table[DETECT_FILE_MAGIC].desc = "sticky buffer to match on the file magic";
114  sigmatch_table[DETECT_FILE_MAGIC].url = "/rules/file-keywords.html#filemagic";
115  sigmatch_table[DETECT_FILE_MAGIC].Setup = DetectFilemagicSetupSticky;
117 
118  filehandler_table[DETECT_FILE_MAGIC].name = "file.magic",
120  filehandler_table[DETECT_FILE_MAGIC].PrefilterFn = PrefilterMpmFilemagicRegister;
121  filehandler_table[DETECT_FILE_MAGIC].Callback = DetectEngineInspectFilemagic;
122 
123  g_file_match_list_id = DetectBufferTypeRegister("files");
124 
125  DetectBufferTypeSetDescriptionByName("file.magic", "file magic");
127 
128  g_file_magic_buffer_id = DetectBufferTypeGetByName("file.magic");
129  SCLogDebug("registering filemagic rule option");
130  return;
131 }
132 
133 #define FILEMAGIC_MIN_SIZE 512
134 
135 /**
136  * \brief run the magic check
137  *
138  * \param file the file
139  *
140  * \retval -1 error
141  * \retval 0 ok
142  */
143 int FilemagicThreadLookup(magic_t *ctx, File *file)
144 {
145  if (ctx == NULL || file == NULL || FileDataSize(file) == 0) {
146  SCReturnInt(-1);
147  }
148 
149  const uint8_t *data = NULL;
150  uint32_t data_len = 0;
151  uint64_t offset = 0;
152 
154  &data, &data_len, &offset);
155  if (offset == 0) {
156  if (FileDataSize(file) >= FILEMAGIC_MIN_SIZE) {
157  file->magic = MagicThreadLookup(ctx, data, data_len);
158  } else if (file->state >= FILE_STATE_CLOSED) {
159  file->magic = MagicThreadLookup(ctx, data, data_len);
160  }
161  }
162  SCReturnInt(0);
163 }
164 
165 static void *DetectFilemagicThreadInit(void *data /*@unused@*/)
166 {
167  DetectFilemagicThreadData *t = SCCalloc(1, sizeof(DetectFilemagicThreadData));
168  if (unlikely(t == NULL)) {
169  SCLogError("couldn't alloc ctx memory");
170  return NULL;
171  }
172 
173  t->ctx = MagicInitContext();
174  if (t->ctx == NULL)
175  goto error;
176 
177  return (void *)t;
178 
179 error:
180  if (t->ctx)
181  magic_close(t->ctx);
182  SCFree(t);
183  return NULL;
184 }
185 
186 static void DetectFilemagicThreadFree(void *ctx)
187 {
188  if (ctx != NULL) {
189  DetectFilemagicThreadData *t = (DetectFilemagicThreadData *)ctx;
190  if (t->ctx)
191  magic_close(t->ctx);
192  SCFree(t);
193  }
194 }
195 
196 /**
197  * \brief this function is used to parse filemagic options
198  * \brief into the current signature
199  *
200  * \param de_ctx pointer to the Detection Engine Context
201  * \param s pointer to the Current Signature
202  * \param str pointer to the user provided "filemagic" option
203  *
204  * \retval 0 on Success
205  * \retval -1 on Failure
206  */
207 static int DetectFilemagicSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
208 {
209  if (s->init_data->transforms.cnt) {
210  SCLogError("previous transforms not consumed before 'filemagic'");
211  SCReturnInt(-1);
212  }
215 
216  if (DetectContentSetup(de_ctx, s, str) < 0) {
217  return -1;
218  }
219 
221  if (sm == NULL)
222  return -1;
223 
225  if (DetectContentConvertToNocase(de_ctx, cd) != 0)
226  return -1;
228  de_ctx, s, NULL, DETECT_FILE_MAGIC, g_file_magic_buffer_id, s->alproto) < 0)
229  return -1;
230 
231  if (de_ctx->filemagic_thread_ctx_id == -1) {
233  de_ctx, "filemagic", DetectFilemagicThreadInit, NULL, DetectFilemagicThreadFree, 1);
234  if (de_ctx->filemagic_thread_ctx_id == -1)
235  return -1;
236  }
237  return 0;
238 }
239 
240 /* file.magic implementation */
241 
242 /**
243  * \brief this function setup the file.magic keyword used in the rule
244  *
245  * \param de_ctx Pointer to the Detection Engine Context
246  * \param s Pointer to the Signature to which the current keyword belongs
247  * \param str Should hold an empty string always
248  *
249  * \retval 0 On success
250  */
251 static int DetectFilemagicSetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str)
252 {
253  if (DetectBufferSetActiveList(de_ctx, s, g_file_magic_buffer_id) < 0)
254  return -1;
255 
256  if (de_ctx->filemagic_thread_ctx_id == -1) {
258  de_ctx, "filemagic", DetectFilemagicThreadInit, NULL, DetectFilemagicThreadFree, 1);
259  if (de_ctx->filemagic_thread_ctx_id == -1)
260  return -1;
261  }
262  return 0;
263 }
264 
265 static InspectionBuffer *FilemagicGetDataCallback(DetectEngineThreadCtx *det_ctx,
266  const DetectEngineTransforms *transforms, Flow *f, uint8_t flow_flags, File *cur_file,
267  int list_id, int local_file_id)
268 {
269  SCEnter();
270 
271  InspectionBuffer *buffer = InspectionBufferMultipleForListGet(det_ctx, list_id, local_file_id);
272  if (buffer == NULL)
273  return NULL;
274  if (buffer->initialized)
275  return buffer;
276 
277  if (cur_file->magic == NULL) {
278  DetectFilemagicThreadData *tfilemagic =
279  (DetectFilemagicThreadData *)DetectThreadCtxGetKeywordThreadCtx(
280  det_ctx, det_ctx->de_ctx->filemagic_thread_ctx_id);
281  if (tfilemagic == NULL) {
283  return NULL;
284  }
285 
286  FilemagicThreadLookup(&tfilemagic->ctx, cur_file);
287  }
288  if (cur_file->magic == NULL) {
289  return NULL;
290  }
291 
292  const uint8_t *data = (const uint8_t *)cur_file->magic;
293  uint32_t data_len = (uint32_t)strlen(cur_file->magic);
294 
295  InspectionBufferSetupMulti(buffer, transforms, data, data_len);
296 
297  SCReturnPtr(buffer, "InspectionBuffer");
298 }
299 
300 static uint8_t DetectEngineInspectFilemagic(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
301  const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags,
302  void *alstate, void *txv, uint64_t tx_id)
303 {
304  const DetectEngineTransforms *transforms = NULL;
305  if (!engine->mpm) {
306  transforms = engine->v2.transforms;
307  }
308 
309  AppLayerGetFileState files = AppLayerParserGetTxFiles(f, alstate, txv, flags);
310  FileContainer *ffc = files.fc;
311  if (ffc == NULL) {
313  }
314 
316  int local_file_id = 0;
317  for (File *file = ffc->head; file != NULL; file = file->next) {
318  InspectionBuffer *buffer = FilemagicGetDataCallback(
319  det_ctx, transforms, f, flags, file, engine->sm_list, local_file_id);
320  if (buffer == NULL)
321  continue;
322 
323  const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f,
324  buffer->inspect, buffer->inspect_len, buffer->inspect_offset,
326  if (match) {
328  } else {
330  }
331  local_file_id++;
332  }
333  return r;
334 }
335 
336 typedef struct PrefilterMpmFilemagic {
337  int list_id;
338  const MpmCtx *mpm_ctx;
339  const DetectEngineTransforms *transforms;
340 } PrefilterMpmFilemagic;
341 
342 /** \brief Filedata Filedata Mpm prefilter callback
343  *
344  * \param det_ctx detection engine thread ctx
345  * \param p packet to inspect
346  * \param f flow to inspect
347  * \param txv tx to inspect
348  * \param pectx inspection context
349  */
350 static void PrefilterTxFilemagic(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p,
351  Flow *f, void *txv, const uint64_t idx, const AppLayerTxData *txd, const uint8_t flags)
352 {
353  SCEnter();
354 
355  if (!AppLayerParserHasFilesInDir(txd, flags))
356  return;
357 
358  const PrefilterMpmFilemagic *ctx = (const PrefilterMpmFilemagic *)pectx;
359  const MpmCtx *mpm_ctx = ctx->mpm_ctx;
360  const int list_id = ctx->list_id;
361 
362  AppLayerGetFileState files = AppLayerParserGetTxFiles(f, f->alstate, txv, flags);
363  FileContainer *ffc = files.fc;
364  if (ffc != NULL) {
365  int local_file_id = 0;
366  for (File *file = ffc->head; file != NULL; file = file->next) {
367  InspectionBuffer *buffer = FilemagicGetDataCallback(
368  det_ctx, ctx->transforms, f, flags, file, list_id, local_file_id);
369  if (buffer == NULL)
370  continue;
371 
372  if (buffer->inspect_len >= mpm_ctx->minlen) {
373  (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx, &det_ctx->mtc, &det_ctx->pmq,
374  buffer->inspect, buffer->inspect_len);
375  PREFILTER_PROFILING_ADD_BYTES(det_ctx, buffer->inspect_len);
376  }
377  local_file_id++;
378  }
379  }
380 }
381 
382 static void PrefilterMpmFilemagicFree(void *ptr)
383 {
384  SCFree(ptr);
385 }
386 
387 static int PrefilterMpmFilemagicRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh,
388  MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
389 {
390  PrefilterMpmFilemagic *pectx = SCCalloc(1, sizeof(*pectx));
391  if (pectx == NULL)
392  return -1;
393  pectx->list_id = list_id;
394  pectx->mpm_ctx = mpm_ctx;
395  pectx->transforms = &mpm_reg->transforms;
396 
397  return PrefilterAppendTxEngine(de_ctx, sgh, PrefilterTxFilemagic,
398  mpm_reg->app_v2.alproto, mpm_reg->app_v2.tx_min_progress,
399  pectx, PrefilterMpmFilemagicFree, mpm_reg->pname);
400 }
401 
402 #endif /* HAVE_MAGIC */
DetectEngineAppInspectionEngine_
Definition: detect.h:424
SigTableElmt_::url
const char * url
Definition: detect.h:1296
DetectEngineAppInspectionEngine_::mpm
bool mpm
Definition: detect.h:428
detect-content.h
FileContainer_
Definition: util-file.h:113
MpmCtx_::mpm_type
uint8_t mpm_type
Definition: util-mpm.h:90
detect-engine.h
SIGMATCH_INFO_STICKY_BUFFER
#define SIGMATCH_INFO_STICKY_BUFFER
Definition: detect.h:1497
SigTableElmt_::desc
const char * desc
Definition: detect.h:1295
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1293
InspectionBuffer::initialized
bool initialized
Definition: detect.h:375
stream-tcp.h
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1445
DetectThreadCtxGetKeywordThreadCtx
void * DetectThreadCtxGetKeywordThreadCtx(DetectEngineThreadCtx *det_ctx, int id)
Retrieve thread local keyword ctx by id.
Definition: detect-engine.c:3634
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
DetectEngineTransforms
Definition: detect.h:406
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:62
Signature_::alproto
AppProto alproto
Definition: detect.h:598
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
DetectBufferSetActiveList
int DetectBufferSetActiveList(DetectEngineCtx *de_ctx, Signature *s, const int list)
Definition: detect-engine.c:1382
InspectionBuffer
Definition: detect.h:371
threads.h
Flow_
Flow data structure.
Definition: flow.h:351
File_::state
FileState state
Definition: util-file.h:82
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1201
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1287
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:836
DetectBufferTypeSupportsMultiInstance
void DetectBufferTypeSupportsMultiInstance(const char *name)
Definition: detect-engine.c:1069
DetectContentConvertToNocase
int DetectContentConvertToNocase(DetectEngineCtx *de_ctx, DetectContentData *cd)
Definition: detect-content.c:765
StreamingBufferGetData
int StreamingBufferGetData(const StreamingBuffer *sb, const uint8_t **data, uint32_t *data_len, uint64_t *stream_offset)
Definition: util-streaming-buffer.c:1754
DetectBufferMpmRegistry_
one time registration of keywords at start up
Definition: detect.h:677
detect-file-data.h
DetectBufferMpmRegistry_::app_v2
struct DetectBufferMpmRegistry_::@88::@90 app_v2
DetectContentData_
Definition: detect-content.h:93
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1278
DetectBufferMpmRegistry_::transforms
DetectEngineTransforms transforms
Definition: detect.h:690
detect-engine-prefilter.h
DetectFilemagicRegister
void DetectFilemagicRegister(void)
Registration function for keyword: filemagic.
Definition: detect-filemagic.c:73
util-unittest.h
util-unittest-helper.h
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1119
File_::sb
StreamingBuffer * sb
Definition: util-file.h:83
DetectEngineAppInspectionEngine_::sm_list
uint16_t sm_list
Definition: detect.h:430
SIGMATCH_QUOTES_MANDATORY
#define SIGMATCH_QUOTES_MANDATORY
Definition: detect.h:1489
DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES
Definition: detect-engine-state.h:43
InspectionBufferSetupMultiEmpty
void InspectionBufferSetupMultiEmpty(InspectionBuffer *buffer)
setup the buffer empty
Definition: detect-engine.c:1593
decode.h
util-debug.h
DETECT_FILE_MAGIC
@ DETECT_FILE_MAGIC
Definition: detect-engine-register.h:221
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectContentSetup
int DetectContentSetup(DetectEngineCtx *de_ctx, Signature *s, const char *contentstr)
Function to setup a content pattern.
Definition: detect-content.c:328
DetectEngineThreadCtx_
Definition: detect.h:1092
FILE_SIG_NEED_MAGIC
#define FILE_SIG_NEED_MAGIC
Definition: detect.h:313
detect-engine-file.h
SignatureInitData_::list
int list
Definition: detect.h:562
util-print.h
detect-filemagic.h
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
detect-engine-mpm.h
FileContainer_::head
File * head
Definition: util-file.h:114
detect.h
DETECT_ENGINE_INSPECT_SIG_MATCH
#define DETECT_ENGINE_INSPECT_SIG_MATCH
Definition: detect-engine-state.h:38
DETECT_FILEMAGIC
@ DETECT_FILEMAGIC
Definition: detect-engine-register.h:220
InspectionBuffer::inspect_offset
uint64_t inspect_offset
Definition: detect.h:373
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
Definition: detect-engine-content-inspection.h:36
SigTableElmt_::alternative
uint16_t alternative
Definition: detect.h:1291
app-layer-parser.h
MpmCtx_::minlen
uint16_t minlen
Definition: util-mpm.h:99
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:350
util-profiling.h
DetectEngineContentModifierBufferSetup
int DetectEngineContentModifierBufferSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg, int sm_type, int sm_list, AppProto alproto)
Definition: detect-parse.c:205
Packet_
Definition: decode.h:437
conf.h
util-magic.h
SIGMATCH_HANDLE_NEGATION
#define SIGMATCH_HANDLE_NEGATION
Definition: detect.h:1493
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:662
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:287
DetectFileHandlerTableElmt_::priority
int priority
Definition: detect-parse.h:34
MpmTableElmt_::Search
uint32_t(* Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t)
Definition: util-mpm.h:168
DetectEngineAppInspectionEngine_::v2
struct DetectEngineAppInspectionEngine_::@85 v2
DetectEngineThreadCtx_::mtc
MpmThreadCtx mtc
Definition: detect.h:1200
FileDataSize
uint64_t FileDataSize(const File *file)
get the size of the file data
Definition: util-file.c:326
detect-engine-content-inspection.h
DETECT_SM_LIST_NOTSET
#define DETECT_SM_LIST_NOTSET
Definition: detect.h:138
DetectEngineAppInspectionEngine_::smd
SigMatchData * smd
Definition: detect.h:441
FILE_STATE_CLOSED
@ FILE_STATE_CLOSED
Definition: util-file.h:71
File_
Definition: util-file.h:79
AppLayerTxData
struct AppLayerTxData AppLayerTxData
Definition: detect.h:1355
PREFILTER_PROFILING_ADD_BYTES
#define PREFILTER_PROFILING_ADD_BYTES(det_ctx, bytes)
Definition: util-profiling.h:287
DETECT_CI_FLAGS_SINGLE
#define DETECT_CI_FLAGS_SINGLE
Definition: detect-engine-content-inspection.h:49
DetectBufferTypeRegister
int DetectBufferTypeRegister(const char *name)
Definition: detect-engine.c:1055
flags
uint8_t flags
Definition: decode-gre.h:0
DetectRegisterThreadCtxFuncs
int DetectRegisterThreadCtxFuncs(DetectEngineCtx *de_ctx, const char *name, void *(*InitFunc)(void *), void *data, void(*FreeFunc)(void *), int mode)
Register Thread keyword context Funcs.
Definition: detect-engine.c:3564
suricata-common.h
Signature_::file_flags
uint8_t file_flags
Definition: detect.h:609
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:127
File_::next
struct File_ * next
Definition: util-file.h:92
DetectFileHandlerTableElmt_::PrefilterFn
PrefilterRegisterFunc PrefilterFn
Definition: detect-parse.h:35
util-spm-bm.h
InspectionBufferSetupMulti
void InspectionBufferSetupMulti(InspectionBuffer *buffer, const DetectEngineTransforms *transforms, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine.c:1606
PrefilterAppendTxEngine
int PrefilterAppendTxEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, PrefilterTxFn PrefilterTxFunc, AppProto alproto, int tx_min_progress, void *pectx, void(*FreeFunc)(void *pectx), const char *name)
Definition: detect-engine-prefilter.c:270
DETECT_ENGINE_INSPECT_SIG_NO_MATCH
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
Definition: detect-engine-state.h:37
InspectionBuffer::inspect_len
uint32_t inspect_len
Definition: detect.h:374
DetectEngineCtx_::filemagic_thread_ctx_id
int filemagic_thread_ctx_id
Definition: detect.h:884
InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect.h:372
str
#define str(s)
Definition: suricata-common.h:291
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SCFree
#define SCFree(p)
Definition: util-mem.h:61
Flow_::alstate
void * alstate
Definition: flow.h:476
detect-parse.h
Signature_
Signature container.
Definition: detect.h:593
SigMatch_
a single match condition for a signature
Definition: detect.h:347
DetectEngineAppInspectionEngine_::transforms
const DetectEngineTransforms * transforms
Definition: detect.h:438
mpm_table
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
Definition: util-mpm.c:47
DetectEngineTransforms::cnt
int cnt
Definition: detect.h:408
DetectFileHandlerTableElmt_::Callback
InspectEngineFuncPtr Callback
Definition: detect-parse.h:36
DetectEngineThreadCtx_::de_ctx
DetectEngineCtx * de_ctx
Definition: detect.h:1216
InspectionBufferMultipleForListGet
InspectionBuffer * InspectionBufferMultipleForListGet(DetectEngineThreadCtx *det_ctx, const int list_id, const uint32_t local_id)
for a InspectionBufferMultipleForList get a InspectionBuffer
Definition: detect-engine.c:1546
FILE_SIG_NEED_FILE
#define FILE_SIG_NEED_FILE
Definition: detect.h:311
filehandler_table
DetectFileHandlerTableElmt filehandler_table[DETECT_TBLSIZE]
Definition: detect-parse.c:77
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1473
DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition: detect-parse.c:619
AppLayerParserGetTxFiles
AppLayerGetFileState AppLayerParserGetTxFiles(const Flow *f, void *state, void *tx, const uint8_t direction)
Definition: app-layer-parser.c:888
DetectFileHandlerTableElmt_::name
const char * name
Definition: detect-parse.h:33
DetectBufferTypeSetDescriptionByName
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
Definition: detect-engine.c:1216
SignatureInitData_::transforms
DetectEngineTransforms transforms
Definition: detect.h:565
MpmCtx_
Definition: util-mpm.h:88
flow.h
DetectEngineContentInspection
bool DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer, const uint32_t buffer_len, const uint32_t stream_start_offset, const uint8_t flags, const enum DetectContentInspectionType inspection_mode)
wrapper around DetectEngineContentInspectionInternal to return true/false only
Definition: detect-engine-content-inspection.c:723
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
flow-var.h
app-layer.h
DetectBufferMpmRegistry_::pname
char pname[32]
Definition: detect.h:679