1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  */
24 
25 #include "suricata-common.h"
26 #include "threads.h"
27 #include "decode.h"
28 
29 #include "detect.h"
30 #include "detect-parse.h"
31 #include "detect-content.h"
32 
33 #include "detect-engine.h"
34 #include "detect-engine-mpm.h"
37 
38 #include "flow.h"
39 #include "flow-var.h"
40 #include "flow-util.h"
41 
42 #include "util-debug.h"
43 #include "util-spm-bm.h"
44 #include "util-magic.h"
45 #include "util-print.h"
46 
47 #include "util-unittest.h"
48 #include "util-unittest-helper.h"
49 #include "util-profiling.h"
50 
51 #include "app-layer.h"
52 #include "app-layer-parser.h"
53 
54 #include "stream-tcp.h"
55 
56 #include "detect-filemagic.h"
57 
58 #include "conf.h"
59 
60 #ifndef HAVE_MAGIC
61 
/**
 * \brief Setup stub installed when Suricata is built without libmagic.
 *
 * Any rule that uses the filemagic keyword is rejected at load time, so the
 * option can never silently turn into a no-op in a build that lacks the
 * library.
 *
 * \param de_ctx detection engine context (unused)
 * \param s      signature being parsed (unused)
 * \param str    keyword argument (unused)
 *
 * \retval -1 always: the keyword is unavailable in this build
 */
static int DetectFilemagicSetupNoSupport (DetectEngineCtx *de_ctx, Signature *s, const char *str)
{
    (void)de_ctx;
    (void)s;
    (void)str;

    SCLogError("no libmagic support built in, needed for filemagic keyword");
    return -1;
}
67 
68 /**
69  * \brief Registration function for keyword: filemagic
70  */
72 {
73  sigmatch_table[DETECT_FILEMAGIC].name = "filemagic";
74  sigmatch_table[DETECT_FILEMAGIC].desc = "match on the information libmagic returns about a file";
75  sigmatch_table[DETECT_FILEMAGIC].url = "/rules/file-keywords.html#filemagic";
76  sigmatch_table[DETECT_FILEMAGIC].Setup = DetectFilemagicSetupNoSupport;
78 }
79 
80 #else /* HAVE_MAGIC */
81 
/** Per-detection-thread state for the filemagic / file.magic keywords.
 *  One instance is created per thread through DetectRegisterThreadCtxFuncs()
 *  (see DetectFilemagicThreadInit / DetectFilemagicThreadFree). */
typedef struct DetectFilemagicThreadData {
    magic_t ctx; /**< libmagic handle returned by MagicInitContext() */
} DetectFilemagicThreadData;
85 
/** Parsed argument of one classic "filemagic:" keyword instance. */
typedef struct DetectFilemagicData {
    uint8_t *name;  /**< pattern bytes searched in the libmagic string; length is in len */
    BmCtx *bm_ctx;  /**< Boyer-Moore nocase context prebuilt for name */
    uint16_t len;   /**< length of name in bytes */
    uint32_t flags; /**< DETECT_CONTENT_NEGATED when the keyword was negated */
} DetectFilemagicData;
92 
93 static int DetectFilemagicMatch (DetectEngineThreadCtx *, Flow *,
94  uint8_t, File *, const Signature *, const SigMatchCtx *);
95 static int DetectFilemagicSetup (DetectEngineCtx *, Signature *, const char *);
96 #ifdef UNITTESTS
97 static void DetectFilemagicRegisterTests(void);
98 #endif
99 static void DetectFilemagicFree(DetectEngineCtx *, void *);
100 static int g_file_match_list_id = 0;
101 
102 static int DetectFilemagicSetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str);
103 static int g_file_magic_buffer_id = 0;
104 
105 static int PrefilterMpmFilemagicRegister(DetectEngineCtx *de_ctx,
106  SigGroupHead *sgh, MpmCtx *mpm_ctx,
107  const DetectBufferMpmRegistery *mpm_reg, int list_id);
108 static uint8_t DetectEngineInspectFilemagic(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
109  const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags,
110  void *alstate, void *txv, uint64_t tx_id);
111 
112 static int g_magic_thread_ctx_id = -1;
113 
114 /**
115  * \brief Registration function for keyword: filemagic
116  */
117 void DetectFilemagicRegister(void)
118 {
119  sigmatch_table[DETECT_FILEMAGIC].name = "filemagic";
120  sigmatch_table[DETECT_FILEMAGIC].desc = "match on the information libmagic returns about a file";
121  sigmatch_table[DETECT_FILEMAGIC].url = "/rules/file-keywords.html#filemagic";
122  sigmatch_table[DETECT_FILEMAGIC].FileMatch = DetectFilemagicMatch;
123  sigmatch_table[DETECT_FILEMAGIC].Setup = DetectFilemagicSetup;
124  sigmatch_table[DETECT_FILEMAGIC].Free = DetectFilemagicFree;
125 #ifdef UNITTESTS
126  sigmatch_table[DETECT_FILEMAGIC].RegisterTests = DetectFilemagicRegisterTests;
127 #endif
130 
131  sigmatch_table[DETECT_FILE_MAGIC].name = "file.magic";
132  sigmatch_table[DETECT_FILE_MAGIC].desc = "sticky buffer to match on the file magic";
133  sigmatch_table[DETECT_FILE_MAGIC].url = "/rules/file-keywords.html#filemagic";
134  sigmatch_table[DETECT_FILE_MAGIC].Setup = DetectFilemagicSetupSticky;
136 
137  g_file_match_list_id = DetectBufferTypeRegister("files");
138 
140  ALPROTO_HTTP2, 0 };
142  0 };
143 
144  for (int i = 0; protos_ts[i] != 0; i++) {
145  DetectAppLayerInspectEngineRegister2("file.magic", protos_ts[i],
147  DetectEngineInspectFilemagic, NULL);
148 
150  PrefilterMpmFilemagicRegister, NULL, protos_ts[i],
151  0);
152  }
153  for (int i = 0; protos_tc[i] != 0; i++) {
154  DetectAppLayerInspectEngineRegister2("file.magic", protos_tc[i],
156  DetectEngineInspectFilemagic, NULL);
157 
159  PrefilterMpmFilemagicRegister, NULL, protos_tc[i],
160  0);
161  }
162 
164  "file magic");
165 
166  g_file_magic_buffer_id = DetectBufferTypeGetByName("file.magic");
167  SCLogDebug("registering filemagic rule option");
168  return;
169 }
170 
171 #define FILEMAGIC_MIN_SIZE 512
172 
/**
 * \brief run the magic check
 *
 * Populates file->magic from the data stored at offset 0 of the file. The
 * lookup only runs once at least FILEMAGIC_MIN_SIZE bytes are available, or
 * once the file is already closed, so a very small file is only classified
 * when it is complete. Callers must test file->magic afterwards: a 0 return
 * does not mean a lookup was performed.
 *
 * \param ctx  pointer to the per-thread libmagic handle
 * \param file the file
 *
 * \retval -1 error (NULL ctx or file, or a file without any data)
 * \retval 0 ok (a lookup may or may not have run)
 */
181 int FilemagicThreadLookup(magic_t *ctx, File *file)
182 {
183  if (ctx == NULL || file == NULL || FileDataSize(file) == 0) {
184  SCReturnInt(-1);
185  }
186 
187  const uint8_t *data = NULL;
188  uint32_t data_len = 0;
189  uint64_t offset = 0;
190 
192  &data, &data_len, &offset);
193  if (offset == 0) {
194  if (FileDataSize(file) >= FILEMAGIC_MIN_SIZE) {
195  file->magic = MagicThreadLookup(ctx, data, data_len);
196  } else if (file->state >= FILE_STATE_CLOSED) {
197  file->magic = MagicThreadLookup(ctx, data, data_len);
198  }
199  }
200  SCReturnInt(0);
201 }
202 
/**
 * \brief match the specified filemagic
 *
 * Runs the libmagic lookup on demand (once per file, the result is cached in
 * file->magic) and then searches the keyword pattern in the returned
 * description, case-insensitively.
 *
 * \param det_ctx pattern matcher thread local data
 * \param f *LOCKED* flow
 * \param flags direction flags
 * \param file file being inspected
 * \param s signature being inspected
 * \param m sigmatch that we will cast into DetectFilemagicData
 *
 * \retval 0 no match (also when no magic result is available yet, even for a
 *           negated keyword)
 * \retval 1 match
 */
/**
 * \brief match the specified filemagic
 *
 * The libmagic result is computed lazily the first time any rule needs it and
 * cached in file->magic. Without a result, neither a plain nor a negated
 * keyword matches.
 *
 * \param det_ctx pattern matcher thread local data
 * \param f *LOCKED* flow (unused)
 * \param flags direction flags (unused)
 * \param file file being inspected
 * \param s signature being inspected (unused)
 * \param m sigmatch context, really a DetectFilemagicData
 *
 * \retval 0 no match
 * \retval 1 match
 */
static int DetectFilemagicMatch (DetectEngineThreadCtx *det_ctx,
        Flow *f, uint8_t flags, File *file, const Signature *s, const SigMatchCtx *m)
{
    SCEnter();
    const DetectFilemagicData *fmd = (const DetectFilemagicData *)m;
    const bool negated = (fmd->flags & DETECT_CONTENT_NEGATED) != 0;

    DetectFilemagicThreadData *tctx = (DetectFilemagicThreadData *)DetectThreadCtxGetKeywordThreadCtx(
            det_ctx, g_magic_thread_ctx_id);
    if (tctx == NULL)
        SCReturnInt(0);

    /* lazily run libmagic on the file; the result is cached in the File */
    if (file->magic == NULL)
        FilemagicThreadLookup(&tctx->ctx, file);

    /* no magic result (yet): nothing to match against */
    if (file->magic == NULL)
        SCReturnInt(0);

    SCLogDebug("magic %s", file->magic);

    /* the trailing \0 is part of the searched buffer, so a pattern can be
     * anchored at the end of the magic string */
    const uint32_t haystack_len = (uint32_t)strlen(file->magic) + 1;
    const bool found = BoyerMooreNocase(fmd->name, fmd->len, (uint8_t *)file->magic,
            haystack_len, fmd->bm_ctx) != NULL;

#ifdef DEBUG
    if (found && SCLogDebugEnabled()) {
        char *printable = SCMalloc(fmd->len + 1);
        if (printable != NULL) {
            memcpy(printable, fmd->name, fmd->len);
            printable[fmd->len] = '\0';
            SCLogDebug("will look for filemagic %s", printable);
            SCFree(printable);
        }
    }
#endif

    if (found) {
        SCReturnInt(negated ? 0 : 1);
    }
    if (negated) {
        SCLogDebug("negated match");
        SCReturnInt(1);
    }
    SCReturnInt(0);
}
265 
/**
 * \brief Parse the filemagic keyword
 *
 * \param de_ctx Pointer to the detection engine context (only forwarded to
 *               the free function on error)
 * \param str Pointer to the user provided option, in content syntax
 * \param negate true when the keyword was negated in the rule
 *
 * \retval filemagic pointer to DetectFilemagicData on success
 * \retval NULL on failure
 */
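/**
 * \brief Parse the filemagic keyword
 *
 * Uses the content parser (so "abc|DE|fgh" style escapes apply) and prebuilds
 * a case-insensitive Boyer-Moore context for the pattern.
 *
 * \param de_ctx Pointer to the detection engine context (only forwarded to
 *               the free function on error)
 * \param str Pointer to the user provided option
 * \param negate true when the keyword was negated in the rule
 *
 * \retval filemagic pointer to DetectFilemagicData on success
 * \retval NULL on failure
 */
static DetectFilemagicData *DetectFilemagicParse (DetectEngineCtx *de_ctx, const char *str, bool negate)
{
    /* zeroed allocation, consistent with the rest of the file: every field
     * starts out NULL/0 so DetectFilemagicFree() is safe on a partially
     * built object */
    DetectFilemagicData *filemagic = SCCalloc(1, sizeof(*filemagic));
    if (unlikely(filemagic == NULL))
        return NULL;

    if (DetectContentDataParse("filemagic", str, &filemagic->name, &filemagic->len) == -1)
        goto error;

    filemagic->bm_ctx = BoyerMooreNocaseCtxInit(filemagic->name, filemagic->len);
    if (filemagic->bm_ctx == NULL)
        goto error;

    if (negate)
        filemagic->flags |= DETECT_CONTENT_NEGATED;

    SCLogDebug("flags %02X", filemagic->flags);
    if (filemagic->flags & DETECT_CONTENT_NEGATED) {
        SCLogDebug("negated filemagic");
    }

#ifdef DEBUG
    if (SCLogDebugEnabled()) {
        char *printable = SCMalloc(filemagic->len + 1);
        if (printable != NULL) {
            memcpy(printable, filemagic->name, filemagic->len);
            printable[filemagic->len] = '\0';
            SCLogDebug("will look for filemagic %s", printable);
            SCFree(printable);
        }
    }
#endif

    return filemagic;

error:
    /* frees name and bm_ctx if they were set */
    DetectFilemagicFree(de_ctx, filemagic);
    return NULL;
}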
323 
/**
 * \brief Allocate the per-thread libmagic state.
 *
 * \param data registration data (unused)
 *
 * \retval ctx DetectFilemagicThreadData with an open libmagic handle
 * \retval NULL on allocation or libmagic initialisation failure
 */
static void *DetectFilemagicThreadInit(void *data /*@unused@*/)
{
    DetectFilemagicThreadData *tctx = SCCalloc(1, sizeof(*tctx));
    if (unlikely(tctx == NULL)) {
        SCLogError("couldn't alloc ctx memory");
        return NULL;
    }

    tctx->ctx = MagicInitContext();
    if (tctx->ctx != NULL)
        return (void *)tctx;

    /* MagicInitContext() failed: there is no handle to close, only the
     * wrapper to release */
    SCFree(tctx);
    return NULL;
}
344 
/**
 * \brief Release the per-thread libmagic state created by
 *        DetectFilemagicThreadInit.
 *
 * \param ctx DetectFilemagicThreadData pointer, NULL is accepted
 */
static void DetectFilemagicThreadFree(void *ctx)
{
    if (ctx == NULL)
        return;

    DetectFilemagicThreadData *tctx = (DetectFilemagicThreadData *)ctx;
    if (tctx->ctx != NULL)
        magic_close(tctx->ctx);
    SCFree(tctx);
}
354 
/**
 * \brief this function is used to parse filemagic options
 *        into the current signature
 *
 * It also registers the per-thread libmagic context, the same one the
 * file.magic sticky buffer uses.
 *
 * \param de_ctx pointer to the Detection Engine Context
 * \param s pointer to the Current Signature
 * \param str pointer to the user provided "filemagic" option
 *
 * \retval 0 on Success
 * \retval -1 on Failure
 */
366 static int DetectFilemagicSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
367 {
368  SigMatch *sm = NULL;
369 
370  DetectFilemagicData *filemagic = DetectFilemagicParse(de_ctx, str, s->init_data->negated);
371  if (filemagic == NULL)
372  return -1;
373 
374  g_magic_thread_ctx_id = DetectRegisterThreadCtxFuncs(
375  de_ctx, "filemagic", DetectFilemagicThreadInit, NULL, DetectFilemagicThreadFree, 1);
376  if (g_magic_thread_ctx_id == -1)
377  goto error;
378 
379  /* Okay so far so good, lets get this into a SigMatch
380  * and put it in the Signature. */
381  sm = SigMatchAlloc();
382  if (sm == NULL)
383  goto error;
384 
385  sm->type = DETECT_FILEMAGIC;
386  sm->ctx = (void *)filemagic;
387 
388  SigMatchAppendSMToList(s, sm, g_file_match_list_id);
389 
391  return 0;
392 
393 error:
394  DetectFilemagicFree(de_ctx, filemagic);
395  if (sm != NULL)
396  SCFree(sm);
397  return -1;
398 }
399 
/**
 * \brief this function will free memory associated with DetectFilemagicData
 *
 * \param de_ctx detection engine context (unused)
 * \param ptr pointer to DetectFilemagicData, NULL is accepted
 */
/**
 * \brief Free a DetectFilemagicData and everything it owns.
 *
 * Safe on a partially initialised object: each member is released only when
 * it was set.
 *
 * \param de_ctx detection engine context (unused)
 * \param ptr pointer to DetectFilemagicData, NULL is accepted
 */
static void DetectFilemagicFree(DetectEngineCtx *de_ctx, void *ptr)
{
    if (ptr == NULL)
        return;

    DetectFilemagicData *filemagic = (DetectFilemagicData *)ptr;
    if (filemagic->bm_ctx != NULL)
        BoyerMooreCtxDeInit(filemagic->bm_ctx);
    if (filemagic->name != NULL)
        SCFree(filemagic->name);
    SCFree(filemagic);
}
417 
418 /* file.magic implementation */
419 
/**
 * \brief this function setup the file.magic keyword used in the rule
 *
 * \param de_ctx Pointer to the Detection Engine Context
 * \param s Pointer to the Signature to which the current keyword belongs
 * \param str Should hold an empty string always
 *
 * \retval 0 On success
 * \retval -1 On failure (the buffer list could not be activated, or the
 *            thread context registration failed)
 */
/**
 * \brief Setup for the file.magic sticky buffer keyword.
 *
 * Activates the file.magic buffer list for the signature and makes sure the
 * per-thread libmagic context (shared with the classic filemagic keyword) is
 * registered.
 *
 * \param de_ctx Pointer to the Detection Engine Context
 * \param s Pointer to the Signature to which the current keyword belongs
 * \param str Should hold an empty string always (unused)
 *
 * \retval 0 On success
 * \retval -1 On failure
 */
static int DetectFilemagicSetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str)
{
    if (DetectBufferSetActiveList(s, g_file_magic_buffer_id) < 0)
        return -1;

    /* register the thread ctx only once, the first time either keyword is
     * seen; later calls reuse the existing id */
    if (g_magic_thread_ctx_id != -1)
        return 0;

    g_magic_thread_ctx_id = DetectRegisterThreadCtxFuncs(
            de_ctx, "filemagic", DetectFilemagicThreadInit, NULL, DetectFilemagicThreadFree, 1);
    return (g_magic_thread_ctx_id == -1) ? -1 : 0;
}
443 
/**
 * \brief Get (and lazily set up) the file.magic inspection buffer for one
 *        file of a transaction.
 *
 * \param det_ctx detection engine thread ctx
 * \param transforms transforms to apply to the buffer, may be NULL
 * \param f flow (unused)
 * \param flow_flags direction flags (unused)
 * \param cur_file file whose magic string becomes the buffer
 * \param list_id buffer list id
 * \param local_file_id index of the file within the transaction
 *
 * \retval buffer initialised InspectionBuffer
 * \retval NULL when no buffer slot, no thread ctx, or no magic result is
 *              available
 */
static InspectionBuffer *FilemagicGetDataCallback(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms, Flow *f, uint8_t flow_flags, File *cur_file,
        int list_id, int local_file_id)
{
    SCEnter();

    InspectionBuffer *buffer = InspectionBufferMultipleForListGet(det_ctx, list_id, local_file_id);
    if (buffer == NULL)
        return NULL;
    if (buffer->initialized)
        return buffer;

    if (cur_file->magic == NULL) {
        DetectFilemagicThreadData *tctx = (DetectFilemagicThreadData *)DetectThreadCtxGetKeywordThreadCtx(
                det_ctx, g_magic_thread_ctx_id);
        if (tctx == NULL)
            return NULL;

        FilemagicThreadLookup(&tctx->ctx, cur_file);
        /* the lookup may legitimately not produce a result yet */
        if (cur_file->magic == NULL)
            return NULL;
    }

    /* unlike the classic keyword, the sticky buffer does not include the
     * trailing NUL of the magic string */
    const char *magic = cur_file->magic;
    InspectionBufferSetupMulti(buffer, transforms, (const uint8_t *)magic, (uint32_t)strlen(magic));

    SCReturnPtr(buffer, "InspectionBuffer");
}
476 
477 static uint8_t DetectEngineInspectFilemagic(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
478  const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags,
479  void *alstate, void *txv, uint64_t tx_id)
480 {
481  const DetectEngineTransforms *transforms = NULL;
482  if (!engine->mpm) {
483  transforms = engine->v2.transforms;
484  }
485 
486  AppLayerGetFileState files = AppLayerParserGetTxFiles(f, alstate, txv, flags);
487  FileContainer *ffc = files.fc;
488  if (ffc == NULL) {
490  }
491 
493  int local_file_id = 0;
494  for (File *file = ffc->head; file != NULL; file = file->next) {
495  InspectionBuffer *buffer = FilemagicGetDataCallback(
496  det_ctx, transforms, f, flags, file, engine->sm_list, local_file_id);
497  if (buffer == NULL)
498  continue;
499 
500  det_ctx->buffer_offset = 0;
501  det_ctx->discontinue_matching = 0;
502  det_ctx->inspection_recursion_counter = 0;
503  int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd,
504  NULL, f,
505  (uint8_t *)buffer->inspect,
506  buffer->inspect_len,
509  if (match == 1) {
511  } else {
513  }
514  local_file_id++;
515  }
516  return r;
517 }
518 
/** Context handed to the file.magic MPM prefilter engine; built once per
 *  signature group in PrefilterMpmFilemagicRegister and freed through
 *  PrefilterMpmFilemagicFree. */
typedef struct PrefilterMpmFilemagic {
    int list_id;                              /**< buffer list id for the file.magic buffer */
    const MpmCtx *mpm_ctx;                    /**< mpm context holding the group's patterns */
    const DetectEngineTransforms *transforms; /**< transforms from the mpm registration */
} PrefilterMpmFilemagic;
524 
/** \brief file.magic Mpm prefilter callback
 *
 * \param det_ctx detection engine thread ctx
 * \param pectx inspection context (a PrefilterMpmFilemagic)
 * \param p packet to inspect (unused)
 * \param f flow to inspect
 * \param txv tx to inspect
 * \param idx tx id (unused)
 * \param txd tx data, used to check whether the tx has files in this direction
 * \param flags direction flags
 */
/**
 * \brief Run the file.magic MPM over every file of a transaction.
 *
 * \param det_ctx detection engine thread ctx
 * \param pectx inspection context (a PrefilterMpmFilemagic)
 * \param p packet to inspect (unused)
 * \param f flow to inspect
 * \param txv tx to inspect
 * \param idx tx id (unused)
 * \param txd tx data, used for the has-files-in-direction early out
 * \param flags direction flags
 */
static void PrefilterTxFilemagic(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p,
        Flow *f, void *txv, const uint64_t idx, const AppLayerTxData *txd, const uint8_t flags)
{
    SCEnter();

    /* cheap early out when the tx carries no files in this direction */
    if (!AppLayerParserHasFilesInDir(txd, flags))
        return;

    const PrefilterMpmFilemagic *ctx = (const PrefilterMpmFilemagic *)pectx;

    AppLayerGetFileState files = AppLayerParserGetTxFiles(f, f->alstate, txv, flags);
    if (files.fc == NULL)
        return;

    int local_file_id = 0;
    for (File *file = files.fc->head; file != NULL; file = file->next) {
        InspectionBuffer *buffer = FilemagicGetDataCallback(
                det_ctx, ctx->transforms, f, flags, file, ctx->list_id, local_file_id);
        /* note: a file without a buffer does not consume a local id */
        if (buffer == NULL)
            continue;

        /* buffers shorter than mpm_ctx->minlen can't hold any pattern */
        if (buffer->inspect_len >= ctx->mpm_ctx->minlen) {
            (void)mpm_table[ctx->mpm_ctx->mpm_type].Search(ctx->mpm_ctx, &det_ctx->mtcu,
                    &det_ctx->pmq, buffer->inspect, buffer->inspect_len);
            PREFILTER_PROFILING_ADD_BYTES(det_ctx, buffer->inspect_len);
        }
        local_file_id++;
    }
}
565 
/**
 * \brief Free callback for the PrefilterMpmFilemagic context.
 *
 * \param ptr PrefilterMpmFilemagic allocated in PrefilterMpmFilemagicRegister
 */
static void PrefilterMpmFilemagicFree(void *ptr)
{
    PrefilterMpmFilemagic *pectx = (PrefilterMpmFilemagic *)ptr;
    SCFree(pectx);
}
570 
/**
 * \brief Register the file.magic MPM prefilter engine for a signature group.
 *
 * \param de_ctx detection engine ctx
 * \param sgh signature group head the engine is attached to
 * \param mpm_ctx mpm context with the group's file.magic patterns
 * \param mpm_reg registration record (alproto, progress, transforms, name)
 * \param list_id buffer list id
 *
 * \retval 0 on success
 * \retval -1 on allocation failure, or whatever PrefilterAppendTxEngine returns
 */
static int PrefilterMpmFilemagicRegister(DetectEngineCtx *de_ctx,
        SigGroupHead *sgh, MpmCtx *mpm_ctx,
        const DetectBufferMpmRegistery *mpm_reg, int list_id)
{
    PrefilterMpmFilemagic *pectx = SCCalloc(1, sizeof(PrefilterMpmFilemagic));
    if (pectx == NULL)
        return -1;

    *pectx = (PrefilterMpmFilemagic){
        .list_id = list_id,
        .mpm_ctx = mpm_ctx,
        .transforms = &mpm_reg->transforms,
    };

    /* pectx is handed to the prefilter engine together with its free
     * function; presumably the engine owns it from here on */
    return PrefilterAppendTxEngine(de_ctx, sgh, PrefilterTxFilemagic,
            mpm_reg->app_v2.alproto, mpm_reg->app_v2.tx_min_progress,
            pectx, PrefilterMpmFilemagicFree, mpm_reg->pname);
}
586 #ifdef UNITTESTS /* UNITTESTS */
587 
588 /**
589  * \test DetectFilemagicTestParse01
590  */
/**
 * \test DetectFilemagicTestParse01: a plain pattern parses successfully.
 */
static int DetectFilemagicTestParse01 (void)
{
    DetectFilemagicData *fmd = DetectFilemagicParse(NULL, "secret.pdf", false);
    FAIL_IF_NULL(fmd);

    DetectFilemagicFree(NULL, fmd);
    PASS;
}
598 
599 /**
600  * \test DetectFilemagicTestParse02
601  */
/**
 * \test DetectFilemagicTestParse02: the parsed pattern bytes and length match
 *       the input.
 */
static int DetectFilemagicTestParse02 (void)
{
    static const char pattern[] = "backup.tar.gz";
    const uint16_t pattern_len = (uint16_t)(sizeof(pattern) - 1);

    DetectFilemagicData *fmd = DetectFilemagicParse(NULL, pattern, false);
    FAIL_IF_NULL(fmd);
    FAIL_IF_NOT(fmd->len == pattern_len);
    FAIL_IF_NOT(memcmp(fmd->name, pattern, pattern_len) == 0);

    DetectFilemagicFree(NULL, fmd);
    PASS;
}
611 
612 /**
613  * \test DetectFilemagicTestParse03
614  */
/**
 * \test DetectFilemagicTestParse03: a short pattern keeps its exact bytes.
 */
static int DetectFilemagicTestParse03 (void)
{
    static const char pattern[] = "cmd.exe";
    const uint16_t pattern_len = (uint16_t)(sizeof(pattern) - 1);

    DetectFilemagicData *fmd = DetectFilemagicParse(NULL, pattern, false);
    FAIL_IF_NULL(fmd);
    FAIL_IF_NOT(fmd->len == pattern_len);
    FAIL_IF_NOT(memcmp(fmd->name, pattern, pattern_len) == 0);

    DetectFilemagicFree(NULL, fmd);
    PASS;
}
624 
625 /**
626  * \brief this function registers unit tests for DetectFilemagic
627  */
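/**
 * \brief this function registers unit tests for DetectFilemagic
 *
 * Declared static near the top of the file; the definition carries the same
 * storage class so the two agree.
 */
static void DetectFilemagicRegisterTests(void)
{
    static const struct {
        const char *name;
        int (*fn)(void);
    } tests[] = {
        { "DetectFilemagicTestParse01", DetectFilemagicTestParse01 },
        { "DetectFilemagicTestParse02", DetectFilemagicTestParse02 },
        { "DetectFilemagicTestParse03", DetectFilemagicTestParse03 },
    };

    for (size_t i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
        UtRegisterTest(tests[i].name, tests[i].fn);
    }
}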
634 #endif /* UNITTESTS */
635 #endif /* HAVE_MAGIC */
636 