62 static void DetectFilenameRegisterTests(
void);
65 static int g_file_match_list_id = 0;
66 static int g_file_name_buffer_id = 0;
71 static int DetectEngineInspectFilename(
75 Flow *f, uint8_t
flags,
void *alstate,
void *txv, uint64_t tx_id);
136 for (
int i = 0; protos_ts[i] != 0; i++) {
139 DetectEngineInspectFilename, NULL);
142 PrefilterMpmFilenameRegister, NULL, protos_ts[i],
145 for (
int i = 0; protos_tc[i] != 0; i++) {
148 DetectEngineInspectFilename, NULL);
151 PrefilterMpmFilenameRegister, NULL, protos_tc[i],
159 SCLogDebug(
"registering filename rule option");
185 if (file->
name == NULL)
195 memcpy(name, filename->
name, filename->
len);
196 name[filename->
len] =
'\0';
197 SCLogDebug(
"will look for filename %s", name);
241 if (filename->
bm_ctx == NULL) {
258 memcpy(name, filename->
name, filename->
len);
259 name[filename->
len] =
'\0';
260 SCLogDebug(
"will look for filename %s", name);
269 if (filename != NULL)
270 DetectFilenameFree(
de_ctx, filename);
291 if (filename == NULL)
301 sm->
ctx = (
void *)filename;
309 if (filename != NULL)
310 DetectFilenameFree(
de_ctx, filename);
325 if (filename->
bm_ctx != NULL) {
328 if (filename->
name != NULL)
355 Flow *f, uint8_t flow_flags,
File *cur_file,
356 int list_id,
int local_file_id,
bool first)
363 if (!first && buffer->
inspect != NULL)
366 const uint8_t *data = cur_file->
name;
367 uint32_t data_len = cur_file->
name_len;
374 static int DetectEngineInspectFilename(
378 Flow *f, uint8_t
flags,
void *alstate,
void *txv, uint64_t tx_id)
391 int local_file_id = 0;
392 for (
File *file = ffc->
head; file != NULL; file = file->
next) {
393 if (file->
txid != tx_id)
397 transforms, f,
flags, file, engine->
sm_list, local_file_id,
false);
437 const uint64_t idx,
const uint8_t
flags)
443 const int list_id = ctx->
list_id;
447 int local_file_id = 0;
448 for (
File *file = ffc->
head; file != NULL; file = file->
next) {
449 if (file->
txid != idx)
467 static void PrefilterMpmFilenameFree(
void *ptr)
484 mpm_reg->
app_v2.alproto, mpm_reg->
app_v2.tx_min_progress,
485 pectx, PrefilterMpmFilenameFree, mpm_reg->
pname);
493 static int DetectFilenameSignatureParseTest01(
void)
499 FAIL_IF_NOT(
UTHParseSignature(
"alert http any any -> any any (flow:to_client; file.name; content:\"abc\"; startswith; endswith; sid:1;)",
true));
510 static int DetectFilenameTestParse01 (
void)
514 DetectFilenameFree(NULL, dnd);
523 static int DetectFilenameTestParse02 (
void)
529 if (dnd->
len == 13 && memcmp(dnd->
name,
"backup.tar.gz", 13) == 0) {
533 DetectFilenameFree(NULL, dnd);
542 static int DetectFilenameTestParse03 (
void)
548 if (dnd->
len == 7 && memcmp(dnd->
name,
"cmd.exe", 7) == 0) {
552 DetectFilenameFree(NULL, dnd);
562 void DetectFilenameRegisterTests(
void)
564 UtRegisterTest(
"DetectFilenameSignatureParseTest01", DetectFilenameSignatureParseTest01);
566 UtRegisterTest(
"DetectFilenameTestParse01", DetectFilenameTestParse01);
567 UtRegisterTest(
"DetectFilenameTestParse02", DetectFilenameTestParse02);
568 UtRegisterTest(
"DetectFilenameTestParse03", DetectFilenameTestParse03);
int UTHParseSignature(const char *str, bool expect)
Parse a signature and check whether the expected result is obtained.
#define SIGMATCH_INFO_STICKY_BUFFER
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
void(* Free)(DetectEngineCtx *, void *)
Container for matching data for a signature group.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
#define SIGMATCH_QUOTES_OPTIONAL
DetectEngineTransforms transforms
int(* FileMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, File *, const Signature *, const SigMatchCtx *)
struct DetectBufferMpmRegistery_::@87::@89 app_v2
const DetectEngineTransforms * transforms
main detection engine ctx
FileContainer * AppLayerParserGetFiles(const Flow *f, const uint8_t direction)
One-time registration of keywords at start-up.
#define FILE_SIG_NEED_FILENAME
int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer, uint32_t buffer_len, uint32_t stream_start_offset, uint8_t flags, uint8_t inspection_mode)
Run the actual payload match functions.
#define SIG_FLAG_TOCLIENT
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
struct DetectEngineAppInspectionEngine_::@84 v2
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
int DetectBufferTypeGetByName(const char *name)
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES
#define SIG_FLAG_TOSERVER
#define PASS
Pass the test.
#define DETECT_ENGINE_INSPECT_SIG_MATCH
#define DETECT_CONTENT_NEGATED
uint8_t * BoyerMooreNocase(const uint8_t *x, uint16_t m, const uint8_t *y, uint32_t n, BmCtx *bm_ctx)
Boyer-Moore search algorithm. Performs better as the pattern length increases and for large buffers to search ...
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
Register an inspect engine at start-up time.
#define SIGMATCH_HANDLE_NEGATION
SignatureInitData * init_data
#define SCReturnPtr(x, type)
Data structures and function prototypes for keeping state for the detection engine.
uint32_t(* Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t)
SigMatch * SigMatchAlloc(void)
int DetectFileInspectGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f, uint8_t flags, void *_alstate, void *tx, uint64_t tx_id)
Inspect the file inspecting keywords against the state.
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
uint16_t discontinue_matching
int DetectContentDataParse(const char *keyword, const char *contentstr, uint8_t **pstr, uint16_t *plen)
Parse a content string, ie "abc|DE|fgh".
void DetectAppLayerMpmRegister2(const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id), InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
Register an MPM engine.
#define DETECT_CI_FLAGS_SINGLE
struct PrefilterMpmFilename PrefilterMpmFilename
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
int inspection_recursion_counter
void InspectionBufferSetupMulti(InspectionBuffer *buffer, const DetectEngineTransforms *transforms, const uint8_t *data, const uint32_t data_len)
Set up the buffer with our initial data.
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
a single match condition for a signature
int PrefilterAppendTxEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, void(*PrefilterTxFunc)(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, Flow *f, void *tx, const uint64_t idx, const uint8_t flags), AppProto alproto, int tx_min_progress, void *pectx, void(*FreeFunc)(void *pectx), const char *name)
const DetectEngineTransforms * transforms
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
InspectionBuffer * InspectionBufferMultipleForListGet(DetectEngineThreadCtx *det_ctx, const int list_id, const uint32_t local_id)
For an InspectionBufferMultipleForList, get an InspectionBuffer.
#define FILE_SIG_NEED_FILE
int DetectBufferSetActiveList(Signature *s, const int list)
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
void DetectFilenameRegister(void)
Registration function for keyword: filename.
BmCtx * BoyerMooreNocaseCtxInit(uint8_t *needle, uint16_t needle_len)
Set up a Boyer-Moore context for nocase search.
int SCLogDebugEnabled(void)
Returns whether debug messages are enabled to be logged or not.
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
void(* RegisterTests)(void)
void BoyerMooreCtxDeInit(BmCtx *bmctx)
Free the memory allocated to a Boyer-Moore context.