61 static void DetectFilenameRegisterTests(
void);
62 static void DetectFilenameFree(
void *);
63 static int g_file_match_list_id = 0;
64 static int g_file_name_buffer_id = 0;
69 static int DetectEngineInspectFilename(
134 for (
int i = 0; protos_ts[i] != 0; i++) {
137 DetectEngineInspectFilename, NULL);
140 PrefilterMpmFilenameRegister, NULL, protos_ts[i],
143 for (
int i = 0; protos_tc[i] != 0; i++) {
146 DetectEngineInspectFilename, NULL);
149 PrefilterMpmFilenameRegister, NULL, protos_tc[i],
157 SCLogDebug(
"registering filename rule option");
183 if (file->
name == NULL)
193 memcpy(name, filename->
name, filename->
len);
194 name[filename->
len] =
'\0';
195 SCLogDebug(
"will look for filename %s", name);
238 if (filename->
bm_ctx == NULL) {
255 memcpy(name, filename->
name, filename->
len);
256 name[filename->
len] =
'\0';
257 SCLogDebug(
"will look for filename %s", name);
266 if (filename != NULL)
267 DetectFilenameFree(filename);
288 if (filename == NULL)
298 sm->
ctx = (
void *)filename;
306 if (filename != NULL)
307 DetectFilenameFree(filename);
318 static void DetectFilenameFree(
void *ptr)
322 if (filename->
bm_ctx != NULL) {
325 if (filename->
name != NULL)
351 Flow *f, uint8_t flow_flags,
File *cur_file,
352 int list_id,
int local_file_id,
bool first)
360 if (!first && buffer->
inspect != NULL)
363 const uint8_t *data = cur_file->
name;
364 uint32_t data_len = cur_file->
name_len;
372 static int DetectEngineInspectFilename(
391 int local_file_id = 0;
393 for (; file != NULL; file = file->
next) {
394 if (file->
txid != tx_id)
398 transforms, f,
flags, file, engine->
sm_list, local_file_id,
false);
441 const uint64_t idx,
const uint8_t
flags)
451 int local_file_id = 0;
454 for (; file != NULL; file = file->
next) {
455 if (file->
txid != idx)
459 ctx->
transforms, f, flags, file, list_id, local_file_id,
true);
472 static void PrefilterMpmFilenameFree(
void *ptr)
490 pectx, PrefilterMpmFilenameFree, mpm_reg->
pname);
498 static int DetectFilenameSignatureParseTest01(
void)
504 FAIL_IF_NOT(
UTHParseSignature(
"alert http any any -> any any (flow:to_client; file.name; content:\"abc\"; startswith; endswith; sid:1;)",
true));
515 static int DetectFilenameTestParse01 (
void)
519 DetectFilenameFree(dnd);
528 static int DetectFilenameTestParse02 (
void)
534 if (dnd->
len == 13 && memcmp(dnd->
name,
"backup.tar.gz", 13) == 0) {
538 DetectFilenameFree(dnd);
547 static int DetectFilenameTestParse03 (
void)
553 if (dnd->
len == 7 && memcmp(dnd->
name,
"cmd.exe", 7) == 0) {
557 DetectFilenameFree(dnd);
568 void DetectFilenameRegisterTests(
void)
571 UtRegisterTest(
"DetectFilenameSignatureParseTest01", DetectFilenameSignatureParseTest01);
573 UtRegisterTest(
"DetectFilenameTestParse01", DetectFilenameTestParse01);
574 UtRegisterTest(
"DetectFilenameTestParse02", DetectFilenameTestParse02);
575 UtRegisterTest(
"DetectFilenameTestParse03", DetectFilenameTestParse03);
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
SignatureInitData * init_data
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
uint16_t discontinue_matching
#define PASS
Pass the test.
int UTHParseSignature(const char *str, bool expect)
parse a sig and check whether the result matches the expected outcome
one time registration of keywords at start up
int DetectContentDataParse(const char *keyword, const char *contentstr, uint8_t **pstr, uint16_t *plen)
Parse a content string, ie "abc|DE|fgh".
#define FILE_SIG_NEED_FILENAME
Container for matching data for a signature group.
struct DetectEngineAppInspectionEngine_::@100 v2
Used to store a pointer to SigMatch context. Should never be dereferenced without casting to something...
int DetectFileInspectGeneric(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, uint8_t flags, void *alstate, void *tx, uint64_t tx_id)
Inspect the file inspecting keywords against the state.
main detection engine ctx
int SCLogDebugEnabled(void)
Returns whether debug messages are enabled to be logged or not.
uint8_t * BoyerMooreNocase(const uint8_t *x, uint16_t m, const uint8_t *y, uint32_t n, BmCtx *bm_ctx)
Boyer Moore search algorithm. Is better as the pattern length increases and for big buffers to search ...
void BoyerMooreCtxDeInit(BmCtx *bmctx)
Free the memory allocated to the Boyer Moore context.
int DetectBufferTypeGetByName(const char *name)
int(* FileMatch)(ThreadVars *, DetectEngineThreadCtx *, Flow *, uint8_t flags, File *, const Signature *, const SigMatchCtx *)
#define SIG_FLAG_TOCLIENT
#define SIGMATCH_INFO_STICKY_BUFFER
void DetectFilenameRegister(void)
Registration function for keyword: filename.
const DetectEngineTransforms * transforms
#define DETECT_ENGINE_INSPECT_SIG_MATCH
Data structures and function prototypes for keeping state for the detection engine.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
#define SIGMATCH_QUOTES_OPTIONAL
#define SIG_FLAG_TOSERVER
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
#define FILE_SIG_NEED_FILE
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
#define DETECT_CONTENT_NEGATED
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
DetectEngineTransforms transforms
void InspectionBufferSetup(InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
set up the buffer with our initial data
struct PrefilterMpmFilename PrefilterMpmFilename
void InspectionBufferApplyTransforms(InspectionBuffer *buffer, const DetectEngineTransforms *transforms)
int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, uint8_t *buffer, uint32_t buffer_len, uint32_t stream_start_offset, uint8_t flags, uint8_t inspection_mode, void *data)
Run the actual payload match functions.
struct DetectMpmAppLayerRegistery_::@101 v2
#define SCReturnPtr(x, type)
BmCtx * BoyerMooreNocaseCtxInit(uint8_t *needle, uint16_t needle_len)
Set up a Boyer Moore context for nocase search.
InspectionBufferMultipleForList * InspectionBufferGetMulti(DetectEngineThreadCtx *det_ctx, const int list_id)
int inspection_recursion_counter
#define DETECT_CI_FLAGS_SINGLE
int DetectBufferSetActiveList(Signature *s, const int list)
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
uint32_t(* Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t)
SigMatch * SigMatchAlloc(void)
int PrefilterAppendTxEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, void(*PrefilterTxFunc)(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, Flow *f, void *tx, const uint64_t idx, const uint8_t flags), AppProto alproto, int tx_min_progress, void *pectx, void(*FreeFunc)(void *pectx), const char *name)
Per thread variable structure.
AppProto alproto
application level protocol
FileContainer * AppLayerParserGetFiles(uint8_t ipproto, AppProto alproto, void *alstate, uint8_t direction)
#define SIGMATCH_HANDLE_NEGATION
InspectionBuffer * InspectionBufferMultipleForListGet(InspectionBufferMultipleForList *fb, uint32_t local_id)
for an InspectionBufferMultipleForList get an InspectionBuffer
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback)
register inspect engine at start up time
void(* RegisterTests)(void)
a single match condition for a signature
#define FAIL_IF_NOT(expr)
Fail a test if the expression does not evaluate to true.
const DetectEngineTransforms * transforms
void DetectAppLayerMpmRegister2(const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectMpmAppLayerRegistery *mpm_reg, int list_id), InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register a MPM engine