71 static void DetectFilenameRegisterTests(
void);
/* File-scope ids resolved at keyword registration time; both start at 0.
 * NOTE(review): the assignments that populate them are not visible in this
 * excerpt — presumably DetectBufferTypeGetByName() (listed below); confirm. */
74 static int g_file_match_list_id = 0;   /* sigmatch list id for file-match keywords */
75 static int g_file_name_buffer_id = 0;  /* buffer id for the file.name sticky buffer */
82 void *alstate,
void *txv, uint64_t tx_id);
143 for (
int i = 0; protos_ts[i] != 0; i++) {
146 DetectEngineInspectFilename, NULL);
149 PrefilterMpmFilenameRegister, NULL, protos_ts[i],
152 for (
int i = 0; protos_tc[i] != 0; i++) {
155 DetectEngineInspectFilename, NULL);
158 PrefilterMpmFilenameRegister, NULL, protos_tc[i],
165 SCLogDebug(
"registering filename rule option");
191 if (file->
name == NULL)
201 memcpy(name, filename->
name, filename->
len);
202 name[filename->
len] =
'\0';
203 SCLogDebug(
"will look for filename %s", name);
242 if (filename->
bm_ctx == NULL) {
259 memcpy(name, filename->
name, filename->
len);
260 name[filename->
len] =
'\0';
261 SCLogDebug(
"will look for filename %s", name);
270 DetectFilenameFree(
de_ctx, filename);
291 if (filename == NULL)
301 sm->
ctx = (
void *)filename;
309 if (filename != NULL)
310 DetectFilenameFree(
de_ctx, filename);
325 if (filename->
bm_ctx != NULL) {
328 if (filename->
name != NULL)
355 int list_id,
int local_file_id)
365 const uint8_t *data = cur_file->
name;
366 uint32_t data_len = cur_file->
name_len;
375 void *alstate,
void *txv, uint64_t tx_id)
389 int local_file_id = 0;
390 for (
File *file = ffc->
head; file != NULL; file = file->
next) {
392 det_ctx, transforms, f,
flags, file, engine->
sm_list, local_file_id);
434 if (!AppLayerParserHasFilesInDir(txd,
flags))
439 const int list_id = ctx->
list_id;
444 int local_file_id = 0;
445 for (
File *file = ffc->
head; file != NULL; file = file->
next) {
462 static void PrefilterMpmFilenameFree(
void *ptr)
479 mpm_reg->
app_v2.alproto, mpm_reg->
app_v2.tx_min_progress,
480 pectx, PrefilterMpmFilenameFree, mpm_reg->
pname);
488 static int DetectFilenameSignatureParseTest01(
void)
494 FAIL_IF_NOT(
UTHParseSignature(
"alert http any any -> any any (flow:to_client; file.name; content:\"abc\"; startswith; endswith; sid:1;)",
true));
505 static int DetectFilenameTestParse01 (
void)
509 DetectFilenameFree(NULL, dnd);
516 static int DetectFilenameTestParse02 (
void)
522 DetectFilenameFree(NULL, dnd);
529 static int DetectFilenameTestParse03 (
void)
535 DetectFilenameFree(NULL, dnd);
542 void DetectFilenameRegisterTests(
void)
544 UtRegisterTest(
"DetectFilenameSignatureParseTest01", DetectFilenameSignatureParseTest01);
546 UtRegisterTest(
"DetectFilenameTestParse01", DetectFilenameTestParse01);
547 UtRegisterTest(
"DetectFilenameTestParse02", DetectFilenameTestParse02);
548 UtRegisterTest(
"DetectFilenameTestParse03", DetectFilenameTestParse03);
int UTHParseSignature(const char *str, bool expect)
Parse a sig and see if the result matches the expected outcome.
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
#define SIGMATCH_INFO_STICKY_BUFFER
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
void(* Free)(DetectEngineCtx *, void *)
Container for matching data for a signature group.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
#define SIGMATCH_QUOTES_OPTIONAL
DetectEngineTransforms transforms
int(* FileMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, File *, const Signature *, const SigMatchCtx *)
struct DetectBufferMpmRegistery_::@87::@89 app_v2
const DetectEngineTransforms * transforms
main detection engine ctx
one time registration of keywords at start up
#define FILE_SIG_NEED_FILENAME
#define SIG_FLAG_TOCLIENT
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
struct DetectEngineAppInspectionEngine_::@84 v2
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
int DetectBufferTypeGetByName(const char *name)
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES
#define SIG_FLAG_TOSERVER
#define PASS
Pass the test.
#define DETECT_ENGINE_INSPECT_SIG_MATCH
#define DETECT_CONTENT_NEGATED
uint8_t * BoyerMooreNocase(const uint8_t *x, uint16_t m, const uint8_t *y, uint32_t n, BmCtx *bm_ctx)
Boyer-Moore search algorithm. It performs better as the pattern length increases and for big buffers to search ...
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
#define SIGMATCH_HANDLE_NEGATION
SignatureInitData * init_data
#define SCReturnPtr(x, type)
Data structures and function prototypes for keeping state for the detection engine.
uint32_t(* Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t)
SigMatch * SigMatchAlloc(void)
Used to start a pointer to SigMatch context. Should never be dereferenced without casting to something...
uint16_t discontinue_matching
int DetectContentDataParse(const char *keyword, const char *contentstr, uint8_t **pstr, uint16_t *plen)
Parse a content string, ie "abc|DE|fgh".
uint8_t DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer, uint32_t buffer_len, uint32_t stream_start_offset, uint8_t flags, uint8_t inspection_mode)
Run the actual payload match functions.
void DetectAppLayerMpmRegister2(const char *name, int direction, int priority, int(*PrefilterRegister)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistery *mpm_reg, int list_id), InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress)
register a MPM engine
struct AppLayerTxData AppLayerTxData
#define PREFILTER_PROFILING_ADD_BYTES(det_ctx, bytes)
#define DETECT_CI_FLAGS_SINGLE
struct PrefilterMpmFilename PrefilterMpmFilename
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
int inspection_recursion_counter
void InspectionBufferSetupMulti(InspectionBuffer *buffer, const DetectEngineTransforms *transforms, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
int PrefilterAppendTxEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, PrefilterTxFn PrefilterTxFunc, AppProto alproto, int tx_min_progress, void *pectx, void(*FreeFunc)(void *pectx), const char *name)
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
uint8_t DetectFileInspectGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *tx, uint64_t tx_id)
Inspect the file inspecting keywords against the state.
a single match condition for a signature
struct DetectFilenameData DetectFilenameData
const DetectEngineTransforms * transforms
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
InspectionBuffer * InspectionBufferMultipleForListGet(DetectEngineThreadCtx *det_ctx, const int list_id, const uint32_t local_id)
for a InspectionBufferMultipleForList get a InspectionBuffer
#define FILE_SIG_NEED_FILE
AppLayerGetFileState AppLayerParserGetTxFiles(const Flow *f, void *state, void *tx, const uint8_t direction)
int DetectBufferSetActiveList(Signature *s, const int list)
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
void DetectFilenameRegister(void)
Registration function for keyword: filename.
BmCtx * BoyerMooreNocaseCtxInit(uint8_t *needle, uint16_t needle_len)
Set up a Boyer-Moore context for nocase search.
int SCLogDebugEnabled(void)
Returns whether debug messages are enabled to be logged or not.
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
void(* RegisterTests)(void)
void BoyerMooreCtxDeInit(BmCtx *bmctx)
Free the memory allocated to the Boyer-Moore context.