suricata
detect-filename.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Pablo Rincon <pablo.rincon.crespo@gmail.com>
23  *
24  */
25 
26 #include "suricata-common.h"
27 #include "threads.h"
28 #include "decode.h"
29 
30 #include "detect.h"
31 
32 #include "detect-engine.h"
33 #include "detect-engine-mpm.h"
34 #include "detect-engine-state.h"
35 #include "detect-engine-file.h"
38 
39 #include "detect-parse.h"
40 #include "detect-content.h"
41 #include "detect-file-data.h"
42 
43 #include "flow.h"
44 #include "flow-var.h"
45 #include "flow-util.h"
46 
47 #include "util-debug.h"
48 #include "util-spm-bm.h"
49 #include "util-unittest.h"
50 #include "util-unittest-helper.h"
51 #include "util-profiling.h"
52 
53 #include "app-layer.h"
54 #include "app-layer-htp.h"
55 
56 #include "stream-tcp.h"
57 
58 #include "detect-filename.h"
59 #include "app-layer-parser.h"
60 
61 static int DetectFileextSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str);
62 static int DetectFilenameSetup (DetectEngineCtx *, Signature *, const char *);
63 static int DetectFilenameSetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str);
64 #ifdef UNITTESTS
65 static void DetectFilenameRegisterTests(void);
66 #endif
67 static int g_file_match_list_id = 0;
68 static int g_file_name_buffer_id = 0;
69 
70 static int PrefilterMpmFilenameRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx,
71  const DetectBufferMpmRegistry *mpm_reg, int list_id);
72 static uint8_t DetectEngineInspectFilename(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
73  const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags,
74  void *alstate, void *txv, uint64_t tx_id);
75 
76 /**
77  * \brief Registration function for keyword: filename
78  */
80 {
81  sigmatch_table[DETECT_FILENAME].name = "filename";
82  sigmatch_table[DETECT_FILENAME].desc = "match on the file name";
83  sigmatch_table[DETECT_FILENAME].url = "/rules/file-keywords.html#filename";
84  sigmatch_table[DETECT_FILENAME].Setup = DetectFilenameSetup;
85 #ifdef UNITTESTS
86  sigmatch_table[DETECT_FILENAME].RegisterTests = DetectFilenameRegisterTests;
87 #endif
90 
91  sigmatch_table[DETECT_FILEEXT].name = "fileext";
92  sigmatch_table[DETECT_FILEEXT].desc = "match on the extension of a file name";
93  sigmatch_table[DETECT_FILEEXT].url = "/rules/file-keywords.html#fileext";
94  sigmatch_table[DETECT_FILEEXT].Setup = DetectFileextSetup;
97 
98  sigmatch_table[DETECT_FILE_NAME].name = "file.name";
99  sigmatch_table[DETECT_FILE_NAME].desc = "sticky buffer to match on the file name";
100  sigmatch_table[DETECT_FILE_NAME].url = "/rules/file-keywords.html#filename";
101  sigmatch_table[DETECT_FILE_NAME].Setup = DetectFilenameSetupSticky;
103 
104  DetectBufferTypeSetDescriptionByName("file.name", "file name");
105 
106  g_file_match_list_id = DetectBufferTypeRegister("files");
107  g_file_name_buffer_id = DetectBufferTypeRegister("file.name");
108 
109  SCLogDebug("registering filename rule option");
114 
115  filehandler_table[DETECT_FILE_NAME].name = "file.name";
117  filehandler_table[DETECT_FILE_NAME].PrefilterFn = PrefilterMpmFilenameRegister;
118  filehandler_table[DETECT_FILE_NAME].Callback = DetectEngineInspectFilename;
119 
121 }
122 
123 static int DetectFileextSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
124 {
125  if (s->init_data->transforms.cnt) {
126  SCLogError("previous transforms not consumed before 'fileext'");
127  SCReturnInt(-1);
128  }
131 
132  size_t dotstr_len = strlen(str) + 2;
133  char *dotstr = SCCalloc(1, dotstr_len);
134  if (dotstr == NULL)
135  return -1;
136  dotstr[0] = '.';
137  strlcat(dotstr, str, dotstr_len);
138 
139  if (DetectContentSetup(de_ctx, s, dotstr) < 0) {
140  SCFree(dotstr);
141  return -1;
142  }
143  SCFree(dotstr);
144 
146  if (sm == NULL)
147  return -1;
148 
151  if (DetectContentConvertToNocase(de_ctx, cd) != 0)
152  return -1;
154  de_ctx, s, NULL, DETECT_FILE_NAME, g_file_name_buffer_id, s->alproto) < 0)
155  return -1;
156 
157  return 0;
158 }
159 /**
160  * \brief this function is used to parse filename options
161  * \brief into the current signature
162  *
163  * \param de_ctx pointer to the Detection Engine Context
164  * \param s pointer to the Current Signature
165  * \param str pointer to the user provided "filename" option
166  *
167  * \retval 0 on Success
168  * \retval -1 on Failure
169  */
170 static int DetectFilenameSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
171 {
172  if (s->init_data->transforms.cnt) {
173  SCLogError("previous transforms not consumed before 'filename'");
174  SCReturnInt(-1);
175  }
178 
179  if (DetectContentSetup(de_ctx, s, str) < 0) {
180  return -1;
181  }
182 
184  if (sm == NULL)
185  return -1;
186 
188  if (DetectContentConvertToNocase(de_ctx, cd) != 0)
189  return -1;
191  de_ctx, s, NULL, DETECT_FILE_NAME, g_file_name_buffer_id, s->alproto) < 0)
192  return -1;
193 
194  return 0;
195 }
196 
197 /* file.name implementation */
198 
199 /**
200  * \brief this function setup the file.data keyword used in the rule
201  *
202  * \param de_ctx Pointer to the Detection Engine Context
203  * \param s Pointer to the Signature to which the current keyword belongs
204  * \param str Should hold an empty string always
205  *
206  * \retval 0 On success
207  */
208 static int DetectFilenameSetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str)
209 {
210  if (DetectSetupDirection(s, str) < 0) {
211  SCLogError("file.name failed to setup direction");
212  return -1;
213  }
214  if (DetectBufferSetActiveList(de_ctx, s, g_file_name_buffer_id) < 0)
215  return -1;
217  return 0;
218 }
219 
220 static InspectionBuffer *FilenameGetDataCallback(DetectEngineThreadCtx *det_ctx,
221  const DetectEngineTransforms *transforms, Flow *f, uint8_t flow_flags, File *cur_file,
222  int list_id, int local_file_id)
223 {
224  SCEnter();
225 
226  InspectionBuffer *buffer = InspectionBufferMultipleForListGet(det_ctx, list_id, local_file_id);
227  if (buffer == NULL)
228  return NULL;
229  if (buffer->initialized)
230  return buffer;
231 
232  const uint8_t *data = cur_file->name;
233  uint32_t data_len = cur_file->name_len;
234 
235  InspectionBufferSetupMulti(det_ctx, buffer, transforms, data, data_len);
236 
237  SCReturnPtr(buffer, "InspectionBuffer");
238 }
239 
240 static uint8_t DetectEngineInspectFilename(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
241  const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags,
242  void *alstate, void *txv, uint64_t tx_id)
243 {
244  const DetectEngineTransforms *transforms = NULL;
245  if (!engine->mpm) {
246  transforms = engine->v2.transforms;
247  }
248 
249  AppLayerGetFileState files = AppLayerParserGetTxFiles(f, txv, flags);
250  FileContainer *ffc = files.fc;
251  if (ffc == NULL || ffc->head == NULL) {
252  const bool eof = (AppLayerParserGetStateProgress(f->proto, f->alproto, txv, flags) >
253  engine->progress);
254  if (eof && engine->match_on_null) {
256  }
257  if (ffc != NULL) {
259  }
261  }
262 
264  int local_file_id = 0;
265  for (File *file = ffc->head; file != NULL; file = file->next) {
266  InspectionBuffer *buffer = FilenameGetDataCallback(
267  det_ctx, transforms, f, flags, file, engine->sm_list, local_file_id);
268  if (buffer == NULL)
269  continue;
270 
271  const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f,
272  buffer->inspect, buffer->inspect_len, buffer->inspect_offset,
274  if (match) {
276  } else {
278  }
279  local_file_id++;
280  }
281  return r;
282 }
283 
284 typedef struct PrefilterMpmFilename {
285  int list_id;
286  const MpmCtx *mpm_ctx;
289 
290 /** \brief Filedata Filedata Mpm prefilter callback
291  *
292  * \param det_ctx detection engine thread ctx
293  * \param p packet to inspect
294  * \param f flow to inspect
295  * \param txv tx to inspect
296  * \param pectx inspection context
297  */
298 static void PrefilterTxFilename(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p,
299  Flow *f, void *txv, const uint64_t idx, const AppLayerTxData *txd, const uint8_t flags)
300 {
301  SCEnter();
302 
303  if (!AppLayerParserHasFilesInDir(txd, flags))
304  return;
305 
306  const PrefilterMpmFilename *ctx = (const PrefilterMpmFilename *)pectx;
307  const MpmCtx *mpm_ctx = ctx->mpm_ctx;
308  const int list_id = ctx->list_id;
309 
310  AppLayerGetFileState files = AppLayerParserGetTxFiles(f, txv, flags);
311  FileContainer *ffc = files.fc;
312  if (ffc != NULL) {
313  int local_file_id = 0;
314  for (File *file = ffc->head; file != NULL; file = file->next) {
315  InspectionBuffer *buffer = FilenameGetDataCallback(
316  det_ctx, ctx->transforms, f, flags, file, list_id, local_file_id);
317  if (buffer == NULL)
318  continue;
319 
320  if (buffer->inspect_len >= mpm_ctx->minlen) {
321  (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx, &det_ctx->mtc, &det_ctx->pmq,
322  buffer->inspect, buffer->inspect_len);
323  PREFILTER_PROFILING_ADD_BYTES(det_ctx, buffer->inspect_len);
324  }
325  local_file_id++;
326  }
327  }
328 }
329 
330 static void PrefilterMpmFilenameFree(void *ptr)
331 {
332  SCFree(ptr);
333 }
334 
335 static int PrefilterMpmFilenameRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx,
336  const DetectBufferMpmRegistry *mpm_reg, int list_id)
337 {
338  PrefilterMpmFilename *pectx = SCCalloc(1, sizeof(*pectx));
339  if (pectx == NULL)
340  return -1;
341  pectx->list_id = list_id;
342  pectx->mpm_ctx = mpm_ctx;
343  pectx->transforms = &mpm_reg->transforms;
344 
345  return PrefilterAppendTxEngine(de_ctx, sgh, PrefilterTxFilename,
346  mpm_reg->app_v2.alproto, mpm_reg->app_v2.tx_min_progress,
347  pectx, PrefilterMpmFilenameFree, mpm_reg->pname);
348 }
349 
350 #ifdef UNITTESTS /* UNITTESTS */
351 
352 /**
353  * \test Test parser accepting valid rules and rejecting invalid rules
354  */
355 static int DetectFilenameSignatureParseTest01(void)
356 {
357  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; file.name; content:\"abc\"; sid:1;)", true));
358  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; file.name; content:\"abc\"; nocase; sid:1;)", true));
359  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; file.name; content:\"abc\"; endswith; sid:1;)", true));
360  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; file.name; content:\"abc\"; startswith; sid:1;)", true));
361  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; file.name; content:\"abc\"; startswith; endswith; sid:1;)", true));
362  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; file.name; bsize:10; sid:1;)", true));
363 
364  FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_client; file.name; content:\"abc\"; rawbytes; sid:1;)", false));
365  FAIL_IF_NOT(UTHParseSignature("alert tcp any any -> any any (flow:to_client; file.name; sid:1;)", false));
366  //FAIL_IF_NOT(UTHParseSignature("alert tls any any -> any any (flow:to_client; file.name; content:\"abc\"; sid:1;)", false));
367  PASS;
368 }
369 /**
370  * \brief this function registers unit tests for DetectFilename
371  */
372 void DetectFilenameRegisterTests(void)
373 {
374  UtRegisterTest("DetectFilenameSignatureParseTest01", DetectFilenameSignatureParseTest01);
375 }
376 #endif /* UNITTESTS */
DetectEngineAppInspectionEngine_
Definition: detect.h:436
SigTableElmt_::url
const char * url
Definition: detect.h:1405
UTHParseSignature
int UTHParseSignature(const char *str, bool expect)
parser a sig and see if the expected result is correct
Definition: util-unittest-helper.c:890
DetectEngineAppInspectionEngine_::mpm
bool mpm
Definition: detect.h:440
detect-content.h
FileContainer_
Definition: util-file.h:113
MpmCtx_::mpm_type
uint8_t mpm_type
Definition: util-mpm.h:95
detect-engine.h
SIGMATCH_INFO_STICKY_BUFFER
#define SIGMATCH_INFO_STICKY_BUFFER
Definition: detect.h:1616
SigTableElmt_::desc
const char * desc
Definition: detect.h:1404
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:155
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1402
InspectionBuffer::initialized
bool initialized
Definition: detect.h:384
stream-tcp.h
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1570
DetectEngineTransforms
Definition: detect.h:415
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:69
Signature_::alproto
AppProto alproto
Definition: detect.h:674
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
SIGMATCH_QUOTES_OPTIONAL
#define SIGMATCH_QUOTES_OPTIONAL
Definition: detect.h:1604
Flow_::proto
uint8_t proto
Definition: flow.h:378
DetectBufferSetActiveList
int DetectBufferSetActiveList(DetectEngineCtx *de_ctx, Signature *s, const int list)
Definition: detect-engine.c:1422
AppLayerParserGetStateProgress
int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto, void *alstate, uint8_t flags)
get the progress value for a tx/protocol
Definition: app-layer-parser.c:1096
InspectionBuffer
Definition: detect.h:380
threads.h
Flow_
Flow data structure.
Definition: flow.h:356
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1298
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1396
PrefilterMpmFilename::transforms
const DetectEngineTransforms * transforms
Definition: detect-filename.c:287
ctx
struct Thresholds ctx
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:920
DetectBufferTypeSupportsMultiInstance
void DetectBufferTypeSupportsMultiInstance(const char *name)
Definition: detect-engine.c:1107
DetectEngineAppInspectionEngine_::v2
struct DetectEngineAppInspectionEngine_::@79 v2
DetectContentConvertToNocase
int DetectContentConvertToNocase(DetectEngineCtx *de_ctx, DetectContentData *cd)
Definition: detect-content.c:766
DetectBufferMpmRegistry_
one time registration of keywords at start up
Definition: detect.h:763
detect-file-data.h
FILE_SIG_NEED_FILENAME
#define FILE_SIG_NEED_FILENAME
Definition: detect.h:320
DetectContentData_
Definition: detect-content.h:93
filehandler_table
DetectFileHandlerTableElmt filehandler_table[DETECT_TBLSIZE_STATIC]
Definition: detect-parse.c:87
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1387
DetectBufferMpmRegistry_::transforms
DetectEngineTransforms transforms
Definition: detect.h:776
detect-engine-prefilter.h
util-unittest.h
detect-filename.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
AppLayerParserGetTxFiles
AppLayerGetFileState AppLayerParserGetTxFiles(const Flow *f, void *tx, const uint8_t direction)
Definition: app-layer-parser.c:878
File_::name_len
uint16_t name_len
Definition: util-file.h:81
DetectEngineAppInspectionEngine_::sm_list
uint16_t sm_list
Definition: detect.h:444
DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES
Definition: detect-engine-state.h:43
PrefilterMpmFilename::list_id
int list_id
Definition: detect-filename.c:285
app-layer-htp.h
decode.h
util-debug.h
DetectSetupDirection
int DetectSetupDirection(Signature *s, const char *str)
Parse and setup a direction.
Definition: detect-parse.c:3539
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
DETECT_CONTENT_ENDS_WITH
#define DETECT_CONTENT_ENDS_WITH
Definition: detect-content.h:42
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
DetectContentSetup
int DetectContentSetup(DetectEngineCtx *de_ctx, Signature *s, const char *contentstr)
Function to setup a content pattern.
Definition: detect-content.c:329
DetectEngineThreadCtx_
Definition: detect.h:1197
strlcat
size_t strlcat(char *, const char *src, size_t siz)
Definition: util-strlcatu.c:45
detect-engine-file.h
SignatureInitData_::list
int list
Definition: detect.h:629
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
detect-engine-mpm.h
FileContainer_::head
File * head
Definition: util-file.h:114
detect.h
DETECT_ENGINE_INSPECT_SIG_MATCH
#define DETECT_ENGINE_INSPECT_SIG_MATCH
Definition: detect-engine-state.h:38
DetectBufferMpmRegistry_::app_v2
struct DetectBufferMpmRegistry_::@87::@89 app_v2
InspectionBuffer::inspect_offset
uint64_t inspect_offset
Definition: detect.h:382
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE
Definition: detect-engine-content-inspection.h:36
DETECT_FILENAME
@ DETECT_FILENAME
Definition: detect-engine-register.h:230
SigTableElmt_::alternative
uint16_t alternative
Definition: detect.h:1400
app-layer-parser.h
MpmCtx_::minlen
uint16_t minlen
Definition: util-mpm.h:104
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:359
util-profiling.h
DetectEngineContentModifierBufferSetup
int DetectEngineContentModifierBufferSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg, int sm_type, int sm_list, AppProto alproto)
Definition: detect-parse.c:222
Packet_
Definition: decode.h:484
DetectEngineAppInspectionEngine_::match_on_null
bool match_on_null
Definition: detect.h:443
DetectContentData_::flags
uint32_t flags
Definition: detect-content.h:104
SIGMATCH_HANDLE_NEGATION
#define SIGMATCH_HANDLE_NEGATION
Definition: detect.h:1612
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:748
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:287
File_::name
uint8_t * name
Definition: util-file.h:88
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
DetectFileHandlerTableElmt_::priority
int priority
Definition: detect-parse.h:34
MpmTableElmt_::Search
uint32_t(* Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t)
Definition: util-mpm.h:177
DetectEngineThreadCtx_::mtc
MpmThreadCtx mtc
Definition: detect.h:1294
PrefilterMpmFilename::mpm_ctx
const MpmCtx * mpm_ctx
Definition: detect-filename.c:286
detect-engine-content-inspection.h
DETECT_SM_LIST_NOTSET
#define DETECT_SM_LIST_NOTSET
Definition: detect.h:143
DetectEngineAppInspectionEngine_::smd
SigMatchData * smd
Definition: detect.h:458
File_
Definition: util-file.h:79
AppLayerTxData
struct AppLayerTxData AppLayerTxData
Definition: detect.h:1466
PREFILTER_PROFILING_ADD_BYTES
#define PREFILTER_PROFILING_ADD_BYTES(det_ctx, bytes)
Definition: util-profiling.h:286
DETECT_FILE_NAME
@ DETECT_FILE_NAME
Definition: detect-engine-register.h:231
DETECT_CI_FLAGS_SINGLE
#define DETECT_CI_FLAGS_SINGLE
Definition: detect-engine-content-inspection.h:49
DetectBufferTypeRegister
int DetectBufferTypeRegister(const char *name)
Definition: detect-engine.c:1093
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
PrefilterMpmFilename
struct PrefilterMpmFilename PrefilterMpmFilename
Signature_::file_flags
uint8_t file_flags
Definition: detect.h:685
File_::next
struct File_ * next
Definition: util-file.h:92
DetectFileHandlerTableElmt_::PrefilterFn
PrefilterRegisterFunc PrefilterFn
Definition: detect-parse.h:35
PrefilterMpmFilename
Definition: detect-filename.c:284
util-spm-bm.h
PrefilterAppendTxEngine
int PrefilterAppendTxEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, PrefilterTxFn PrefilterTxFunc, AppProto alproto, int tx_min_progress, void *pectx, void(*FreeFunc)(void *pectx), const char *name)
Definition: detect-engine-prefilter.c:352
DETECT_ENGINE_INSPECT_SIG_NO_MATCH
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
Definition: detect-engine-state.h:37
DetectEngineAppInspectionEngine_::progress
int16_t progress
Definition: detect.h:446
SIGMATCH_OPTIONAL_OPT
#define SIGMATCH_OPTIONAL_OPT
Definition: detect.h:1601
InspectionBuffer::inspect_len
uint32_t inspect_len
Definition: detect.h:383
InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect.h:381
str
#define str(s)
Definition: suricata-common.h:300
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DetectFileInspectGeneric
uint8_t DetectFileInspectGeneric(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *tx, uint64_t tx_id)
Inspect the file inspecting keywords against the state.
Definition: detect-engine-file.c:182
detect-parse.h
Signature_
Signature container.
Definition: detect.h:669
SigMatch_
a single match condition for a signature
Definition: detect.h:356
DetectEngineAppInspectionEngine_::transforms
const DetectEngineTransforms * transforms
Definition: detect.h:455
mpm_table
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
Definition: util-mpm.c:47
DetectEngineTransforms::cnt
int cnt
Definition: detect.h:417
DetectFileHandlerTableElmt_::Callback
InspectEngineFuncPtr Callback
Definition: detect-parse.h:36
InspectionBufferMultipleForListGet
InspectionBuffer * InspectionBufferMultipleForListGet(DetectEngineThreadCtx *det_ctx, const int list_id, const uint32_t local_id)
for a InspectionBufferMultipleForList get a InspectionBuffer
Definition: detect-engine.c:1598
FILE_SIG_NEED_FILE
#define FILE_SIG_NEED_FILE
Definition: detect.h:319
DETECT_FILEEXT
@ DETECT_FILEEXT
Definition: detect-engine-register.h:232
DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition: detect-parse.c:634
DetectFileHandlerTableElmt_::name
const char * name
Definition: detect-parse.h:33
DetectBufferTypeSetDescriptionByName
void DetectBufferTypeSetDescriptionByName(const char *name, const char *desc)
Definition: detect-engine.c:1254
SignatureInitData_::transforms
DetectEngineTransforms transforms
Definition: detect.h:632
MpmCtx_
Definition: util-mpm.h:93
flow.h
DetectEngineContentInspection
bool DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer, const uint32_t buffer_len, const uint32_t stream_start_offset, const uint8_t flags, const enum DetectContentInspectionType inspection_mode)
wrapper around DetectEngineContentInspectionInternal to return true/false only
Definition: detect-engine-content-inspection.c:733
DetectFilenameRegister
void DetectFilenameRegister(void)
Registration function for keyword: filename.
Definition: detect-filename.c:79
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:450
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
flow-var.h
InspectionBufferSetupMulti
void InspectionBufferSetupMulti(DetectEngineThreadCtx *det_ctx, InspectionBuffer *buffer, const DetectEngineTransforms *transforms, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine.c:1679
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1394
app-layer.h
DetectBufferMpmRegistry_::pname
char pname[32]
Definition: detect.h:765