1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Pablo Rincon <pablo.rincon.crespo@gmail.com>
23  *
24  */
25 
26 #include "suricata-common.h"
27 #include "threads.h"
28 #include "decode.h"
29 
30 #include "detect.h"
31 #include "detect-parse.h"
32 #include "detect-content.h"
33 
34 #include "detect-engine.h"
35 #include "detect-engine-mpm.h"
36 #include "detect-engine-state.h"
37 #include "detect-engine-file.h"
40 
41 #include "flow.h"
42 #include "flow-var.h"
43 #include "flow-util.h"
44 
45 #include "util-debug.h"
46 #include "util-spm-bm.h"
47 #include "util-unittest.h"
48 #include "util-unittest-helper.h"
49 #include "util-profiling.h"
50 
51 #include "app-layer.h"
52 #include "app-layer-htp.h"
53 
54 #include "stream-tcp.h"
55 
56 #include "detect-filename.h"
57 #include "app-layer-parser.h"
58 
59 typedef struct DetectFilenameData {
60  uint8_t *name; /** pattern searched for in the file name; owned, not NUL-terminated (see len) */
61  BmCtx *bm_ctx; /** nocase Boyer-Moore context built over name/len; owned, released with BoyerMooreCtxDeInit */
62  uint16_t len; /** number of bytes in name */
63  uint32_t flags; /** DETECT_CONTENT_NEGATED when the keyword was negated in the rule */
65 
66 static int DetectFilenameMatch (DetectEngineThreadCtx *, Flow *,
67  uint8_t, File *, const Signature *, const SigMatchCtx *);
68 static int DetectFilenameSetup (DetectEngineCtx *, Signature *, const char *);
69 static int DetectFilenameSetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str);
70 #ifdef UNITTESTS
/* declared static here; the definition at the bottom of the file inherits this internal linkage */
71 static void DetectFilenameRegisterTests(void);
72 #endif
73 static void DetectFilenameFree(DetectEngineCtx *, void *);
/* id of the "files" sigmatch list, resolved in DetectFilenameRegister; DetectFilenameSetup appends its SigMatch there */
74 static int g_file_match_list_id = 0;
/* id of the "file.name" sticky buffer, resolved in DetectFilenameRegister; DetectFilenameSetupSticky activates it */
75 static int g_file_name_buffer_id = 0;
76 
77 static int PrefilterMpmFilenameRegister(DetectEngineCtx *de_ctx,
78  SigGroupHead *sgh, MpmCtx *mpm_ctx,
79  const DetectBufferMpmRegistery *mpm_reg, int list_id);
80 static uint8_t DetectEngineInspectFilename(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
81  const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags,
82  void *alstate, void *txv, uint64_t tx_id);
83 
84 /**
85  * \brief Registration function for keyword: filename
 *
 * Registers the "filename" keyword (evaluated per file by DetectFilenameMatch,
 * its SigMatch kept on the "files" list) and the "file.name" sticky buffer,
 * hooks the file.name inspect and MPM engines into every protocol listed in
 * protos_ts and protos_tc, and caches the "files" list id and the "file.name"
 * buffer id that the Setup functions rely on.
86  */
88 {
89  sigmatch_table[DETECT_FILENAME].name = "filename";
90  sigmatch_table[DETECT_FILENAME].desc = "match on the file name";
91  sigmatch_table[DETECT_FILENAME].url = "/rules/file-keywords.html#filename";
92  sigmatch_table[DETECT_FILENAME].FileMatch = DetectFilenameMatch;
93  sigmatch_table[DETECT_FILENAME].Setup = DetectFilenameSetup;
94  sigmatch_table[DETECT_FILENAME].Free = DetectFilenameFree;
95 #ifdef UNITTESTS
96  sigmatch_table[DETECT_FILENAME].RegisterTests = DetectFilenameRegisterTests;
97 #endif
100 
 /* file.name has no Free/FileMatch of its own: matching is done by the
  * content keywords that follow it in the rule, via the inspect engine below */
101  sigmatch_table[DETECT_FILE_NAME].name = "file.name";
102  sigmatch_table[DETECT_FILE_NAME].desc = "sticky buffer to match on the file name";
103  sigmatch_table[DETECT_FILE_NAME].url = "/rules/file-keywords.html#filename";
104  sigmatch_table[DETECT_FILE_NAME].Setup = DetectFilenameSetupSticky;
106 
108  HTP_REQUEST_BODY, DetectFileInspectGeneric, NULL);
110  HTP_RESPONSE_BODY, DetectFileInspectGeneric, NULL);
111 
114 
119 
124 
129 
130  //this is used by filestore
132  HTTP2StateDataClient, DetectFileInspectGeneric, NULL);
134  HTTP2StateDataServer, DetectFileInspectGeneric, NULL);
135 
 /* the "files" list must exist before DetectFilenameSetup can append to it */
136  g_file_match_list_id = DetectBufferTypeGetByName("files");
137 
139  ALPROTO_NFS, 0 };
141  0 };
142 
 /* file.name: one inspect engine plus one MPM prefilter per protocol, first
  * for the protos_ts list, then for the protos_tc list */
143  for (int i = 0; protos_ts[i] != 0; i++) {
144  DetectAppLayerInspectEngineRegister2("file.name", protos_ts[i],
146  DetectEngineInspectFilename, NULL);
147 
149  PrefilterMpmFilenameRegister, NULL, protos_ts[i],
150  0);
151  }
152  for (int i = 0; protos_tc[i] != 0; i++) {
153  DetectAppLayerInspectEngineRegister2("file.name", protos_tc[i],
155  DetectEngineInspectFilename, NULL);
156 
158  PrefilterMpmFilenameRegister, NULL, protos_tc[i],
159  0);
160  }
161 
162  DetectBufferTypeSetDescriptionByName("file.name", "file name");
163 
 /* resolved after the engines are registered; used by DetectFilenameSetupSticky */
164  g_file_name_buffer_id = DetectBufferTypeGetByName("file.name");
165  SCLogDebug("registering filename rule option");
166  return;
167 }
168 
/**
 * \brief Match the "filename" keyword against the name of one file
 *
 * Runs a case-insensitive Boyer-Moore search of the keyword pattern over the
 * file name and honours DETECT_CONTENT_NEGATED.
 *
 * \param det_ctx pattern matcher thread local data (unused)
 * \param f *LOCKED* flow (unused)
 * \param flags direction flags (unused)
 * \param file file being inspected
 * \param s signature being inspected (unused)
 * \param m sigmatch context, really a DetectFilenameData
 *
 * \retval 0 no match; also for a file without a name, even when the keyword
 *         is negated
 * \retval 1 match
 */
static int DetectFilenameMatch (DetectEngineThreadCtx *det_ctx,
        Flow *f, uint8_t flags, File *file, const Signature *s, const SigMatchCtx *m)
{
    SCEnter();

    const DetectFilenameData *fnd = (const DetectFilenameData *)m;

    /* a nameless file never satisfies the keyword, negated or not */
    if (file->name == NULL)
        SCReturnInt(0);

    const bool negated = (fnd->flags & DETECT_CONTENT_NEGATED) != 0;
    const bool found = BoyerMooreNocase(fnd->name, fnd->len, file->name,
                               file->name_len, fnd->bm_ctx) != NULL;

    if (found) {
#ifdef DEBUG
        /* the pattern is not NUL-terminated, so log it through a terminated copy */
        if (SCLogDebugEnabled()) {
            char *name = SCMalloc(fnd->len + 1);
            if (name != NULL) {
                memcpy(name, fnd->name, fnd->len);
                name[fnd->len] = '\0';
                SCLogDebug("will look for filename %s", name);
                SCFree(name);
            }
        }
#endif
    } else if (negated) {
        SCLogDebug("negated match");
    }

    /* a plain keyword matches when the pattern is found, a negated one when it is not */
    SCReturnInt(found != negated ? 1 : 0);
}
221 
/**
 * \brief Parse the filename keyword
 *
 * Turns the user supplied pattern into a DetectFilenameData: the content
 * parser decodes the pattern bytes, a nocase Boyer-Moore context is built
 * for them, and the negation flag is recorded.
 *
 * \param de_ctx Pointer to the detection engine context
 * \param str Pointer to the user provided option
 * \param negate true when the keyword was negated in the rule
 *
 * \retval filename pointer to DetectFilenameData on success; the caller owns
 *         it and releases it with DetectFilenameFree
 * \retval NULL on failure, with nothing left allocated
 */
static DetectFilenameData *DetectFilenameParse (DetectEngineCtx *de_ctx, const char *str, bool negate)
{
    DetectFilenameData *fnd = SCCalloc(1, sizeof(*fnd));
    if (unlikely(fnd == NULL))
        return NULL;

    if (DetectContentDataParse ("filename", str, &fnd->name, &fnd->len) == -1) {
        DetectFilenameFree(de_ctx, fnd);
        return NULL;
    }

    /* built once here and reused by every DetectFilenameMatch call */
    fnd->bm_ctx = BoyerMooreNocaseCtxInit(fnd->name, fnd->len);
    if (fnd->bm_ctx == NULL) {
        /* fnd->name is already set, the generic free releases it as well */
        DetectFilenameFree(de_ctx, fnd);
        return NULL;
    }

    if (negate)
        fnd->flags |= DETECT_CONTENT_NEGATED;

    SCLogDebug("flags %02X", fnd->flags);
    if (fnd->flags & DETECT_CONTENT_NEGATED) {
        SCLogDebug("negated filename");
    }

#ifdef DEBUG
    /* the pattern is not NUL-terminated, so log it through a terminated copy */
    if (SCLogDebugEnabled()) {
        char *name = SCMalloc(fnd->len + 1);
        if (name != NULL) {
            memcpy(name, fnd->name, fnd->len);
            name[fnd->len] = '\0';
            SCLogDebug("will look for filename %s", name);
            SCFree(name);
        }
    }
#endif

    return fnd;
}
273 
274 /**
275  * \brief Set up the "filename" keyword for the current signature:
276  * parse the option and append a DETECT_FILENAME SigMatch to the "files" list
277  *
278  * \param de_ctx pointer to the Detection Engine Context
279  * \param s pointer to the Current Signature
280  * \param str pointer to the user provided "filename" option
281  *
282  * \retval 0 on Success; the SigMatch now owns the parsed data
283  * \retval -1 on Failure; nothing is left allocated
284  */
285 static int DetectFilenameSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
286 {
287  DetectFilenameData *filename = NULL;
288  SigMatch *sm = NULL;
289 
 /* keyword negation was recorded by the rule parser in init_data */
290  filename = DetectFilenameParse(de_ctx, str, s->init_data->negated);
291  if (filename == NULL)
292  goto error;
293 
294  /* Okay so far so good, lets get this into a SigMatch
295  * and put it in the Signature. */
296  sm = SigMatchAlloc();
297  if (sm == NULL)
298  goto error;
299 
300  sm->type = DETECT_FILENAME;
301  sm->ctx = (void *)filename;
302 
303  SigMatchAppendSMToList(s, sm, g_file_match_list_id);
304 
306  return 0;
307 
 /* only reached before the SigMatch is appended, so each pointer is freed at most once */
308 error:
309  if (filename != NULL)
310  DetectFilenameFree(de_ctx, filename);
311  if (sm != NULL)
312  SCFree(sm);
313  return -1;
314 }
315 
/**
 * \brief Release a DetectFilenameData and everything it owns
 *
 * \param de_ctx detection engine context (unused)
 * \param ptr the DetectFilenameData to free; NULL is accepted
 */
static void DetectFilenameFree(DetectEngineCtx *de_ctx, void *ptr)
{
    DetectFilenameData *fnd = ptr;
    if (fnd == NULL)
        return;

    /* a partially built object (parse failed midway) has NULL members */
    if (fnd->bm_ctx != NULL)
        BoyerMooreCtxDeInit(fnd->bm_ctx);
    if (fnd->name != NULL)
        SCFree(fnd->name);
    SCFree(fnd);
}
333 
334 /* file.name implementation */
335 
336 /**
337  * \brief this function sets up the file.name sticky buffer used in the rule
338  *
339  * \param de_ctx Pointer to the Detection Engine Context (unused)
340  * \param s Pointer to the Signature to which the current keyword belongs
341  * \param str Should hold an empty string always (unused)
342  *
343  * \retval 0 On success
 * \retval -1 when the file.name buffer could not be made the signature's active list
344  */
345 static int DetectFilenameSetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str)
346 {
 /* g_file_name_buffer_id is resolved by DetectFilenameRegister */
347  if (DetectBufferSetActiveList(s, g_file_name_buffer_id) < 0)
348  return -1;
350  return 0;
351 }
352 
/**
 * \brief Get, and on first use set up, the file.name inspection buffer of one file
 *
 * \param det_ctx detection engine thread ctx
 * \param transforms transforms to apply to the name, NULL when the caller has none
 * \param f flow (unused)
 * \param flow_flags direction flags (unused)
 * \param cur_file file whose name is inspected
 * \param list_id sigmatch list id the buffer belongs to
 * \param local_file_id position of cur_file among the container's files, as counted by the caller
 *
 * \retval buffer the (possibly already initialized) buffer
 * \retval NULL when no buffer is available for list_id/local_file_id
 */
static InspectionBuffer *FilenameGetDataCallback(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms, Flow *f, uint8_t flow_flags, File *cur_file,
        int list_id, int local_file_id)
{
    SCEnter();

    InspectionBuffer *buffer = InspectionBufferMultipleForListGet(det_ctx, list_id, local_file_id);
    if (buffer == NULL)
        return NULL;

    /* the prefilter and the inspect engine share this buffer; whoever comes first fills it */
    if (buffer->initialized)
        return buffer;

    /* NOTE(review): a file without a name yields an empty (NULL, 0) buffer
     * rather than no buffer, whereas DetectFilenameMatch treats a missing
     * name as "no match" -- confirm this is intended for negated or
     * zero-size content matches on file.name. */
    InspectionBufferSetupMulti(buffer, transforms, cur_file->name, cur_file->name_len);

    SCReturnPtr(buffer, "InspectionBuffer");
}
372 
/**
 * \brief Inspect engine for the file.name sticky buffer
 *
 * For every file the tx holds in the inspected direction, runs the
 * signature's content matchers (engine->smd) over that file's name buffer.
 *
 * \param de_ctx detection engine ctx
 * \param det_ctx detection engine thread ctx
 * \param engine registered inspect engine: supplies the sigmatch list, the
 *        matchers and, for the non-mpm engine, the transforms
 * \param s signature being inspected
 * \param f flow
 * \param flags direction flags
 * \param alstate app-layer state
 * \param txv tx being inspected
 * \param tx_id id of txv
 *
 * \return r, presumably one of the DETECT_ENGINE_INSPECT_SIG_* codes -- confirm
 */
373 static uint8_t DetectEngineInspectFilename(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
374  const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags,
375  void *alstate, void *txv, uint64_t tx_id)
376 {
 /* presumably the mpm engine already applied its transforms at prefilter
  * time, so only the non-mpm engine applies them here -- confirm */
377  const DetectEngineTransforms *transforms = NULL;
378  if (!engine->mpm) {
379  transforms = engine->v2.transforms;
380  }
381 
382  AppLayerGetFileState files = AppLayerParserGetTxFiles(f, alstate, txv, flags);
383  FileContainer *ffc = files.fc;
384  if (ffc == NULL) {
386  }
387 
389  int local_file_id = 0;
390  for (File *file = ffc->head; file != NULL; file = file->next) {
391  InspectionBuffer *buffer = FilenameGetDataCallback(
392  det_ctx, transforms, f, flags, file, engine->sm_list, local_file_id);
 /* NOTE(review): a NULL buffer skips the local_file_id increment below, so
  * the next file reuses the same id -- confirm that is intended */
393  if (buffer == NULL)
394  continue;
395 
 /* reset the per-buffer inspection state before each file's content inspection */
396  det_ctx->buffer_offset = 0;
397  det_ctx->discontinue_matching = 0;
398  det_ctx->inspection_recursion_counter = 0;
 /* the const-dropping cast looks unnecessary: DetectEngineContentInspection
  * takes a const uint8_t * buffer */
399  int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd,
400  NULL, f,
401  (uint8_t *)buffer->inspect,
402  buffer->inspect_len,
405  if (match == 1) {
407  } else {
409  }
410  local_file_id++;
411  }
412  return r;
413 }
414 
/* per-signature-group context handed to PrefilterTxFilename by PrefilterMpmFilenameRegister */
415 typedef struct PrefilterMpmFilename {
416  int list_id; /* sigmatch list id of the file.name buffer */
417  const MpmCtx *mpm_ctx; /* MPM ctx the prefilter searches with */
420 
/** \brief file.name MPM prefilter callback
 *
 * Runs the MPM over the name of every file the tx holds in the inspected
 * direction; the search reports into det_ctx->pmq.
 *
 * \param det_ctx detection engine thread ctx
 * \param pectx PrefilterMpmFilename set up by PrefilterMpmFilenameRegister
 * \param p packet to inspect (unused)
 * \param f flow to inspect
 * \param txv tx to inspect
 * \param idx tx id (unused)
 * \param txd tx data, consulted for files in this direction
 * \param flags direction flags
 */
static void PrefilterTxFilename(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p,
        Flow *f, void *txv, const uint64_t idx, const AppLayerTxData *txd, const uint8_t flags)
{
    SCEnter();

    /* cheap check first: no files in this direction means nothing to search */
    if (!AppLayerParserHasFilesInDir(txd, flags))
        return;

    const PrefilterMpmFilename *pf = pectx;
    AppLayerGetFileState files = AppLayerParserGetTxFiles(f, f->alstate, txv, flags);
    if (files.fc == NULL)
        return;

    int local_file_id = 0;
    for (File *file = files.fc->head; file != NULL; file = file->next) {
        InspectionBuffer *buffer = FilenameGetDataCallback(
                det_ctx, pf->transforms, f, flags, file, pf->list_id, local_file_id);
        /* NOTE(review): a NULL buffer skips the increment below, so the next
         * file reuses the same local_file_id -- confirm that is intended */
        if (buffer == NULL)
            continue;

        /* skip names shorter than the mpm's minimum pattern length */
        if (buffer->inspect_len >= pf->mpm_ctx->minlen) {
            (void)mpm_table[pf->mpm_ctx->mpm_type].Search(pf->mpm_ctx,
                    &det_ctx->mtcu, &det_ctx->pmq,
                    buffer->inspect, buffer->inspect_len);
            PREFILTER_PROFILING_ADD_BYTES(det_ctx, buffer->inspect_len);
        }
        local_file_id++;
    }
}
461 
/**
 * \brief Free callback for the PrefilterMpmFilename context
 *
 * \param ptr the PrefilterMpmFilename allocated by PrefilterMpmFilenameRegister
 */
static void PrefilterMpmFilenameFree(void *ptr)
{
    PrefilterMpmFilename *pf = ptr;
    SCFree(pf);
}
466 
/**
 * \brief Set up the file.name MPM prefilter for a signature group
 *
 * \param de_ctx detection engine ctx
 * \param sgh signature group the prefilter engine is appended to
 * \param mpm_ctx MPM ctx the prefilter searches with
 * \param mpm_reg registration record; its transforms are referenced, not copied
 * \param list_id sigmatch list id of the file.name buffer
 *
 * \retval -1 on allocation failure
 * \return otherwise whatever PrefilterAppendTxEngine returns
 */
static int PrefilterMpmFilenameRegister(DetectEngineCtx *de_ctx,
        SigGroupHead *sgh, MpmCtx *mpm_ctx,
        const DetectBufferMpmRegistery *mpm_reg, int list_id)
{
    PrefilterMpmFilename *pf = SCCalloc(1, sizeof(*pf));
    if (pf == NULL)
        return -1;

    /* the transforms pointer stays valid only as long as mpm_reg does --
     * presumably the lifetime of the detect engine; confirm against the caller */
    *pf = (PrefilterMpmFilename){
        .list_id = list_id,
        .mpm_ctx = mpm_ctx,
        .transforms = &mpm_reg->transforms,
    };

    /* ownership of pf passes to the prefilter engine, which frees it with
     * PrefilterMpmFilenameFree; what happens to pf on a failed append is up to
     * PrefilterAppendTxEngine -- confirm */
    return PrefilterAppendTxEngine(de_ctx, sgh, PrefilterTxFilename,
            mpm_reg->app_v2.alproto, mpm_reg->app_v2.tx_min_progress,
            pf, PrefilterMpmFilenameFree, mpm_reg->pname);
}
482 
483 #ifdef UNITTESTS /* UNITTESTS */
484 
/**
 * \test Test parser accepting valid rules and rejecting invalid rules
 *
 * Each case pairs a rule with the outcome UTHParseSignature must report.
 */
static int DetectFilenameSignatureParseTest01(void)
{
    static const struct {
        const char *rule;
        bool expect;
    } cases[] = {
        { "alert http any any -> any any (flow:to_client; file.name; content:\"abc\"; sid:1;)", true },
        { "alert http any any -> any any (flow:to_client; file.name; content:\"abc\"; nocase; sid:1;)", true },
        { "alert http any any -> any any (flow:to_client; file.name; content:\"abc\"; endswith; sid:1;)", true },
        { "alert http any any -> any any (flow:to_client; file.name; content:\"abc\"; startswith; sid:1;)", true },
        { "alert http any any -> any any (flow:to_client; file.name; content:\"abc\"; startswith; endswith; sid:1;)", true },
        { "alert http any any -> any any (flow:to_client; file.name; bsize:10; sid:1;)", true },
        /* rejected: rawbytes on a sticky buffer, and file.name on a non-file protocol */
        { "alert http any any -> any any (flow:to_client; file.name; content:\"abc\"; rawbytes; sid:1;)", false },
        { "alert tcp any any -> any any (flow:to_client; file.name; sid:1;)", false },
    };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        FAIL_IF_NOT(UTHParseSignature(cases[i].rule, cases[i].expect));
    }
    //FAIL_IF_NOT(UTHParseSignature("alert tls any any -> any any (flow:to_client; file.name; content:\"abc\"; sid:1;)", false));
    PASS;
}
/**
 * \test DetectFilenameTestParse01: a plain file name parses
 */
static int DetectFilenameTestParse01 (void)
{
    DetectFilenameData *fnd = DetectFilenameParse(NULL, "secret.pdf", false);
    FAIL_IF_NULL(fnd);
    DetectFilenameFree(NULL, fnd);
    PASS;
}
512 
/**
 * \test DetectFilenameTestParse02: a multi-suffix name keeps its full length and bytes
 */
static int DetectFilenameTestParse02 (void)
{
    static const char pattern[] = "backup.tar.gz";
    const size_t pattern_len = sizeof(pattern) - 1;

    DetectFilenameData *fnd = DetectFilenameParse(NULL, pattern, false);
    FAIL_IF_NULL(fnd);
    FAIL_IF_NOT((size_t)fnd->len == pattern_len);
    FAIL_IF_NOT(memcmp(fnd->name, pattern, pattern_len) == 0);
    DetectFilenameFree(NULL, fnd);
    PASS;
}
525 
/**
 * \test DetectFilenameTestParse03: a short name keeps its length and bytes
 */
static int DetectFilenameTestParse03 (void)
{
    static const char pattern[] = "cmd.exe";
    const size_t pattern_len = sizeof(pattern) - 1;

    DetectFilenameData *fnd = DetectFilenameParse(NULL, pattern, false);
    FAIL_IF_NULL(fnd);
    FAIL_IF_NOT((size_t)fnd->len == pattern_len);
    FAIL_IF_NOT(memcmp(fnd->name, pattern, pattern_len) == 0);
    DetectFilenameFree(NULL, fnd);
    PASS;
}
538 
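/**
 * \brief this function registers unit tests for DetectFilename
 *
 * Defined static to match its forward declaration near the top of the file,
 * rather than relying on that declaration alone for internal linkage.
 */
static void DetectFilenameRegisterTests(void)
{
    UtRegisterTest("DetectFilenameSignatureParseTest01", DetectFilenameSignatureParseTest01);

    UtRegisterTest("DetectFilenameTestParse01", DetectFilenameTestParse01);
    UtRegisterTest("DetectFilenameTestParse02", DetectFilenameTestParse02);
    UtRegisterTest("DetectFilenameTestParse03", DetectFilenameTestParse03);
}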
550 #endif /* UNITTESTS */