suricata
detect-filestore.c File Reference
#include "suricata-common.h"
#include "threads.h"
#include "debug.h"
#include "decode.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-mpm.h"
#include "detect-engine-state.h"
#include "flow.h"
#include "flow-var.h"
#include "flow-util.h"
#include "util-debug.h"
#include "util-spm-bm.h"
#include "util-unittest.h"
#include "util-unittest-helper.h"
#include "app-layer.h"
#include "app-layer-parser.h"
#include "app-layer-htp.h"
#include "stream-tcp.h"
#include "detect-filestore.h"
Include dependency graph for detect-filestore.c:

Go to the source code of this file.

Macros

#define PARSE_REGEX   "^\\s*([A-z_]+)\\s*(?:,\\s*([A-z_]+))?\\s*(?:,\\s*([A-z_]+))?\\s*$"
 Regex for parsing our flow options. More...
 
#define MAX_SUBSTRINGS   30
 

Functions

void DetectFilestoreRegister (void)
 Registration function for keyword: filestore. More...
 
int DetectFilestorePostMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p, const Signature *s)
 post-match function for filestore More...
 

Detailed Description

Author
Victor Julien victo.nosp@m.r@in.nosp@m.linia.nosp@m.c.ne.nosp@m.t

Implements the filestore keyword

Definition in file detect-filestore.c.

Macro Definition Documentation

#define MAX_SUBSTRINGS   30
#define PARSE_REGEX   "^\\s*([A-z_]+)\\s*(?:,\\s*([A-z_]+))?\\s*(?:,\\s*([A-z_]+))?\\s*$"

Regex for parsing our flow options.

Definition at line 58 of file detect-filestore.c.

Referenced by DetectFilestoreRegister().

Function Documentation

int DetectFilestorePostMatch ( ThreadVars t,
DetectEngineThreadCtx det_ctx,
Packet p,
const Signature s 
)

post-match function for filestore

Parameters
tthread local vars
det_ctxpattern matcher thread local data
ppacket

The match function for filestore records store candidates in the det_ctx. When we are sure all parts of the signature matched, we run this function to finalize the filestore.

Definition at line 187 of file detect-filestore.c.

References Flow_::alproto, Signature_::alproto, ALPROTO_HTTP, Flow_::alstate, AppLayerHtpNeedFileInspection(), AppLayerParserGetFiles(), BUG_ON, SigMatch_::ctx, DE_QUIET, DETECT_FILESTORE, DETECT_FILESTORE_MAX, DetectEngineCtxFree(), DetectEngineCtxInit(), DetectFilestoreData_::direction, FAIL_IF, FAIL_IF_NOT_NULL, DetectEngineThreadCtx_::file_id, File_::file_store_id, FileReassemblyDepth(), DetectEngineThreadCtx_::filestore, DetectEngineThreadCtx_::filestore_cnt, Signature_::filestore_ctx, FILESTORE_DIR_BOTH, FILESTORE_DIR_DEFAULT, FILESTORE_DIR_TOCLIENT, FILESTORE_DIR_TOSERVER, FILESTORE_SCOPE_DEFAULT, FILESTORE_SCOPE_SSN, FILESTORE_SCOPE_TX, FileStoreFileById(), flags, Signature_::flags, DetectEngineCtx_::flags, Packet_::flow, FLOW_PKT_TOCLIENT, Packet_::flowflags, m, MAX_SUBSTRINGS, Flow_::proto, Flow_::protoctx, res, SC_ERR_CONFLICTING_RULE_KEYWORDS, SC_ERR_PCRE_GET_SUBSTRING, SC_ERR_PCRE_MATCH, SCEnter, SCFree, SCLogDebug, SCLogError, SCMalloc, DetectFilestoreData_::scope, SCReturnInt, SIG_FLAG_BYPASS, SIG_FLAG_FILESTORE, DetectEngineCtx_::sig_list, SigInit(), SigMatchAlloc(), SigMatchAppendSMToList(), str, STREAM_TOCLIENT, STREAM_TOSERVER, TcpSessionSetReassemblyDepth(), DetectEngineThreadCtx_::tx_id, SigMatch_::type, unlikely, and UtRegisterTest().

Here is the call graph for this function: