45 #define PARSE_REGEX "(.*),(.*)"
119 char varname[64], varcontent[64];
120 int ret = 0,
res = 0;
122 uint8_t *content = NULL;
123 uint16_t contentlen = 0;
132 pcre2len =
sizeof(varname);
133 res = pcre2_substring_copy_bynumber(parse_regex.
match, 1, (PCRE2_UCHAR8 *)varname, &pcre2len);
139 pcre2len =
sizeof(varcontent);
140 res = pcre2_substring_copy_bynumber(
141 parse_regex.
match, 2, (PCRE2_UCHAR8 *)varcontent, &pcre2len);
147 int varcontent_index = 0;
148 if (strlen(varcontent) >= 2) {
149 if (varcontent[0] ==
'"')
151 if (varcontent[strlen(varcontent)-1] ==
'"')
152 varcontent[strlen(varcontent)-1] =
'\0';
154 SCLogDebug(
"varcontent %s", &varcontent[varcontent_index]);
163 memset(fd, 0x00,
sizeof(*fd));
169 memcpy(fd->
content, content, contentlen);
171 fd->
flags = contentflags;
194 DetectFlowvarDataFree(
de_ctx, fd);
204 uint8_t *key, uint16_t key_len,
205 uint8_t *buffer, uint16_t
len,
int type)
225 uint8_t *buffer, uint16_t
len,
int type)
230 for ( ; fs != NULL; fs = fs->
next) {
231 if (fs->
idx == idx) {
267 memset(fv, 0x00,
sizeof(*fv));
283 DetectFlowvarDataFree(
de_ctx, fv);
292 static int DetectFlowvarPostMatch(
307 if (fd->
idx == 0 || fd->
idx == fs->
idx) {
365 }
while (fs != NULL);
int DetectFlowvarPostMatchSetup(DetectEngineCtx *de_ctx, Signature *s, uint32_t idx)
Set up a post-match for flowvar storage. We're piggyback riding the DetectFlowvarData struct.
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options)
void(* Free)(DetectEngineCtx *, void *)
int DetectVarStoreMatch(DetectEngineThreadCtx *det_ctx, uint32_t idx, uint8_t *buffer, uint16_t len, int type)
Store flowvar in det_ctx so we can exec it post-match.
struct HtpBodyChunk_ * next
main detection engine ctx
void DetectVarProcessListInternal(DetectVarList *fs, Flow *f, Packet *p)
Handle flowvar candidate list in det_ctx: clean up the list.
#define DETECT_VAR_TYPE_PKT_POSTMATCH
int PktVarAdd(Packet *p, uint32_t id, uint8_t *value, uint16_t size)
add a key-value pktvar to the pkt
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
@ DETECT_SM_LIST_POSTMATCH
union FlowVar_::@111 data
@ DETECT_FLOWVAR_POSTMATCH
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
@ SC_ERR_PCRE_COPY_SUBSTRING
#define DETECT_CONTENT_NEGATED
struct DetectVarList_ * next
void FlowVarAddIdValue(Flow *f, uint32_t idx, uint8_t *value, uint16_t size)
SignatureInitData * init_data
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
SigMatch * SigMatchAlloc(void)
#define DETECT_VAR_TYPE_FLOW_POSTMATCH
Used to start a pointer to SigMatch context. Should never be dereferenced without casting to something...
int DetectContentDataParse(const char *keyword, const char *contentstr, uint8_t **pstr, uint16_t *plen)
Parse a content string, e.g. "abc|DE|fgh".
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
uint32_t VarNameStoreSetupAdd(const char *name, const enum VarTypes type)
add to staging or return existing id if already in there
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
void DetectFlowvarRegister(void)
a single match condition for a signature
int DetectVarStoreMatchKeyValue(DetectEngineThreadCtx *det_ctx, uint8_t *key, uint16_t key_len, uint8_t *buffer, uint16_t len, int type)
Store flowvar in det_ctx so we can exec it post-match.
#define SpmSearch(text, textlen, needle, needlelen)
int PktVarAddKeyValue(Packet *p, uint8_t *key, uint16_t ksize, uint8_t *value, uint16_t size)
add a key-value pktvar to the pkt
FlowVar * FlowVarGet(Flow *f, uint32_t idx)
get the flowvar with index 'idx' from the flow
int DetectFlowvarMatch(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.