/* Copyright (C) 2007-2010 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */

/**
 * \file
 *
 * \author Victor Julien <victor@inliniac.net>
 *
 * Implements the nocase keyword
 */
25
26
#include "
suricata-common.h
"
27
#include "
decode.h
"
28
29
#include "
detect.h
"
30
#include "
detect-parse.h
"
31
#include "
detect-content.h
"
32
#include "
detect-nocase.h
"
33
34
#include "
util-debug.h
"
35
36
/* Forward declaration of the nocase keyword's Setup callback; it is defined
 * later in this file and installed into sigmatch_table by
 * DetectNocaseRegister(). */
static int DetectNocaseSetup (DetectEngineCtx *, Signature *, const char *);
37
38
/**
 * \brief Register the nocase keyword in the signature match table.
 *
 * Fills the DETECT_NOCASE slot of sigmatch_table with the keyword name,
 * its description, the documentation anchor and the Setup callback.
 */
void DetectNocaseRegister(void)
{
    SigTableElmt *entry = &sigmatch_table[DETECT_NOCASE];

    entry->name = "nocase";
    entry->desc = "modify content match to be case insensitive";
    entry->url = "/rules/payload-keywords.html#nocase";
    entry->Setup = DetectNocaseSetup;
    /* NOTE(review): SIGMATCH_NOOPT presumably marks the keyword as taking
     * no option value (DetectNocaseSetup rejects a non-NULL value) --
     * confirm against its definition in detect.h. OR-ed in so that flags
     * already present on the slot are preserved. */
    entry->flags |= SIGMATCH_NOOPT;
}
46
47
/**
 * \internal
 * \brief Apply the nocase modifier to the most recently added content match
 *        of a signature.
 *
 * Looks up the last DETECT_CONTENT SigMatch, lower-cases its pattern bytes
 * in place, sets DETECT_CONTENT_NOCASE on it and rebuilds its single pattern
 * matcher context with the nocase argument set to 1.
 *
 * \param de_ctx  detection engine ctx; its spm_global_thread_ctx is handed
 *                to SpmInitCtx()
 * \param s       signature whose last content match is modified
 * \param nullstr keyword value; must be NULL, nocase takes no value
 *
 * \retval 0  ok
 * \retval -1 failure: a value was supplied, there is no preceding content,
 *            nocase was already applied to that content, or SpmInitCtx()
 *            returned NULL
 */
static int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, const char *nullstr)
{
    SCEnter();

    /* nocase is a bare modifier: a rule that gives it a value is rejected */
    if (nullstr != NULL) {
        SCLogError(SC_ERR_INVALID_VALUE, "nocase has value");
        SCReturnInt(-1);
    }

    /* retrieve the sm to apply the nocase against */
    SigMatch *last_content = DetectGetLastSMFromLists(s, DETECT_CONTENT, -1);
    if (last_content == NULL) {
        SCLogError(SC_ERR_NOCASE_MISSING_PATTERN,
                   "nocase needs preceding content option");
        SCReturnInt(-1);
    }

    DetectContentData *data = (DetectContentData *)last_content->ctx;

    /* a second nocase on the same content is treated as a rule error rather
     * than silently accepted */
    if ((data->flags & DETECT_CONTENT_NOCASE) != 0) {
        SCLogError(SC_ERR_INVALID_SIGNATURE,
                   "can't use multiple nocase modifiers with the same content");
        SCReturnInt(-1);
    }

    /* for consistency in later use (e.g. by MPM construction and hashing),
     * coerce the content string to lower-case. The bytes are rewritten in
     * place, so the casing written in the rule is not kept. */
    for (uint32_t i = 0; i < data->content_len; i++) {
        data->content[i] = u8_tolower(data->content[i]);
    }
    data->flags |= DETECT_CONTENT_NOCASE;

    /* Recreate the search context from the lower-cased bytes, this time
     * with the nocase argument set. */
    SpmDestroyCtx(data->spm_ctx);
    data->spm_ctx = SpmInitCtx(data->content, data->content_len, 1,
                               de_ctx->spm_global_thread_ctx);

    /* NOTE(review): on this failure path the old context is already
     * destroyed, the content is lower-cased and flagged, and nothing is
     * logged here. Presumably the caller discards the signature on -1 --
     * confirm. */
    if (data->spm_ctx == NULL) {
        SCReturnInt(-1);
    }

    SCReturnInt(0);
}