suricata
detect-nocase.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2010 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Implements the nocase keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 
29 #include "detect.h"
30 #include "detect-parse.h"
31 #include "detect-content.h"
32 #include "detect-nocase.h"
33 
34 #include "util-debug.h"
35 
36 static int DetectNocaseSetup (DetectEngineCtx *, Signature *, const char *);
37 
39 {
40  sigmatch_table[DETECT_NOCASE].name = "nocase";
41  sigmatch_table[DETECT_NOCASE].desc = "modify content match to be case insensitive";
42  sigmatch_table[DETECT_NOCASE].url = DOC_URL DOC_VERSION "/rules/payload-keywords.html#nocase";
44  sigmatch_table[DETECT_NOCASE].Setup = DetectNocaseSetup;
47 
49 }
50 
51 /**
52  * \internal
53  * \brief Apply the nocase keyword to the last pattern match, either content or uricontent
54  * \param det_ctx detection engine ctx
55  * \param s signature
56  * \param nullstr should be null
57  * \retval 0 ok
58  * \retval -1 failure
59  */
60 static int DetectNocaseSetup (DetectEngineCtx *de_ctx, Signature *s, const char *nullstr)
61 {
62  SCEnter();
63 
64  SigMatch *pm = NULL;
65  int ret = -1;
66 
67  if (nullstr != NULL) {
68  SCLogError(SC_ERR_INVALID_VALUE, "nocase has value");
69  goto end;
70  }
71 
72  /* retrive the sm to apply the nocase against */
74  if (pm == NULL) {
76  "preceding content option");
77  goto end;
78  }
79 
80  /* verify other conditions. */
82 
83  if (cd->flags & DETECT_CONTENT_NOCASE) {
84  SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use multiple nocase modifiers with the same content");
85  goto end;
86  }
87 
88  /* for consistency in later use (e.g. by MPM construction and hashing),
89  * coerce the content string to lower-case. */
90  for (uint8_t *c = cd->content; c < cd->content + cd->content_len; c++) {
91  *c = u8_tolower(*c);
92  }
93 
95  /* Recreate the context with nocase chars */
97  cd->spm_ctx = SpmInitCtx(cd->content, cd->content_len, 1,
98  de_ctx->spm_global_thread_ctx);
99  if (cd->spm_ctx == NULL) {
100  goto end;
101  }
102 
103  ret = 0;
104  end:
105  SCReturnInt(ret);
106 }
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1439
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1179
SpmGlobalThreadCtx * spm_global_thread_ctx
Definition: detect.h:810
const char * name
Definition: detect.h:1193
Signature container.
Definition: detect.h:517
main detection engine ctx
Definition: detect.h:756
#define u8_tolower(c)
Definition: suricata.h:181
SpmCtx * SpmInitCtx(const uint8_t *needle, uint16_t needle_len, int nocase, SpmGlobalThreadCtx *global_thread_ctx)
Definition: util-spm.c:166
void(* Free)(void *)
Definition: detect.h:1184
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
#define SCEnter(...)
Definition: util-debug.h:337
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1163
#define SCReturnInt(x)
Definition: util-debug.h:341
const char * desc
Definition: detect.h:1195
SigMatchCtx * ctx
Definition: detect.h:316
#define SIGMATCH_NOOPT
Definition: detect.h:1362
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us. ...
Definition: detect-parse.c:407
void SpmDestroyCtx(SpmCtx *ctx)
Definition: util-spm.c:176
const char * url
Definition: detect.h:1196
#define DOC_URL
Definition: suricata.h:86
void DetectNocaseRegister(void)
Definition: detect-nocase.c:38
#define DETECT_CONTENT_NOCASE
#define DOC_VERSION
Definition: suricata.h:91
uint16_t flags
Definition: detect.h:1187
void(* RegisterTests)(void)
Definition: detect.h:1185
a single match condition for a signature
Definition: detect.h:313