Go to the source code of this file.
Data Structures | |
| struct | DetectFileHandlerTableElmt_ |
| struct | DetectParseRegex |
Macros | |
| #define | MAX_DETECT_ALPROTO_CNT 10 |
Typedefs | |
| typedef struct DetectFileHandlerTableElmt_ | DetectFileHandlerTableElmt |
| typedef struct DetectParseRegex | DetectParseRegex |
Enumerations | |
| enum | { SIG_DIREC_NORMAL, SIG_DIREC_SWITCHED } |
| enum | { SIG_DIREC_SRC, SIG_DIREC_DST } |
Functions | |
| void | DetectFileRegisterFileProtocols (DetectFileHandlerTableElmt *entry) |
| int | SignatureInitDataBufferCheckExpand (Signature *s) |
| check if buffers array still has space left, expand if not More... | |
| Signature * | SigAlloc (void) |
| void | SigFree (DetectEngineCtx *de_ctx, Signature *s) |
| Signature * | SigInit (DetectEngineCtx *, const char *sigstr) |
| Parses a signature and adds it to the Detection Engine Context. More... | |
| SigMatchData * | SigMatchList2DataArray (SigMatch *head) |
| convert SigMatch list to SigMatchData array More... | |
| void | SigParseRegisterTests (void) |
| Signature * | DetectEngineAppendSig (DetectEngineCtx *, const char *) |
| Parse and append a Signature into the Detection Engine Context signature list. More... | |
| SigMatch * | SigMatchAppendSMToList (DetectEngineCtx *, Signature *, uint16_t, SigMatchCtx *, int) |
| Append a SigMatch to the list type. More... | |
| void | SigMatchRemoveSMFromList (Signature *, SigMatch *, int) |
| int | SigMatchListSMBelongsTo (const Signature *, const SigMatch *) |
| int | DetectParseDupSigHashInit (DetectEngineCtx *) |
| Initializes the hash table that is used to cull duplicate sigs. More... | |
| void | DetectParseDupSigHashFree (DetectEngineCtx *) |
| Frees the hash table that is used to cull duplicate sigs. More... | |
| int | DetectEngineContentModifierBufferSetup (DetectEngineCtx *de_ctx, Signature *s, const char *arg, int sm_type, int sm_list, AppProto alproto) |
| bool | SigMatchSilentErrorEnabled (const DetectEngineCtx *de_ctx, const enum DetectKeywordId id) |
| bool | SigMatchStrictEnabled (const enum DetectKeywordId id) |
| const char * | DetectListToHumanString (int list) |
| const char * | DetectListToString (int list) |
| void | SigTableApplyStrictCommandLineOption (const char *str) |
| SigMatch * | DetectGetLastSM (const Signature *) |
| Returns the sm with the largest index (added latest) from this sig. More... | |
| SigMatch * | DetectGetLastSMFromMpmLists (const DetectEngineCtx *de_ctx, const Signature *s) |
| get the last SigMatch from lists that support MPM. More... | |
| SigMatch * | DetectGetLastSMFromLists (const Signature *s,...) |
| Returns the sm with the largest index (added latest) from the lists passed to us. More... | |
| SigMatch * | DetectGetLastSMByListPtr (const Signature *s, SigMatch *sm_list,...) |
| Returns the sm with the largest index (added last) from the list passed to us as a pointer. More... | |
| SigMatch * | DetectGetLastSMByListId (const Signature *s, int list_id,...) |
| Returns the sm with the largest index (added last) from the list passed to us as an id. More... | |
| int | DetectSignatureAddTransform (Signature *s, int transform, void *options) |
| int WARN_UNUSED | DetectSignatureSetAppProto (Signature *s, AppProto alproto) |
| DetectParseRegex * | DetectSetupPCRE2 (const char *parse_str, int opts) |
| bool | DetectSetupParseRegexesOpts (const char *parse_str, DetectParseRegex *parse_regex, int opts) |
| void | DetectSetupParseRegexes (const char *parse_str, DetectParseRegex *parse_regex) |
| void | DetectParseRegexAddToFreeList (DetectParseRegex *parse_regex) |
| add regex and/or study to at exit free list More... | |
| void | DetectParseFreeRegexes (void) |
| void | DetectParseFreeRegex (DetectParseRegex *r) |
| int | DetectParsePcreExec (DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options) |
| int | SC_Pcre2SubstringCopy (pcre2_match_data *match_data, uint32_t number, PCRE2_UCHAR *buffer, PCRE2_SIZE *bufflen) |
| int | SC_Pcre2SubstringGet (pcre2_match_data *match_data, uint32_t number, PCRE2_UCHAR **bufferptr, PCRE2_SIZE *bufflen) |
Variables | |
| DetectFileHandlerTableElmt | filehandler_table [DETECT_TBLSIZE_STATIC] |
Detailed Description
Definition in file detect-parse.h.
Macro Definition Documentation
◆ MAX_DETECT_ALPROTO_CNT
| #define MAX_DETECT_ALPROTO_CNT 10 |
Definition at line 32 of file detect-parse.h.
Typedef Documentation
◆ DetectFileHandlerTableElmt
| typedef struct DetectFileHandlerTableElmt_ DetectFileHandlerTableElmt |
◆ DetectParseRegex
| typedef struct DetectParseRegex DetectParseRegex |
Enumeration Type Documentation
◆ anonymous enum
| anonymous enum |
Flags to indicate if the Signature parsing must be done switching the source and dest (for ip addresses and ports) or otherwise as normal
| Enumerator | |
|---|---|
| SIG_DIREC_NORMAL | |
| SIG_DIREC_SWITCHED | |
Definition at line 50 of file detect-parse.h.
◆ anonymous enum
| anonymous enum |
Flags to indicate if are referencing the source of the Signature or the destination (for ip addresses and ports)
| Enumerator | |
|---|---|
| SIG_DIREC_SRC | |
| SIG_DIREC_DST | |
Definition at line 57 of file detect-parse.h.
Function Documentation
◆ DetectEngineAppendSig()
| Signature* DetectEngineAppendSig | ( | DetectEngineCtx * | de_ctx, |
| const char * | sigstr | ||
| ) |
Parse and append a Signature into the Detection Engine Context signature list.
If the signature is bidirectional it should append two signatures (with the addresses switched) into the list. Also handle duplicate signatures. In case of duplicate sigs, use the ones that have the latest revision. We use the sid and the msg to identify duplicate sigs. If 2 sigs have the same sid and gid, they are duplicates.
- Parameters
-
de_ctx Pointer to the Detection Engine Context. sigstr Pointer to a character string containing the signature to be parsed. sig_file Pointer to a character string containing the filename from which signature is read lineno Line number from where signature is read
- Return values
-
Pointer to the head Signature in the detection engine ctx sig_list on success; NULL on failure.
In DetectEngineAppendSig(), the signatures are prepended and we always return the first one so if the signature is bidirectional, the returned sig will point through "next" ptr to the cloned signatures with the switched addresses
Definition at line 2587 of file detect-parse.c.
References de_ctx, and SigInit().
◆ DetectEngineContentModifierBufferSetup()
| int DetectEngineContentModifierBufferSetup | ( | DetectEngineCtx * | de_ctx, |
| Signature * | s, | ||
| const char * | arg, | ||
| int | sm_type, | ||
| int | sm_list, | ||
| AppProto | alproto | ||
| ) |
- Parameters
-
arg NULL or empty string
Definition at line 194 of file detect-parse.c.
References Signature_::alproto, ALPROTO_UNKNOWN, DETECT_SM_LIST_NOTSET, Signature_::init_data, SignatureInitData_::list, SCLogError, and sigmatch_table.
Referenced by DetectHttpUriSetup().
◆ DetectFileRegisterFileProtocols()
| void DetectFileRegisterFileProtocols | ( | DetectFileHandlerTableElmt * | entry | ) |
Definition at line 79 of file detect-parse.c.
References ALPROTO_FTP, ALPROTO_FTPDATA, ALPROTO_HTTP1, ALPROTO_HTTP2, ALPROTO_NFS, ALPROTO_SMB, ALPROTO_SMTP, ARRAY_SIZE, DetectFileHandlerTableElmt_::Callback, DetectAppLayerInspectEngineRegister(), DetectAppLayerMpmRegister(), DetectFileHandlerTableElmt_::GetData, DetectFileHandlerTableElmt_::name, DetectFileHandlerTableElmt_::PrefilterFn, DetectFileHandlerTableElmt_::priority, SIG_FLAG_TOCLIENT, and SIG_FLAG_TOSERVER.
◆ DetectGetLastSM()
Returns the sm with the largest index (added latest) from this sig.
- Return values
-
sm_last Pointer to last sm
Definition at line 751 of file detect-parse.c.
References SignatureInitData_::buffer_index, SignatureInitData_::buffers, DETECT_SM_LIST_MAX, SigMatch_::idx, Signature_::init_data, SignatureInitData_::smlists_tail, and SignatureInitDataBuffer_::tail.
◆ DetectGetLastSMByListId()
Returns the sm with the largest index (added last) from the list passed to us as an id.
- Parameters
-
list_id id of the list to be searched va_args list of keyword types terminated by -1
- Return values
-
sm_last to last sm.
Definition at line 700 of file detect-parse.c.
References SignatureInitData_::buffer_index, SignatureInitData_::buffers, DETECT_SM_LIST_MAX, Signature_::init_data, and SignatureInitDataBuffer_::tail.
◆ DetectGetLastSMByListPtr()
Returns the sm with the largest index (added last) from the list passed to us as a pointer.
- Parameters
-
sm_list pointer to the SigMatch we should look before va_args list of keyword types terminated by -1
- Return values
-
sm_last to last sm.
Definition at line 668 of file detect-parse.c.
Referenced by DetectGetLastSMFromMpmLists().
◆ DetectGetLastSMFromLists()
Returns the sm with the largest index (added latest) from the lists passed to us.
- Return values
-
Pointer to Last sm.
Definition at line 606 of file detect-parse.c.
References SignatureInitData_::buffer_index, SignatureInitData_::buffers, DETECT_SM_LIST_NOTSET, SignatureInitDataBuffer_::id, Signature_::init_data, SignatureInitData_::list, and SCLogDebug.
◆ DetectGetLastSMFromMpmLists()
| SigMatch* DetectGetLastSMFromMpmLists | ( | const DetectEngineCtx * | de_ctx, |
| const Signature * | s | ||
| ) |
get the last SigMatch from lists that support MPM.
- Note
- only supports the lists that are registered through DetectBufferTypeSupportsMpm().
Definition at line 569 of file detect-parse.c.
References SignatureInitData_::buffer_index, SignatureInitData_::buffers, de_ctx, DETECT_CONTENT, DETECT_SM_LIST_MAX, DetectEngineBufferTypeSupportsMpmGetById(), DetectGetLastSMByListPtr(), SignatureInitDataBuffer_::id, SigMatch_::idx, Signature_::init_data, SignatureInitData_::smlists_tail, and SignatureInitDataBuffer_::tail.
◆ DetectListToHumanString()
| const char* DetectListToHumanString | ( | int | list | ) |
Definition at line 160 of file detect-parse.c.
Referenced by DumpPatterns().
◆ DetectListToString()
| const char* DetectListToString | ( | int | list | ) |
Definition at line 178 of file detect-parse.c.
◆ DetectParseDupSigHashFree()
| void DetectParseDupSigHashFree | ( | DetectEngineCtx * | de_ctx | ) |
Frees the hash table that is used to cull duplicate sigs.
- Parameters
-
de_ctx Pointer to the detection engine context that holds this table.
Definition at line 2409 of file detect-parse.c.
References de_ctx, DetectEngineCtx_::dup_sig_hash_table, and HashListTableFree().
Referenced by DetectEngineCtxFree().
◆ DetectParseDupSigHashInit()
| int DetectParseDupSigHashInit | ( | DetectEngineCtx * | de_ctx | ) |
Initializes the hash table that is used to cull duplicate sigs.
- Parameters
-
de_ctx Pointer to the detection engine context.
- Return values
-
0 On success. -1 On failure.
Definition at line 2392 of file detect-parse.c.
References de_ctx, DetectEngineCtx_::dup_sig_hash_table, and HashListTableInit().
◆ DetectParseFreeRegex()
| void DetectParseFreeRegex | ( | DetectParseRegex * | r | ) |
Definition at line 2651 of file detect-parse.c.
References DetectParseRegex::context, and DetectParseRegex::regex.
◆ DetectParseFreeRegexes()
| void DetectParseFreeRegexes | ( | void | ) |
Definition at line 2661 of file detect-parse.c.
Referenced by GlobalsDestroy().
◆ DetectParsePcreExec()
| int DetectParsePcreExec | ( | DetectParseRegex * | parse_regex, |
| pcre2_match_data ** | match, | ||
| const char * | str, | ||
| int | start_offset, | ||
| int | options | ||
| ) |
Definition at line 2641 of file detect-parse.c.
◆ DetectParseRegexAddToFreeList()
| void DetectParseRegexAddToFreeList | ( | DetectParseRegex * | parse_regex | ) |
add regex and/or study to at exit free list
Definition at line 2677 of file detect-parse.c.
References FatalError, DetectParseRegex::next, DetectParseRegex::regex, and SCCalloc.
Referenced by DetectSetupParseRegexesOpts().
◆ DetectSetupParseRegexes()
| void DetectSetupParseRegexes | ( | const char * | parse_str, |
| DetectParseRegex * | parse_regex | ||
| ) |
Definition at line 2767 of file detect-parse.c.
References DetectSetupParseRegexesOpts(), and FatalError.
◆ DetectSetupParseRegexesOpts()
| bool DetectSetupParseRegexesOpts | ( | const char * | parse_str, |
| DetectParseRegex * | parse_regex, | ||
| int | opts | ||
| ) |
Definition at line 2688 of file detect-parse.c.
References DetectParseRegex::context, DetectParseRegexAddToFreeList(), DetectParseRegex::regex, SC_MATCH_LIMIT_DEFAULT, SC_MATCH_LIMIT_RECURSION_DEFAULT, and SCLogError.
Referenced by DetectSetupParseRegexes().
◆ DetectSetupPCRE2()
| DetectParseRegex* DetectSetupPCRE2 | ( | const char * | parse_str, |
| int | opts | ||
| ) |
Definition at line 2717 of file detect-parse.c.
References DetectParseRegex::next, DetectParseRegex::regex, SCCalloc, SCFree, and SCLogError.
◆ DetectSignatureAddTransform()
| int DetectSignatureAddTransform | ( | Signature * | s, |
| int | transform, | ||
| void * | options | ||
| ) |
Definition at line 1712 of file detect-parse.c.
References DetectEngineTransforms::cnt, DETECT_TRANSFORMS_MAX, Signature_::init_data, SignatureInitData_::list, SignatureInitData_::list_set, TransformData_::options, SCLogDebug, SCLogError, SCReturnInt, Signature_::sig_str, TransformData_::transform, DetectEngineTransforms::transforms, and SignatureInitData_::transforms.
◆ DetectSignatureSetAppProto()
| int WARN_UNUSED DetectSignatureSetAppProto | ( | Signature * | s, |
| AppProto | alproto | ||
| ) |
Definition at line 1737 of file detect-parse.c.
References Signature_::alproto, ALPROTO_FAILED, ALPROTO_UNKNOWN, and SCLogError.
◆ SC_Pcre2SubstringCopy()
| int SC_Pcre2SubstringCopy | ( | pcre2_match_data * | match_data, |
| uint32_t | number, | ||
| PCRE2_UCHAR * | buffer, | ||
| PCRE2_SIZE * | bufflen | ||
| ) |
Definition at line 2743 of file detect-parse.c.
◆ SC_Pcre2SubstringGet()
| int SC_Pcre2SubstringGet | ( | pcre2_match_data * | match_data, |
| uint32_t | number, | ||
| PCRE2_UCHAR ** | bufferptr, | ||
| PCRE2_SIZE * | bufflen | ||
| ) |
Definition at line 2755 of file detect-parse.c.
◆ SigAlloc()
| Signature* SigAlloc | ( | void | ) |
Definition at line 1513 of file detect-parse.c.
References SignatureInitData_::buffers, SignatureInitData_::buffers_size, DETECT_SM_LIST_NOTSET, Signature_::init_data, SignatureInitData_::list, SignatureInitData_::mpm_sm_list, Signature_::prio, SCCalloc, SCFree, and unlikely.
◆ SigFree()
| void SigFree | ( | DetectEngineCtx * | de_ctx, |
| Signature * | s | ||
| ) |
Definition at line 1628 of file detect-parse.c.
References SignatureInitData_::buffer_index, SignatureInitData_::buffers, SignatureInitData_::cidr_dst, SignatureInitData_::cidr_src, DetectEngineTransforms::cnt, de_ctx, DETECT_SM_LIST_MAX, SigTableElmt_::Free, SignatureInitDataBuffer_::head, Signature_::init_data, IPOnlyCIDRListFree(), SigMatch_::next, TransformData_::options, SCFree, sigmatch_table, SigMatchFree(), SignatureInitData_::smlists, TransformData_::transform, DetectEngineTransforms::transforms, and SignatureInitData_::transforms.
◆ SigInit()
| Signature* SigInit | ( | DetectEngineCtx * | de_ctx, |
| const char * | sigstr | ||
| ) |
Parses a signature and adds it to the Detection Engine Context.
- Parameters
-
de_ctx Pointer to the Detection Engine Context. sigstr Pointer to a character string containing the signature to be parsed.
- Return values
-
Pointer to the Signature instance on success; NULL on failure.
Definition at line 2285 of file detect-parse.c.
References de_ctx, SCEnter, DetectEngineCtx_::sigerror_ok, DetectEngineCtx_::sigerror_requires, DetectEngineCtx_::sigerror_silent, and DetectEngineCtx_::signum.
Referenced by DetectEngineAppendSig(), LLVMFuzzerTestOneInput(), UTHPacketMatchSig(), and UTHPacketMatchSigMpm().
◆ SigMatchAppendSMToList()
| SigMatch* SigMatchAppendSMToList | ( | DetectEngineCtx * | de_ctx, |
| Signature * | s, | ||
| uint16_t | type, | ||
| SigMatchCtx * | ctx, | ||
| const int | list | ||
| ) |
Append a SigMatch to the list type.
- Parameters
-
s Signature. new The sig match to append. list The list to append to.
Definition at line 436 of file detect-parse.c.
Referenced by DetectContentSetup(), and DetectFlowvarPostMatchSetup().
◆ SigMatchList2DataArray()
| SigMatchData* SigMatchList2DataArray | ( | SigMatch * | head | ) |
convert SigMatch list to SigMatchData array
- Note
- ownership of sm->ctx is transferred to smd->ctx
Definition at line 1856 of file detect-parse.c.
References len.
Referenced by DetectEngineAppInspectionEngine2Signature().
◆ SigMatchListSMBelongsTo()
Definition at line 805 of file detect-parse.c.
References SignatureInitData_::buffer_index, SignatureInitData_::buffers, SignatureInitDataBuffer_::head, SignatureInitDataBuffer_::id, Signature_::init_data, and SigMatch_::next.
◆ SigMatchRemoveSMFromList()
Definition at line 529 of file detect-parse.c.
References Signature_::init_data, SigMatch_::next, SigMatch_::prev, SignatureInitData_::smlists, and SignatureInitData_::smlists_tail.
Referenced by DetectIPProtoRemoveAllSMs().
◆ SigMatchSilentErrorEnabled()
| bool SigMatchSilentErrorEnabled | ( | const DetectEngineCtx * | de_ctx, |
| const enum DetectKeywordId | id | ||
| ) |
Definition at line 378 of file detect-parse.c.
References de_ctx, and DetectEngineCtx_::sm_types_silent_error.
◆ SigMatchStrictEnabled()
| bool SigMatchStrictEnabled | ( | const enum DetectKeywordId | id | ) |
Definition at line 384 of file detect-parse.c.
References DETECT_TBLSIZE, flags, SIGMATCH_STRICT_PARSING, and sigmatch_table.
◆ SignatureInitDataBufferCheckExpand()
| int SignatureInitDataBufferCheckExpand | ( | Signature * | s | ) |
check if buffers array still has space left, expand if not
Definition at line 1493 of file detect-parse.c.
References SignatureInitData_::buffer_index, SignatureInitData_::buffers, SignatureInitData_::buffers_size, Signature_::init_data, and SCRealloc.
Referenced by DetectBufferGetActiveList().
◆ SigParseRegisterTests()
| void SigParseRegisterTests | ( | void | ) |
Definition at line 4445 of file detect-parse.c.
References DetectParseRegisterTests(), and UtRegisterTest().
Referenced by SigRegisterTests().
◆ SigTableApplyStrictCommandLineOption()
| void SigTableApplyStrictCommandLineOption | ( | const char * | str | ) |
Definition at line 392 of file detect-parse.c.
References DETECT_TBLSIZE, FatalError, SigTableElmt_::flags, SCStrdup, SIGMATCH_STRICT_PARSING, sigmatch_table, and str.
Variable Documentation
◆ filehandler_table
| DetectFileHandlerTableElmt filehandler_table[DETECT_TBLSIZE_STATIC] |
Definition at line 77 of file detect-parse.c.
