suricata
detect-parse.h
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  */
23 
24 #ifndef __DETECT_PARSE_H__
25 #define __DETECT_PARSE_H__
26 
27 /** Flags indicating whether a Signature is parsed with the
28 * source and destination switched (for IP addresses and ports)
29 * or in the normal order */
30 enum {
33 };
34 
35 /** Flags to indicate whether we are referencing the source of the Signature
36 * or the destination (for IP addresses and ports) */
37 enum {
40 };
41 
42 typedef struct DetectParseRegex_ {
43  pcre *regex;
44  pcre_extra *study;
45 #ifdef PCRE_HAVE_JIT_EXEC
46  pcre_jit_stack *jit_stack;
47 #endif
50 
51 /* prototypes */
/* Signature lifecycle. SigAlloc() returns a Signature pointer and SigFree()
 * takes one; presumably they pair as allocate/release -- confirm in
 * detect-parse.c (SigAlloc at :1254, SigFree at :1377). */
52 Signature *SigAlloc(void);
53 void SigFree(Signature *s);
/* SigInit: parses a signature (the rule text in sigstr) and adds it to the
 * Detection Engine Context, per the generated documentation for
 * detect-parse.c:2023. The failure value of the returned pointer (NULL?) is
 * not visible in this header -- check the result before dereferencing it.
 * NOTE(review): sigstr is the parser's input; rule text obtained from
 * third-party feeds should be treated as untrusted when reasoning about this
 * entry point. The page references a fuzz harness (fuzz_siginit.c),
 * presumably targeting it -- confirm. */
54 Signature *SigInit(DetectEngineCtx *, const char *sigstr);
/* SigInitReal: same parameter and return types as SigInit; how the two
 * differ is not visible in this header. */
55 Signature *SigInitReal(DetectEngineCtx *, const char *);
/* Presumably registers the parser's unit tests (name-based) -- confirm at
 * detect-parse.c:4096. */
57 void SigParseRegisterTests(void);
59 
/* Presumably reports which match list of the signature holds the given
 * SigMatch (inferred from the name). The meaning of the int result,
 * including any "not found" value, is not visible here -- confirm at
 * detect-parse.c:622 before using it as a list index. */
62 int SigMatchListSMBelongsTo(const Signature *, const SigMatch *);
63 
66 
68  Signature *s, const char *arg, int sm_type, int sm_list,
69  AppProto alproto);
70 
72  const enum DetectKeywordId id);
/* Returns a bool for one keyword id; presumably whether strict parsing is
 * enabled for that keyword (name-based, see detect-parse.c:298). The page
 * also lists SigTableApplyStrictCommandlineOption(const char *str), which
 * presumably sets this state from the command line -- confirm. */
73 bool SigMatchStrictEnabled(const enum DetectKeywordId id);
74 
/* Map a list id to a constant string. Behaviour for an id outside the known
 * lists is not visible in this header -- TODO confirm whether NULL can be
 * returned before passing the result to a "%s" format. */
75 const char *DetectListToHumanString(int list);
76 const char *DetectListToString(int list);
77 
79 
/* Per the generated documentation: each returns the sm with the largest
 * index (added last) from the list(s) passed in, ByListPtr taking the list
 * as a pointer and ByListId taking it as an id.
 * NOTE(review): both are variadic. The terminator expected at the end of the
 * argument list is not visible in this header; an unterminated list makes
 * the callee read past the supplied arguments, so check the convention at
 * detect-parse.c:508 and :540 before adding a call site. */
83 SigMatch *DetectGetLastSMByListPtr(const Signature *s, SigMatch *sm_list, ...);
84 SigMatch *DetectGetLastSMByListId(const Signature *s, int list_id, ...);
85 
/* Presumably attaches the transform with the given id to the signature
 * (name-based). The return convention and any limit on the number of
 * transforms are not visible here -- confirm at detect-parse.c:1442. */
86 int DetectSignatureAddTransform(Signature *s, int transform);
88 
89 /* parse regex setup and free util funcs */
90 
/* Presumably compile the pattern in parse_str into *parse_regex, the Opts
 * variant taking extra compile options in opts (inferred from names and
 * parameter types -- confirm at detect-parse.c:2418 and :2440).
 * Both return void, so a compile failure cannot be reported through the
 * return value; how failure is handled is not visible in this header. */
91 void DetectSetupParseRegexesOpts(const char *parse_str, DetectParseRegex *parse_regex, int opts);
92 void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *parse_regex);
/* Takes no arguments. The page documents a companion
 * DetectParseRegexAddToFreeList() that adds a regex and/or study to an
 * at-exit free list, so this presumably releases that list -- confirm at
 * detect-parse.c:2390. Any DetectParseRegex still in use afterwards would
 * then hold dangling pointers, so treat this as a shutdown-only call until
 * confirmed otherwise. */
94 void DetectParseFreeRegexes(void);
96 
97 /* parse regex exec */
/* Run parse_regex against str, writing match offsets into ovector.
 * This variant takes no length, so str presumably must be NUL-terminated --
 * confirm at detect-parse.c:2372.
 * The ovector/ovector_size parameters follow the naming of PCRE's
 * pcre_exec(). If the call is forwarded there (assumption), the result is a
 * positive count on a match, 0 when ovector was too small for all captures,
 * and negative on no-match or error -- so check the return value before
 * reading any offset out of ovector. */
98 int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str,
99  int start_offset, int options,
100  int *ovector, int ovector_size);
/* As above, but with the subject length passed explicitly in str_len.
 * str_len, start_offset and ovector_size are all int: a caller holding a
 * size_t length should range-check it before the conversion rather than
 * let it truncate or turn negative. */
101 int DetectParsePcreExecLen(DetectParseRegex *parse_regex, const char *str,
102  int str_len, int start_offset, int options,
103  int *ovector, int ovector_size);
104 
105 /* typical size of ovector */
/* 30 is a multiple of 3. Under pcre_exec() semantics (assumed to apply to
 * the wrappers above) only the first two thirds of the vector carry offsets,
 * so an ovector of this size holds at most 10 start/end pairs: the whole
 * match plus 9 capture groups. A pattern with more groups needs a larger
 * vector, and ovector_size must match the array actually passed. */
106 #define MAX_SUBSTRINGS 30
107 
108 #endif /* __DETECT_PARSE_H__ */
109 
DetectParseRegex_::next
struct DetectParseRegex_ * next
Definition: detect-parse.h:48
SigMatchRemoveSMFromList
void SigMatchRemoveSMFromList(Signature *, SigMatch *, int)
Definition: detect-parse.c:387
SIG_DIREC_DST
@ SIG_DIREC_DST
Definition: detect-parse.h:39
SigInitReal
Signature * SigInitReal(DetectEngineCtx *, const char *)
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:71
DetectParseFreeRegex
void DetectParseFreeRegex(DetectParseRegex *r)
Definition: detect-parse.c:2380
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:761
DetectParseRegexAddToFreeList
void DetectParseRegexAddToFreeList(DetectParseRegex *parse_regex)
add regex and/or study to at exit free list
Definition: detect-parse.c:2406
DetectKeywordId
DetectKeywordId
Definition: detect-engine-register.h:27
DetectParseDupSigHashInit
int DetectParseDupSigHashInit(DetectEngineCtx *)
Initializes the hash table that is used to cull duplicate sigs.
Definition: detect-parse.c:2130
SigMatchData_
Data needed for Match()
Definition: detect.h:327
DetectParseFreeRegexes
void DetectParseFreeRegexes(void)
Definition: detect-parse.c:2390
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *, SigMatch *, int)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
DetectGetLastSMByListId
SigMatch * DetectGetLastSMByListId(const Signature *s, int list_id,...)
Returns the sm with the largest index (added last) from the list passed to us as an id.
Definition: detect-parse.c:540
DetectParsePcreExecLen
int DetectParsePcreExecLen(DetectParseRegex *parse_regex, const char *str, int str_len, int start_offset, int options, int *ovector, int ovector_size)
Definition: detect-parse.c:2363
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *parse_regex)
Definition: detect-parse.c:2440
DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition: detect-parse.c:468
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options, int *ovector, int ovector_size)
Definition: detect-parse.c:2372
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:16
DetectGetLastSM
SigMatch * DetectGetLastSM(const Signature *)
Returns the sm with the largest index (added latest) from this sig.
Definition: detect-parse.c:572
DetectParseRegex_::study
pcre_extra * study
Definition: detect-parse.h:44
DetectListToHumanString
const char * DetectListToHumanString(int list)
Definition: detect-parse.c:114
DetectSignatureAddTransform
int DetectSignatureAddTransform(Signature *s, int transform)
Definition: detect-parse.c:1442
DetectSignatureSetAppProto
int WARN_UNUSED DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1459
DetectParseRegex
struct DetectParseRegex_ DetectParseRegex
SigTableApplyStrictCommandlineOption
void SigTableApplyStrictCommandlineOption(const char *str)
Definition: detect-parse.c:306
SigMatchStrictEnabled
bool SigMatchStrictEnabled(const enum DetectKeywordId id)
Definition: detect-parse.c:298
DetectGetLastSMFromMpmLists
SigMatch * DetectGetLastSMFromMpmLists(const DetectEngineCtx *de_ctx, const Signature *s)
get the last SigMatch from lists that support MPM.
Definition: detect-parse.c:429
SigInit
Signature * SigInit(DetectEngineCtx *, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2023
SigMatchListSMBelongsTo
int SigMatchListSMBelongsTo(const Signature *, const SigMatch *)
Definition: detect-parse.c:622
SigMatchList2DataArray
SigMatchData * SigMatchList2DataArray(SigMatch *head)
convert SigMatch list to SigMatchData array
Definition: detect-parse.c:1596
DetectGetLastSMByListPtr
SigMatch * DetectGetLastSMByListPtr(const Signature *s, SigMatch *sm_list,...)
Returns the sm with the largest index (added last) from the list passed to us as a pointer.
Definition: detect-parse.c:508
DetectEngineContentModifierBufferSetup
int DetectEngineContentModifierBufferSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg, int sm_type, int sm_list, AppProto alproto)
Definition: detect-parse.c:146
SIG_DIREC_SRC
@ SIG_DIREC_SRC
Definition: detect-parse.h:38
DetectSetupParseRegexesOpts
void DetectSetupParseRegexesOpts(const char *parse_str, DetectParseRegex *parse_regex, int opts)
Definition: detect-parse.c:2418
DetectParseRegex_
Definition: detect-parse.h:42
SigMatchSilentErrorEnabled
bool SigMatchSilentErrorEnabled(const DetectEngineCtx *de_ctx, const enum DetectKeywordId id)
Definition: detect-parse.c:292
SigAlloc
Signature * SigAlloc(void)
Definition: detect-parse.c:1254
SIG_DIREC_NORMAL
@ SIG_DIREC_NORMAL
Definition: detect-parse.h:31
str
#define str(s)
Definition: suricata-common.h:256
head
Flow * head
Definition: flow-hash.h:2
DetectParseRegex_::regex
pcre * regex
Definition: detect-parse.h:43
SigParseRegisterTests
void SigParseRegisterTests(void)
Definition: detect-parse.c:4096
Signature_
Signature container.
Definition: detect.h:522
SigMatch_
a single match condition for a signature
Definition: detect.h:318
DetectListToString
const char * DetectListToString(int list)
Definition: detect-parse.c:131
DetectParseDupSigHashFree
void DetectParseDupSigHashFree(DetectEngineCtx *)
Frees the hash table that is used to cull duplicate sigs.
Definition: detect-parse.c:2147
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2316
SigFree
void SigFree(Signature *s)
Definition: detect-parse.c:1377
SIG_DIREC_SWITCHED
@ SIG_DIREC_SWITCHED
Definition: detect-parse.h:32
WARN_UNUSED
#define WARN_UNUSED
Definition: suricata-common.h:372