suricata
detect-parse.h
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  */
23 
24 #ifndef SURICATA_DETECT_PARSE_H
25 #define SURICATA_DETECT_PARSE_H
26 
27 #include "detect.h"
28 #include "detect-engine-mpm.h"
29 
30 /* File handler registration */
31 #define MAX_DETECT_ALPROTO_CNT 10
33  const char *name;
34  int priority;
40  int progress;
43 
44 /* File registration table */
46 
47 /** Flags to indicate if the Signature parsing must be done
48 * switching the source and dest (for ip addresses and ports)
49 * or otherwise as normal */
50 enum {
53 };
54 
55 /** Flags to indicate if are referencing the source of the Signature
56 * or the destination (for ip addresses and ports)*/
57 enum {
60 };
61 
62 typedef struct DetectParseRegex {
63  pcre2_code *regex;
64  pcre2_match_context *context;
67 
68 /* prototypes */
70 Signature *SigAlloc(void);
72 Signature *SigInit(DetectEngineCtx *, const char *sigstr);
74 void SigParseRegisterTests(void);
76 
79 int SigMatchListSMBelongsTo(const Signature *, const SigMatch *);
80 
83 
85  Signature *s, const char *arg, int sm_type, int sm_list,
86  AppProto alproto);
87 
89  const enum DetectKeywordId id);
90 bool SigMatchStrictEnabled(const enum DetectKeywordId id);
91 
92 const char *DetectListToHumanString(int list);
93 const char *DetectListToString(int list);
94 
96 
100 SigMatch *DetectGetLastSMByListPtr(const Signature *s, SigMatch *sm_list, ...);
101 SigMatch *DetectGetLastSMByListId(const Signature *s, int list_id, ...);
102 
103 int DetectSignatureAddTransform(Signature *s, int transform, void *options);
105 
106 /* parse regex setup and free util funcs */
107 
108 DetectParseRegex *DetectSetupPCRE2(const char *parse_str, int opts);
109 bool DetectSetupParseRegexesOpts(const char *parse_str, DetectParseRegex *parse_regex, int opts);
110 void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *parse_regex);
112 void DetectParseFreeRegexes(void);
114 
115 /* parse regex exec */
116 int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str,
117  int start_offset, int options);
119  pcre2_match_data *match_data, uint32_t number, PCRE2_UCHAR *buffer, PCRE2_SIZE *bufflen);
120 int SC_Pcre2SubstringGet(pcre2_match_data *match_data, uint32_t number, PCRE2_UCHAR **bufferptr,
121  PCRE2_SIZE *bufflen);
122 
123 #endif /* SURICATA_DETECT_PARSE_H */
DETECT_TBLSIZE_STATIC
@ DETECT_TBLSIZE_STATIC
Definition: detect-engine-register.h:335
SigMatchRemoveSMFromList
void SigMatchRemoveSMFromList(Signature *, SigMatch *, int)
Definition: detect-parse.c:530
DetectSetupPCRE2
DetectParseRegex * DetectSetupPCRE2(const char *parse_str, int opts)
Definition: detect-parse.c:2721
SIG_DIREC_SRC
@ SIG_DIREC_SRC
Definition: detect-parse.h:58
DetectParseRegex
Definition: detect-parse.h:62
DetectParseRegex::context
pcre2_match_context * context
Definition: detect-parse.h:64
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:81
SIG_DIREC_DST
@ SIG_DIREC_DST
Definition: detect-parse.h:59
InspectionBufferGetDataPtr
InspectionBuffer *(* InspectionBufferGetDataPtr)(struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, const int list_id)
Definition: detect.h:414
DetectParseFreeRegex
void DetectParseFreeRegex(DetectParseRegex *r)
Definition: detect-parse.c:2655
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:843
DetectParseRegexAddToFreeList
void DetectParseRegexAddToFreeList(DetectParseRegex *parse_regex)
add regex and/or study to at exit free list
Definition: detect-parse.c:2681
SigTableApplyStrictCommandLineOption
void SigTableApplyStrictCommandLineOption(const char *str)
Definition: detect-parse.c:393
DetectFileHandlerTableElmt
struct DetectFileHandlerTableElmt_ DetectFileHandlerTableElmt
DetectParseRegex::regex
pcre2_code * regex
Definition: detect-parse.h:63
DetectKeywordId
DetectKeywordId
Definition: detect-engine-register.h:29
filehandler_table
DetectFileHandlerTableElmt filehandler_table[DETECT_TBLSIZE_STATIC]
Definition: detect-parse.c:78
DetectParseDupSigHashInit
int DetectParseDupSigHashInit(DetectEngineCtx *)
Initializes the hash table that is used to cull duplicate sigs.
Definition: detect-parse.c:2396
SigMatchData_
Data needed for Match()
Definition: detect.h:358
DetectParseFreeRegexes
void DetectParseFreeRegexes(void)
Definition: detect-parse.c:2665
DetectParseRegex::next
struct DetectParseRegex * next
Definition: detect-parse.h:65
DetectFileHandlerTableElmt_::GetData
InspectionBufferGetDataPtr GetData
Definition: detect-parse.h:37
SC_Pcre2SubstringCopy
int SC_Pcre2SubstringCopy(pcre2_match_data *match_data, uint32_t number, PCRE2_UCHAR *buffer, PCRE2_SIZE *bufflen)
Definition: detect-parse.c:2747
DetectGetLastSMByListId
SigMatch * DetectGetLastSMByListId(const Signature *s, int list_id,...)
Returns the sm with the largest index (added last) from the list passed to us as an id.
Definition: detect-parse.c:701
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *parse_regex)
Definition: detect-parse.c:2771
DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition: detect-parse.c:607
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectGetLastSM
SigMatch * DetectGetLastSM(const Signature *)
Returns the sm with the largest index (added latest) from this sig.
Definition: detect-parse.c:752
DetectListToHumanString
const char * DetectListToHumanString(int list)
Definition: detect-parse.c:161
detect-engine-mpm.h
detect.h
SIG_DIREC_SWITCHED
@ SIG_DIREC_SWITCHED
Definition: detect-parse.h:52
DetectFileHandlerTableElmt_::progress
int progress
Definition: detect-parse.h:40
DetectParseRegex
struct DetectParseRegex DetectParseRegex
DetectSignatureSetAppProto
int WARN_UNUSED DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1738
DetectFileHandlerTableElmt_
Definition: detect-parse.h:32
SigMatchAppendSMToList
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *, Signature *, uint16_t, SigMatchCtx *, int)
Append a SigMatch to the list type.
Definition: detect-parse.c:437
DetectFileHandlerTableElmt_::al_protocols
int al_protocols[MAX_DETECT_ALPROTO_CNT]
Definition: detect-parse.h:38
PrefilterRegisterFunc
int(* PrefilterRegisterFunc)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id)
Definition: detect-engine-mpm.h:72
SigMatchStrictEnabled
bool SigMatchStrictEnabled(const enum DetectKeywordId id)
Definition: detect-parse.c:385
SigFree
void SigFree(DetectEngineCtx *de_ctx, Signature *s)
Definition: detect-parse.c:1629
DetectGetLastSMFromMpmLists
SigMatch * DetectGetLastSMFromMpmLists(const DetectEngineCtx *de_ctx, const Signature *s)
get the last SigMatch from lists that support MPM.
Definition: detect-parse.c:570
SigInit
Signature * SigInit(DetectEngineCtx *, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2289
DetectFileHandlerTableElmt_::priority
int priority
Definition: detect-parse.h:34
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
Definition: detect-parse.c:2645
SigMatchListSMBelongsTo
int SigMatchListSMBelongsTo(const Signature *, const SigMatch *)
Definition: detect-parse.c:806
SigMatchList2DataArray
SigMatchData * SigMatchList2DataArray(SigMatch *head)
convert SigMatch list to SigMatchData array
Definition: detect-parse.c:1857
MAX_DETECT_ALPROTO_CNT
#define MAX_DETECT_ALPROTO_CNT
Definition: detect-parse.h:31
DetectSignatureAddTransform
int DetectSignatureAddTransform(Signature *s, int transform, void *options)
Definition: detect-parse.c:1713
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:344
DetectSetupParseRegexesOpts
bool DetectSetupParseRegexesOpts(const char *parse_str, DetectParseRegex *parse_regex, int opts)
Definition: detect-parse.c:2692
DetectGetLastSMByListPtr
SigMatch * DetectGetLastSMByListPtr(const Signature *s, SigMatch *sm_list,...)
Returns the sm with the largest index (added last) from the list passed to us as a pointer.
Definition: detect-parse.c:669
DetectEngineContentModifierBufferSetup
int DetectEngineContentModifierBufferSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg, int sm_type, int sm_list, AppProto alproto)
Definition: detect-parse.c:195
InspectEngineFuncPtr
uint8_t(* InspectEngineFuncPtr)(struct DetectEngineCtx_ *de_ctx, struct DetectEngineThreadCtx_ *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const struct Signature_ *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Definition: detect.h:424
SignatureInitDataBufferCheckExpand
int SignatureInitDataBufferCheckExpand(Signature *s)
check if buffers array still has space left, expand if not
Definition: detect-parse.c:1494
SigMatchSilentErrorEnabled
bool SigMatchSilentErrorEnabled(const DetectEngineCtx *de_ctx, const enum DetectKeywordId id)
Definition: detect-parse.c:379
DetectFileHandlerTableElmt_::PrefilterFn
PrefilterRegisterFunc PrefilterFn
Definition: detect-parse.h:35
DetectFileRegisterFileProtocols
void DetectFileRegisterFileProtocols(DetectFileHandlerTableElmt *entry)
Definition: detect-parse.c:80
SigAlloc
Signature * SigAlloc(void)
Definition: detect-parse.c:1514
str
#define str(s)
Definition: suricata-common.h:291
head
Flow * head
Definition: flow-hash.h:1
SigParseRegisterTests
void SigParseRegisterTests(void)
Definition: detect-parse.c:4449
Signature_
Signature container.
Definition: detect.h:603
SigMatch_
a single match condition for a signature
Definition: detect.h:349
SC_Pcre2SubstringGet
int SC_Pcre2SubstringGet(pcre2_match_data *match_data, uint32_t number, PCRE2_UCHAR **bufferptr, PCRE2_SIZE *bufflen)
Definition: detect-parse.c:2759
DetectFileHandlerTableElmt_::tx_progress
int tx_progress
Definition: detect-parse.h:39
DetectListToString
const char * DetectListToString(int list)
Definition: detect-parse.c:179
DetectFileHandlerTableElmt_::Callback
InspectEngineFuncPtr Callback
Definition: detect-parse.h:36
DetectParseDupSigHashFree
void DetectParseDupSigHashFree(DetectEngineCtx *)
Frees the hash table that is used to cull duplicate sigs.
Definition: detect-parse.c:2413
DetectFileHandlerTableElmt_::name
const char * name
Definition: detect-parse.h:33
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2591
WARN_UNUSED
#define WARN_UNUSED
Definition: suricata-common.h:403
SIG_DIREC_NORMAL
@ SIG_DIREC_NORMAL
Definition: detect-parse.h:51