detect-pcre.c File Reference
#include "suricata-common.h"
#include "debug.h"
#include "decode.h"
#include "detect.h"
#include "pkt-var.h"
#include "flow-var.h"
#include "flow-util.h"
#include "detect-pcre.h"
#include "detect-flowvar.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-sigorder.h"
#include "detect-engine-mpm.h"
#include "detect-engine-state.h"
#include "util-var-name.h"
#include "util-unittest-helper.h"
#include "util-debug.h"
#include "util-unittest.h"
#include "util-print.h"
#include "util-pool.h"
#include "conf.h"
#include "app-layer.h"
#include "app-layer-htp.h"
#include "stream.h"
#include "stream-tcp.h"
#include "stream-tcp-private.h"
#include "stream-tcp-reassemble.h"
#include "app-layer-protos.h"
#include "app-layer-parser.h"
#include "util-pages.h"


Macros

#define PARSE_CAPTURE_REGEX   "\\(\\?P\\<([A-z]+)\\_([A-z0-9_]+)\>"
 
#define PARSE_REGEX   "(?<!\\\\)/(.*(?<!(?<!\\\\)\\\\))/([^\"]*)"
 
#define SC_MATCH_LIMIT_DEFAULT   3500
 
#define SC_MATCH_LIMIT_RECURSION_DEFAULT   1500
 
#define MAX_SUBSTRINGS   30
 
#define MAX_SUBSTRINGS   30
 

Functions

void DetectPcreRegister (void)
 
int DetectPcrePayloadMatch (DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *payload, uint32_t payload_len)
 Match a regex on a single payload.
 

Detailed Description

Author
Victor Julien victo.nosp@m.r@in.nosp@m.linia.nosp@m.c.ne.nosp@m.t

Implements the pcre keyword

Definition in file detect-pcre.c.

Macro Definition Documentation

#define MAX_SUBSTRINGS   30

Referenced by DetectPcrePayloadMatch().

#define MAX_SUBSTRINGS   30
#define PARSE_CAPTURE_REGEX   "\\(\\?P\\<([A-z]+)\\_([A-z0-9_]+)\>"

Definition at line 64 of file detect-pcre.c.

Referenced by DetectPcreRegister().

#define PARSE_REGEX   "(?<!\\\\)/(.*(?<!(?<!\\\\)\\\\))/([^\"]*)"

Definition at line 65 of file detect-pcre.c.

Referenced by DetectPcreRegister().

#define SC_MATCH_LIMIT_DEFAULT   3500

Definition at line 67 of file detect-pcre.c.

Referenced by DetectPcrePayloadMatch(), and DetectPcreRegister().

#define SC_MATCH_LIMIT_RECURSION_DEFAULT   1500

Definition at line 68 of file detect-pcre.c.

Referenced by DetectPcrePayloadMatch(), and DetectPcreRegister().

Function Documentation

int DetectPcrePayloadMatch ( DetectEngineThreadCtx *det_ctx,
const Signature *s,
const SigMatchData *smd,
Packet *p,
Flow *f,
const uint8_t *payload,
uint32_t payload_len
)

Match a regex on a single payload.

Parameters
det_ctx  Thread detection ctx.
s  Signature.
smd  Sig match to match against.
p  Packet to set PktVars if any.
f  Flow to set FlowVars if any.
payload  Payload to inspect.
payload_len  Length of the payload.
Return values
1  Match.
0  No match.

Definition at line 171 of file detect-pcre.c.

References Packet_::alerts, Flow_::alproto, Signature_::alproto, ALPROTO_DCERPC, ALPROTO_HTTP, ALPROTO_UNKNOWN, Flow_::alstate, AppLayerHtpEnableRequestBodyCallback(), AppLayerParserGetTx(), AppLayerParserGetTxCnt(), AppLayerParserParse(), AppLayerParserThreadCtxAlloc(), AppLayerParserThreadCtxFree(), DetectEngineThreadCtx_::buffer_offset, DetectPcreData_::capids, DetectPcreData_::captypes, PacketAlerts_::cnt, SigMatch_::ctx, SigMatchData_::ctx, FlowVar_::data, DE_QUIET, DETECT_CONTENT, DETECT_CONTENT_RELATIVE_NEXT, DETECT_PCRE, DETECT_PCRE_CAPTURE_MAX, DETECT_PCRE_CASELESS, DETECT_PCRE_MATCH_LIMIT, DETECT_PCRE_NEGATE, DETECT_PCRE_RAWBYTES, DETECT_PCRE_RELATIVE, DETECT_PCRE_RELATIVE_NEXT, DETECT_SM_LIST_NOTSET, DETECT_SM_LIST_PMATCH, DETECT_VAR_TYPE_FLOW_POSTMATCH, DETECT_VAR_TYPE_PKT_POSTMATCH, DetectBufferGetActiveList(), DetectBufferTypeGetByName(), DetectEngineAppendSig(), DetectEngineCtxFree(), DetectEngineCtxInit(), DetectEngineThreadCtxDeinit(), DetectEngineThreadCtxInit(), DetectFlowvarPostMatchSetup(), DetectGetLastSMByListPtr(), DetectSignatureSetAppProto(), DetectVarStoreMatch(), DetectVarStoreMatchKeyValue(), FAIL, FAIL_IF, FAIL_IF_NOT, FAIL_IF_NOT_NULL, FAIL_IF_NULL, HtpBody_::first, DetectPcreData_::flags, DetectContentData_::flags, Flow_::flags, Packet_::flags, Signature_::flags, DetectEngineCtx_::flags, Packet_::flow, FLOW_DESTROY, FLOW_INITIALIZE, FLOW_IPV4, FLOW_PKT_ESTABLISHED, FLOW_PKT_TOSERVER, Packet_::flowflags, FLOWLOCK_UNLOCK, FLOWLOCK_WRLOCK, FlowVarGet(), FlowVar_::fv_str, DetectPcreData_::idx, Signature_::init_data, len, SignatureInitData_::list, MAX_SUBSTRINGS, MIN, SignatureInitData_::negated, Signature_::next, offset, PacketAlertCheck(), PASS, payload_len, pcre_free_study, DetectEngineThreadCtx_::pcre_match_start_offset, PKT_HAS_FLOW, PKT_STREAM_EST, SigMatch_::prev, PrintRawDataFp(), Flow_::proto, Flow_::protoctx, DetectPcreData_::re, HtpTxUserData_::request_body, res, DetectEngineCtx_::rule_file, DetectEngineCtx_::rule_line, 
HtpBody_::sb, HtpBodyChunk_::sbseg, SC_ERR_INVALID_SIGNATURE, SC_ERR_PCRE_COMPILE, SC_ERR_PCRE_GET_SUBSTRING, SC_ERR_PCRE_MATCH, SC_ERR_PCRE_STUDY, SC_ERR_UNKNOWN_REGEX_MOD, SC_ERR_VAR_LIMIT, SC_MATCH_LIMIT_DEFAULT, SC_MATCH_LIMIT_RECURSION_DEFAULT, SCCalloc, SCEnter, SCFree, SCLogDebug, SCLogError, SCLogWarning, SCMalloc, SCReturnInt, SCSigOrderSignatures(), SCSigRegisterSignatureOrderingFuncs(), SCSigSignatureOrderingModuleCleanup(), DetectPcreData_::sd, SIG_FLAG_APPLAYER, DetectEngineCtx_::sig_list, SigAlloc(), SigCleanSignatures(), SigFree(), SigGroupBuild(), SigGroupCleanup(), SigInit(), SigMatchAlloc(), SigMatchAppendSMToList(), SigMatchSignatures(), STREAM_START, STREAM_TOSERVER, StreamingBufferSegmentCompareRawData(), StreamTcpFreeConfig(), StreamTcpInitConfig(), strlcpy(), Packet_::tcph, TRUE, SigMatch_::type, unlikely, UTHAddSessionToFlow(), UTHAddStreamToFlow(), UTHBuildFlow(), UTHBuildPacket(), UTHFreeFlow(), UTHFreePacket(), UTHFreePackets(), UTHPacketMatchSig(), UTHRemoveSessionFromFlow(), UtRegisterTest(), FlowVarTypeStr::value, FlowVarTypeStr::value_len, VAR_TYPE_FLOW_VAR, VAR_TYPE_PKT_VAR, VAR_TYPE_PKT_VAR_KV, VarNameStoreLookupByName(), and VarNameStoreSetupAdd().

Referenced by DetectEngineContentInspection().
