1
/* Copyright (C) 2007-2016 Open Information Security Foundation
2
*
3
* You can copy, redistribute or modify this Program under the terms of
4
* the GNU General Public License version 2 as published by the Free
5
* Software Foundation.
6
*
7
* This program is distributed in the hope that it will be useful,
8
* but WITHOUT ANY WARRANTY; without even the implied warranty of
9
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10
* GNU General Public License for more details.
11
*
12
* You should have received a copy of the GNU General Public License
13
* version 2 along with this program; if not, write to the Free Software
14
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15
* 02110-1301, USA.
16
*/
/**
19
* \file
20
*
21
* \author Victor Julien <victor@inliniac.net>
22
*
23
* Implements the prefilter keyword
24
*/
#include "
suricata-common.h
"
27
#include "
decode.h
"
#include "
detect.h
"
30
#include "
detect-parse.h
"
31
#include "
detect-content.h
"
32
#include "
detect-engine-mpm.h
"
33
#include "
detect-prefilter.h
"
34
#include "
util-debug.h
"
static
int
DetectPrefilterSetup (
DetectEngineCtx
*,
Signature
*,
const
char
*);
/**
 * \brief Register the 'prefilter' keyword in the signature match table.
 *
 * The keyword takes no argument (SIGMATCH_NOOPT). Only a Setup handler is
 * installed: the keyword marks a SigMatch that is already in the rule rather
 * than appending one of its own, so there is no Match or Free callback.
 */
void DetectPrefilterRegister(void)
{
    SigTableElmt *kw = &sigmatch_table[DETECT_PREFILTER];

    kw->name = "prefilter";
    kw->desc = "force a condition to be used as prefilter";
    kw->url = "/rules/prefilter-keywords.html#prefilter";
    kw->Setup = DetectPrefilterSetup;
    kw->flags |= SIGMATCH_NOOPT;
}
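/**
 * \internal
 * \brief Apply the prefilter keyword to the last match
 *
 * Selects the most recently added SigMatch of the rule (DetectGetLastSM) as
 * the one the prefilter engine should use. For a content match this is the
 * same as 'fast_pattern' without options: DETECT_CONTENT_FAST_PATTERN is set
 * on the content. For any other keyword the keyword must have registered a
 * SupportsPrefilter callback; the keyword type is then recorded in
 * de_ctx->sm_types_prefilter so that its prefilter setup runs later. In both
 * cases the chosen SigMatch is stored in s->init_data->prefilter_sm.
 *
 * \param de_ctx  detection engine ctx
 * \param s       signature being parsed
 * \param nullstr must be NULL: the keyword takes no value
 * \retval 0 ok
 * \retval -1 failure: a value was given, prefilter was already selected, no
 *            preceding keyword, unsupported keyword, or a content/direction
 *            combination that cannot be prefiltered
 */
static int DetectPrefilterSetup (DetectEngineCtx *de_ctx, Signature *s, const char *nullstr)
{
    SCEnter();

    if (nullstr != NULL) {
        SCLogError("prefilter has value");
        SCReturnInt(-1);
    }

    /* Reject a second 'prefilter' in the same rule. This function never sets
     * SIG_FLAG_PREFILTER itself (it is presumably applied after parsing), but
     * it does set prefilter_sm; checking that too stops a later 'prefilter'
     * from silently replacing the earlier selection while the earlier content
     * keeps its FAST_PATTERN flag. */
    if ((s->flags & SIG_FLAG_PREFILTER) || s->init_data->prefilter_sm != NULL) {
        SCLogError("prefilter already set");
        SCReturnInt(-1);
    }

    SigMatch *sm = DetectGetLastSM(s);
    if (sm == NULL) {
        SCLogError("prefilter needs preceding match");
        SCReturnInt(-1);
    }

    if (sm->type == DETECT_CONTENT) {
        /* if the sig match is content, prefilter should act like
         * 'fast_pattern' w/o options. */
        if ((s->flags & SIG_FLAG_TXBOTHDIR) && s->init_data->curbuf != NULL) {
            if (s->init_data->init_flags & SIG_FLAG_INIT_TXDIR_STREAMING_TOSERVER) {
                /* a rule that streams to_server cannot prefilter on a
                 * to_client buffer; otherwise remember that the fast
                 * pattern lives on the to_client side. */
                if (DetectBufferToClient(de_ctx, s->init_data->curbuf->id, s->alproto)) {
                    SCLogError("prefilter cannot be used on to_client keyword for "
                               "transactional rule %u",
                            s->id);
                    SCReturnInt(-1);
                }
                s->init_data->init_flags |= SIG_FLAG_INIT_TXDIR_FAST_TOCLIENT;
            }
        }

        DetectContentData *cd = (DetectContentData *)sm->ctx;
        /* a negated content carrying any of the position modifiers is not
         * accepted as prefilter/fast pattern. */
        const uint32_t positional = DETECT_CONTENT_DISTANCE | DETECT_CONTENT_WITHIN |
                                    DETECT_CONTENT_OFFSET | DETECT_CONTENT_DEPTH;
        if ((cd->flags & DETECT_CONTENT_NEGATED) && (cd->flags & positional)) {
            SCLogError("prefilter; cannot be "
                       "used with negated content, along with relative modifiers");
            SCReturnInt(-1);
        }
        cd->flags |= DETECT_CONTENT_FAST_PATTERN;
    } else {
        /* Only the presence of the callback is checked here; whether it
         * accepts this particular signature is decided elsewhere (not in this
         * file) — NOTE(review): confirm against the engine build code. */
        if (sigmatch_table[sm->type].SupportsPrefilter == NULL) {
            SCLogError("prefilter is not supported for %s", sigmatch_table[sm->type].name);
            SCReturnInt(-1);
        }

        /* make sure setup function runs for this type. */
        de_ctx->sm_types_prefilter[sm->type] = true;
    }

    s->init_data->prefilter_sm = sm;
    SCLogDebug("sid %u: prefilter is on \"%s\" (%u)", s->id, sigmatch_table[sm->type].name,
            sm->type);

    SCReturnInt(0);
}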