suricata
detect-prefilter.c
Go to the documentation of this file.
1
/* Copyright (C) 2007-2016 Open Information Security Foundation
2
*
3
* You can copy, redistribute or modify this Program under the terms of
4
* the GNU General Public License version 2 as published by the Free
5
* Software Foundation.
6
*
7
* This program is distributed in the hope that it will be useful,
8
* but WITHOUT ANY WARRANTY; without even the implied warranty of
9
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10
* GNU General Public License for more details.
11
*
12
* You should have received a copy of the GNU General Public License
13
* version 2 along with this program; if not, write to the Free Software
14
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15
* 02110-1301, USA.
16
*/
17
18
/**
19
* \file
20
*
21
* \author Victor Julien <victor@inliniac.net>
22
*
23
* Implements the prefilter keyword
24
*/
25
26
#include "
suricata-common.h
"
27
#include "
decode.h
"
28
29
#include "
detect.h
"
30
#include "
detect-parse.h
"
31
#include "
detect-content.h
"
32
#include "
detect-prefilter.h
"
33
#include "
util-debug.h
"
34
35
static
int
DetectPrefilterSetup (
DetectEngineCtx
*,
Signature
*,
const
char
*);
36
37
void
DetectPrefilterRegister
(
void
)
38
{
39
sigmatch_table
[
DETECT_PREFILTER
].
name
=
"prefilter"
;
40
sigmatch_table
[
DETECT_PREFILTER
].
desc
=
"force a condition to be used as prefilter"
;
41
sigmatch_table
[
DETECT_PREFILTER
].
url
=
"/rules/prefilter-keywords.html#prefilter"
;
42
sigmatch_table
[
DETECT_PREFILTER
].
Setup
= DetectPrefilterSetup;
43
sigmatch_table
[
DETECT_PREFILTER
].
flags
|=
SIGMATCH_NOOPT
;
44
}
45
46
/**
47
* \internal
48
* \brief Apply the prefilter keyword to the last match
49
* \param det_ctx detection engine ctx
50
* \param s signature
51
* \param nullstr should be null
52
* \retval 0 ok
53
* \retval -1 failure
54
*/
55
static
int
DetectPrefilterSetup (
DetectEngineCtx
*
de_ctx
,
Signature
*s,
const
char
*nullstr)
56
{
57
SCEnter
();
58
59
if
(nullstr != NULL) {
60
SCLogError
(
"prefilter has value"
);
61
SCReturnInt
(-1);
62
}
63
64
if
(s->
flags
&
SIG_FLAG_PREFILTER
) {
65
SCLogError
(
"prefilter already set"
);
66
SCReturnInt
(-1);
67
}
68
69
SigMatch
*sm =
DetectGetLastSM
(s);
70
if
(sm == NULL) {
71
SCLogError
(
"prefilter needs preceding match"
);
72
SCReturnInt
(-1);
73
}
74
75
/* if the sig match is content, prefilter should act like
76
* 'fast_pattern' w/o options. */
77
if
(sm->
type
==
DETECT_CONTENT
) {
78
DetectContentData
*cd = (
DetectContentData
*)sm->
ctx
;
79
if ((cd->
flags
&
DETECT_CONTENT_NEGATED
) &&
80
((cd->
flags
&
DETECT_CONTENT_DISTANCE
) ||
81
(cd->
flags
&
DETECT_CONTENT_WITHIN
) ||
82
(cd->
flags
&
DETECT_CONTENT_OFFSET
) ||
83
(cd->
flags
&
DETECT_CONTENT_DEPTH
)))
84
{
85
SCLogError
(
"prefilter; cannot be "
86
"used with negated content, along with relative modifiers"
);
87
SCReturnInt
(-1);
88
}
89
cd->
flags
|=
DETECT_CONTENT_FAST_PATTERN
;
90
}
else
{
91
if
(
sigmatch_table
[sm->
type
].
SupportsPrefilter
== NULL) {
92
SCLogError
(
"prefilter is not supported for %s"
,
sigmatch_table
[sm->
type
].
name
);
93
SCReturnInt
(-1);
94
}
95
s->
flags
|=
SIG_FLAG_PREFILTER
;
96
97
/* make sure setup function runs for this type. */
98
de_ctx
->
sm_types_prefilter
[sm->
type
] =
true
;
99
}
100
101
s->
init_data
->
prefilter_sm
= sm;
102
103
SCReturnInt
(0);
104
}
SigTableElmt_::url
const char * url
Definition:
detect.h:1312
detect-content.h
SigTableElmt_::desc
const char * desc
Definition:
detect.h:1311
sigmatch_table
SigTableElmt * sigmatch_table
Definition:
detect-parse.c:128
SigTableElmt_::name
const char * name
Definition:
detect.h:1309
DETECT_CONTENT
@ DETECT_CONTENT
Definition:
detect-engine-register.h:72
SignatureInitData_::prefilter_sm
SigMatch * prefilter_sm
Definition:
detect.h:569
SigTableElmt_::flags
uint16_t flags
Definition:
detect.h:1303
DetectEngineCtx_
main detection engine ctx
Definition:
detect.h:843
DETECT_PREFILTER
@ DETECT_PREFILTER
Definition:
detect-engine-register.h:305
DetectContentData_
Definition:
detect-content.h:93
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition:
detect.h:1294
decode.h
util-debug.h
DETECT_CONTENT_DISTANCE
#define DETECT_CONTENT_DISTANCE
Definition:
detect-content.h:30
de_ctx
DetectEngineCtx * de_ctx
Definition:
fuzz_siginit.c:17
DETECT_CONTENT_DEPTH
#define DETECT_CONTENT_DEPTH
Definition:
detect-content.h:33
SCEnter
#define SCEnter(...)
Definition:
util-debug.h:271
detect.h
DetectEngineCtx_::sm_types_prefilter
bool * sm_types_prefilter
Definition:
detect.h:1025
detect-prefilter.h
DETECT_CONTENT_NEGATED
#define DETECT_CONTENT_NEGATED
Definition:
detect-content.h:40
SigMatch_::ctx
SigMatchCtx * ctx
Definition:
detect.h:352
Signature_::flags
uint32_t flags
Definition:
detect.h:604
DetectContentData_::flags
uint32_t flags
Definition:
detect-content.h:104
Signature_::init_data
SignatureInitData * init_data
Definition:
detect.h:672
DetectPrefilterRegister
void DetectPrefilterRegister(void)
Definition:
detect-prefilter.c:37
DetectGetLastSM
SigMatch * DetectGetLastSM(const Signature *s)
Returns the sm with the largest index (added latest) from this sig.
Definition:
detect-parse.c:752
suricata-common.h
SigMatch_::type
uint16_t type
Definition:
detect.h:350
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition:
util-debug.h:261
SigTableElmt_::SupportsPrefilter
bool(* SupportsPrefilter)(const Signature *s)
Definition:
detect.h:1296
DETECT_CONTENT_OFFSET
#define DETECT_CONTENT_OFFSET
Definition:
detect-content.h:32
detect-parse.h
Signature_
Signature container.
Definition:
detect.h:603
SigMatch_
a single match condition for a signature
Definition:
detect.h:349
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition:
detect.h:1493
DETECT_CONTENT_FAST_PATTERN
#define DETECT_CONTENT_FAST_PATTERN
Definition:
detect-content.h:34
SCReturnInt
#define SCReturnInt(x)
Definition:
util-debug.h:275
SIG_FLAG_PREFILTER
#define SIG_FLAG_PREFILTER
Definition:
detect.h:274
DETECT_CONTENT_WITHIN
#define DETECT_CONTENT_WITHIN
Definition:
detect-content.h:31
src
detect-prefilter.c
Generated on Wed Dec 25 2024 23:30:32 for suricata by
1.8.18