suricata
detect-rawbytes.c
Go to the documentation of this file.
1
/* Copyright (C) 2007-2018 Open Information Security Foundation
2
*
3
* You can copy, redistribute or modify this Program under the terms of
4
* the GNU General Public License version 2 as published by the Free
5
* Software Foundation.
6
*
7
* This program is distributed in the hope that it will be useful,
8
* but WITHOUT ANY WARRANTY; without even the implied warranty of
9
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10
* GNU General Public License for more details.
11
*
12
* You should have received a copy of the GNU General Public License
13
* version 2 along with this program; if not, write to the Free Software
14
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15
* 02110-1301, USA.
16
*/
17
18
/**
19
* \file
20
*
21
* \author Victor Julien <victor@inliniac.net>
22
*
23
* Implements rawbytes keyword support
24
*
25
* \todo Provide un-normalized telnet dce/rpc buffers to match on
26
*/
27
28
#include "
suricata-common.h
"
29
30
#include "
decode.h
"
31
#include "
detect.h
"
32
#include "
detect-parse.h
"
33
#include "
detect-rawbytes.h
"
34
#include "
detect-engine.h
"
35
36
#include "
detect-content.h
"
37
#include "
detect-pcre.h
"
38
39
#include "
util-debug.h
"
40
41
static
int
DetectRawbytesSetup(
DetectEngineCtx
*,
Signature
*,
const
char
*);
42
43
void
DetectRawbytesRegister
(
void
)
44
{
45
sigmatch_table
[
DETECT_RAWBYTES
].
name
=
"rawbytes"
;
46
sigmatch_table
[
DETECT_RAWBYTES
].
desc
=
47
"dummy keyword to be compatible with snort signatures without effect"
;
48
sigmatch_table
[
DETECT_RAWBYTES
].
url
=
"/rules/payload-keywords.html#rawbytes"
;
49
sigmatch_table
[
DETECT_RAWBYTES
].
Setup
= DetectRawbytesSetup;
50
sigmatch_table
[
DETECT_RAWBYTES
].
flags
|=
SIGMATCH_NOOPT
;
51
}
52
53
static
int
DetectRawbytesSetup(
DetectEngineCtx
*
de_ctx
,
Signature
*s,
const
char
*nullstr)
54
{
55
SCEnter
();
56
57
if
(nullstr != NULL) {
58
SCLogError
(
"rawbytes has no value"
);
59
SCReturnInt
(-1);
60
}
61
62
if
(s->
init_data
->
list
!=
DETECT_SM_LIST_NOTSET
) {
63
SCLogError
(
"\"rawbytes\" cannot be combined "
64
"with the \"%s\" sticky buffer"
,
65
DetectEngineBufferTypeGetNameById
(
de_ctx
, s->
init_data
->
list
));
66
SCReturnInt
(-1);
67
}
68
69
SigMatch
*pm =
DetectGetLastSMByListId
(s,
DETECT_SM_LIST_PMATCH
,
DETECT_CONTENT
, -1);
70
if
(pm == NULL) {
71
SCLogError
(
"\"rawbytes\" needs a preceding content option"
);
72
SCReturnInt
(-1);
73
}
74
75
switch
(pm->
type
) {
76
case
DETECT_CONTENT
: {
77
DetectContentData
*cd = (
DetectContentData
*)pm->
ctx
;
78
if (cd->
flags
&
DETECT_CONTENT_RAWBYTES
) {
79
SCLogError
(
"can't use multiple rawbytes modifiers for the same content. "
);
80
SCReturnInt
(-1);
81
}
82
cd->
flags
|=
DETECT_CONTENT_RAWBYTES
;
83
break
;
84
}
85
default
:
86
SCLogError
(
"\"rawbytes\" needs a preceding content option"
);
87
SCReturnInt
(-1);
88
}
89
90
SCReturnInt
(0);
91
}
SigTableElmt_::url
const char * url
Definition:
detect.h:1312
detect-content.h
detect-engine.h
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition:
detect.h:116
SigTableElmt_::desc
const char * desc
Definition:
detect.h:1311
sigmatch_table
SigTableElmt * sigmatch_table
Definition:
detect-parse.c:128
SigTableElmt_::name
const char * name
Definition:
detect.h:1309
DETECT_CONTENT
@ DETECT_CONTENT
Definition:
detect-engine-register.h:72
SigTableElmt_::flags
uint16_t flags
Definition:
detect.h:1303
DetectEngineCtx_
main detection engine ctx
Definition:
detect.h:843
DETECT_CONTENT_RAWBYTES
#define DETECT_CONTENT_RAWBYTES
Definition:
detect-content.h:38
DetectEngineBufferTypeGetNameById
const char * DetectEngineBufferTypeGetNameById(const DetectEngineCtx *de_ctx, const int id)
Definition:
detect-engine.c:1124
DetectContentData_
Definition:
detect-content.h:93
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition:
detect.h:1294
detect-pcre.h
DetectGetLastSMByListId
SigMatch * DetectGetLastSMByListId(const Signature *s, int list_id,...)
Returns the sm with the largest index (added last) from the list passed to us as an id.
Definition:
detect-parse.c:701
decode.h
util-debug.h
de_ctx
DetectEngineCtx * de_ctx
Definition:
fuzz_siginit.c:17
detect-rawbytes.h
SignatureInitData_::list
int list
Definition:
detect.h:572
SCEnter
#define SCEnter(...)
Definition:
util-debug.h:271
detect.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition:
detect.h:352
DetectContentData_::flags
uint32_t flags
Definition:
detect-content.h:104
Signature_::init_data
SignatureInitData * init_data
Definition:
detect.h:672
DETECT_SM_LIST_NOTSET
#define DETECT_SM_LIST_NOTSET
Definition:
detect.h:141
suricata-common.h
SigMatch_::type
uint16_t type
Definition:
detect.h:350
DETECT_RAWBYTES
@ DETECT_RAWBYTES
Definition:
detect-engine-register.h:84
DetectRawbytesRegister
void DetectRawbytesRegister(void)
Definition:
detect-rawbytes.c:43
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition:
util-debug.h:261
detect-parse.h
Signature_
Signature container.
Definition:
detect.h:603
SigMatch_
a single match condition for a signature
Definition:
detect.h:349
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition:
detect.h:1493
SCReturnInt
#define SCReturnInt(x)
Definition:
util-debug.h:275
src
detect-rawbytes.c
Generated on Sat Dec 21 2024 23:30:32 for suricata by
1.8.18