detect-transform-compress-whitespace_8c_source.html

 /* Copyright (C) 2007-2010 Open Information Security Foundation
  *
  * You can copy, redistribute or modify this Program under the terms of
  * the GNU General Public License version 2 as published by the Free
  * Software Foundation.
  *
  * This program is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  * GNU General Public License for more details.
  *
  * You should have received a copy of the GNU General Public License
  * version 2 along with this program; if not, write to the Free Software
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
  * 02110-1301, USA.
  */

 /**
  * \file
  *
  * \author Victor Julien <victor@inliniac.net>
  *
  * Implements the compress_whitespace tranform keyword
  */

 #include "suricata-common.h"

 #include "detect.h"
 #include "detect-engine.h"
 #include "detect-engine-prefilter.h"
 #include "detect-parse.h"
 #include "detect-transform-compress-whitespace.h"

 #include "util-unittest.h"
 #include "util-print.h"

 static int DetectTransformCompressWhitespaceSetup (DetectEngineCtx *, Signature *, const char *);
 static void DetectTransformCompressWhitespaceRegisterTests(void);

 static void TransformCompressWhitespace(InspectionBuffer *buffer);

 void DetectTransformCompressWhitespaceRegister(void)
 {
     sigmatch_table[DETECT_TRANSFORM_COMPRESS_WHITESPACE].name = "compress_whitespace";
     sigmatch_table[DETECT_TRANSFORM_COMPRESS_WHITESPACE].desc =
         "modify buffer to compress consecutive whitespace characters "
         "into a single one before inspection";
     sigmatch_table[DETECT_TRANSFORM_COMPRESS_WHITESPACE].url =
         DOC_URL DOC_VERSION "/rules/transforms.html#compress-whitespace";
     sigmatch_table[DETECT_TRANSFORM_COMPRESS_WHITESPACE].Transform =
         TransformCompressWhitespace;
     sigmatch_table[DETECT_TRANSFORM_COMPRESS_WHITESPACE].Setup =
         DetectTransformCompressWhitespaceSetup;
     sigmatch_table[DETECT_TRANSFORM_COMPRESS_WHITESPACE].RegisterTests =
         DetectTransformCompressWhitespaceRegisterTests;

     sigmatch_table[DETECT_TRANSFORM_COMPRESS_WHITESPACE].flags |= SIGMATCH_NOOPT;
 }

 /**
  *  \internal
  *  \brief Apply the compress_whitespace keyword to the last pattern match
  *  \param det_ctx detection engine ctx
  *  \param s signature
  *  \param nullstr should be null
  *  \retval 0 ok
  *  \retval -1 failure
  */
 static int DetectTransformCompressWhitespaceSetup (DetectEngineCtx *de_ctx, Signature *s, const char *nullstr)
 {
     SCEnter();
     int r = DetectSignatureAddTransform(s, DETECT_TRANSFORM_COMPRESS_WHITESPACE);
     SCReturnInt(r);
 }

 static void TransformCompressWhitespace(InspectionBuffer *buffer)
 {
     const uint8_t *input = buffer->inspect;
     const uint32_t input_len = buffer->inspect_len;
     uint8_t output[input_len]; // we can only shrink
     uint8_t *oi = output, *os = output;

     //PrintRawDataFp(stdout, input, input_len);
     for (uint32_t i = 0; i < input_len; ) {
         if (!(isspace(*input))) {
             *oi++ = *input++;
             i++;
         } else {
             *oi++ = *input++;
             i++;

             while (i < input_len && isspace(*input)) {
                 input++;
                 i++;
             }
         }
     }
     uint32_t output_size = oi - os;
     //PrintRawDataFp(stdout, output, output_size);

     InspectionBufferCopy(buffer, os, output_size);
 }

 #ifdef UNITTESTS
 static int TransformDoubleWhitespace(InspectionBuffer *buffer)
 {
     const uint8_t *input = buffer->inspect;
     const uint32_t input_len = buffer->inspect_len;
     uint8_t output[input_len * 2]; // if all chars are whitespace this fits
     uint8_t *oi = output, *os = output;

     PrintRawDataFp(stdout, input, input_len);
     for (uint32_t i = 0; i < input_len; i++) {
         if (isspace(*input)) {
             *oi++ = *input;
         }
         *oi++ = *input;
         input++;
     }
     uint32_t output_size = oi - os;
     PrintRawDataFp(stdout, output, output_size);

     InspectionBufferCopy(buffer, os, output_size);
     return 0;
 }

 static int DetectTransformCompressWhitespaceTest01(void)
 {
     const uint8_t *input = (const uint8_t *)" A B C D ";
     uint32_t input_len = strlen((char *)input);

     InspectionBuffer buffer;
     InspectionBufferInit(&buffer, 8);
     InspectionBufferSetup(&buffer, input, input_len);
     PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
     TransformCompressWhitespace(&buffer);
     PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
     InspectionBufferFree(&buffer);
     PASS;
 }

 static int DetectTransformCompressWhitespaceTest02(void)
 {
     const uint8_t *input = (const uint8_t *)" A B C D ";
     uint32_t input_len = strlen((char *)input);

     InspectionBuffer buffer;
     InspectionBufferInit(&buffer, 8);
     InspectionBufferSetup(&buffer, input, input_len);
     PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
     TransformDoubleWhitespace(&buffer);
     PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
     TransformDoubleWhitespace(&buffer);
     PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
     TransformCompressWhitespace(&buffer);
     PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
     InspectionBufferFree(&buffer);
     PASS;
 }

 #endif

 static void DetectTransformCompressWhitespaceRegisterTests(void)
 {
 #ifdef UNITTESTS
     UtRegisterTest("DetectTransformCompressWhitespaceTest01",
             DetectTransformCompressWhitespaceTest01);
     UtRegisterTest("DetectTransformCompressWhitespaceTest02",
             DetectTransformCompressWhitespaceTest02);
 #endif
 }
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1448

SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1186

DETECT_TRANSFORM_COMPRESS_WHITESPACE
Definition: detect-engine-register.h:256

PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105

detect-engine-prefilter.h

SigTableElmt_::name
const char * name
Definition: detect.h:1200

util-unittest.h

Signature_
Signature container.
Definition: detect.h:522

DetectSignatureAddTransform
int DetectSignatureAddTransform(Signature *s, int transform)
Definition: detect-parse.c:1439

InspectionBufferInit
void InspectionBufferInit(InspectionBuffer *buffer, uint32_t initial_size)
Definition: detect-engine.c:1082

SigTableElmt_::Transform
void(* Transform)(InspectionBuffer *)
Definition: detect.h:1183

DetectEngineCtx_
main detection engine ctx
Definition: detect.h:761

UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103

SCEnter
#define SCEnter(...)
Definition: util-debug.h:337

suricata-common.h

detect-engine.h

util-print.h

SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:341

SigTableElmt_::desc
const char * desc
Definition: detect.h:1202

DetectTransformCompressWhitespaceRegister
void DetectTransformCompressWhitespaceRegister(void)
Definition: detect-transform-compress-whitespace.c:42

PrintRawDataFp
void PrintRawDataFp(FILE *fp, const uint8_t *buf, uint32_t buflen)
Definition: util-print.c:141

InspectionBufferCopy
void InspectionBufferCopy(InspectionBuffer *buffer, uint8_t *buf, uint32_t buf_len)
Definition: detect-engine.c:1128

detect-parse.h

InspectionBufferSetup
void InspectionBufferSetup(InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
Definition: detect-engine.c:1092

SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1369

SigTableElmt_::url
const char * url
Definition: detect.h:1203

InspectionBuffer::inspect_len
uint32_t inspect_len
Definition: detect.h:345

InspectionBuffer::inspect
const uint8_t * inspect
Definition: detect.h:343

DOC_URL
#define DOC_URL
Definition: suricata.h:86

InspectionBufferFree
void InspectionBufferFree(InspectionBuffer *buffer)
Definition: detect-engine.c:1099

DOC_VERSION
#define DOC_VERSION
Definition: suricata.h:91

SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1194

detect-transform-compress-whitespace.h

InspectionBuffer
Definition: detect.h:342

SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1192

detect.h