suricata
detect-transform-compress-whitespace.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2010 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Implements the nocase keyword
24  */
25 
26 #include "suricata-common.h"
27 
28 #include "detect.h"
29 #include "detect-engine.h"
31 #include "detect-parse.h"
33 
34 #include "util-unittest.h"
35 #include "util-print.h"
36 
37 static int DetectTransformCompressWhitespaceSetup (DetectEngineCtx *, Signature *, const char *);
38 static void DetectTransformCompressWhitespaceRegisterTests(void);
39 
40 static void TransformCompressWhitespace(InspectionBuffer *buffer);
41 
43 {
46  "modify buffer to strip whitespace before inspection";
48  DOC_URL DOC_VERSION "/rules/transforms.html#compress-whitespace";
50  TransformCompressWhitespace;
52  DetectTransformCompressWhitespaceSetup;
54  DetectTransformCompressWhitespaceRegisterTests;
55 
57 }
58 
59 /**
60  * \internal
61  * \brief Apply the nocase keyword to the last pattern match, either content or uricontent
62  * \param det_ctx detection engine ctx
63  * \param s signature
64  * \param nullstr should be null
65  * \retval 0 ok
66  * \retval -1 failure
67  */
68 static int DetectTransformCompressWhitespaceSetup (DetectEngineCtx *de_ctx, Signature *s, const char *nullstr)
69 {
70  SCEnter();
72  SCReturnInt(r);
73 }
74 
75 static void TransformCompressWhitespace(InspectionBuffer *buffer)
76 {
77  const uint8_t *input = buffer->inspect;
78  const uint32_t input_len = buffer->inspect_len;
79  uint8_t output[input_len]; // we can only shrink
80  uint8_t *oi = output, *os = output;
81 
82  //PrintRawDataFp(stdout, input, input_len);
83  for (uint32_t i = 0; i < input_len; ) {
84  if (!(isspace(*input))) {
85  *oi++ = *input++;
86  i++;
87  } else {
88  *oi++ = *input++;
89  i++;
90 
91  while (i < input_len && isspace(*input)) {
92  input++;
93  i++;
94  }
95  }
96  }
97  uint32_t output_size = oi - os;
98  //PrintRawDataFp(stdout, output, output_size);
99 
100  InspectionBufferCopy(buffer, os, output_size);
101 }
102 
103 #ifdef UNITTESTS
104 static int TransformDoubleWhitespace(InspectionBuffer *buffer)
105 {
106  const uint8_t *input = buffer->inspect;
107  const uint32_t input_len = buffer->inspect_len;
108  uint8_t output[input_len * 2]; // if all chars are whitespace this fits
109  uint8_t *oi = output, *os = output;
110 
111  PrintRawDataFp(stdout, input, input_len);
112  for (uint32_t i = 0; i < input_len; i++) {
113  if (isspace(*input)) {
114  *oi++ = *input;
115  }
116  *oi++ = *input;
117  input++;
118  }
119  uint32_t output_size = oi - os;
120  PrintRawDataFp(stdout, output, output_size);
121 
122  InspectionBufferCopy(buffer, os, output_size);
123  return 0;
124 }
125 
126 static int DetectTransformCompressWhitespaceTest01(void)
127 {
128  const uint8_t *input = (const uint8_t *)" A B C D ";
129  uint32_t input_len = strlen((char *)input);
130 
131  InspectionBuffer buffer;
132  InspectionBufferInit(&buffer, 8);
133  InspectionBufferSetup(&buffer, input, input_len);
134  PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
135  TransformCompressWhitespace(&buffer);
136  PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
137  InspectionBufferFree(&buffer);
138  PASS;
139 }
140 
141 static int DetectTransformCompressWhitespaceTest02(void)
142 {
143  const uint8_t *input = (const uint8_t *)" A B C D ";
144  uint32_t input_len = strlen((char *)input);
145 
146  InspectionBuffer buffer;
147  InspectionBufferInit(&buffer, 8);
148  InspectionBufferSetup(&buffer, input, input_len);
149  PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
150  TransformDoubleWhitespace(&buffer);
151  PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
152  TransformDoubleWhitespace(&buffer);
153  PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
154  TransformCompressWhitespace(&buffer);
155  PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
156  InspectionBufferFree(&buffer);
157  PASS;
158 }
159 
160 static int DetectTransformCompressWhitespaceTest03(void)
161 {
162  const char rule[] = "alert http any any -> any any (http_request_line; strip_whitespace; content:\"GET/HTTP\"; sid:1;)";
163  ThreadVars th_v;
164  DetectEngineThreadCtx *det_ctx = NULL;
165  memset(&th_v, 0, sizeof(th_v));
166 
168  FAIL_IF_NULL(de_ctx);
169  Signature *s = DetectEngineAppendSig(de_ctx, rule);
170  FAIL_IF_NULL(s);
171  SigGroupBuild(de_ctx);
172  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
173  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
174  DetectEngineCtxFree(de_ctx);
175  PASS;
176 }
177 
178 #endif
179 
180 static void DetectTransformCompressWhitespaceRegisterTests(void)
181 {
182 #ifdef UNITTESTS
183  UtRegisterTest("DetectTransformCompressWhitespaceTest01",
184  DetectTransformCompressWhitespaceTest01);
185  UtRegisterTest("DetectTransformCompressWhitespaceTest02",
186  DetectTransformCompressWhitespaceTest02);
187  UtRegisterTest("DetectTransformCompressWhitespaceTest03",
188  DetectTransformCompressWhitespaceTest03);
189 #endif
190 }
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1406
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1149
#define PASS
Pass the test.
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
const char * name
Definition: detect.h:1163
Signature container.
Definition: detect.h:495
int DetectSignatureAddTransform(Signature *s, int transform)
void InspectionBufferInit(InspectionBuffer *buffer, uint32_t initial_size)
void(* Transform)(InspectionBuffer *)
Definition: detect.h:1146
main detection engine ctx
Definition: detect.h:723
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
#define SCEnter(...)
Definition: util-debug.h:337
#define SCReturnInt(x)
Definition: util-debug.h:341
const char * desc
Definition: detect.h:1165
void DetectTransformCompressWhitespaceRegister(void)
void PrintRawDataFp(FILE *fp, const uint8_t *buf, uint32_t buflen)
Definition: util-print.c:141
void InspectionBufferCopy(InspectionBuffer *buffer, uint8_t *buf, uint32_t buf_len)
void InspectionBufferSetup(InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len)
setup the buffer with our initial data
#define SIGMATCH_NOOPT
Definition: detect.h:1331
const char * url
Definition: detect.h:1166
uint32_t inspect_len
Definition: detect.h:348
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
const uint8_t * inspect
Definition: detect.h:347
#define DOC_URL
Definition: suricata.h:86
Per thread variable structure.
Definition: threadvars.h:57
void InspectionBufferFree(InspectionBuffer *buffer)
#define DOC_VERSION
Definition: suricata.h:91
uint16_t flags
Definition: detect.h:1157
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
void(* RegisterTests)(void)
Definition: detect.h:1155
DetectEngineCtx * DetectEngineCtxInit(void)