suricata
util-spm.h
Go to the documentation of this file.
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Pablo Rincon Crespo <pablo.rincon.crespo@gmail.com>
22  */
23 
24 #ifndef __UTIL_SPM_H__
25 #define __UTIL_SPM_H__
26 
27 #include "util-spm-bs.h"
28 
29 enum {
30  SPM_BM, /* Boyer-Moore */
31  SPM_HS, /* Hyperscan */
32  /* Other SPM matchers will go here. */
33  SPM_TABLE_SIZE
34 };
35 
36 uint16_t SinglePatternMatchDefaultMatcher(void);
37 
38 /** Structure holding an immutable "built" SPM matcher (such as the Boyer-Moore
39  * tables, Hyperscan database etc) that is passed to the Scan call. */
40 typedef struct SpmCtx_ {
41  uint16_t matcher;
42  void *ctx;
43 } SpmCtx;
44 
45 /** Structure holding a global prototype for per-thread scratch space, passed
46  * to each InitCtx call. */
47 typedef struct SpmGlobalThreadCtx_ {
48  uint16_t matcher;
49  void *ctx;
50 } SpmGlobalThreadCtx;
51 
52 /** Structure holding some mutable per-thread space for use by a matcher at
53  * scan time. Constructed from SpmGlobalThreadCtx by the MakeThreadCtx call. */
54 typedef struct SpmThreadCtx_ {
55  uint16_t matcher;
56  void *ctx;
57 } SpmThreadCtx;
58 
59 typedef struct SpmTableElmt_ {
60  const char *name;
61  SpmGlobalThreadCtx *(*InitGlobalThreadCtx)(void);
62  void (*DestroyGlobalThreadCtx)(SpmGlobalThreadCtx *g_thread_ctx);
63  SpmThreadCtx *(*MakeThreadCtx)(const SpmGlobalThreadCtx *g_thread_ctx);
64  void (*DestroyThreadCtx)(SpmThreadCtx *thread_ctx);
65  SpmCtx *(*InitCtx)(const uint8_t *needle, uint16_t needle_len, int nocase,
66  SpmGlobalThreadCtx *g_thread_ctx);
67  void (*DestroyCtx)(SpmCtx *);
68  uint8_t *(*Scan)(const SpmCtx *ctx, SpmThreadCtx *thread_ctx,
69  const uint8_t *haystack, uint32_t haystack_len);
70 } SpmTableElmt;
71 
72 extern SpmTableElmt spm_table[SPM_TABLE_SIZE];
73 
74 void SpmTableSetup(void);
75 
76 SpmGlobalThreadCtx *SpmInitGlobalThreadCtx(uint16_t matcher);
77 
78 void SpmDestroyGlobalThreadCtx(SpmGlobalThreadCtx *g_thread_ctx);
79 
80 SpmThreadCtx *SpmMakeThreadCtx(const SpmGlobalThreadCtx *g_thread_ctx);
81 
82 void SpmDestroyThreadCtx(SpmThreadCtx *thread_ctx);
83 
84 SpmCtx *SpmInitCtx(const uint8_t *needle, uint16_t needle_len, int nocase,
85  SpmGlobalThreadCtx *g_thread_ctx);
86 
87 void SpmDestroyCtx(SpmCtx *ctx);
88 
89 uint8_t *SpmScan(const SpmCtx *ctx, SpmThreadCtx *thread_ctx,
90  const uint8_t *haystack, uint32_t haystack_len);
91 
92 /** Default algorithm to use: Boyer Moore */
93 uint8_t *Bs2bmSearch(const uint8_t *text, uint32_t textlen, const uint8_t *needle, uint16_t needlelen);
94 uint8_t *Bs2bmNocaseSearch(const uint8_t *text, uint32_t textlen, const uint8_t *needle, uint16_t needlelen);
95 uint8_t *BoyerMooreSearch(const uint8_t *text, uint32_t textlen, const uint8_t *needle, uint16_t needlelen);
96 uint8_t *BoyerMooreNocaseSearch(const uint8_t *text, uint32_t textlen, uint8_t *needle, uint16_t needlelen);
97 
98 /* Macros for automatic algorithm selection (use them only when you can't store the context) */
99 #define SpmSearch(text, textlen, needle, needlelen) ({\
100  uint8_t *mfound; \
101  if (needlelen < 4 && textlen < 512) \
102  mfound = BasicSearch(text, textlen, needle, needlelen); \
103  else if (needlelen < 4) \
104  mfound = BasicSearch(text, textlen, needle, needlelen); \
105  else \
106  mfound = BoyerMooreSearch(text, textlen, needle, needlelen); \
107  mfound; \
108  })
109 
110 #define SpmNocaseSearch(text, textlen, needle, needlelen) ({\
111  uint8_t *mfound; \
112  if (needlelen < 4 && textlen < 512) \
113  mfound = BasicSearchNocase(text, textlen, needle, needlelen); \
114  else if (needlelen < 4) \
115  mfound = BasicSearchNocase(text, textlen, needle, needlelen); \
116  else \
117  mfound = BoyerMooreNocaseSearch(text, textlen, needle, needlelen); \
118  mfound; \
119  })
120 
121 #ifdef UNITTESTS
122 void UtilSpmSearchRegistertests(void);
123 #endif
124 #endif /* __UTIL_SPM_H__ */
SpmThreadCtx_::ctx
void * ctx
Definition: util-spm.h:56
SPM_BM
@ SPM_BM
Definition: util-spm.h:30
SpmGlobalThreadCtx
struct SpmGlobalThreadCtx_ SpmGlobalThreadCtx
SpmGlobalThreadCtx_::matcher
uint16_t matcher
Definition: util-spm.h:48
SpmInitCtx
SpmCtx * SpmInitCtx(const uint8_t *needle, uint16_t needle_len, int nocase, SpmGlobalThreadCtx *g_thread_ctx)
Definition: util-spm.c:173
SpmTableElmt_::name
const char * name
Definition: util-spm.h:60
SpmCtx
struct SpmCtx_ SpmCtx
SpmScan
uint8_t * SpmScan(const SpmCtx *ctx, SpmThreadCtx *thread_ctx, const uint8_t *haystack, uint32_t haystack_len)
Definition: util-spm.c:193
util-spm-bs.h
SPM_HS
@ SPM_HS
Definition: util-spm.h:31
BoyerMooreNocaseSearch
uint8_t * BoyerMooreNocaseSearch(const uint8_t *text, uint32_t textlen, uint8_t *needle, uint16_t needlelen)
Search a pattern in the text using Boyer Moore nocase algorithm (build a bad character shifts array a...
Definition: util-spm.c:269
BoyerMooreSearch
uint8_t * BoyerMooreSearch(const uint8_t *text, uint32_t textlen, const uint8_t *needle, uint16_t needlelen)
Search a pattern in the text using Boyer Moore algorithm (build a bad character shifts array and good...
Definition: util-spm.c:249
Bs2bmSearch
uint8_t * Bs2bmSearch(const uint8_t *text, uint32_t textlen, const uint8_t *needle, uint16_t needlelen)
Search a pattern in the text using the Bs2Bm algorithm (build a bad characters array)
Definition: util-spm.c:214
SpmDestroyGlobalThreadCtx
void SpmDestroyGlobalThreadCtx(SpmGlobalThreadCtx *g_thread_ctx)
Definition: util-spm.c:144
SPM_TABLE_SIZE
@ SPM_TABLE_SIZE
Definition: util-spm.h:33
SpmTableSetup
void SpmTableSetup(void)
Definition: util-spm.c:122
SpmCtx_::matcher
uint16_t matcher
Definition: util-spm.h:41
SpmMakeThreadCtx
SpmThreadCtx * SpmMakeThreadCtx(const SpmGlobalThreadCtx *g_thread_ctx)
Definition: util-spm.c:153
SpmThreadCtx_::matcher
uint16_t matcher
Definition: util-spm.h:55
SpmDestroyCtx
void SpmDestroyCtx(SpmCtx *ctx)
Definition: util-spm.c:183
SpmCtx_
Definition: util-spm.h:40
spm_table
SpmTableElmt spm_table[SPM_TABLE_SIZE]
Definition: util-spm.c:62
SpmInitGlobalThreadCtx
SpmGlobalThreadCtx * SpmInitGlobalThreadCtx(uint16_t matcher)
Definition: util-spm.c:138
SpmTableElmt_::DestroyCtx
void(* DestroyCtx)(SpmCtx *)
Definition: util-spm.h:67
SpmCtx_::ctx
void * ctx
Definition: util-spm.h:42
SpmGlobalThreadCtx_::ctx
void * ctx
Definition: util-spm.h:49
SpmGlobalThreadCtx_
Definition: util-spm.h:47
SpmTableElmt
struct SpmTableElmt_ SpmTableElmt
SpmDestroyThreadCtx
void SpmDestroyThreadCtx(SpmThreadCtx *thread_ctx)
Definition: util-spm.c:163
SpmTableElmt_
Definition: util-spm.h:59
SinglePatternMatchDefaultMatcher
uint16_t SinglePatternMatchDefaultMatcher(void)
Returns the single pattern matcher algorithm to be used, based on the spm-algo setting in yaml.
Definition: util-spm.c:68
Bs2bmNocaseSearch
uint8_t * Bs2bmNocaseSearch(const uint8_t *text, uint32_t textlen, const uint8_t *needle, uint16_t needlelen)
Search a pattern in the text using the Bs2Bm nocase algorithm (build a bad characters array)
Definition: util-spm.c:231
UtilSpmSearchRegistertests
void UtilSpmSearchRegistertests(void)
Definition: util-spm.c:2674
SpmThreadCtx
struct SpmThreadCtx_ SpmThreadCtx
SpmTableElmt_::DestroyThreadCtx
void(* DestroyThreadCtx)(SpmThreadCtx *thread_ctx)
Definition: util-spm.h:64
SpmTableElmt_::DestroyGlobalThreadCtx
void(* DestroyGlobalThreadCtx)(SpmGlobalThreadCtx *g_thread_ctx)
Definition: util-spm.h:62
SpmThreadCtx_
Definition: util-spm.h:54