suricata
Macros | Functions
detect-bytejump.c File Reference
#include "suricata-common.h"
#include "decode.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-buffer.h"
#include "app-layer.h"
#include "detect-byte.h"
#include "detect-byte-extract.h"
#include "detect-bytejump.h"
#include "detect-content.h"
#include "detect-uricontent.h"
#include "util-byte.h"
#include "util-unittest.h"
#include "util-debug.h"
#include "util-validate.h"
#include "detect-pcre.h"
#include "detect-engine-build.h"
#include "util-unittest-helper.h"
Include dependency graph for detect-bytejump.c:

Go to the source code of this file.

Macros

#define PARSE_REGEX
 Regex for parsing our options.
 

Functions

void DetectBytejumpRegister (void)
 
bool DetectBytejumpDoMatch (DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchCtx *ctx, const uint8_t *payload, uint32_t payload_len, uint16_t flags, int32_t nbytes, int32_t offset)
 Byte jump match function.
 

Detailed Description

Author
Brian Rectanus brect.nosp@m.anu@.nosp@m.gmail.nosp@m..com

Implements byte_jump keyword.

Definition in file detect-bytejump.c.

Macro Definition Documentation

◆ PARSE_REGEX

#define PARSE_REGEX
Value:
"^\\s*" \
"([^\\s,]+\\s*,\\s*[^\\s,]+)" \
"(?:\\s*,\\s*((?:multiplier|post_offset)\\s+[^\\s,]+|[^\\s,]+))?" \
"(?:\\s*,\\s*((?:multiplier|post_offset)\\s+[^\\s,]+|[^\\s,]+))?" \
"(?:\\s*,\\s*((?:multiplier|post_offset)\\s+[^\\s,]+|[^\\s,]+))?" \
"(?:\\s*,\\s*((?:multiplier|post_offset)\\s+[^\\s,]+|[^\\s,]+))?" \
"(?:\\s*,\\s*((?:multiplier|post_offset)\\s+[^\\s,]+|[^\\s,]+))?" \
"(?:\\s*,\\s*((?:multiplier|post_offset)\\s+[^\\s,]+|[^\\s,]+))?" \
"(?:\\s*,\\s*((?:multiplier|post_offset)\\s+[^\\s,]+|[^\\s,]+))?" \
"(?:\\s*,\\s*((?:multiplier|post_offset)\\s+[^\\s,]+|[^\\s,]+))?" \
"(?:\\s*,\\s*((?:multiplier|post_offset)\\s+[^\\s,]+|[^\\s,]+))?" \
"\\s*$"

Regex for parsing our options.

Definition at line 50 of file detect-bytejump.c.

Function Documentation

◆ DetectBytejumpDoMatch()

bool DetectBytejumpDoMatch ( DetectEngineThreadCtx det_ctx,
const Signature s,
const SigMatchCtx ctx,
const uint8_t *  payload,
uint32_t  payload_len,
uint16_t  flags,
int32_t  nbytes,
int32_t  offset 
)

Byte jump match function.

Parameters
det_ctxthread detect engine ctx
ssignature
mbyte jump sigmatch
payloadptr to the payload
payload_lenlength of the payload
Return values
truematch
falseno match

Definition at line 137 of file detect-bytejump.c.

References DetectBytejumpData_::base, DetectEngineThreadCtx_::buffer_offset, BYTE_BIG_ENDIAN, BYTE_LITTLE_ENDIAN, ByteExtractStringUint64(), ByteExtractUint64(), ctx, DEBUG_VALIDATE_BUG_ON, DETECT_BYTEJUMP_ALIGN, DETECT_BYTEJUMP_BEGIN, DETECT_BYTEJUMP_END, DETECT_BYTEJUMP_LITTLE, DETECT_BYTEJUMP_NBYTES_VAR, DETECT_BYTEJUMP_RELATIVE, DETECT_BYTEJUMP_STRING, flags, DetectBytejumpData_::flags, len, DetectBytejumpData_::multiplier, offset, payload_len, DetectBytejumpData_::post_offset, SCEnter, SCLogDebug, SCLogDebugEnabled(), and SCReturnBool.

Here is the call graph for this function:

◆ DetectBytejumpRegister()

void DetectBytejumpRegister ( void  )

Registration function for byte_jump.

Todo:
add support for no_stream and stream_only

Definition at line 73 of file detect-bytejump.c.

References SigTableElmt_::desc, DETECT_BYTEJUMP, DetectSetupParseRegexes(), SigTableElmt_::Free, SigTableElmt_::Match, SigTableElmt_::name, PARSE_REGEX, SigTableElmt_::RegisterTests, SigTableElmt_::Setup, sigmatch_table, and SigTableElmt_::url.

Referenced by SigTableSetup().

Here is the call graph for this function:
Here is the caller graph for this function: