1/* Copyright (C) 2023 Open Information Security Foundation
2 *
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
5 * Software Foundation.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15 * 02110-1301, USA.
16 */
17
18/**
19 * \file
20 *
21 * \author Philippe Antoine <p.antoine@catenacyber.fr>
22 *
23 */
24
25#include "suricata-common.h"
26#include "detect-engine.h"
28#include "detect-engine-mpm.h"
30#include "detect-parse.h"
32#include "rust.h"
33
34int SCDetectHelperBufferRegister(const char *name, AppProto alproto, uint8_t direction)
35{
36 if (direction & STREAM_TOSERVER) {
39 }
40 if (direction & STREAM_TOCLIENT) {
43 }
45}
46
47int SCDetectHelperBufferMpmRegister(const char *name, const char *desc, AppProto alproto,
48 uint8_t direction, InspectionSingleBufferGetDataPtr GetData)
49{
50 if (direction & STREAM_TOSERVER) {
54 name, SIG_FLAG_TOSERVER, 2, PrefilterSingleMpmRegister, GetData, alproto, 0);
55 }
56 if (direction & STREAM_TOCLIENT) {
60 name, SIG_FLAG_TOCLIENT, 2, PrefilterSingleMpmRegister, GetData, alproto, 0);
61 }
64}
65
66int SCDetectHelperMultiBufferProgressMpmRegister(const char *name, const char *desc,
67 AppProto alproto, uint8_t direction, InspectionMultiBufferGetDataPtr GetData, int progress)
68{
69 if (direction & STREAM_TOSERVER) {
70 DetectAppLayerMultiRegister(name, alproto, SIG_FLAG_TOSERVER, progress, GetData, 2);
71 }
72 if (direction & STREAM_TOCLIENT) {
73 DetectAppLayerMultiRegister(name, alproto, SIG_FLAG_TOCLIENT, progress, GetData, 2);
74 }
78}
79
/**
 * \brief Register a multi-instance buffer with MPM support and no transaction
 *        progress requirement.
 *
 * Thin convenience wrapper: every argument is forwarded unchanged to
 * SCDetectHelperMultiBufferProgressMpmRegister(), with the progress value
 * fixed to 0.
 *
 * \param name      buffer name
 * \param desc      description string, forwarded unchanged
 * \param alproto   app-layer protocol the buffer belongs to
 * \param direction bitmask of STREAM_TOSERVER / STREAM_TOCLIENT
 * \param GetData   callback that yields the buffer data
 * \return the value returned by SCDetectHelperMultiBufferProgressMpmRegister()
 */
int SCDetectHelperMultiBufferMpmRegister(const char *name, const char *desc, AppProto alproto,
        uint8_t direction, InspectionMultiBufferGetDataPtr GetData)
{
    const int no_progress_requirement = 0;
    int rc = SCDetectHelperMultiBufferProgressMpmRegister(
            name, desc, alproto, direction, GetData, no_progress_requirement);
    return rc;
}
85
87{
89 void *tmp = SCRealloc(
91 if (unlikely(tmp == NULL)) {
92 return -1;
93 }
94 sigmatch_table = tmp;
97 }
98
100 return DETECT_TBLSIZE_IDX - 1;
101}
102
{
    // Claim the next free slot in sigmatch_table (the helper grows the table
    // when needed); a negative id means the table could not be extended.
    int keyword_id = SCDetectHelperNewKeywordId();
    if (keyword_id < 0) {
        // NOTE(review): this function returns uint16_t, so -1 reaches the
        // caller as 65535 rather than as a negative value; a caller that only
        // tests for "< 0" will take the failure for a valid id.
        return -1;
    }

    // Fill the full SigTableElmt from the app-layer "lite" element. The
    // string pointers are stored as-is (no copy is made), so they must stay
    // valid for the lifetime of the table.
    sigmatch_table[keyword_id].name = kw->name;
    sigmatch_table[keyword_id].desc = kw->desc;
    sigmatch_table[keyword_id].url = kw->url;
    sigmatch_table[keyword_id].flags = kw->flags;
    // The callbacks are re-typed explicitly and stored unchanged; no NULL
    // check is made here, a missing callback is stored as NULL.
    sigmatch_table[keyword_id].AppLayerTxMatch =
            (int (*)(DetectEngineThreadCtx * det_ctx, Flow * f, uint8_t flags, void *alstate,
                    void *txv, const Signature *s, const SigMatchCtx *ctx)) kw->AppLayerTxMatch;
    sigmatch_table[keyword_id].Setup =
            (int (*)(DetectEngineCtx * de, Signature * s, const char *raw)) kw->Setup;
    sigmatch_table[keyword_id].Free = (void (*)(DetectEngineCtx * de, void *ptr)) kw->Free;

    // Narrowing int -> uint16_t: an id of 65536 or more would wrap silently.
    // NOTE(review): there is no upper-bound check before the cast.
    return (uint16_t)keyword_id;
}
123
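/**
 * \brief Attach an alternative rule-keyword name to an already registered keyword.
 *
 * \param kwid  index into sigmatch_table, as handed out by
 *              SCDetectHelperNewKeywordId() (directly or through
 *              SCDetectHelperKeywordRegister())
 * \param alias alias name; only the pointer is stored, no copy is made, so the
 *              string must outlive the table
 *
 * SCDetectHelperNewKeywordId() returns DETECT_TBLSIZE_IDX - 1, so every id it
 * has handed out is below DETECT_TBLSIZE_IDX. An id at or above that value
 * does not name a registered keyword and would write outside the entries in
 * use; such ids are rejected instead of dereferenced. As the function is void
 * the caller sees no error in that case, the alias is simply not registered.
 */
void SCDetectHelperKeywordAliasRegister(uint16_t kwid, const char *alias)
{
    if (kwid >= DETECT_TBLSIZE_IDX) {
        // Out-of-range id: refuse rather than write outside the table.
        return;
    }
    sigmatch_table[kwid].alias = alias;
}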
128
{
    // Transforms share the keyword table: claim the next free slot in
    // sigmatch_table; a negative id means the table could not be extended.
    int transform_id = SCDetectHelperNewKeywordId();
    if (transform_id < 0) {
        // Returned as a plain int, so the negative value reaches the caller.
        return -1;
    }

    // Fill the SigTableElmt from the transform table element. The string
    // pointers are stored as-is (no copy is made), so they must stay valid
    // for the lifetime of the table.
    sigmatch_table[transform_id].name = kw->name;
    sigmatch_table[transform_id].desc = kw->desc;
    sigmatch_table[transform_id].url = kw->url;
    sigmatch_table[transform_id].flags = kw->flags;
    // The callbacks are re-typed explicitly and stored unchanged; no NULL
    // check is made here, a missing callback is stored as NULL.
    sigmatch_table[transform_id].Transform =
            (void (*)(DetectEngineThreadCtx * det_ctx, InspectionBuffer * buffer, void *options))
                    kw->Transform;
    sigmatch_table[transform_id].TransformValidate = (bool (*)(
            const uint8_t *content, uint16_t content_len, void *context))kw->TransformValidate;
    sigmatch_table[transform_id].Setup =
            (int (*)(DetectEngineCtx * de, Signature * s, const char *raw)) kw->Setup;
    sigmatch_table[transform_id].Free = (void (*)(DetectEngineCtx * de, void *ptr)) kw->Free;
    sigmatch_table[transform_id].TransformId =
            (void (*)(const uint8_t **id_data, uint32_t *length, void *context))kw->TransformId;

    // The slot index doubles as the transform id.
    return transform_id;
}