1/* Copyright (C) 2007-2019 Open Information Security Foundation
2 *
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
5 * Software Foundation.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15 * 02110-1301, USA.
16 */
17
18/**
19 * \file
20 *
21 * \author Victor Julien <victor@inliniac.net>
22 * \author Anoop Saldanha <anoopsaldanha@gmail.com>
23 *
24 * Implements the offset keyword.
25 */
26
27#include "suricata-common.h"
28
29#include "decode.h"
30
31#include "detect.h"
32#include "detect-parse.h"
33#include "detect-content.h"
34#include "detect-uricontent.h"
35#include "detect-byte.h"
36#include "detect-byte-extract.h"
37#include "detect-offset.h"
38
39#include "flow-var.h"
40
41#include "util-byte.h"
42#include "util-debug.h"
43
44static int DetectOffsetSetup(DetectEngineCtx *, Signature *, const char *);
45
{
    /* NOTE(review): the function signature (and, presumably, a `.name`
     * assignment preceding these lines) did not survive this rendering; the
     * prototype and the index at the bottom of the page give the function as
     * DetectOffsetRegister(void) -- confirm against the upstream file. */

    /* Publish the keyword's description, documentation anchor and the Setup
     * callback (DetectOffsetSetup) in the global keyword table so the rule
     * parser can find "offset". */
    sigmatch_table[DETECT_OFFSET].desc = "designate from which byte in the payload will be checked to find a match";
    sigmatch_table[DETECT_OFFSET].url = "/rules/payload-keywords.html#offset";
    sigmatch_table[DETECT_OFFSET].Setup = DetectOffsetSetup;
}
53
/**
 * \brief Setup handler for the "offset" keyword.
 *
 * Applies the offset given in the rule to the content match located by the
 * preceding lookup (`cd`), after rejecting option combinations that conflict
 * with an absolute offset. The argument is either a numeric byte offset or
 * the name of a variable established by an earlier byte_ keyword.
 *
 * \param de_ctx    detection engine context; not referenced here, it is part
 *                  of the common Setup callback signature
 * \param s         signature the keyword belongs to (used to resolve variable
 *                  names)
 * \param offsetstr keyword argument as written in the rule
 *
 * \retval  0 on success
 * \retval -1 on error: no preceding content, a conflicting content option,
 *            an unknown variable name, or an unparsable number; an error is
 *            logged before returning
 */
int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, const char *offsetstr)
{
    const char *str = offsetstr;

    /* retrieve the sm to apply the offset against */
    /* NOTE(review): the line assigning `pm` (presumably the
     * DetectGetLastSMFromLists() lookup of the latest content match) is not
     * visible in this rendering; only its NULL check survived. */
    if (pm == NULL) {
        SCLogError("offset needs preceding content option.");
        return -1;
    }

    /* verify other conditions */
    /* NOTE(review): the declaration of `cd` (presumably taken from pm->ctx)
     * is likewise not visible here -- confirm against the upstream file. */

    /* startswith already anchors the match at the start of the buffer, so an
     * explicit offset would contradict it */
    if (cd->flags & DETECT_CONTENT_STARTS_WITH) {
        SCLogError("can't use offset with startswith.");
        return -1;
    }
    /* the keyword may only be given once per content */
    if (cd->flags & DETECT_CONTENT_OFFSET) {
        SCLogError("can't use multiple offsets for the same content.");
        return -1;
    }
    /* NOTE(review): the condition of this `if` is not visible in this
     * rendering; judging by the message it presumably tests the
     * DETECT_CONTENT_DISTANCE / DETECT_CONTENT_WITHIN flags (relative
     * modifiers cannot be mixed with an absolute offset). */
        SCLogError("can't use a relative "
                   "keyword like within/distance with a absolute "
                   "relative keyword like depth/offset for the same "
                   "content.");
        return -1;
    }
    /* a negated content cannot also be the fast pattern once it is bounded */
    if (cd->flags & DETECT_CONTENT_NEGATED && cd->flags & DETECT_CONTENT_FAST_PATTERN) {
        SCLogError("can't have a relative "
                   "negated keyword set along with 'fast_pattern'.");
        return -1;
    }
    /* fast_pattern:only promises the content has no modifiers; offset is one */
    if (cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) {
        SCLogError("can't have a relative "
                   "keyword set along with 'fast_pattern:only;'.");
        return -1;
    }
    /* A leading letter selects the variable path; a leading '-' can never
     * name a variable, so it is handed to the numeric parser to reject. */
    if (str[0] != '-' && isalpha((unsigned char)str[0])) {
        /* NOTE(review): the declaration of `index` (DetectByteIndexType per
         * the page index) is not visible in this rendering. */
        /* look the name up among the byte_ variables this signature set
         * earlier; an unknown name is a rule error */
        if (!DetectByteRetrieveSMVar(str, s, -1, &index)) {
            SCLogError("unknown byte_ keyword var "
                       "seen in offset - %s.",
                       str);
            return -1;
        }
        /* store the variable's index in the offset field and flag it, so
         * readers of cd->offset know it holds a variable index rather than a
         * byte count. Note that no depth adjustment is done on this path. */
        cd->offset = index;
        cd->flags |= DETECT_CONTENT_OFFSET_VAR;
    } else {
        /* base 0 / len 0: presumably "auto-detect radix, parse the whole
         * string" -- see StringParseUint16() in util-byte.c */
        if (StringParseUint16(&cd->offset, 0, 0, str) < 0)
        {
            SCLogError("invalid value for offset: %s.", str);
            return -1;
        }
        /* A depth set earlier in the rule is measured from the offset, so
         * it has to be widened to at least the pattern length and then
         * shifted by the offset to become an absolute bound. */
        if (cd->depth != 0) {
            if (cd->depth < cd->content_len) {
                SCLogDebug("depth increased to %"PRIu32" to match pattern len",
                           cd->content_len);
                cd->depth = cd->content_len;
            }
            /* Updating the depth as is relative to the offset */
            /* NOTE(review): if depth and offset are narrow unsigned fields,
             * this sum can wrap for large rule values -- confirm the field
             * widths in DetectContentData and whether a range check is
             * wanted here. */
            cd->depth += cd->offset;
        }
    }
    cd->flags |= DETECT_CONTENT_OFFSET;
    return 0;
}
122
bool DetectByteRetrieveSMVar(const char *arg, const Signature *s, int sm_list, DetectByteIndexType *index)
Used to retrieve args from BM.
Definition detect-byte.c:41
uint8_t DetectByteIndexType
Definition detect-byte.h:28
#define DETECT_CONTENT_STARTS_WITH
#define DETECT_CONTENT_FAST_PATTERN_ONLY
#define DETECT_CONTENT_WITHIN
#define DETECT_CONTENT_FAST_PATTERN
#define DETECT_CONTENT_OFFSET_VAR
#define DETECT_CONTENT_DISTANCE
#define DETECT_CONTENT_OFFSET
#define DETECT_CONTENT_NEGATED
void DetectOffsetRegister(void)
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
SigTableElmt * sigmatch_table
DetectEngineCtx * de_ctx
main detection engine ctx
Definition detect.h:932
a single match condition for a signature
Definition detect.h:356
SigMatchCtx * ctx
Definition detect.h:359
const char * url
Definition detect.h:1462
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition detect.h:1441
const char * desc
Definition detect.h:1461
const char * name
Definition detect.h:1459
Signature container.
Definition detect.h:668
#define str(s)
int StringParseUint16(uint16_t *res, int base, size_t len, const char *str)
Definition util-byte.c:337
#define SCLogDebug(...)
Definition util-debug.h:275
#define SCLogError(...)
Macro used to log ERROR messages.
Definition util-debug.h:267