1/* Copyright (C) 2007-2016 Open Information Security Foundation
2 *
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
5 * Software Foundation.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15 * 02110-1301, USA.
16 */
17
18/**
19 * \file
20 *
21 * \author Victor Julien <victor@inliniac.net>
22 *
23 * Implements the prefilter keyword
24 */
25
26#include "suricata-common.h"
27#include "decode.h"
28
29#include "detect.h"
30#include "detect-parse.h"
31#include "detect-content.h"
32#include "detect-engine-mpm.h"
33#include "detect-prefilter.h"
34#include "util-debug.h"
35
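static int DetectPrefilterSetup (DetectEngineCtx *, Signature *, const char *);

/**
 * \brief Register the "prefilter" keyword in sigmatch_table.
 *
 * The keyword takes no option (SIGMATCH_NOOPT); all validation of how it is
 * used in a rule happens in DetectPrefilterSetup.
 */
void DetectPrefilterRegister(void)
{
    sigmatch_table[DETECT_PREFILTER].name = "prefilter";
    sigmatch_table[DETECT_PREFILTER].desc = "force a condition to be used as prefilter";
    sigmatch_table[DETECT_PREFILTER].url = "/rules/prefilter-keywords.html#prefilter";
    sigmatch_table[DETECT_PREFILTER].Setup = DetectPrefilterSetup;
    sigmatch_table[DETECT_PREFILTER].flags |= SIGMATCH_NOOPT;
}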
46
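/**
 * \internal
 * \brief Apply the prefilter keyword to the last match
 *
 * Marks the most recently added SigMatch of \a s as the signature's
 * prefilter condition (s->init_data->prefilter_sm). For a content match
 * this behaves like 'fast_pattern' without options: the content gets
 * DETECT_CONTENT_FAST_PATTERN. For any other keyword the keyword must
 * provide a SupportsPrefilter callback, and its type is recorded in
 * de_ctx->sm_types_prefilter so the per-type prefilter setup runs later.
 *
 * \param de_ctx detection engine ctx
 * \param s signature
 * \param nullstr should be null (the keyword takes no option)
 * \retval 0 ok
 * \retval -1 failure: an option was given, prefilter was already set on the
 *         signature, there is no preceding match, a negated content carries a
 *         distance/within/offset/depth modifier, the keyword does not support
 *         prefiltering, or a transactional both-direction rule tries to
 *         prefilter on a to_client buffer while streaming to_server
 */
static int DetectPrefilterSetup (DetectEngineCtx *de_ctx, Signature *s, const char *nullstr)
{
    SCEnter();

    /* registered with SIGMATCH_NOOPT, so any option text is a rule error */
    if (nullstr != NULL) {
        SCLogError("prefilter has value");
        SCReturnInt(-1);
    }

    if (s->flags & SIG_FLAG_PREFILTER) {
        SCLogError("prefilter already set");
        SCReturnInt(-1);
    }

    /* the keyword applies to whatever match was added last */
    SigMatch *sm = DetectGetLastSM(s);
    if (sm == NULL) {
        SCLogError("prefilter needs preceding match");
        SCReturnInt(-1);
    }

    /* if the sig match is content, prefilter should act like
     * 'fast_pattern' w/o options. */
    if (sm->type == DETECT_CONTENT) {
        if (s->flags & SIG_FLAG_TXBOTHDIR && s->init_data->curbuf != NULL) {
            /* a both-direction transactional rule may only fast-path on a
             * to_client buffer when it is not streaming to_server */
            if (DetectBufferToClient(de_ctx, s->init_data->curbuf->id, s->alproto)) {
                if (s->init_data->init_flags & SIG_FLAG_INIT_TXDIR_STREAMING_TOSERVER) {
                    SCLogError("prefilter cannot be used on to_client keyword for "
                               "transactional rule %u",
                            s->id);
                    SCReturnInt(-1);
                } else {
                    s->init_data->init_flags |= SIG_FLAG_INIT_TXDIR_FAST_TOCLIENT;
                }
            }
        }

        DetectContentData *cd = (DetectContentData *)sm->ctx;
        /* a negated content combined with a relative/positional modifier is
         * refused as a prefilter pattern */
        if ((cd->flags & DETECT_CONTENT_NEGATED) &&
            ((cd->flags & DETECT_CONTENT_DISTANCE) ||
             (cd->flags & DETECT_CONTENT_WITHIN) ||
             (cd->flags & DETECT_CONTENT_OFFSET) ||
             (cd->flags & DETECT_CONTENT_DEPTH)))
        {
            SCLogError("prefilter; cannot be "
                       "used with negated content, along with relative modifiers");
            SCReturnInt(-1);
        }
        cd->flags |= DETECT_CONTENT_FAST_PATTERN;
    } else {
        /* non-content keywords must opt in to prefiltering */
        if (sigmatch_table[sm->type].SupportsPrefilter == NULL) {
            SCLogError("prefilter is not supported for %s", sigmatch_table[sm->type].name);
            SCReturnInt(-1);
        }

        /* make sure setup function runs for this type. */
        de_ctx->sm_types_prefilter[sm->type] = true;
    }

    s->init_data->prefilter_sm = sm;
    SCLogDebug(
            "sid %u: prefilter is on \"%s\" (%u)", s->id, sigmatch_table[sm->type].name, sm->type);

    SCReturnInt(0);
}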