suricata/src/detect-content.h

/* Copyright (C) 2007-2010 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */

/**
 * \file
 *
 * \author Victor Julien <victor@inliniac.net>
 */

#ifndef __DETECT_CONTENT_H__
#define __DETECT_CONTENT_H__

/* Flags affecting this content */

#define DETECT_CONTENT_NOCASE            0x00000001
#define DETECT_CONTENT_DISTANCE          0x00000002
#define DETECT_CONTENT_WITHIN            0x00000004
#define DETECT_CONTENT_OFFSET            0x00000008
#define DETECT_CONTENT_DEPTH             0x00000010
#define DETECT_CONTENT_FAST_PATTERN      0x00000020
#define DETECT_CONTENT_FAST_PATTERN_ONLY 0x00000040
#define DETECT_CONTENT_FAST_PATTERN_CHOP 0x00000080
/** content applies to a "raw"/undecoded field if applicable */
#define DETECT_CONTENT_RAWBYTES          0x00000100
/** content is negated */
#define DETECT_CONTENT_NEGATED           0x00000200

/** a relative match to this content is next, used in matching phase */
#define DETECT_CONTENT_RELATIVE_NEXT     0x00000400

#define DETECT_CONTENT_PACKET_MPM        0x00000800
#define DETECT_CONTENT_STREAM_MPM        0x00001000
#define DETECT_CONTENT_URI_MPM           0x00002000
#define DETECT_CONTENT_HCBD_MPM          0x00004000
#define DETECT_CONTENT_HSBD_MPM          0x00008000
#define DETECT_CONTENT_HHD_MPM           0x00010000
#define DETECT_CONTENT_HRHD_MPM          0x00020000
#define DETECT_CONTENT_HMD_MPM           0x00040000
#define DETECT_CONTENT_HCD_MPM           0x00080000
#define DETECT_CONTENT_HRUD_MPM          0x00100000
#define DETECT_CONTENT_HSMD_MPM          0x00200000
#define DETECT_CONTENT_HSCD_MPM          0x00400000
#define DETECT_CONTENT_HUAD_MPM          0x00800000

/* BE - byte extract */
#define DETECT_CONTENT_OFFSET_BE         0x01000000
#define DETECT_CONTENT_DEPTH_BE          0x02000000
#define DETECT_CONTENT_DISTANCE_BE       0x04000000
#define DETECT_CONTENT_WITHIN_BE         0x08000000

/* replace data */
#define DETECT_CONTENT_REPLACE           0x10000000

#define DETECT_CONTENT_IS_SINGLE(c) (!((c)->flags & DETECT_CONTENT_DISTANCE || \
                                       (c)->flags & DETECT_CONTENT_WITHIN || \
                                       (c)->flags & DETECT_CONTENT_RELATIVE_NEXT || \
                                       (c)->flags & DETECT_CONTENT_DEPTH || \
                                       (c)->flags & DETECT_CONTENT_OFFSET))

#include "util-spm-bm.h"

typedef struct DetectContentData_ {
    uint8_t *content;
    uint8_t content_len;
    /* would want to move PatIntId here and flags down to remove the padding
     * gap, but I think the first four members was used as a template for
     * casting.  \todo check this and fix it if posssible */
    uint32_t flags;
    PatIntId id;
    uint16_t depth;
    uint16_t offset;
    int32_t distance;
    int32_t within;
    /* Boyer Moore context (for spm search) */
    BmCtx *bm_ctx;
    /* for chopped fast pattern, the offset */
    uint16_t fp_chop_offset;
    /* for chopped fast pattern, the length */
    uint16_t fp_chop_len;
    /* pointer to replacement data */
    uint8_t *replace;
    uint8_t replace_len;
} DetectContentData;

/* prototypes */
void DetectContentRegister (void);
uint32_t DetectContentMaxId(DetectEngineCtx *);
DetectContentData *DetectContentParse (char *contentstr);
int DetectContentDataParse(char *keyword, char *contentstr, char** pstr, uint16_t *plen, int *flags);
DetectContentData *DetectContentParseEncloseQuotes(char *);

void DetectContentPrint(DetectContentData *);

void DetectContentFree(void *);

#endif /* __DETECT_CONTENT_H__ */
Import of GPLv2 Header 050410 15 years ago			`/* Copyright (C) 2007-2010 Open Information Security Foundation`
			`*`
			`* You can copy, redistribute or modify this Program under the terms of`
			`* the GNU General Public License version 2 as published by the Free`
			`* Software Foundation.`
			`*`
			`* This program is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`* GNU General Public License for more details.`
			`*`
			`* You should have received a copy of the GNU General Public License`
			`* version 2 along with this program; if not, write to the Free Software`
			`* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA`
			`* 02110-1301, USA.`
			`*/`

			`/**`
			`* \file`
			`*`
			`* \author Victor Julien <victor@inliniac.net>`
			`*/`

Initial add of the files. 17 years ago			`#ifndef __DETECT_CONTENT_H__`
			`#define __DETECT_CONTENT_H__`

Further simplify content api: merge flags that indicate a next relative match, remove chunks as they are unnecessary now, make negated a bitflag. 16 years ago			`/* Flags affecting this content */`
Initial add of the files. 17 years ago
support fast pattern for http raw header. Also support relative modifiers for http raw header 15 years ago			`#define DETECT_CONTENT_NOCASE 0x00000001`
			`#define DETECT_CONTENT_DISTANCE 0x00000002`
			`#define DETECT_CONTENT_WITHIN 0x00000004`
			`#define DETECT_CONTENT_OFFSET 0x00000008`
			`#define DETECT_CONTENT_DEPTH 0x00000010`
			`#define DETECT_CONTENT_FAST_PATTERN 0x00000020`
			`#define DETECT_CONTENT_FAST_PATTERN_ONLY 0x00000040`
			`#define DETECT_CONTENT_FAST_PATTERN_CHOP 0x00000080`
Further simplify content api: merge flags that indicate a next relative match, remove chunks as they are unnecessary now, make negated a bitflag. 16 years ago			`/** content applies to a "raw"/undecoded field if applicable */`
support fast pattern for http raw header. Also support relative modifiers for http raw header 15 years ago			`#define DETECT_CONTENT_RAWBYTES 0x00000100`
Further simplify content api: merge flags that indicate a next relative match, remove chunks as they are unnecessary now, make negated a bitflag. 16 years ago			`/** content is negated */`
support fast pattern for http raw header. Also support relative modifiers for http raw header 15 years ago			`#define DETECT_CONTENT_NEGATED 0x00000200`
Initial add of the files. 17 years ago
Further simplify content api: merge flags that indicate a next relative match, remove chunks as they are unnecessary now, make negated a bitflag. 16 years ago			`/** a relative match to this content is next, used in matching phase */`
support fast pattern for http raw header. Also support relative modifiers for http raw header 15 years ago			`#define DETECT_CONTENT_RELATIVE_NEXT 0x00000400`
Adding detect_content chunks handling for max_pattern_length and unittests. Updating modifiers to use it. 16 years ago
support fast pattern for http raw header. Also support relative modifiers for http raw header 15 years ago			`#define DETECT_CONTENT_PACKET_MPM 0x00000800`
			`#define DETECT_CONTENT_STREAM_MPM 0x00001000`
			`#define DETECT_CONTENT_URI_MPM 0x00002000`
			`#define DETECT_CONTENT_HCBD_MPM 0x00004000`
Introduce http_server_body keyword. The http_server_body content modifier modifies the previous content to inspect the normalized (dechunked, unzipped) http_server_body. The workings are similar to http_client_body. Additionally, a new pcre flag was introduced "/S". To facilitate this change the signature flags field was changed to be 64 bit. 14 years ago			`#define DETECT_CONTENT_HSBD_MPM 0x00008000`
			`#define DETECT_CONTENT_HHD_MPM 0x00010000`
			`#define DETECT_CONTENT_HRHD_MPM 0x00020000`
			`#define DETECT_CONTENT_HMD_MPM 0x00040000`
			`#define DETECT_CONTENT_HCD_MPM 0x00080000`
			`#define DETECT_CONTENT_HRUD_MPM 0x00100000`
Support http stat msg detection engine, fast pattern(mpm engine included). Fix http stat msg setup function. Fix pcre option for stat msg keyword 14 years ago			`#define DETECT_CONTENT_HSMD_MPM 0x00200000`
Support http stat code detection engine, fast pattern(mpm engine included). Fix http stat code setup function. Fix pcre option for stat msg keyword. With this the pcre options for server_body is Q, for stat_msg is Y and for stat_code is S 14 years ago			`#define DETECT_CONTENT_HSCD_MPM 0x00400000`
http user agent keyword + mpm + inspection + fast pattern support added 13 years ago			`#define DETECT_CONTENT_HUAD_MPM 0x00800000`
make some name changes. break PopulateMpm(). Set the avoid mpm double check flags 15 years ago
byte extract added to the engine. Detection support added for packet payload, uri and dce detection engines 14 years ago			`/* BE - byte extract */`
http user agent keyword + mpm + inspection + fast pattern support added 13 years ago			`#define DETECT_CONTENT_OFFSET_BE 0x01000000`
			`#define DETECT_CONTENT_DEPTH_BE 0x02000000`
			`#define DETECT_CONTENT_DISTANCE_BE 0x04000000`
			`#define DETECT_CONTENT_WITHIN_BE 0x08000000`
byte extract added to the engine. Detection support added for packet payload, uri and dce detection engines 14 years ago
Add support for replace keyword. This patch adds support for the replace keyword. It is used with content to change selected part of the payload. The major point with this patch is that having a replace keyword made necessary to avoid all stream level check because we need to access to the could-be-modified packet payload. One of the main difficulty is to handle complex signature. If there is other content check, we must do the substitution when we're sure all match are valid. The patch adds an attribute to the thread context variable to be able to deal with recursivity of the match function. Replace is only activated in IPS mode and apply only to raw match. 14 years ago			`/* replace data */`
http user agent keyword + mpm + inspection + fast pattern support added 13 years ago			`#define DETECT_CONTENT_REPLACE 0x10000000`
Add support for replace keyword. This patch adds support for the replace keyword. It is used with content to change selected part of the payload. The major point with this patch is that having a replace keyword made necessary to avoid all stream level check because we need to access to the could-be-modified packet payload. One of the main difficulty is to handle complex signature. If there is other content check, we must do the substitution when we're sure all match are valid. The patch adds an attribute to the thread context variable to be able to deal with recursivity of the match function. Replace is only activated in IPS mode and apply only to raw match. 14 years ago
Share content id's between identical patterns. 16 years ago			`#define DETECT_CONTENT_IS_SINGLE(c) (!((c)->flags & DETECT_CONTENT_DISTANCE \|\| \`
			`(c)->flags & DETECT_CONTENT_WITHIN \|\| \`
fixed a typo in the detect-content.h 15 years ago			`(c)->flags & DETECT_CONTENT_RELATIVE_NEXT \|\| \`
Add unittests for checking content flags. Fix indentation in PopulateMpmAddPatternToMpm(). Also fix DETECT_CONTENT_IS_SINGLE 15 years ago			`(c)->flags & DETECT_CONTENT_DEPTH \|\| \`
			`(c)->flags & DETECT_CONTENT_OFFSET))`
Share content id's between identical patterns. 16 years ago
Adding Boyer Moore context to content patterns, should speed up the search 16 years ago			`#include "util-spm-bm.h"`

Rename all structure definitions in the "typedef struct _SomeStruct" format to "typedef struct SomeStruct_" to make the Doxygen output more useful. Remove the Trie multi pattern matcher code. It wasn't used anymore. 16 years ago			`typedef struct DetectContentData_ {`
unifying content structure - uricontent now uses DetectContentData 15 years ago			`uint8_t *content;`
			`uint8_t content_len;`
support fast pattern for http raw header. Also support relative modifiers for http raw header 15 years ago			`/* would want to move PatIntId here and flags down to remove the padding`
			`* gap, but I think the first four members was used as a template for`
			`* casting. \todo check this and fix it if posssible */`
			`uint32_t flags;`
unifying content structure - uricontent now uses DetectContentData 15 years ago			`PatIntId id;`
64 bit cleanup part2 16 years ago			`uint16_t depth;`
			`uint16_t offset;`
Initial add of the files. 17 years ago			`int32_t distance;`
			`int32_t within;`
make some name changes. break PopulateMpm(). Set the avoid mpm double check flags 15 years ago			`/* Boyer Moore context (for spm search) */`
			`BmCtx *bm_ctx;`
support for fast_pattern only and fast_pattern:offset,length. Also support the new option for engine-analysis 15 years ago			`/* for chopped fast pattern, the offset */`
			`uint16_t fp_chop_offset;`
			`/* for chopped fast pattern, the length */`
			`uint16_t fp_chop_len;`
Add support for replace keyword. This patch adds support for the replace keyword. It is used with content to change selected part of the payload. The major point with this patch is that having a replace keyword made necessary to avoid all stream level check because we need to access to the could-be-modified packet payload. One of the main difficulty is to handle complex signature. If there is other content check, we must do the substitution when we're sure all match are valid. The patch adds an attribute to the thread context variable to be able to deal with recursivity of the match function. Replace is only activated in IPS mode and apply only to raw match. 14 years ago			`/* pointer to replacement data */`
			`uint8_t *replace;`
			`uint8_t replace_len;`
Initial add of the files. 17 years ago			`} DetectContentData;`

			`/* prototypes */`
			`void DetectContentRegister (void);`
64 bit cleanup part2 16 years ago			`uint32_t DetectContentMaxId(DetectEngineCtx *);`
Improvements to content keyword memory handling. First version of a simple pattern based L7 proto detection engine. Currently just works by matching a single pattern in the initial data. Implemented HTTP, SSL, MSN, JABBER, SMTP and a few more. Couple of pattern matcher cleanups. 16 years ago			`DetectContentData DetectContentParse (char contentstr);`
Various fixes and improvements based on feedback by Coverity analyzer. 14 years ago			`int DetectContentDataParse(char keyword, char contentstr, char** pstr, uint16_t plen, int flags);`
fix parsing content keywords. We are more strict now. All content keywords need to be enclosed in double quotes. Better validation for sid, priority and rev keywords 14 years ago			`DetectContentData DetectContentParseEncloseQuotes(char );`
Adding detect_content chunks handling for max_pattern_length and unittests. Updating modifiers to use it. 16 years ago
			`void DetectContentPrint(DetectContentData *);`

Fix compiler warning. 16 years ago			`void DetectContentFree(void *);`
Initial add of the files. 17 years ago
			`#endif /* __DETECT_CONTENT_H__ */`