aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'e38b9de6a2'
${ noResults }
suricata/src/detect-parse.h

125 lines
4.4 KiB
C
Raw Normal View History Unescape Escape

general: copyright bump
5 years ago
/* Copyright (C) 2007-2020 Open Information Security Foundation
Import of GPLv2 Header 050410
15 years ago
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Victor Julien <victor@inliniac.net>
*/
Cleanup signature parsing and other detect.c parts.
17 years ago
#ifndef __DETECT_PARSE_H__
#define __DETECT_PARSE_H__
src: includes cleanup Work towards making `suricata-common.h` only introduce system headers and other things that are independent of complex internal Suricata data structures. Update files to compile after this. Remove special DPDK handling for strlcpy and strlcat, as this caused many compilation failures w/o including DPDK headers for all files. Remove packet macros from decode.h and move them into their own file, turn them into functions and rename them to match our function naming policy.
3 years ago
#include "detect.h"
detect/file: Filehandler registration logic Add file handler registration functions for consolidated file handling. Issue: 4145
2 years ago
#include "detect-engine-mpm.h"
/* File handler registration */
#define MAX_DETECT_ALPROTO_CNT 10
typedef struct DetectFileHandlerTableElmt_ {
const char *name;
int priority;
PrefilterRegisterFunc PrefilterFn;
InspectEngineFuncPtr2 Callback;
InspectionBufferGetDataPtr GetData;
int al_protocols[MAX_DETECT_ALPROTO_CNT];
int tx_progress;
int progress;
} DetectFileHandlerTableElmt;
void DetectFileRegisterFileProtocols(DetectFileHandlerTableElmt *entry);
/* File registration table */
extern DetectFileHandlerTableElmt filehandler_table[DETECT_TBLSIZE];
src: includes cleanup Work towards making `suricata-common.h` only introduce system headers and other things that are independent of complex internal Suricata data structures. Update files to compile after this. Remove special DPDK handling for strlcpy and strlcat, as this caused many compilation failures w/o including DPDK headers for all files. Remove packet macros from decode.h and move them into their own file, turn them into functions and rename them to match our function naming policy.
3 years ago
Adding bidirectional operator support and unittests
16 years ago
/** Flags to indicate if the Signature parsing must be done
* switching the source and dest (for ip addresses and ports)
* or otherwise as normal */
enum {
SIG_DIREC_NORMAL,
SIG_DIREC_SWITCHED
};
/** Flags to indicate if are referencing the source of the Signature
* or the destination (for ip addresses and ports)*/
enum {
SIG_DIREC_SRC,
SIG_DIREC_DST
};
pcre2: only one DetectParseRegex structure
4 years ago
typedef struct DetectParseRegex {
pcre: use pcre2 to parse detect pcre itself
4 years ago
pcre2_code *regex;
pcre2_match_context *context;
pcre2_match_data *match;
pcre2: only one DetectParseRegex structure
4 years ago
struct DetectParseRegex *next;
} DetectParseRegex;
pcre: use pcre2 to parse detect pcre itself
4 years ago
Cleanup signature parsing and other detect.c parts.
17 years ago
/* prototypes */
detect: support multi buffer matching Multi buffer matching is implemented as a way for a rule to match on multiple buffers within the same transaction. Before this patch a rule like: dns.query; content:"example"; dns.query; content:".com"; would be equivalent to: dns.query; content:"example"; content:".com"; If a DNS query would request more than one name, e.g.: DNS: [example.net][something.com] Eeach would be inspected to have both patterns present. Otherwise, it would not be a match. So the rule above would not match, as neither example.net and somthing.com satisfy both conditions at the same time. This patch changes this behavior. Instead of the above, each time the sticky buffer is specified, it creates a separate detection unit. Each buffer is a "multi buffer" sticky buffer will now be evaluated against each "instance" of the sticky buffer. To continue with the above example: DNS: [example.net] <- matches 'dns.query; content:"example";' DNS: [something.com] <- matches 'dns.query; content:".com"' So this would now be a match. To make sure both patterns match in a single query string, the expression 'dns.query; content:"example"; content:".com";' still works for this. This patch doesn't yet enable the behavior for the keywords. That is done in a follow up patch. To be able to implement this the internal storage of parsed rules is changed. Until this patch and array of lists was used, where the index was the buffer id (e.g. http_uri, dns_query). Therefore there was only one list of matches per buffer id. As a side effect this array was always very sparsely populated as many buffers could not be mixed. This patch changes the internal representation. The new array is densely packed: dns.query; content:"1"; dns.query; bsize:1; content:"2"; [type: dns_query][list: content:"1";] [type: dns_query][list: bsize:1; content:"2";] The new scheme allows for multiple instances of the same buffer. These lists are then translated into multiple inspection engines during the final setup of the rule. Ticket: #5784.
2 years ago
int SignatureInitDataBufferCheckExpand(Signature *s);
Added http_method rule keyword.
16 years ago
Signature *SigAlloc(void);
detect: Provide `de_ctx` to free functions This commit makes sure that the `DetectEngineCtx *` is available to each detector's "free" function.
5 years ago
void SigFree(DetectEngineCtx *de_ctx, Signature *s);
compiler: more strict compiler warnings Set flags by default: -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes -Wwrite-strings -Wcast-align -Wbad-function-cast -Wformat-security -Wno-format-nonliteral -Wmissing-format-attribute -funsigned-char Fix minor compiler warnings for these new flags on gcc and clang.
8 years ago
Signature *SigInit(DetectEngineCtx *, const char *sigstr);
detect: shrink Signature::sm_arrays Signature::sm_arrays now only contains 'built-in' lists, and so is sized appropriately.
9 years ago
SigMatchData* SigMatchList2DataArray(SigMatch *head);
Large update containing the first step to making the detection engine use rule groups. Address based rule groups are now implemented.
17 years ago
void SigParseRegisterTests(void);
compiler: more strict compiler warnings Set flags by default: -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes -Wwrite-strings -Wcast-align -Wbad-function-cast -Wformat-security -Wno-format-nonliteral -Wmissing-format-attribute -funsigned-char Fix minor compiler warnings for these new flags on gcc and clang.
8 years ago
Signature *DetectEngineAppendSig(DetectEngineCtx *, const char *);
Convert uricontent to use new scanning methods as well. Move http_method and http_cookie keywords out of pmatch list for now.
16 years ago
support relative pcre for client body. All pcre processing for client body moved to hcbd engine
15 years ago
void SigMatchAppendSMToList(Signature *, SigMatch *, int);
support multiple ipprotos in the same sig + unittest
14 years ago
void SigMatchRemoveSMFromList(Signature *, SigMatch *, int);
detect: constify mpm/detect funcs
10 years ago
int SigMatchListSMBelongsTo(const Signature *, const SigMatch *);
Convert uricontent to use new scanning methods as well. Move http_method and http_cookie keywords out of pmatch list for now.
16 years ago
in case of duplicate signatures used the one with the latest revision
15 years ago
int DetectParseDupSigHashInit(DetectEngineCtx *);
void DetectParseDupSigHashFree(DetectEngineCtx *);
detect-parse: content modifier cleanup
9 years ago
int DetectEngineContentModifierBufferSetup(DetectEngineCtx *de_ctx,
Signature *s, const char *arg, int sm_type, int sm_list,
AppProto alproto);
Further customize content modifier buffer registration. Allow modifier setups functions to have CustomCallbacks to enable their internal conditions.
13 years ago
detect/parse: allow signature parsing to fail silently A sigmatches 'Setup' function may indicate it intends to fail silently after the first error. It will return -2 instead of -1 in this case. This is tracked in the DetectEngineCtx object, so errors will be shown again at rule reloads.
6 years ago
bool SigMatchSilentErrorEnabled(const DetectEngineCtx *de_ctx,
const enum DetectKeywordId id);
detect/parse: add --strict-rule-keywords option Add --strict-rule-keywords commandline option to enable strict rule parsing. It can be used without options or with a comma separated list: --strict-rule-keywords --strict-rule-keywords=all --strict-rule-keywords=classtype,reference Parsing implementations can use SigMatchStrictEnabled to check if strict parsing is enabled for them and act accordingly.
6 years ago
bool SigMatchStrictEnabled(const enum DetectKeywordId id);
detect: move sm_list to string funcs to parser code
10 years ago
const char *DetectListToHumanString(int list);
const char *DetectListToString(int list);
detect: spelling: update SigTableApplyStrictCommandLineOption
2 years ago
void SigTableApplyStrictCommandLineOption(const char *str);
detect/parse: add --strict-rule-keywords option Add --strict-rule-keywords commandline option to enable strict rule parsing. It can be used without options or with a comma separated list: --strict-rule-keywords --strict-rule-keywords=all --strict-rule-keywords=classtype,reference Parsing implementations can use SigMatchStrictEnabled to check if strict parsing is enabled for them and act accordingly.
6 years ago
detect: remove hardcoded sm_list logic from setup Introduce utility functions to aid this.
9 years ago
SigMatch *DetectGetLastSM(const Signature *);
detect: move buffer type map into detect ctx Move previously global table into detect engine ctx. Now that we can register buffers at rule loading time we need to take concurrency into account. Move DetectBufferType to detect.h and update DetectBufferCtx API calls to include a detect engine ctx reference.
8 years ago
SigMatch *DetectGetLastSMFromMpmLists(const DetectEngineCtx *de_ctx, const Signature *s);
detect: remove hardcoded sm_list logic from setup Introduce utility functions to aid this.
9 years ago
SigMatch *DetectGetLastSMFromLists(const Signature *s, ...);
SigMatch *DetectGetLastSMByListPtr(const Signature *s, SigMatch *sm_list, ...);
SigMatch *DetectGetLastSMByListId(const Signature *s, int list_id, ...);
detect/transform: Support transform options This commit adds support for transform-specific options. During Setup, transforms have the signature string available for options detection. When a transform detects an option, it should convert the option into an internal format and supply a pointer to this format as the last argument to DetectSignatureAddTransform. Transforms that support options must provide a function in their Sigmatch table entry. When the transform is freed, a pointer to the internal format of the option is passed to this function.
6 years ago
int DetectSignatureAddTransform(Signature *s, int transform, void *options);
detect: Improve rule keyword alproto registration 1. Set WARN_UNUSED macro on DetectSignatureSetAppProto. 2. Replace all direct 'sets' of Signature::alproto from keyword registration. Closes redmine ticket #3006.
6 years ago
int WARN_UNUSED DetectSignatureSetAppProto(Signature *s, AppProto alproto);
detect: add and use util func for alproto sets
9 years ago
detect parser: add parse regex util function Add regex setup and free util functions. Keywords often use a regex to parse rule input. Introduce a common function to do this setup. Also create a list of registered regexes to free at engine shutdown.
10 years ago
/* parse regex setup and free util funcs */
pcre2: only one DetectParseRegex structure
4 years ago
DetectParseRegex *DetectSetupPCRE2(const char *parse_str, int opts);
detect: fail properly on invalid transform pcrexform
5 years ago
bool DetectSetupParseRegexesOpts(const char *parse_str, DetectParseRegex *parse_regex, int opts);
detect/parse: Refactor interfaces/definitions This commit refactors existing code patterns to reduce code duplication and to be a base for supporting additional PCRE jit-related actions.
6 years ago
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *parse_regex);
void DetectParseRegexAddToFreeList(DetectParseRegex *parse_regex);
detect parser: add parse regex util function Add regex setup and free util functions. Keywords often use a regex to parse rule input. Introduce a common function to do this setup. Also create a list of registered regexes to free at engine shutdown.
10 years ago
void DetectParseFreeRegexes(void);
detect/parse: Refactor interfaces/definitions This commit refactors existing code patterns to reduce code duplication and to be a base for supporting additional PCRE jit-related actions.
6 years ago
void DetectParseFreeRegex(DetectParseRegex *r);
/* parse regex exec */
detect/pcre: Use local match variables pcre2 is not thread-safe wrt match objects so use locally scoped objects. Issue: 4797
2 years ago
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str,
int start_offset, int options);
pcre2: follow code naming style
4 years ago
int SC_Pcre2SubstringCopy(
pcre2: check for PCRE2_ERROR_UNSET Needs maybe to be generalized
4 years ago
pcre2_match_data *match_data, uint32_t number, PCRE2_UCHAR *buffer, PCRE2_SIZE *bufflen);
pcre2: follow code naming style
4 years ago
int SC_Pcre2SubstringGet(pcre2_match_data *match_data, uint32_t number, PCRE2_UCHAR **bufferptr,
pcre2: check for PCRE2_ERROR_UNSET Needs maybe to be generalized
4 years ago
PCRE2_SIZE *bufflen);
detect/parse: Refactor interfaces/definitions This commit refactors existing code patterns to reduce code duplication and to be a base for supporting additional PCRE jit-related actions.
6 years ago
Cleanup signature parsing and other detect.c parts.
17 years ago
#endif /* __DETECT_PARSE_H__ */