detect/pcrexform: New transform: applies RE
This commit adds a new transform -- pcrexform -- that applies a regular expression to the transformation buffer. If an expression was captured, that is output to the transformation buffer. Otherwise, the transformation buffer is unchanged.pull/5047/head
parent
c8eca52804
commit
c1875d8532
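--- /dev/null
+++ b/src/detect-transform-pcrexform.c
@@ -0,0 +1,110 @@
+/* Copyright (C) 2020 Open Information Security Foundation
+*
+* You can copy, redistribute or modify this Program under the terms of
+* the GNU General Public License version 2 as published by the Free
+* Software Foundation.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License
+* version 2 along with this program; if not, write to the Free Software
+* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+* 02110-1301, USA.
+*/
+
+/**
+* \file
+*
+* \author Jeff Lucovsky <jeff@lucovsky.org>
+*
+* Implements the pcrexform transform keyword with option support
+*/
+
+#include "suricata-common.h"
+
+#include "detect.h"
+#include "detect-engine.h"
+#include "detect-parse.h"
+#include "detect-transform-pcrexform.h"
+
+typedef DetectParseRegex DetectTransformPcrexformData;
+
+static int DetectTransformPcrexformSetup (DetectEngineCtx *, Signature *, const char *);
+static void DetectTransformPcrexformFree(DetectEngineCtx *, void *);
+static void DetectTransformPcrexform(InspectionBuffer *buffer, void *options);
+
+void DetectTransformPcrexformRegister(void)
+{
+sigmatch_table[DETECT_TRANSFORM_PCREXFORM].name = "pcrexform";
+sigmatch_table[DETECT_TRANSFORM_PCREXFORM].desc =
+"modify buffer via PCRE before inspection";
+sigmatch_table[DETECT_TRANSFORM_PCREXFORM].url = "/rules/transforms.html#pcre-xform";
+sigmatch_table[DETECT_TRANSFORM_PCREXFORM].Transform =
+DetectTransformPcrexform;
+sigmatch_table[DETECT_TRANSFORM_PCREXFORM].Free =
+DetectTransformPcrexformFree;
+sigmatch_table[DETECT_TRANSFORM_PCREXFORM].Setup =
+DetectTransformPcrexformSetup;
+sigmatch_table[DETECT_TRANSFORM_PCREXFORM].flags |= SIGMATCH_QUOTES_MANDATORY;
+}
+
+static void DetectTransformPcrexformFree(DetectEngineCtx *de_ctx, void *ptr)
+{
+if (ptr != NULL) {
+DetectTransformPcrexformData *pxd = (DetectTransformPcrexformData *) ptr;
+SCFree(pxd);
+}
+}
+/**
+* \internal
+* \brief Apply the pcrexform keyword to the last pattern match
+* \param det_ctx detection engine ctx
+* \param s signature
+* \param regexstr options string
+* \retval 0 ok
+* \retval -1 failure
+*/
+static int DetectTransformPcrexformSetup (DetectEngineCtx *de_ctx, Signature *s, const char *regexstr)
+{
+SCEnter();
+
+// Create pxd from regexstr
+DetectTransformPcrexformData *pxd = SCCalloc(sizeof(*pxd), 1);
+if (pxd == NULL) {
+SCLogDebug("pxd allocation failed");
+SCReturnInt(-1);
+}
+
+DetectSetupParseRegexes(regexstr, pxd);
+
+int r = DetectSignatureAddTransform(s, DETECT_TRANSFORM_PCREXFORM, pxd);
+if (r != 0) {
+SCFree(pxd);
+}
+
+SCReturnInt(r);
+}
+
+static void DetectTransformPcrexform(InspectionBuffer *buffer, void *options)
+{
+const char *input = (const char *)buffer->inspect;
+const uint32_t input_len = buffer->inspect_len;
+DetectTransformPcrexformData *pxd = options;
+
+int ov[MAX_SUBSTRINGS];
+int ret = DetectParsePcreExecLen(pxd, input, input_len, 0, 0, ov, MAX_SUBSTRINGS);
+
+if (ret > 0) {
+const char *str;
+ret = pcre_get_substring((char *) buffer->inspect, ov,
+MAX_SUBSTRINGS, ret - 1, &str);
+
+if (ret >= 0) {
+InspectionBufferCopy(buffer, (uint8_t *)str, (uint32_t) ret);
+pcre_free_substring(str);
+}
+}
+}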
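Review bot: DetectTransformPcrexformFree and the failure path of DetectTransformPcrexformSetup release only the DetectParseRegex wrapper with SCFree(pxd); the expression that DetectSetupParseRegexes compiled into it is not released at either site, so unless that helper registers the compiled regex for freeing elsewhere, every rule (re)load leaks it — a comment such as `/* compiled regex is released by the parse-regex free list; only the wrapper is freed here */` should state which it is once confirmed. In Setup the result of DetectSetupParseRegexes is not examined at all; if that helper can fail without aborting, a pxd holding an uncompiled regex is attached to the signature and reaches DetectParsePcreExecLen at inspection time, so either check its return and free pxd on failure or document that the helper is fatal on a bad expression. Since the expression comes from rule text and is executed against every inspected buffer, it is also worth confirming that the PCRE match and recursion limits applied on the pcre keyword path cover the expression compiled here, as nothing in this hunk sets them. The `ret - 1` argument to pcre_get_substring deserves a why-comment, e.g. `/* pcre_exec returns 1 + the highest-numbered capture that matched; emit that group, or the whole match when there are no captures */`. Two smaller points: the Setup doxygen documents `det_ctx` while the parameter is `de_ctx`, and DetectTransformPcrexform can pass the already-const `input` to pcre_get_substring instead of re-casting `buffer->inspect`.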
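--- /dev/null
+++ b/src/detect-transform-pcrexform.h
@@ -0,0 +1,30 @@
+/* Copyright (C) 2020 Open Information Security Foundation
+*
+* You can copy, redistribute or modify this Program under the terms of
+* the GNU General Public License version 2 as published by the Free
+* Software Foundation.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License
+* version 2 along with this program; if not, write to the Free Software
+* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+* 02110-1301, USA.
+*/
+
+/**
+* \file
+*
+* \author Jeff Lucovsky <jeff@lucovsky.org
+*/
+
+#ifndef __DETECT_TRANSFORM_PCREXFORM_H__
+#define __DETECT_TRANSFORM_PCREXFORM_H__
+
+/* prototypes */
+void DetectTransformPcrexformRegister (void);
+
+#endif /* __DETECT_TRANSFORM_PCREXFORM_H__ */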
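Review bot: The file-header doxygen in the new header is missing the closing bracket on the author line; it should read `* \author Jeff Lucovsky <jeff@lucovsky.org>` as it does in the companion .c file. A one-line `\brief` describing what the header exposes (the registration entry point for the pcrexform transform) would also make the otherwise empty file comment useful.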