aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

rust: bindgen detect-engine-helper.h

Browse Source 
Ticket: 7667

Begin by focusing on transforms
pull/13207/head
Philippe Antoine 7 months ago committed by Victor Julien
parent 3286ae2cc9
commit cf336396c3
15 changed files with 315 additions and 117 deletions
Show Stats Download Patch File Download Diff File

2
rust/cbindgen.toml
Unescape Escape View File

@ -89,8 +89,6 @@ include = [
"FtpStateValues",
"FtpDataStateValues",
"HTTP2TransactionState",
"SCSigTableAppLiteElmt",
"SCTransformTableElmt",
"DataRepType",
]

32
rust/src/detect/transforms/casechange.rs
Unescape Escape View File

@ -16,10 +16,14 @@
*/
use super::{
DetectHelperTransformRegister, DetectSignatureAddTransform, InspectionBufferCheckAndExpand,
InspectionBufferLength, InspectionBufferPtr, InspectionBufferTruncate, SCTransformTableElmt,
DetectSignatureAddTransform, InspectionBufferCheckAndExpand, InspectionBufferLength,
InspectionBufferPtr, InspectionBufferTruncate, SCTransformTableElmt,
};
use crate::detect::SIGMATCH_NOOPT;
use suricata_sys::sys::{
DetectEngineCtx, DetectEngineThreadCtx, InspectionBuffer, SCDetectHelperTransformRegister,
Signature,
};
use std::os::raw::{c_int, c_void};
use std::ptr;
@ -28,7 +32,7 @@ static mut G_TRANSFORM_TOLOWER_ID: c_int = 0;
static mut G_TRANSFORM_TOUPPER_ID: c_int = 0;
unsafe extern "C" fn tolower_setup(
_de: *mut c_void, s: *mut c_void, _raw: *const std::os::raw::c_char,
_de: *mut DetectEngineCtx, s: *mut Signature, _raw: *const std::os::raw::c_char,
) -> c_int {
return DetectSignatureAddTransform(s, G_TRANSFORM_TOLOWER_ID, ptr::null_mut());
}
@ -39,7 +43,9 @@ fn tolower_transform_do(input: &[u8], output: &mut [u8]) {
}
}
unsafe extern "C" fn tolower_transform(_det: *mut c_void, buffer: *mut c_void, _ctx: *mut c_void) {
unsafe extern "C" fn tolower_transform(
_det: *mut DetectEngineThreadCtx, buffer: *mut InspectionBuffer, _ctx: *mut c_void,
) {
let input = InspectionBufferPtr(buffer);
let input_len = InspectionBufferLength(buffer);
if input.is_null() || input_len == 0 {
@ -75,20 +81,20 @@ pub unsafe extern "C" fn DetectTransformToLowerRegister() {
name: b"to_lowercase\0".as_ptr() as *const libc::c_char,
desc: b"convert buffer to lowercase\0".as_ptr() as *const libc::c_char,
url: b"/rules/transforms.html#to_lowercase\0".as_ptr() as *const libc::c_char,
Setup: tolower_setup,
Setup: Some(tolower_setup),
flags: SIGMATCH_NOOPT,
Transform: tolower_transform,
Transform: Some(tolower_transform),
Free: None,
TransformValidate: Some(tolower_validate),
};
G_TRANSFORM_TOLOWER_ID = DetectHelperTransformRegister(&kw);
G_TRANSFORM_TOLOWER_ID = SCDetectHelperTransformRegister(&kw);
if G_TRANSFORM_TOLOWER_ID < 0 {
SCLogWarning!("Failed registering transform tolower");
}
}
unsafe extern "C" fn toupper_setup(
_de: *mut c_void, s: *mut c_void, _raw: *const std::os::raw::c_char,
_de: *mut DetectEngineCtx, s: *mut Signature, _raw: *const std::os::raw::c_char,
) -> c_int {
return DetectSignatureAddTransform(s, G_TRANSFORM_TOUPPER_ID, ptr::null_mut());
}
@ -99,7 +105,9 @@ fn toupper_transform_do(input: &[u8], output: &mut [u8]) {
}
}
unsafe extern "C" fn toupper_transform(_det: *mut c_void, buffer: *mut c_void, _ctx: *mut c_void) {
unsafe extern "C" fn toupper_transform(
_det: *mut DetectEngineThreadCtx, buffer: *mut InspectionBuffer, _ctx: *mut c_void,
) {
let input = InspectionBufferPtr(buffer);
let input_len = InspectionBufferLength(buffer);
if input.is_null() || input_len == 0 {
@ -135,13 +143,13 @@ pub unsafe extern "C" fn DetectTransformToUpperRegister() {
name: b"to_uppercase\0".as_ptr() as *const libc::c_char,
desc: b"convert buffer to uppercase\0".as_ptr() as *const libc::c_char,
url: b"/rules/transforms.html#to_uppercase\0".as_ptr() as *const libc::c_char,
Setup: toupper_setup,
Setup: Some(toupper_setup),
flags: SIGMATCH_NOOPT,
Transform: toupper_transform,
Transform: Some(toupper_transform),
Free: None,
TransformValidate: Some(toupper_validate),
};
G_TRANSFORM_TOUPPER_ID = DetectHelperTransformRegister(&kw);
G_TRANSFORM_TOUPPER_ID = SCDetectHelperTransformRegister(&kw);
if G_TRANSFORM_TOUPPER_ID < 0 {
SCLogWarning!("Failed registering transform toupper");
}

20
rust/src/detect/transforms/compress_whitespace.rs
Unescape Escape View File

@ -16,10 +16,14 @@
*/
use super::{
DetectHelperTransformRegister, DetectSignatureAddTransform, InspectionBufferCheckAndExpand,
InspectionBufferLength, InspectionBufferPtr, InspectionBufferTruncate, SCTransformTableElmt,
DetectSignatureAddTransform, InspectionBufferCheckAndExpand, InspectionBufferLength,
InspectionBufferPtr, InspectionBufferTruncate, SCTransformTableElmt,
};
use crate::detect::SIGMATCH_NOOPT;
use suricata_sys::sys::{
DetectEngineCtx, DetectEngineThreadCtx, InspectionBuffer, SCDetectHelperTransformRegister,
Signature,
};
use std::os::raw::{c_int, c_void};
use std::ptr;
@ -27,7 +31,7 @@ use std::ptr;
static mut G_TRANSFORM_COMPRESS_WHITESPACE_ID: c_int = 0;
unsafe extern "C" fn compress_whitespace_setup(
_de: *mut c_void, s: *mut c_void, _raw: *const std::os::raw::c_char,
_de: *mut DetectEngineCtx, s: *mut Signature, _raw: *const std::os::raw::c_char,
) -> c_int {
return DetectSignatureAddTransform(s, G_TRANSFORM_COMPRESS_WHITESPACE_ID, ptr::null_mut());
}
@ -49,7 +53,9 @@ fn compress_whitespace_transform_do(input: &[u8], output: &mut [u8]) -> u32 {
return nb as u32;
}
unsafe extern "C" fn compress_whitespace_transform(_det: *mut c_void, buffer: *mut c_void, _ctx: *mut c_void) {
unsafe extern "C" fn compress_whitespace_transform(
_det: *mut DetectEngineThreadCtx, buffer: *mut InspectionBuffer, _ctx: *mut c_void,
) {
let input = InspectionBufferPtr(buffer);
let input_len = InspectionBufferLength(buffer);
if input.is_null() || input_len == 0 {
@ -98,13 +104,13 @@ pub unsafe extern "C" fn DetectTransformCompressWhitespaceRegister() {
desc: b"modify buffer to compress consecutive whitespace characters into a single one before inspection\0".as_ptr()
as *const libc::c_char,
url: b"/rules/transforms.html#compress-whitespace\0".as_ptr() as *const libc::c_char,
Setup: compress_whitespace_setup,
Setup: Some(compress_whitespace_setup),
flags: SIGMATCH_NOOPT,
Transform: compress_whitespace_transform,
Transform: Some(compress_whitespace_transform),
Free: None,
TransformValidate: Some(compress_whitespace_validate),
};
G_TRANSFORM_COMPRESS_WHITESPACE_ID = DetectHelperTransformRegister(&kw);
G_TRANSFORM_COMPRESS_WHITESPACE_ID = SCDetectHelperTransformRegister(&kw);
if G_TRANSFORM_COMPRESS_WHITESPACE_ID < 0 {
SCLogWarning!("Failed registering transform compress_whitespace");
}

33
rust/src/detect/transforms/domain.rs
Unescape Escape View File

@ -16,10 +16,15 @@
*/
use super::{
DetectHelperTransformRegister, DetectSignatureAddTransform, InspectionBufferCheckAndExpand,
InspectionBufferLength, InspectionBufferPtr, InspectionBufferTruncate, SCTransformTableElmt,
DetectSignatureAddTransform, InspectionBufferCheckAndExpand, InspectionBufferLength,
InspectionBufferPtr, InspectionBufferTruncate, SCTransformTableElmt,
};
use crate::detect::SIGMATCH_NOOPT;
use suricata_sys::sys::{
DetectEngineCtx, DetectEngineThreadCtx, InspectionBuffer, SCDetectHelperTransformRegister,
Signature,
};
use std::os::raw::{c_int, c_void};
use std::ptr;
@ -27,7 +32,7 @@ static mut G_TRANSFORM_DOMAIN_ID: c_int = 0;
static mut G_TRANSFORM_TLD_ID: c_int = 0;
unsafe extern "C" fn domain_setup(
_de: *mut c_void, s: *mut c_void, _raw: *const std::os::raw::c_char,
_de: *mut DetectEngineCtx, s: *mut Signature, _raw: *const std::os::raw::c_char,
) -> c_int {
return DetectSignatureAddTransform(s, G_TRANSFORM_DOMAIN_ID, ptr::null_mut());
}
@ -42,7 +47,9 @@ fn get_domain(input: &[u8], output: &mut [u8]) -> u32 {
0
}
unsafe extern "C" fn domain_transform(_det: *mut c_void, buffer: *mut c_void, _ctx: *mut c_void) {
unsafe extern "C" fn domain_transform(
_det: *mut DetectEngineThreadCtx, buffer: *mut InspectionBuffer, _ctx: *mut c_void,
) {
let input = InspectionBufferPtr(buffer);
let input_len = InspectionBufferLength(buffer);
if input.is_null() || input_len == 0 {
@ -63,7 +70,7 @@ unsafe extern "C" fn domain_transform(_det: *mut c_void, buffer: *mut c_void, _c
}
unsafe extern "C" fn tld_setup(
_de: *mut c_void, s: *mut c_void, _raw: *const std::os::raw::c_char,
_de: *mut DetectEngineCtx, s: *mut Signature, _raw: *const std::os::raw::c_char,
) -> c_int {
return DetectSignatureAddTransform(s, G_TRANSFORM_TLD_ID, ptr::null_mut());
}
@ -79,7 +86,9 @@ fn get_tld(input: &[u8], output: &mut [u8]) -> u32 {
0
}
unsafe extern "C" fn tld_transform(_det: *mut c_void, buffer: *mut c_void, _ctx: *mut c_void) {
unsafe extern "C" fn tld_transform(
_det: *mut DetectEngineThreadCtx, buffer: *mut InspectionBuffer, _ctx: *mut c_void,
) {
let input = InspectionBufferPtr(buffer);
let input_len = InspectionBufferLength(buffer);
if input.is_null() || input_len == 0 {
@ -105,14 +114,14 @@ pub unsafe extern "C" fn SCDetectTransformDomainRegister() {
name: b"domain\0".as_ptr() as *const libc::c_char,
desc: b"modify buffer to extract the domain\0".as_ptr() as *const libc::c_char,
url: b"/rules/transforms.html#domain\0".as_ptr() as *const libc::c_char,
Setup: domain_setup,
Setup: Some(domain_setup),
flags: SIGMATCH_NOOPT,
Transform: domain_transform,
Transform: Some(domain_transform),
Free: None,
TransformValidate: None,
};
unsafe {
G_TRANSFORM_DOMAIN_ID = DetectHelperTransformRegister(&kw);
G_TRANSFORM_DOMAIN_ID = SCDetectHelperTransformRegister(&kw);
if G_TRANSFORM_DOMAIN_ID < 0 {
SCLogWarning!("Failed registering transform domain");
}
@ -122,14 +131,14 @@ pub unsafe extern "C" fn SCDetectTransformDomainRegister() {
name: b"tld\0".as_ptr() as *const libc::c_char,
desc: b"modify buffer to extract the tld\0".as_ptr() as *const libc::c_char,
url: b"/rules/transforms.html#tld\0".as_ptr() as *const libc::c_char,
Setup: tld_setup,
Setup: Some(tld_setup),
flags: SIGMATCH_NOOPT,
Transform: tld_transform,
Transform: Some(tld_transform),
Free: None,
TransformValidate: None,
};
unsafe {
G_TRANSFORM_TLD_ID = DetectHelperTransformRegister(&kw);
G_TRANSFORM_TLD_ID = SCDetectHelperTransformRegister(&kw);
if G_TRANSFORM_TLD_ID < 0 {
SCLogWarning!("Failed registering transform tld");
}

20
rust/src/detect/transforms/dotprefix.rs
Unescape Escape View File

@ -16,10 +16,14 @@
*/
use super::{
DetectHelperTransformRegister, DetectSignatureAddTransform, InspectionBufferCheckAndExpand,
InspectionBufferLength, InspectionBufferPtr, InspectionBufferTruncate, SCTransformTableElmt,
DetectSignatureAddTransform, InspectionBufferCheckAndExpand, InspectionBufferLength,
InspectionBufferPtr, InspectionBufferTruncate, SCTransformTableElmt,
};
use crate::detect::SIGMATCH_NOOPT;
use suricata_sys::sys::{
DetectEngineCtx, DetectEngineThreadCtx, InspectionBuffer, SCDetectHelperTransformRegister,
Signature,
};
use std::os::raw::{c_int, c_void};
use std::ptr;
@ -27,7 +31,7 @@ use std::ptr;
static mut G_TRANSFORM_DOT_PREFIX_ID: c_int = 0;
unsafe extern "C" fn dot_prefix_setup(
_de: *mut c_void, s: *mut c_void, _raw: *const std::os::raw::c_char,
_de: *mut DetectEngineCtx, s: *mut Signature, _raw: *const std::os::raw::c_char,
) -> c_int {
return DetectSignatureAddTransform(s, G_TRANSFORM_DOT_PREFIX_ID, ptr::null_mut());
}
@ -41,7 +45,9 @@ fn dot_prefix_transform_do(input: &[u8], output: &mut [u8]) {
output[0] = b'.';
}
unsafe extern "C" fn dot_prefix_transform(_det: *mut c_void, buffer: *mut c_void, _ctx: *mut c_void) {
unsafe extern "C" fn dot_prefix_transform(
_det: *mut DetectEngineThreadCtx, buffer: *mut InspectionBuffer, _ctx: *mut c_void,
) {
let input_len = InspectionBufferLength(buffer);
if input_len == 0 {
return;
@ -71,14 +77,14 @@ pub unsafe extern "C" fn DetectTransformDotPrefixRegister() {
name: b"dotprefix\0".as_ptr() as *const libc::c_char,
desc: b"modify buffer to extract the dotprefix\0".as_ptr() as *const libc::c_char,
url: b"/rules/transforms.html#dotprefix\0".as_ptr() as *const libc::c_char,
Setup: dot_prefix_setup,
Setup: Some(dot_prefix_setup),
flags: SIGMATCH_NOOPT,
Transform: dot_prefix_transform,
Transform: Some(dot_prefix_transform),
Free: None,
TransformValidate: None,
};
unsafe {
G_TRANSFORM_DOT_PREFIX_ID = DetectHelperTransformRegister(&kw);
G_TRANSFORM_DOT_PREFIX_ID = SCDetectHelperTransformRegister(&kw);
if G_TRANSFORM_DOT_PREFIX_ID < 0 {
SCLogWarning!("Failed registering transform dot_prefix");
}

45
rust/src/detect/transforms/hash.rs
Unescape Escape View File

@ -16,10 +16,15 @@
*/
use super::{
DetectHelperTransformRegister, DetectSignatureAddTransform, InspectionBufferCheckAndExpand,
InspectionBufferLength, InspectionBufferPtr, InspectionBufferTruncate, SCTransformTableElmt,
DetectSignatureAddTransform, InspectionBufferCheckAndExpand, InspectionBufferLength,
InspectionBufferPtr, InspectionBufferTruncate, SCTransformTableElmt,
};
use crate::detect::SIGMATCH_NOOPT;
use suricata_sys::sys::{
DetectEngineCtx, DetectEngineThreadCtx, InspectionBuffer, SCDetectHelperTransformRegister,
Signature,
};
use crate::ffi::hashing::{G_DISABLE_HASHING, SC_SHA1_LEN, SC_SHA256_LEN};
use digest::{Digest, Update};
use md5::Md5;
@ -36,7 +41,7 @@ static mut G_TRANSFORM_SHA256_ID: c_int = 0;
const SC_MD5_LEN: usize = 16;
unsafe extern "C" fn md5_setup(
_de: *mut c_void, s: *mut c_void, _raw: *const std::os::raw::c_char,
_de: *mut DetectEngineCtx, s: *mut Signature, _raw: *const std::os::raw::c_char,
) -> c_int {
if G_DISABLE_HASHING {
SCLogError!("MD5 hashing has been disabled, needed for to_md5 keyword");
@ -49,7 +54,9 @@ fn md5_transform_do(input: &[u8], output: &mut [u8]) {
Md5::new().chain(input).finalize_into(output.into());
}
unsafe extern "C" fn md5_transform(_det: *mut c_void, buffer: *mut c_void, _ctx: *mut c_void) {
unsafe extern "C" fn md5_transform(
_det: *mut DetectEngineThreadCtx, buffer: *mut InspectionBuffer, _ctx: *mut c_void,
) {
let input = InspectionBufferPtr(buffer);
let input_len = InspectionBufferLength(buffer);
if input.is_null() || input_len == 0 {
@ -75,20 +82,20 @@ pub unsafe extern "C" fn DetectTransformMd5Register() {
name: b"to_md5\0".as_ptr() as *const libc::c_char,
desc: b"convert to md5 hash of the buffer\0".as_ptr() as *const libc::c_char,
url: b"/rules/transforms.html#to-md5\0".as_ptr() as *const libc::c_char,
Setup: md5_setup,
Setup: Some(md5_setup),
flags: SIGMATCH_NOOPT,
Transform: md5_transform,
Transform: Some(md5_transform),
Free: None,
TransformValidate: None,
};
G_TRANSFORM_MD5_ID = DetectHelperTransformRegister(&kw);
G_TRANSFORM_MD5_ID = SCDetectHelperTransformRegister(&kw);
if G_TRANSFORM_MD5_ID < 0 {
SCLogWarning!("Failed registering transform md5");
}
}
unsafe extern "C" fn sha1_setup(
_de: *mut c_void, s: *mut c_void, _raw: *const std::os::raw::c_char,
_de: *mut DetectEngineCtx, s: *mut Signature, _raw: *const std::os::raw::c_char,
) -> c_int {
if G_DISABLE_HASHING {
SCLogError!("SHA1 hashing has been disabled, needed for to_sha1 keyword");
@ -101,7 +108,9 @@ fn sha1_transform_do(input: &[u8], output: &mut [u8]) {
Sha1::new().chain(input).finalize_into(output.into());
}
unsafe extern "C" fn sha1_transform(_det: *mut c_void, buffer: *mut c_void, _ctx: *mut c_void) {
unsafe extern "C" fn sha1_transform(
_det: *mut DetectEngineThreadCtx, buffer: *mut InspectionBuffer, _ctx: *mut c_void,
) {
let input = InspectionBufferPtr(buffer);
let input_len = InspectionBufferLength(buffer);
if input.is_null() || input_len == 0 {
@ -127,20 +136,20 @@ pub unsafe extern "C" fn DetectTransformSha1Register() {
name: b"to_sha1\0".as_ptr() as *const libc::c_char,
desc: b"convert to sha1 hash of the buffer\0".as_ptr() as *const libc::c_char,
url: b"/rules/transforms.html#to-sha1\0".as_ptr() as *const libc::c_char,
Setup: sha1_setup,
Setup: Some(sha1_setup),
flags: SIGMATCH_NOOPT,
Transform: sha1_transform,
Transform: Some(sha1_transform),
Free: None,
TransformValidate: None,
};
G_TRANSFORM_SHA1_ID = DetectHelperTransformRegister(&kw);
G_TRANSFORM_SHA1_ID = SCDetectHelperTransformRegister(&kw);
if G_TRANSFORM_SHA1_ID < 0 {
SCLogWarning!("Failed registering transform sha1");
}
}
unsafe extern "C" fn sha256_setup(
_de: *mut c_void, s: *mut c_void, _raw: *const std::os::raw::c_char,
_de: *mut DetectEngineCtx, s: *mut Signature, _raw: *const std::os::raw::c_char,
) -> c_int {
if G_DISABLE_HASHING {
SCLogError!("SHA256 hashing has been disabled, needed for to_sha256 keyword");
@ -153,7 +162,9 @@ fn sha256_transform_do(input: &[u8], output: &mut [u8]) {
Sha256::new().chain(input).finalize_into(output.into());
}
unsafe extern "C" fn sha256_transform(_det: *mut c_void, buffer: *mut c_void, _ctx: *mut c_void) {
unsafe extern "C" fn sha256_transform(
_det: *mut DetectEngineThreadCtx, buffer: *mut InspectionBuffer, _ctx: *mut c_void,
) {
let input = InspectionBufferPtr(buffer);
let input_len = InspectionBufferLength(buffer);
if input.is_null() || input_len == 0 {
@ -179,13 +190,13 @@ pub unsafe extern "C" fn DetectTransformSha256Register() {
name: b"to_sha256\0".as_ptr() as *const libc::c_char,
desc: b"convert to sha256 hash of the buffer\0".as_ptr() as *const libc::c_char,
url: b"/rules/transforms.html#to-sha256\0".as_ptr() as *const libc::c_char,
Setup: sha256_setup,
Setup: Some(sha256_setup),
flags: SIGMATCH_NOOPT,
Transform: sha256_transform,
Transform: Some(sha256_transform),
Free: None,
TransformValidate: None,
};
G_TRANSFORM_SHA256_ID = DetectHelperTransformRegister(&kw);
G_TRANSFORM_SHA256_ID = SCDetectHelperTransformRegister(&kw);
if G_TRANSFORM_SHA256_ID < 0 {
SCLogWarning!("Failed registering transform sha256");
}

32
rust/src/detect/transforms/http_headers.rs
Unescape Escape View File

@ -16,10 +16,14 @@
*/
use super::{
DetectHelperTransformRegister, DetectSignatureAddTransform, InspectionBufferCheckAndExpand,
InspectionBufferLength, InspectionBufferPtr, InspectionBufferTruncate, SCTransformTableElmt,
DetectSignatureAddTransform, InspectionBufferCheckAndExpand, InspectionBufferLength,
InspectionBufferPtr, InspectionBufferTruncate, SCTransformTableElmt,
};
use crate::detect::SIGMATCH_NOOPT;
use suricata_sys::sys::{
DetectEngineCtx, DetectEngineThreadCtx, InspectionBuffer, SCDetectHelperTransformRegister,
Signature,
};
use std::os::raw::{c_int, c_void};
use std::ptr;
@ -28,7 +32,7 @@ static mut G_TRANSFORM_HEADER_LOWER_ID: c_int = 0;
static mut G_TRANSFORM_STRIP_PSEUDO_ID: c_int = 0;
unsafe extern "C" fn header_lowersetup(
_de: *mut c_void, s: *mut c_void, _raw: *const std::os::raw::c_char,
_de: *mut DetectEngineCtx, s: *mut Signature, _raw: *const std::os::raw::c_char,
) -> c_int {
return DetectSignatureAddTransform(s, G_TRANSFORM_HEADER_LOWER_ID, ptr::null_mut());
}
@ -52,7 +56,9 @@ fn header_lowertransform_do(input: &[u8], output: &mut [u8]) {
}
}
unsafe extern "C" fn header_lowertransform(_det: *mut c_void, buffer: *mut c_void, _ctx: *mut c_void) {
unsafe extern "C" fn header_lowertransform(
_det: *mut DetectEngineThreadCtx, buffer: *mut InspectionBuffer, _ctx: *mut c_void,
) {
let input = InspectionBufferPtr(buffer);
let input_len = InspectionBufferLength(buffer);
if input.is_null() || input_len == 0 {
@ -78,20 +84,20 @@ pub unsafe extern "C" fn DetectTransformHeaderLowercaseRegister() {
name: b"header_lowercase\0".as_ptr() as *const libc::c_char,
desc: b"modify buffer via lowercaseing header names\0".as_ptr() as *const libc::c_char,
url: b"/rules/transforms.html#header_lowercase\0".as_ptr() as *const libc::c_char,
Setup: header_lowersetup,
Setup: Some(header_lowersetup),
flags: SIGMATCH_NOOPT,
Transform: header_lowertransform,
Transform: Some(header_lowertransform),
Free: None,
TransformValidate: None,
};
G_TRANSFORM_HEADER_LOWER_ID = DetectHelperTransformRegister(&kw);
G_TRANSFORM_HEADER_LOWER_ID = SCDetectHelperTransformRegister(&kw);
if G_TRANSFORM_HEADER_LOWER_ID < 0 {
SCLogWarning!("Failed registering transform tolower");
}
}
unsafe extern "C" fn strip_pseudo_setup(
_de: *mut c_void, s: *mut c_void, _raw: *const std::os::raw::c_char,
_de: *mut DetectEngineCtx, s: *mut Signature, _raw: *const std::os::raw::c_char,
) -> c_int {
return DetectSignatureAddTransform(s, G_TRANSFORM_STRIP_PSEUDO_ID, ptr::null_mut());
}
@ -114,7 +120,9 @@ fn strip_pseudo_transform_do(input: &[u8], output: &mut [u8]) -> u32 {
return nb as u32;
}
unsafe extern "C" fn strip_pseudo_transform(_det: *mut c_void, buffer: *mut c_void, _ctx: *mut c_void) {
unsafe extern "C" fn strip_pseudo_transform(
_det: *mut DetectEngineThreadCtx, buffer: *mut InspectionBuffer, _ctx: *mut c_void,
) {
let input = InspectionBufferPtr(buffer);
let input_len = InspectionBufferLength(buffer);
if input.is_null() || input_len == 0 {
@ -140,13 +148,13 @@ pub unsafe extern "C" fn DetectTransformStripPseudoHeadersRegister() {
name: b"strip_pseudo_headers\0".as_ptr() as *const libc::c_char,
desc: b"modify buffer via stripping pseudo headers\0".as_ptr() as *const libc::c_char,
url: b"/rules/transforms.html#strip_pseudo_headers\0".as_ptr() as *const libc::c_char,
Setup: strip_pseudo_setup,
Setup: Some(strip_pseudo_setup),
flags: SIGMATCH_NOOPT,
Transform: strip_pseudo_transform,
Transform: Some(strip_pseudo_transform),
Free: None,
TransformValidate: None,
};
G_TRANSFORM_STRIP_PSEUDO_ID = DetectHelperTransformRegister(&kw);
G_TRANSFORM_STRIP_PSEUDO_ID = SCDetectHelperTransformRegister(&kw);
if G_TRANSFORM_STRIP_PSEUDO_ID < 0 {
SCLogWarning!("Failed registering transform toupper");
}

31
rust/src/detect/transforms/mod.rs
Unescape Escape View File

@ -17,7 +17,9 @@
//! Module for transforms
use std::os::raw::{c_char, c_int, c_void};
use std::os::raw::{c_int, c_void};
use suricata_sys::sys::{InspectionBuffer, SCTransformTableElmt, Signature};
pub mod casechange;
pub mod compress_whitespace;
@ -29,29 +31,14 @@ pub mod strip_whitespace;
pub mod urldecode;
pub mod xor;
#[repr(C)]
#[allow(non_snake_case)]
pub struct SCTransformTableElmt {
pub name: *const c_char,
pub desc: *const c_char,
pub url: *const c_char,
pub flags: u16,
pub Setup: unsafe extern "C" fn(de: *mut c_void, s: *mut c_void, raw: *const c_char) -> c_int,
pub Free: Option<unsafe extern "C" fn(de: *mut c_void, ptr: *mut c_void)>,
pub Transform: unsafe extern "C" fn(_det: *mut c_void, inspect_buf: *mut c_void, options: *mut c_void),
pub TransformValidate:
Option<unsafe extern "C" fn(content: *const u8, len: u16, context: *mut c_void) -> bool>,
}
/// cbindgen:ignore
extern "C" {
pub fn DetectSignatureAddTransform(
s: *mut c_void, transform_id: c_int, ctx: *mut c_void,
s: *mut Signature, transform_id: c_int, ctx: *mut c_void,
) -> c_int;
pub fn InspectionBufferPtr(buf: *const c_void) -> *const u8;
pub fn InspectionBufferLength(buf: *const c_void) -> u32;
pub fn InspectionBufferCopy(ibuf: *const c_void, buf: *const u8, buf_len: u32);
pub fn DetectHelperTransformRegister(kw: *const SCTransformTableElmt) -> c_int;
pub fn InspectionBufferCheckAndExpand(ibuf: *const c_void, buf_len: u32) -> *mut u8;
pub fn InspectionBufferTruncate(ibuf: *const c_void, buf_len: u32);
pub fn InspectionBufferPtr(buf: *const InspectionBuffer) -> *const u8;
pub fn InspectionBufferLength(buf: *const InspectionBuffer) -> u32;
pub fn InspectionBufferCopy(ibuf: *const InspectionBuffer, buf: *const u8, buf_len: u32);
pub fn InspectionBufferCheckAndExpand(ibuf: *const InspectionBuffer, buf_len: u32) -> *mut u8;
pub fn InspectionBufferTruncate(ibuf: *const InspectionBuffer, buf_len: u32);
}

20
rust/src/detect/transforms/strip_whitespace.rs
Unescape Escape View File

@ -16,10 +16,14 @@
*/
use super::{
DetectHelperTransformRegister, DetectSignatureAddTransform, InspectionBufferCheckAndExpand,
InspectionBufferLength, InspectionBufferPtr, InspectionBufferTruncate, SCTransformTableElmt,
DetectSignatureAddTransform, InspectionBufferCheckAndExpand, InspectionBufferLength,
InspectionBufferPtr, InspectionBufferTruncate, SCTransformTableElmt,
};
use crate::detect::SIGMATCH_NOOPT;
use suricata_sys::sys::{
DetectEngineCtx, DetectEngineThreadCtx, InspectionBuffer, SCDetectHelperTransformRegister,
Signature,
};
use std::os::raw::{c_int, c_void};
use std::ptr;
@ -27,7 +31,7 @@ use std::ptr;
static mut G_TRANSFORM_STRIP_WHITESPACE_ID: c_int = 0;
unsafe extern "C" fn strip_whitespace_setup(
_de: *mut c_void, s: *mut c_void, _raw: *const std::os::raw::c_char,
_de: *mut DetectEngineCtx, s: *mut Signature, _raw: *const std::os::raw::c_char,
) -> c_int {
return DetectSignatureAddTransform(s, G_TRANSFORM_STRIP_WHITESPACE_ID, ptr::null_mut());
}
@ -46,7 +50,9 @@ fn strip_whitespace_transform_do(input: &[u8], output: &mut [u8]) -> u32 {
return nb as u32;
}
unsafe extern "C" fn strip_whitespace_transform(_det: *mut c_void, buffer: *mut c_void, _ctx: *mut c_void) {
unsafe extern "C" fn strip_whitespace_transform(
_det: *mut DetectEngineThreadCtx, buffer: *mut InspectionBuffer, _ctx: *mut c_void,
) {
let input = InspectionBufferPtr(buffer);
let input_len = InspectionBufferLength(buffer);
if input.is_null() || input_len == 0 {
@ -85,14 +91,14 @@ pub unsafe extern "C" fn DetectTransformStripWhitespaceRegister() {
desc: b"modify buffer to strip whitespace before inspection\0".as_ptr()
as *const libc::c_char,
url: b"/rules/transforms.html#strip-whitespace\0".as_ptr() as *const libc::c_char,
Setup: strip_whitespace_setup,
Setup: Some(strip_whitespace_setup),
flags: SIGMATCH_NOOPT,
Transform: strip_whitespace_transform,
Transform: Some(strip_whitespace_transform),
Free: None,
TransformValidate: Some(strip_whitespace_validate),
};
unsafe {
G_TRANSFORM_STRIP_WHITESPACE_ID = DetectHelperTransformRegister(&kw);
G_TRANSFORM_STRIP_WHITESPACE_ID = SCDetectHelperTransformRegister(&kw);
if G_TRANSFORM_STRIP_WHITESPACE_ID < 0 {
SCLogWarning!("Failed registering transform strip_whitespace");
}

20
rust/src/detect/transforms/urldecode.rs
Unescape Escape View File

@ -16,10 +16,14 @@
*/
use super::{
DetectHelperTransformRegister, DetectSignatureAddTransform, InspectionBufferCheckAndExpand,
InspectionBufferLength, InspectionBufferPtr, InspectionBufferTruncate, SCTransformTableElmt,
DetectSignatureAddTransform, InspectionBufferCheckAndExpand, InspectionBufferLength,
InspectionBufferPtr, InspectionBufferTruncate, SCTransformTableElmt,
};
use crate::detect::SIGMATCH_NOOPT;
use suricata_sys::sys::{
DetectEngineCtx, DetectEngineThreadCtx, InspectionBuffer, SCDetectHelperTransformRegister,
Signature,
};
use std::os::raw::{c_int, c_void};
use std::ptr;
@ -27,7 +31,7 @@ use std::ptr;
static mut G_TRANSFORM_URL_DECODE_ID: c_int = 0;
unsafe extern "C" fn url_decode_setup(
_de: *mut c_void, s: *mut c_void, _opt: *const std::os::raw::c_char,
_de: *mut DetectEngineCtx, s: *mut Signature, _opt: *const std::os::raw::c_char,
) -> c_int {
return DetectSignatureAddTransform(s, G_TRANSFORM_URL_DECODE_ID, ptr::null_mut());
}
@ -86,7 +90,9 @@ fn url_decode_transform_do(input: &[u8], output: &mut [u8]) -> u32 {
return nb as u32;
}
unsafe extern "C" fn url_decode_transform(_det: *mut c_void, buffer: *mut c_void, _ctx: *mut c_void) {
unsafe extern "C" fn url_decode_transform(
_det: *mut DetectEngineThreadCtx, buffer: *mut InspectionBuffer, _ctx: *mut c_void,
) {
let input = InspectionBufferPtr(buffer);
let input_len = InspectionBufferLength(buffer);
if input.is_null() || input_len == 0 {
@ -113,13 +119,13 @@ pub unsafe extern "C" fn DetectTransformUrlDecodeRegister() {
desc: b"modify buffer to decode urlencoded data before inspection\0".as_ptr()
as *const libc::c_char,
url: b"/rules/transforms.html#url-decode\0".as_ptr() as *const libc::c_char,
Setup: url_decode_setup,
Setup: Some(url_decode_setup),
flags: SIGMATCH_NOOPT,
Transform: url_decode_transform,
Transform: Some(url_decode_transform),
Free: None,
TransformValidate: None,
};
G_TRANSFORM_URL_DECODE_ID = DetectHelperTransformRegister(&kw);
G_TRANSFORM_URL_DECODE_ID = SCDetectHelperTransformRegister(&kw);
if G_TRANSFORM_URL_DECODE_ID < 0 {
SCLogWarning!("Failed registering transform dot_prefix");
}

22
rust/src/detect/transforms/xor.rs
Unescape Escape View File

@ -16,10 +16,14 @@
*/
use super::{
DetectHelperTransformRegister, DetectSignatureAddTransform, InspectionBufferCheckAndExpand,
InspectionBufferLength, InspectionBufferPtr, InspectionBufferTruncate, SCTransformTableElmt,
DetectSignatureAddTransform, InspectionBufferCheckAndExpand, InspectionBufferLength,
InspectionBufferPtr, InspectionBufferTruncate, SCTransformTableElmt,
};
use crate::detect::SIGMATCH_QUOTES_MANDATORY;
use suricata_sys::sys::{
DetectEngineCtx, DetectEngineThreadCtx, InspectionBuffer, SCDetectHelperTransformRegister,
Signature,
};
use std::ffi::CStr;
use std::os::raw::{c_int, c_void};
@ -59,7 +63,7 @@ unsafe fn xor_parse(raw: *const std::os::raw::c_char) -> *mut c_void {
}
unsafe extern "C" fn xor_setup(
de: *mut c_void, s: *mut c_void, opt_str: *const std::os::raw::c_char,
de: *mut DetectEngineCtx, s: *mut Signature, opt_str: *const std::os::raw::c_char,
) -> c_int {
let ctx = xor_parse(opt_str);
if ctx.is_null() {
@ -80,7 +84,9 @@ fn xor_transform_do(input: &[u8], output: &mut [u8], ctx: &DetectTransformXorDat
}
}
unsafe extern "C" fn xor_transform(_det: *mut c_void, buffer: *mut c_void, ctx: *mut c_void) {
unsafe extern "C" fn xor_transform(
_det: *mut DetectEngineThreadCtx, buffer: *mut InspectionBuffer, ctx: *mut c_void,
) {
let input = InspectionBufferPtr(buffer);
let input_len = InspectionBufferLength(buffer);
if input.is_null() || input_len == 0 {
@ -101,7 +107,7 @@ unsafe extern "C" fn xor_transform(_det: *mut c_void, buffer: *mut c_void, ctx:
InspectionBufferTruncate(buffer, input_len);
}
unsafe extern "C" fn xor_free(_de: *mut c_void, ctx: *mut c_void) {
unsafe extern "C" fn xor_free(_de: *mut DetectEngineCtx, ctx: *mut c_void) {
std::mem::drop(Box::from_raw(ctx as *mut DetectTransformXorData));
}
@ -111,14 +117,14 @@ pub unsafe extern "C" fn DetectTransformXorRegister() {
name: b"xor\0".as_ptr() as *const libc::c_char,
desc: b"modify buffer via XOR decoding before inspection\0".as_ptr() as *const libc::c_char,
url: b"/rules/transforms.html#xor\0".as_ptr() as *const libc::c_char,
Setup: xor_setup,
Setup: Some(xor_setup),
flags: SIGMATCH_QUOTES_MANDATORY,
Transform: xor_transform,
Transform: Some(xor_transform),
Free: Some(xor_free),
TransformValidate: None,
};
unsafe {
G_TRANSFORM_XOR_ID = DetectHelperTransformRegister(&kw);
G_TRANSFORM_XOR_ID = SCDetectHelperTransformRegister(&kw);
if G_TRANSFORM_XOR_ID < 0 {
SCLogWarning!("Failed registering transform dot_prefix");
}

100
rust/sys/src/sys.rs
Unescape Escape View File

@ -193,6 +193,106 @@ extern "C" {
de_ctx: *mut DetectEngineCtx, s: *mut Signature, list: ::std::os::raw::c_int,
) -> ::std::os::raw::c_int;
}
#[repr(C)]
#[derive(Debug, Copy, Clone)]
pub struct Flow_ {
_unused: [u8; 0],
}
pub type Flow = Flow_;
#[repr(C)]
#[derive(Debug, Copy, Clone)]
pub struct SigMatchCtx_ {
_unused: [u8; 0],
}
pub type SigMatchCtx = SigMatchCtx_;
#[repr(C)]
#[derive(Debug, Copy, Clone)]
pub struct DetectEngineThreadCtx_ {
_unused: [u8; 0],
}
pub type DetectEngineThreadCtx = DetectEngineThreadCtx_;
#[repr(C)]
#[derive(Debug, Copy, Clone)]
pub struct InspectionBuffer {
_unused: [u8; 0],
}
#[doc = " App-layer light version of SigTableElmt"]
#[repr(C)]
#[derive(Debug, Copy, Clone)]
pub struct SCSigTableAppLiteElmt {
#[doc = " keyword name"]
pub name: *const ::std::os::raw::c_char,
#[doc = " keyword description"]
pub desc: *const ::std::os::raw::c_char,
#[doc = " keyword documentation url"]
pub url: *const ::std::os::raw::c_char,
#[doc = " flags SIGMATCH_*"]
pub flags: u16,
#[doc = " function callback to parse and setup keyword in rule"]
pub Setup: ::std::option::Option<
unsafe extern "C" fn(
arg1: *mut DetectEngineCtx,
arg2: *mut Signature,
arg3: *const ::std::os::raw::c_char,
) -> ::std::os::raw::c_int,
>,
#[doc = " function callback to free structure allocated by setup if any"]
pub Free: ::std::option::Option<
unsafe extern "C" fn(arg1: *mut DetectEngineCtx, arg2: *mut ::std::os::raw::c_void),
>,
#[doc = " function callback to match on an app-layer transaction"]
pub AppLayerTxMatch: ::std::option::Option<
unsafe extern "C" fn(
arg1: *mut DetectEngineThreadCtx,
arg2: *mut Flow,
flags: u8,
alstate: *mut ::std::os::raw::c_void,
txv: *mut ::std::os::raw::c_void,
arg3: *const Signature,
arg4: *const SigMatchCtx,
) -> ::std::os::raw::c_int,
>,
}
#[repr(C)]
#[derive(Debug, Copy, Clone)]
pub struct SCTransformTableElmt {
pub name: *const ::std::os::raw::c_char,
pub desc: *const ::std::os::raw::c_char,
pub url: *const ::std::os::raw::c_char,
pub flags: u16,
pub Setup: ::std::option::Option<
unsafe extern "C" fn(
arg1: *mut DetectEngineCtx,
arg2: *mut Signature,
arg3: *const ::std::os::raw::c_char,
) -> ::std::os::raw::c_int,
>,
pub Free: ::std::option::Option<
unsafe extern "C" fn(arg1: *mut DetectEngineCtx, arg2: *mut ::std::os::raw::c_void),
>,
pub Transform: ::std::option::Option<
unsafe extern "C" fn(
arg1: *mut DetectEngineThreadCtx,
arg2: *mut InspectionBuffer,
context: *mut ::std::os::raw::c_void,
),
>,
pub TransformValidate: ::std::option::Option<
unsafe extern "C" fn(
content: *const u8,
content_len: u16,
context: *mut ::std::os::raw::c_void,
) -> bool,
>,
}
extern "C" {
pub fn SCDetectHelperNewKeywordId() -> ::std::os::raw::c_int;
}
extern "C" {
pub fn SCDetectHelperTransformRegister(
kw: *const SCTransformTableElmt,
) -> ::std::os::raw::c_int;
}
#[doc = " Structure of a configuration parameter."]
#[repr(C)]
#[derive(Debug, Copy, Clone)]

1
src/bindgen.h
Unescape Escape View File

@ -36,6 +36,7 @@
#include "output-eve-bindgen.h"
#include "detect-engine-register.h"
#include "detect-engine-buffer.h"
#include "detect-engine-helper.h"
#include "conf.h"

3
src/detect-engine-helper.c
Unescape Escape View File

@ -29,6 +29,7 @@
#include "detect-engine-prefilter.h"
#include "detect-parse.h"
#include "detect-engine-content-inspection.h"
#include "rust.h"
int DetectHelperBufferRegister(const char *name, AppProto alproto, uint8_t direction)
{
@ -143,7 +144,7 @@ void DetectHelperKeywordAliasRegister(int kwid, const char *alias)
sigmatch_table[kwid].alias = alias;
}
int DetectHelperTransformRegister(const SCTransformTableElmt *kw)
int SCDetectHelperTransformRegister(const SCTransformTableElmt *kw)
{
int transform_id = SCDetectHelperNewKeywordId();
if (transform_id < 0) {

51
src/detect-engine-helper.h
Unescape Escape View File

@ -25,8 +25,53 @@
#define SURICATA_DETECT_ENGINE_HELPER_H
#include "app-layer-protos.h"
#include "detect.h"
#include "rust.h"
// type from flow.h with only forward declarations for bindgen
typedef struct Flow_ Flow;
// types from detect.h with only forward declarations for bindgen
// could be #ifndef SURICATA_BINDGEN_H #include "detect.h" #endif
typedef struct DetectEngineCtx_ DetectEngineCtx;
typedef struct Signature_ Signature;
typedef struct SigMatchCtx_ SigMatchCtx;
typedef struct DetectEngineThreadCtx_ DetectEngineThreadCtx;
typedef struct InspectionBuffer InspectionBuffer;
typedef struct DetectEngineTransforms DetectEngineTransforms;
typedef InspectionBuffer *(*InspectionBufferGetDataPtr)(struct DetectEngineThreadCtx_ *det_ctx,
const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv,
const int list_id);
typedef bool (*InspectionMultiBufferGetDataPtr)(struct DetectEngineThreadCtx_ *det_ctx,
const void *txv, const uint8_t flow_flags, uint32_t local_id, const uint8_t **buf,
uint32_t *buf_len);
/// App-layer light version of SigTableElmt
typedef struct SCSigTableAppLiteElmt {
/// keyword name
const char *name;
/// keyword description
const char *desc;
/// keyword documentation url
const char *url;
/// flags SIGMATCH_*
uint16_t flags;
/// function callback to parse and setup keyword in rule
int (*Setup)(DetectEngineCtx *, Signature *, const char *);
/// function callback to free structure allocated by setup if any
void (*Free)(DetectEngineCtx *, void *);
/// function callback to match on an app-layer transaction
int (*AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv,
const Signature *, const SigMatchCtx *);
} SCSigTableAppLiteElmt;
typedef struct SCTransformTableElmt {
const char *name;
const char *desc;
const char *url;
uint16_t flags;
int (*Setup)(DetectEngineCtx *, Signature *, const char *);
void (*Free)(DetectEngineCtx *, void *);
void (*Transform)(DetectEngineThreadCtx *, InspectionBuffer *, void *context);
bool (*TransformValidate)(const uint8_t *content, uint16_t content_len, void *context);
} SCTransformTableElmt;
int SCDetectHelperNewKeywordId(void);
@ -46,7 +91,7 @@ int DetectHelperMultiBufferMpmRegister(const char *name, const char *desc, AppPr
int DetectHelperMultiBufferProgressMpmRegister(const char *name, const char *desc, AppProto alproto,
uint8_t direction, InspectionMultiBufferGetDataPtr GetData, int progress);
int DetectHelperTransformRegister(const SCTransformTableElmt *kw);
int SCDetectHelperTransformRegister(const SCTransformTableElmt *kw);
const uint8_t *InspectionBufferPtr(InspectionBuffer *buf);
uint32_t InspectionBufferLength(InspectionBuffer *buf);

Write Preview
Loading…
Cancel
Save