From e2603fa8206981778c686e70a1eee45e598b27ac Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Mon, 28 Apr 2025 15:51:43 +0200 Subject: [PATCH] detect/single-buf: new simple wrapper Introduce DetectGetSingleData which does the generic wrapping, including the transforms, using a new callback prototype DetectTxGetBufferPtr The goal is to replace most InspectionBufferGetDataPtr. For this commit, we do not change every callback to keep the change relatively small. Focus here is to remove DetectHelperGetData as its functionality is provided more directly by the new DetectTxGetBufferPtr. --- examples/plugins/altemplate/src/detect.rs | 19 +-- rust/src/applayertemplate/detect.rs | 19 +-- rust/src/detect/mod.rs | 13 +- rust/src/enip/detect.rs | 35 +--- rust/src/ldap/detect.rs | 17 +- rust/src/mqtt/detect.rs | 138 ++-------------- rust/src/rfb/detect.rs | 19 +-- rust/src/sdp/detect.rs | 137 +--------------- rust/src/sip/detect.rs | 81 +--------- rust/src/snmp/detect.rs | 36 +---- rust/src/websocket/detect.rs | 19 +-- src/detect-email.c | 187 +++++----------------- src/detect-engine-helper.c | 36 ++--- src/detect-engine-helper.h | 9 +- src/detect-engine-mpm.c | 23 ++- src/detect-engine-mpm.h | 3 + src/detect-engine-prefilter.c | 63 +++++++- src/detect-engine-prefilter.h | 3 + src/detect-engine.c | 116 +++++++++++++- src/detect-engine.h | 10 ++ src/detect-ftp-command-data.c | 12 +- src/detect-ftp-command.c | 33 ++-- src/detect-smtp.c | 29 ++-- src/detect.h | 5 + 24 files changed, 328 insertions(+), 734 deletions(-) diff --git a/examples/plugins/altemplate/src/detect.rs b/examples/plugins/altemplate/src/detect.rs index 47c276adcb..7ae3d1e596 100644 --- a/examples/plugins/altemplate/src/detect.rs +++ b/examples/plugins/altemplate/src/detect.rs 
@@ -24,7 +24,7 @@ use super::template::{TemplateTransaction, ALPROTO_TEMPLATE}; use std::os::raw::{c_int, c_void}; use suricata::cast_pointer; use suricata::detect::{ - helper_keyword_register_sticky_buffer, DetectHelperBufferMpmRegister, DetectHelperGetData, + helper_keyword_register_sticky_buffer, DetectHelperBufferMpmRegister, DetectSignatureSetAppProto, SigTableElmtStickyBuffer, }; use suricata::core::{STREAM_TOCLIENT, STREAM_TOSERVER}; @@ -46,7 +46,7 @@ unsafe extern "C" fn template_buffer_setup( } /// Get the request/response buffer for a transaction from C. -unsafe extern "C" fn template_buffer_get_data( +unsafe extern "C" fn template_buffer_get( tx: *const c_void, flags: u8, buf: *mut *const u8, len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, TemplateTransaction); @@ -64,21 +64,6 @@ unsafe extern "C" fn template_buffer_get_data( return false; } -unsafe extern "C" fn template_buffer_get( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - template_buffer_get_data, - ); -} - pub(super) unsafe extern "C" fn detect_template_register() { // TODO create a suricata-verify test // Setup a keyword structure and register it diff --git a/rust/src/applayertemplate/detect.rs b/rust/src/applayertemplate/detect.rs index 31d0d473de..9f1222e866 100644 --- a/rust/src/applayertemplate/detect.rs +++ b/rust/src/applayertemplate/detect.rs @@ -21,7 +21,7 @@ use crate::conf::conf_get_node; /* TEMPLATE_END_REMOVE */ use crate::core::{STREAM_TOCLIENT, STREAM_TOSERVER}; use crate::detect::{ - helper_keyword_register_sticky_buffer, DetectHelperBufferMpmRegister, DetectHelperGetData, + helper_keyword_register_sticky_buffer, DetectHelperBufferMpmRegister, DetectSignatureSetAppProto, SigTableElmtStickyBuffer, }; use crate::direction::Direction; 
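Review bot: The doc comment on `template_buffer_get` (hunk `@@ -46,7 +46,7 @@` of examples/plugins/altemplate/src/detect.rs) gives no safety contract, although after the rename this four-argument function appears to be the callback handed to the registration helper. It casts `tx` with `cast_pointer!` and receives raw `buf` and `len` out-pointers. Because this file is the example plugin authors copy, I would extend the comment with `/// # Safety` and `/// tx must point to a live TemplateTransaction; buf and len must be valid for writes.` Most of the body lies outside the hunk, so whether the returned bytes borrow from the transaction, and how long they stay valid, should be confirmed there and stated too. The same applies to `template_buffer_get` in rust/src/applayertemplate/detect.rs.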
@@ -43,7 +43,7 @@ unsafe extern "C" fn template_buffer_setup( } /// Get the request/response buffer for a transaction from C. -unsafe extern "C" fn template_buffer_get_data( +unsafe extern "C" fn template_buffer_get( tx: *const c_void, flags: u8, buf: *mut *const u8, len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, TemplateTransaction); @@ -61,21 +61,6 @@ unsafe extern "C" fn template_buffer_get_data( return false; } -unsafe extern "C" fn template_buffer_get( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - template_buffer_get_data, - ); -} - #[no_mangle] pub unsafe extern "C" fn SCDetectTemplateRegister() { /* TEMPLATE_START_REMOVE */ diff --git a/rust/src/detect/mod.rs b/rust/src/detect/mod.rs index c27347abe8..f466bc14bf 100644 --- a/rust/src/detect/mod.rs +++ b/rust/src/detect/mod.rs @@ -120,21 +120,14 @@ pub const SIGMATCH_INFO_STICKY_BUFFER: u16 = 0x200; // BIT_U16(9) /// cbindgen:ignore extern "C" { - pub fn DetectHelperGetData( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, - get_buf: unsafe extern "C" fn(*const c_void, u8, *mut *const u8, *mut u32) -> bool, - ) -> *mut c_void; pub fn DetectHelperBufferMpmRegister( name: *const libc::c_char, desc: *const libc::c_char, alproto: AppProto, dir: u8, get_data: unsafe extern "C" fn( - *mut c_void, - *const c_void, *const c_void, u8, - *const c_void, - i32, - ) -> *mut c_void, + *mut *const u8, + *mut u32, + ) -> bool, ) -> c_int; // from detect-parse.h pub fn DetectSignatureSetAppProto(s: *mut Signature, alproto: AppProto) -> c_int; diff --git a/rust/src/enip/detect.rs b/rust/src/enip/detect.rs index 6278668108..e0a0fb90fc 100644 --- a/rust/src/enip/detect.rs +++ b/rust/src/enip/detect.rs 
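Review bot: In the `extern "C"` block of rust/src/detect/mod.rs, `DetectHelperBufferMpmRegister` keeps its symbol name while its `get_data` callback changes from six arguments returning `*mut c_void` to four arguments returning `bool`. The block is hand-declared (`cbindgen:ignore`), so nothing visible in this hunk checks it against the C prototype. Code that declares the symbol itself with the old callback type would presumably still link and then be called through a mismatched function-pointer type. I would name the callback type once, e.g. `pub type DetectTxGetBufferPtr = unsafe extern "C" fn(tx: *const c_void, flow_flags: u8, buf: *mut *const u8, buf_len: *mut u32) -> bool;`, and give it a comment stating who owns the returned bytes and whether `buf`/`buf_len` are defined when `false` is returned. A sentence in the commit message about the break for out-of-tree callers would also help.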
@@ -36,7 +36,7 @@ use crate::detect::uint::{ SCDetectU8Match, SCDetectU8Parse, }; use crate::detect::{ - helper_keyword_register_sticky_buffer, DetectHelperBufferMpmRegister, DetectHelperGetData, + helper_keyword_register_sticky_buffer, DetectHelperBufferMpmRegister, DetectSignatureSetAppProto, SigMatchAppendSMToList, SigTableElmtStickyBuffer, }; use suricata_sys::sys::{ @@ -1253,7 +1253,7 @@ pub unsafe extern "C" fn product_name_setup( return 0; } -unsafe extern "C" fn product_name_get( +unsafe extern "C" fn product_name_get_data( tx: *const c_void, _flow_flags: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, EnipTransaction); @@ -1273,21 +1273,6 @@ unsafe extern "C" fn product_name_get( return false; } -unsafe extern "C" fn product_name_get_data( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - product_name_get, - ); -} - pub unsafe extern "C" fn service_name_setup( de: *mut DetectEngineCtx, s: *mut Signature, _raw: *const std::os::raw::c_char, ) -> c_int { @@ -1300,7 +1285,7 @@ pub unsafe extern "C" fn service_name_setup( return 0; } -unsafe extern "C" fn service_name_get( +unsafe extern "C" fn service_name_get_data( tx: *const c_void, _flow_flags: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, EnipTransaction); @@ -1320,20 +1305,6 @@ unsafe extern "C" fn service_name_get( return false; } -unsafe extern "C" fn service_name_get_data( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - service_name_get, - ); -} #[no_mangle] pub unsafe extern "C" fn SCDetectEnipRegister() { let kw = SCSigTableAppLiteElmt { 
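Review bot: The renames in this commit go in opposite directions, which leaves two names for the same kind of callback. In rust/src/enip/detect.rs `product_name_get` becomes `product_name_get_data` and `service_name_get` becomes `service_name_get_data`, while elsewhere in the patch `template_buffer_get_data` becomes `template_buffer_get` and `rfb_name_get_data` becomes `rfb_name_get`. Presumably each getter took over the name its registration call already used, so the call sites outside these hunks stay untouched. Since every one of these now has the four-argument `(tx, flags, buffer, buffer_len) -> bool` shape, I would settle on a single suffix for it. A follow-up commit that is only the rename would be enough.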
diff --git a/rust/src/ldap/detect.rs b/rust/src/ldap/detect.rs index 114f7fa606..4bc281491f 100644 --- a/rust/src/ldap/detect.rs +++ b/rust/src/ldap/detect.rs @@ -22,7 +22,7 @@ use crate::detect::uint::{ SCDetectU8Free, }; use crate::detect::{ - helper_keyword_register_sticky_buffer, DetectHelperBufferMpmRegister, DetectHelperGetData, + helper_keyword_register_sticky_buffer, DetectHelperBufferMpmRegister, DetectSignatureSetAppProto, SigMatchAppendSMToList, SigTableElmtStickyBuffer, }; use crate::ldap::types::{LdapMessage, LdapResultCode, ProtocolOp, ProtocolOpCode}; @@ -319,21 +319,6 @@ unsafe extern "C" fn ldap_detect_request_dn_setup( } unsafe extern "C" fn ldap_detect_request_dn_get_data( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - ldap_tx_get_request_dn, - ); -} - -unsafe extern "C" fn ldap_tx_get_request_dn( tx: *const c_void, _flags: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, LdapTransaction); diff --git a/rust/src/mqtt/detect.rs b/rust/src/mqtt/detect.rs index c761a3f91e..138b488a70 100644 --- a/rust/src/mqtt/detect.rs +++ b/rust/src/mqtt/detect.rs @@ -23,7 +23,7 @@ use crate::detect::uint::{ SCDetectU8Free, SCDetectU8Parse, }; use crate::detect::{ - helper_keyword_register_sticky_buffer, DetectHelperBufferMpmRegister, DetectHelperGetData, + helper_keyword_register_sticky_buffer, DetectHelperBufferMpmRegister, DetectSignatureSetAppProto, SigMatchAppendSMToList, SigTableElmtStickyBuffer, }; use suricata_sys::sys::{ 
@@ -55,7 +55,7 @@ fn mqtt_tx_has_type(tx: &MQTTTransaction, mtype: &DetectUintData) -> c_int { return 0; } -unsafe extern "C" fn mqtt_tx_get_connect_clientid( +unsafe extern "C" fn mqtt_conn_clientid_get_data( tx: *const c_void, _flags: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, MQTTTransaction); @@ -75,7 +75,7 @@ unsafe extern "C" fn mqtt_tx_get_connect_clientid( return false; } -unsafe extern "C" fn mqtt_tx_get_connect_username( +unsafe extern "C" fn mqtt_conn_username_get_data( tx: *const c_void, _flags: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, MQTTTransaction); @@ -96,7 +96,7 @@ unsafe extern "C" fn mqtt_tx_get_connect_username( return false; } -unsafe extern "C" fn mqtt_tx_get_connect_password( +unsafe extern "C" fn mqtt_conn_password_get_data( tx: *const c_void, _flags: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, MQTTTransaction); @@ -117,7 +117,7 @@ unsafe extern "C" fn mqtt_tx_get_connect_password( return false; } -unsafe extern "C" fn mqtt_tx_get_connect_willtopic( +unsafe extern "C" fn mqtt_conn_willtopic_get_data( tx: *const c_void, _flags: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, MQTTTransaction); @@ -138,7 +138,7 @@ unsafe extern "C" fn mqtt_tx_get_connect_willtopic( return false; } -unsafe extern "C" fn mqtt_tx_get_connect_willmessage( +unsafe extern "C" fn mqtt_conn_willmsg_get_data( tx: *const c_void, _flags: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, MQTTTransaction); @@ -159,7 +159,7 @@ unsafe extern "C" fn mqtt_tx_get_connect_willmessage( return false; } -unsafe extern "C" fn mqtt_tx_get_connect_protocol_string( +unsafe extern "C" fn mqtt_conn_protocolstring_get_data( tx: *const c_void, _flags: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, MQTTTransaction); 
@@ -179,7 +179,7 @@ unsafe extern "C" fn mqtt_tx_get_connect_protocol_string( return false; } -unsafe extern "C" fn mqtt_tx_get_publish_topic( +unsafe extern "C" fn mqtt_pub_topic_get_data( tx: *const c_void, _flags: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, MQTTTransaction); @@ -199,7 +199,7 @@ unsafe extern "C" fn mqtt_tx_get_publish_topic( return false; } -unsafe extern "C" fn mqtt_tx_get_publish_message( +unsafe extern "C" fn mqtt_pub_msg_get_data( tx: *const c_void, _flags: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, MQTTTransaction); @@ -598,21 +598,6 @@ unsafe extern "C" fn mqtt_pub_topic_setup( return 0; } -unsafe extern "C" fn mqtt_pub_topic_get_data( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - mqtt_tx_get_publish_topic, - ); -} - unsafe extern "C" fn mqtt_pub_msg_setup( de: *mut DetectEngineCtx, s: *mut Signature, _raw: *const std::os::raw::c_char, ) -> c_int { @@ -625,21 +610,6 @@ unsafe extern "C" fn mqtt_pub_msg_setup( return 0; } -unsafe extern "C" fn mqtt_pub_msg_get_data( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - mqtt_tx_get_publish_message, - ); -} - unsafe extern "C" fn mqtt_protocol_version_setup( de: *mut DetectEngineCtx, s: *mut Signature, raw: *const libc::c_char, ) -> c_int { 
@@ -922,21 +892,6 @@ unsafe extern "C" fn mqtt_conn_willtopic_setup( return 0; } -unsafe extern "C" fn mqtt_conn_willtopic_get_data( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - mqtt_tx_get_connect_willtopic, - ); -} - unsafe extern "C" fn mqtt_conn_willmsg_setup( de: *mut DetectEngineCtx, s: *mut Signature, _raw: *const std::os::raw::c_char, ) -> c_int { @@ -949,21 +904,6 @@ unsafe extern "C" fn mqtt_conn_willmsg_setup( return 0; } -unsafe extern "C" fn mqtt_conn_willmsg_get_data( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - mqtt_tx_get_connect_willmessage, - ); -} - unsafe extern "C" fn mqtt_conn_username_setup( de: *mut DetectEngineCtx, s: *mut Signature, _raw: *const std::os::raw::c_char, ) -> c_int { @@ -976,21 +916,6 @@ unsafe extern "C" fn mqtt_conn_username_setup( return 0; } -unsafe extern "C" fn mqtt_conn_username_get_data( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - mqtt_tx_get_connect_username, - ); -} - unsafe extern "C" fn mqtt_conn_protocolstring_setup( de: *mut DetectEngineCtx, s: *mut Signature, _raw: *const std::os::raw::c_char, ) -> c_int { 
@@ -1003,21 +928,6 @@ unsafe extern "C" fn mqtt_conn_protocolstring_setup( return 0; } -unsafe extern "C" fn mqtt_conn_protocolstring_get_data( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - mqtt_tx_get_connect_protocol_string, - ); -} - unsafe extern "C" fn mqtt_conn_password_setup( de: *mut DetectEngineCtx, s: *mut Signature, _raw: *const std::os::raw::c_char, ) -> c_int { @@ -1030,21 +940,6 @@ unsafe extern "C" fn mqtt_conn_password_setup( return 0; } -unsafe extern "C" fn mqtt_conn_password_get_data( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - mqtt_tx_get_connect_password, - ); -} - unsafe extern "C" fn mqtt_conn_clientid_setup( de: *mut DetectEngineCtx, s: *mut Signature, _raw: *const std::os::raw::c_char, ) -> c_int { @@ -1057,21 +952,6 @@ unsafe extern "C" fn mqtt_conn_clientid_setup( return 0; } -unsafe extern "C" fn mqtt_conn_clientid_get_data( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - mqtt_tx_get_connect_clientid, - ); -} - #[no_mangle] pub unsafe extern "C" fn SCDetectMqttRegister() { let keyword_name = b"mqtt.unsubscribe.topic\0".as_ptr() as *const libc::c_char; diff --git a/rust/src/rfb/detect.rs b/rust/src/rfb/detect.rs index 0ec574b01e..696df7f9d6 100644 --- a/rust/src/rfb/detect.rs +++ b/rust/src/rfb/detect.rs 
@@ -24,7 +24,7 @@ use crate::detect::uint::{ detect_match_uint, detect_parse_uint_enum, DetectUintData, SCDetectU32Free, SCDetectU32Parse, }; use crate::detect::{ - helper_keyword_register_sticky_buffer, DetectHelperBufferMpmRegister, DetectHelperGetData, + helper_keyword_register_sticky_buffer, DetectHelperBufferMpmRegister, DetectSignatureSetAppProto, SigMatchAppendSMToList, SigTableElmtStickyBuffer, }; use std::ffi::CStr; @@ -36,7 +36,7 @@ use suricata_sys::sys::{ SigMatchCtx, Signature, }; -unsafe extern "C" fn rfb_name_get_data( +unsafe extern "C" fn rfb_name_get( tx: *const c_void, _flags: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, RFBTransaction); @@ -54,21 +54,6 @@ unsafe extern "C" fn rfb_name_get_data( return false; } -unsafe extern "C" fn rfb_name_get( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - rfb_name_get_data, - ); -} - static mut G_RFB_NAME_BUFFER_ID: c_int = 0; static mut G_RFB_SEC_TYPE_KW_ID: c_int = 0; static mut G_RFB_SEC_TYPE_BUFFER_ID: c_int = 0; diff --git a/rust/src/sdp/detect.rs b/rust/src/sdp/detect.rs index 1801bff3b1..a6103dd248 100644 --- a/rust/src/sdp/detect.rs +++ b/rust/src/sdp/detect.rs @@ -19,7 +19,7 @@ use crate::core::{STREAM_TOCLIENT, STREAM_TOSERVER}; use crate::detect::{ - helper_keyword_register_sticky_buffer, DetectHelperBufferMpmRegister, DetectHelperGetData, + helper_keyword_register_sticky_buffer, DetectHelperBufferMpmRegister, DetectSignatureSetAppProto, SigTableElmtStickyBuffer, }; use crate::direction::Direction; 
@@ -62,21 +62,6 @@ unsafe extern "C" fn sdp_session_name_setup( } unsafe extern "C" fn sdp_session_name_get( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - sdp_session_name_get_data, - ); -} - -unsafe extern "C" fn sdp_session_name_get_data( tx: *const c_void, direction: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, SIPTransaction); @@ -110,21 +95,6 @@ unsafe extern "C" fn sdp_session_info_setup( } unsafe extern "C" fn sdp_session_info_get( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - sdp_session_info_get_data, - ); -} - -unsafe extern "C" fn sdp_session_info_get_data( tx: *const c_void, direction: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, SIPTransaction); @@ -157,21 +127,6 @@ unsafe extern "C" fn sdp_origin_setup( } unsafe extern "C" fn sdp_origin_get( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - sdp_origin_get_data, - ); -} - -unsafe extern "C" fn sdp_origin_get_data( tx: *const c_void, direction: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, SIPTransaction); 
@@ -205,21 +160,6 @@ unsafe extern "C" fn sdp_uri_setup( } unsafe extern "C" fn sdp_uri_get( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - sdp_uri_get_data, - ); -} - -unsafe extern "C" fn sdp_uri_get_data( tx: *const c_void, direction: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, SIPTransaction); @@ -252,21 +192,6 @@ unsafe extern "C" fn sdp_email_setup( } unsafe extern "C" fn sdp_email_get( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - sdp_email_get_data, - ); -} - -unsafe extern "C" fn sdp_email_get_data( tx: *const c_void, direction: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, SIPTransaction); @@ -299,21 +224,6 @@ unsafe extern "C" fn sdp_phone_number_setup( } unsafe extern "C" fn sdp_phone_number_get( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - sdp_phone_number_get_data, - ); -} - -unsafe extern "C" fn sdp_phone_number_get_data( tx: *const c_void, direction: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, SIPTransaction); 
@@ -346,21 +256,6 @@ unsafe extern "C" fn sdp_conn_data_setup( } unsafe extern "C" fn sdp_conn_data_get( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - sdp_conn_data_get_data, - ); -} - -unsafe extern "C" fn sdp_conn_data_get_data( tx: *const c_void, direction: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, SIPTransaction); @@ -502,21 +397,6 @@ unsafe extern "C" fn sdp_timezone_setup( } unsafe extern "C" fn sdp_timezone_get( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - sdp_timezone_get_data, - ); -} - -unsafe extern "C" fn sdp_timezone_get_data( tx: *const c_void, direction: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, SIPTransaction); @@ -549,21 +429,6 @@ unsafe extern "C" fn sdp_encryption_key_setup( } unsafe extern "C" fn sdp_encryption_key_get( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - sdp_encryption_key_get_data, - ); -} - -unsafe extern "C" fn sdp_encryption_key_get_data( tx: *const c_void, direction: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, SIPTransaction); diff --git a/rust/src/sip/detect.rs b/rust/src/sip/detect.rs index 5aa34edab7..173cf83c21 100644 --- a/rust/src/sip/detect.rs +++ b/rust/src/sip/detect.rs 
@@ -19,14 +19,17 @@ use crate::core::{STREAM_TOCLIENT, STREAM_TOSERVER}; use crate::detect::{ - helper_keyword_register_sticky_buffer, DetectHelperBufferMpmRegister, DetectHelperGetData, + helper_keyword_register_sticky_buffer, DetectHelperBufferMpmRegister, DetectSignatureSetAppProto, SigTableElmtStickyBuffer, }; use crate::direction::Direction; use crate::sip::sip::{SIPTransaction, ALPROTO_SIP}; use std::os::raw::{c_int, c_void}; use std::ptr; -use suricata_sys::sys::{DetectEngineCtx, SCDetectBufferSetActiveList, Signature, SCDetectHelperMultiBufferMpmRegister, DetectEngineThreadCtx}; +use suricata_sys::sys::{ + DetectEngineCtx, DetectEngineThreadCtx, SCDetectBufferSetActiveList, + SCDetectHelperMultiBufferMpmRegister, Signature, +}; static mut G_SIP_PROTOCOL_BUFFER_ID: c_int = 0; static mut G_SIP_STAT_CODE_BUFFER_ID: c_int = 0; @@ -91,21 +94,6 @@ unsafe extern "C" fn sip_protocol_setup( } unsafe extern "C" fn sip_protocol_get( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - sip_protocol_get_data, - ); -} - -unsafe extern "C" fn sip_protocol_get_data( tx: *const c_void, direction: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, SIPTransaction); @@ -149,21 +137,6 @@ unsafe extern "C" fn sip_stat_code_setup( } unsafe extern "C" fn sip_stat_code_get( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - sip_stat_code_get_data, - ); -} - -unsafe extern "C" fn sip_stat_code_get_data( tx: *const c_void, _flags: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, SIPTransaction); 
@@ -193,20 +166,6 @@ unsafe extern "C" fn sip_stat_msg_setup( } unsafe extern "C" fn sip_stat_msg_get( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - sip_stat_msg_get_data, - ); -} -unsafe extern "C" fn sip_stat_msg_get_data( tx: *const c_void, _flags: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, SIPTransaction); @@ -236,21 +195,6 @@ unsafe extern "C" fn sip_request_line_setup( } unsafe extern "C" fn sip_request_line_get( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - sip_request_line_get_data, - ); -} - -unsafe extern "C" fn sip_request_line_get_data( tx: *const c_void, _flags: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, SIPTransaction); @@ -279,21 +223,6 @@ unsafe extern "C" fn sip_response_line_setup( } unsafe extern "C" fn sip_response_line_get( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - sip_response_line_get_data, - ); -} - -unsafe extern "C" fn sip_response_line_get_data( tx: *const c_void, _flags: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, SIPTransaction); diff --git a/rust/src/snmp/detect.rs b/rust/src/snmp/detect.rs index 6669f0d95d..4e0a66da2e 100644 --- a/rust/src/snmp/detect.rs +++ b/rust/src/snmp/detect.rs 
@@ -21,7 +21,7 @@ use super::snmp::{SNMPTransaction, ALPROTO_SNMP}; use crate::core::{STREAM_TOCLIENT, STREAM_TOSERVER}; use crate::detect::uint::{DetectUintData, SCDetectU32Free, SCDetectU32Match, SCDetectU32Parse}; use crate::detect::{ - helper_keyword_register_sticky_buffer, DetectHelperBufferMpmRegister, DetectHelperGetData, + helper_keyword_register_sticky_buffer, DetectHelperBufferMpmRegister, DetectSignatureSetAppProto, SigMatchAppendSMToList, SigTableElmtStickyBuffer, }; use std::os::raw::{c_int, c_void}; @@ -120,7 +120,7 @@ unsafe extern "C" fn snmp_detect_usm_setup( return 0; } -unsafe extern "C" fn snmp_detect_usm_get( +unsafe extern "C" fn snmp_detect_usm_get_data( tx: *const c_void, _flow_flags: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, SNMPTransaction); @@ -132,21 +132,6 @@ unsafe extern "C" fn snmp_detect_usm_get( return false; } -unsafe extern "C" fn snmp_detect_usm_get_data( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - snmp_detect_usm_get, - ); -} - unsafe extern "C" fn snmp_detect_community_setup( de: *mut DetectEngineCtx, s: *mut Signature, _raw: *const std::os::raw::c_char, ) -> c_int { @@ -159,7 +144,7 @@ unsafe extern "C" fn snmp_detect_community_setup( return 0; } -unsafe extern "C" fn snmp_detect_community_get( +unsafe extern "C" fn snmp_detect_community_get_data( tx: *const c_void, _flow_flags: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, SNMPTransaction); 
@@ -171,21 +156,6 @@ unsafe extern "C" fn snmp_detect_community_get( return false; } -unsafe extern "C" fn snmp_detect_community_get_data( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - snmp_detect_community_get, - ); -} - pub(super) unsafe extern "C" fn detect_snmp_register() { let kw = SCSigTableAppLiteElmt { name: b"snmp.version\0".as_ptr() as *const libc::c_char, diff --git a/rust/src/websocket/detect.rs b/rust/src/websocket/detect.rs index d1bd9d6760..c2cd320ceb 100644 --- a/rust/src/websocket/detect.rs +++ b/rust/src/websocket/detect.rs @@ -22,7 +22,7 @@ use crate::detect::uint::{ SCDetectU32Match, SCDetectU32Parse, SCDetectU8Free, SCDetectU8Match, }; use crate::detect::{ - helper_keyword_register_sticky_buffer, DetectHelperBufferMpmRegister, DetectHelperGetData, + helper_keyword_register_sticky_buffer, DetectHelperBufferMpmRegister, DetectSignatureSetAppProto, SigMatchAppendSMToList, SigTableElmtStickyBuffer, }; use crate::websocket::parser::WebSocketOpcode; @@ -257,7 +257,7 @@ pub unsafe extern "C" fn websocket_detect_payload_setup( return 0; } -pub unsafe extern "C" fn websocket_detect_payload_get( +pub unsafe extern "C" fn websocket_detect_payload_get_data( tx: *const c_void, _flow_flags: u8, buffer: *mut *const u8, buffer_len: *mut u32, ) -> bool { let tx = cast_pointer!(tx, WebSocketTransaction); 
@@ -266,21 +266,6 @@ pub unsafe extern "C" fn websocket_detect_payload_get( return true; } -pub unsafe extern "C" fn websocket_detect_payload_get_data( - de: *mut c_void, transforms: *const c_void, flow: *const c_void, flow_flags: u8, - tx: *const c_void, list_id: c_int, -) -> *mut c_void { - return DetectHelperGetData( - de, - transforms, - flow, - flow_flags, - tx, - list_id, - websocket_detect_payload_get, - ); -} - #[no_mangle] pub unsafe extern "C" fn SCDetectWebsocketRegister() { let kw = SCSigTableAppLiteElmt { diff --git a/src/detect-email.c b/src/detect-email.c index 4cc36a4aa5..cee39793da 100644 --- a/src/detect-email.c +++ b/src/detect-email.c @@ -45,27 +45,13 @@ static int DetectMimeEmailFromSetup(DetectEngineCtx *de_ctx, Signature *s, const return 0; } -static InspectionBuffer *GetMimeEmailFromData(DetectEngineThreadCtx *det_ctx, - const DetectEngineTransforms *transforms, Flow *f, const uint8_t _flow_flags, void *txv, - const int list_id) +static bool GetMimeEmailFromData( + const void *txv, const uint8_t _flow_flags, const uint8_t **data, uint32_t *data_len) { - InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); - if (buffer->inspect == NULL) { - SMTPTransaction *tx = (SMTPTransaction *)txv; - - const uint8_t *b_email_from = NULL; - uint32_t b_email_from_len = 0; - - if (tx->mime_state == NULL) - return NULL; - - if (SCDetectMimeEmailGetData(tx->mime_state, &b_email_from, &b_email_from_len, "from") != 1) - return NULL; - - InspectionBufferSetup(det_ctx, list_id, buffer, b_email_from, b_email_from_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); - } - return buffer; + SMTPTransaction *tx = (SMTPTransaction *)txv; + if (tx->mime_state == NULL) + return false; + return (SCDetectMimeEmailGetData(tx->mime_state, data, data_len, "from") == 1); } static int DetectMimeEmailSubjectSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg) 
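Review bot: `SMTPTransaction *tx = (SMTPTransaction *)txv;` in the new `GetMimeEmailFromData` casts away the `const` that the new prototype puts on `txv`. The visible body only reads `tx->mime_state`, so `const SMTPTransaction *tx = txv;` should work and keeps the compiler able to flag an accidental write to the transaction from a getter. The same line appears in the new `GetMimeEmailSubjectData` and `GetMimeEmailToData` in the next two hunks of src/detect-email.c.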
@@ -79,28 +65,13 @@ static int DetectMimeEmailSubjectSetup(DetectEngineCtx *de_ctx, Signature *s, co return 0; } -static InspectionBuffer *GetMimeEmailSubjectData(DetectEngineThreadCtx *det_ctx, - const DetectEngineTransforms *transforms, Flow *f, const uint8_t _flow_flags, void *txv, - const int list_id) +static bool GetMimeEmailSubjectData( + const void *txv, const uint8_t _flow_flags, const uint8_t **data, uint32_t *data_len) { - InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); - if (buffer->inspect == NULL) { - SMTPTransaction *tx = (SMTPTransaction *)txv; - - const uint8_t *b_email_sub = NULL; - uint32_t b_email_sub_len = 0; - - if (tx->mime_state == NULL) - return NULL; - - if (SCDetectMimeEmailGetData(tx->mime_state, &b_email_sub, &b_email_sub_len, "subject") != - 1) - return NULL; - - InspectionBufferSetup(det_ctx, list_id, buffer, b_email_sub, b_email_sub_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); - } - return buffer; + SMTPTransaction *tx = (SMTPTransaction *)txv; + if (tx->mime_state == NULL) + return false; + return (SCDetectMimeEmailGetData(tx->mime_state, data, data_len, "subject") == 1); } static int DetectMimeEmailToSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg) 
@@ -114,29 +85,13 @@ static int DetectMimeEmailToSetup(DetectEngineCtx *de_ctx, Signature *s, const c return 0; } -static InspectionBuffer *GetMimeEmailToData(DetectEngineThreadCtx *det_ctx, - const DetectEngineTransforms *transforms, Flow *f, const uint8_t _flow_flags, void *txv, - const int list_id) +static bool GetMimeEmailToData( + const void *txv, const uint8_t _flow_flags, const uint8_t **data, uint32_t *data_len) { - InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); - if (buffer->inspect == NULL) { - SMTPTransaction *tx = (SMTPTransaction *)txv; - - const uint8_t *b_email_to = NULL; - uint32_t b_email_to_len = 0; - - if ((tx->mime_state != NULL)) { - if (SCDetectMimeEmailGetData(tx->mime_state, &b_email_to, &b_email_to_len, "to") != 1) - return NULL; - } - - if (b_email_to == NULL || b_email_to_len == 0) - return NULL; - - InspectionBufferSetup(det_ctx, list_id, buffer, b_email_to, b_email_to_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); - } - return buffer; + SMTPTransaction *tx = (SMTPTransaction *)txv; + if (tx->mime_state == NULL) + return false; + return (SCDetectMimeEmailGetData(tx->mime_state, data, data_len, "to") == 1); } static int DetectMimeEmailCcSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg) 
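Review bot: GetMimeEmailToData no longer rejects an empty result: the removed code returned NULL when `b_email_to == NULL || b_email_to_len == 0`, while the new body returns whatever `SCDetectMimeEmailGetData(...) == 1` reports. GetSmtpMailFromData in src/detect-smtp.c drops its `tx->mail_from_len == 0` test in the same way, and DetectGetSingleData passes the pointer and length on without checking them. If either source can report success with a zero length, rules on these buffers would now see an empty buffer where they used to see none, which may change the outcome of negated or size-based matches. If the old behaviour is wanted, keep the guard in the getter, e.g. `if (*data == NULL || *data_len == 0) return false;` after the call; otherwise the commit message should state the change.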
@@ -150,27 +105,13 @@ static int DetectMimeEmailCcSetup(DetectEngineCtx *de_ctx, Signature *s, const c return 0; } -static InspectionBuffer *GetMimeEmailCcData(DetectEngineThreadCtx *det_ctx, - const DetectEngineTransforms *transforms, Flow *f, const uint8_t _flow_flags, void *txv, - const int list_id) +static bool GetMimeEmailCcData( + const void *txv, const uint8_t _flow_flags, const uint8_t **data, uint32_t *data_len) { - InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); - if (buffer->inspect == NULL) { - SMTPTransaction *tx = (SMTPTransaction *)txv; - - const uint8_t *b_email_cc = NULL; - uint32_t b_email_cc_len = 0; - - if (tx->mime_state == NULL) - return NULL; - - if (SCDetectMimeEmailGetData(tx->mime_state, &b_email_cc, &b_email_cc_len, "cc") != 1) - return NULL; - - InspectionBufferSetup(det_ctx, list_id, buffer, b_email_cc, b_email_cc_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); - } - return buffer; + SMTPTransaction *tx = (SMTPTransaction *)txv; + if (tx->mime_state == NULL) + return false; + return (SCDetectMimeEmailGetData(tx->mime_state, data, data_len, "cc") == 1); } static int DetectMimeEmailDateSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg) 
@@ -184,27 +125,13 @@ static int DetectMimeEmailDateSetup(DetectEngineCtx *de_ctx, Signature *s, const return 0; } -static InspectionBuffer *GetMimeEmailDateData(DetectEngineThreadCtx *det_ctx, - const DetectEngineTransforms *transforms, Flow *f, const uint8_t _flow_flags, void *txv, - const int list_id) +static bool GetMimeEmailDateData( + const void *txv, const uint8_t _flow_flags, const uint8_t **data, uint32_t *data_len) { - InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); - if (buffer->inspect == NULL) { - SMTPTransaction *tx = (SMTPTransaction *)txv; - - const uint8_t *b_email_date = NULL; - uint32_t b_email_date_len = 0; - - if (tx->mime_state == NULL) - return NULL; - - if (SCDetectMimeEmailGetData(tx->mime_state, &b_email_date, &b_email_date_len, "date") != 1) - return NULL; - - InspectionBufferSetup(det_ctx, list_id, buffer, b_email_date, b_email_date_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); - } - return buffer; + SMTPTransaction *tx = (SMTPTransaction *)txv; + if (tx->mime_state == NULL) + return false; + return (SCDetectMimeEmailGetData(tx->mime_state, data, data_len, "date") == 1); } static int DetectMimeEmailMessageIdSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg) 
@@ -218,28 +145,13 @@ static int DetectMimeEmailMessageIdSetup(DetectEngineCtx *de_ctx, Signature *s, return 0; } -static InspectionBuffer *GetMimeEmailMessageIdData(DetectEngineThreadCtx *det_ctx, - const DetectEngineTransforms *transforms, Flow *f, const uint8_t _flow_flags, void *txv, - const int list_id) +static bool GetMimeEmailMessageIdData( + const void *txv, const uint8_t _flow_flags, const uint8_t **data, uint32_t *data_len) { - InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); - if (buffer->inspect == NULL) { - SMTPTransaction *tx = (SMTPTransaction *)txv; - - const uint8_t *b_email_msg_id = NULL; - uint32_t b_email_msg_id_len = 0; - - if (tx->mime_state == NULL) - return NULL; - - if (SCDetectMimeEmailGetData( - tx->mime_state, &b_email_msg_id, &b_email_msg_id_len, "message-id") != 1) - return NULL; - - InspectionBufferSetup(det_ctx, list_id, buffer, b_email_msg_id, b_email_msg_id_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); - } - return buffer; + SMTPTransaction *tx = (SMTPTransaction *)txv; + if (tx->mime_state == NULL) + return false; + return (SCDetectMimeEmailGetData(tx->mime_state, data, data_len, "message-id") == 1); } static int DetectMimeEmailXMailerSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg) 
@@ -253,28 +165,13 @@ static int DetectMimeEmailXMailerSetup(DetectEngineCtx *de_ctx, Signature *s, co return 0; } -static InspectionBuffer *GetMimeEmailXMailerData(DetectEngineThreadCtx *det_ctx, - const DetectEngineTransforms *transforms, Flow *f, const uint8_t _flow_flags, void *txv, - const int list_id) +static bool GetMimeEmailXMailerData( + const void *txv, const uint8_t _flow_flags, const uint8_t **data, uint32_t *data_len) { - InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); - if (buffer->inspect == NULL) { - SMTPTransaction *tx = (SMTPTransaction *)txv; - - const uint8_t *b_email_x_mailer = NULL; - uint32_t b_email_x_mailer_len = 0; - - if (tx->mime_state == NULL) - return NULL; - - if (SCDetectMimeEmailGetData( - tx->mime_state, &b_email_x_mailer, &b_email_x_mailer_len, "x-mailer") != 1) - return NULL; - - InspectionBufferSetup(det_ctx, list_id, buffer, b_email_x_mailer, b_email_x_mailer_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); - } - return buffer; + SMTPTransaction *tx = (SMTPTransaction *)txv; + if (tx->mime_state == NULL) + return false; + return (SCDetectMimeEmailGetData(tx->mime_state, data, data_len, "x-mailer") == 1); } static int DetectMimeEmailUrlSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg) diff --git a/src/detect-engine-helper.c b/src/detect-engine-helper.c index 7c6221ca45..6a74ab7aed 100644 --- a/src/detect-engine-helper.c +++ b/src/detect-engine-helper.c 
@@ -44,38 +44,20 @@ int SCDetectHelperBufferRegister(const char *name, AppProto alproto, uint8_t dir return DetectBufferTypeRegister(name); } -InspectionBuffer *DetectHelperGetData(struct DetectEngineThreadCtx_ *det_ctx, - const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, - const int list_id, - bool (*GetBuf)(void *txv, const uint8_t flow_flags, const uint8_t **buf, uint32_t *buf_len)) -{ - InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); - if (buffer->inspect == NULL) { - const uint8_t *b = NULL; - uint32_t b_len = 0; - - if (!GetBuf(txv, flow_flags, &b, &b_len)) - return NULL; - - InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); - } - return buffer; -} - int DetectHelperBufferMpmRegister(const char *name, const char *desc, AppProto alproto, - uint8_t direction, InspectionBufferGetDataPtr GetData) + uint8_t direction, InspectionSingleBufferGetDataPtr GetData) { if (direction & STREAM_TOSERVER) { - DetectAppLayerInspectEngineRegister( - name, alproto, SIG_FLAG_TOSERVER, 0, DetectEngineInspectBufferGeneric, GetData); - DetectAppLayerMpmRegister( - name, SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister, GetData, alproto, 0); + DetectAppLayerInspectEngineRegisterSingle( + name, alproto, SIG_FLAG_TOSERVER, 0, DetectEngineInspectBufferSingle, GetData); + DetectAppLayerMpmRegisterSingle( + name, SIG_FLAG_TOSERVER, 2, PrefilterSingleMpmRegister, GetData, alproto, 0); } if (direction & STREAM_TOCLIENT) { - DetectAppLayerInspectEngineRegister( - name, alproto, SIG_FLAG_TOCLIENT, 0, DetectEngineInspectBufferGeneric, GetData); - DetectAppLayerMpmRegister( - name, SIG_FLAG_TOCLIENT, 2, PrefilterGenericMpmRegister, GetData, alproto, 0); + DetectAppLayerInspectEngineRegisterSingle( + name, alproto, SIG_FLAG_TOCLIENT, 0, DetectEngineInspectBufferSingle, GetData); + DetectAppLayerMpmRegisterSingle( + name, SIG_FLAG_TOCLIENT, 2, PrefilterSingleMpmRegister, GetData, alproto, 0); } 
DetectBufferTypeSetDescriptionByName(name, desc); return DetectBufferTypeGetByName(name); diff --git a/src/detect-engine-helper.h b/src/detect-engine-helper.h index 170cda374e..ece83be3b5 100644 --- a/src/detect-engine-helper.h +++ b/src/detect-engine-helper.h @@ -42,6 +42,8 @@ typedef InspectionBuffer *(*InspectionBufferGetDataPtr)(struct DetectEngineThrea typedef bool (*InspectionMultiBufferGetDataPtr)(struct DetectEngineThreadCtx_ *det_ctx, const void *txv, const uint8_t flow_flags, uint32_t local_id, const uint8_t **buf, uint32_t *buf_len); +typedef bool (*InspectionSingleBufferGetDataPtr)( + const void *txv, const uint8_t flow_flags, const uint8_t **buf, uint32_t *buf_len); /// App-layer light version of SigTableElmt typedef struct SCSigTableAppLiteElmt { @@ -80,13 +82,8 @@ int SCDetectHelperKeywordRegister(const SCSigTableAppLiteElmt *kw); void SCDetectHelperKeywordAliasRegister(int kwid, const char *alias); int SCDetectHelperBufferRegister(const char *name, AppProto alproto, uint8_t direction); -typedef bool (*SimpleGetTxBuffer)(void *, uint8_t, const uint8_t **, uint32_t *); - -InspectionBuffer *DetectHelperGetData(struct DetectEngineThreadCtx_ *det_ctx, - const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, - const int list_id, SimpleGetTxBuffer GetBuf); int DetectHelperBufferMpmRegister(const char *name, const char *desc, AppProto alproto, - uint8_t direction, InspectionBufferGetDataPtr GetData); + uint8_t direction, InspectionSingleBufferGetDataPtr GetData); int SCDetectHelperMultiBufferMpmRegister(const char *name, const char *desc, AppProto alproto, uint8_t direction, InspectionMultiBufferGetDataPtr GetData); int SCDetectHelperMultiBufferProgressMpmRegister(const char *name, const char *desc, diff --git a/src/detect-engine-mpm.c b/src/detect-engine-mpm.c index 3ac3896a91..1b223da8a8 100644 --- a/src/detect-engine-mpm.c +++ b/src/detect-engine-mpm.c 
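Review bot: DetectHelperBufferMpmRegister keeps its exported name while its `GetData` parameter changes from `InspectionBufferGetDataPtr` (six arguments, returns a buffer) to `InspectionSingleBufferGetDataPtr` (four arguments, returns bool). In-tree callers are converted by this patch, but an out-of-tree plugin built against the old prototype would presumably still resolve the symbol and then have its callback invoked with the wrong argument list. A prototype comment in detect-engine-helper.h such as `/* GetData is called as (txv, flow_flags, &buf, &buf_len); transforms are applied by the engine */`, together with a note for plugin authors, would make the break visible. Renaming the function would turn the mismatch into a link error instead.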
@@ -88,6 +88,7 @@ static int g_mpm_list_cnt[DETECT_BUFFER_MPM_TYPE_SIZE] = { 0, 0, 0 }; */ static void RegisterInternal(const char *name, int direction, int priority, PrefilterRegisterFunc PrefilterRegister, InspectionBufferGetDataPtr GetData, + InspectionSingleBufferGetDataPtr GetDataSingle, InspectionMultiBufferGetDataPtr GetMultiData, AppProto alproto, int tx_min_progress) { SCLogDebug("registering %s/%d/%d/%p/%p/%u/%d", name, direction, priority, @@ -109,8 +110,8 @@ static void RegisterInternal(const char *name, int direction, int priority, // every HTTP2 can be accessed from DOH2 if (alproto == ALPROTO_HTTP2 || alproto == ALPROTO_DNS) { - RegisterInternal(name, direction, priority, PrefilterRegister, GetData, GetMultiData, - ALPROTO_DOH2, tx_min_progress); + RegisterInternal(name, direction, priority, PrefilterRegister, GetData, GetDataSingle, + GetMultiData, ALPROTO_DOH2, tx_min_progress); } DetectBufferMpmRegistry *am = SCCalloc(1, sizeof(*am)); BUG_ON(am == NULL); @@ -126,6 +127,8 @@ static void RegisterInternal(const char *name, int direction, int priority, am->PrefilterRegisterWithListId = PrefilterRegister; if (GetData != NULL) { am->app_v2.GetData = GetData; + } else if (GetDataSingle != NULL) { + am->app_v2.GetDataSingle = GetDataSingle; } else if (GetMultiData != NULL) { am->app_v2.GetMultiData = GetMultiData; } 
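Review bot: RegisterInternal now takes three getter pointers that share one union in `app_v2`, and the `if / else if` chain stores whichever is non-NULL without checking that it matches `PrefilterRegister`. The detect-engine.c side of this patch adds a `Callback == DetectEngineInspectBufferSingle && GetDataSingle == NULL` check, but no equivalent is visible here, while PrefilterSingleMpmRegister copies `mpm_reg->app_v2.GetDataSingle` and DetectGetSingleData calls it unconditionally. Consider `BUG_ON(PrefilterRegister == PrefilterSingleMpmRegister && GetDataSingle == NULL);` next to the function's other argument checks. The body between the hunks is not shown, so an existing check may already cover part of this.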
@@ -152,16 +155,24 @@ void DetectAppLayerMpmRegister(const char *name, int direction, int priority, PrefilterRegisterFunc PrefilterRegister, InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress) { - RegisterInternal( - name, direction, priority, PrefilterRegister, GetData, NULL, alproto, tx_min_progress); + RegisterInternal(name, direction, priority, PrefilterRegister, GetData, NULL, NULL, alproto, + tx_min_progress); +} + +void DetectAppLayerMpmRegisterSingle(const char *name, int direction, int priority, + PrefilterRegisterFunc PrefilterRegister, InspectionSingleBufferGetDataPtr GetData, + AppProto alproto, int tx_min_progress) +{ + RegisterInternal(name, direction, priority, PrefilterRegister, NULL, GetData, NULL, alproto, + tx_min_progress); } void DetectAppLayerMpmMultiRegister(const char *name, int direction, int priority, PrefilterRegisterFunc PrefilterRegister, InspectionMultiBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress) { - RegisterInternal( - name, direction, priority, PrefilterRegister, NULL, GetData, alproto, tx_min_progress); + RegisterInternal(name, direction, priority, PrefilterRegister, NULL, NULL, GetData, alproto, + tx_min_progress); } /** \brief copy a mpm engine from parent_id, add in transforms */ diff --git a/src/detect-engine-mpm.h b/src/detect-engine-mpm.h index 34d67ae767..6bde23a202 100644 --- a/src/detect-engine-mpm.h +++ b/src/detect-engine-mpm.h 
@@ -87,6 +87,9 @@ typedef int (*PrefilterRegisterFunc)(DetectEngineCtx *de_ctx, SigGroupHead *sgh, void DetectAppLayerMpmRegister(const char *name, int direction, int priority, PrefilterRegisterFunc PrefilterRegister, InspectionBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress); +void DetectAppLayerMpmRegisterSingle(const char *name, int direction, int priority, + PrefilterRegisterFunc PrefilterRegister, InspectionSingleBufferGetDataPtr GetData, + AppProto alproto, int tx_min_progress); void DetectAppLayerMpmMultiRegister(const char *name, int direction, int priority, PrefilterRegisterFunc PrefilterRegister, InspectionMultiBufferGetDataPtr GetData, AppProto alproto, int tx_min_progress); diff --git a/src/detect-engine-prefilter.c b/src/detect-engine-prefilter.c index 73976d707b..071b2382db 100644 --- a/src/detect-engine-prefilter.c +++ b/src/detect-engine-prefilter.c 
@@ -1499,11 +1499,49 @@ const char *PrefilterStoreGetName(const uint32_t id) typedef struct PrefilterMpmCtx { int list_id; - InspectionBufferGetDataPtr GetData; + union { + InspectionBufferGetDataPtr GetData; + InspectionSingleBufferGetDataPtr GetDataSingle; + }; const MpmCtx *mpm_ctx; const DetectEngineTransforms *transforms; } PrefilterMpmCtx; +/** \brief Generic Mpm prefilter callback for simple InspectionSingleBufferGetDataPtr + * + * \param det_ctx detection engine thread ctx + * \param p packet to inspect + * \param f flow to inspect + * \param txv tx to inspect + * \param pectx inspection context + */ +static void PrefilterMpmTxSingle(DetectEngineThreadCtx *det_ctx, const void *pectx, Packet *p, + Flow *f, void *txv, const uint64_t idx, const AppLayerTxData *_txd, const uint8_t flags) +{ + SCEnter(); + + const PrefilterMpmCtx *ctx = (const PrefilterMpmCtx *)pectx; + const MpmCtx *mpm_ctx = ctx->mpm_ctx; + SCLogDebug("running on list %d", ctx->list_id); + + InspectionBuffer *buffer = DetectGetSingleData( + det_ctx, ctx->transforms, f, flags, txv, ctx->list_id, ctx->GetDataSingle); + if (buffer == NULL) + return; + + const uint32_t data_len = buffer->inspect_len; + const uint8_t *data = buffer->inspect; + + SCLogDebug("mpm'ing buffer:"); + // PrintRawDataFp(stdout, data, data_len); + + if (data != NULL && data_len >= mpm_ctx->minlen) { + (void)mpm_table[mpm_ctx->mpm_type].Search( + mpm_ctx, &det_ctx->mtc, &det_ctx->pmq, data, data_len); + PREFILTER_PROFILING_ADD_BYTES(det_ctx, data_len); + } +} + /** \brief Generic Mpm prefilter callback * * \param det_ctx detection engine thread ctx 
@@ -1521,8 +1559,7 @@ static void PrefilterMpm(DetectEngineThreadCtx *det_ctx, const void *pectx, Pack const MpmCtx *mpm_ctx = ctx->mpm_ctx; SCLogDebug("running on list %d", ctx->list_id); - InspectionBuffer *buffer = ctx->GetData(det_ctx, ctx->transforms, - f, flags, txv, ctx->list_id); + InspectionBuffer *buffer = ctx->GetData(det_ctx, ctx->transforms, f, flags, txv, ctx->list_id); if (buffer == NULL) return; @@ -1565,6 +1602,26 @@ int PrefilterGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmC return r; } +int PrefilterSingleMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, + const DetectBufferMpmRegistry *mpm_reg, int list_id) +{ + SCEnter(); + PrefilterMpmCtx *pectx = SCCalloc(1, sizeof(*pectx)); + if (pectx == NULL) + return -1; + pectx->list_id = list_id; + pectx->GetDataSingle = mpm_reg->app_v2.GetDataSingle; + pectx->mpm_ctx = mpm_ctx; + pectx->transforms = &mpm_reg->transforms; + + int r = PrefilterAppendTxEngine(de_ctx, sgh, PrefilterMpmTxSingle, mpm_reg->app_v2.alproto, + mpm_reg->app_v2.tx_min_progress, pectx, PrefilterGenericMpmFree, mpm_reg->pname); + if (r != 0) { + SCFree(pectx); + } + return r; +} + static void PrefilterMultiGenericMpmFree(void *ptr) { // PrefilterMpmListId diff --git a/src/detect-engine-prefilter.h b/src/detect-engine-prefilter.h index 3dbd2a45e4..62e5ad502b 100644 --- a/src/detect-engine-prefilter.h +++ b/src/detect-engine-prefilter.h @@ -97,6 +97,9 @@ void PrefilterDeinit(DetectEngineCtx *de_ctx); int PrefilterGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id); +int PrefilterSingleMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, + const DetectBufferMpmRegistry *mpm_reg, int list_id); + int PrefilterMultiGenericMpmRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx, const DetectBufferMpmRegistry *mpm_reg, int list_id); 
diff --git a/src/detect-engine.c b/src/detect-engine.c index eec091f566..c2243d88c9 100644 --- a/src/detect-engine.c +++ b/src/detect-engine.c @@ -172,6 +172,7 @@ void DetectPktInspectEngineRegister(const char *name, * \note errors are fatal */ static void AppLayerInspectEngineRegisterInternal(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback, InspectionBufferGetDataPtr GetData, + InspectionSingleBufferGetDataPtr GetDataSingle, InspectionMultiBufferGetDataPtr GetMultiData) { BUG_ON(progress >= 48); @@ -192,6 +193,10 @@ static void AppLayerInspectEngineRegisterInternal(const char *name, AppProto alp SCLogError("Invalid arguments: must register " "GetData with DetectEngineInspectBufferGeneric"); BUG_ON(1); + } else if (Callback == DetectEngineInspectBufferSingle && GetDataSingle == NULL) { + SCLogError("Invalid arguments: must register " + "GetData with DetectEngineInspectBufferGeneric"); + BUG_ON(1); } else if (Callback == DetectEngineInspectMultiBufferGeneric && GetMultiData == NULL) { SCLogError("Invalid arguments: must register " "GetData with DetectEngineInspectMultiBufferGeneric"); @@ -207,7 +212,7 @@ static void AppLayerInspectEngineRegisterInternal(const char *name, AppProto alp // every DNS or HTTP2 can be accessed from DOH2 if (alproto == ALPROTO_HTTP2 || alproto == ALPROTO_DNS) { AppLayerInspectEngineRegisterInternal( - name, ALPROTO_DOH2, dir, progress, Callback, GetData, GetMultiData); + name, ALPROTO_DOH2, dir, progress, Callback, GetData, GetDataSingle, GetMultiData); } DetectEngineAppInspectionEngine *new_engine = 
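Review bot: The new `Callback == DetectEngineInspectBufferSingle && GetDataSingle == NULL` branch logs the message copied from the branch above it, so a bad registration is reported as "must register GetData with DetectEngineInspectBufferGeneric". The text should name the callback that was actually checked, i.e. the second literal becomes `"GetDataSingle with DetectEngineInspectBufferSingle");`. AppLayerInspectEngineRegisterInternal starts and ends outside these hunks.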
@@ -223,6 +228,8 @@ static void AppLayerInspectEngineRegisterInternal(const char *name, AppProto alp new_engine->v2.Callback = Callback; if (Callback == DetectEngineInspectBufferGeneric) { new_engine->v2.GetData = GetData; + } else if (Callback == DetectEngineInspectBufferSingle) { + new_engine->v2.GetDataSingle = GetDataSingle; } else if (Callback == DetectEngineInspectMultiBufferGeneric) { new_engine->v2.GetMultiData = GetMultiData; } @@ -257,7 +264,31 @@ void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uin t = t->next; } - AppLayerInspectEngineRegisterInternal(name, alproto, dir, progress, Callback, GetData, NULL); + AppLayerInspectEngineRegisterInternal( + name, alproto, dir, progress, Callback, GetData, NULL, NULL); +} + +void DetectAppLayerInspectEngineRegisterSingle(const char *name, AppProto alproto, uint32_t dir, + int progress, InspectEngineFuncPtr Callback, InspectionSingleBufferGetDataPtr GetData) +{ + /* before adding, check that we don't add a duplicate entry, which will + * propegate all the way into the packet runtime if allowed. */ + DetectEngineAppInspectionEngine *t = g_app_inspect_engines; + while (t != NULL) { + const uint32_t t_direction = t->dir == 0 ? SIG_FLAG_TOSERVER : SIG_FLAG_TOCLIENT; + const int sm_list = DetectBufferTypeGetByName(name); + + if (t->sm_list == sm_list && t->alproto == alproto && t_direction == dir && + t->progress == progress && t->v2.Callback == Callback && + t->v2.GetDataSingle == GetData) { + DEBUG_VALIDATE_BUG_ON(1); + return; + } + t = t->next; + } + + AppLayerInspectEngineRegisterInternal( + name, alproto, dir, progress, Callback, NULL, GetData, NULL); } /* copy an inspect engine with transforms to a new list id. */ 
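Review bot: DetectAppLayerInspectEngineRegisterSingle copies the duplicate-check loop from DetectAppLayerInspectEngineRegister, including `const int sm_list = DetectBufferTypeGetByName(name);` inside the `while`, which repeats the same lookup for every registered engine. Assuming the lookup has no side effects, that line can move above the loop. The copied comment also carries the typo "propegate" (propagate). Since the two functions now differ only in which union member they compare and pass on, a shared static helper for the scan would keep them from drifting apart.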
@@ -1927,6 +1958,66 @@ uint8_t DetectEngineInspectGenericList(DetectEngineCtx *de_ctx, DetectEngineThre return DETECT_ENGINE_INSPECT_SIG_MATCH; } +/** + * \brief Do the content inspection & validation for a signature + * + * \param de_ctx Detection engine context + * \param det_ctx Detection engine thread context + * \param s Signature to inspect + * \param f Flow + * \param flags app layer flags + * \param state App layer state + * + * \retval 0 no match. + * \retval 1 match. + * \retval 2 Sig can't match. + */ +uint8_t DetectEngineInspectBufferSingle(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, + const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, + void *alstate, void *txv, uint64_t tx_id) +{ + const int list_id = engine->sm_list; + SCLogDebug("running inspect on %d", list_id); + + const bool eof = + (AppLayerParserGetStateProgress(f->proto, f->alproto, txv, flags) > engine->progress); + + SCLogDebug("list %d mpm? %s transforms %p", engine->sm_list, engine->mpm ? "true" : "false", + engine->v2.transforms); + + /* if prefilter didn't already run, we need to consider transformations */ + const DetectEngineTransforms *transforms = NULL; + if (!engine->mpm) { + transforms = engine->v2.transforms; + } + + const InspectionBuffer *buffer = DetectGetSingleData( + det_ctx, transforms, f, flags, txv, list_id, engine->v2.GetDataSingle); + if (unlikely(buffer == NULL)) { + if (eof && engine->match_on_null) { + return DETECT_ENGINE_INSPECT_SIG_MATCH; + } + return eof ? DETECT_ENGINE_INSPECT_SIG_CANT_MATCH : DETECT_ENGINE_INSPECT_SIG_NO_MATCH; + } + + const uint32_t data_len = buffer->inspect_len; + const uint8_t *data = buffer->inspect; + const uint64_t offset = buffer->inspect_offset; + + uint8_t ci_flags = eof ? DETECT_CI_FLAGS_END : 0; + ci_flags |= (offset == 0 ? 
DETECT_CI_FLAGS_START : 0); + ci_flags |= buffer->flags; + + /* Inspect all the uricontents fetched on each + * transaction at the app layer */ + const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f, data, + data_len, offset, ci_flags, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE); + if (match) { + return DETECT_ENGINE_INSPECT_SIG_MATCH; + } else { + return eof ? DETECT_ENGINE_INSPECT_SIG_CANT_MATCH : DETECT_ENGINE_INSPECT_SIG_NO_MATCH; + } +} /** * \brief Do the content inspection & validation for a signature @@ -1995,12 +2086,29 @@ uint8_t DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineTh void DetectAppLayerMultiRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectionMultiBufferGetDataPtr GetData, int priority) { - AppLayerInspectEngineRegisterInternal( - name, alproto, dir, progress, DetectEngineInspectMultiBufferGeneric, NULL, GetData); + AppLayerInspectEngineRegisterInternal(name, alproto, dir, progress, + DetectEngineInspectMultiBufferGeneric, NULL, NULL, GetData); DetectAppLayerMpmMultiRegister( name, dir, priority, PrefilterMultiGenericMpmRegister, GetData, alproto, progress); } +InspectionBuffer *DetectGetSingleData(struct DetectEngineThreadCtx_ *det_ctx, + const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, + const int list_id, InspectionSingleBufferGetDataPtr GetBuf) +{ + InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); + if (buffer->inspect == NULL) { + const uint8_t *b = NULL; + uint32_t b_len = 0; + + if (!GetBuf(txv, flow_flags, &b, &b_len)) + return NULL; + + InspectionBufferSetupAndApplyTransforms(det_ctx, list_id, buffer, b, b_len, transforms); + } + return buffer; +} + InspectionBuffer *DetectGetMultiData(struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, const int list_id, uint32_t index, InspectionMultiBufferGetDataPtr GetBuf) 
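Review bot: The doc block on DetectEngineInspectBufferSingle was copied and does not describe this function: it documents `state` although the parameter is `alstate`, omits `engine`, `txv` and `tx_id`, and lists return values 0/1/2 while the body returns `DETECT_ENGINE_INSPECT_SIG_NO_MATCH`, `DETECT_ENGINE_INSPECT_SIG_MATCH` and `DETECT_ENGINE_INSPECT_SIG_CANT_MATCH`. The brief should say that the buffer comes from the `GetDataSingle` callback through DetectGetSingleData, that transforms are passed only when `engine->mpm` is not set, and that a missing buffer at end of progress matches only when `engine->match_on_null` is set. The inline comment about "uricontents" should be reworded to something like `/* inspect the single buffer for this transaction */`.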
diff --git a/src/detect-engine.h b/src/detect-engine.h index 3a883289a8..557009fcfd 100644 --- a/src/detect-engine.h +++ b/src/detect-engine.h @@ -131,6 +131,13 @@ uint8_t DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineTh const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id); +uint8_t DetectEngineInspectBufferSingle(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, + const DetectEngineAppInspectionEngine *engine, const Signature *s, Flow *f, uint8_t flags, + void *alstate, void *txv, uint64_t tx_id); + +InspectionBuffer *DetectGetSingleData(struct DetectEngineThreadCtx_ *det_ctx, + const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, + const int list_id, InspectionSingleBufferGetDataPtr GetBuf); InspectionBuffer *DetectGetMultiData(struct DetectEngineThreadCtx_ *det_ctx, const DetectEngineTransforms *transforms, Flow *f, const uint8_t flow_flags, void *txv, const int list_id, uint32_t index, InspectionMultiBufferGetDataPtr GetBuf); @@ -156,6 +163,9 @@ int DetectEngineInspectPktBufferGeneric( void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback2, InspectionBufferGetDataPtr GetData); +void DetectAppLayerInspectEngineRegisterSingle(const char *name, AppProto alproto, uint32_t dir, + int progress, InspectEngineFuncPtr Callback2, InspectionSingleBufferGetDataPtr GetData); + void DetectAppLayerMultiRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectionMultiBufferGetDataPtr GetData, int priority); diff --git a/src/detect-ftp-command-data.c b/src/detect-ftp-command-data.c index 7d84424f47..63b0fd21d7 100644 --- a/src/detect-ftp-command-data.c +++ b/src/detect-ftp-command-data.c 
@@ -62,7 +62,7 @@ static int DetectFtpCommandDataSetup(DetectEngineCtx *de_ctx, Signature *s, cons } static bool DetectFTPCommandDataGetData( - void *txv, const uint8_t _flow_flags, const uint8_t **buffer, uint32_t *buffer_len) + const void *txv, const uint8_t _flow_flags, const uint8_t **buffer, uint32_t *buffer_len) { FTPTransaction *tx = (FTPTransaction *)txv; @@ -86,14 +86,6 @@ static bool DetectFTPCommandDataGetData( return false; } -static InspectionBuffer *GetDataWrapper(DetectEngineThreadCtx *det_ctx, - const DetectEngineTransforms *transforms, Flow *_f, const uint8_t _flow_flags, void *txv, - const int list_id) -{ - return DetectHelperGetData( - det_ctx, transforms, _f, _flow_flags, txv, list_id, DetectFTPCommandDataGetData); -} - void DetectFtpCommandDataRegister(void) { /* ftp.command sticky buffer */ @@ -105,7 +97,7 @@ void DetectFtpCommandDataRegister(void) sigmatch_table[DETECT_FTP_COMMAND_DATA].flags |= SIGMATCH_NOOPT; DetectHelperBufferMpmRegister( - BUFFER_NAME, BUFFER_NAME, ALPROTO_FTP, STREAM_TOSERVER, GetDataWrapper); + BUFFER_NAME, BUFFER_DESC, ALPROTO_FTP, STREAM_TOSERVER, DetectFTPCommandDataGetData); DetectBufferTypeSetDescriptionByName(BUFFER_NAME, BUFFER_DESC); diff --git a/src/detect-ftp-command.c b/src/detect-ftp-command.c index 479f632525..80940ae0d8 100644 --- a/src/detect-ftp-command.c +++ b/src/detect-ftp-command.c 
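Review bot: With `BUFFER_DESC` now passed to DetectHelperBufferMpmRegister, the `DetectBufferTypeSetDescriptionByName(BUFFER_NAME, BUFFER_DESC);` line that follows the call is redundant, because DetectHelperBufferMpmRegister (src/detect-engine-helper.c in this patch) already ends with `DetectBufferTypeSetDescriptionByName(name, desc);`. Dropping the second call leaves a single place that sets the description. DetectFtpCommandDataRegister continues past the end of the hunk.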
@@ -56,27 +56,22 @@ static int DetectFtpCommandSetup(DetectEngineCtx *de_ctx, Signature *s, const ch return 0; } -static InspectionBuffer *DetectFTPCommandGetData(DetectEngineThreadCtx *det_ctx, - const DetectEngineTransforms *transforms, Flow *f, const uint8_t _flow_flags, void *txv, - const int list_id) +static bool DetectFTPCommandGetData( + const void *txv, const uint8_t _flow_flags, const uint8_t **buffer, uint32_t *buffer_len) { - InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); - if (buffer->inspect == NULL) { - FTPTransaction *tx = (FTPTransaction *)txv; - - if (tx->command_descriptor.command_code == FTP_COMMAND_UNKNOWN) - return NULL; - - const char *b = NULL; - uint8_t b_len = 0; - if (SCGetFtpCommandInfo(tx->command_descriptor.command_index, &b, NULL, &b_len)) { - InspectionBufferSetupAndApplyTransforms( - det_ctx, list_id, buffer, (const uint8_t *)b, b_len, transforms); - } else { - return NULL; - } + FTPTransaction *tx = (FTPTransaction *)txv; + + if (tx->command_descriptor.command_code == FTP_COMMAND_UNKNOWN) + return false; + + uint8_t b_len = 0; + if (SCGetFtpCommandInfo( + tx->command_descriptor.command_index, (const char **)buffer, NULL, &b_len)) { + *buffer_len = b_len; + return true; + } else { + return false; } - return buffer; } void DetectFtpCommandRegister(void) diff --git a/src/detect-smtp.c b/src/detect-smtp.c index 756640dee8..890d616236 100644 --- a/src/detect-smtp.c +++ b/src/detect-smtp.c @@ -28,6 +28,7 @@ #include "detect-engine-buffer.h" #include "detect-engine-content-inspection.h" #include "detect-engine-helper.h" +#include "detect-engine-prefilter.h" #include "detect-parse.h" #include "app-layer-smtp.h" #include "rust.h" 
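Review bot: In DetectFTPCommandGetData the call passes `(const char **)buffer`, which makes SCGetFtpCommandInfo write a `const char *` into an object declared as `const uint8_t *`. The two pointer-to-pointer types are not compatible, so the cast hides a diagnostic rather than resolving the mismatch. The removed code used a local `const char *b` and converted the value, not the address; keeping that shape avoids the cast and leaves `*buffer` untouched on failure.

```c
static bool DetectFTPCommandGetData(
        const void *txv, const uint8_t _flow_flags, const uint8_t **buffer, uint32_t *buffer_len)
{
    /* … unchanged: tx cast and FTP_COMMAND_UNKNOWN check … */
    const char *b = NULL;
    uint8_t b_len = 0;
    if (!SCGetFtpCommandInfo(tx->command_descriptor.command_index, &b, NULL, &b_len))
        return false;
    *buffer = (const uint8_t *)b;
    *buffer_len = b_len;
    return true;
}
```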
@@ -75,19 +76,15 @@ static int DetectSmtpMailFromSetup(DetectEngineCtx *de_ctx, Signature *s, const return 0; } -static InspectionBuffer *GetSmtpMailFromData(DetectEngineThreadCtx *det_ctx, - const DetectEngineTransforms *transforms, Flow *f, const uint8_t _flow_flags, void *txv, - const int list_id) +static bool GetSmtpMailFromData( + const void *txv, const uint8_t _flow_flags, const uint8_t **data, uint32_t *data_len) { - InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); - if (buffer->inspect == NULL) { - SMTPTransaction *tx = (SMTPTransaction *)txv; - if (tx->mail_from == NULL || tx->mail_from_len == 0) - return NULL; - InspectionBufferSetup(det_ctx, list_id, buffer, tx->mail_from, tx->mail_from_len); - InspectionBufferApplyTransforms(det_ctx, buffer, transforms); - } - return buffer; + SMTPTransaction *tx = (SMTPTransaction *)txv; + if (tx->mail_from == NULL) + return false; + *data = tx->mail_from; + *data_len = tx->mail_from_len; + return true; } static int DetectSmtpRcptToSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg) @@ -137,8 +134,12 @@ void SCDetectSMTPRegister(void) kw.Setup = DetectSmtpHeloSetup; kw.flags = SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER; SCDetectHelperKeywordRegister(&kw); - g_smtp_helo_buffer_id = DetectHelperBufferMpmRegister( - "smtp.helo", "SMTP helo", ALPROTO_SMTP, STREAM_TOSERVER, GetSmtpHeloData); + DetectAppLayerInspectEngineRegister("smtp.helo", ALPROTO_SMTP, SIG_FLAG_TOSERVER, 0, + DetectEngineInspectBufferGeneric, GetSmtpHeloData); + DetectAppLayerMpmRegister("smtp.helo", SIG_FLAG_TOSERVER, 2, PrefilterGenericMpmRegister, + GetSmtpHeloData, ALPROTO_SMTP, 0); + DetectBufferTypeSetDescriptionByName("smtp.helo", "SMTP helo"); + g_smtp_helo_buffer_id = DetectBufferTypeGetByName("smtp.helo"); kw.name = "smtp.mail_from"; kw.desc = "SMTP mail from buffer"; diff --git a/src/detect.h b/src/detect.h index 2d4ecb5d38..da613ff55e 100644 --- a/src/detect.h +++ b/src/detect.h 
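Review bot: The open-coded smtp.helo registration in SCDetectSMTPRegister has no comment explaining why this buffer bypasses DetectHelperBufferMpmRegister, which the removed lines used. From the patch it appears that GetSmtpHeloData still has the `InspectionBufferGetDataPtr` signature, which the helper no longer accepts. A comment such as `/* GetSmtpHeloData still uses InspectionBufferGetDataPtr; register by hand until it is converted */` above the four calls would keep a later reader from folding them back into the helper. SCDetectSMTPRegister starts and ends outside the hunk.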
@@ -401,6 +401,9 @@ typedef InspectionBuffer *(*InspectionBufferGetDataPtr)( Flow *f, const uint8_t flow_flags, void *txv, const int list_id); +typedef bool (*InspectionSingleBufferGetDataPtr)( + const void *txv, const uint8_t flow_flags, const uint8_t **buf, uint32_t *buf_len); + typedef bool (*InspectionMultiBufferGetDataPtr)(struct DetectEngineThreadCtx_ *det_ctx, const void *txv, const uint8_t flow_flags, uint32_t local_id, const uint8_t **buf, uint32_t *buf_len); @@ -426,6 +429,7 @@ typedef struct DetectEngineAppInspectionEngine_ { struct { union { InspectionBufferGetDataPtr GetData; + InspectionSingleBufferGetDataPtr GetDataSingle; InspectionMultiBufferGetDataPtr GetMultiData; }; InspectEngineFuncPtr Callback; @@ -764,6 +768,7 @@ typedef struct DetectBufferMpmRegistry_ { struct { union { InspectionBufferGetDataPtr GetData; + InspectionSingleBufferGetDataPtr GetDataSingle; InspectionMultiBufferGetDataPtr GetMultiData; }; AppProto alproto;
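Review bot: The new `InspectionSingleBufferGetDataPtr` typedef in detect.h has no comment stating the callback contract, although in-tree and plugin getters are now written against it. Going by DetectGetSingleData, the callback returns false when the transaction has no such buffer and otherwise stores a pointer and length in `*buf` and `*buf_len`. The engine then hands that pointer to InspectionBufferSetupAndApplyTransforms, so the memory presumably has to stay valid while the transaction is inspected. A short doc comment above the typedef should say this, and note that the same typedef is repeated in src/detect-engine-helper.h and must be kept identical.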