detect/base64: move content inspection logic

Integrate with rest of content inspect code.
pull/9999/head
Victor Julien 2 years ago committed by Victor Julien
parent 6a01f40d40
commit e9b33c48f0

@ -61,19 +61,6 @@ static int DetectBase64DataSetup(DetectEngineCtx *de_ctx, Signature *s,
return 0;
}
int DetectBase64DataDoMatch(DetectEngineCtx *de_ctx,
DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f)
{
if (det_ctx->base64_decoded_len) {
return DetectEngineContentInspectionInternal(de_ctx, det_ctx, s,
s->sm_arrays[DETECT_SM_LIST_BASE64_DATA], NULL, f, det_ctx->base64_decoded,
det_ctx->base64_decoded_len, 0, DETECT_CI_FLAGS_SINGLE,
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
}
return 0;
}
#ifdef UNITTESTS
static int g_file_data_buffer_id = 0;

@ -19,7 +19,5 @@
#define __DETECT_BASE64_DATA_H__
void DetectBase64DataRegister(void);
int DetectBase64DataDoMatch(DetectEngineCtx *, DetectEngineThreadCtx *,
const Signature *, Flow *);
#endif /* __DETECT_BASE64_DATA_H__ */

@ -651,10 +651,16 @@ int DetectEngineContentInspectionInternal(DetectEngineCtx *de_ctx, DetectEngineT
} else if (smd->type == DETECT_BASE64_DECODE) {
if (DetectBase64DecodeDoMatch(det_ctx, s, smd, buffer, buffer_len)) {
if (s->sm_arrays[DETECT_SM_LIST_BASE64_DATA] != NULL) {
KEYWORD_PROFILING_END(det_ctx, smd->type, 1);
if (DetectBase64DataDoMatch(de_ctx, det_ctx, s, f) == 1) {
/* Base64 is a terminal list. */
goto final_match;
if (det_ctx->base64_decoded_len) {
KEYWORD_PROFILING_END(det_ctx, smd->type, 1);
int r = DetectEngineContentInspectionInternal(de_ctx, det_ctx, s,
s->sm_arrays[DETECT_SM_LIST_BASE64_DATA], NULL, f,
det_ctx->base64_decoded, det_ctx->base64_decoded_len, 0,
DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
if (r == 1) {
/* Base64 is a terminal list. */
goto final_match;
}
}
}
}
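Review bot: The inlined recursive call at `int r = DetectEngineContentInspectionInternal(...)` inspects `det_ctx->base64_decoded` while handing the same `det_ctx` to the inner pass, and nothing at the call site records that the decoded buffer and `base64_decoded_len` must stay unchanged until that pass returns. Whether a keyword in the base64_data list could re-decode into that buffer is not visible in this hunk, so a comment above the call would pin the invariant, for example `/* base64_decoded belongs to det_ctx and must not be re-decoded while the base64_data list is inspected */`. Only `r == 1` is acted on, and `KEYWORD_PROFILING_END` now runs only when `base64_decoded_len` is non-zero. It is worth confirming that the fall-through path still closes profiling for a decode that matched but produced zero bytes, and that every other return value is meant to be treated as no match. The enclosing function starts and ends outside the hunk.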
