[people/ms/suricata.git] / src / detect-byte-extract.h

/* Copyright (C) 2007-2010 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */

/**
 * \file
 *
 * \author Anoop Saldanha <anoopsaldanha@gmail.com>
 */

#ifndef __DETECT_BYTEEXTRACT_H__
#define __DETECT_BYTEEXTRACT_H__

/* flags */
#define DETECT_BYTE_EXTRACT_FLAG_RELATIVE   0x01
#define DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER 0x02
#define DETECT_BYTE_EXTRACT_FLAG_STRING     0x04
#define DETECT_BYTE_EXTRACT_FLAG_ALIGN      0x08
#define DETECT_BYTE_EXTRACT_FLAG_ENDIAN     0x10

/* endian value to be used.  Would be stored in DetectByteParseData->endian */
#define DETECT_BYTE_EXTRACT_ENDIAN_NONE    0
#define DETECT_BYTE_EXTRACT_ENDIAN_BIG     1
#define DETECT_BYTE_EXTRACT_ENDIAN_LITTLE  2
#define DETECT_BYTE_EXTRACT_ENDIAN_DCE     3

/**
 * \brief Holds data related to byte_extract keyword.
 */
typedef struct DetectByteExtractData_ {
    /* local id used by other keywords in the sig to reference this */
    uint8_t local_id;

    uint8_t nbytes;
    int16_t pad;
    int32_t offset;
    const char *name;
    uint8_t flags;
    uint8_t endian;
    uint8_t base;
    uint8_t align_value;

    uint16_t multiplier_value;
    /* unique id used to reference this byte_extract keyword */
    uint16_t id;

} DetectByteExtractData;

void DetectByteExtractRegister(void);

SigMatch *DetectByteExtractRetrieveSMVar(const char *, const Signature *);
int DetectByteExtractDoMatch(DetectEngineThreadCtx *, const SigMatchData *, const Signature *,
                             const uint8_t *, uint16_t, uint64_t *, uint8_t);

#endif /* __DETECT_BYTEEXTRACT_H__ */
Commit	Line	Data
35f3eafa AS	1	/* Copyright (C) 2007-2010 Open Information Security Foundation
	2	*
	3	* You can copy, redistribute or modify this Program under the terms of
	4	* the GNU General Public License version 2 as published by the Free
	5	* Software Foundation.
	6	*
	7	* This program is distributed in the hope that it will be useful,
	8	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	9	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	10	* GNU General Public License for more details.
	11	*
	12	* You should have received a copy of the GNU General Public License
	13	* version 2 along with this program; if not, write to the Free Software
	14	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
	15	* 02110-1301, USA.
	16	*/
	17
	18	/**
	19	* \file
	20	*
420befb1	21	* \author Anoop Saldanha <anoopsaldanha@gmail.com>
35f3eafa AS	22	*/
	23
	24	#ifndef __DETECT_BYTEEXTRACT_H__
	25	#define __DETECT_BYTEEXTRACT_H__
	26
	27	/* flags */
	28	#define DETECT_BYTE_EXTRACT_FLAG_RELATIVE 0x01
	29	#define DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER 0x02
	30	#define DETECT_BYTE_EXTRACT_FLAG_STRING 0x04
	31	#define DETECT_BYTE_EXTRACT_FLAG_ALIGN 0x08
	32	#define DETECT_BYTE_EXTRACT_FLAG_ENDIAN 0x10
	33
	34	/* endian value to be used. Would be stored in DetectByteParseData->endian */
	35	#define DETECT_BYTE_EXTRACT_ENDIAN_NONE 0
	36	#define DETECT_BYTE_EXTRACT_ENDIAN_BIG 1
	37	#define DETECT_BYTE_EXTRACT_ENDIAN_LITTLE 2
	38	#define DETECT_BYTE_EXTRACT_ENDIAN_DCE 3
	39
	40	/**
	41	* \brief Holds data related to byte_extract keyword.
	42	*/
	43	typedef struct DetectByteExtractData_ {
	44	/* local id used by other keywords in the sig to reference this */
	45	uint8_t local_id;
	46
	47	uint8_t nbytes;
	48	int16_t pad;
	49	int32_t offset;
	50	const char *name;
	51	uint8_t flags;
	52	uint8_t endian;
	53	uint8_t base;
	54	uint8_t align_value;
	55
	56	uint16_t multiplier_value;
	57	/* unique id used to reference this byte_extract keyword */
	58	uint16_t id;
	59
	60	} DetectByteExtractData;
	61
35f3eafa	62	void DetectByteExtractRegister(void);
39613778	63
bfd4bc82	64	SigMatch DetectByteExtractRetrieveSMVar(const char , const Signature *);
bd456076	65	int DetectByteExtractDoMatch(DetectEngineThreadCtx , const SigMatchData , const Signature *,
579cc9f0	66	const uint8_t , uint16_t, uint64_t , uint8_t);
35f3eafa AS	67
35f3eafa AS	68	#endif /* __DETECT_BYTEEXTRACT_H__ */