git.ipfire.org Git - thirdparty/suricata.git/commit
detect: content limits propagation
author Victor Julien <victor@inliniac.net>
Sun, 5 Nov 2017 10:37:48 +0000 (11:37 +0100)
committer Victor Julien <victor@inliniac.net>
Mon, 11 Dec 2017 15:59:10 +0000 (16:59 +0100)
commit 9e37e266b69c2ccb7c23c5ead895ad7e51ea9def
tree db2dc8837685e4d3821c05a932bf10ce12d4bc2c
parent 6f0794c16f6adaa3e8a79553a8fcc81aadeed9c7
detect: content limits propagation

Propagate inspection limits from anchored keywords to the rest of
a rule.

Examples:

content:"A"; depth:1; is anchored, it can only match in the first byte

content:"A"; depth:1; content:"BC"; distance:0; within:2;
"BC" can only be in the 2nd and 3rd byte of the payload. So effectively
it has an implicit offset of 1 and an implicit depth of 3.

content:"A"; depth:1; content:"BC"; distance:0; can assume offset:1; for
the 2nd content.

content:"A"; depth:1; pcre:"/B/R"; content:"C"; distance:0; can assume
at least offset:1; for content "C". We can't analyze the pcre pattern
(yet), so we assume it matches with 0 bytes.

Add lots of test cases.
src/detect-content.c
src/detect-content.h
src/detect.c
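
The propagation described in the commit message, as an added example that is not part of the commit or of Suricata's code: a simplified C model that walks a rule's keywords left to right and derives the implied offset and depth of each one. The `Kw` struct, the `propagate` function, the restriction to non-negative distance, and the reading of `within` as counted from the previous match end plus distance are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

#define NONE UINT32_MAX /* "no limit set" / unbounded */

/* Hypothetical simplified keyword; not Suricata's DetectContentData. */
typedef struct {
    uint32_t len;      /* pattern length; 0 = pcre, assumed to match 0 bytes */
    int relative;      /* 1 = uses distance/within (or pcre /R) */
    uint32_t offset;   /* absolute keywords: offset */
    uint32_t depth;    /* absolute keywords: depth counted from offset, or NONE */
    uint32_t distance; /* relative keywords: distance, assumed >= 0 */
    uint32_t within;   /* relative keywords: within, or NONE */
    uint32_t eff_offset, eff_depth; /* outputs: implied absolute window */
} Kw;

/* Walk the rule left to right, tracking the earliest (min_end) and latest
 * (max_end) position at which the previous keyword's match can end. */
static void propagate(Kw *kw, size_t n)
{
    uint32_t min_end = 0, max_end = NONE;
    for (size_t i = 0; i < n; i++) {
        Kw *k = &kw[i];
        if (!k->relative) {
            k->eff_offset = k->offset;
            k->eff_depth = (k->depth == NONE) ? NONE : k->offset + k->depth;
        } else {
            /* Assumption: within is counted from previous end + distance. */
            k->eff_offset = min_end + k->distance;
            k->eff_depth = (max_end == NONE || k->within == NONE)
                               ? NONE : max_end + k->distance + k->within;
        }
        min_end = k->eff_offset + k->len;
        /* An unanalyzed pcre may match anywhere later: upper bound is lost. */
        max_end = (k->len == 0) ? NONE : k->eff_depth;
    }
}

int main(void)
{
    /* content:"A"; depth:1; pcre:"/B/R"; content:"C"; distance:0; */
    Kw r[] = { { 1, 0, 0, 1, 0, NONE, 0, 0 },
               { 0, 1, 0, NONE, 0, NONE, 0, 0 },
               { 1, 1, 0, NONE, 0, NONE, 0, 0 } };
    propagate(r, 3);
    for (int i = 0; i < 3; i++) /* a depth equal to NONE prints as 4294967295 */
        printf("kw %d: offset %u depth %u\n", i,
               (unsigned)r[i].eff_offset, (unsigned)r[i].eff_depth);
    return 0;
}
```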