detect/content-inspect: turn void arg into Packet
authorVictor Julien <victor@inliniac.net>
Fri, 3 May 2019 08:00:09 +0000 (10:00 +0200)
committerVictor Julien <victor@inliniac.net>
Fri, 3 May 2019 10:35:36 +0000 (12:35 +0200)
Replace the 'void *data' argument by a 'Packet *p' as this was
the only user left of the data pointer.

18 files changed:
src/detect-base64-data.c
src/detect-dce-stub-data.c
src/detect-dnp3.c
src/detect-dns-query.c
src/detect-engine-content-inspection.c
src/detect-engine-content-inspection.h
src/detect-engine-payload.c
src/detect-engine.c
src/detect-file-data.c
src/detect-filemagic.c
src/detect-filename.c
src/detect-http-header-names.c
src/detect-http-header.c
src/detect-http-start.c
src/detect-krb5-cname.c
src/detect-krb5-sname.c
src/detect-template-rust-buffer.c
src/tests/detect-engine-content-inspection.c

index 92cce96cbde21ece2a98b3e90a104deefd6e63a1..00782153c8db1b60ff20a1be9c82ac01d326c5cf 100644 (file)
@@ -63,9 +63,9 @@ int DetectBase64DataDoMatch(DetectEngineCtx *de_ctx,
 {
     if (det_ctx->base64_decoded_len) {
         return DetectEngineContentInspection(de_ctx, det_ctx, s,
-            s->sm_arrays[DETECT_SM_LIST_BASE64_DATA], f, det_ctx->base64_decoded,
+            s->sm_arrays[DETECT_SM_LIST_BASE64_DATA], NULL, f, det_ctx->base64_decoded,
             det_ctx->base64_decoded_len, 0, DETECT_CI_FLAGS_SINGLE,
-            DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL);
+            DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
     }
 
     return 0;
index d4656bbfbb0572e0a97974b9e25b0dcba367647c..b5104f6b41c3a19e0927bf6b8f2957be06b615c0 100644 (file)
@@ -182,7 +182,6 @@ static int InspectEngineDceStubData(ThreadVars *tv,
 {
     uint32_t buffer_len = 0;
     uint8_t *buffer = NULL;
-    DCERPCState *dcerpc_state = NULL;
     uint8_t ci_flags = DETECT_CI_FLAGS_SINGLE;
 
     if (f->alproto == ALPROTO_SMB) {
@@ -190,9 +189,8 @@ static int InspectEngineDceStubData(ThreadVars *tv,
         if (rs_smb_tx_get_stub_data(tx, dir, &buffer, &buffer_len) != 1)
             goto end;
         SCLogDebug("have data!");
-    } else
-    {
-        dcerpc_state = alstate;
+    } else {
+        DCERPCState *dcerpc_state = alstate;
         if (dcerpc_state == NULL)
             goto end;
 
@@ -216,11 +214,10 @@ static int InspectEngineDceStubData(ThreadVars *tv,
     det_ctx->discontinue_matching = 0;
     det_ctx->inspection_recursion_counter = 0;
     int r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd,
-                                          f,
+                                          NULL, f,
                                           buffer, buffer_len,
                                           0, ci_flags,
-                                          DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE,
-                                          dcerpc_state);
+                                          DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
     if (r == 1)
         return DETECT_ENGINE_INSPECT_SIG_MATCH;
 
index 85f8e918c9b8013dcfe5b2dbb1e7a6b0ac4f6d43..b035673507d4bb99e347eea1bfe0938e86705cac 100644 (file)
@@ -153,15 +153,15 @@ static int DetectEngineInspectDNP3Data(ThreadVars *tv, DetectEngineCtx *de_ctx,
     /* Content match - should probably be put into its own file. */
     if (flags & STREAM_TOSERVER && tx->request_buffer != NULL) {
         r = DetectEngineContentInspection(de_ctx, det_ctx, s,
-            smd, f, tx->request_buffer,
+            smd, NULL, f, tx->request_buffer,
             tx->request_buffer_len, 0, DETECT_CI_FLAGS_SINGLE,
-            DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL);
+            DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
     }
     else if (flags & STREAM_TOCLIENT && tx->response_buffer != NULL) {
         r = DetectEngineContentInspection(de_ctx, det_ctx, s,
-            smd, f, tx->response_buffer,
+            smd, NULL, f, tx->response_buffer,
             tx->response_buffer_len, 0, DETECT_CI_FLAGS_SINGLE,
-            DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL);
+            DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
     }
 
     SCReturnInt(r);
index 01339d8f1ebc62ad2f478ae8a1b164949229f560..4fdd727813e7bcde73ad9a2a02d099605cfa94e9 100644 (file)
@@ -121,11 +121,11 @@ static int DetectEngineInspectDnsQuery(
         det_ctx->inspection_recursion_counter = 0;
 
         const int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd,
-                                              f,
+                                              NULL, f,
                                               (uint8_t *)buffer->inspect,
                                               buffer->inspect_len,
                                               buffer->inspect_offset, DETECT_CI_FLAGS_SINGLE,
-                                              DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL);
+                                              DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
         if (match == 1) {
             return DETECT_ENGINE_INSPECT_SIG_MATCH;
         }
index 582f416b956139cefae95ec4e83071c357a89000..473e8a2f55f72377d3975c1613e2bfd911939aea 100644 (file)
@@ -82,6 +82,7 @@
  * \param det_ctx         Detection engine thread context
  * \param s               Signature to inspect
  * \param sm              SigMatch to inspect
+ * \param p               Packet. Can be NULL.
  * \param f               Flow (for pcre flowvar storage)
  * \param buffer          Ptr to the buffer to inspect
  * \param buffer_len      Length of the payload
  * \param inspection_mode Refers to the engine inspection mode we are currently
  *                        inspecting.  Can be payload, stream, one of the http
  *                        buffer inspection modes or dce inspection mode.
- * \param data            Used to send some custom data.  For example in
- *                        payload inspection mode, data contains packet ptr,
- *                        and under dce inspection mode, contains dce state.
+ * \param flags           DETECT_CI_FLAG_*
  *
  *  \retval 0 no match
  *  \retval 1 match
  */
 int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
                                   const Signature *s, const SigMatchData *smd,
-                                  Flow *f,
+                                  Packet *p, Flow *f,
                                   uint8_t *buffer, uint32_t buffer_len,
                                   uint32_t stream_start_offset, uint8_t flags,
-                                  uint8_t inspection_mode, void *data)
+                                  uint8_t inspection_mode)
 {
     SCEnter();
     KEYWORD_PROFILING_START;
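Review bot: The added `\param flags` line does not match the signature below it: it sits after `inspection_mode` although `flags` is passed before it, and it names `DETECT_CI_FLAG_*` while the callers in this commit pass `DETECT_CI_FLAGS_SINGLE`. I would move it above the `inspection_mode` entry and write it as `\param flags           DETECT_CI_FLAGS_* inspection flags`. The same comment block still says `\param sm` for the parameter that the signature names `smd`, which is worth fixing while the block is being edited. The comment starts above this hunk and the function body continues below it.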
@@ -333,8 +332,8 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx
                      * search for another occurence of this content and see
                      * if the others match then until we run out of matches */
                     int r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd+1,
-                            f, buffer, buffer_len, stream_start_offset, flags,
-                            inspection_mode, data);
+                            p, f, buffer, buffer_len, stream_start_offset, flags,
+                            inspection_mode);
                     if (r == 1) {
                         SCReturnInt(1);
                     }
@@ -415,9 +414,6 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx
 
         det_ctx->pcre_match_start_offset = 0;
         do {
-            Packet *p = NULL;
-            if (inspection_mode == DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD)
-                p = (Packet *)data;
             r = DetectPcrePayloadMatch(det_ctx, s, smd, p, f,
                                        buffer, buffer_len);
             if (r == 0) {
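Review bot: With the `inspection_mode == DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD` check removed here, whether DetectPcrePayloadMatch receives a packet now depends only on what each call site passes; nothing inside the function keeps a packet out of stream or state mode any more. Every caller visible in this commit passes NULL outside payload mode, so behaviour looks unchanged today, but the rule has become a convention and is not written down. I would state it in the function's doc comment, for example `\param p Packet, set only in payload inspection mode; NULL otherwise`, so that a later caller does not hand in a packet whose payload is unrelated to `buffer`. The loop this hunk touches starts and ends outside the hunk.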
@@ -437,8 +433,8 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx
              * search for another occurence of this pcre and see
              * if the others match, until we run out of matches */
             r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd+1,
-                    f, buffer, buffer_len, stream_start_offset, flags,
-                    inspection_mode, data);
+                    p, f, buffer, buffer_len, stream_start_offset, flags,
+                    inspection_mode);
             if (r == 1) {
                 SCReturnInt(1);
             }
@@ -618,8 +614,8 @@ match:
     if (!smd->is_last) {
         KEYWORD_PROFILING_END(det_ctx, smd->type, 1);
         int r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd+1,
-                f, buffer, buffer_len, stream_start_offset, flags,
-                inspection_mode, data);
+                p, f, buffer, buffer_len, stream_start_offset, flags,
+                inspection_mode);
         SCReturnInt(r);
     }
 final_match:
index 7b567fb08eeac1cfbc58c6922d84ff6195354267..bc0229cf300d6e62434fe97963c515566e1657dd 100644 (file)
@@ -46,10 +46,10 @@ enum {
 
 int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
                                   const Signature *s, const SigMatchData *smd,
-                                  Flow *f,
+                                  Packet *p, Flow *f,
                                   uint8_t *buffer, uint32_t buffer_len,
                                   uint32_t stream_start_offset, uint8_t flags,
-                                  uint8_t inspection_mode, void *data);
+                                  uint8_t inspection_mode);
 
 void DetectEngineContentInspectionRegisterTests(void);
 
index fbdf3da5b39959cdac79c823b16097aaec3292dd..add1ba6a3d9d7f0d1a623bae9b22429b02cec606 100644 (file)
@@ -165,9 +165,10 @@ int DetectEngineInspectPacketPayload(DetectEngineCtx *de_ctx,
     det_ctx->inspection_recursion_counter = 0;
     det_ctx->replist = NULL;
 
-    r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_arrays[DETECT_SM_LIST_PMATCH],
-                                      f, p->payload, p->payload_len, 0, DETECT_CI_FLAGS_SINGLE,
-                                      DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD, p);
+    r = DetectEngineContentInspection(de_ctx, det_ctx,
+            s, s->sm_arrays[DETECT_SM_LIST_PMATCH],
+            p, f, p->payload, p->payload_len, 0,
+            DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD);
     if (r == 1) {
         SCReturnInt(1);
     }
@@ -208,8 +209,8 @@ static int DetectEngineInspectStreamUDPPayload(DetectEngineCtx *de_ctx,
     det_ctx->replist = NULL;
 
     r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd,
-            f, p->payload, p->payload_len, 0, DETECT_CI_FLAGS_SINGLE,
-            DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD, p);
+            p, f, p->payload, p->payload_len, 0, DETECT_CI_FLAGS_SINGLE,
+            DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD);
     if (r == 1) {
         SCReturnInt(1);
     }
@@ -238,8 +239,8 @@ static int StreamContentInspectFunc(void *cb_data, const uint8_t *data, const ui
 
     r = DetectEngineContentInspection(smd->de_ctx, smd->det_ctx,
             smd->s, smd->s->sm_arrays[DETECT_SM_LIST_PMATCH],
-            smd->f, (uint8_t *)data, data_len, 0, 0, //TODO
-            DETECT_ENGINE_CONTENT_INSPECTION_MODE_STREAM, NULL);
+            NULL, smd->f, (uint8_t *)data, data_len, 0, 0, //TODO
+            DETECT_ENGINE_CONTENT_INSPECTION_MODE_STREAM);
     if (r == 1) {
         SCReturnInt(1);
     }
@@ -296,8 +297,8 @@ static int StreamContentInspectEngineFunc(void *cb_data, const uint8_t *data, co
 
     r = DetectEngineContentInspection(smd->de_ctx, smd->det_ctx,
             smd->s, smd->smd,
-            smd->f, (uint8_t *)data, data_len, 0, 0, // TODO
-            DETECT_ENGINE_CONTENT_INSPECTION_MODE_STREAM, NULL);
+            NULL, smd->f, (uint8_t *)data, data_len, 0, 0, // TODO
+            DETECT_ENGINE_CONTENT_INSPECTION_MODE_STREAM);
     if (r == 1) {
         SCReturnInt(1);
     }
index 7d83842d840d41715e7327760331394ebe114e85..416a2fc68e5dc6d52199b2819676944aaff0827f 100644 (file)
@@ -1281,9 +1281,9 @@ int DetectEngineInspectBufferGeneric(
      * transaction at the app layer */
     int r = DetectEngineContentInspection(de_ctx, det_ctx,
                                           s, engine->smd,
-                                          f,
+                                          NULL, f,
                                           (uint8_t *)data, data_len, offset, ci_flags,
-                                          DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL);
+                                          DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
     if (r == 1) {
         return DETECT_ENGINE_INSPECT_SIG_MATCH;
     } else {
index 9237120cb97b772017ebc66e71a3d0b6a9f458bd..a4f9ed617d43a411264d416c52e3b5a553901cc1 100644 (file)
@@ -444,11 +444,11 @@ static int DetectEngineInspectFiledata(
         det_ctx->discontinue_matching = 0;
         det_ctx->inspection_recursion_counter = 0;
         match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd,
-                                              f,
+                                              NULL, f,
                                               (uint8_t *)buffer->inspect,
                                               buffer->inspect_len,
                                               buffer->inspect_offset, ciflags,
-                                              DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL);
+                                              DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
         if (match == 1) {
             r = 1;
             break;
index 9aefb60b28c2de5424a4efbf9c28a709a5e9ee7e..bd9b34993ef1fb9372d18151f1aff662d8a08661 100644 (file)
@@ -556,11 +556,11 @@ static int DetectEngineInspectFilemagic(
         det_ctx->discontinue_matching = 0;
         det_ctx->inspection_recursion_counter = 0;
         int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd,
-                                              f,
+                                              NULL, f,
                                               (uint8_t *)buffer->inspect,
                                               buffer->inspect_len,
                                               buffer->inspect_offset, DETECT_CI_FLAGS_SINGLE,
-                                              DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL);
+                                              DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
         if (match == 1) {
             return DETECT_ENGINE_INSPECT_SIG_MATCH;
         } else {
index 3538e9206808c10bc8e2553a46b7d3c7b15a3ae7..e57f051a9cad61e45f1bba885bae6f42b9d3b7d1 100644 (file)
@@ -402,11 +402,11 @@ static int DetectEngineInspectFilename(
         det_ctx->discontinue_matching = 0;
         det_ctx->inspection_recursion_counter = 0;
         int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd,
-                                              f,
+                                              NULL, f,
                                               (uint8_t *)buffer->inspect,
                                               buffer->inspect_len,
                                               buffer->inspect_offset, DETECT_CI_FLAGS_SINGLE,
-                                              DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL);
+                                              DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
         if (match == 1) {
             return DETECT_ENGINE_INSPECT_SIG_MATCH;
         } else {
index 5d065e1bace836d96740988c51da5ffb9e03f96d..67bc1bb361ea6a571506f945e0d68a8458cdbf38 100644 (file)
@@ -344,9 +344,9 @@ static int InspectEngineHttpHeaderNames(
     det_ctx->discontinue_matching = 0;
     det_ctx->inspection_recursion_counter = 0;
     int r = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd,
-            f, (uint8_t *)data, data_len, offset,
+            NULL, f, (uint8_t *)data, data_len, offset,
             DETECT_CI_FLAGS_SINGLE,
-            DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL);
+            DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
     if (r == 1)
         return DETECT_ENGINE_INSPECT_SIG_MATCH;
 
index 9a00f64ccb47464c2e0f338cf3934e6f8eddb97b..b2aa0efd225fe775f4ca5c75e2ddc339a02baec3 100644 (file)
@@ -190,11 +190,9 @@ static int DetectEngineInspectBufferHttpHeader(
 
     /* Inspect all the uricontents fetched on each
      * transaction at the app layer */
-    int r = DetectEngineContentInspection(de_ctx, det_ctx,
-                                          s, engine->smd,
-                                          f,
-                                          (uint8_t *)data, data_len, offset, DETECT_CI_FLAGS_SINGLE,
-                                          DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL);
+    int r = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd,
+            NULL, f, (uint8_t *)data, data_len, offset,
+            DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
     SCLogDebug("r = %d", r);
     if (r == 1) {
         return DETECT_ENGINE_INSPECT_SIG_MATCH;
index 25d499003a4efbb767820c91f78d8af0a3556863..c7776bd14952c8fd03e494ea7d25f9ad81a57292 100644 (file)
@@ -341,9 +341,9 @@ static int InspectEngineHttpStart(
     det_ctx->discontinue_matching = 0;
     det_ctx->inspection_recursion_counter = 0;
     int r = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd,
-            f, (uint8_t *)data, data_len, offset,
+            NULL, f, (uint8_t *)data, data_len, offset,
             DETECT_CI_FLAGS_SINGLE,
-            DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL);
+            DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
     if (r == 1)
         return DETECT_ENGINE_INSPECT_SIG_MATCH;
 
index a37441f052a6affee0f3a7f4840e3f130bc55d46..0a562e467c9c1e51adac1761be524a3e65174e30 100644 (file)
@@ -109,11 +109,11 @@ static int DetectEngineInspectKrb5CName(
         det_ctx->inspection_recursion_counter = 0;
 
         const int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd,
-                                              f,
+                                              NULL, f,
                                               (uint8_t *)buffer->inspect,
                                               buffer->inspect_len,
                                               buffer->inspect_offset, DETECT_CI_FLAGS_SINGLE,
-                                              DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL);
+                                              DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
         if (match == 1) {
             return DETECT_ENGINE_INSPECT_SIG_MATCH;
         }
index 5a919bfb2adea9b83177fbc97ed37245e627ad82..d5f0bf5677f0945725fa29fee8bfec1987a7df2c 100644 (file)
@@ -109,11 +109,11 @@ static int DetectEngineInspectKrb5SName(
         det_ctx->inspection_recursion_counter = 0;
 
         const int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd,
-                                              f,
+                                              NULL, f,
                                               (uint8_t *)buffer->inspect,
                                               buffer->inspect_len,
                                               buffer->inspect_offset, DETECT_CI_FLAGS_SINGLE,
-                                              DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL);
+                                              DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
         if (match == 1) {
             return DETECT_ENGINE_INSPECT_SIG_MATCH;
         }
index 7d876a3a3ccda47cb30007eead3ba1e62864f84e..4a813af521b0bc77be240c14f16876ab94865b37 100644 (file)
@@ -117,8 +117,8 @@ static int DetectEngineInspectTemplateRustBuffer(ThreadVars *tv,
 
     if (data != NULL) {
         ret = DetectEngineContentInspection(de_ctx, det_ctx, s, smd,
-            f, (uint8_t *)data, data_len, 0, DETECT_CI_FLAGS_SINGLE,
-            DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL);
+            NULL, f, (uint8_t *)data, data_len, 0, DETECT_CI_FLAGS_SINGLE,
+            DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
     }
 
     SCLogNotice("Returning %d.", ret);
index 1f9e87ad7bd41742d466d08c2a78b1f1c1a32d73..69389e0afbe62e60a81dceca425cad7ccd754ea1 100644 (file)
@@ -47,9 +47,9 @@
     DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);                       \
     FAIL_IF_NULL(det_ctx);                                                                  \
     int r = DetectEngineContentInspection(de_ctx, det_ctx,                                  \
-                s, s->sm_arrays[DETECT_SM_LIST_PMATCH], &f,                                 \
+                s, s->sm_arrays[DETECT_SM_LIST_PMATCH], NULL, &f,                           \
                 (uint8_t *)(buf), (buflen), 0, DETECT_CI_FLAGS_SINGLE,                      \
-                DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD, NULL);                       \
+                DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD);                             \
     FAIL_IF_NOT(r == (match));                                                              \
     FAIL_IF_NOT(det_ctx->inspection_recursion_counter == (steps));                          \
     DetectEngineThreadCtxDeinit(&tv, det_ctx);                                              \
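Review bot: This test macro runs in DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD but passes NULL for the new packet argument, so the one mode in which production callers hand in a real packet is only exercised here without one. That is the same coverage as before the change, but the refactor makes the packet an explicit parameter, and a variant of the macro that builds a packet and passes it would confirm that the pcre path behaves the same with and without it. A short comment on the NULL, such as `/* no packet: content and pcre keywords must cope with p == NULL */`, would at least record that the NULL is deliberate. The macro definition begins above this hunk and continues past its last line.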