return 0;
}
-/**
- * \brief Run the pattern matcher against the queries
- *
- * \param f locked flow
- * \param dns_state initialized dns state
- *
- * \warning Make sure the flow/state is locked
- * \todo what should we return? Just the fact that we matched?
- */
-uint32_t DetectDnsQueryInspectMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
- DNSState *dns_state, uint8_t flags, void *txv,
- uint64_t tx_id)
-{
- SCEnter();
-
- DNSTransaction *tx = (DNSTransaction *)txv;
- DNSQueryEntry *query = NULL;
- uint8_t *buffer;
- uint16_t buffer_len;
- uint32_t cnt = 0;
-
- TAILQ_FOREACH(query, &tx->query_list, next) {
- SCLogDebug("tx %p query %p", tx, query);
-
- buffer = (uint8_t *)((uint8_t *)query + sizeof(DNSQueryEntry));
- buffer_len = query->len;
-
- cnt += DnsQueryPatternSearch(det_ctx,
- buffer, buffer_len,
- flags);
- }
-
- SCReturnUInt(cnt);
-}
-
#ifdef UNITTESTS
/** \test simple google.com query matching */
static int DetectDnsQueryTest01(void)
#include "util-unittest.h"
#include "util-unittest-helper.h"
+#include "util-validate.h"
/** \brief Do the content inspection & validation for a signature
*
return r;
}
+/**
+ * \brief DNS query match -- searches for one pattern per signature.
+ *
+ * \param det_ctx Detection engine thread ctx.
+ * \param hrh Buffer to inspect.
+ * \param hrh_len buffer length.
+ * \param flags Flags
+ *
+ * \retval ret Number of matches.
+ */
+static uint32_t DnsQueryPatternSearch(DetectEngineThreadCtx *det_ctx,
+ uint8_t *buffer, uint32_t buffer_len,
+ uint8_t flags)
+{
+ SCEnter();
+
+ uint32_t ret = 0;
+
+ DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
+ DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_dnsquery_ctx_ts == NULL);
+
+ ret = mpm_table[det_ctx->sgh->mpm_dnsquery_ctx_ts->mpm_type].
+ Search(det_ctx->sgh->mpm_dnsquery_ctx_ts, &det_ctx->mtcu,
+ &det_ctx->pmq, buffer, buffer_len);
+
+ SCReturnUInt(ret);
+}
+
+/**
+ * \brief Run the pattern matcher against the queries
+ *
+ * \param f locked flow
+ * \param dns_state initialized dns state
+ *
+ * \warning Make sure the flow/state is locked
+ * \todo what should we return? Just the fact that we matched?
+ */
+uint32_t DetectDnsQueryInspectMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
+ DNSState *dns_state, uint8_t flags, void *txv,
+ uint64_t tx_id)
+{
+ SCEnter();
+
+ DNSTransaction *tx = (DNSTransaction *)txv;
+ DNSQueryEntry *query = NULL;
+ uint8_t *buffer;
+ uint16_t buffer_len;
+ uint32_t cnt = 0;
+
+ TAILQ_FOREACH(query, &tx->query_list, next) {
+ SCLogDebug("tx %p query %p", tx, query);
+
+ buffer = (uint8_t *)((uint8_t *)query + sizeof(DNSQueryEntry));
+ buffer_len = query->len;
+
+ cnt += DnsQueryPatternSearch(det_ctx,
+ buffer, buffer_len,
+ flags);
+ }
+
+ SCReturnUInt(cnt);
+}
/** \brief Do the content inspection & validation for a signature
*
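Review bot: `DnsQueryPatternSearch` is defined `static` in this hunk, but the header section later in this commit (the list of `*PatternSearch` prototypes) keeps its external prototype as an unchanged context line. The prototypes of the other helpers that became file-local, such as `SMTPFiledataPatternSearch`, are deleted there. If that header is reachable from this file, a non-static declaration followed by a static definition is a compile error. If it is not, the prototype now advertises a function no other translation unit can link against. Drop the leftover line `uint32_t DnsQueryPatternSearch(DetectEngineThreadCtx *det_ctx, uint8_t *buffer, uint32_t buffer_len, uint8_t flags);` from the header.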
#include "app-layer-protos.h"
#include "app-layer-parser.h"
+#include "util-validate.h"
+
#include "conf.h"
#include "conf-yaml-loader.h"
return;
}
+/**
+ * \brief SMTP Filedata match -- searches for one pattern per signature.
+ *
+ * \param det_ctx Detection engine thread ctx.
+ * \param buffer Buffer to inspect.
+ * \param buffer_len buffer length.
+ * \param flags Flags
+ *
+ * \retval ret Number of matches.
+ */
+static uint32_t SMTPFiledataPatternSearch(DetectEngineThreadCtx *det_ctx,
+ uint8_t *buffer, uint32_t buffer_len,
+ uint8_t flags)
+{
+ SCEnter();
+
+ uint32_t ret = 0;
+
+ DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
+ DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_smtp_filedata_ctx_ts == NULL);
+
+ ret = mpm_table[det_ctx->sgh->mpm_smtp_filedata_ctx_ts->mpm_type].
+ Search(det_ctx->sgh->mpm_smtp_filedata_ctx_ts, &det_ctx->mtcu,
+ &det_ctx->pmq, buffer, buffer_len);
+
+ SCReturnUInt(ret);
+}
+
int DetectEngineRunSMTPMpm(DetectEngineCtx *de_ctx,
DetectEngineThreadCtx *det_ctx, Flow *f,
SMTPState *smtp_state, uint8_t flags,
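Review bot: `SMTPFiledataPatternSearch` relies only on `DEBUG_VALIDATE_BUG_ON` assertions to confirm the to-server direction and a non-NULL `mpm_smtp_filedata_ctx_ts`, and the next statement dereferences that context for `mpm_type`. As far as I know that macro expands to nothing unless debug validation is enabled, so in a normal build a NULL context on this traffic-driven path would crash the engine instead of skipping the search. `PacketPatternSearchWithStreamCtx`, added elsewhere in this commit, keeps a runtime guard for the same situation (`if (unlikely(mpm_ctx == NULL)) { SCReturnInt(0); }`). Either add the equivalent `if (unlikely(det_ctx->sgh->mpm_smtp_filedata_ctx_ts == NULL)) SCReturnUInt(0);` here, or state in the doc comment that the caller guarantees the context exists. The same applies to every static `*PatternSearch` helper this commit introduces (DNS query and the HTTP buffers).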
#include "conf.h"
#include "conf-yaml-loader.h"
+#include "util-validate.h"
+
#define BUFFER_STEP 50
static inline int HCBDCreateSpace(DetectEngineThreadCtx *det_ctx, uint64_t size)
return buffer;
}
+/** \brief Http client body pattern match -- searches for one pattern per
+ * signature.
+ *
+ * \param det_ctx Detection engine thread ctx.
+ * \param body The request body to inspect.
+ * \param body_len Body length.
+ *
+ * \retval ret Number of matches.
+ */
+static uint32_t HttpClientBodyPatternSearch(DetectEngineThreadCtx *det_ctx,
+ uint8_t *body, uint32_t body_len, uint8_t flags)
+{
+ SCEnter();
+
+ uint32_t ret;
+
+ DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
+ DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hcbd_ctx_ts == NULL);
+
+ ret = mpm_table[det_ctx->sgh->mpm_hcbd_ctx_ts->mpm_type].
+ Search(det_ctx->sgh->mpm_hcbd_ctx_ts, &det_ctx->mtcu,
+ &det_ctx->pmq, body, body_len);
+
+ SCReturnUInt(ret);
+}
+
int DetectEngineRunHttpClientBodyMpm(DetectEngineCtx *de_ctx,
DetectEngineThreadCtx *det_ctx, Flow *f,
HtpState *htp_state, uint8_t flags,
#include "app-layer.h"
#include "app-layer-htp.h"
#include "app-layer-protos.h"
+#include "util-validate.h"
+
+/**
+ * \brief Http cookie match -- searches for one pattern per signature.
+ *
+ * \param det_ctx Detection engine thread ctx.
+ * \param cookie Cookie to inspect.
+ * \param cookie_len Cookie length.
+ *
+ * \retval ret Number of matches.
+ */
+static uint32_t HttpCookiePatternSearch(DetectEngineThreadCtx *det_ctx,
+ uint8_t *cookie, uint32_t cookie_len, uint8_t flags)
+{
+ SCEnter();
+
+ uint32_t ret;
+ if (flags & STREAM_TOSERVER) {
+ DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hcd_ctx_ts == NULL);
+
+ ret = mpm_table[det_ctx->sgh->mpm_hcd_ctx_ts->mpm_type].
+ Search(det_ctx->sgh->mpm_hcd_ctx_ts, &det_ctx->mtcu,
+ &det_ctx->pmq, cookie, cookie_len);
+ } else {
+ DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hcd_ctx_tc == NULL);
+
+ ret = mpm_table[det_ctx->sgh->mpm_hcd_ctx_tc->mpm_type].
+ Search(det_ctx->sgh->mpm_hcd_ctx_tc, &det_ctx->mtcu,
+ &det_ctx->pmq, cookie, cookie_len);
+ }
+
+ SCReturnUInt(ret);
+}
int DetectEngineRunHttpCookieMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
HtpState *htp_state, uint8_t flags,
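Review bot: The `else` branch of `HttpCookiePatternSearch` searches `mpm_hcd_ctx_tc` whenever `STREAM_TOSERVER` is unset, without checking that `STREAM_TOCLIENT` is actually set. The single-direction helpers in this commit assert their direction, and `StreamPatternSearch` is changed in the same commit to test `flags & STREAM_TOCLIENT` explicitly. Adding `DEBUG_VALIDATE_BUG_ON(!(flags & STREAM_TOCLIENT));` as the first line of the `else` branch would keep the helpers consistent and catch a caller that passes flags with neither bit set. `HttpHeaderPatternSearch` and `HttpRawHeaderPatternSearch` have the same shape.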
#include "app-layer-htp.h"
#include "app-layer-protos.h"
+#include "util-validate.h"
+
#define BUFFER_STEP 50
static inline int HHDCreateSpace(DetectEngineThreadCtx *det_ctx, uint64_t size)
return headers_buffer;
}
+/**
+ * \brief Http header match -- searches for one pattern per signature.
+ *
+ * \param det_ctx Detection engine thread ctx.
+ * \param headers Headers to inspect.
+ * \param headers_len Headers length.
+ *
+ * \retval ret Number of matches.
+ */
+static uint32_t HttpHeaderPatternSearch(DetectEngineThreadCtx *det_ctx,
+ uint8_t *headers, uint32_t headers_len, uint8_t flags)
+{
+ SCEnter();
+
+ uint32_t ret;
+ if (flags & STREAM_TOSERVER) {
+ DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hhd_ctx_ts == NULL);
+
+ ret = mpm_table[det_ctx->sgh->mpm_hhd_ctx_ts->mpm_type].
+ Search(det_ctx->sgh->mpm_hhd_ctx_ts, &det_ctx->mtcu,
+ &det_ctx->pmq, headers, headers_len);
+ } else {
+ DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hhd_ctx_tc == NULL);
+
+ ret = mpm_table[det_ctx->sgh->mpm_hhd_ctx_tc->mpm_type].
+ Search(det_ctx->sgh->mpm_hhd_ctx_tc, &det_ctx->mtcu,
+ &det_ctx->pmq, headers, headers_len);
+ }
+
+ SCReturnUInt(ret);
+}
+
int DetectEngineRunHttpHeaderMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
HtpState *htp_state, uint8_t flags,
void *tx, uint64_t idx)
#include "app-layer-protos.h"
#include "detect-engine-hhhd.h"
+#include "util-validate.h"
+
+/**
+ * \brief Http host header match -- searches for one pattern per signature.
+ *
+ * \param det_ctx Detection engine thread ctx.
+ * \param hh Host header to inspect.
+ * \param hh_len Host header buffer length.
+ * \param flags Flags
+ *
+ * \retval ret Number of matches.
+ */
+static uint32_t HttpHHPatternSearch(DetectEngineThreadCtx *det_ctx,
+ uint8_t *hh, uint32_t hh_len, uint8_t flags)
+{
+ SCEnter();
+
+ uint32_t ret;
+
+ DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
+ DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hhhd_ctx_ts == NULL);
+
+ ret = mpm_table[det_ctx->sgh->mpm_hhhd_ctx_ts->mpm_type].
+ Search(det_ctx->sgh->mpm_hhhd_ctx_ts, &det_ctx->mtcu,
+ &det_ctx->pmq, hh, hh_len);
+
+ SCReturnUInt(ret);
+}
int DetectEngineRunHttpHHMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
HtpState *htp_state, uint8_t flags,
#include "app-layer.h"
#include "app-layer-htp.h"
#include "app-layer-protos.h"
+#include "util-validate.h"
+
+/**
+ * \brief Http method match -- searches for one pattern per signature.
+ *
+ * \param det_ctx Detection engine thread ctx.
+ * \param method Method to inspect.
+ * \param method_len Method length.
+ *
+ * \retval ret Number of matches.
+ */
+static uint32_t HttpMethodPatternSearch(DetectEngineThreadCtx *det_ctx,
+ uint8_t *raw_method, uint32_t raw_method_len, uint8_t flags)
+{
+ SCEnter();
+
+ uint32_t ret;
+
+ DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
+ DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hmd_ctx_ts == NULL);
+
+ ret = mpm_table[det_ctx->sgh->mpm_hmd_ctx_ts->mpm_type].
+ Search(det_ctx->sgh->mpm_hmd_ctx_ts, &det_ctx->mtcu,
+ &det_ctx->pmq, raw_method, raw_method_len);
+
+ SCReturnUInt(ret);
+}
int DetectEngineRunHttpMethodMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
HtpState *htp_state, uint8_t flags,
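Review bot: The doc comment on `HttpMethodPatternSearch` documents `method` and `method_len`, but the parameters are named `raw_method` and `raw_method_len`, and `flags` is not documented at all. Since the block is being moved anyway, the tags can be corrected to `\param raw_method Method to inspect.`, `\param raw_method_len Method length.` and `\param flags Stream direction flags; must not include STREAM_TOCLIENT.` The same name mismatch appears on `HttpRawHeaderPatternSearch` (`headers` vs `raw_headers`), `HttpUAPatternSearch` (`cookie` vs `ua`) and `DnsQueryPatternSearch` (`hrh` vs `buffer`).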
#include "app-layer-htp.h"
#include "app-layer-protos.h"
+#include "util-validate.h"
+
+/**
+ * \brief Http raw header match -- searches for one pattern per signature.
+ *
+ * \param det_ctx Detection engine thread ctx.
+ * \param headers Raw headers to inspect.
+ * \param headers_len Raw headers length.
+ *
+ * \retval ret Number of matches.
+ */
+static uint32_t HttpRawHeaderPatternSearch(DetectEngineThreadCtx *det_ctx,
+ uint8_t *raw_headers, uint32_t raw_headers_len, uint8_t flags)
+{
+ SCEnter();
+
+ uint32_t ret;
+ if (flags & STREAM_TOSERVER) {
+ DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hrhd_ctx_ts == NULL);
+
+ ret = mpm_table[det_ctx->sgh->mpm_hrhd_ctx_ts->mpm_type].
+ Search(det_ctx->sgh->mpm_hrhd_ctx_ts, &det_ctx->mtcu,
+ &det_ctx->pmq, raw_headers, raw_headers_len);
+ } else {
+ DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hrhd_ctx_tc == NULL);
+
+ ret = mpm_table[det_ctx->sgh->mpm_hrhd_ctx_tc->mpm_type].
+ Search(det_ctx->sgh->mpm_hrhd_ctx_tc, &det_ctx->mtcu,
+ &det_ctx->pmq, raw_headers, raw_headers_len);
+ }
+
+ SCReturnUInt(ret);
+}
int DetectEngineRunHttpRawHeaderMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
HtpState *htp_state, uint8_t flags,
#include "app-layer-protos.h"
#include "detect-engine-hrhhd.h"
+#include "util-validate.h"
+
+/**
+ * \brief Http raw host header match -- searches for one pattern per signature.
+ *
+ * \param det_ctx Detection engine thread ctx.
+ * \param hrh Raw hostname to inspect.
+ * \param hrh_len Raw hostname buffer length.
+ * \param flags Flags
+ *
+ * \retval ret Number of matches.
+ */
+static uint32_t HttpHRHPatternSearch(DetectEngineThreadCtx *det_ctx,
+ uint8_t *hrh, uint32_t hrh_len, uint8_t flags)
+{
+ SCEnter();
+
+ uint32_t ret;
+
+ DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
+ DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hrhhd_ctx_ts == NULL);
+
+ ret = mpm_table[det_ctx->sgh->mpm_hrhhd_ctx_ts->mpm_type].
+ Search(det_ctx->sgh->mpm_hrhhd_ctx_ts, &det_ctx->mtcu,
+ &det_ctx->pmq, hrh, hrh_len);
+
+ SCReturnUInt(ret);
+}
int DetectEngineRunHttpHRHMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
HtpState *htp_state, uint8_t flags,
#include "app-layer-htp.h"
#include "app-layer-protos.h"
+#include "util-validate.h"
+
+/**
+ * \brief Http raw uri match -- searches for one pattern per signature.
+ *
+ * \param det_ctx Detection engine thread ctx.
+ * \param uri Raw uri to inspect.
+ * \param uri_len Raw uri length.
+ *
+ * \retval ret Number of matches.
+ */
+static uint32_t HttpRawUriPatternSearch(DetectEngineThreadCtx *det_ctx,
+ uint8_t *uri, uint32_t uri_len, uint8_t flags)
+{
+ SCEnter();
+
+ uint32_t ret;
+
+ DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
+ DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hrud_ctx_ts == NULL);
+
+ ret = mpm_table[det_ctx->sgh->mpm_hrud_ctx_ts->mpm_type].
+ Search(det_ctx->sgh->mpm_hrud_ctx_ts, &det_ctx->mtcu,
+ &det_ctx->pmq, uri, uri_len);
+
+ SCReturnUInt(ret);
+}
/**
* \brief Run the mpm against raw http uris.
#include "conf.h"
#include "conf-yaml-loader.h"
+#include "util-validate.h"
+
#define BUFFER_STEP 50
static inline int HSBDCreateSpace(DetectEngineThreadCtx *det_ctx, uint64_t size)
return buffer;
}
+/** \brief Http server body pattern match -- searches for one pattern per
+ * signature.
+ *
+ * \param det_ctx Detection engine thread ctx.
+ * \param body The request body to inspect.
+ * \param body_len Body length.
+ *
+ * \retval ret Number of matches.
+ */
+static uint32_t HttpServerBodyPatternSearch(DetectEngineThreadCtx *det_ctx,
+ uint8_t *body, uint32_t body_len, uint8_t flags)
+{
+ SCEnter();
+
+ uint32_t ret;
+
+ DEBUG_VALIDATE_BUG_ON(!(flags & STREAM_TOCLIENT));
+ DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hsbd_ctx_tc == NULL);
+
+ ret = mpm_table[det_ctx->sgh->mpm_hsbd_ctx_tc->mpm_type].
+ Search(det_ctx->sgh->mpm_hsbd_ctx_tc, &det_ctx->mtcu,
+ &det_ctx->pmq, body, body_len);
+
+ SCReturnUInt(ret);
+}
+
int DetectEngineRunHttpServerBodyMpm(DetectEngineCtx *de_ctx,
DetectEngineThreadCtx *det_ctx, Flow *f,
HtpState *htp_state, uint8_t flags,
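Review bot: The doc comment on `HttpServerBodyPatternSearch` still says `\param body The request body to inspect.`, apparently copied from the client-body helper, while the function asserts `STREAM_TOCLIENT` and searches `mpm_hsbd_ctx_tc`. It should read `\param body The response body to inspect.`, with an added `\param flags` line noting that `STREAM_TOCLIENT` must be set.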
#include "app-layer.h"
#include "app-layer-htp.h"
#include "app-layer-protos.h"
+#include "util-validate.h"
+
+/**
+ * \brief Http stat code match -- searches for one pattern per signature.
+ *
+ * \param det_ctx Detection engine thread ctx.
+ * \param stat_code Stat code to inspect.
+ * \param stat_code_len Stat code length.
+ *
+ * \retval ret Number of matches.
+ */
+static uint32_t HttpStatCodePatternSearch(DetectEngineThreadCtx *det_ctx,
+ uint8_t *stat_code, uint32_t stat_code_len, uint8_t flags)
+{
+ SCEnter();
+
+ uint32_t ret;
+
+ DEBUG_VALIDATE_BUG_ON(!(flags & STREAM_TOCLIENT));
+ DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hscd_ctx_tc == NULL);
+
+ ret = mpm_table[det_ctx->sgh->mpm_hscd_ctx_tc->mpm_type].
+ Search(det_ctx->sgh->mpm_hscd_ctx_tc, &det_ctx->mtcu,
+ &det_ctx->pmq, stat_code, stat_code_len);
+
+ SCReturnUInt(ret);
+}
/**
* \brief Run the mpm against http stat code.
#include "app-layer.h"
#include "app-layer-htp.h"
#include "app-layer-protos.h"
+#include "util-validate.h"
+
+/**
+ * \brief Http stat msg match -- searches for one pattern per signature.
+ *
+ * \param det_ctx Detection engine thread ctx.
+ * \param stat_msg Stat msg to inspect.
+ * \param stat_msg_len Stat msg length.
+ *
+ * \retval ret Number of matches.
+ */
+static uint32_t HttpStatMsgPatternSearch(DetectEngineThreadCtx *det_ctx,
+ uint8_t *stat_msg, uint32_t stat_msg_len, uint8_t flags)
+{
+ SCEnter();
+
+ uint32_t ret;
+
+ DEBUG_VALIDATE_BUG_ON(!(flags & STREAM_TOCLIENT));
+ DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hsmd_ctx_tc == NULL);
+
+ ret = mpm_table[det_ctx->sgh->mpm_hsmd_ctx_tc->mpm_type].
+ Search(det_ctx->sgh->mpm_hsmd_ctx_tc, &det_ctx->mtcu,
+ &det_ctx->pmq, stat_msg, stat_msg_len);
+
+ SCReturnUInt(ret);
+}
/**
* \brief Run the mpm against http stat msg.
#include "app-layer-protos.h"
#include "detect-engine-hua.h"
+#include "util-validate.h"
+
+/**
+ * \brief Http user agent match -- searches for one pattern per signature.
+ *
+ * \param det_ctx Detection engine thread ctx.
+ * \param cookie User-Agent to inspect.
+ * \param cookie_len User-Agent buffer length.
+ *
+ * \retval ret Number of matches.
+ */
+static uint32_t HttpUAPatternSearch(DetectEngineThreadCtx *det_ctx,
+ uint8_t *ua, uint32_t ua_len, uint8_t flags)
+{
+ SCEnter();
+
+ uint32_t ret;
+
+ DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
+ DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_huad_ctx_ts == NULL);
+
+ ret = mpm_table[det_ctx->sgh->mpm_huad_ctx_ts->mpm_type].
+ Search(det_ctx->sgh->mpm_huad_ctx_ts, &det_ctx->mtcu,
+ &det_ctx->pmq, ua, ua_len);
+
+ SCReturnUInt(ret);
+}
int DetectEngineRunHttpUAMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
HtpState *htp_state, uint8_t flags,
#include "util-debug.h"
#include "util-print.h"
#include "util-memcmp.h"
-#ifdef __SC_CUDA_SUPPORT__
-#include "util-mpm-ac.h"
-#endif
#include "util-validate.h"
const char *builtin_mpms[] = {
return mpm_algo_val;
}
-uint32_t PacketPatternSearchWithStreamCtx(DetectEngineThreadCtx *det_ctx,
- Packet *p)
-{
- SCEnter();
-
- uint32_t ret = 0;
- const MpmCtx *mpm_ctx = NULL;
-
- if (p->flowflags & FLOW_PKT_TOSERVER) {
- DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_stream_ctx_ts == NULL);
-
- mpm_ctx = det_ctx->sgh->mpm_stream_ctx_ts;
-
- } else {
- DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_stream_ctx_tc == NULL);
-
- mpm_ctx = det_ctx->sgh->mpm_stream_ctx_tc;
- }
- if (unlikely(mpm_ctx == NULL)) {
- SCReturnInt(0);
- }
-
- ret = mpm_table[mpm_ctx->mpm_type].
- Search(mpm_ctx, &det_ctx->mtc, &det_ctx->pmq,
- p->payload, p->payload_len);
-
- SCReturnInt(ret);
-}
-
-/** \brief Pattern match -- searches for only one pattern per signature.
- *
- * \param det_ctx detection engine thread ctx
- * \param p packet to inspect
- *
- * \retval ret number of matches
- */
-uint32_t PacketPatternSearch(DetectEngineThreadCtx *det_ctx, Packet *p)
-{
- SCEnter();
-
- uint32_t ret;
- const MpmCtx *mpm_ctx = NULL;
-
- if (p->proto == IPPROTO_TCP) {
- if (p->flowflags & FLOW_PKT_TOSERVER) {
- mpm_ctx = det_ctx->sgh->mpm_proto_tcp_ctx_ts;
- } else {
- mpm_ctx = det_ctx->sgh->mpm_proto_tcp_ctx_tc;
- }
- } else if (p->proto == IPPROTO_UDP) {
- if (p->flowflags & FLOW_PKT_TOSERVER) {
- mpm_ctx = det_ctx->sgh->mpm_proto_udp_ctx_ts;
- } else {
- mpm_ctx = det_ctx->sgh->mpm_proto_udp_ctx_tc;
- }
- } else {
- mpm_ctx = det_ctx->sgh->mpm_proto_other_ctx;
- }
- if (unlikely(mpm_ctx == NULL))
- SCReturnInt(0);
-
-#ifdef __SC_CUDA_SUPPORT__
- if (p->cuda_pkt_vars.cuda_mpm_enabled && p->pkt_src == PKT_SRC_WIRE) {
- ret = SCACCudaPacketResultsProcessing(p, mpm_ctx, &det_ctx->pmq);
- } else {
- ret = mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
- &det_ctx->mtc,
- &det_ctx->pmq,
- p->payload,
- p->payload_len);
- }
-#else
- ret = mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
- &det_ctx->mtc,
- &det_ctx->pmq,
- p->payload,
- p->payload_len);
-#endif
-
- SCReturnInt(ret);
-}
-
-/** \brief Uri Pattern match -- searches for one pattern per signature.
- *
- * \param det_ctx detection engine thread ctx
- * \param p packet to inspect
- *
- * \retval ret number of matches
- */
-uint32_t UriPatternSearch(DetectEngineThreadCtx *det_ctx,
- uint8_t *uri, uint16_t uri_len, uint8_t flags)
-{
- SCEnter();
-
- uint32_t ret;
-
- DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
- DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_uri_ctx_ts == NULL);
-
- ret = mpm_table[det_ctx->sgh->mpm_uri_ctx_ts->mpm_type].
- Search(det_ctx->sgh->mpm_uri_ctx_ts,
- &det_ctx->mtcu, &det_ctx->pmq, uri, uri_len);
-
- //PrintRawDataFp(stdout, uri, uri_len);
-
- SCReturnUInt(ret);
-}
-
-/** \brief Http client body pattern match -- searches for one pattern per
- * signature.
- *
- * \param det_ctx Detection engine thread ctx.
- * \param body The request body to inspect.
- * \param body_len Body length.
- *
- * \retval ret Number of matches.
- */
-uint32_t HttpClientBodyPatternSearch(DetectEngineThreadCtx *det_ctx,
- uint8_t *body, uint32_t body_len, uint8_t flags)
-{
- SCEnter();
-
- uint32_t ret;
-
- DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
- DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hcbd_ctx_ts == NULL);
-
- ret = mpm_table[det_ctx->sgh->mpm_hcbd_ctx_ts->mpm_type].
- Search(det_ctx->sgh->mpm_hcbd_ctx_ts, &det_ctx->mtcu,
- &det_ctx->pmq, body, body_len);
-
- SCReturnUInt(ret);
-}
-
-/** \brief Http server body pattern match -- searches for one pattern per
- * signature.
- *
- * \param det_ctx Detection engine thread ctx.
- * \param body The request body to inspect.
- * \param body_len Body length.
- *
- * \retval ret Number of matches.
- */
-uint32_t HttpServerBodyPatternSearch(DetectEngineThreadCtx *det_ctx,
- uint8_t *body, uint32_t body_len, uint8_t flags)
-{
- SCEnter();
-
- uint32_t ret;
-
- DEBUG_VALIDATE_BUG_ON(!(flags & STREAM_TOCLIENT));
- DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hsbd_ctx_tc == NULL);
-
- ret = mpm_table[det_ctx->sgh->mpm_hsbd_ctx_tc->mpm_type].
- Search(det_ctx->sgh->mpm_hsbd_ctx_tc, &det_ctx->mtcu,
- &det_ctx->pmq, body, body_len);
-
- SCReturnUInt(ret);
-}
-
-/**
- * \brief Http header match -- searches for one pattern per signature.
- *
- * \param det_ctx Detection engine thread ctx.
- * \param headers Headers to inspect.
- * \param headers_len Headers length.
- *
- * \retval ret Number of matches.
- */
-uint32_t HttpHeaderPatternSearch(DetectEngineThreadCtx *det_ctx,
- uint8_t *headers, uint32_t headers_len, uint8_t flags)
-{
- SCEnter();
-
- uint32_t ret;
- if (flags & STREAM_TOSERVER) {
- DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hhd_ctx_ts == NULL);
-
- ret = mpm_table[det_ctx->sgh->mpm_hhd_ctx_ts->mpm_type].
- Search(det_ctx->sgh->mpm_hhd_ctx_ts, &det_ctx->mtcu,
- &det_ctx->pmq, headers, headers_len);
- } else {
- DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hhd_ctx_tc == NULL);
-
- ret = mpm_table[det_ctx->sgh->mpm_hhd_ctx_tc->mpm_type].
- Search(det_ctx->sgh->mpm_hhd_ctx_tc, &det_ctx->mtcu,
- &det_ctx->pmq, headers, headers_len);
- }
-
- SCReturnUInt(ret);
-}
-
-/**
- * \brief Http raw header match -- searches for one pattern per signature.
- *
- * \param det_ctx Detection engine thread ctx.
- * \param headers Raw headers to inspect.
- * \param headers_len Raw headers length.
- *
- * \retval ret Number of matches.
- */
-uint32_t HttpRawHeaderPatternSearch(DetectEngineThreadCtx *det_ctx,
- uint8_t *raw_headers, uint32_t raw_headers_len, uint8_t flags)
-{
- SCEnter();
-
- uint32_t ret;
- if (flags & STREAM_TOSERVER) {
- DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hrhd_ctx_ts == NULL);
-
- ret = mpm_table[det_ctx->sgh->mpm_hrhd_ctx_ts->mpm_type].
- Search(det_ctx->sgh->mpm_hrhd_ctx_ts, &det_ctx->mtcu,
- &det_ctx->pmq, raw_headers, raw_headers_len);
- } else {
- DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hrhd_ctx_tc == NULL);
-
- ret = mpm_table[det_ctx->sgh->mpm_hrhd_ctx_tc->mpm_type].
- Search(det_ctx->sgh->mpm_hrhd_ctx_tc, &det_ctx->mtcu,
- &det_ctx->pmq, raw_headers, raw_headers_len);
- }
-
- SCReturnUInt(ret);
-}
-
-/**
- * \brief Http method match -- searches for one pattern per signature.
- *
- * \param det_ctx Detection engine thread ctx.
- * \param method Method to inspect.
- * \param method_len Method length.
- *
- * \retval ret Number of matches.
- */
-uint32_t HttpMethodPatternSearch(DetectEngineThreadCtx *det_ctx,
- uint8_t *raw_method, uint32_t raw_method_len, uint8_t flags)
-{
- SCEnter();
-
- uint32_t ret;
-
- DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
- DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hmd_ctx_ts == NULL);
-
- ret = mpm_table[det_ctx->sgh->mpm_hmd_ctx_ts->mpm_type].
- Search(det_ctx->sgh->mpm_hmd_ctx_ts, &det_ctx->mtcu,
- &det_ctx->pmq, raw_method, raw_method_len);
-
- SCReturnUInt(ret);
-}
-
-/**
- * \brief Http cookie match -- searches for one pattern per signature.
- *
- * \param det_ctx Detection engine thread ctx.
- * \param cookie Cookie to inspect.
- * \param cookie_len Cookie length.
- *
- * \retval ret Number of matches.
- */
-uint32_t HttpCookiePatternSearch(DetectEngineThreadCtx *det_ctx,
- uint8_t *cookie, uint32_t cookie_len, uint8_t flags)
-{
- SCEnter();
-
- uint32_t ret;
- if (flags & STREAM_TOSERVER) {
- DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hcd_ctx_ts == NULL);
-
- ret = mpm_table[det_ctx->sgh->mpm_hcd_ctx_ts->mpm_type].
- Search(det_ctx->sgh->mpm_hcd_ctx_ts, &det_ctx->mtcu,
- &det_ctx->pmq, cookie, cookie_len);
- } else {
- DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hcd_ctx_tc == NULL);
-
- ret = mpm_table[det_ctx->sgh->mpm_hcd_ctx_tc->mpm_type].
- Search(det_ctx->sgh->mpm_hcd_ctx_tc, &det_ctx->mtcu,
- &det_ctx->pmq, cookie, cookie_len);
- }
-
- SCReturnUInt(ret);
-}
-
-/**
- * \brief Http raw uri match -- searches for one pattern per signature.
- *
- * \param det_ctx Detection engine thread ctx.
- * \param uri Raw uri to inspect.
- * \param uri_len Raw uri length.
- *
- * \retval ret Number of matches.
- */
-uint32_t HttpRawUriPatternSearch(DetectEngineThreadCtx *det_ctx,
- uint8_t *uri, uint32_t uri_len, uint8_t flags)
-{
- SCEnter();
-
- uint32_t ret;
-
- DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
- DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hrud_ctx_ts == NULL);
-
- ret = mpm_table[det_ctx->sgh->mpm_hrud_ctx_ts->mpm_type].
- Search(det_ctx->sgh->mpm_hrud_ctx_ts, &det_ctx->mtcu,
- &det_ctx->pmq, uri, uri_len);
-
- SCReturnUInt(ret);
-}
-
-/**
- * \brief Http stat msg match -- searches for one pattern per signature.
- *
- * \param det_ctx Detection engine thread ctx.
- * \param stat_msg Stat msg to inspect.
- * \param stat_msg_len Stat msg length.
- *
- * \retval ret Number of matches.
- */
-uint32_t HttpStatMsgPatternSearch(DetectEngineThreadCtx *det_ctx,
- uint8_t *stat_msg, uint32_t stat_msg_len, uint8_t flags)
-{
- SCEnter();
-
- uint32_t ret;
-
- DEBUG_VALIDATE_BUG_ON(!(flags & STREAM_TOCLIENT));
- DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hsmd_ctx_tc == NULL);
-
- ret = mpm_table[det_ctx->sgh->mpm_hsmd_ctx_tc->mpm_type].
- Search(det_ctx->sgh->mpm_hsmd_ctx_tc, &det_ctx->mtcu,
- &det_ctx->pmq, stat_msg, stat_msg_len);
-
- SCReturnUInt(ret);
-}
-
-/**
- * \brief Http stat code match -- searches for one pattern per signature.
- *
- * \param det_ctx Detection engine thread ctx.
- * \param stat_code Stat code to inspect.
- * \param stat_code_len Stat code length.
- *
- * \retval ret Number of matches.
- */
-uint32_t HttpStatCodePatternSearch(DetectEngineThreadCtx *det_ctx,
- uint8_t *stat_code, uint32_t stat_code_len, uint8_t flags)
-{
- SCEnter();
-
- uint32_t ret;
-
- DEBUG_VALIDATE_BUG_ON(!(flags & STREAM_TOCLIENT));
- DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hscd_ctx_tc == NULL);
-
- ret = mpm_table[det_ctx->sgh->mpm_hscd_ctx_tc->mpm_type].
- Search(det_ctx->sgh->mpm_hscd_ctx_tc, &det_ctx->mtcu,
- &det_ctx->pmq, stat_code, stat_code_len);
-
- SCReturnUInt(ret);
-}
-
-/**
- * \brief Http user agent match -- searches for one pattern per signature.
- *
- * \param det_ctx Detection engine thread ctx.
- * \param cookie User-Agent to inspect.
- * \param cookie_len User-Agent buffer length.
- *
- * \retval ret Number of matches.
- */
-uint32_t HttpUAPatternSearch(DetectEngineThreadCtx *det_ctx,
- uint8_t *ua, uint32_t ua_len, uint8_t flags)
-{
- SCEnter();
-
- uint32_t ret;
-
- DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
- DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_huad_ctx_ts == NULL);
-
- ret = mpm_table[det_ctx->sgh->mpm_huad_ctx_ts->mpm_type].
- Search(det_ctx->sgh->mpm_huad_ctx_ts, &det_ctx->mtcu,
- &det_ctx->pmq, ua, ua_len);
-
- SCReturnUInt(ret);
-}
-
-/**
- * \brief Http host header match -- searches for one pattern per signature.
- *
- * \param det_ctx Detection engine thread ctx.
- * \param hh Host header to inspect.
- * \param hh_len Host header buffer length.
- * \param flags Flags
- *
- * \retval ret Number of matches.
- */
-uint32_t HttpHHPatternSearch(DetectEngineThreadCtx *det_ctx,
- uint8_t *hh, uint32_t hh_len, uint8_t flags)
-{
- SCEnter();
-
- uint32_t ret;
-
- DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
- DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hhhd_ctx_ts == NULL);
-
- ret = mpm_table[det_ctx->sgh->mpm_hhhd_ctx_ts->mpm_type].
- Search(det_ctx->sgh->mpm_hhhd_ctx_ts, &det_ctx->mtcu,
- &det_ctx->pmq, hh, hh_len);
-
- SCReturnUInt(ret);
-}
-
-/**
- * \brief Http raw host header match -- searches for one pattern per signature.
- *
- * \param det_ctx Detection engine thread ctx.
- * \param hrh Raw hostname to inspect.
- * \param hrh_len Raw hostname buffer length.
- * \param flags Flags
- *
- * \retval ret Number of matches.
- */
-uint32_t HttpHRHPatternSearch(DetectEngineThreadCtx *det_ctx,
- uint8_t *hrh, uint32_t hrh_len, uint8_t flags)
-{
- SCEnter();
-
- uint32_t ret;
-
- DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
- DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_hrhhd_ctx_ts == NULL);
-
- ret = mpm_table[det_ctx->sgh->mpm_hrhhd_ctx_ts->mpm_type].
- Search(det_ctx->sgh->mpm_hrhhd_ctx_ts, &det_ctx->mtcu,
- &det_ctx->pmq, hrh, hrh_len);
-
- SCReturnUInt(ret);
-}
-
-/**
- * \brief DNS query match -- searches for one pattern per signature.
- *
- * \param det_ctx Detection engine thread ctx.
- * \param hrh Buffer to inspect.
- * \param hrh_len buffer length.
- * \param flags Flags
- *
- * \retval ret Number of matches.
- */
-uint32_t DnsQueryPatternSearch(DetectEngineThreadCtx *det_ctx,
- uint8_t *buffer, uint32_t buffer_len,
- uint8_t flags)
-{
- SCEnter();
-
- uint32_t ret = 0;
-
- DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
- DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_dnsquery_ctx_ts == NULL);
-
- ret = mpm_table[det_ctx->sgh->mpm_dnsquery_ctx_ts->mpm_type].
- Search(det_ctx->sgh->mpm_dnsquery_ctx_ts, &det_ctx->mtcu,
- &det_ctx->pmq, buffer, buffer_len);
-
- SCReturnUInt(ret);
-}
-
-/** \brief Pattern match -- searches for only one pattern per signature.
- *
- * \param det_ctx detection engine thread ctx
- * \param p packet
- * \param smsg stream msg (reassembled stream data)
- * \param flags stream flags
- *
- * \retval ret number of matches
- */
-uint32_t StreamPatternSearch(DetectEngineThreadCtx *det_ctx, Packet *p,
- StreamMsg *smsg, uint8_t flags)
-{
- SCEnter();
-
- uint32_t ret = 0;
- uint8_t cnt = 0;
-
- //PrintRawDataFp(stdout, smsg->data.data, smsg->data.data_len);
-
- uint32_t r;
- if (flags & STREAM_TOSERVER) {
- for ( ; smsg != NULL; smsg = smsg->next) {
- r = mpm_table[det_ctx->sgh->mpm_stream_ctx_ts->mpm_type].
- Search(det_ctx->sgh->mpm_stream_ctx_ts, &det_ctx->mtcs,
- &det_ctx->pmq, smsg->data, smsg->data_len);
- if (r > 0) {
- ret += r;
- }
-
- cnt++;
- }
- } else {
- for ( ; smsg != NULL; smsg = smsg->next) {
- r = mpm_table[det_ctx->sgh->mpm_stream_ctx_tc->mpm_type].
- Search(det_ctx->sgh->mpm_stream_ctx_tc, &det_ctx->mtcs,
- &det_ctx->pmq, smsg->data, smsg->data_len);
- if (r > 0) {
- ret += r;
- }
-
- cnt++;
- }
- }
-
- SCReturnInt(ret);
-}
-
-/**
- * \brief SMTP Filedata match -- searches for one pattern per signature.
- *
- * \param det_ctx Detection engine thread ctx.
- * \param buffer Buffer to inspect.
- * \param buffer_len buffer length.
- * \param flags Flags
- *
- * \retval ret Number of matches.
- */
-uint32_t SMTPFiledataPatternSearch(DetectEngineThreadCtx *det_ctx,
- uint8_t *buffer, uint32_t buffer_len,
- uint8_t flags)
-{
- SCEnter();
-
- uint32_t ret = 0;
-
- DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
- DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_smtp_filedata_ctx_ts == NULL);
-
- ret = mpm_table[det_ctx->sgh->mpm_smtp_filedata_ctx_ts->mpm_type].
- Search(det_ctx->sgh->mpm_smtp_filedata_ctx_ts, &det_ctx->mtcu,
- &det_ctx->pmq, buffer, buffer_len);
-
- SCReturnUInt(ret);
-}
-
/** \brief cleans up the mpm instance after a match */
void PacketPatternCleanup(ThreadVars *t, DetectEngineThreadCtx *det_ctx)
{
uint32_t PatternStrength(uint8_t *, uint16_t);
uint32_t PacketPatternSearchWithStreamCtx(DetectEngineThreadCtx *, Packet *);
uint32_t PacketPatternSearch(DetectEngineThreadCtx *, Packet *);
-uint32_t UriPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint16_t, uint8_t);
uint32_t StreamPatternSearch(DetectEngineThreadCtx *, Packet *, StreamMsg *, uint8_t);
-uint32_t HttpClientBodyPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t);
-uint32_t HttpServerBodyPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t);
-uint32_t HttpHeaderPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t);
-uint32_t HttpRawHeaderPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t);
-uint32_t HttpMethodPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t);
-uint32_t HttpCookiePatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t);
-uint32_t HttpRawUriPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t);
-uint32_t HttpStatMsgPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t);
-uint32_t HttpStatCodePatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t);
-uint32_t HttpUAPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t);
-uint32_t HttpHHPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t);
-uint32_t HttpHRHPatternSearch(DetectEngineThreadCtx *, uint8_t *, uint32_t, uint8_t);
uint32_t DnsQueryPatternSearch(DetectEngineThreadCtx *det_ctx, uint8_t *buffer, uint32_t buffer_len, uint8_t flags);
-uint32_t SMTPFiledataPatternSearch(DetectEngineThreadCtx *det_ctx, uint8_t *buffer, uint32_t buffer_len, uint8_t flags);
void PacketPatternCleanup(ThreadVars *, DetectEngineThreadCtx *);
#include "detect-parse.h"
#include "detect-engine-content-inspection.h"
+#include "stream.h"
+
#include "util-debug.h"
#include "util-print.h"
#include "util-unittest.h"
#include "util-unittest-helper.h"
+#include "util-validate.h"
+
+#include "util-mpm-ac.h"
+
+uint32_t PacketPatternSearchWithStreamCtx(DetectEngineThreadCtx *det_ctx,
+ Packet *p)
+{
+ SCEnter();
+
+ uint32_t ret = 0;
+ const MpmCtx *mpm_ctx = NULL;
+
+ if (p->flowflags & FLOW_PKT_TOSERVER) {
+ DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_stream_ctx_ts == NULL);
+
+ mpm_ctx = det_ctx->sgh->mpm_stream_ctx_ts;
+
+ } else {
+ DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_stream_ctx_tc == NULL);
+
+ mpm_ctx = det_ctx->sgh->mpm_stream_ctx_tc;
+ }
+ if (unlikely(mpm_ctx == NULL)) {
+ SCReturnInt(0);
+ }
+
+ ret = mpm_table[mpm_ctx->mpm_type].
+ Search(mpm_ctx, &det_ctx->mtc, &det_ctx->pmq,
+ p->payload, p->payload_len);
+
+ SCReturnInt(ret);
+}
+
+/** \brief Pattern match -- searches for only one pattern per signature.
+ *
+ * \param det_ctx detection engine thread ctx
+ * \param p packet
+ * \param smsg stream msg (reassembled stream data)
+ * \param flags stream flags
+ *
+ * \retval ret number of matches
+ */
+uint32_t StreamPatternSearch(DetectEngineThreadCtx *det_ctx, Packet *p,
+ StreamMsg *smsg, uint8_t flags)
+{
+ SCEnter();
+
+ uint32_t ret = 0;
+ uint8_t cnt = 0;
+
+ //PrintRawDataFp(stdout, smsg->data.data, smsg->data.data_len);
+
+ uint32_t r;
+ if (flags & STREAM_TOSERVER) {
+ for ( ; smsg != NULL; smsg = smsg->next) {
+ r = mpm_table[det_ctx->sgh->mpm_stream_ctx_ts->mpm_type].
+ Search(det_ctx->sgh->mpm_stream_ctx_ts, &det_ctx->mtcs,
+ &det_ctx->pmq, smsg->data, smsg->data_len);
+ if (r > 0) {
+ ret += r;
+ }
+
+ cnt++;
+ }
+ } else if (flags & STREAM_TOCLIENT) {
+ for ( ; smsg != NULL; smsg = smsg->next) {
+ r = mpm_table[det_ctx->sgh->mpm_stream_ctx_tc->mpm_type].
+ Search(det_ctx->sgh->mpm_stream_ctx_tc, &det_ctx->mtcs,
+ &det_ctx->pmq, smsg->data, smsg->data_len);
+ if (r > 0) {
+ ret += r;
+ }
+
+ cnt++;
+ }
+ }
+
+ SCReturnInt(ret);
+}
+
+/** \brief Pattern match -- searches for only one pattern per signature.
+ *
+ * \param det_ctx detection engine thread ctx
+ * \param p packet to inspect
+ *
+ * \retval ret number of matches
+ */
+uint32_t PacketPatternSearch(DetectEngineThreadCtx *det_ctx, Packet *p)
+{
+ SCEnter();
+
+ uint32_t ret;
+ const MpmCtx *mpm_ctx = NULL;
+
+ if (p->proto == IPPROTO_TCP) {
+ if (p->flowflags & FLOW_PKT_TOSERVER) {
+ mpm_ctx = det_ctx->sgh->mpm_proto_tcp_ctx_ts;
+ } else if (p->flowflags & FLOW_PKT_TOCLIENT) {
+ mpm_ctx = det_ctx->sgh->mpm_proto_tcp_ctx_tc;
+ }
+ } else if (p->proto == IPPROTO_UDP) {
+ if (p->flowflags & FLOW_PKT_TOSERVER) {
+ mpm_ctx = det_ctx->sgh->mpm_proto_udp_ctx_ts;
+ } else if (p->flowflags & FLOW_PKT_TOCLIENT) {
+ mpm_ctx = det_ctx->sgh->mpm_proto_udp_ctx_tc;
+ }
+ } else {
+ mpm_ctx = det_ctx->sgh->mpm_proto_other_ctx;
+ }
+ if (unlikely(mpm_ctx == NULL))
+ SCReturnInt(0);
+
+#ifdef __SC_CUDA_SUPPORT__
+ if (p->cuda_pkt_vars.cuda_mpm_enabled && p->pkt_src == PKT_SRC_WIRE) {
+ ret = SCACCudaPacketResultsProcessing(p, mpm_ctx, &det_ctx->pmq);
+ } else {
+ ret = mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
+ &det_ctx->mtc,
+ &det_ctx->pmq,
+ p->payload,
+ p->payload_len);
+ }
+#else
+ ret = mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
+ &det_ctx->mtc,
+ &det_ctx->pmq,
+ p->payload,
+ p->payload_len);
+#endif
+
+ SCReturnInt(ret);
+}
/**
* \brief Do the content inspection & validation for a signature
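Review bot: StreamPatternSearch dereferences `det_ctx->sgh->mpm_stream_ctx_ts` and `det_ctx->sgh->mpm_stream_ctx_tc` inside its loops without the `unlikely(mpm_ctx == NULL)` guard that PacketPatternSearchWithStreamCtx and PacketPatternSearch apply in this same hunk. Whether every caller guarantees a stream context for the chosen direction is not visible here, and a NULL dereference on the detection path would take the sensor down. Selecting the context once, returning 0 when it is NULL, and running a single loop also removes the duplicated loop body and the `uint8_t cnt` counter, which is incremented but never read. All three added functions are declared `uint32_t` but exit through `SCReturnInt`; `SCReturnUInt` would match the declared type.

```c
uint32_t StreamPatternSearch(DetectEngineThreadCtx *det_ctx, Packet *p,
                             StreamMsg *smsg, uint8_t flags)
{
    SCEnter();

    uint32_t ret = 0;
    const MpmCtx *mpm_ctx = NULL;

    /* pick the direction's context once instead of once per segment */
    if (flags & STREAM_TOSERVER) {
        mpm_ctx = det_ctx->sgh->mpm_stream_ctx_ts;
    } else if (flags & STREAM_TOCLIENT) {
        mpm_ctx = det_ctx->sgh->mpm_stream_ctx_tc;
    }
    /* same guard as the packet search functions: no context, no matches */
    if (unlikely(mpm_ctx == NULL)) {
        SCReturnUInt(0);
    }

    for ( ; smsg != NULL; smsg = smsg->next) {
        ret += mpm_table[mpm_ctx->mpm_type].
            Search(mpm_ctx, &det_ctx->mtcs, &det_ctx->pmq,
                   smsg->data, smsg->data_len);
    }

    SCReturnUInt(ret);
}
```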
#include "app-layer.h"
#include "app-layer-htp.h"
#include "app-layer-protos.h"
+#include "util-validate.h"
+
+/** \brief Uri Pattern match -- searches for one pattern per signature.
+ *
+ * \param det_ctx detection engine thread ctx
+ * \param p packet to inspect
+ *
+ * \retval ret number of matches
+ */
+static uint32_t UriPatternSearch(DetectEngineThreadCtx *det_ctx,
+ uint8_t *uri, uint16_t uri_len, uint8_t flags)
+{
+ SCEnter();
+
+ uint32_t ret;
+
+ DEBUG_VALIDATE_BUG_ON(flags & STREAM_TOCLIENT);
+ DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_uri_ctx_ts == NULL);
+
+ ret = mpm_table[det_ctx->sgh->mpm_uri_ctx_ts->mpm_type].
+ Search(det_ctx->sgh->mpm_uri_ctx_ts,
+ &det_ctx->mtcu, &det_ctx->pmq, uri, uri_len);
+
+ //PrintRawDataFp(stdout, uri, uri_len);
+
+ SCReturnUInt(ret);
+}
+
+/**
+ * \brief Checks if the content sent as the argument, has a uricontent which
+ * has been provided in the rule. This match function matches the
+ * normalized http uri against the given rule using multi pattern
+ * search algorithms.
+ *
+ * \param det_ctx Pointer to the detection engine thread context
+ * \param content Pointer to the uri content currently being matched
+ * \param content_len Content_len of the received uri content
+ *
+ * \retval 1 if the uri contents match; 0 no match
+ */
+static inline int DoDetectAppLayerUricontentMatch (DetectEngineThreadCtx *det_ctx,
+ uint8_t *uri, uint16_t uri_len, uint8_t flags)
+{
+ int ret = 0;
+ /* run the pattern matcher against the uri */
+ if (det_ctx->sgh->mpm_uricontent_minlen > uri_len) {
+ SCLogDebug("not searching as uri len is smaller than the "
+ "shortest uricontent length we need to match");
+ } else {
+ SCLogDebug("search: (%p, minlen %" PRIu32 ", sgh->sig_cnt "
+ "%" PRIu32 ")", det_ctx->sgh,
+ det_ctx->sgh->mpm_uricontent_minlen, det_ctx->sgh->sig_cnt);
+
+ ret += UriPatternSearch(det_ctx, uri, uri_len, flags);
+
+ SCLogDebug("post search: cnt %" PRIu32, ret);
+ }
+ return ret;
+}
+
+/**
+ * \brief Run the pattern matcher against the uri(s)
+ *
+ * We run against _all_ uri(s) we have as the pattern matcher will
+ * flag each sig that has a match. We need to do this for all uri(s)
+ * to not miss possible events.
+ *
+ * \param f locked flow
+ * \param htp_state initialized htp state
+ *
+ * \warning Make sure the flow/state is locked
+ * \todo what should we return? Just the fact that we matched?
+ */
+uint32_t DetectUricontentInspectMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
+ HtpState *htp_state, uint8_t flags,
+ void *txv, uint64_t idx)
+{
+ SCEnter();
+
+ htp_tx_t *tx = (htp_tx_t *)txv;
+ HtpTxUserData *tx_ud = htp_tx_get_user_data(tx);
+ uint32_t cnt = 0;
+
+ if (tx_ud == NULL || tx_ud->request_uri_normalized == NULL)
+ goto end;
+ cnt = DoDetectAppLayerUricontentMatch(det_ctx, (uint8_t *)
+ bstr_ptr(tx_ud->request_uri_normalized),
+ bstr_len(tx_ud->request_uri_normalized),
+ flags);
+
+end:
+ SCReturnUInt(cnt);
+}
/**
* \brief Do the content inspection & validation for a signature
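Review bot: `uri_len` is declared `uint16_t` in UriPatternSearch and DoDetectAppLayerUricontentMatch, but DetectUricontentInspectMpm passes it `bstr_len(tx_ud->request_uri_normalized)`, which is wider than 16 bits in libhtp. A normalized URI longer than 65535 bytes would therefore be searched with a wrapped length, so content past that point is never handed to the pattern matcher, and the search is skipped entirely if the wrapped value falls below `mpm_uricontent_minlen`. Whether an upstream limit keeps request URIs below 64 KiB is not visible in this hunk. DnsQueryPatternSearch in the header hunk already takes `uint32_t buffer_len`, so I would widen both helpers the same way: `uint8_t *uri, uint32_t uri_len, uint8_t flags`. The doc comment on UriPatternSearch also still says `\param p packet to inspect`; it should describe `uri`, `uri_len` and `flags` instead.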
SCReturnInt(-1);
}
-/**
- * \brief Checks if the content sent as the argument, has a uricontent which
- * has been provided in the rule. This match function matches the
- * normalized http uri against the given rule using multi pattern
- * search algorithms.
- *
- * \param det_ctx Pointer to the detection engine thread context
- * \param content Pointer to the uri content currently being matched
- * \param content_len Content_len of the received uri content
- *
- * \retval 1 if the uri contents match; 0 no match
- */
-static inline int DoDetectAppLayerUricontentMatch (DetectEngineThreadCtx *det_ctx,
- uint8_t *uri, uint16_t uri_len, uint8_t flags)
-{
- int ret = 0;
- /* run the pattern matcher against the uri */
- if (det_ctx->sgh->mpm_uricontent_minlen > uri_len) {
- SCLogDebug("not searching as uri len is smaller than the "
- "shortest uricontent length we need to match");
- } else {
- SCLogDebug("search: (%p, minlen %" PRIu32 ", sgh->sig_cnt "
- "%" PRIu32 ")", det_ctx->sgh,
- det_ctx->sgh->mpm_uricontent_minlen, det_ctx->sgh->sig_cnt);
-
- ret += UriPatternSearch(det_ctx, uri, uri_len, flags);
-
- SCLogDebug("post search: cnt %" PRIu32, ret);
- }
- return ret;
-}
-
-/**
- * \brief Run the pattern matcher against the uri(s)
- *
- * We run against _all_ uri(s) we have as the pattern matcher will
- * flag each sig that has a match. We need to do this for all uri(s)
- * to not miss possible events.
- *
- * \param f locked flow
- * \param htp_state initialized htp state
- *
- * \warning Make sure the flow/state is locked
- * \todo what should we return? Just the fact that we matched?
- */
-uint32_t DetectUricontentInspectMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
- HtpState *htp_state, uint8_t flags,
- void *txv, uint64_t idx)
-{
- SCEnter();
-
- htp_tx_t *tx = (htp_tx_t *)txv;
- HtpTxUserData *tx_ud = htp_tx_get_user_data(tx);
- uint32_t cnt = 0;
-
- if (tx_ud == NULL || tx_ud->request_uri_normalized == NULL)
- goto end;
- cnt = DoDetectAppLayerUricontentMatch(det_ctx, (uint8_t *)
- bstr_ptr(tx_ud->request_uri_normalized),
- bstr_len(tx_ud->request_uri_normalized),
- flags);
-
-end:
- SCReturnUInt(cnt);
-}
-
/*
* UNITTTESTS
*/