detect: reimplement discontinue matching logic
authorVictor Julien <vjulien@oisf.net>
Fri, 22 Sep 2023 19:08:29 +0000 (21:08 +0200)
committerVictor Julien <victor@inliniac.net>
Fri, 1 Dec 2023 13:55:39 +0000 (14:55 +0100)
Previously various steps in the content inspection logic would use
a variable in the DetectEngineThreadCtx to flag that matching should
be discontinued.

This patch reimplements this logic by using a new return code instead.

Split content inspection into public and private versions, so that
common initialization can be done in a single place.

Update the callsites.

23 files changed:
src/detect-base64-data.c
src/detect-dns-query.c
src/detect-engine-content-inspection.c
src/detect-engine-content-inspection.h
src/detect-engine-frame.c
src/detect-engine-payload.c
src/detect-engine.c
src/detect-file-data.c
src/detect-filemagic.c
src/detect-filename.c
src/detect-http-client-body.c
src/detect-http-header.c
src/detect-http2.c
src/detect-ike-vendor.c
src/detect-krb5-cname.c
src/detect-krb5-sname.c
src/detect-mqtt-subscribe-topic.c
src/detect-mqtt-unsubscribe-topic.c
src/detect-quic-cyu-hash.c
src/detect-quic-cyu-string.c
src/detect-template-rust-buffer.c
src/detect-tls-certs.c
src/detect.h

index 4c892a919c26e60fe6e5137a1e18fa951288d081..09d89113d6751d2d49e5a88815e489567517ffab 100644 (file)
@@ -65,10 +65,10 @@ int DetectBase64DataDoMatch(DetectEngineCtx *de_ctx,
     DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f)
 {
     if (det_ctx->base64_decoded_len) {
-        return DetectEngineContentInspection(de_ctx, det_ctx, s,
-            s->sm_arrays[DETECT_SM_LIST_BASE64_DATA], NULL, f, det_ctx->base64_decoded,
-            det_ctx->base64_decoded_len, 0, DETECT_CI_FLAGS_SINGLE,
-            DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
+        return DetectEngineContentInspectionInternal(de_ctx, det_ctx, s,
+                s->sm_arrays[DETECT_SM_LIST_BASE64_DATA], NULL, f, det_ctx->base64_decoded,
+                det_ctx->base64_decoded_len, 0, DETECT_CI_FLAGS_SINGLE,
+                DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
     }
 
     return 0;
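Review bot: DetectBase64DataDoMatch can now return -1 as well as 0 and 1, because it forwards the result of DetectEngineContentInspectionInternal unchanged, and nothing in this hunk documents that. A caller that tests the result for truthiness would read the give-up code as a match, which in a detection engine means a false alert. The call site updated later in this commit compares with `== 1`; any other caller (none is visible here) needs the same. I would add `\retval -1 no match, discontinue matching` to the function's doc comment, or map -1 to 0 before returning if callers are not meant to see the give-up code. The function's doc comment and closing brace are outside the hunk.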
index fd2c7450853e730ed70751950794e336bf39fdeb..d2dbe8e99021747c905c9be591a37be7489f352b 100644 (file)
@@ -114,17 +114,10 @@ static uint8_t DetectEngineInspectDnsQuery(DetectEngineCtx *de_ctx, DetectEngine
         if (buffer == NULL || buffer->inspect == NULL)
             break;
 
-        det_ctx->buffer_offset = 0;
-        det_ctx->discontinue_matching = 0;
-        det_ctx->inspection_recursion_counter = 0;
-
-        const int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd,
-                                              NULL, f,
-                                              (uint8_t *)buffer->inspect,
-                                              buffer->inspect_len,
-                                              buffer->inspect_offset, DETECT_CI_FLAGS_SINGLE,
-                                              DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
-        if (match == 1) {
+        const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f,
+                (uint8_t *)buffer->inspect, buffer->inspect_len, buffer->inspect_offset,
+                DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
+        if (match) {
             return DETECT_ENGINE_INSPECT_SIG_MATCH;
         }
         local_id++;
index 8c5feb61a226732286c990a7c9326e92edb6a86b..2ac2319c9d5301c919c343a8c5e77c8e0d2eb343 100644 (file)
  *                        buffer inspection modes or dce inspection mode.
  * \param flags           DETECT_CI_FLAG_*
  *
+ *  \retval -1 no match and give up (discontinue matching)
  *  \retval 0 no match
  *  \retval 1 match
  */
-uint8_t DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
+int DetectEngineContentInspectionInternal(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
         const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer,
         uint32_t buffer_len, uint32_t stream_start_offset, uint8_t flags, uint8_t inspection_mode)
 {
@@ -113,9 +114,8 @@ uint8_t DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThrea
     det_ctx->inspection_recursion_counter++;
 
     if (det_ctx->inspection_recursion_counter == de_ctx->inspection_recursion_limit) {
-        det_ctx->discontinue_matching = 1;
         KEYWORD_PROFILING_END(det_ctx, smd->type, 0);
-        SCReturnInt(0);
+        SCReturnInt(-1);
     }
 
     // we want the ability to match on bsize: 0
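Review bot: The recursion-limit exit now returns -1 without a log line, so a signature abandoned because `inspection_recursion_limit` was reached is indistinguishable from the other give-up paths when someone investigates a missed detection. Adding `SCLogDebug("inspection recursion limit reached");` before `KEYWORD_PROFILING_END` would make that case visible in debug builds. A short comment such as `/* limit hit: give up on this signature for this buffer */` would also say why -1 rather than 0 is returned. The enclosing function starts and ends outside this hunk.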
@@ -303,7 +303,7 @@ uint8_t DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThrea
                 if (!(cd->flags & DETECT_CONTENT_NEGATED)) {
                     if ((cd->flags & (DETECT_CONTENT_DISTANCE | DETECT_CONTENT_WITHIN)) == 0) {
                         /* independent match from previous matches, so failure is fatal */
-                        det_ctx->discontinue_matching = 1;
+                        goto no_match_discontinue;
                     }
 
                     goto no_match;
@@ -328,8 +328,9 @@ uint8_t DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThrea
                             goto match;
                         }
                     }
-                    if (DETECT_CONTENT_IS_SINGLE(cd))
-                        det_ctx->discontinue_matching = 1;
+                    if (DETECT_CONTENT_IS_SINGLE(cd)) {
+                        goto no_match_discontinue;
+                    }
                     goto no_match;
                 } else {
                     SCLogDebug("content %" PRIu32 " matched at offset %" PRIu32 "", cd->id,
@@ -360,23 +361,21 @@ uint8_t DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThrea
                         /* see if the next buffer keywords match. If not, we will
                          * search for another occurrence of this content and see
                          * if the others match then until we run out of matches */
-                        uint8_t r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd + 1, p, f,
-                                buffer, buffer_len, stream_start_offset, flags, inspection_mode);
+                        int r = DetectEngineContentInspectionInternal(de_ctx, det_ctx, s, smd + 1,
+                                p, f, buffer, buffer_len, stream_start_offset, flags,
+                                inspection_mode);
                         if (r == 1) {
                             SCReturnInt(1);
-                        }
-                        SCLogDebug("no match for 'next sm'");
-
-                        if (det_ctx->discontinue_matching) {
+                        } else if (r == -1) {
                             SCLogDebug("'next sm' said to discontinue this right now");
-                            goto no_match;
+                            SCReturnInt(-1);
                         }
+                        SCLogDebug("no match for 'next sm'");
 
                         /* no match and no reason to look for another instance */
                         if ((cd->flags & DETECT_CONTENT_WITHIN_NEXT) == 0) {
                             SCLogDebug("'next sm' does not depend on me, so we can give up");
-                            det_ctx->discontinue_matching = 1;
-                            goto no_match;
+                            SCReturnInt(-1);
                         }
 
                         SCLogDebug("'next sm' depends on me %p, lets see what we can do (flags %u)",
@@ -441,12 +440,10 @@ uint8_t DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThrea
         DetectPcreData *pe = (DetectPcreData *)smd->ctx;
         uint32_t prev_buffer_offset = det_ctx->buffer_offset;
         uint32_t prev_offset = 0;
-        int r = 0;
 
         det_ctx->pcre_match_start_offset = 0;
         do {
-            r = DetectPcrePayloadMatch(det_ctx, s, smd, p, f,
-                                       buffer, buffer_len);
+            int r = DetectPcrePayloadMatch(det_ctx, s, smd, p, f, buffer, buffer_len);
             if (r == 0) {
                 goto no_match;
             }
@@ -463,16 +460,14 @@ uint8_t DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThrea
             /* see if the next payload keywords match. If not, we will
              * search for another occurrence of this pcre and see
              * if the others match, until we run out of matches */
-            r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd+1,
-                    p, f, buffer, buffer_len, stream_start_offset, flags,
-                    inspection_mode);
+            r = DetectEngineContentInspectionInternal(de_ctx, det_ctx, s, smd + 1, p, f, buffer,
+                    buffer_len, stream_start_offset, flags, inspection_mode);
             if (r == 1) {
                 SCReturnInt(1);
+            } else if (r == -1) {
+                SCReturnInt(-1);
             }
 
-            if (det_ctx->discontinue_matching)
-                goto no_match;
-
             det_ctx->buffer_offset = prev_buffer_offset;
             det_ctx->pcre_match_start_offset = prev_offset;
         } while (1);
@@ -611,9 +606,7 @@ uint8_t DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThrea
         const uint64_t data_size = buffer_len + stream_start_offset;
         int r = DetectBsizeMatch(smd->ctx, data_size, eof);
         if (r < 0) {
-            det_ctx->discontinue_matching = 1;
-            goto no_match;
-
+            goto no_match_discontinue;
         } else if (r == 0) {
             goto no_match;
         }
@@ -627,8 +620,7 @@ uint8_t DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThrea
         if (r == 1) {
             goto match;
         }
-        det_ctx->discontinue_matching = 1;
-        goto no_match;
+        goto no_match_discontinue;
 
     } else if (smd->type == DETECT_DATAREP) {
 
@@ -638,8 +630,7 @@ uint8_t DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThrea
         if (r == 1) {
             goto match;
         }
-        det_ctx->discontinue_matching = 1;
-        goto no_match;
+        goto no_match_discontinue;
 
     } else if (smd->type == DETECT_AL_URILEN) {
         SCLogDebug("inspecting uri len");
@@ -655,10 +646,7 @@ uint8_t DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThrea
         if (r == 1) {
             goto match;
         }
-
-        det_ctx->discontinue_matching = 1;
-
-        goto no_match;
+        goto no_match_discontinue;
 #ifdef HAVE_LUA
     }
     else if (smd->type == DETECT_LUA) {
@@ -677,7 +665,7 @@ uint8_t DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThrea
         if (DetectBase64DecodeDoMatch(det_ctx, s, smd, buffer, buffer_len)) {
             if (s->sm_arrays[DETECT_SM_LIST_BASE64_DATA] != NULL) {
                 KEYWORD_PROFILING_END(det_ctx, smd->type, 1);
-                if (DetectBase64DataDoMatch(de_ctx, det_ctx, s, f)) {
+                if (DetectBase64DataDoMatch(de_ctx, det_ctx, s, f) == 1) {
                     /* Base64 is a terminal list. */
                     goto final_match;
                 }
@@ -694,12 +682,16 @@ no_match:
     KEYWORD_PROFILING_END(det_ctx, smd->type, 0);
     SCReturnInt(0);
 
+no_match_discontinue:
+    KEYWORD_PROFILING_END(det_ctx, smd->type, 0);
+    SCReturnInt(-1);
+
 match:
     /* this sigmatch matched, inspect the next one. If it was the last,
      * the buffer portion of the signature matched. */
     if (!smd->is_last) {
         KEYWORD_PROFILING_END(det_ctx, smd->type, 1);
-        uint8_t r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd + 1, p, f, buffer,
+        int r = DetectEngineContentInspectionInternal(de_ctx, det_ctx, s, smd + 1, p, f, buffer,
                 buffer_len, stream_start_offset, flags, inspection_mode);
         SCReturnInt(r);
     }
@@ -708,6 +700,26 @@ final_match:
     SCReturnInt(1);
 }
 
+/** \brief wrapper around DetectEngineContentInspectionInternal to return true/false only
+ *
+ *  \param smd sigmatches to evaluate
+ */
+bool DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
+        const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer,
+        const uint32_t buffer_len, const uint32_t stream_start_offset, const uint8_t flags,
+        const uint8_t inspection_mode)
+{
+    det_ctx->buffer_offset = 0;
+    det_ctx->inspection_recursion_counter = 0;
+
+    int r = DetectEngineContentInspectionInternal(de_ctx, det_ctx, s, smd, p, f, buffer, buffer_len,
+            stream_start_offset, flags, inspection_mode);
+    if (r == 1)
+        return true;
+    else
+        return false;
+}
+
 #ifdef UNITTESTS
 #include "tests/detect-engine-content-inspection.c"
 #endif
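Review bot: The wrapper's doc comment leaves out the two things a caller has to know: it resets `det_ctx->buffer_offset` and `det_ctx->inspection_recursion_counter`, and it folds the internal -1 into false. Code that runs inside an inspection already in progress must therefore call DetectEngineContentInspectionInternal, otherwise the counter restarts and the recursion limit no longer bounds the work. I would state that in the comment and add `\retval true match` and `\retval false no match or give up`. The tail can be written as `return r == 1;`. The top-level `const` on the by-value parameters also differs between each definition here and its prototype in detect-engine-content-inspection.h; the compiler ignores this, but the two sides should be made the same.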
index ae1e8ed5bfa11823d565f81bf4b9d3d1624b34a6..188ebef2d881598d5c6f6e34438a7e64e261139e 100644 (file)
@@ -46,7 +46,13 @@ enum {
  *  inspection function contains both start and end of the data. */
 #define DETECT_CI_FLAGS_SINGLE  (DETECT_CI_FLAGS_START|DETECT_CI_FLAGS_END)
 
-uint8_t DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
+/* "internal" returns 1 match, 0 no match, -1 can't match */
+int DetectEngineContentInspectionInternal(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
+        const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer,
+        const uint32_t buffer_len, const uint32_t stream_start_offset, const uint8_t flags,
+        const uint8_t inspection_mode);
+/* implicit "public" just returns true match, false no match */
+bool DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
         const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer,
         uint32_t buffer_len, uint32_t stream_start_offset, uint8_t flags, uint8_t inspection_mode);
 
index 722263d45390db95391d0f461985ff857bc7fa4d..0ed70757d599aeb457cb52e4bdc3d7bb52f317c5 100644 (file)
@@ -311,10 +311,10 @@ static int DetectFrameInspectUdp(DetectEngineThreadCtx *det_ctx,
 
     // PrintRawDataFp(stdout, data, data_len);
 
-    int r = DetectEngineContentInspection(det_ctx->de_ctx, det_ctx, s, engine->smd, p, p->flow,
-            (uint8_t *)data, data_len, 0, buffer->flags,
+    const bool match = DetectEngineContentInspection(det_ctx->de_ctx, det_ctx, s, engine->smd, p,
+            p->flow, (uint8_t *)data, data_len, 0, buffer->flags,
             DETECT_ENGINE_CONTENT_INSPECTION_MODE_FRAME);
-    if (r == 1) {
+    if (match) {
         SCLogDebug("match!");
         return DETECT_ENGINE_INSPECT_SIG_MATCH;
     } else {
@@ -457,9 +457,6 @@ static int FrameStreamDataInspectFunc(
     const uint8_t *data = buffer->inspect;
     const uint64_t data_offset = buffer->inspect_offset;
     DetectEngineThreadCtx *det_ctx = fsd->det_ctx;
-    det_ctx->discontinue_matching = 0;
-    det_ctx->buffer_offset = 0;
-    det_ctx->inspection_recursion_counter = 0;
 
     const DetectEngineFrameInspectionEngine *engine = fsd->inspect_engine;
     const Signature *s = fsd->s;
@@ -481,10 +478,10 @@ static int FrameStreamDataInspectFunc(
 #endif
     BUG_ON(fsd->frame->len > 0 && (int64_t)data_len > fsd->frame->len);
 
-    int r = DetectEngineContentInspection(det_ctx->de_ctx, det_ctx, s, engine->smd, p, p->flow,
-            (uint8_t *)data, data_len, data_offset, buffer->flags,
+    const bool match = DetectEngineContentInspection(det_ctx->de_ctx, det_ctx, s, engine->smd, p,
+            p->flow, (uint8_t *)data, data_len, data_offset, buffer->flags,
             DETECT_ENGINE_CONTENT_INSPECTION_MODE_FRAME);
-    if (r == 1) {
+    if (match) {
         SCLogDebug("DETECT_ENGINE_INSPECT_SIG_MATCH");
         fsd->inspect_result = DETECT_ENGINE_INSPECT_SIG_MATCH;
     } else {
index ef92e68629f891d2e0073504e714eb76b58419bb..7da3c3b81f93652238a5266621b362dd3b0de77f 100644 (file)
@@ -153,7 +153,6 @@ uint8_t DetectEngineInspectPacketPayload(DetectEngineCtx *de_ctx, DetectEngineTh
         const Signature *s, Flow *f, Packet *p)
 {
     SCEnter();
-    int r = 0;
 
     if (s->sm_arrays[DETECT_SM_LIST_PMATCH] == NULL) {
         SCReturnInt(0);
@@ -162,16 +161,12 @@ uint8_t DetectEngineInspectPacketPayload(DetectEngineCtx *de_ctx, DetectEngineTh
     det_ctx->payload_persig_cnt++;
     det_ctx->payload_persig_size += p->payload_len;
 #endif
-    det_ctx->buffer_offset = 0;
-    det_ctx->discontinue_matching = 0;
-    det_ctx->inspection_recursion_counter = 0;
     det_ctx->replist = NULL;
 
-    r = DetectEngineContentInspection(de_ctx, det_ctx,
-            s, s->sm_arrays[DETECT_SM_LIST_PMATCH],
-            p, f, p->payload, p->payload_len, 0,
+    const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s,
+            s->sm_arrays[DETECT_SM_LIST_PMATCH], p, f, p->payload, p->payload_len, 0,
             DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD);
-    if (r == 1) {
+    if (match) {
         SCReturnInt(1);
     }
     SCReturnInt(0);
@@ -195,7 +190,6 @@ static uint8_t DetectEngineInspectStreamUDPPayload(DetectEngineCtx *de_ctx,
         Packet *p)
 {
     SCEnter();
-    int r = 0;
 
     if (smd == NULL) {
         SCReturnInt(0);
@@ -204,15 +198,12 @@ static uint8_t DetectEngineInspectStreamUDPPayload(DetectEngineCtx *de_ctx,
     det_ctx->payload_persig_cnt++;
     det_ctx->payload_persig_size += p->payload_len;
 #endif
-    det_ctx->buffer_offset = 0;
-    det_ctx->discontinue_matching = 0;
-    det_ctx->inspection_recursion_counter = 0;
     det_ctx->replist = NULL;
 
-    r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd,
-            p, f, p->payload, p->payload_len, 0, DETECT_CI_FLAGS_SINGLE,
-            DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD);
-    if (r == 1) {
+    const bool match =
+            DetectEngineContentInspection(de_ctx, det_ctx, s, smd, p, f, p->payload, p->payload_len,
+                    0, DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD);
+    if (match) {
         SCReturnInt(1);
     }
     SCReturnInt(0);
@@ -229,21 +220,17 @@ static int StreamContentInspectFunc(
         void *cb_data, const uint8_t *data, const uint32_t data_len, const uint64_t _offset)
 {
     SCEnter();
-    int r = 0;
     struct StreamContentInspectData *smd = cb_data;
 #ifdef DEBUG
     smd->det_ctx->stream_persig_cnt++;
     smd->det_ctx->stream_persig_size += data_len;
 #endif
-    smd->det_ctx->buffer_offset = 0;
-    smd->det_ctx->discontinue_matching = 0;
-    smd->det_ctx->inspection_recursion_counter = 0;
 
-    r = DetectEngineContentInspection(smd->de_ctx, smd->det_ctx,
-            smd->s, smd->s->sm_arrays[DETECT_SM_LIST_PMATCH],
-            NULL, smd->f, (uint8_t *)data, data_len, 0, 0, //TODO
+    const bool match = DetectEngineContentInspection(smd->de_ctx, smd->det_ctx, smd->s,
+            smd->s->sm_arrays[DETECT_SM_LIST_PMATCH], NULL, smd->f, (uint8_t *)data, data_len, 0,
+            0, // TODO
             DETECT_ENGINE_CONTENT_INSPECTION_MODE_STREAM);
-    if (r == 1) {
+    if (match) {
         SCReturnInt(1);
     }
 
@@ -288,21 +275,16 @@ static int StreamContentInspectEngineFunc(
         void *cb_data, const uint8_t *data, const uint32_t data_len, const uint64_t _offset)
 {
     SCEnter();
-    int r = 0;
     struct StreamContentInspectEngineData *smd = cb_data;
 #ifdef DEBUG
     smd->det_ctx->stream_persig_cnt++;
     smd->det_ctx->stream_persig_size += data_len;
 #endif
-    smd->det_ctx->buffer_offset = 0;
-    smd->det_ctx->discontinue_matching = 0;
-    smd->det_ctx->inspection_recursion_counter = 0;
 
-    r = DetectEngineContentInspection(smd->de_ctx, smd->det_ctx,
-            smd->s, smd->smd,
+    const bool match = DetectEngineContentInspection(smd->de_ctx, smd->det_ctx, smd->s, smd->smd,
             NULL, smd->f, (uint8_t *)data, data_len, 0, 0, // TODO
             DETECT_ENGINE_CONTENT_INSPECTION_MODE_STREAM);
-    if (r == 1) {
+    if (match) {
         SCReturnInt(1);
     }
 
index c078b824d033101a1254f14886aa884ef7c7929a..c4f630699a704a3d6e7f2cbe7cea97408e77e0c2 100644 (file)
@@ -2204,18 +2204,12 @@ uint8_t DetectEngineInspectBufferGeneric(DetectEngineCtx *de_ctx, DetectEngineTh
     ci_flags |= (offset == 0 ? DETECT_CI_FLAGS_START : 0);
     ci_flags |= buffer->flags;
 
-    det_ctx->discontinue_matching = 0;
-    det_ctx->buffer_offset = 0;
-    det_ctx->inspection_recursion_counter = 0;
-
     /* Inspect all the uricontents fetched on each
      * transaction at the app layer */
-    int r = DetectEngineContentInspection(de_ctx, det_ctx,
-                                          s, engine->smd,
-                                          NULL, f,
-                                          (uint8_t *)data, data_len, offset, ci_flags,
-                                          DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
-    if (r == 1) {
+    const bool match =
+            DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f, (uint8_t *)data,
+                    data_len, offset, ci_flags, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
+    if (match) {
         return DETECT_ENGINE_INSPECT_SIG_MATCH;
     } else {
         return eof ? DETECT_ENGINE_INSPECT_SIG_CANT_MATCH :
@@ -2260,16 +2254,12 @@ int DetectEngineInspectPktBufferGeneric(
     uint8_t ci_flags = DETECT_CI_FLAGS_START|DETECT_CI_FLAGS_END;
     ci_flags |= buffer->flags;
 
-    det_ctx->discontinue_matching = 0;
-    det_ctx->buffer_offset = 0;
-    det_ctx->inspection_recursion_counter = 0;
-
     /* Inspect all the uricontents fetched on each
      * transaction at the app layer */
-    int r = DetectEngineContentInspection(det_ctx->de_ctx, det_ctx, s, engine->smd, p, p->flow,
-            buffer->inspect, buffer->inspect_len, 0, ci_flags,
+    const bool match = DetectEngineContentInspection(det_ctx->de_ctx, det_ctx, s, engine->smd, p,
+            p->flow, buffer->inspect, buffer->inspect_len, 0, ci_flags,
             DETECT_ENGINE_CONTENT_INSPECTION_MODE_HEADER);
-    if (r == 1) {
+    if (match) {
         return DETECT_ENGINE_INSPECT_SIG_MATCH;
     } else {
         return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
index c576870276525f9370ec7aa57a612df07bbdbe8a..f31715adda014978080dcadba50bc9dfa14d53e2 100644 (file)
@@ -414,9 +414,6 @@ uint8_t DetectEngineInspectFiledata(DetectEngineCtx *de_ctx, DetectEngineThreadC
         if (buffer->inspect_offset == 0)
             ciflags |= DETECT_CI_FLAGS_START;
 
-        det_ctx->buffer_offset = 0;
-        det_ctx->discontinue_matching = 0;
-        det_ctx->inspection_recursion_counter = 0;
         const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f,
                 (uint8_t *)buffer->inspect, buffer->inspect_len, buffer->inspect_offset, ciflags,
                 DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
index d816b8c53dfe214c01b9e8037719fdc1fef9fa3c..7ade159fb52dd9dd3916525a3ad624e7e63a89b3 100644 (file)
@@ -320,16 +320,10 @@ static uint8_t DetectEngineInspectFilemagic(DetectEngineCtx *de_ctx, DetectEngin
         if (buffer == NULL)
             continue;
 
-        det_ctx->buffer_offset = 0;
-        det_ctx->discontinue_matching = 0;
-        det_ctx->inspection_recursion_counter = 0;
-        int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd,
-                                              NULL, f,
-                                              (uint8_t *)buffer->inspect,
-                                              buffer->inspect_len,
-                                              buffer->inspect_offset, DETECT_CI_FLAGS_SINGLE,
-                                              DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
-        if (match == 1) {
+        const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f,
+                (uint8_t *)buffer->inspect, buffer->inspect_len, buffer->inspect_offset,
+                DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
+        if (match) {
             return DETECT_ENGINE_INSPECT_SIG_MATCH;
         } else {
             r = DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES;
index 5eb446af513412cdfe7479d583355a5eab72c123..88e5808624523b94b1a74addf3c97566c9fbc064 100644 (file)
@@ -257,16 +257,10 @@ static uint8_t DetectEngineInspectFilename(DetectEngineCtx *de_ctx, DetectEngine
         if (buffer == NULL)
             continue;
 
-        det_ctx->buffer_offset = 0;
-        det_ctx->discontinue_matching = 0;
-        det_ctx->inspection_recursion_counter = 0;
-        int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd,
-                                              NULL, f,
-                                              (uint8_t *)buffer->inspect,
-                                              buffer->inspect_len,
-                                              buffer->inspect_offset, DETECT_CI_FLAGS_SINGLE,
-                                              DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
-        if (match == 1) {
+        const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f,
+                (uint8_t *)buffer->inspect, buffer->inspect_len, buffer->inspect_offset,
+                DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
+        if (match) {
             return DETECT_ENGINE_INSPECT_SIG_MATCH;
         } else {
             r = DETECT_ENGINE_INSPECT_SIG_CANT_MATCH_FILES;
index 32c407a00aeb79b0d460891d9f4ac89641a84a20..1d3d7a87cc8895e1f9ceda2309d78a75175fa960 100644 (file)
@@ -323,15 +323,12 @@ static uint8_t DetectEngineInspectBufferHttpBody(DetectEngineCtx *de_ctx,
     ci_flags |= (offset == 0 ? DETECT_CI_FLAGS_START : 0);
     ci_flags |= buffer->flags;
 
-    det_ctx->discontinue_matching = 0;
-    det_ctx->buffer_offset = 0;
-    det_ctx->inspection_recursion_counter = 0;
-
     /* Inspect all the uricontents fetched on each
      * transaction at the app layer */
-    int r = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f, (uint8_t *)data,
-            data_len, offset, ci_flags, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
-    if (r == 1) {
+    const bool match =
+            DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f, (uint8_t *)data,
+                    data_len, offset, ci_flags, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
+    if (match) {
         return DETECT_ENGINE_INSPECT_SIG_MATCH;
     }
 
index 9d4b187a9f25a67dab791ca366ee64e800f50d63..a4596c4085f2dc8dadc464343710f1da3b28603e 100644 (file)
@@ -199,17 +199,12 @@ static uint8_t DetectEngineInspectBufferHttpHeader(DetectEngineCtx *de_ctx,
     const uint8_t *data = buffer->inspect;
     const uint64_t offset = buffer->inspect_offset;
 
-    det_ctx->discontinue_matching = 0;
-    det_ctx->buffer_offset = 0;
-    det_ctx->inspection_recursion_counter = 0;
-
     /* Inspect all the uricontents fetched on each
      * transaction at the app layer */
-    int r = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd,
-            NULL, f, (uint8_t *)data, data_len, offset,
-            DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
-    SCLogDebug("r = %d", r);
-    if (r == 1) {
+    const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f,
+            (uint8_t *)data, data_len, offset, DETECT_CI_FLAGS_SINGLE,
+            DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
+    if (match) {
         return DETECT_ENGINE_INSPECT_SIG_MATCH;
     }
 end:
@@ -546,18 +541,13 @@ static uint8_t DetectEngineInspectHttp2Header(DetectEngineCtx *de_ctx,
         };
         InspectionBuffer *buffer =
                 GetHttp2HeaderData(det_ctx, flags, transforms, f, &cbdata, engine->sm_list);
-
         if (buffer == NULL || buffer->inspect == NULL)
             break;
 
-        det_ctx->buffer_offset = 0;
-        det_ctx->discontinue_matching = 0;
-        det_ctx->inspection_recursion_counter = 0;
-
-        const int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f,
+        const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f,
                 (uint8_t *)buffer->inspect, buffer->inspect_len, buffer->inspect_offset,
                 DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
-        if (match == 1) {
+        if (match) {
             return DETECT_ENGINE_INSPECT_SIG_MATCH;
         }
         local_id++;
@@ -698,18 +688,13 @@ static uint8_t DetectEngineInspectHttp1Header(DetectEngineCtx *de_ctx,
         };
         InspectionBuffer *buffer =
                 GetHttp1HeaderData(det_ctx, flags, transforms, f, &cbdata, engine->sm_list);
-
         if (buffer == NULL || buffer->inspect == NULL)
             break;
 
-        det_ctx->buffer_offset = 0;
-        det_ctx->discontinue_matching = 0;
-        det_ctx->inspection_recursion_counter = 0;
-
-        const int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f,
+        const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f,
                 (uint8_t *)buffer->inspect, buffer->inspect_len, buffer->inspect_offset,
                 DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
-        if (match == 1) {
+        if (match) {
             return DETECT_ENGINE_INSPECT_SIG_MATCH;
         }
         local_id++;
index 9991b85ad9acc195cf112219d6fd42fca9b2baa0..a1ede963825e26ae4477e0e82688a76cc61d9cf8 100644 (file)
@@ -702,17 +702,10 @@ static uint8_t DetectEngineInspectHttp2HeaderName(DetectEngineCtx *de_ctx,
         if (buffer == NULL || buffer->inspect == NULL)
             break;
 
-        det_ctx->buffer_offset = 0;
-        det_ctx->discontinue_matching = 0;
-        det_ctx->inspection_recursion_counter = 0;
-
-        const int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd,
-                                              NULL, f,
-                                              (uint8_t *)buffer->inspect,
-                                              buffer->inspect_len,
-                                              buffer->inspect_offset, DETECT_CI_FLAGS_SINGLE,
-                                              DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
-        if (match == 1) {
+        const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f,
+                (uint8_t *)buffer->inspect, buffer->inspect_len, buffer->inspect_offset,
+                DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
+        if (match) {
             return DETECT_ENGINE_INSPECT_SIG_MATCH;
         }
         local_id++;
index 1af41bac23d87dafb3e8d45ee5ab8711179f72e2..f5c5b94f35d5fdc0becab92cc3dd4a7afd8723c0 100644 (file)
@@ -155,14 +155,10 @@ static uint8_t DetectEngineInspectIkeVendor(DetectEngineCtx *de_ctx, DetectEngin
         if (buffer == NULL || buffer->inspect == NULL)
             break;
 
-        det_ctx->buffer_offset = 0;
-        det_ctx->discontinue_matching = 0;
-        det_ctx->inspection_recursion_counter = 0;
-
-        const int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f,
+        const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f,
                 (uint8_t *)buffer->inspect, buffer->inspect_len, buffer->inspect_offset,
                 DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
-        if (match == 1) {
+        if (match) {
             return DETECT_ENGINE_INSPECT_SIG_MATCH;
         }
         local_id++;
index 632df0ea5dd8e484ed4034e0603c147f111f3b9c..8664f2bc2877f2f1eb2509f4c786eff396dfc3ec 100644 (file)
@@ -100,21 +100,13 @@ static uint8_t DetectEngineInspectKrb5CName(DetectEngineCtx *de_ctx, DetectEngin
         struct Krb5PrincipalNameDataArgs cbdata = { local_id, txv, };
         InspectionBuffer *buffer =
                 GetKrb5CNameData(det_ctx, transforms, f, &cbdata, engine->sm_list);
-
         if (buffer == NULL || buffer->inspect == NULL)
             break;
 
-        det_ctx->buffer_offset = 0;
-        det_ctx->discontinue_matching = 0;
-        det_ctx->inspection_recursion_counter = 0;
-
-        const int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd,
-                                              NULL, f,
-                                              (uint8_t *)buffer->inspect,
-                                              buffer->inspect_len,
-                                              buffer->inspect_offset, DETECT_CI_FLAGS_SINGLE,
-                                              DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
-        if (match == 1) {
+        const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f,
+                (uint8_t *)buffer->inspect, buffer->inspect_len, buffer->inspect_offset,
+                DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
+        if (match) {
             return DETECT_ENGINE_INSPECT_SIG_MATCH;
         }
         local_id++;
index 19d3c6716116af52308d66fbc855150fd5e95a10..1e4ae24a4bd1bcbdedd26d44526f12d1ef8c1b66 100644 (file)
@@ -104,17 +104,10 @@ static uint8_t DetectEngineInspectKrb5SName(DetectEngineCtx *de_ctx, DetectEngin
         if (buffer == NULL || buffer->inspect == NULL)
             break;
 
-        det_ctx->buffer_offset = 0;
-        det_ctx->discontinue_matching = 0;
-        det_ctx->inspection_recursion_counter = 0;
-
-        const int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd,
-                                              NULL, f,
-                                              (uint8_t *)buffer->inspect,
-                                              buffer->inspect_len,
-                                              buffer->inspect_offset, DETECT_CI_FLAGS_SINGLE,
-                                              DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
-        if (match == 1) {
+        const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f,
+                (uint8_t *)buffer->inspect, buffer->inspect_len, buffer->inspect_offset,
+                DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
+        if (match) {
             return DETECT_ENGINE_INSPECT_SIG_MATCH;
         }
         local_id++;
index 258dc0b4cf6d5993d9a0711a5a34dc56b3b5aa68..9eaf39d3029c6ba5621873ebe217106d32f49ec7 100644 (file)
@@ -107,17 +107,10 @@ static uint8_t DetectEngineInspectMQTTSubscribeTopic(DetectEngineCtx *de_ctx,
         if (buffer == NULL || buffer->inspect == NULL)
             break;
 
-        det_ctx->buffer_offset = 0;
-        det_ctx->discontinue_matching = 0;
-        det_ctx->inspection_recursion_counter = 0;
-
-        const int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd,
-                                              NULL, f,
-                                              (uint8_t *)buffer->inspect,
-                                              buffer->inspect_len,
-                                              buffer->inspect_offset, DETECT_CI_FLAGS_SINGLE,
-                                              DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
-        if (match == 1) {
+        const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f,
+                (uint8_t *)buffer->inspect, buffer->inspect_len, buffer->inspect_offset,
+                DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
+        if (match) {
             return DETECT_ENGINE_INSPECT_SIG_MATCH;
         }
         local_id++;
index 2c1cb02c4234bab42007ce081fae6e233a48fc75..268d72bc87895970fb7d529f2b77f84bdb0ba745 100644 (file)
@@ -107,17 +107,10 @@ static uint8_t DetectEngineInspectMQTTUnsubscribeTopic(DetectEngineCtx *de_ctx,
         if (buffer == NULL || buffer->inspect == NULL)
             break;
 
-        det_ctx->buffer_offset = 0;
-        det_ctx->discontinue_matching = 0;
-        det_ctx->inspection_recursion_counter = 0;
-
-        const int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd,
-                                              NULL, f,
-                                              (uint8_t *)buffer->inspect,
-                                              buffer->inspect_len,
-                                              buffer->inspect_offset, DETECT_CI_FLAGS_SINGLE,
-                                              DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
-        if (match == 1) {
+        const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f,
+                (uint8_t *)buffer->inspect, buffer->inspect_len, buffer->inspect_offset,
+                DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
+        if (match) {
             return DETECT_ENGINE_INSPECT_SIG_MATCH;
         }
         local_id++;
index a475a23f1e5eeb231ac11290e6c05ef158c24170..88197a5e382abe188bbccd9accb5695a87ac93e7 100644 (file)
@@ -106,14 +106,10 @@ static uint8_t DetectEngineInspectQuicHash(DetectEngineCtx *de_ctx, DetectEngine
         if (buffer == NULL || buffer->inspect == NULL)
             break;
 
-        det_ctx->buffer_offset = 0;
-        det_ctx->discontinue_matching = 0;
-        det_ctx->inspection_recursion_counter = 0;
-
-        const int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f,
+        const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f,
                 (uint8_t *)buffer->inspect, buffer->inspect_len, buffer->inspect_offset,
                 DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
-        if (match == 1) {
+        if (match) {
             return DETECT_ENGINE_INSPECT_SIG_MATCH;
         }
         local_id++;
index 53775d0ffc20116173fc25badba91ebc8450a5b6..9290fa41233c7f151ad039bca1738753d37847ed 100644 (file)
@@ -104,14 +104,10 @@ static uint8_t DetectEngineInspectQuicString(DetectEngineCtx *de_ctx,
         if (buffer == NULL || buffer->inspect == NULL)
             break;
 
-        det_ctx->buffer_offset = 0;
-        det_ctx->discontinue_matching = 0;
-        det_ctx->inspection_recursion_counter = 0;
-
-        const int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f,
+        const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f,
                 (uint8_t *)buffer->inspect, buffer->inspect_len, buffer->inspect_offset,
                 DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
-        if (match == 1) {
+        if (match) {
             return DETECT_ENGINE_INSPECT_SIG_MATCH;
         }
         local_id++;
index 86fc282712baf37c0189e2773c78da86edb6be58..f1c8c97bb27820408af8d743a1efefe26a6e5e20 100644 (file)
@@ -91,7 +91,7 @@ static uint8_t DetectEngineInspectTemplateRustBuffer(DetectEngineCtx *de_ctx,
         DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine,
         const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
 {
-    uint8_t ret = 0;
+    uint8_t ret = DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
     const uint8_t *data = NULL;
     uint32_t data_len = 0;
 
@@ -102,12 +102,15 @@ static uint8_t DetectEngineInspectTemplateRustBuffer(DetectEngineCtx *de_ctx,
     }
 
     if (data != NULL) {
-        ret = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f,
+        const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f,
                 (uint8_t *)data, data_len, 0, DETECT_CI_FLAGS_SINGLE,
                 DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
+        if (match) {
+            ret = DETECT_ENGINE_INSPECT_SIG_MATCH;
+        }
     }
 
-    SCLogNotice("Returning %d.", ret);
+    SCLogNotice("Returning %u.", ret);
     return ret;
 }
 
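Review bot: The rewritten call still passes `(uint8_t *)data`, which strips the qualifier from `const uint8_t *data` declared at the top of DetectEngineInspectTemplateRustBuffer. If the `DetectEngineContentInspection` prototype takes a `const uint8_t *` buffer (it is declared outside this view, so this needs confirming), the cast can simply be dropped: `data, data_len, 0, DETECT_CI_FLAGS_SINGLE,`. The file name suggests this code is a starting point for new keywords, so a leftover cast here is likely to be copied, and it would hide any later write through an inspection buffer from the compiler.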
index e994c9e2b0e874674101e755b15832f6b2ce19b6..9ff185c494d6787ce30fccf516a974773a180d65 100644 (file)
@@ -194,16 +194,10 @@ static uint8_t DetectEngineInspectTlsCerts(DetectEngineCtx *de_ctx, DetectEngine
         if (buffer == NULL || buffer->inspect == NULL)
             break;
 
-        det_ctx->buffer_offset = 0;
-        det_ctx->discontinue_matching = 0;
-        det_ctx->inspection_recursion_counter = 0;
-
-        const int match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd,
-                                              NULL, f, (uint8_t *)buffer->inspect,
-                                              buffer->inspect_len,
-                                              buffer->inspect_offset, DETECT_CI_FLAGS_SINGLE,
-                                              DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
-        if (match == 1) {
+        const bool match = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, NULL, f,
+                (uint8_t *)buffer->inspect, buffer->inspect_len, buffer->inspect_offset,
+                DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE);
+        if (match) {
             return DETECT_ENGINE_INSPECT_SIG_MATCH;
         }
 
index a3cd161fa654e1c7f9b6e4ecde9e34f9fbbca349..cdc098368fc4ceb91293f6a4ee9912e8badea572 100644 (file)
@@ -1141,8 +1141,6 @@ typedef struct DetectEngineThreadCtx_ {
         uint32_t *to_clear_queue;
     } multi_inspect;
 
-    /* used to discontinue any more matching */
-    uint16_t discontinue_matching;
     uint16_t flags; /**< DETECT_ENGINE_THREAD_CTX_* flags */
 
     /* true if tx_id is set */