From: Victor Julien Date: Mon, 18 Dec 2017 16:11:15 +0000 (+0100) Subject: detect/content: pass START/END flags to inspection X-Git-Tag: suricata-4.1.0-beta1~137 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d14e51a4aa6c2111ff115b4fe4b1b36fd09d6bc9;p=thirdparty%2Fsuricata.git detect/content: pass START/END flags to inspection --- diff --git a/src/detect-base64-data.c b/src/detect-base64-data.c index e9d72b11c4..92cce96cbd 100644 --- a/src/detect-base64-data.c +++ b/src/detect-base64-data.c @@ -64,7 +64,7 @@ int DetectBase64DataDoMatch(DetectEngineCtx *de_ctx, if (det_ctx->base64_decoded_len) { return DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_arrays[DETECT_SM_LIST_BASE64_DATA], f, det_ctx->base64_decoded, - det_ctx->base64_decoded_len, 0, + det_ctx->base64_decoded_len, 0, DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL); } diff --git a/src/detect-dce-stub-data.c b/src/detect-dce-stub-data.c index 6470c92acb..569dad5df4 100644 --- a/src/detect-dce-stub-data.c +++ b/src/detect-dce-stub-data.c @@ -181,7 +181,7 @@ static int InspectEngineDceStubData(ThreadVars *tv, int r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd, f, buffer, buffer_len, - 0, + 0, DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, dcerpc_state); if (r == 1) diff --git a/src/detect-dnp3.c b/src/detect-dnp3.c index a979391d54..ebb3e13609 100644 --- a/src/detect-dnp3.c +++ b/src/detect-dnp3.c 
@@ -154,12 +154,14 @@ static int DetectEngineInspectDNP3Data(ThreadVars *tv, DetectEngineCtx *de_ctx, if (flags & STREAM_TOSERVER && tx->request_buffer != NULL) { r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd, f, tx->request_buffer, - tx->request_buffer_len, 0, 0, NULL); + tx->request_buffer_len, 0, DETECT_CI_FLAGS_SINGLE, + DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL); } else if (flags & STREAM_TOCLIENT && tx->response_buffer != NULL) { r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd, f, tx->response_buffer, - tx->response_buffer_len, 0, 0, NULL); + tx->response_buffer_len, 0, DETECT_CI_FLAGS_SINGLE, + DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL); } SCReturnInt(r); diff --git a/src/detect-dns-query.c b/src/detect-dns-query.c index d851bb21cb..6b74f52d79 100644 --- a/src/detect-dns-query.c +++ b/src/detect-dns-query.c @@ -164,7 +164,7 @@ static int DetectEngineInspectDnsQuery( f, (uint8_t *)buffer->inspect, buffer->inspect_len, - buffer->inspect_offset, + buffer->inspect_offset, DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL); if (match == 1) { return DETECT_ENGINE_INSPECT_SIG_MATCH; @@ -190,7 +190,7 @@ static int DetectEngineInspectDnsQuery( f, (uint8_t *)buffer->inspect, buffer->inspect_len, - buffer->inspect_offset, + buffer->inspect_offset, DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL); if (match == 1) { return DETECT_ENGINE_INSPECT_SIG_MATCH; diff --git a/src/detect-engine-content-inspection.c b/src/detect-engine-content-inspection.c index ef878b2f65..3e4471c9d7 100644 --- a/src/detect-engine-content-inspection.c +++ b/src/detect-engine-content-inspection.c 
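Review bot: Both calls in DetectEngineInspectDNP3Data change a second argument besides the new flags: the old `0, 0, NULL` tail passed a literal `0` as inspection_mode, and the new code passes `DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE`. The enum in detect-engine-content-inspection.h lists STATE as its last enumerator, so `0` was presumably a different mode, and DNP3 buffers may now be inspected differently than before. The commit subject only mentions START/END flags, so this change deserves its own line in the message or a short comment at the call, e.g. `/* DNP3 tx buffers are app-layer state: inspect in MODE_STATE */`. The function body starts and ends outside the hunk.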
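Review bot: The two DetectEngineInspectDnsQuery calls pass `buffer->inspect_offset` as the stream offset yet hard-code `DETECT_CI_FLAGS_SINGLE`, which asserts that the buffer holds the start of the data. The filedata and HTTP client body callers in this same commit set `DETECT_CI_FLAGS_START` only when the offset is 0, so the two conventions disagree whenever the offset is non-zero. If the offset is always 0 here, say so in a comment; otherwise derive the flag, e.g. `buffer->inspect_offset == 0 ? DETECT_CI_FLAGS_SINGLE : DETECT_CI_FLAGS_END`. The same applies to the `offset` argument in DetectEngineInspectBufferGeneric in src/detect-engine.c. A keyword that later keys on START would otherwise anchor at the wrong position, giving a missed or false detection.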
@@ -102,7 +102,7 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx const Signature *s, const SigMatchData *smd, Flow *f, uint8_t *buffer, uint32_t buffer_len, - uint32_t stream_start_offset, + uint32_t stream_start_offset, uint8_t flags, uint8_t inspection_mode, void *data) { SCEnter(); @@ -332,7 +332,8 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx * search for another occurence of this content and see * if the others match then until we run out of matches */ int r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd+1, - f, buffer, buffer_len, stream_start_offset, inspection_mode, data); + f, buffer, buffer_len, stream_start_offset, flags, + inspection_mode, data); if (r == 1) { SCReturnInt(1); } @@ -435,7 +436,8 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx * search for another occurence of this pcre and see * if the others match, until we run out of matches */ r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd+1, - f, buffer, buffer_len, stream_start_offset, inspection_mode, data); + f, buffer, buffer_len, stream_start_offset, flags, + inspection_mode, data); if (r == 1) { SCReturnInt(1); } 
@@ -449,27 +451,27 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx } else if (smd->type == DETECT_BYTETEST) { DetectBytetestData *btd = (DetectBytetestData *)smd->ctx; - uint8_t flags = btd->flags; + uint8_t btflags = btd->flags; int32_t offset = btd->offset; uint64_t value = btd->value; - if (flags & DETECT_BYTETEST_OFFSET_BE) { + if (btflags & DETECT_BYTETEST_OFFSET_BE) { offset = det_ctx->bj_values[offset]; } - if (flags & DETECT_BYTETEST_VALUE_BE) { + if (btflags & DETECT_BYTETEST_VALUE_BE) { value = det_ctx->bj_values[value]; } /* if we have dce enabled we will have to use the endianness * specified by the dce header */ - if (flags & DETECT_BYTETEST_DCE && data != NULL) { + if (btflags & DETECT_BYTETEST_DCE && data != NULL) { DCERPCState *dcerpc_state = (DCERPCState *)data; /* enable the endianness flag temporarily. once we are done * processing we reset the flags to the original value*/ - flags |= ((dcerpc_state->dcerpc.dcerpchdr.packed_drep[0] & 0x10) ? + btflags |= ((dcerpc_state->dcerpc.dcerpchdr.packed_drep[0] & 0x10) ? DETECT_BYTETEST_LITTLE: 0); } - if (DetectBytetestDoMatch(det_ctx, s, smd->ctx, buffer, buffer_len, flags, + if (DetectBytetestDoMatch(det_ctx, s, smd->ctx, buffer, buffer_len, btflags, offset, value) != 1) { goto no_match; } 
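Review bot: The comment kept above `btflags |= ...` still says the flags are reset to the original value once processing is done, but `btflags` is a local copy of `btd->flags` and nothing is reset. Reword it to match the code, e.g. `/* set the endianness bit on our local copy only; btd->flags is left untouched */`, and do the same for `bjflags` in the DETECT_BYTEJUMP branch in the next hunk. A one-line remark that the rename avoids shadowing the new `flags` parameter would also help the next reader. Both branches sit inside DetectEngineContentInspection, whose body starts and ends outside the hunk.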
@@ -478,25 +480,25 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx } else if (smd->type == DETECT_BYTEJUMP) { DetectBytejumpData *bjd = (DetectBytejumpData *)smd->ctx; - uint8_t flags = bjd->flags; + uint8_t bjflags = bjd->flags; int32_t offset = bjd->offset; - if (flags & DETECT_BYTEJUMP_OFFSET_BE) { + if (bjflags & DETECT_BYTEJUMP_OFFSET_BE) { offset = det_ctx->bj_values[offset]; } /* if we have dce enabled we will have to use the endianness * specified by the dce header */ - if (flags & DETECT_BYTEJUMP_DCE && data != NULL) { + if (bjflags & DETECT_BYTEJUMP_DCE && data != NULL) { DCERPCState *dcerpc_state = (DCERPCState *)data; /* enable the endianness flag temporarily. once we are done * processing we reset the flags to the original value*/ - flags |= ((dcerpc_state->dcerpc.dcerpchdr.packed_drep[0] & 0x10) ? + bjflags |= ((dcerpc_state->dcerpc.dcerpchdr.packed_drep[0] & 0x10) ? DETECT_BYTEJUMP_LITTLE: 0); } if (DetectBytejumpDoMatch(det_ctx, s, smd->ctx, buffer, buffer_len, - flags, offset) != 1) { + bjflags, offset) != 1) { goto no_match; } @@ -604,7 +606,8 @@ match: if (!smd->is_last) { KEYWORD_PROFILING_END(det_ctx, smd->type, 1); int r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd+1, - f, buffer, buffer_len, stream_start_offset, inspection_mode, data); + f, buffer, buffer_len, stream_start_offset, flags, + inspection_mode, data); SCReturnInt(r); } final_match: diff --git a/src/detect-engine-content-inspection.h b/src/detect-engine-content-inspection.h index 26db938c36..6d6d4e3945 100644 --- a/src/detect-engine-content-inspection.h +++ b/src/detect-engine-content-inspection.h @@ -19,6 +19,7 @@ * \file * * \author Anoop Saldanha + * \author Victor Julien */ #ifndef __DETECT_ENGINE_CONTENT_INSPECTION_H__ 
@@ -33,11 +34,19 @@ enum { DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, }; +#define DETECT_CI_FLAGS_START BIT_U8(0) /**< unused, reserved for future use */ +#define DETECT_CI_FLAGS_END BIT_U8(1) /**< indication that current buffer + * is the end of the data */ + +/** buffer is a single, non-streaming, buffer. Data sent to the content + * inspection function contains both start and end of the data. */ +#define DETECT_CI_FLAGS_SINGLE (DETECT_CI_FLAGS_START|DETECT_CI_FLAGS_END) + int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, uint8_t *buffer, uint32_t buffer_len, - uint32_t stream_start_offset, + uint32_t stream_start_offset, uint8_t flags, uint8_t inspection_mode, void *data); void DetectEngineContentInspectionRegisterTests(void); diff --git a/src/detect-engine-filedata.c b/src/detect-engine-filedata.c index 155706bdab..d20a56d30f 100644 --- a/src/detect-engine-filedata.c +++ b/src/detect-engine-filedata.c @@ -162,6 +162,11 @@ int DetectEngineInspectFiledata( if (buffer == NULL) continue; + bool eof = (file->state == FILE_STATE_CLOSED); + uint8_t ciflags = eof ? DETECT_CI_FLAGS_END : 0; + if (buffer->inspect_offset == 0) + ciflags |= DETECT_CI_FLAGS_START; + det_ctx->buffer_offset = 0; det_ctx->discontinue_matching = 0; det_ctx->inspection_recursion_counter = 0; @@ -169,7 +174,7 @@ int DetectEngineInspectFiledata( f, (uint8_t *)buffer->inspect, buffer->inspect_len, - buffer->inspect_offset, + buffer->inspect_offset, ciflags, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL); if (match == 1) { r = 1; diff --git a/src/detect-engine-hcbd.c b/src/detect-engine-hcbd.c index 448842ff21..97a6977e71 100644 --- a/src/detect-engine-hcbd.c +++ b/src/detect-engine-hcbd.c 
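Review bot: The doc comment on `DETECT_CI_FLAGS_START` says "unused, reserved for future use", but this commit already sets it in DetectEngineInspectFiledata and DetectEngineInspectHttpClientBody and includes it in `DETECT_CI_FLAGS_SINGLE`. Describe what the bit means instead, e.g. `/**< indication that current buffer is the start of the data */`, and state separately that no keyword reads it yet if that is the case. The prototype also gains `uint8_t flags` with no parameter documentation; a `\param flags DETECT_CI_FLAGS_* bitmask describing where buffer sits in the data` line on the function's doc comment would close that gap. It is also worth stating what a value of 0 means (middle of a stream, or simply unknown), since the stream callbacks in src/detect-engine-payload.c pass 0.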
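Review bot: In DetectEngineInspectFiledata, `eof` is true only for `FILE_STATE_CLOSED`, so a file that finishes in any other terminal state never gets `DETECT_CI_FLAGS_END` on its last buffer. Suricata's file states also include truncated and error outcomes (defined outside this diff). Whether those count as the end of the data is a detection decision that should be written down next to this line, e.g. `/* only a cleanly closed file counts as END; truncated or errored files never signal it */`. Separately, the local is named `ciflags` here and `ci_flags` in DetectEngineInspectHttpClientBody; pick one spelling. The enclosing loop starts and ends outside the hunk.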
@@ -269,6 +269,7 @@ int DetectEngineInspectHttpClientBody(ThreadVars *tv, HtpState *htp_state = (HtpState *)alstate; uint32_t buffer_len = 0; uint32_t stream_start_offset = 0; + const bool eof = (AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP, tx, flags) > HTP_REQUEST_BODY); const uint8_t *buffer = DetectEngineHCBDGetBufferForTX(tx, tx_id, de_ctx, det_ctx, f, htp_state, @@ -278,6 +279,9 @@ int DetectEngineInspectHttpClientBody(ThreadVars *tv, if (buffer_len == 0) goto end; + uint8_t ci_flags = eof ? DETECT_CI_FLAGS_END : 0; + ci_flags |= (stream_start_offset == 0 ? DETECT_CI_FLAGS_START : 0); + det_ctx->buffer_offset = 0; det_ctx->discontinue_matching = 0; det_ctx->inspection_recursion_counter = 0; @@ -285,14 +289,14 @@ int DetectEngineInspectHttpClientBody(ThreadVars *tv, f, (uint8_t *)buffer, buffer_len, - stream_start_offset, + stream_start_offset, ci_flags, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL); if (r == 1) return DETECT_ENGINE_INSPECT_SIG_MATCH; end: - if (AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP, tx, flags) > HTP_REQUEST_BODY) + if (eof) return DETECT_ENGINE_INSPECT_SIG_CANT_MATCH; else return DETECT_ENGINE_INSPECT_SIG_NO_MATCH; diff --git a/src/detect-engine-hcd.c b/src/detect-engine-hcd.c index e919c106dd..21d5646d6e 100644 --- a/src/detect-engine-hcd.c +++ b/src/detect-engine-hcd.c @@ -197,7 +197,7 @@ int DetectEngineInspectHttpCookie(ThreadVars *tv, f, (uint8_t *)bstr_ptr(h->value), bstr_len(h->value), - 0, + 0, DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL); if (r == 1) return DETECT_ENGINE_INSPECT_SIG_MATCH; diff --git a/src/detect-engine-hhhd.c b/src/detect-engine-hhhd.c index d55bbc70aa..c164651923 100644 --- a/src/detect-engine-hhhd.c +++ b/src/detect-engine-hhhd.c 
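Review bot: In DetectEngineInspectHttpClientBody, `ci_flags` gets `DETECT_CI_FLAGS_END` as soon as transaction progress is past `HTP_REQUEST_BODY`, but that says the parser is done with the body, not that `buffer` holds the body's last bytes. If the body was cut short by a configured body limit or inspection window (that logic is not visible here), an end-anchored match would run against a truncation point that the sender controls. Please confirm how DetectEngineHCBDGetBufferForTX behaves in that case and record it in a comment above the assignment, e.g. `/* END means the tx moved past the body; buffer may still be truncated by the body limit */`. The `eof` declaration added in the previous hunk is also well over 80 columns and would read better wrapped.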
@@ -134,7 +134,7 @@ int DetectEngineInspectHttpHH(ThreadVars *tv, int r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd, f, hname, hname_len, - 0, + 0, DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL); if (r == 1) return DETECT_ENGINE_INSPECT_SIG_MATCH; diff --git a/src/detect-engine-hmd.c b/src/detect-engine-hmd.c index 976a9cdab7..cc21a0c9f1 100644 --- a/src/detect-engine-hmd.c +++ b/src/detect-engine-hmd.c @@ -132,7 +132,7 @@ int DetectEngineInspectHttpMethod(ThreadVars *tv, f, (uint8_t *)bstr_ptr(tx->request_method), bstr_len(tx->request_method), - 0, + 0, DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL); if (r == 1) return DETECT_ENGINE_INSPECT_SIG_MATCH; diff --git a/src/detect-engine-hrhd.c b/src/detect-engine-hrhd.c index 2974c04083..c515408063 100644 --- a/src/detect-engine-hrhd.c +++ b/src/detect-engine-hrhd.c @@ -201,7 +201,7 @@ int DetectEngineInspectHttpRawHeader(ThreadVars *tv, f, headers_raw, headers_raw_len, - 0, + 0, DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL); if (r == 1) return DETECT_ENGINE_INSPECT_SIG_MATCH; diff --git a/src/detect-engine-hrhhd.c b/src/detect-engine-hrhhd.c index 6e0c02b655..558f14ec00 100644 --- a/src/detect-engine-hrhhd.c +++ b/src/detect-engine-hrhhd.c @@ -157,7 +157,7 @@ int DetectEngineInspectHttpHRH(ThreadVars *tv, int r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd, f, hname, hname_len, - 0, + 0, DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL); if (r == 1) return DETECT_ENGINE_INSPECT_SIG_MATCH; diff --git a/src/detect-engine-hrud.c b/src/detect-engine-hrud.c index a37043378f..a7811802be 100644 --- a/src/detect-engine-hrud.c +++ b/src/detect-engine-hrud.c 
@@ -134,7 +134,7 @@ int DetectEngineInspectHttpRawUri(ThreadVars *tv, f, (uint8_t *)bstr_ptr(tx->request_uri), bstr_len(tx->request_uri), - 0, + 0, DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL); if (r == 1) return DETECT_ENGINE_INSPECT_SIG_MATCH; diff --git a/src/detect-engine-hscd.c b/src/detect-engine-hscd.c index 33e7560853..a09e55c551 100644 --- a/src/detect-engine-hscd.c +++ b/src/detect-engine-hscd.c @@ -131,7 +131,7 @@ int DetectEngineInspectHttpStatCode(ThreadVars *tv, f, (uint8_t *)bstr_ptr(tx->response_status), bstr_len(tx->response_status), - 0, + 0, DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL); if (r == 1) return DETECT_ENGINE_INSPECT_SIG_MATCH; diff --git a/src/detect-engine-hsmd.c b/src/detect-engine-hsmd.c index 4266ec770c..c83ac3c47e 100644 --- a/src/detect-engine-hsmd.c +++ b/src/detect-engine-hsmd.c @@ -131,7 +131,7 @@ int DetectEngineInspectHttpStatMsg(ThreadVars *tv, f, (uint8_t *)bstr_ptr(tx->response_message), bstr_len(tx->response_message), - 0, + 0, DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL); if (r == 1) return DETECT_ENGINE_INSPECT_SIG_MATCH; diff --git a/src/detect-engine-hua.c b/src/detect-engine-hua.c index ee8f6d84d2..1e9cd0c934 100644 --- a/src/detect-engine-hua.c +++ b/src/detect-engine-hua.c @@ -140,7 +140,7 @@ int DetectEngineInspectHttpUA(ThreadVars *tv, f, (uint8_t *)bstr_ptr(h->value), bstr_len(h->value), - 0, + 0, DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL); if (r == 1) return DETECT_ENGINE_INSPECT_SIG_MATCH; diff --git a/src/detect-engine-payload.c b/src/detect-engine-payload.c index c0a9b97fb9..ce15ded4d5 100644 --- a/src/detect-engine-payload.c +++ b/src/detect-engine-payload.c 
@@ -163,7 +163,7 @@ int DetectEngineInspectPacketPayload(DetectEngineCtx *de_ctx, det_ctx->replist = NULL; r = DetectEngineContentInspection(de_ctx, det_ctx, s, s->sm_arrays[DETECT_SM_LIST_PMATCH], - f, p->payload, p->payload_len, 0, + f, p->payload, p->payload_len, 0, DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD, p); if (r == 1) { SCReturnInt(1); @@ -205,7 +205,7 @@ static int DetectEngineInspectStreamUDPPayload(DetectEngineCtx *de_ctx, det_ctx->replist = NULL; r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd, - f, p->payload, p->payload_len, 0, + f, p->payload, p->payload_len, 0, DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD, p); if (r == 1) { SCReturnInt(1); @@ -235,7 +235,7 @@ static int StreamContentInspectFunc(void *cb_data, const uint8_t *data, const ui r = DetectEngineContentInspection(smd->de_ctx, smd->det_ctx, smd->s, smd->s->sm_arrays[DETECT_SM_LIST_PMATCH], - smd->f, (uint8_t *)data, data_len, 0, + smd->f, (uint8_t *)data, data_len, 0, 0, //TODO DETECT_ENGINE_CONTENT_INSPECTION_MODE_STREAM, NULL); if (r == 1) { SCReturnInt(1); @@ -293,7 +293,7 @@ static int StreamContentInspectEngineFunc(void *cb_data, const uint8_t *data, co r = DetectEngineContentInspection(smd->de_ctx, smd->det_ctx, smd->s, smd->smd, - smd->f, (uint8_t *)data, data_len, 0, + smd->f, (uint8_t *)data, data_len, 0, 0, // TODO DETECT_ENGINE_CONTENT_INSPECTION_MODE_STREAM, NULL); if (r == 1) { SCReturnInt(1); diff --git a/src/detect-engine-tls.c b/src/detect-engine-tls.c index 84ec894685..53f2b1a9a1 100644 --- a/src/detect-engine-tls.c +++ b/src/detect-engine-tls.c @@ -117,7 +117,7 @@ int DetectEngineInspectTlsSni(ThreadVars *tv, buffer_len = strlen(ssl_state->client_connp.sni); cnt = DetectEngineContentInspection(de_ctx, det_ctx, s, smd, - f, buffer, buffer_len, 0, + f, buffer, buffer_len, 0, DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL); return cnt; 
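Review bot: Both stream callbacks, StreamContentInspectFunc and StreamContentInspectEngineFunc, pass a literal `0` for the new flags with only a bare `//TODO`, so stream-mode inspection never reports START or END. Any keyword that comes to depend on `DETECT_CI_FLAGS_END` would then fail to match on reassembled stream data while matching the same bytes in a single packet, where `DETECT_CI_FLAGS_SINGLE` is passed. That is a detection gap. Until the stream offset and end-of-stream state are plumbed through, replace the TODO with a comment that states the limitation, e.g. `/* TODO: stream mode does not yet pass START/END; flags-dependent keywords cannot match here */`. Both function bodies extend outside their hunks.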
@@ -193,7 +193,7 @@ int DetectEngineInspectTlsIssuer(ThreadVars *tv, buffer_len = strlen(ssl_state->server_connp.cert0_issuerdn); cnt = DetectEngineContentInspection(de_ctx, det_ctx, s, smd, - f, buffer, buffer_len, 0, + f, buffer, buffer_len, 0, DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL); return cnt; @@ -269,7 +269,7 @@ int DetectEngineInspectTlsSubject(ThreadVars *tv, buffer_len = strlen(ssl_state->server_connp.cert0_subject); cnt = DetectEngineContentInspection(de_ctx, det_ctx, s, smd, - f, buffer, buffer_len, 0, + f, buffer, buffer_len, 0, DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL); return cnt; @@ -346,7 +346,7 @@ int DetectEngineInspectTlsSerial(ThreadVars *tv, DetectEngineCtx *de_ctx, buffer_len = strlen(ssl_state->server_connp.cert0_serial); cnt = DetectEngineContentInspection(de_ctx, det_ctx, s, smd, - f, buffer, buffer_len, 0, + f, buffer, buffer_len, 0, DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL); return cnt; @@ -424,7 +424,7 @@ int DetectEngineInspectTlsFingerprint(ThreadVars *tv, DetectEngineCtx *de_ctx, buffer_len = strlen(ssl_state->server_connp.cert0_fingerprint); cnt = DetectEngineContentInspection(de_ctx, det_ctx, s, smd, - f, buffer, buffer_len, 0, + f, buffer, buffer_len, 0, DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL); return cnt; diff --git a/src/detect-engine-uri.c b/src/detect-engine-uri.c index 71f46cf783..acbe296036 100644 --- a/src/detect-engine-uri.c +++ b/src/detect-engine-uri.c @@ -135,7 +135,7 @@ int DetectEngineInspectHttpUri(ThreadVars *tv, f, bstr_ptr(tx_ud->request_uri_normalized), bstr_len(tx_ud->request_uri_normalized), - 0, + 0, DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL); if (r == 1) { return DETECT_ENGINE_INSPECT_SIG_MATCH; diff --git a/src/detect-engine.c b/src/detect-engine.c index ac53d1919c..5131cb93eb 100644 --- a/src/detect-engine.c +++ b/src/detect-engine.c 
@@ -1199,7 +1199,7 @@ int DetectEngineInspectBufferGeneric( int r = DetectEngineContentInspection(de_ctx, det_ctx, s, engine->smd, f, - (uint8_t *)data, data_len, offset, + (uint8_t *)data, data_len, offset, DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL); if (r == 1) { return DETECT_ENGINE_INSPECT_SIG_MATCH; diff --git a/src/detect-http-header-names.c b/src/detect-http-header-names.c index fa27800457..0f947b2dbb 100644 --- a/src/detect-http-header-names.c +++ b/src/detect-http-header-names.c @@ -332,7 +332,7 @@ static int InspectEngineHttpHeaderNames(ThreadVars *tv, int r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd, f, buffer, buffer_len, - 0, + 0, DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL); if (r == 1) return DETECT_ENGINE_INSPECT_SIG_MATCH; diff --git a/src/detect-http-header.c b/src/detect-http-header.c index 9d2c980c0c..3caa1eb362 100644 --- a/src/detect-http-header.c +++ b/src/detect-http-header.c @@ -331,7 +331,7 @@ static int DetectEngineInspectHttpHeader(ThreadVars *tv, f, buffer, buffer_len, - 0, + 0, DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL); if (r == 1) return DETECT_ENGINE_INSPECT_SIG_MATCH; diff --git a/src/detect-http-headers-stub.h b/src/detect-http-headers-stub.h index fc70640146..c76574411f 100644 --- a/src/detect-http-headers-stub.h +++ b/src/detect-http-headers-stub.h @@ -251,7 +251,7 @@ static int InspectEngineHttpRequestHeader(ThreadVars *tv, int r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd, f, buffer, buffer_len, - 0, + 0, DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL); if (r == 1) return DETECT_ENGINE_INSPECT_SIG_MATCH; 
@@ -292,7 +292,7 @@ static int InspectEngineHttpResponseHeader(ThreadVars *tv, int r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd, f, buffer, buffer_len, - 0, + 0, DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL); if (r == 1) return DETECT_ENGINE_INSPECT_SIG_MATCH; diff --git a/src/detect-http-protocol.c b/src/detect-http-protocol.c index 527a9e2e75..1b669e357f 100644 --- a/src/detect-http-protocol.c +++ b/src/detect-http-protocol.c @@ -180,7 +180,7 @@ static int InspectEngineHttpProtocol(ThreadVars *tv, int r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd, f, buffer, buffer_len, - 0, + 0, DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL); if (r == 1) return DETECT_ENGINE_INSPECT_SIG_MATCH; diff --git a/src/detect-http-response-line.c b/src/detect-http-response-line.c index f1d79d5dca..bebe97acc7 100644 --- a/src/detect-http-response-line.c +++ b/src/detect-http-response-line.c @@ -200,7 +200,7 @@ int DetectEngineInspectHttpResponseLine(ThreadVars *tv, f, bstr_ptr(tx->response_line), bstr_len(tx->response_line), - 0, + 0, DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL); if (r == 1) { return DETECT_ENGINE_INSPECT_SIG_MATCH; diff --git a/src/detect-http-start.c b/src/detect-http-start.c index 19f79160e8..6aecb84897 100644 --- a/src/detect-http-start.c +++ b/src/detect-http-start.c @@ -269,7 +269,7 @@ static int InspectEngineHttpStart(ThreadVars *tv, int r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd, f, buffer, buffer_len, - 0, + 0, DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL); if (r == 1) return DETECT_ENGINE_INSPECT_SIG_MATCH; diff --git a/src/detect-ssh-proto.c b/src/detect-ssh-proto.c index 58d6bd0749..f54dc51a3f 100644 --- a/src/detect-ssh-proto.c +++ b/src/detect-ssh-proto.c 
@@ -161,7 +161,7 @@ static int InspectEngineSshProtocol(ThreadVars *tv, int r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd, f, buffer, buffer_len, - 0, + 0, DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL); if (r == 1) return DETECT_ENGINE_INSPECT_SIG_MATCH; diff --git a/src/detect-ssh-software.c b/src/detect-ssh-software.c index 4f5b4e214d..ef175be48c 100644 --- a/src/detect-ssh-software.c +++ b/src/detect-ssh-software.c @@ -161,7 +161,7 @@ static int InspectEngineSshSoftware(ThreadVars *tv, int r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd, f, buffer, buffer_len, - 0, + 0, DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL); if (r == 1) return DETECT_ENGINE_INSPECT_SIG_MATCH; diff --git a/src/detect-template-buffer.c b/src/detect-template-buffer.c index ad6066688b..0f02f2b39a 100644 --- a/src/detect-template-buffer.c +++ b/src/detect-template-buffer.c @@ -97,12 +97,14 @@ static int DetectEngineInspectTemplateBuffer(ThreadVars *tv, if (flags & STREAM_TOSERVER && tx->request_buffer != NULL) { ret = DetectEngineContentInspection(de_ctx, det_ctx, s, smd, - f, tx->request_buffer, tx->request_buffer_len, 0, + f, tx->request_buffer, tx->request_buffer_len, + 0, DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL); } else if (flags & STREAM_TOCLIENT && tx->response_buffer != NULL) { ret = DetectEngineContentInspection(de_ctx, det_ctx, s, smd, - f, tx->response_buffer, tx->response_buffer_len, 0, + f, tx->response_buffer, tx->response_buffer_len, + 0, DETECT_CI_FLAGS_SINGLE, DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL); } diff --git a/src/tests/detect-engine-content-inspection.c b/src/tests/detect-engine-content-inspection.c index c920657f9d..1f9e87ad7b 100644 --- a/src/tests/detect-engine-content-inspection.c +++ b/src/tests/detect-engine-content-inspection.c 
@@ -48,7 +48,7 @@ FAIL_IF_NULL(det_ctx); \ int r = DetectEngineContentInspection(de_ctx, det_ctx, \ s, s->sm_arrays[DETECT_SM_LIST_PMATCH], &f, \ - (uint8_t *)(buf), (buflen), 0, \ + (uint8_t *)(buf), (buflen), 0, DETECT_CI_FLAGS_SINGLE, \ DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD, NULL); \ FAIL_IF_NOT(r == (match)); \ FAIL_IF_NOT(det_ctx->inspection_recursion_counter == (steps)); \