suricata/src/detect-content.h

/* Copyright (C) 2007-2010 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */

/**
 * \file
 *
 * \author Victor Julien <victor@inliniac.net>
 */

#ifndef __DETECT_CONTENT_H__
#define __DETECT_CONTENT_H__

/* Flags affecting this content */

#define DETECT_CONTENT_NOCASE            BIT_U32(0)
#define DETECT_CONTENT_DISTANCE          BIT_U32(1)
#define DETECT_CONTENT_WITHIN            BIT_U32(2)
#define DETECT_CONTENT_OFFSET            BIT_U32(3)
#define DETECT_CONTENT_DEPTH             BIT_U32(4)
#define DETECT_CONTENT_FAST_PATTERN      BIT_U32(5)
#define DETECT_CONTENT_FAST_PATTERN_ONLY BIT_U32(6)
#define DETECT_CONTENT_FAST_PATTERN_CHOP BIT_U32(7)
/** content applies to a "raw"/undecoded field if applicable */
#define DETECT_CONTENT_RAWBYTES          BIT_U32(8)
/** content is negated */
#define DETECT_CONTENT_NEGATED           BIT_U32(9)

#define DETECT_CONTENT_ENDS_WITH         BIT_U32(10)

/* BE - byte extract */
#define DETECT_CONTENT_OFFSET_BE         BIT_U32(11)
#define DETECT_CONTENT_DEPTH_BE          BIT_U32(12)
#define DETECT_CONTENT_DISTANCE_BE       BIT_U32(13)
#define DETECT_CONTENT_WITHIN_BE         BIT_U32(14)

/* replace data */
#define DETECT_CONTENT_REPLACE           BIT_U32(15)
/* this flag is set during the staging phase.  It indicates that a content
 * has been added to the mpm phase and requires no further inspection inside
 * the inspection phase */
#define DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED BIT_U32(16)

#define DETECT_CONTENT_WITHIN_NEXT      BIT_U32(17)
#define DETECT_CONTENT_DISTANCE_NEXT    BIT_U32(18)
#define DETECT_CONTENT_STARTS_WITH      BIT_U32(19)
/** MPM pattern selected by the engine or forced by fast_pattern keyword */
#define DETECT_CONTENT_MPM              BIT_U32(20)

/** a relative match to this content is next, used in matching phase */
#define DETECT_CONTENT_RELATIVE_NEXT    (DETECT_CONTENT_WITHIN_NEXT|DETECT_CONTENT_DISTANCE_NEXT)

#define DETECT_CONTENT_IS_SINGLE(c) (!( ((c)->flags & DETECT_CONTENT_DISTANCE) || \
                                        ((c)->flags & DETECT_CONTENT_WITHIN) || \
                                        ((c)->flags & DETECT_CONTENT_RELATIVE_NEXT) || \
                                        ((c)->flags & DETECT_CONTENT_DEPTH) || \
                                        ((c)->flags & DETECT_CONTENT_OFFSET) ))

/* if a pattern has no depth/offset limits, no relative specifiers and isn't
 * chopped for the mpm, we can take the mpm and consider this pattern a match
 * w/o futher inspection. Warning: this may still mean other patterns depend
 * on this pattern that force match validation anyway. */
#define DETECT_CONTENT_MPM_IS_CONCLUSIVE(c) \
                                    !( ((c)->flags & DETECT_CONTENT_DISTANCE) || \
                                       ((c)->flags & DETECT_CONTENT_WITHIN)   || \
                                       ((c)->flags & DETECT_CONTENT_DEPTH)    || \
                                       ((c)->flags & DETECT_CONTENT_OFFSET)   || \
                                       ((c)->flags & DETECT_CONTENT_FAST_PATTERN_CHOP))


#include "util-spm.h"

typedef struct DetectContentData_ {
    uint8_t *content;
    uint16_t content_len;
    uint16_t replace_len;
    /* for chopped fast pattern, the length */
    uint16_t fp_chop_len;
    /* for chopped fast pattern, the offset */
    uint16_t fp_chop_offset;
    /* would want to move PatIntId here and flags down to remove the padding
     * gap, but I think the first four members was used as a template for
     * casting.  \todo check this and fix it if posssible */
    uint32_t flags;
    PatIntId id;
    uint16_t depth;
    uint16_t offset;
    int32_t distance;
    int32_t within;
    /* SPM search context. */
    SpmCtx *spm_ctx;
    /* pointer to replacement data */
    uint8_t *replace;
} DetectContentData;

/* prototypes */
void DetectContentRegister (void);
uint32_t DetectContentMaxId(DetectEngineCtx *);
DetectContentData *DetectContentParse(SpmGlobalThreadCtx *spm_global_thread_ctx,
                                      const char *contentstr);
int DetectContentDataParse(const char *keyword, const char *contentstr,
    uint8_t **pstr, uint16_t *plen);
DetectContentData *DetectContentParseEncloseQuotes(SpmGlobalThreadCtx *spm_global_thread_ctx,
        const char *contentstr);

int DetectContentSetup(DetectEngineCtx *de_ctx, Signature *s, const char *contentstr);
void DetectContentPrint(DetectContentData *);

void DetectContentFree(void *);
_Bool DetectContentPMATCHValidateCallback(const Signature *s);
void DetectContentPropagateLimits(Signature *s);

#endif /* __DETECT_CONTENT_H__ */
Import of GPLv2 Header 050410 15 years ago			`/* Copyright (C) 2007-2010 Open Information Security Foundation`
			`*`
			`* You can copy, redistribute or modify this Program under the terms of`
			`* the GNU General Public License version 2 as published by the Free`
			`* Software Foundation.`
			`*`
			`* This program is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`* GNU General Public License for more details.`
			`*`
			`* You should have received a copy of the GNU General Public License`
			`* version 2 along with this program; if not, write to the Free Software`
			`* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA`
			`* 02110-1301, USA.`
			`*/`

			`/**`
			`* \file`
			`*`
			`* \author Victor Julien <victor@inliniac.net>`
			`*/`

Initial add of the files. 17 years ago			`#ifndef __DETECT_CONTENT_H__`
			`#define __DETECT_CONTENT_H__`

Further simplify content api: merge flags that indicate a next relative match, remove chunks as they are unnecessary now, make negated a bitflag. 15 years ago			`/* Flags affecting this content */`
Initial add of the files. 17 years ago
detect: use BIT_U32 macro for content flags 8 years ago			`#define DETECT_CONTENT_NOCASE BIT_U32(0)`
			`#define DETECT_CONTENT_DISTANCE BIT_U32(1)`
			`#define DETECT_CONTENT_WITHIN BIT_U32(2)`
			`#define DETECT_CONTENT_OFFSET BIT_U32(3)`
			`#define DETECT_CONTENT_DEPTH BIT_U32(4)`
			`#define DETECT_CONTENT_FAST_PATTERN BIT_U32(5)`
			`#define DETECT_CONTENT_FAST_PATTERN_ONLY BIT_U32(6)`
			`#define DETECT_CONTENT_FAST_PATTERN_CHOP BIT_U32(7)`
Further simplify content api: merge flags that indicate a next relative match, remove chunks as they are unnecessary now, make negated a bitflag. 15 years ago			`/** content applies to a "raw"/undecoded field if applicable */`
detect: use BIT_U32 macro for content flags 8 years ago			`#define DETECT_CONTENT_RAWBYTES BIT_U32(8)`
Further simplify content api: merge flags that indicate a next relative match, remove chunks as they are unnecessary now, make negated a bitflag. 15 years ago			`/** content is negated */`
detect: use BIT_U32 macro for content flags 8 years ago			`#define DETECT_CONTENT_NEGATED BIT_U32(9)`
Initial add of the files. 17 years ago
detect: enforce isdataat:!1,relative earlier The expression 'isdataat:!1,relative' is used to make sure a match is at the end of a buffer quite often. This patch optimizes this case for 'content' followed by the expression. It enforces it by setting and 'ends with' flag on the content and then taking that flag into account while doing the pattern match. 8 years ago			`#define DETECT_CONTENT_ENDS_WITH BIT_U32(10)`
make some name changes. break PopulateMpm(). Set the avoid mpm double check flags 15 years ago
byte extract added to the engine. Detection support added for packet payload, uri and dce detection engines 14 years ago			`/* BE - byte extract */`
detect: use BIT_U32 macro for content flags 8 years ago			`#define DETECT_CONTENT_OFFSET_BE BIT_U32(11)`
			`#define DETECT_CONTENT_DEPTH_BE BIT_U32(12)`
			`#define DETECT_CONTENT_DISTANCE_BE BIT_U32(13)`
			`#define DETECT_CONTENT_WITHIN_BE BIT_U32(14)`
byte extract added to the engine. Detection support added for packet payload, uri and dce detection engines 14 years ago
Add support for replace keyword. This patch adds support for the replace keyword. It is used with content to change selected part of the payload. The major point with this patch is that having a replace keyword made necessary to avoid all stream level check because we need to access to the could-be-modified packet payload. One of the main difficulty is to handle complex signature. If there is other content check, we must do the substitution when we're sure all match are valid. The patch adds an attribute to the thread context variable to be able to deal with recursivity of the match function. Replace is only activated in IPS mode and apply only to raw match. 14 years ago			`/* replace data */`
detect: use BIT_U32 macro for content flags 8 years ago			`#define DETECT_CONTENT_REPLACE BIT_U32(15)`
fix for bug #577. If a pattern has matched on mpm, don't re-inspect it later, subject to certain conditions met by the pattern - namely, not negated, right chop, no replacet attached to it. 13 years ago			`/* this flag is set during the staging phase. It indicates that a content`
			`* has been added to the mpm phase and requires no further inspection inside`
			`* the inspection phase */`
detect: use BIT_U32 macro for content flags 8 years ago			`#define DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED BIT_U32(16)`

detect: don't rescan when just distance is used Content inspection optimization: when just distance is used without within we don't need to search recursively. E.g. content:"a"; content:"b"; distance:1; will scan the buffer for 'a' and when it finds 'a' it will scan the remainder for 'b'. Until now, the failure to find 'b' would lead to looking for the next 'a' and then for 'b' after that. However, we already inspected the entire buffer for 'b', so we know this will fail. 8 years ago			`#define DETECT_CONTENT_WITHIN_NEXT BIT_U32(17)`
			`#define DETECT_CONTENT_DISTANCE_NEXT BIT_U32(18)`
detect/content: introduce startswith modifier Add startswith modifier to simplify matching patterns at the start of a buffer. Instead of: content:"abc"; depth:3; This enables: content:"abc"; startswith; Especially with longer patterns this makes the intention of the rule more clear and eases writing the rules. Internally it's simply a shorthand for 'depth:<pattern len>;'. Ticket https://redmine.openinfosecfoundation.org/issues/742 7 years ago			`#define DETECT_CONTENT_STARTS_WITH BIT_U32(19)`
detect/analyzer: show pattern that is used by mpm Set a new DETECT_CONTENT_MPM flag on the pattern that is selected during setup. 7 years ago			`/** MPM pattern selected by the engine or forced by fast_pattern keyword */`
			`#define DETECT_CONTENT_MPM BIT_U32(20)`

detect: don't rescan when just distance is used Content inspection optimization: when just distance is used without within we don't need to search recursively. E.g. content:"a"; content:"b"; distance:1; will scan the buffer for 'a' and when it finds 'a' it will scan the remainder for 'b'. Until now, the failure to find 'b' would lead to looking for the next 'a' and then for 'b' after that. However, we already inspected the entire buffer for 'b', so we know this will fail. 8 years ago			`/** a relative match to this content is next, used in matching phase */`
			`#define DETECT_CONTENT_RELATIVE_NEXT (DETECT_CONTENT_WITHIN_NEXT\|DETECT_CONTENT_DISTANCE_NEXT)`
Add support for replace keyword. This patch adds support for the replace keyword. It is used with content to change selected part of the payload. The major point with this patch is that having a replace keyword made necessary to avoid all stream level check because we need to access to the could-be-modified packet payload. One of the main difficulty is to handle complex signature. If there is other content check, we must do the substitution when we're sure all match are valid. The patch adds an attribute to the thread context variable to be able to deal with recursivity of the match function. Replace is only activated in IPS mode and apply only to raw match. 14 years ago
Added parentheses to fix Eclipse static code analysis Fixed bug in action priority (REJECT_DST had lowest prio) 13 years ago			`#define DETECT_CONTENT_IS_SINGLE(c) (!( ((c)->flags & DETECT_CONTENT_DISTANCE) \|\| \`
			`((c)->flags & DETECT_CONTENT_WITHIN) \|\| \`
			`((c)->flags & DETECT_CONTENT_RELATIVE_NEXT) \|\| \`
			`((c)->flags & DETECT_CONTENT_DEPTH) \|\| \`
			`((c)->flags & DETECT_CONTENT_OFFSET) ))`
Share content id's between identical patterns. 15 years ago
mpm: improve negated mpm The idea is: if mpm is negated, it's both on mpm and nonmpm sid lists and we can kick it out in that case during the merge sort. It only works for patterns that are 'independent'. This means that the rule doesn't need to only match if the negated mpm pattern is limited to the first 10 bytes for example. Or more generally, an negated mpm pattern that has depth, offset, distance or within settings can't be handled this way. These patterns are not added to the mpm at all, but just to to non-mpm list. This makes sense as they will always need manual inspection. Similarly, a pattern that is 'chopped' always needs validation. This is because in this case we only inspect a part of the final pattern. 10 years ago			`/* if a pattern has no depth/offset limits, no relative specifiers and isn't`
			`* chopped for the mpm, we can take the mpm and consider this pattern a match`
			`* w/o futher inspection. Warning: this may still mean other patterns depend`
			`* on this pattern that force match validation anyway. */`
			`#define DETECT_CONTENT_MPM_IS_CONCLUSIVE(c) \`
			`!( ((c)->flags & DETECT_CONTENT_DISTANCE) \|\| \`
			`((c)->flags & DETECT_CONTENT_WITHIN) \|\| \`
			`((c)->flags & DETECT_CONTENT_DEPTH) \|\| \`
			`((c)->flags & DETECT_CONTENT_OFFSET) \|\| \`
			`((c)->flags & DETECT_CONTENT_FAST_PATTERN_CHOP))`


spm: add and use new SPM API This new API allows for different SPM implementations, using a function pointer table like that used for MPM. This change also switches over the paths that make use of DetectContentData (which previously used BoyerMoore directly) to the new API. 9 years ago			`#include "util-spm.h"`
Adding Boyer Moore context to content patterns, should speed up the search 15 years ago
Rename all structure definitions in the "typedef struct _SomeStruct" format to "typedef struct SomeStruct_" to make the Doxygen output more useful. Remove the Trie multi pattern matcher code. It wasn't used anymore. 16 years ago			`typedef struct DetectContentData_ {`
unifying content structure - uricontent now uses DetectContentData 15 years ago			`uint8_t *content;`
Bug 1281 - Accept rule content with lengths greater than 255. 11 years ago			`uint16_t content_len;`
			`uint16_t replace_len;`
content: reorder DetectContentData member, shrinking the struct from 64 to 48 bytes. 11 years ago			`/* for chopped fast pattern, the length */`
			`uint16_t fp_chop_len;`
detect: allow for more than 64k mpm rules 9 years ago			`/* for chopped fast pattern, the offset */`
			`uint16_t fp_chop_offset;`
support fast pattern for http raw header. Also support relative modifiers for http raw header 14 years ago			`/* would want to move PatIntId here and flags down to remove the padding`
			`* gap, but I think the first four members was used as a template for`
			`* casting. \todo check this and fix it if posssible */`
			`uint32_t flags;`
unifying content structure - uricontent now uses DetectContentData 15 years ago			`PatIntId id;`
64 bit cleanup part2 16 years ago			`uint16_t depth;`
			`uint16_t offset;`
Initial add of the files. 17 years ago			`int32_t distance;`
			`int32_t within;`
spm: add and use new SPM API This new API allows for different SPM implementations, using a function pointer table like that used for MPM. This change also switches over the paths that make use of DetectContentData (which previously used BoyerMoore directly) to the new API. 9 years ago			`/* SPM search context. */`
			`SpmCtx *spm_ctx;`
Add support for replace keyword. This patch adds support for the replace keyword. It is used with content to change selected part of the payload. The major point with this patch is that having a replace keyword made necessary to avoid all stream level check because we need to access to the could-be-modified packet payload. One of the main difficulty is to handle complex signature. If there is other content check, we must do the substitution when we're sure all match are valid. The patch adds an attribute to the thread context variable to be able to deal with recursivity of the match function. Replace is only activated in IPS mode and apply only to raw match. 14 years ago			`/* pointer to replacement data */`
			`uint8_t *replace;`
Initial add of the files. 17 years ago			`} DetectContentData;`

			`/* prototypes */`
			`void DetectContentRegister (void);`
64 bit cleanup part2 16 years ago			`uint32_t DetectContentMaxId(DetectEngineCtx *);`
spm: add and use new SPM API This new API allows for different SPM implementations, using a function pointer table like that used for MPM. This change also switches over the paths that make use of DetectContentData (which previously used BoyerMoore directly) to the new API. 9 years ago			`DetectContentData DetectContentParse(SpmGlobalThreadCtx spm_global_thread_ctx,`
detect-parse: improve common parser In preparation of turning input to keyword parsers to const add options to the common rule parser to enforce and strip double quotes and parse negation support. At registration, the keyword can register 3 extra flags: SIGMATCH_QUOTES_MANDATORY: value to keyword must be quoted SIGMATCH_QUOTES_OPTIONAL: value to keyword may be quoted SIGMATCH_HANDLE_NEGATION: leading ! is parsed In all cases leading spaces are removed. If the 'quote' flags are set, the quotes are removed from the input as well. 8 years ago			`const char *contentstr);`
Update DetectContentDataParse to reflect the actual data types content uses. 12 years ago			`int DetectContentDataParse(const char keyword, const char contentstr,`
detect-parse: improve common parser In preparation of turning input to keyword parsers to const add options to the common rule parser to enforce and strip double quotes and parse negation support. At registration, the keyword can register 3 extra flags: SIGMATCH_QUOTES_MANDATORY: value to keyword must be quoted SIGMATCH_QUOTES_OPTIONAL: value to keyword may be quoted SIGMATCH_HANDLE_NEGATION: leading ! is parsed In all cases leading spaces are removed. If the 'quote' flags are set, the quotes are removed from the input as well. 8 years ago			`uint8_t *pstr, uint16_t plen);`
spm: add and use new SPM API This new API allows for different SPM implementations, using a function pointer table like that used for MPM. This change also switches over the paths that make use of DetectContentData (which previously used BoyerMoore directly) to the new API. 9 years ago			`DetectContentData DetectContentParseEncloseQuotes(SpmGlobalThreadCtx spm_global_thread_ctx,`
detect-parse: improve common parser In preparation of turning input to keyword parsers to const add options to the common rule parser to enforce and strip double quotes and parse negation support. At registration, the keyword can register 3 extra flags: SIGMATCH_QUOTES_MANDATORY: value to keyword must be quoted SIGMATCH_QUOTES_OPTIONAL: value to keyword may be quoted SIGMATCH_HANDLE_NEGATION: leading ! is parsed In all cases leading spaces are removed. If the 'quote' flags are set, the quotes are removed from the input as well. 8 years ago			`const char *contentstr);`
Adding detect_content chunks handling for max_pattern_length and unittests. Updating modifiers to use it. 16 years ago
compiler: more strict compiler warnings Set flags by default: -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes -Wwrite-strings -Wcast-align -Wbad-function-cast -Wformat-security -Wno-format-nonliteral -Wmissing-format-attribute -funsigned-char Fix minor compiler warnings for these new flags on gcc and clang. 8 years ago			`int DetectContentSetup(DetectEngineCtx de_ctx, Signature s, const char *contentstr);`
Adding detect_content chunks handling for max_pattern_length and unittests. Updating modifiers to use it. 16 years ago			`void DetectContentPrint(DetectContentData *);`

Fix compiler warning. 16 years ago			`void DetectContentFree(void *);`
detect: reject dsize rules that can't match Rules can contain conflicting statements and lead to a unmatchable rule. 2 examples are rejected by this patch: 1. dsize < content 2. dsize < content@offset Bug #2187 8 years ago			`_Bool DetectContentPMATCHValidateCallback(const Signature *s);`
detect: content limits propagation Propagate inspection limits from anchered keywords to the rest of a rule. Examples: content:"A"; depth:1; is anchored, it can only match in the first byte content:"A"; depth:1; content:"BC"; distance:0; within:2; "BC" can only be in the 2nd and 3rd byte of the payload. So effectively it has an implicite offset of 1 and an implicit depth of 3. content:"A"; depth:1; content:"BC"; distance:0; can assume offset:1; for the 2nd content. content:"A"; depth:1; pcre:"/B/R"; content:"C"; distance:0; can assume at least offset:1; for content "C". We can't analyzer the pcre pattern (yet), so we assume it matches with 0 bytes. Add lots of test cases. 7 years ago			`void DetectContentPropagateLimits(Signature *s);`
Initial add of the files. 17 years ago
			`#endif /* __DETECT_CONTENT_H__ */`